Solved: Re: Device Certificates vs. Clustering

Ken-J_ · ‎05-27-2011

Quickie question from my faded memory:

Does a newly-installed Device Certificate (and its port assignments) propagate automatically to the standby unit in a cluster as part of configuration updating, or must the Device Certificate be installed and assigned to the Virtual Ports separately for each clustered unit?

Our cluster is active/standby, and the certificate in question is for a virtual IVE.

Thanks!

RKB_ · ‎06-02-2011

Yes, in IVS setup newly installed certificates will be propogated across nodes.

Valid for both Active/Active and Active/Passive

View solution in original post

NULL_ · ‎05-29-2011

Dear Ken-J,

the Certificate is associated to a Domain-Name. So the certificate will be switched over to the backup device if the primary one will fail and everything works quite fine. :-)

regards

NULL

Ken-J_ · ‎06-02-2011

No, the certificate is not assigned to a domain name: in the IVE, the certificate is bound to a virtual port.

Juniper appears to have no documentation on this topic and my feelings about my attempt to obtain support are better left unwritten. The sometimes-cited KB article on this topic appears to have been revoked without replacement.

RKB_ · ‎06-02-2011

Yes, in IVS setup newly installed certificates will be propogated across nodes.

Valid for both Active/Active and Active/Passive

Ken-J_ · ‎06-03-2011

This indeed turns out to be what we saw at certificate installation this morning: the certificate was installed in the primary and automatically propagated (along with its virtual port assignment) to the passive/secondary node.

Thanks!