Field
Embodiments of the invention generally relate to techniques for managing a configuration of a plurality of servers. More specifically, embodiments presented herein are directed to an automated approach for securely propagating a configuration to a plurality of servers in a server cluster.
Description of the Related Art
A set of computing devices (e.g., plurality of servers) may share a configuration in a number of contexts. For example, it is common for computer servers to use digital certificates (e.g., secure sockets layer (SSL) certificates) to associate a server with a network domain. In such cases, clients use information contained in a certificate to verify the identity of a server and to establish a secure communication session with that server (e.g., an SSL or TLS session with a web server). More generally, digital certificates and public key infrastructure (PKI) techniques are used to create, distribute, and manage cryptographic keys used in a variety of contexts.
A plurality of servers may utilize the same digital certificate (and associated private key) to associate each server with a network domain and enable secure sessions. Such a plurality of servers that share the same digital certificate (or other configuration settings, e.g., algorithm running on the plurality of servers) may be referred to as a server cluster. In one example, each server of the server cluster may run the same application and therefore require the same digital certificate to be used for clients to enable a secure session. In such cases, each server may be associated with the same hostname, and therefore, the SSL certificate may list the shared hostname. Such server clusters may be referred to as homogenous clusters.
In another example, each server of the server cluster may run a different application, but still utilize the same digital certificate to enable secure sessions. For example, the digital certificate could be a wildcard certificate or could have multiple subject alternative names (SANs) that list multiple IP addresses or hostnames associated with the servers of the server cluster. Such server clusters may be referred to as a heterogeneous cluster. Further, some clusters may be a mix of homogenous and heterogeneous clusters.
Accordingly, server clusters may share digital certificates on multiple IP addresses and/or multiple ports. Further, the servers in the server cluster may be located in different geographical areas, run different applications, run different operating systems, etc. Managing such a shared digital certificate (or other configuration) across such varied servers in a server cluster can be challenging.
In particular, the configuration (e.g., digital certificate and associated private key) of each of the servers in a server cluster may need to be updated (e.g., replace the digital certificate with a new digital certificate) for a variety of reasons (e.g., initial provisioning of a server, renewal of an expired digital certificate, replacement of a digital certificate due to key compromise or loss, etc.). For example, where the shared configuration for the server cluster is a digital certificate, a new digital certificate and associated private key may need to be propagated to each server of the server cluster.
Currently, in order to propagate a new digital certificate and private key to each server of a server cluster, an administrator may need to manually copy the digital certificate and private key to each server of the server cluster. This may be an especially difficult and time consuming process as the servers may be in a variety of geographical areas, run different applications, run different operating systems, etc. Further, the manual copying process may not be secure, as the means used to transfer the copy (e.g., flash drive) may not be secure and may be compromised, meaning the digital certificate and private key may be compromised.