Making a Subscriber

In the Policy Manager cluster environment, the publisher acts as the primary server. A Policy Manager cluster can contain only one publisher. Administration, configuration, and database write operations can occur only on the publisher.

The Policy Manager appliance defaults to a publisher unless it is made a subscriber. Cluster commands can be used to change the state of the server; for example, the publisher can be made a subscriber. When it is a subscriber, the Make Subscriber link is not displayed.

Caveats When Adding a Subscriber

Note the following caveats when adding a subscriber:

As part of this operation, configuration changes are blocked on the publisher during the initial cluster sync process.

If a ClearPass appliance is a subscriber in a cluster, all configuration options throughout the user interface that are specific to the publisher are grayed out.

All the application licenses on this server will be removed. To add and reactivate these application licenses, contact Aruba Support—navigate to Administration > Support > Contact Support for contact information.

When an IPsec tunnel is already established between two ClearPass appliances, trying to add one of the appliances as a subscriber to the other fails. ClearPass does not support adding an appliance to a cluster as a subscriber while an IPsec tunnel already exists between it and the publisher.

Policy Manager indicates errors during the Make-Subscriber action if either of the following conditions is present:

The certificate chain used is not present on both systems for the HTTPS and database certificates.

An IP address is not included in the database certificate’s subject or the Subject Alternative Name (SAN) field.

An error message is displayed on the Administration > Server Manager > Server Configuration > Make Subscriber > Add Subscriber Node configuration dialog and an alert is shown in the Dashboard if either of these requirements is missing.

A subscriber's HTTPS trust list is required to include the certificate chain that signed the publisher's HTTPS server certificate. You do not have to reform the cluster when you upgrade. A database certificate is generated automatically for each node during the cluster upgrade process.
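Added example (not from the ClearPass documentation): the certificate conditions above can be checked with openssl before starting the Make-Subscriber action, assuming the certificates and the trust-list CA bundle have been exported as PEM files. The function names, file names, and the 192.0.2.x addresses are assumptions made for illustration.

```sh
#!/bin/sh
# Added example, not product code. Inputs are PEM files exported beforehand;
# file names and the 192.0.2.x documentation addresses are assumptions.

# ip_in_cert CERT IP: succeed if IP is a SAN iPAddress entry or the subject CN.
ip_in_cert() {
    # -checkip only tests SAN iPAddress entries, so the CN is compared separately.
    if openssl x509 -in "$1" -noout -checkip "$2" 2>/dev/null |
        grep -q 'does match'; then
        return 0
    fi
    cn=$(openssl x509 -in "$1" -noout -subject -nameopt multiline 2>/dev/null |
        sed -n 's/^ *commonName *= //p')
    [ -n "$cn" ] && [ "$cn" = "$2" ]
}

# chain_trusted BUNDLE CERT: succeed if CERT verifies against the CA
# certificates in BUNDLE (what the peer's trust list has to contain).
chain_trusted() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# make_sample DIR NAME CN SAN: constructed self-signed test certificate.
make_sample() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$3" \
        -addext "subjectAltName=$4" -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# Demo on constructed certificates generated here, not taken from an appliance.
tmp=$(mktemp -d)
make_sample "$tmp" db_ok  node-a.example.test "IP:192.0.2.10"
make_sample "$tmp" db_bad node-b.example.test "DNS:node-b.example.test"
for c in db_ok db_bad; do
    if ip_in_cert "$tmp/$c.pem" 192.0.2.10; then echo "$c: IP present"
    else echo "$c: IP missing"; fi
done
# A self-signed certificate acts as its own trust anchor in this demo.
chain_trusted "$tmp/db_ok.pem" "$tmp/db_ok.pem" && echo "chain: trusted"
chain_trusted "$tmp/db_ok.pem" "$tmp/db_bad.pem" || echo "chain: signer missing"
rm -rf "$tmp"
```

With real exports, pass the CA bundle that mirrors the subscriber's trust list as the first argument of chain_trusted and the publisher's HTTPS server certificate as the second.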

To convert a publisher to a subscriber:

1. From the publisher, navigate to the Administration > Server Manager > Server Configuration page.

The Server Configuration page opens.

Figure 1  Make Subscriber Link

2. Click the Make Subscriber link. The Add Subscriber Node page opens:

Figure 2  Adding a Subscriber

3. Specify the Add Subscriber Node parameters as described in the following table, then click Proceed.

Table 1: Add Subscriber Node Parameters

| Parameter | Action/Description |
|---|---|
| Publisher IP | Enter the publisher's IP address. |
| Publisher Password | Specify the publisher's password. NOTE: The password specified here is the password for the CLI user appadmin. |
| Restore the local log database after this operation | To restore the log database after the subscriber node has been added, select the check box. |
| Do not backup the existing databases before this operation | If you do not require a backup of the existing databases on this node, select the check box. |

4. After you click Proceed, the Add Subscriber Node window displays the progress of the Add Subscriber process.

Do not close the window until the process is complete. Closing this window could result in the failure of the cluster join operation.

Certificate details are displayed in a new tab in the Add Subscriber Node window. If you mark the check box to accept the certificate and click the Save button, the subscriber automatically adds the root server certificate of the publisher to the subscriber's certificate trust list and then proceeds with the make-subscriber process.

Figure 3  Automatically add a Certificate in the Add Subscriber Node Process

Dropping a Subscriber

If a cluster is broken apart to be all standalone appliances, then when those appliances contact the ClearPass server at night (phone home), each at a slightly different time, only the first one authenticates successfully with the HPE Passport software updates token. Authentication fails for the rest of the appliances.

Whenever appliances are taken out of a cluster, go to Administration > Agents and Software Updates > Software Updates on each resulting standalone appliance and use the Generate Token button to generate a new software updates token specific to that appliance. For more information, refer to HPE Passport Credentials.

To drop a subscriber from the cluster:

1. Navigate to the Administration > Server Manager > Server Configuration page.

2. Select the node you want to drop from the cluster.

3. Click the Drop Subscriber button.

This option is not available in a single-node deployment.