From: Francis Dupont Date: Mon, 12 Apr 2021 08:59:50 +0000 (+0200) Subject: [#1706] Added doc X-Git-Tag: Kea-1.9.7~40 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=bb7e23b000dfb1e8745600f0494a2bff604ab83e;p=thirdparty%2Fkea.git [#1706] Added doc --- diff --git a/doc/sphinx/arm/hooks-ha.rst b/doc/sphinx/arm/hooks-ha.rst index 8ac3f896d9..b80fc5617b 100644 --- a/doc/sphinx/arm/hooks-ha.rst +++ b/doc/sphinx/arm/hooks-ha.rst @@ -197,6 +197,39 @@ clocks and restart the servers. the backup servers is not assessed because the active servers do not exchange heartbeat messages with the backup servers. +.. _ha-https-support: + +HTTPS Support +~~~~~~~~~~~~~ + +Since version 1.9.7 HTTPS is supported by the High Availability hooks +library using the TLS/HTTPS support described in :ref:`tls` where +more details can be found. + +The HTTPS configuration parameters are: + +- the ``trust-anchor`` parameter specifies the name of a file or directory + where the certification authority (CA) certificate of a Control Agent can + be found. + +- the ``cert-file`` parameter specifies the name of the file containing + the end-entity certificate to use. + +- the ``key-file`` parameter specifies the private key of the end-entity + certificate to use. + +These parameters can be configured at the global level and at the peer +level. When configured at both levels the peer value is used allowing +to share common values with possible exceptions. + +The three parameters must be either all not specified (HTTPS disabled) +or all specified (HTTPS enabled). Configure to the empty string is +considered as not specified: this can be used for instance to disable +HTTPS for a particular peer when it is enabled at the global level. + +As the High Availability hooks library is a HTTPS client there is no +``cert-required`` parameter: it is configured at the Control Agent side. + .. _ha-server-states: Server States
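
Review bot: The paragraph saying the three parameters "must be either all not specified (HTTPS disabled) or all specified (HTTPS enabled)" does not say whether that rule is checked on the effective per-peer values after the global values are inherited. The same paragraph describes disabling HTTPS for one peer with an empty string while it is enabled globally, so please state whether such a peer must set all three parameters to the empty string or whether blanking only one of them is a configuration error. Wording in the same hunk: the ``key-file`` item should read "specifies the name of the file containing the private key" to match the ``cert-file`` item; "Configure to the empty string is considered as not specified" would read better as "A parameter set to the empty string is considered not specified"; and "a HTTPS client" should be "an HTTPS client". A short JSON snippet showing the global and peer-level placement of the three parameters would also help, since the text describes both levels but shows neither.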