3.7 Configuring a Cluster

The Advanced Authentication Server that is deployed first gets the Global Master and Server Registrar roles.

In a production environment, you must use more than one Advanced Authentication Server for fault tolerance, load balancing, and redundancy. To configure an Advanced Authentication Cluster, switch to the Cluster section in the Advanced Authentication Administrative Portal.

On the Advanced Authentication Server Registrar, a message Replication not configured is displayed along with the following text:

Click the button below to start new cluster. This server will then become the Global Master. It will register new servers.

  • The cluster consists of Sites.

  • Every site has a DB Master, DB Servers and Web Servers, located in the same data center. In load-balancing terms, a site is a "web farm" or "server pool".

  • The Global Master is the first Master of the first site. There is exactly one Global Master in the cluster; it manages all the sites.

To configure the Global Master, perform the following steps:

  1. Click Set up Global Master.

  2. Specify the Global site name in Enter name of the site. Renaming is not supported. The Global site name must be in lower case and can contain only Latin characters, digits, and underscores. Click OK.

  3. A This server block is displayed that contains the following information:

Mode:

Global Master, <site name>

Replication:

replicating

 

Configured and running.

DB in use:

127.0.0.1

 

Master connects to local DB always. DB Servers and Web Servers connect to Master DB. They connect to DB Server when Master is not accessible.

DB available:

<Registrar_host_name> (Global Master)

Below the block, an All DB servers in the cluster table is displayed, initially with only one server (the Global Master). For each server in the list, the following information is displayed:

  • Site name

  • Mode (Global Master, DB Master, DB Server-1, DB Server-2)

  • Host name

  • Description

  • Heartbeat. Each server is pinged every 5 minutes. The time of the last ping is displayed.

If your company is geographically distributed and you want to deploy the Advanced Authentication Servers to every site, click Registering a New Site.

If you want to register a new server in one of the existing sites, click Registering a New Server.

If you have already configured a cluster and you receive a replication conflict, click Resolving Conflicts.

3.7.1 Registering a New Site

To register a new site and deploy a DB Master server in the site, perform the following steps:

  1. Ensure that you have administrator privileges to access the Advanced Authentication Server Registrar and you have installed but not configured an Advanced Authentication server appliance for a DB Server in the new site.

  2. Open the database port <Registrar_host_name>:5432 on your NAT/Firewall.

  3. Open the Advanced Authentication Configuration Wizard of the newly installed server: https://<New_Server_host_name>.

  4. In the first Server Mode step of the Configuration Wizard, select Existing cluster. Click Next.

  5. In the DNS hostname step, specify the server DNS hostname in My DNS hostname. Click Next.

    WARNING: You must specify a DNS hostname instead of an IP address because the appliance does not support changing its IP address.

  6. In the Import database information step, a message Waiting for Global Master.... is displayed.

  7. Switch to the Advanced Authentication - Administrative Portal of the Advanced Authentication Server Registrar and, in the Cluster section, click Register new site.

  8. In the Register new site window, specify a host name for the new DB Server in the new site in Master server host.

    HINT: If the new server is behind NAT, you can forward its port 443 on a temporary basis and enter external hostname:port. Do not forget to close the port after installation.

  9. Specify a name of the new site in Site name.

  10. Click Register.

  11. After successful registration, a message Success! Continue server install is displayed. In the DB servers list, the DB Master server for the newly created site is displayed. The record is marked in red and Waiting this node to contact me is displayed in its description.

  12. Switch to the new server and click Next.

  13. In the Copy database step click Copy.

  14. Wait until the database has been copied from the Global Master server. The server restarts automatically within 60 seconds after the copy completes.

  15. Switch to the Advanced Authentication Server Registrar. The newly deployed server is displayed in the DB servers list and may appear in red within the first 5 minutes after installation.

    NOTE: Each DB server in the list is pinged every 5 minutes. If there is an issue, the server is marked in red in the list; you can get the details of connectivity issues by clicking View log and of replication issues by clicking Conflicts.

  16. Close the database port <Registrar_host_name>:5432 on your NAT/Firewall.

    NOTE: You must install new servers one at a time. Simultaneous installations may cause replication issues. The inter-site replication interval is 10 seconds.
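The procedure above constrains two operator inputs (the new server must be entered by DNS hostname, and a site name cannot be renamed later and must consist of lower-case Latin letters, digits and underscores) and requires the Registrar's database port 5432 to be closed again once the copy finishes. The following script, added here as an illustration and not part of the Advanced Authentication product or its documentation, validates those inputs before you click Register and confirms afterwards that port 5432 is no longer reachable. The host names, the function names and the injectable `connect` parameter are this example's own assumptions.

```python
"""Pre-flight and post-install checks for registering a new site.

Added example; not code from Advanced Authentication. It checks the inputs
the procedure constrains and whether the temporarily opened database port
on the Registrar is closed again after the install.
"""
import ipaddress
import re
import socket

DB_PORT = 5432                                   # Registrar database port opened in step 2
SITE_NAME_RE = re.compile(r"[a-z0-9_]+")         # lower case Latin, digits, underscores
LABEL_RE = re.compile(r"[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?")


def is_dns_hostname(value: str) -> bool:
    """True only for a DNS name; IPv4/IPv6 literals are rejected (see the WARNING)."""
    try:
        ipaddress.ip_address(value)
        return False                             # an IP literal is not acceptable
    except ValueError:
        pass
    if not 0 < len(value) <= 253:
        return False
    return all(LABEL_RE.fullmatch(label) for label in value.rstrip(".").split("."))


def is_valid_site_name(value: str) -> bool:
    """Site names cannot be renamed, so reject anything outside the allowed set up front."""
    return SITE_NAME_RE.fullmatch(value) is not None


def tcp_port_open(host: str, port: int, timeout: float = 2.0, connect=None) -> bool:
    """True if host:port accepts a TCP connection.

    `connect` (assumed helper) can be injected to make the check testable offline;
    by default a real connection attempt is made.
    """
    if connect is None:
        def connect(h, p):
            try:
                with socket.create_connection((h, p), timeout=timeout):
                    return True
            except OSError:                      # refused, timed out, or name not resolvable
                return False
    return connect(host, port)


def preflight(new_server_host: str, site_name: str) -> list:
    """Problems that would make registration fail or leave a mistake you cannot rename away."""
    problems = []
    if not is_dns_hostname(new_server_host):
        problems.append(f"Master server host {new_server_host!r} must be a DNS hostname, not an IP address")
    if not is_valid_site_name(site_name):
        problems.append(f"Site name {site_name!r} must contain only lower-case Latin letters, digits and underscores")
    return problems


def postinstall(registrar_host: str, connect=None) -> list:
    """Step 16 check: the database port must be closed on the NAT/firewall again."""
    problems = []
    if tcp_port_open(registrar_host, DB_PORT, connect=connect):
        problems.append(f"{registrar_host}:{DB_PORT} is still reachable; close it on the NAT/firewall")
    return problems


if __name__ == "__main__":
    # Constructed sample values, not real hosts.
    print(preflight("aa-db-master.site2.example.com", "site2"))
    print(preflight("10.0.0.5", "Site-2"))
    print(postinstall("aa-registrar.example.com"))   # performs a real connection attempt
```

Run `postinstall` from the network position of the new server (the one that needed the port during the copy), since a firewall rule that was opened for that path is what the check is meant to catch.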

3.7.2 Registering a New Server

To deploy a new DB Server or a Web Server in an existing site, perform the following steps:

  1. Ensure that you have administrator privileges to access the Advanced Authentication Server Registrar and you have installed but not configured the Advanced Authentication server appliance for the new server.

  2. Open the database port <Registrar_host_name>:5432 on your NAT/Firewall if you are deploying a DB Server.

  3. Open the Advanced Authentication Configuration Wizard of the newly installed server: https://<New_Server_host_name>.

  4. In the first Server Mode step of the Configuration Wizard, select Existing cluster. Click Next.

  5. In the DNS hostname step, specify the server DNS hostname in My DNS hostname. Click Next.

    WARNING: You must specify a DNS hostname instead of an IP address because the appliance does not support changing its IP address.

  6. In the Import database information step, a message Waiting for Global Master.... is displayed.

  7. Switch to the Advanced Authentication - Administrative Portal of the Advanced Authentication Server Registrar and, in the Cluster section, click Register new site.

  8. In the Register new server window, specify the new server's host name in Server host.

    HINT: If the new server is behind NAT, you can forward its port 443 on a temporary basis and enter external hostname:port. Do not forget to close the port after installation.

  9. Select one of the following servers:

    • Web Server: It does not contain a database. It responds to authentication requests and connects to the DB Master database. Add more Web Servers to serve a higher workload.

    • DB Server: It provides a DB Slave database that is used for backup and fail-over. Two DB Slave servers are allowed within the site. When the DB Master is unavailable, the DB Slave node responds to the database requests. When the DB Master becomes available again, the DB Slave node synchronizes with the DB Master and the DB Master becomes the primary point of contact for database requests again.

    NOTE: If you select DB Server, the database must be copied from the Global Master. Open the database port <Registrar_host_name>:5432 on your NAT/Firewall. Do not forget to close the port after installation.

  10. Select the site to which you want to add the new server from the Add server to the site drop-down menu.

  11. Click Register.

  12. Switch to the new server and click Next.

  13. If you selected DB Server, in the Copy database step click Copy. Wait until the database has been copied from the Global Master server.

  14. The server restarts automatically within 60 seconds after the copy completes.

  15. If you selected DB Server, switch to the Advanced Authentication Server Registrar. The newly deployed server is displayed in the DB servers list and may appear in red within the first 5 minutes after installation.

    NOTE: Each DB server in the list is pinged every 5 minutes. If there is an issue, the server is marked in red in the list; you can get the details of connectivity issues by clicking View log and of replication issues by clicking Conflicts.

  16. Close the database port <Registrar_host_name>:5432 on your NAT/Firewall if you opened it.

    NOTE: You must install new servers one at a time. Simultaneous installations may cause replication issues.

3.7.3 Resolving Conflicts

If a conflict occurs, replication between the conflicting servers stops. Replication uses a "last-write-wins" policy. A conflict can occur for one of the following reasons:

  • During an upgrade, when a new server communicates with an old server.

  • When two unique objects have been added, for example the same named object created independently on two servers.

An outgoing conflict on one server corresponds to an incoming conflict on the destination server. A unique object collision therefore causes two conflicts on each side: an incoming and an outgoing conflict on both the source and the target server.

An example of a collision: MasterX and MasterY both create a login chain named 'Visitor'. This leads to a conflict because each server tries to send its 'Visitor' to the other.

You can resolve the conflict in one of the following ways:

Simplest way: two fixes remove both objects:

  • Remove the Visitor chain on both servers: press "Fix incoming" on both.

  • Press "Forget outgoing" on both servers.

  • Use this for INSERT conflicts. Be careful when "fixing" an UPDATE conflict: you could have renamed two different objects to the same name. In that case it is better to rename them and forget the conflicts on both servers rather than fix them.

Smarter way: fix one, forget the other:

  • Remove Visitor on MasterY: press "Fix incoming".

  • Press "Forget outgoing" on MasterY. MasterY then no longer retries sending its conflicting Visitor.

  • Press "Forget incoming" on MasterX.

  • Wait for half a minute. MasterY accepts the outgoing Visitor from MasterX.

Possible way: two outgoing forgets, keeping two independent objects:

Use this for UPDATE conflicts. The conflicting object changes are lost but are synchronized on the next change to the object.

Zero way: two incoming forgets:

This achieves nothing: the source server re-sends the changes until you forget the outgoing conflict.

Advanced Authentication scans for replication conflicts automatically. To resolve existing conflicts, in the Cluster section of the Advanced Authentication Server Registrar, click Conflicts above the DB servers list. If no conflicts are detected, only an informational message is displayed. If there are conflicts, their details and the controls to resolve them are displayed. You get a confirmation request with each action; the confirmation contains notes that help you resolve the conflict.
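The incoming/outgoing pairing and the four resolution paths above are easier to reason about against a small model. The following Python script is an added illustration written for this page, not code from Advanced Authentication; it models two DB Masters that replicate INSERTs of objects with a unique name (the 'Visitor' login chain from the example), the conflict pair a collision creates on each side, and the Fix incoming, Forget incoming and Forget outgoing controls. The object model, the ids and the function names are this example's own assumptions, not the product's schema, and UPDATE conflicts are deliberately left out.

```python
"""Model of INSERT-collision conflicts between two replicating DB Masters.

Added example; not code from Advanced Authentication. The Master class, its
fields and the replicate() rules are constructed to mirror the behaviour the
documentation describes, nothing more.
"""
from dataclasses import dataclass, field
import itertools

_ids = itertools.count(1)


@dataclass
class Obj:
    oid: int    # id assigned by the creating server; two 'Visitor' objects have different oids
    name: str   # unique name, e.g. a login chain name


@dataclass
class Master:
    label: str
    objects: dict = field(default_factory=dict)   # name -> Obj
    outbox: list = field(default_factory=list)    # inserts not yet accepted by the peer
    incoming: set = field(default_factory=set)    # names with an incoming conflict
    outgoing: set = field(default_factory=set)    # names with an outgoing conflict

    def create(self, name: str) -> Obj:
        obj = Obj(next(_ids), name)
        self.objects[name] = obj
        self.outbox.append(obj)
        return obj

    # --- the three controls shown above the DB servers list ---
    def fix_incoming(self, name: str) -> None:
        """Remove the local colliding object and clear the incoming conflict."""
        self.objects.pop(name, None)
        self.incoming.discard(name)

    def forget_incoming(self, name: str) -> None:
        """Clear the flag only; the peer keeps re-sending until it forgets its outgoing conflict."""
        self.incoming.discard(name)

    def forget_outgoing(self, name: str) -> None:
        """Stop retrying to send the conflicting object."""
        self.outbox = [o for o in self.outbox if o.name != name]
        self.outgoing.discard(name)


def replicate(src: Master, dst: Master) -> None:
    """One replication pass from src to dst (between sites this runs every 10 seconds)."""
    for obj in list(src.outbox):
        local = dst.objects.get(obj.name)
        if local is None:                       # accepted: the conflict, if any, is over
            dst.objects[obj.name] = obj
            src.outbox.remove(obj)
            src.outgoing.discard(obj.name)
        elif local.oid == obj.oid:              # already replicated
            src.outbox.remove(obj)
        else:                                   # unique-name collision: conflict on both ends
            dst.incoming.add(obj.name)
            src.outgoing.add(obj.name)


def sync(x: Master, y: Master, rounds: int = 2) -> None:
    for _ in range(rounds):
        replicate(x, y)
        replicate(y, x)


def conflicts(m: Master) -> dict:
    return {"incoming": sorted(m.incoming), "outgoing": sorted(m.outgoing)}


def collide(name: str = "Visitor"):
    """Two masters create the same unique object independently, then replicate."""
    x, y = Master("MasterX"), Master("MasterY")
    x.create(name)
    y.create(name)
    sync(x, y)
    return x, y


def smarter_way(x: Master, y: Master, name: str) -> bool:
    """Fix one, forget the other: keep MasterX's object, drop MasterY's. True if both converge."""
    y.fix_incoming(name)
    y.forget_outgoing(name)
    x.forget_incoming(name)
    sync(x, y)                                  # stands in for 'wait half a minute'
    return name in x.objects and name in y.objects and x.objects[name].oid == y.objects[name].oid


def simplest_way(x: Master, y: Master, name: str) -> bool:
    """Two fixes remove both objects; True if the name is gone on both sides."""
    for m in (x, y):
        m.fix_incoming(name)
        m.forget_outgoing(name)
    sync(x, y)
    return name not in x.objects and name not in y.objects


if __name__ == "__main__":
    x, y = collide()
    print("after collision:", conflicts(x), conflicts(y))
    print("smarter way converged:", smarter_way(x, y, "Visitor"), conflicts(x), conflicts(y))
```

The "zero way" falls out of the model as well: forgetting the incoming conflict on both sides clears the flags, but the next replication pass raises them again because each outbox still holds its object.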