iPSK Manager HA: Issues & Implementation Phases
Current State
| Component | Status | Owner |
|---|---|---|
| Primary Server | Deployed by Ben Castillo, integrated with ISE, policies active | Ben Castillo |
| SSL/HTTPS | MISSING - UI accessible on HTTP only | InfoSec |
| Secure ODBC | MISSING - Should match domus home lab config | InfoSec |
| Secondary Server | Provided but NOT configured | InfoSec |
| Database Replication | Not implemented | InfoSec |
| Load Balancer VIP | Not implemented | InfoSec |
Issues to Address
Critical: No SSL/HTTPS
Current state: Web UI accessible only via HTTP (port 80).
Risk: Credentials and PSKs transmitted in clear text.
Fix:
```bash
# Generate certificate from Vault (intermediate PKI mount, domus-client role)
vault write pki_int/issue/domus-client \
    common_name="ipsk-mgr.inside.chla.org" \
    alt_names="ipsk-mgr-01.inside.chla.org,ipsk-mgr-02.inside.chla.org" \
    ttl=8760h

# Configure Apache for HTTPS
# See: infra-ops::examples/ise/ipsk-apache-ssl.conf
```
Critical: Secure ODBC
ISE ODBC connection should use TLS. Reference home lab configuration:
- infra-ops::examples/ise/ipsk-odbc-operations.sh
- domus home lab: uses TLS-encrypted ODBC
Secondary Server Not Configured
Server provided but not set up. Need:
- OS installation (RHEL/Rocky)
- iPSK Manager deployment
- Database replication setup
- HAProxy/VIP configuration
Implementation Phases
Phase 1: Database Replication
- Configure PostgreSQL streaming replication
- Set up automatic failover with Patroni
- Test replication lag and consistency
- Document recovery procedures
Phase 2: Application Layer HA
- Deploy iPSK Manager on secondary node
- Configure shared session storage (Redis)
- Synchronize PSK policies between nodes
- Test application failover
Phase 3: Load Balancer
- Configure HAProxy (VyOS or dedicated LB)
- Create virtual IP for portal access
- Set up health checks for backend nodes
- Test load balancing and failover
Phase 4: ISE Integration
- Update ISE RADIUS server configuration
- Configure failover order for RADIUS proxy
- Test PSK provisioning during failover
- Verify guest portal redirect