10-24-2018 01:56 AM - edited 03-18-2019 02:25 PM
I'm deploying TMS 15.4 with NLB.
The certificate part doesn't make sense to me. It says in the doc:
"If enabling HTTPS during installation, use a certificate issued to tms.example.com"
The certificate tms.example.com will be assigned to the LB and will not contain the SAN of the remaining TMS certificates (tms01 and tms02).
Am I supposed to create a certificate that looks like this:
CN: tms.example.com
SAN: tms01.example.com, tms02.example.com
and assign it to both TMS servers and the LB?
10-24-2018 05:57 AM
The FQDN tms.example.com would be where the DNS record points to for the VIP configured on the NLB. This is also what you configure in TMS under Administrative Tools > Configuration > Network Settings > Advanced Network Settings for Systems on Internal LAN and for Advanced Network Settings for Systems on Public Internet/Behind Firewall.
Once the IP address and hostname values in Network Settings have been changed, the Database Scanner service enforces these new network settings on the managed systems. The systems then start directing traffic to the NLB, which forwards the requests to the TMS servers.
So the certificate would have the CN as the VIP FQDN [such as tms.example.com] and then the TMS server hostnames in the SAN list [such as tms01.example.com and tms02.example.com].
You then give both TMS servers that same certificate when configuring HTTPS communications.
10-24-2018 12:18 PM
Can I use a wildcard certificate?
CN: tms.example.com
SAN: *.example.com