yubikey-ksm/doc/Sync_Monitor.adoc

YK-KSM Synchronization Monitor
------------------------------

If you deploy multiple redundant YK-KSM instances, it is important to
monitor them to make sure the data they have is synchronized.  While
there are many mechanisms to achieve this, we provide a simple yet
flexible approach.  The 'ykksm-checksum' script reads out the
important fields from the database and computes a SHA-1 hash of it,
and truncates the hash to 10 hex characters and prints them to stdout.

The "important fields" are serial number, public name, internal name
and AES key.

Sample output looks like this, first there is a Unix time (for
freshness) and then is the truncated hash value.

  1284488221
  50f5649b80

The script requires the Perl SHA-1 package.  Install it like this:

[source, sh]
----
user@ksm:~$ sudo apt-get install libdigest-sha1-perl
...
user@ksm:~$ 
----

The typical way to use this is either manually or to run it in a cron
job and output the hash to a file that can be downloaded by a remote
monitor system such as Nagios.  The intention is that you run a check
that downloads this file from all of your KSMs, and the Nagios check
verify that all values are 1) fresh (Unix time is not too old) and 2)
that the truncated hash value is identical on all KSMs.

[source, sh]
----
user@ksm:~$ sudo sh -c 'cat > /etc/cron.hourly/run-ykksm-checksum'
#!/bin/sh
FILE=/var/www/checksum.txt
(date --utc +%s; ykksm-checksum --db-user ykksmreader --db-passwd `grep passwo rd /etc/yubico/ksm/ykksm-config.php|cut -d\  -f3|cut -d\" -f2`) > $FILE.tmp
mv $FILE.tmp $FILE
user@ksm:~$ sudo chmod +x /etc/cron.hourly/run-ykksm-checksum
----

If you notice mismatches, you may want to run ykksm-checksum with the
'-v' parameter on the different hosts and then use 'diff -ur' or
similar tool to compare the outputs.  This should make it possible to
identify the missmatching entries easily.