
Sheriff CSM™

Configuring High Availability for Sheriff CSM Standard Sensors (Deputies)

This process has three tasks you perform in the following order:

Configuring the Secondary Standard Sensor for HA

To configure a secondary Sensor in HA
  1. Log into the secondary Standard Sensor.

  2. From the Sheriff Setup Main menu, select Jailbreak System and press Enter (<OK>).

  3. Press Enter (<Yes>) to continue.

    The command line prompt appears.

  4. Configure the secondary (slave) Sensor:

    1. Edit the file /etc/vigilante/vigilante_setup.conf as indicated by the angle-bracketed variables:

      ha_heartbeat_start=yes
      ha_local_node_ip=<slave_csm_IP>
      ha_other_node_ip=<master_csm_IP>
      ha_other_node_name=<master_csm_name>
      ha_password=<password>
      ha_role=slave
      ha_virtual_ip=<virtual_csm_IP>

      Note: The password must be the same for both slave and master.

      Important: The ha_role value must always equal "slave" for the secondary node.

    2. Save the changes.

  5. Enable HA in the secondary node:

    screen sheriff-ha-assistant -e

    Note: Use screen to keep the process running in the background even when the session disconnects.

  6. Check that the secondary node is up and running:

    sheriff-ha-assistant -s

  7. When prompted, enter the password for the primary (master) root user.

    You must wait about five minutes until you see output, as shown in Step 8 of Configuring the Secondary Standard Server for HA.

Configuring the Primary Standard Sensor for HA

To configure the primary Sensor for HA
  1. From the primary Standard Sensor, access the file /etc/vigilante/vigilante_setup.conf, as described in Configuring the Secondary Standard Sensor for HA.

  2. Change its fields as indicated below:

    ha_heartbeat_start=yes
    ha_local_node_ip=<primary_csm_IP>
    ha_other_node_ip=<secondary_csm_IP>
    ha_other_node_name=<secondary_csm_name>
    ha_password=<password>
    ha_role=master
    ha_virtual_ip=<virtual_csm_IP>

    Note: The password must be the same for both secondary and primary (master).

  3. Save the changes.

  4. Enable HA in the primary (master) node by typing the following command:

    screen sheriff-ha-assistant -e

    Note: Use screen to keep the process running in the background even when the session disconnects.

  5. Swap the token with the secondary node, effectively making the primary node active:

    sheriff-ha-assistant -w

  6. Check that the primary node is up and running:

    sheriff-ha-assistant -s

  7. When prompted, enter the remote (slave) root user password.

    After about five minutes, you see output, as shown in Step 8 of Configuring the Secondary Standard Server for HA.
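
A consistency check for the two /etc/vigilante/vigilante_setup.conf files edited in the two procedures above, as an added example that is not part of the Sheriff documentation or tooling. It assumes the file holds plain key=value lines as in the listings; the function names, sample addresses and sample password are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not vendor code): cross-check copies of both nodes' HA settings.
# Assumes plain key=value lines, as in the listings on this page.

# Print KEY's value from FILE, whitespace-trimmed; the last occurrence wins.
conf_get() {
    awk -v k="$2" '{ sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "") }
        index($0, k "=") == 1 { v = substr($0, length(k) + 2) }
        END { print v }' "$1"
}

# Record a failure; sets rc in the calling check_ha_pair (shell dynamic scoping).
ha_fail() { echo "FAIL: $*" >&2; rc=1; }

# check_ha_pair SECONDARY_CONF PRIMARY_CONF -> returns 0 if consistent, 1 otherwise.
check_ha_pair() {
    local s="$1" m="$2" rc=0 f k v
    for f in "$s" "$m"; do
        for k in ha_local_node_ip ha_other_node_ip ha_other_node_name ha_password ha_virtual_ip; do
            v=$(conf_get "$f" "$k")
            case "$v" in ''|*'<'*|*'>'*) ha_fail "$f: $k is empty or still a placeholder" ;; esac
        done
        [ "$(conf_get "$f" ha_heartbeat_start)" = yes ] || ha_fail "$f: ha_heartbeat_start is not yes"
        # The file holds ha_password, so flag world-readable copies (warning only).
        [ -z "$(find "$f" -perm -004)" ] || echo "WARN: $f is world-readable" >&2
    done
    [ "$(conf_get "$s" ha_role)" = slave ]  || ha_fail "secondary ha_role must be slave"
    [ "$(conf_get "$m" ha_role)" = master ] || ha_fail "primary ha_role must be master"
    [ "$(conf_get "$s" ha_local_node_ip)" = "$(conf_get "$m" ha_other_node_ip)" ] ||
        ha_fail "primary ha_other_node_ip does not match secondary ha_local_node_ip"
    [ "$(conf_get "$m" ha_local_node_ip)" = "$(conf_get "$s" ha_other_node_ip)" ] ||
        ha_fail "secondary ha_other_node_ip does not match primary ha_local_node_ip"
    # Compare for equality only; the password itself is never echoed.
    for k in ha_password ha_virtual_ip; do
        [ "$(conf_get "$s" "$k")" = "$(conf_get "$m" "$k")" ] || ha_fail "$k differs between nodes"
    done
    return "$rc"
}

# Constructed sample pair (documentation addresses, dummy password) written to DIR.
make_sample_pair() {
    printf '%s\n' ha_heartbeat_start=yes ha_local_node_ip=192.0.2.12 ha_other_node_ip=192.0.2.11 \
        ha_other_node_name=sensor-a ha_password=example-only ha_role=slave ha_virtual_ip=192.0.2.10 >"$1/slave.conf"
    printf '%s\n' 'ha_heartbeat_start=yes ' ha_local_node_ip=192.0.2.11 ha_other_node_ip=192.0.2.12 \
        ha_other_node_name=sensor-b ha_password=example-only ha_role=master ha_virtual_ip=192.0.2.10 >"$1/master.conf"
}

if [ $# -eq 2 ]; then check_ha_pair "$1" "$2"; fi
```

Pass the secondary node's file first and the primary node's file second. Both files contain ha_password, so delete any copies gathered for the comparison once it passes.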

Configuring Communication Between the Standard Sensors and the Standard Servers

You configure communication between servers and Sensors in the following order:

  • First: Primary Sensor to primary server
  • Second: Secondary Sensor to primary server
  • Third: Primary Sensor and secondary server
  • Fourth: Secondary Sensor and secondary server

Configuring Communication Between the Primary Sensor and the Primary Server

To configure communication between the primary Sensor and the primary server
  1. Log into the primary Standard Sensor.

    Note: If you are still logged into the CSM from the previous task and in command line mode, return to the Setup Main menu by entering sheriff-setup.

  2. From the Sheriff Setup Main menu, select Configure Sensor > Configure Sheriff Server IP.

  3. Enter the virtual IP address of the Sheriff CSM Standard Server pair and press Enter (<OK>).

  4. Select Configure Sheriff Framework IP, then enter the same IP address; press Enter (<OK>).

  5. Launch the Sheriff CSM web interface and go to Configuration > Deployment > Components > Sensors.

  6. Insert the primary Sheriff CSM Standard Sensor.

Configuring Communication Between the Secondary Sensor and the Primary Server

This task uses the Sheriff console exclusively.

To add the secondary Sensor to the primary server
  1. Log into the primary Standard Server, select Jailbreak System, press Enter (<OK>), and then press Enter (<Yes>).

  2. At the command prompt, enter the following:

    sheriff-api add_system --system-ip=<secondary_std_sensor_ip> --password=<password> --ha

Configuring Communication Between the Primary Sensor and the Secondary Server

To add the primary Sensor to the secondary server
  1. Log into the secondary Standard Server and repeat step 1 (jailbreak the system) of the previous task.

  2. At the command prompt, enter the following:

    sheriff-api add_system --system-ip=<primary_Std_Sensor_ip> --password=<password> --ha

Configuring Communication Between the Secondary Sensor and the Secondary Standard Server

To add the secondary Sensor to the secondary server
  1. On the secondary Standard Server, repeat step 1 (jailbreak the system) of the previous task.

  2. At the command prompt, enter the following:

    sheriff-api add_system --system-ip=<secondary_Std_Sensor_ip> --password=<password> --ha

Next...

You must add server-specific firewall rules to any new Sensors; see Duplicating Firewall Rules in Sheriff CSM Standard Sensors.

Topic revision: 09 Jun 2022, SheriffCyberSecurity
Copyright 2020 Sheriff Cyber Security, LLC. All rights reserved.