3.3. Change Domain settings

A Trisul distributed domain is identified by :

a set of two network endpoints
a certificate+key pair

When you first install Trisul it creates a domain0 that uses Unix Sockets as endpoints. So by default, the Trisul-Hub and Trisul-Probe will run on the same physical box. This page describes how you can generate a new Domain Certificate to modify these settings.

3.3.1 IPC vs TCP domain

Trisul uses ZeroMQ (0MQ) as the underlying transport layer. As mentioned above, the default install of Trisul uses IPC Unix Sockets for domain0, the default domain.

In the figure below, the domain0 uses Unix Sockets identified by the 0MQ connection strings ipc:///usr/local/var..

The figure below shows a open distributed domain that uses TCP ports 14000 and 14001 identified by the 0MQ connection strings that start with tcp://10.1.18.102:14001

3.3.2 domain0.cert – the certificate file

Domain information is encoded in the Domain Certificate File that can be found at
/usr/local/etc/trisul-hub/domain0/domain0.cert


$ cat /usr/local/etc/trisul-hub/domain0/domain0.cert

#   ****  Generated on 2016-07-27 20:52:08 by CZMQ  ****
#   ZeroMQ CURVE Public Certificate
#   Exchange securely, or use a secure mechanism to verify the contents
#   of this file after exchange. Store public certificates in your home
#   directory, in the .curve subdirectory.

metadata
    domain-id = "domain0"
    domain-backend = ipc:///tmp/ctl_router_be
    domain-frontend = ipc:///tmp/ctl_router_fe
    domain-description = "Default Trisul Demo Domain"
curve
    public-key = "?$*:Ze]{UxMgkRM[K[{FmmEc@wq:P4p)+#qT0c5d"

On the hub node there is another file called the domain0.cert_secret representing the private key file.

3.3.3 Switching to a distributed domain

Changes to the domain settings just involve regenerating a new cert+key pair — a new pair of files domain0.cert and domain0.cert_secret.

The following instructions tell you how to generate and install a new certificate that switches from a default IPC domain to an Open TCP domain.

Stop the domain and all contexts

This stops all Trisul processes on all nodes and then stops the domain0 processes.
```
$ sudo trisulctl_hub

stop context all
stop domain
quit
```

Remove the old domain0.cert key pair

Remove the old certs from the share directory.


sudo rm /usr/local/share/trisul-hub/domain0.cert
sudo rm /usr/local/share/trisul-hub/domain0.cert_secret

Create a new domain0 key pair

Use trisulctl_hub create domain to create a new certificate+key pair with different TCP endpoints.

You enter the following information

Domain ID	use `domain0` – we’re trying to create a new cert
Domain Description	a text description of the domain, goes in the cert file
Socket 1 (frontend)	A TCP socket ; eg tcp://192.168.2.76:12001. This is in ZeroMQ format
Socket 2 (backend)	A TCP socket ; eg 12002. Use a local IP

A run would look like this


unpl@ubuntu:~$ sudo trisulctl_hub 

trisul_hub:ubuntu(domain0)> create domain

** CREATE DOMAIN ** 
This will create a new Trisul Network Analytics distributed domain ** 

Enter Domain ID (format=domain<number>)  : domain0 
Enter Description : Titanium products Trisul domain0

Now you will be asked to enter TWO TCP/IP Ports for use by the domain 
For TCP Ports    :  Format is  tcp://ip address:12500 ( eg : tcp://127.0.0.1:12500  ) 

Enter Socket 1 (frontend)  : tcp://10.1.119.2:12000
Enter Socket 2 (backend)   : tcp://10.1.119.2:12001


Wrote certificate and key files for domain domain0 in /usr/local/share/trisul-hub/
You may install the new domain now using 'install domain /usr/local/share/trisul-hub/domain0.cert' 
trisul_hub:ubuntu(domain0)> 
trisul_hub:ubuntu(domain0)>

Sharing domain0.cert
Keep the domain0.cert certificate file in /usr/local/share/trisul-hub. You need to share this cert with any new probes you may deploy.

Install the new domain certificate

The new domain files have been placed at :
1. /usr/local/share/trisul-hub/domain0.cert – Cert
2. /usr/local/share/trisul-hub/domain0.cert_secret – Private key

Next you need to install the domain certificate on all probes and hub nodes.
- share the /usr/local/share/trisul-hub/domain0.cert offline with all probe nodes
- install new domain cert on hub0
```
 sudo trisulctl_hub install domain /usr/local/share/trisul-hub/domain0.cert 
```
  say YES if it asks you if you want to “Update the existing domain0 certificate”
- install the new domain cert on each probe. The domain0.cert in this example is placed in the mycerts directory
```
sudo trisulctl_probe install domain /home/unpl/mycerts/domain0.cert 
```
- then restart domain on all nodes
```
 

sudo trisulctl_probe restart domain

sudo trisulctl_hub restart domain

	
```
Use trisulctl commands list nodes and info context to check if all nodes have joined the new domain.

3.3. Change Domain settings

3.3.1 IPC vs TCP domain

3.3.2 domain0.cert – the certificate file

3.3.3 Switching to a distributed domain

Stop the domain and all contexts

Remove the old domain0.cert key pair

Create a new domain0 key pair

Install the new domain certificate