Take the following points into account when using transparent data encryption in an HA cluster environment that does not use database multiplexing.
Placement and automatic opening of the keystore file
There are two alternatives for placing the keystore file:
Sharing the keystore file
Placing a copy of the keystore file
This involves using the same keystore file on the primary server and the standby server.
As the standby server is not active while the primary server is running, this file would not be accessed simultaneously, and therefore, it can be shared.
To manage the keystore file in a more secure manner, place it on the key management server or the key management storage isolated in a secure location.
Enable the automatic opening of the keystore on both the primary and standby servers.
This involves placing a copy of the primary server keystore file on the standby server.
You can do this if you cannot prepare a shared server or disk device that can be accessed from both the primary and standby servers.
However, if you change the master encryption key and the passphrase on the primary server, you must copy the keystore file to the standby server again.
To manage the keystore file in a more secure manner, prepare the key management server or the key management storage isolated in a secure location for both the primary and standby servers, and place the keystore files there.
Enable the automatic opening of the keystore on both the primary and standby servers. Note that copying the automatically opening keystore file (keystore.aks) to the standby server does not enable the automatic opening of the keystore.
See
Refer to the Cluster Operation Guide (PRIMECLUSTER) for information on building a cluster system environment for performing failover using the failover feature integrated with the cluster software.
