On Sun, Jan 24, 2010 at 7:40 AM, J R <jayare...@hotmail.com> wrote:
> I don't know EKM. However, in general, you should be able to hardcode
> the IP address in your configuration file or, better, in local host tables.
>
> Although hardcoding sounds less flexible, it has to be done somewhere -
> either locally or on a DNS server.

Assuming SSL is used to fetch the keys, it has to be in host tables -- you can't do SSL using IP, you need the hostname to match the certificate. Doing it in host tables breaks the DNS model, of course, since it means that DNS isn't centralized.

Depending on flexibility of the rest of the solution, it *might* be possible to list an alternative hostname in /etc/hosts or equivalent, and use that if/when the primary isn't available. I'd investigate that, to avoid a problem when the real EKM IP changes and things break again.

If this works, then your exposure is that the real EKM IP changes and the real DNS is down, at which point you'll still have a problem. That might be avoided by having some non-critical process test the connectivity daily using the alternative name: then you'd notice the change and have time to deal with it.
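
The daily check suggested in the reply above, sketched as an added example that is not part of the original post: it compares the address pinned for the alternative name in the hosts table with what the resolver currently returns for the primary name, so a changed EKM address is noticed while DNS is still up. The host names `ekm.example.internal` and `ekm-alt.example.internal`, the sample hosts table and the status strings are assumptions made for illustration.

```python
import socket
import sys

# Constructed sample hosts table; the names and address are hypothetical.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
# fallback entry for the key manager
192.0.2.10  ekm-alt.example.internal ekm-alt   # pinned by hand
"""

def hosts_addresses(hosts_text, name):
    """Return the set of addresses a hosts table maps to `name`."""
    found = set()
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments, split columns
        names = [f.lower() for f in fields[1:]]
        if name.lower() in names:
            found.add(fields[0])
    return found

def dns_addresses(name):
    """Resolve `name` with the system resolver; empty set if that fails.
    Assumes the primary name itself is not listed in the hosts table."""
    try:
        infos = socket.getaddrinfo(name, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}

def check_fallback(hosts_text, alt_name, primary_name, resolve=dns_addresses):
    """Classify the state of the hosts-table fallback entry."""
    pinned = hosts_addresses(hosts_text, alt_name)
    if not pinned:
        return "NO_FALLBACK"      # nothing to fall back to
    live = resolve(primary_name)
    if not live:
        return "DNS_DOWN"         # cannot compare; fallback is all there is
    if pinned & live:
        return "OK"               # pinned address still served by DNS
    return "STALE"                # address changed: update the hosts table

if __name__ == "__main__":
    with open("/etc/hosts") as fh:
        status = check_fallback(fh.read(), "ekm-alt.example.internal",
                                "ekm.example.internal")
    print(status)
    sys.exit(0 if status == "OK" else 1)
```

Run from a daily scheduler, the non-zero exit status on anything other than `OK` is what gives the warning time the reply describes.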