opHA 3 has two different Authentication configurations to discover a peer:
For the user/password, it should be a valid user and password with permissions over module_opcore_view module.
For the user/sharedkey:
omkd_secrets in opCommon.json in the poller. Used for authentication. A token will be generated using this user and password to protect the shared key.
opHA 3 needs to have the "token" authentication method setup in order to perform the internal communication.
It can be changed in opCommon.json setting in the pollers:
"auth_method_1" : "token", |
It can also use auth_method_2 or auth_method_3.
After the change, omkd daemon should be restarted.
For this purpose, the following settings are sent from the poller to the primary:
"auth_token_key" : ["token"], "opha_api_user" : "omkapiha", |
And they would be saved in the the registry in the primary, that will generate a token with this data to perform the communication.
After upgrade of any of the poller configurations:
On the peer discovery, we specify the url of the peer. The peer, is going to provide to the poller the url for their communications.
If we specify a discovery url using https but this is not set in the pollers configuration, the internal communications will go into http. It can be changed in the poller in opCommon.json in the setting:
"opha_url_base" : "https://myserver.com", |
If we set this property, we also need to change:
"opha_hostname" : "myservername", |
After the change, we would need to upgrade the poller configurations.
If the certificate is self signed, there are a couple of settings that can be changed to avoid validation. But this is not recommended in production environments:
"opha_allow_insecure" : 1, |
And for editing remote nodes:
"omk_ua_insecure" : 1, |