YK-KSM Synchronization Monitor

If you deploy multiple redundant YK-KSM instances, it is important to monitor them to make sure the data they have is synchronized. While there are many mechanisms to achieve this, we provide a simple yet flexible approach. The ykksm-checksum script reads out the important fields from the database and computes a SHA-1 hash of it, and truncates the hash to 10 hex characters and prints them to stdout.

The "important fields" are serial number, public name, internal name and AES key.

Sample output looks like this, first there is a Unix time (for freshness) and then is the truncated hash value.

1284488221
50f5649b80

The script requires the Perl SHA-1 package. Install it like this:

user@ksm:~$ sudo apt-get install libdigest-sha1-perl
...
user@ksm:~$

The typical way to use this is either manually or to run it in a cron job and output the hash to a file that can be downloaded by a remote monitor system such as Nagios. The intention is that you run a check that downloads this file from all of your KSMs, and the Nagios check verify that all values are 1) fresh (Unix time is not too old) and 2) that the truncated hash value is identical on all KSMs.

user@ksm:~$ sudo sh -c 'cat > /etc/cron.hourly/run-ykksm-checksum'
#!/bin/sh
FILE=/var/www/checksum.txt
(date --utc +%s; ykksm-checksum --db-user ykksmreader --db-passwd `grep passwo rd /etc/yubico/ksm/ykksm-config.php|cut -d\  -f3|cut -d\" -f2`) > $FILE.tmp
mv $FILE.tmp $FILE
user@ksm:~$ sudo chmod +x /etc/cron.hourly/run-ykksm-checksum

If you notice mismatches, you may want to run ykksm-checksum with the -v parameter on the different hosts and then use diff -ur or similar tool to compare the outputs. This should make it possible to identify the missmatching entries easily.