...
In environments where automatic failover is desired, it is possible to enhance automatic failover to monitor for additional events via a Hardware Management Console (HMC) using cluster monitors. See Advanced Node Failure Detection for additional information.
...
PowerHA uses the Power Virtual Server API to manage and control resources in IBM Power Virtual Server.
Configuring PowerHA to Accept Digital Certificates from IBM Cloud Services
All communication between PowerHA and IBM Cloud uses TLS. Digital certificates are used to both encrypt and protect this communication.
Create a *SYSTEM certificate store to hold the digital certificates
To create the *SYSTEM certificate store, use the following steps:
In a web browser, enter http://mysystem:2001/dcm, where mysystem is the host name or IP address of the system. This opens IBM Digital Certificate Manager for i.
Log in with an IBM i profile with sufficient authority.
Click Create Certificate Store in the left-hand navigation menu.
On the right-hand side of the page, select *SYSTEM.
Note: If the *SYSTEM option is not available in the list, it indicates that there is a *SYSTEM store already created on this system, and these steps have already been performed.
Create a password for the *SYSTEM store and click Create.
Note: The password is case-sensitive. It is recommended not to use special characters. This password is not attached to a user profile and it will not lock you out of the system after too many attempts.
Tip: The system certificate store must be created on all nodes in the cluster. Ensure the *SYSTEM certificate store is created on all nodes in the cluster before continuing.
Trusting the IBM Cloud Certificate Authority
There are two options for trusting the IBM Cloud Certificate Authority:
Recommended: Populate digital certificate manager with well known CAs.
Open the *SYSTEM certificate store in Digital Certificate Manager
Note: If the *SYSTEM certificate store was created in the previous step, simply select it in the left-hand menu in Digital Certificate Manager and continue on to the next section.
In a web browser, enter http://mysystem:2001/dcm, where mysystem is the host name or IP address of the system. This opens IBM Digital Certificate Manager for i.
Log in with an IBM i profile with sufficient authority.
Click Open Certificate Store.
Select the *SYSTEM option and click Continue.
Note: If *SYSTEM does not appear in the list, the system certificate store either does not exist, or is already open. If it does not exist, see Creating the *SYSTEM Certificate Store. If it is already open, select it in the left-hand menu.
Sign in with the password for the certificate store and click Open.
Populate the *SYSTEM certificate store in Digital Certificate Manager with CAs
Click the Populate with CAs link in Digital Certificate Manager.
Click the Select All button to select all certificates.
Click the Populate button to populate the system certificate store with all well-known CAs.
Repeat these steps on all nodes in the cluster.
Bypassing strict-certificate checking in PowerHA using a PowerHA Policy
Warning: While this step only needs to be performed on one node, it is not as secure as the option for trusting well-known certificates. While this option still uses encrypted communication between PowerHA and IBM Cloud services, it does not protect against a man-in-the-middle attack.
Add a PowerHA policy to bypass strict certificate checking in PowerHA. For example, the following policy would bypass strict certificate checking for any configuration description:

    ADDHAPCY PCY(QHA_COMM_STRICT_CERT_CHECK) PCYDMN(*NONE) QUAL('CFGD(*ALL)') VALUE(*NO)

This step only needs to be performed on one node as the policy applies to the entire PowerHA cluster.
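What certificate validation against a trust store contributes, as an added example that is not part of the original page and is not IBM or PowerHA code. It uses the openssl command line on a workstation with locally generated certificates; the names Demo Trusted CA and api.example.test are hypothetical. A certificate issued by a CA in the trust store validates, while a self-signed certificate carrying the same name does not, and chain validation of this kind is what protects against the man-in-the-middle attack the warning above describes.

```shell
#!/bin/sh
# Constructed demo: every key, certificate and name below is generated locally
# and is hypothetical. Nothing here comes from IBM Cloud or PowerHA.

# make_demo_pki DIR
#   ca.pem        - stands in for a well-known CA held in the trust store
#   server.pem    - certificate for api.example.test issued by that CA
#   lookalike.pem - self-signed certificate with the same subject name
make_demo_pki() {
    pki_dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Demo Trusted CA" \
        -keyout "$pki_dir/ca.key" -out "$pki_dir/ca.pem" 2>/dev/null || return 1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=api.example.test" \
        -keyout "$pki_dir/server.key" -out "$pki_dir/server.csr" \
        2>/dev/null || return 1
    openssl x509 -req -in "$pki_dir/server.csr" -days 1 \
        -CA "$pki_dir/ca.pem" -CAkey "$pki_dir/ca.key" -CAcreateserial \
        -out "$pki_dir/server.pem" 2>/dev/null || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=api.example.test" \
        -keyout "$pki_dir/lookalike.key" -out "$pki_dir/lookalike.pem" \
        2>/dev/null || return 1
}

# chain_status CA_FILE CERT_FILE
#   Prints "trusted" when CERT_FILE chains to a CA in CA_FILE, else "untrusted".
chain_status() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo trusted
    else
        echo untrusted
    fi
}

# Run the comparison in a throwaway directory and clean up afterwards.
demo_dir=$(mktemp -d) || exit 1
make_demo_pki "$demo_dir" || { echo "openssl failed" >&2; exit 1; }
echo "issued by trusted CA:   $(chain_status "$demo_dir/ca.pem" "$demo_dir/server.pem")"
echo "self-signed look-alike: $(chain_status "$demo_dir/ca.pem" "$demo_dir/lookalike.pem")"
rm -rf "$demo_dir"
```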
Creating an API Key
The API key at a minimum must have the following access levels to the Workspace for Power Virtual Server service:
...
In the IBM Cloud console, go to Manage > Access (IAM) and select Service IDs.
If you don’t have a service ID created, create the service ID.
Click the Actions icon > Manage service ID.
Click API keys.
Click Create.
Add a name and description to easily identify the API key.
Click Create.
Save your API key by copying or downloading it to a secure location.
For security reasons, the API key is only available to be copied or downloaded at the time of creation. If the API key is lost, you must create a new API key.
...