3.4.3 Setting Up a Cluster

  1. Install the additional Identity Servers.

    During the installation, choose option 2, Install Identity Server, from CD 1 of the Access Manager installation discs. Specify the IP address of each additional Identity Server and the Administration Console credentials. If you are installing on a machine that does not host Administration Console, the installation prompts you for Administration Console’s IP address. After the installation, each new Identity Server is listed on the Servers page under Identity Servers.

  2. Assign Identity Servers to the same cluster configuration.

    For more information about assigning servers to a configuration, see Assigning an Identity Server to a Cluster Configuration.

  3. Ensure that the DNS name in the base URL of the Identity Server cluster configuration resolves to the virtual IP address (VIP) of the L4 switch, not to an individual Identity Server.

  4. Click Devices > Identity Servers, then click the configuration name you created for the cluster.

  5. On the Cluster Details page, click the configuration name.

  6. Specify the following details as required:

    Name: Lets you change the name of Identity Server cluster configuration.

    Cluster Communication Backchannel: Provides a communications channel over which the cluster members maintain the integrity of the cluster. For example, this TCP channel is used to detect new cluster members as they join the cluster, and to detect members that leave the cluster. A small percentage of this TCP traffic is used to help cluster members determine which cluster member would best handle a given request. This back channel must not be confused with the IP address/port over which cluster members provide proxy requests to peer cluster members.

    • Port: Specifies the TCP port of the cluster back channel on all of Identity Servers in the cluster. 7801 is the default TCP port.

    • Encrypt: Encrypts the content of the messages that are sent between cluster members. Enable this unless the back channel runs on an isolated, trusted network segment; otherwise membership and load-balancing messages cross the network in cleartext.

    Level Four Switch Port Translation: Provides an alternative to using iptables when you want clients to connect to port 443 on the L4 switch while the cluster members listen on port 8443. This option only works if no firewalls separate Identity Servers from each other and the L4 switch supports port translation. To use this option, configure the base URL to use port 443, then configure the following options:

    • Port translation is enabled on switch: Indicates that L4 switch has been configured to support port translation and that incoming traffic is using a different port than the cluster members.

    • Cluster member translated port: Specifies the port the cluster members are configured to use. The default is 8443, Identity Server’s HTTPS port.

    If firewalls separate your Identity Servers, or your L4 switch does not support port translation, use iptables on each Identity Server to redirect port 443 to 8443 instead. For more information, see Translating Identity Server Configuration Port in the NetIQ Access Manager 4.4 Installation and Upgrade Guide.

    IDP Failover Peer Server Count: Enables session failover. For more information about this feature, see Configuring Session Failover.

  7. Click OK.

  8. Under Cluster Members, you can refresh, start, stop, and assign servers to Identity Server configurations.

  9. Click OK, then update Identity Server as prompted.
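The procedure above leaves three things for the administrator to verify by hand: that the base URL resolves to the L4 VIP (step 3), that every member actually listens on the port the cluster configuration implies (the base URL port, or the translated port 8443 when switch port translation is on), and that the back channel port (default 7801) is reachable. The following pre-flight script, an added example that is not NetIQ code and does not use any Access Manager API, checks all three against a cluster definition. Host names, addresses and ports are constructed for illustration; the `resolve` and `connect` parameters exist so the same logic can be run offline with fake lookups, as the demo at the bottom does.

```python
"""Pre-flight checks for an Identity Server cluster behind an L4 switch.

Added example, not NetIQ code. Checks: the base URL's DNS name resolves to
the L4 VIP, every member answers on its real HTTPS port (8443 when switch
port translation is on, else the base URL port), the VIP answers on the
public port, and the cluster back channel (default TCP 7801) is reachable.
All names, addresses and ports used in the demo are constructed.
"""
import socket
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple
from urllib.parse import urlsplit

DEFAULT_HTTPS_PORT = 443
DEFAULT_TRANSLATED_PORT = 8443      # Identity Server's own HTTPS port
DEFAULT_BACKCHANNEL_PORT = 7801     # cluster back channel default


@dataclass
class ClusterConfig:
    base_url: str
    l4_vip: str
    members: List[str]              # IP addresses of the Identity Servers
    port_translation: bool = False  # "Port translation is enabled on switch"
    translated_port: int = DEFAULT_TRANSLATED_PORT
    backchannel_port: int = DEFAULT_BACKCHANNEL_PORT
    backchannel_encrypted: bool = True  # the "Encrypt" option


def parse_base_url(base_url: str) -> Tuple[str, int]:
    """Return (hostname, port) of the cluster base URL; https is required."""
    parts = urlsplit(base_url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("base URL must be https://host[:port]/...: %s" % base_url)
    return parts.hostname, parts.port or DEFAULT_HTTPS_PORT


def member_https_port(cfg: ClusterConfig) -> int:
    """Port the members must listen on: the base URL port, unless the L4
    switch translates it, in which case the members' translated port."""
    _, base_port = parse_base_url(cfg.base_url)
    return cfg.translated_port if cfg.port_translation else base_port


def default_resolve(host: str) -> List[str]:
    return sorted(set(socket.gethostbyname_ex(host)[2]))


def default_connect(addr: str, port: int, timeout: float = 2.0) -> bool:
    try:
        with socket.create_connection((addr, port), timeout=timeout):
            return True
    except OSError:
        return False


def preflight(cfg: ClusterConfig,
              resolve: Callable[[str], List[str]] = default_resolve,
              connect: Callable[..., bool] = default_connect
              ) -> Dict[str, Tuple[bool, str]]:
    """Return {check: (passed, detail)}; never raises on a failed check."""
    results = {}
    host, base_port = parse_base_url(cfg.base_url)

    # Step 3: the cluster's DNS name must point at the L4 VIP, not a member.
    addrs = resolve(host)
    results["dns_is_vip"] = (addrs == [cfg.l4_vip], "%s -> %s" % (host, addrs))

    # Switch port translation requires the base URL to use port 443.
    results["translation_base_port"] = (
        not cfg.port_translation or base_port == DEFAULT_HTTPS_PORT,
        "base URL port %d with translation=%s" % (base_port, cfg.port_translation))

    # Each member must serve the port the configuration implies.
    port = member_https_port(cfg)
    down = [m for m in cfg.members if not connect(m, port)]
    results["members_https"] = (not down, "port %d unreachable on %s" % (port, down))

    # The VIP must answer on the public port clients use.
    results["vip_https"] = (connect(cfg.l4_vip, base_port),
                            "%s:%d" % (cfg.l4_vip, base_port))

    # Every member must be reachable on the back channel port.
    bc_down = [m for m in cfg.members if not connect(m, cfg.backchannel_port)]
    results["backchannel"] = (not bc_down,
                              "port %d unreachable on %s" % (cfg.backchannel_port, bc_down))

    # Configuration finding, not a reachability test.
    results["backchannel_encrypt"] = (cfg.backchannel_encrypted, "Encrypt option")
    return results


if __name__ == "__main__":
    # Constructed lab: two members behind VIP 10.0.0.10, translation enabled,
    # and the back channel to 10.0.0.12 blocked by a firewall.
    cfg = ClusterConfig("https://idp.example.test", "10.0.0.10",
                        ["10.0.0.11", "10.0.0.12"], port_translation=True)
    fake_dns = {"idp.example.test": ["10.0.0.10"]}
    open_ports = {("10.0.0.10", 443), ("10.0.0.11", 8443), ("10.0.0.12", 8443),
                  ("10.0.0.11", 7801)}
    report = preflight(cfg, resolve=lambda h: fake_dns.get(h, []),
                       connect=lambda a, p, timeout=2.0: (a, p) in open_ports)
    for name, (ok, detail) in report.items():
        print("%-22s %s  %s" % (name, "PASS" if ok else "FAIL", detail))
```

Run it with the default `resolve` and `connect` from a host that can reach the cluster (for example one of the members) to test the real deployment; the fake lookups in the demo exist only so the logic can be exercised without a network. A failed `dns_is_vip` usually means the base URL still points at the first Identity Server installed; a failed `backchannel` on one member means that member will not join the cluster even though it serves HTTPS.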

Real Server Settings Example

Virtual Server Settings Example