7.0 Configuring a Cluster

In a production environment, you must use more than one Advanced Authentication server for fault tolerance and redundancy. For load balancing, see Installing a Load Balancer for Advanced Authentication Cluster.

In Advanced Authentication, a cluster consists of sites. Each site is installed in a specific geographical location and contains the following:

  • A DB Master server

  • One or two DB servers that are used only for backup and fail-over

  • A maximum of 6 Web servers without a database, used in combination with a third-party load balancer for load balancing.

All these servers handle the authentication requests from clients of the same location. The Advanced Authentication server that you deploy first gets the Global Master and Server Registrar roles.


To configure an Advanced Authentication cluster, perform the following steps:

  1. Click Cluster in the Administration portal.

  2. You must create a Global Master. Click Set up Global Master to create a Global Master.

  3. Specify the Global site name in Enter name of the site. Renaming is not supported. The Global site name must be in lower case and can contain Latin characters, digits, and underscores.

  4. Click OK.

    In DB servers, the following information about each server in the list is displayed:

    • Site: Name of the site.

    • Mode: Mode of the server. The options are:

      • Global Master

      • DB Master

      • DB Server-1

      • DB Server-2

    • Host: IP address of the host.

    • Desc: Status of the server. Click the edit icon to add or edit the description.

    • Heartbeat: Time of the last ping. Each server is pinged every 5 minutes.

      IMPORTANT: Ensure that you take regular snapshots of all the DB servers at the same time, or clone them, to protect the environment from hardware issues or accidental failures. It is recommended to do this in the following scenarios:

      • Each time you change the configuration of repositories, methods, chains, events, and policies.

      • After performing the enrollment.

        In large companies, enrollment can take place daily as a mass enrollment. In such scenarios, create snapshots regularly (for example, fortnightly or monthly).

      • When you are adding or removing servers in the cluster.

      • Before you upgrade Advanced Authentication servers in the environment.

      You can convert a DB server of the primary site to a Global Master server, or a DB server of a site to a DB Master server of the same site. You must update the DNS settings after the conversion. If the Global Master and the DB servers of the primary site are lost, you cannot replace them.

      NOTE: All the servers in a cluster must have the same version.

  5. Click Register new site if your company is geographically distributed and you want to deploy a DB Master server in another site. For information about creating a new site, see Registering a New Site.

  6. Click Register new server to register a new server in one of the existing sites. For information about registering a new server, see Registering a New Server.

IMPORTANT: For replication to work, the Advanced Authentication servers must have the same time. Ensure that NTP port 123 (UDP) is open on your corporate firewalls so that the Advanced Authentication servers can synchronize time with the predefined NTP servers, or specify your internal NTP servers.

If you have configured a cluster and you receive a replication conflict, see Resolving Conflicts.

NOTE: If you delete the DB Master server of a site from the Cluster page of the Global Master, there is no provision to add it back. The deleted DB Master server of that site loses connection to the other servers, and this is replicated across the sites. You must deploy the DB Master server of that site again.

For example, a cluster consists of three sites: Site1, Site2, and Site3. The Global Master server is in Site1. Site2 and Site3 have DBM1 and DBM2, respectively. If you delete DBM1 from Site2, you cannot add DBM1 back to the cluster.
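As an added example (not part of the product documentation), the following check audits a recorded cluster inventory against the rules stated above: exactly one Global Master, one master per site, at most two DB servers and six Web servers per site, the same version on every server, and a heartbeat no older than a couple of 5-minute intervals. The CSV layout, the version column and the "Web" mode label are assumptions of the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
HEARTBEAT_INTERVAL = timedelta(minutes=5)  # each server is pinged every 5 minutes
MAX_DB_SERVERS = 2                         # backup/fail-over DB servers per site
MAX_WEB_SERVERS = 6                        # web servers without a database per site
# Constructed sample inventory, not product output. Columns: site, mode, host, version,
# last heartbeat. The version column and the "Web" mode label are assumptions of this example.
INVENTORY = """\
site1,Global Master,10.0.1.10,6.3.5,2024-05-01T10:00:00
site1,DB Server-1,10.0.1.11,6.3.5,2024-05-01T10:01:00
site1,Web,10.0.1.20,6.3.5,2024-05-01T10:02:00
site2,DB Master,10.0.2.10,6.3.5,2024-05-01T10:00:30
site2,DB Server-1,10.0.2.11,6.3.4,2024-05-01T09:20:00
"""

def parse_inventory(text):
    rows = []
    for line in text.splitlines():
        site, mode, host, version, beat = line.split(",")
        rows.append({"site": site, "mode": mode, "host": host, "version": version,
                     "heartbeat": datetime.fromisoformat(beat)})
    return rows

def check_cluster(rows, now_iso, missed_beats=2):
    """Return findings as strings; an empty list means the inventory matches the rules."""
    now = datetime.fromisoformat(now_iso)
    findings = []
    # The first deployed server holds the Global Master role; there must be exactly one.
    if sum(r["mode"] == "Global Master" for r in rows) != 1:
        findings.append("cluster must have exactly one Global Master")
    versions = sorted({r["version"] for r in rows})
    if len(versions) > 1:  # all servers in a cluster must run the same version
        findings.append("version mismatch across cluster: " + ", ".join(versions))
    by_site = defaultdict(list)
    for r in rows:
        by_site[r["site"]].append(r)
    for site, servers in by_site.items():
        modes = [s["mode"] for s in servers]
        # The Global Master is the master of the primary site; every other site needs one DB Master.
        if modes.count("Global Master") + modes.count("DB Master") != 1:
            findings.append(f"{site}: expected exactly one master server")
        if sum(m.startswith("DB Server") for m in modes) > MAX_DB_SERVERS:
            findings.append(f"{site}: more than {MAX_DB_SERVERS} DB servers")
        if modes.count("Web") > MAX_WEB_SERVERS:
            findings.append(f"{site}: more than {MAX_WEB_SERVERS} web servers")
    for r in rows:  # a heartbeat older than a few intervals means the server is unreachable
        if now - r["heartbeat"] > missed_beats * HEARTBEAT_INTERVAL:
            findings.append(f"{r['site']}/{r['host']}: stale heartbeat, last seen {r['heartbeat']}")
    return findings
```

Run `check_cluster(parse_inventory(INVENTORY), "2024-05-01T10:05:00")` to see the two findings the sample inventory triggers: a version mismatch and a stale heartbeat on site2's DB server.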

Performing a Health Check of the Advanced Authentication Servers

You can use the API to configure third-party tools to perform a health check of the Advanced Authentication servers.