Encryption of Communication between FMHA Nodes

This feature implements secure data transmission between Fabric Manager High Availability (FMHA) nodes using encryption. This feature aids in securing communications between FMHA nodes with IPSec, using either Pre-shared Secret Keys (PSK) or Certificate-Based Authentication.

Encryption using Pre-Shared Secret Keys

GigaVUE‑FM uses a secret key (Pre-Shared Key) to verify and allow access to a secure network. GigaVUE‑FM auto generates an AlphaNumeric Random Secret Key without the user intervention and shares automatically with other nodes when they are added to the FMHA group.
By default, GigaVUE-FM employs PSK for authentication, facilitating the establishment of secure tunnels between Fabric Managers within a High Availability (FMHA) cluster.

Encryption using Certificates

Once the FMHA cluster is established, GigaVUE‑FM provides you with an option to switch to Certificate-Based authentication through the Graphical User Interface (GUI). This method requires each node within the cluster to have a certificate signed by the same Root Certificate Authority (RootCA), ensuring a higher level of security and trust.

Using expired certificates in GigaVUE‑FM and switching the encryption mode to Certificate-Based will result in FMHA nodes communicating without encryption.

Note:  GigaVUE-FM does not manage the certificates in this feature. You should obtain and maintain the necessary certificates. For instructions on configuring the certificates, refer to Setting up Certificate (PKI) based Encryption in FMHA .

Rules and Notes

■   FMHA Secure Tunnel Authentication mode uses certificates, and you should manage the certificates manually. When you choose manual management, you should replace any revoked or expired certificates.
■   When the FMHA is at risk or all nodes are disconnected, you need to check if the certificates have expired. If they have expired, replace them with the appropriate certificates. Once the right certificates are replaced, Share Certificates to Peer FMHA Nodes and then restart the IPSec service using systemctl restart ipsec.service on each FMHA node. If the certificates are not replaced, the communication will not be encrypted.