Set Up the Server Pool

1. Select a unique name for the server pool. This name applies to all SSL-related configurations. The following examples use the name "CMSPool".

2. Set up each server to handle server pool connectivity. Add an entry in each server's hosts file that identifies its own IP address as the CMSPool address:
   - In the hosts file of S1 (%SystemDir%/system32/drivers/etc/hosts), insert: 200.0.0.1 CMSPool
   - In the hosts file of S2 (%SystemDir%/system32/drivers/etc/hosts), insert: 200.0.0.2 CMSPool
   - In the hosts file of Sn (%SystemDir%/system32/drivers/etc/hosts), insert: 200.0.0.n CMSPool
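A mistake that is easy to make here is copying one server's hosts file to the others, so that several pool members resolve CMSPool to the same address. The following Python check, added here and not part of the original procedure or of the ActivID CMS product, parses a hosts file and verifies that the pool name maps to exactly one address and that it is the server's own; the hosts contents used as input are constructed samples.

```python
import ipaddress

POOL_NAME = "CMSPool"  # server pool name used throughout the procedure


def pool_mappings(hosts_text, pool_name=POOL_NAME):
    """Return every address a hosts file maps to pool_name.

    Skips blank lines and comments, accepts several aliases per line, and
    matches the name case-insensitively, as Windows name resolution does.
    """
    found = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        fields = line.split()
        addr, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            continue  # malformed address field; not a mapping
        if any(n.lower() == pool_name.lower() for n in names):
            found.append(addr)
    return found


def check_server(hosts_text, own_ip, pool_name=POOL_NAME):
    """Return a list of problems; an empty list means the entry is correct."""
    problems = []
    addrs = pool_mappings(hosts_text, pool_name)
    if not addrs:
        problems.append(f"no {pool_name} entry")
    elif len(set(addrs)) > 1:
        problems.append(f"{pool_name} mapped to several addresses: {sorted(set(addrs))}")
    elif addrs[0] != own_ip:
        problems.append(f"{pool_name} points at {addrs[0]}, expected own address {own_ip}")
    return problems


# Constructed sample hosts files for two pool members (not real deployments).
S1_HOSTS = "127.0.0.1 localhost\n200.0.0.1 CMSPool  # pool alias -> self\n"
S2_HOSTS = "127.0.0.1 localhost\n200.0.0.1 CMSPool\n"  # wrong: copied from S1

if __name__ == "__main__":
    print(check_server(S1_HOSTS, "200.0.0.1"))  # []
    print(check_server(S2_HOSTS, "200.0.0.2"))  # reports the S1 address
```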
3. Get the SSL credentials for the following:
   - ActivID CMS server: use the certificate subject cn=CMSPool
   - Client certificate for the ActivID CMS Operator
   - Client certificate for each ActivID CMS Peer Server (used by other peers to synchronize information). Note that this certificate is different from the client certificate used by the ActivID CMS operators.
   All certificates must be stored in the same location on each ActivID CMS server.

4. Get the Issuing CA certificate. These credentials are used for the installation of all ActivID CMS instances. For more information, refer to your CA documentation.
5. Install a complete ActivID CMS system (servers and databases). In the examples that follow, the name of this installed system is "S1". You must enroll one operator for each ActivID CMS Peer Server, using client certificates.
   Important: When you specify the location of the database during the installation, be sure to point to the database you installed during the ActivID CMS installation for S1. Do not select the automatic generation of SSL credentials during ActivID CMS installation; use the certificates you generated in step 3 (except for the peer certificate).
   - You can install the database on the same machine as the servers, or on a remote workstation.
   - Specify the server pool name (in these examples, CMSPool) for the installation of the ActivID CMS servers, and specify the real name of the database machine. This must be the same name that you specified for S1: for example, S1 if the database is on the ActivID CMS server, or S1DB if the associated database is located on another machine.
   - Use the same ActivID CMS Security Key Password and Database Password used for S1.

6. Use the Key Management System (KMS) to clone the Hardware Security Module (HSM) used by S1. For information, refer to About HSMs and Configuring Connections to Peer Servers. The other ActivID CMS server uses the HSM clone to store keys securely and perform cryptographic operations.
   Important: If you are using Entrust Datacard (formerly Thales) nShield™ Connect, make sure that both ActivID CMS Peer Servers have access to the same Transport Key. You might need to manually copy the transport key from the C:\nfast\kmdata folder on the original ActivID CMS server to the same location on the peer server, and then restart ActivID CMS. For more information about nShield Connect and ActivID CMS Peer Servers, refer to Configuring Entrust Datacard HSMs for Use with ActivID CMS.

7. Install ActivID CMS on machine S2, pointing to the shared database. For this, ActivID CMS must be installed in custom installation mode (with the server component only), using the same database and certificates as those used by S1. This machine is for load balancing. (There is no limit to the number of ActivID CMS servers in the pool.)