11.1.1 Prerequisites for Installing Secondary Administration Console

  • Administration Consoles must have their time synchronized. You can ensure this by configuring the machines to use the same network time server for time synchronization.

  • Secondary consoles must be installed on the same operating system as the primary console. For example, if your primary console is installed on Windows, all secondary consoles must be installed on Windows. If your primary console is installed on Linux, all secondary consoles must be installed on Linux.

  • If you are going to install your clustered Identity Servers on the same machines as your primary and secondary consoles, Administration Consoles cannot be configured as a virtual group on an L4 switch. For more information, see Managing Administration Consoles Installed with Clustered Identity Servers.

Managing Administration Consoles Installed with Clustered Identity Servers

You can install the primary Administration Console and Identity Server on the same machine, even when Identity Server is going to be assigned to a cluster of Identity Servers. You can install a secondary Administration Console on another member of the Identity Server cluster. You cannot configure Administration Console as a virtual group on an L4 switch, because the L4 switch interferes with the communication process between Administration Console and Access Manager components. Each Access Manager component knows about its primary and secondary Administration Console, and knows how to communicate directly with each console. The component, rather than an L4 switch, must decide which console to contact.

However, traffic destined for a cluster of components (Identity Servers or Access Gateways) must pass through an L4 switch. Figure 11-1 illustrates this configuration, showing Identity Servers on the same machine as Administration Consoles.

Figure 11-1 Identity Server Clustering with a Secondary Administration Console

  1. Install the primary Administration Console and an Identity Server on one machine by using the Administration Console’s IP address when importing the Identity Server component.

  2. Install the secondary Administration Console and a second Identity Server on another machine by using the primary Administration Console’s IP address when importing the second Identity Server.

  3. Specify the L4 VIP as the DNS for the Identity Server cluster configurations that both Identity Servers use. (See Section 2.2, Configuring Identity Servers Clusters.)