Config Sync
===========

Introduction
------------

This feature allows, in a multi-appliance configuration, the synchronisation of configuration parameters between those appliances. The replication has a multi-master architecture, meaning that each appliance is able to send and receive configuration changes to and from the other appliances, but only one of them starts the broker that holds the messages.

The next figure shows a multi-appliance configuration and its communication with the broker. In this case the broker is embedded in one of the appliances, but the behaviour is the same:

.. image:: images/ConfigSync/ConfigSync1.jpg
   :alt: Multi-appliance configuration diagram
   :align: center

The sections that can be replicated are:

* Repository -> Groups
* Repository -> Attributes
* Policy -> All sections

Configuration Parameters
------------------------

.. image:: images/ConfigSync/ConfigurationParameters.png
   :alt: Config Sync Configuration Screenshot
   :align: center

* **Synchronise configuration**: Indicates whether the appliance configuration should be synchronised.
* **Broker IP**: The IP address where the broker is running.
* **Broker Port**: The port number where the broker is listening.
* **Act as Broker**: Indicates whether the current appliance should start the broker.
* **Broker checking frequency (seconds)**: The period between attempts to reconnect to the broker after the connection has been lost.
* **Config sync checking frequency (seconds)**: The period between checks of the synchronisation state. This parameter only appears if the appliance acts as a broker. When synchronisation is enabled, the 'broker' appliance sends information about the sections configured with sync type Manual or Automatic (except Attributes and Groups) to the other appliances, and the other appliances show in their status screen whether each section is in sync with the broker or not.
* **Shared Secret**: The same shared secret must be set on all the appliances that synchronise data.

Example Configuration
---------------------

Suppose the following configuration:

.. image:: images/ConfigSync/ConfigSync2.jpg
   :alt: Example configuration topology
   :align: center

The configuration parameters on each appliance are shown below (all the appliances have the same shared secret defined):

**Swivel Core A**

.. image:: images/ConfigSync/ConfigSync3.jpg
   :width: 700px
   :alt: Swivel Core A Configuration

When the broker has started, the information message 'Sync broker has been started' is displayed, and when 'Synchronise configuration' is activated "Connected" is shown:

.. image:: images/ConfigSync/ConfigSync4.jpg
   :width: 700px
   :alt: Swivel Core A Connected Status

**Swivel Core B**

.. image:: images/ConfigSync/ConfigSync5.jpg
   :width: 700px
   :alt: Swivel Core B Configuration

.. note:: If we try to start a broker on this machine, an error message is shown because another broker is already started on the same machine and port (in this case Swivel Core A):

.. image:: images/ConfigSync/ConfigSync6.jpg
   :width: 700px
   :alt: Broker Error Message

**Swivel Core C**

.. image:: images/ConfigSync/ConfigSync7.jpg
   :width: 700px
   :alt: Swivel Core C Configuration

.. note:: By default the IP that appears is the current IP, in this case 192.168.0.151. If 'Synchronise configuration' is activated with that IP, an error message is shown to indicate that it is not possible to establish the connection:

.. image:: images/ConfigSync/ConfigSync19.jpg
   :width: 700px
   :alt: IP Connection Error

Synchronisation Types
---------------------

There are 3 synchronisation types:

.. image:: images/ConfigSync/ConfigSync8.jpg
   :alt: Sync Types List
   :align: center

This drop-down list only appears in the sections mentioned before if 'Synchronise configuration' is true.

.. image:: images/ConfigSync/ConfigSync9.jpg
   :alt: Sync Dropdown Location
   :align: center

Automatic
~~~~~~~~~

The changes applied in the section are synchronised with the other appliances whose section is configured as Automatic or Manual. The current appliance also receives synchronisation messages about that section and processes them. With this option the button 'Sync now' is shown, which replicates the whole section, not only the changes.

.. image:: images/ConfigSync/ConfigSync10.jpg
   :width: 700px
   :alt: Sync Now Button

.. note:: If a section (e.g. Groups) has more groups than the same section on the other appliances and a new group is added, it is not created on the other appliances. In the Repository -> Groups and Repository -> Attributes sections, if the repositories are different on the other appliances, the value of the repository is not updated.

Manual
~~~~~~

The changes applied in the section are **NOT** synchronised, but the current appliance receives synchronisation messages about that section and processes them. In this case synchronisation can only be done with the button 'Sync now'.

Disable Sync
~~~~~~~~~~~~

The changes applied in the section are **NOT** synchronised. Synchronisation messages received about that section are discarded, and the button 'Sync now' is **NOT** shown.

.. note:: If the shared secret defined in the appliance that receives the message is different from that of the appliance that sent it, the message is discarded regardless of the sync type.

Replicate Changes
-----------------

To replicate the changes made in a section, it must be configured with the sync type **Automatic**. There are 2 kinds of section: those that generate their parameters dynamically (Groups, Attributes, Policy -> Banned Credentials) and those that have static parameters. For the first kind the changes can be update, remove or create; for the second kind only update.
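The sync types and the shared-secret rule described above, modelled as an added example (this is not Swivel code): a section's type decides what an appliance publishes and what it accepts, and a message from an appliance with a different shared secret is discarded whatever the sync type. The message layout, the HMAC-SHA256 tag keyed with the shared secret and the ``Appliance`` class are assumptions of this model, not the product's wire format.

```python
import hashlib
import hmac
import json
from enum import Enum


class SyncType(Enum):
    AUTOMATIC = "Automatic"
    MANUAL = "Manual"
    DISABLED = "Disable Sync"


def _tag(secret, payload):
    # Assumed: each message carries an HMAC-SHA256 tag keyed with the shared
    # secret, so a peer with a different secret cannot produce a tag we accept.
    return hmac.new(secret.encode(), payload.encode(), hashlib.sha256).hexdigest()


class Appliance:
    def __init__(self, name, shared_secret, sections):
        self.name = name
        self.secret = shared_secret
        # sections: {"Policy > General": {"type": SyncType, "params": {...}}}
        self.sections = sections

    def sync_now_shown(self, section):
        # 'Sync now' appears for Automatic and Manual, never for Disable Sync
        return self.sections[section]["type"] is not SyncType.DISABLED

    def build_change(self, section, params, whole_section=False):
        """Return the message to publish to the broker, or None if nothing is sent."""
        stype = self.sections[section]["type"]
        # Ordinary changes leave only Automatic sections; 'Sync now'
        # (whole_section=True) also sends from Manual sections.
        if stype is SyncType.DISABLED:
            return None
        if stype is SyncType.MANUAL and not whole_section:
            return None
        body = {"from": self.name, "section": section, "params": params}
        payload = json.dumps(body, sort_keys=True)
        return {"payload": payload, "tag": _tag(self.secret, payload)}

    def receive(self, msg):
        """Process a peer's message; returns why it was applied or discarded."""
        expected = _tag(self.secret, msg["payload"])
        if not hmac.compare_digest(expected, msg["tag"]):
            return "discarded: shared secret mismatch"  # regardless of sync type
        body = json.loads(msg["payload"])
        section = self.sections.get(body["section"])
        if section is None or section["type"] is SyncType.DISABLED:
            return "discarded: section sync disabled"
        section["params"].update(body["params"])  # Automatic or Manual: apply
        return "applied"
```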
**Sections with static parameters**

The changes applied to a parameter in a section with sync type Automatic are synchronised with the other appliances.

**Sections with dynamic parameters**

If the sections have a different number of parameters, only the parameters in the same position as in the section being synchronised are updated or removed, and a new parameter is created only in the position immediately after the last existing one.

.. note:: The Attributes and Groups sections have repository parameters. If the repositories are different, the value of the repository is not updated.

Replicate the whole section
~~~~~~~~~~~~~~~~~~~~~~~~~~~

In the sections to synchronise, if configuration synchronisation is activated and the sync type is Manual or Automatic, the button 'Sync now' is shown. It synchronises the whole section with the other appliances configured with the sync type Automatic or Manual, rather than only the changes applied.

Detect broker state and reconnection
------------------------------------

The reconnection flow is shown below:

1. **Appliance A starts the broker and connects to it.** In the status screen these new parameters are shown:

   .. image:: images/ConfigSync/ConfigSync11.jpg
      :alt: Local Sync Broker State

   * **State local sync broker**: Indicates the broker's state. If the broker could not be started for some reason, the state of the broker is Inactive.
   * **Configuration sync state connection**: Indicates the status of the connection with the broker. Only appears if the appliance is configured to synchronise the configuration.

2. **Appliance B connects to the broker (synchronise configuration is activated).** In the status screen the parameter 'State connection sync configuration' is shown.

   .. image:: images/ConfigSync/ConfigSync13.jpg
      :alt: Connection State Connected

3. **Appliance A (Broker) shuts down.**

4. **Appliance B detects that the broker is down.** Every x seconds (the time configured in the configuration parameters screen) it tries to reconnect. In the status screen the parameter 'State connection sync configuration' shows disconnected.

   .. image:: images/ConfigSync/ConfigSync14.jpg
      :alt: Connection State Disconnected

   During this period, if an attempt is made to send sync data for a section, an error message is shown:

   .. image:: images/ConfigSync/ConfigSync16.jpg
      :width: 700px
      :alt: Sync Data Error

5. **Appliance A and the broker start up again.**

6. **Appliance B reconnects to the broker.** In the status screen the parameter 'State connection sync configuration' shows connected.

Out-of-synchronisation detection
--------------------------------

To detect whether the sections are synchronised, the appliance configured as broker and with synchronisation activated sends messages with a checksum of the sections configured with sync type "Manual" or "Automatic" (except Groups and Attributes, because if they have a different number of repositories the state would always be 'Not synchronised'). Those messages are sent periodically to the other appliances. When the other appliances receive the messages with the checksums, they compare them with their own sections' checksums to determine whether they are synchronised or not.

.. image:: images/ConfigSync/ConfigSync17.jpg
   :alt: Sync Status Diagram
   :align: center

In the appliances that do not act as broker, the information shown in the status screen is the following:

* **Configuration sync status, last check**: Indicates the date and time of the last check of the synchronisation status.
* **Section > Group**: Indicates whether the group is synchronised, e.g. Policy > General: Synchronised. It is a link to the section screen.

.. note:: If the shared secret defined in the appliance that receives the status message is different from that of the appliance that sent it, the message is discarded.

.. image:: images/ConfigSync/ConfigSync18.jpg
   :alt: Sync Status Screen
   :align: center
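The positional rules for sections with dynamic parameters (update/remove only at an existing position, create only immediately after the last entry, no repository update when repositories differ) and the checksum comparison used for out-of-sync detection, as an added illustrative model rather than Swivel's implementation. The entry layout, the ``op``/``position`` change format and the SHA-256-over-canonical-JSON checksum are assumptions of this model.

```python
import hashlib
import json


def apply_dynamic_change(local, change, repository_bound=False):
    """Apply one change received from a peer to a list of dynamic parameters.

    local:  list of dicts such as {"name": ..., "repository": ..., "value": ...}
    change: {"op": "update" | "remove" | "create", "position": int, "entry": dict}
    Returns True if the change was applied, False if it was discarded.
    """
    op, pos, entry = change["op"], change["position"], change.get("entry")
    if op == "create":
        # A new entry is created only in the position immediately after our
        # last one; a peer whose section already has a different number of
        # entries than the sender does not get it (the Groups note above).
        if pos != len(local):
            return False
        local.append(dict(entry))
        return True
    if pos >= len(local):
        return False  # nothing at that position locally: update/remove skipped
    if op == "remove":
        del local[pos]
        return True
    if op == "update":
        # Groups/Attributes carry a repository; the value is not updated if it differs
        if repository_bound and local[pos].get("repository") != entry.get("repository"):
            return False
        local[pos].update(entry)
        return True
    raise ValueError("unknown op %r" % op)


def section_checksum(params):
    # Assumed: SHA-256 over a canonical JSON form (the page only says 'checksum')
    canon = json.dumps(params, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()


def sync_status(broker_checksums, local_sections):
    """Compare the broker's periodic per-section checksums with our own."""
    status = {}
    for name, broker_cs in broker_checksums.items():
        ours = section_checksum(local_sections.get(name))
        status[name] = "Synchronised" if ours == broker_cs else "Not synchronised"
    return status
```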