3.2 Clustering Identity Servers

A cluster of Identity Servers should reside behind a Layer 4 (L4) switch. Clients access the virtual IP address of the cluster presented on the L4 switch, and the L4 switch alleviates server load by balancing traffic across the cluster. If your Identity Server is on the same machine as an Administration Console, and your second Identity Server is on the same machine as a secondary Administration Console, ensure that you are familiar with Section 3.1, Installing Secondary Versions of the Administration Console before proceeding.

Whenever a user accesses the virtual IP address (port 8080) assigned to the L4 switch, the system routes the user to one of the Identity Servers in the cluster, as traffic necessitates.

The system automatically enables clustering when multiple Identity Servers exist in a group. If only one Identity Server exists in a group, clustering is disabled.

IMPORTANT: Using a DNS round-robin setup instead of an L4 switch for load balancing is not recommended. The DNS solution works only as long as all members of the cluster are working and in a good state. DNS performs no health checks, so if one member goes down and traffic is still sent to it, the cluster as a whole stops functioning correctly and all devices using the cluster start generating errors.

This section describes how to set up and manage a cluster of Identity Servers:

3.2.1 Configuration Notes

Services of the Real Server

A user’s authentication remains on the real (authentication) server cluster member that originally handled the user’s authentication. If this server malfunctions, all users whose authentication data resides on this cluster member must reauthenticate unless you have enabled session failover. For more information about this feature, see Configuring Session Failover in the Novell Access Manager 3.1 SP5 Identity Server Guide.

Requests that require user authentication information are processed on this server. When the system identifies a server as not being the real server, the HTTP request is forwarded to the appropriate cluster member, which processes the request and returns it to the requesting server.

A Note about Service Configuration

If your L4 switch can perform both SSL and non-SSL health checks, you should configure the L4 switch only for the services that you are using in your Access Manager configuration. For example, if you configure the SSL service and the non-SSL service on the L4 and the base URL of your Identity Server configuration is using HTTP rather than HTTPS, the health check for the SSL service fails. The L4 switch then assumes that all the Identity Servers in the cluster are down. Therefore, make sure you enable only the services that are also enabled on the Identity Server.

A Note about Alteon Switches

When you configure an Alteon switch for clustering, direct communication between real servers must be enabled. If direct access mode is not enabled when one of the real servers tries to proxy another real server, the connection fails and times out.

To enable direct communication on the Alteon:

  1. Go to cfg > slb > adv > direct.

  2. Specify e to enable direct access mode.

3.2.2 Prerequisites

  • An L4 server installed. You can use the same server for Identity Server clustering and Access Gateway clustering, provided that you use different virtual IPs. The LB algorithm can be anything (hash/sticky bit), defined at the Real server level.

  • Persistence (sticky) sessions enabled on the L4 server. You usually define this at the virtual server level.

  • An Identity Server configuration created for the cluster. You assign all the Identity Servers to this configuration. See Creating a Cluster Configuration in the Novell Access Manager 3.1 SP5 Identity Server Guide for information about creating an Identity Server configuration. See Assigning an Identity Server to a Cluster Configuration in the Novell Access Manager 3.1 SP5 Identity Server Guide for information about assigning Identity Servers to configurations.

    The base URL DNS name of this configuration must resolve via DNS to the L4 virtual IP address. The L4 switch balances the load between the Identity Servers in the cluster.

  • Ensure that the L4 administration server using port 8080 has the following ports open:

    • 8443 (secure Administration Console)

    • 7801 (TCP)

    • 636 (for secure LDAP)

    • 389 (for clear LDAP, loopback address)

    • 524 (network control protocol on the L4 machine for server communication)

    The identity provider ports must also be open:

    • 8080 (nonsecure login)

    • 8443 (secure login)

    • 1443 (server communication)

    If you are using introductions (see Creating a Cluster Configuration in the Novell Access Manager 3.1 SP5 Identity Server Guide), you must configure the L4 switch to load balance on ports 8445 (identity provider) and 8446 (identity consumer).
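The prerequisites above, and the base URL requirement earlier in this list, are easy to get wrong on one member of the cluster and hard to diagnose afterwards. The following pre-flight script is an added example and is not part of the Access Manager documentation: it encodes the port lists from this section, checks that the base URL DNS name resolves to the L4 VIP, and tries a TCP connection to each required port on the VIP and on every Identity Server. The VIP and Identity Server addresses are placeholders you pass on the command line; it assumes bash (for /dev/tcp) and, if present, the coreutils timeout command.

```shell
#!/bin/bash
# Added example (not from the Access Manager documentation): pre-flight check
# of the clustering prerequisites listed in section 3.2.2.
# Assumptions: run under bash; addresses on the command line are placeholders.

# Ports the L4/administration side must have open (from the prerequisites list).
admin_ports()        { echo "8443 7801 636 389 524"; }
# Ports every Identity Server (identity provider) must expose.
idp_ports()          { echo "8080 8443 1443"; }
# Additional ports if introductions are enabled on the cluster configuration.
introduction_ports() { echo "8445 8446"; }

# port_open HOST PORT: exit 0 if a TCP connection to HOST:PORT can be opened.
# A refused, filtered or timed-out port returns non-zero.
port_open() {
  if command -v timeout >/dev/null 2>&1; then
    timeout 3 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
  else
    ( exec 3<>"/dev/tcp/$1/$2" ) 2>/dev/null
  fi
}

# base_url_resolves NAME VIP: exit 0 if NAME resolves (via the system resolver,
# as the Identity Servers will see it) to the L4 virtual IP address VIP.
base_url_resolves() {
  getent hosts "$1" 2>/dev/null | awk '{print $1}' | grep -qx "$2"
}

# check_host HOST "PORT ...": prints one line per port; returns the number of
# ports that could not be reached (0 means everything is open).
check_host() {
  local host=$1 closed=0 p
  for p in $2; do
    if port_open "$host" "$p"; then
      printf '%-20s %-5s open\n' "$host" "$p"
    else
      printf '%-20s %-5s CLOSED\n' "$host" "$p"
      closed=$((closed + 1))
    fi
  done
  return "$closed"
}

# main BASE_URL_HOST VIP IDP_ADDRESS...
main() {
  local base_host=$1 vip=$2 failures=0
  shift 2
  if base_url_resolves "$base_host" "$vip"; then
    echo "$base_host resolves to VIP $vip: ok"
  else
    echo "$base_host does NOT resolve to VIP $vip (see base URL prerequisite)"
    failures=$((failures + 1))
  fi
  check_host "$vip" "$(idp_ports) $(introduction_ports)" || failures=$((failures + $?))
  local idp
  for idp in "$@"; do
    check_host "$idp" "$(idp_ports) $(admin_ports)" || failures=$((failures + $?))
  done
  [ "$failures" -eq 0 ]
}

# Usage: ./idp_cluster_preflight.sh idp.example.com 10.0.0.10 10.0.0.11 10.0.0.12
#        (base URL host, L4 VIP, then each Identity Server; all placeholders)
if [ $# -ge 2 ]; then
  main "$@"
fi
```

Run it from a host on the same network segment as the Identity Servers, and again from an Identity Server if firewalls separate the members, because the back-channel port (7801) and server-communication port (1443) must be reachable between members, not only from the client side of the L4 switch.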

3.2.3 Setting Up a Cluster

  1. Install the additional Identity Servers.

    During the installation, choose option 2, Install Novell Identity Server, from CD 1 of the Access Manager installation discs. Specify the IP address and administration credentials of each additional Identity Server. If you are installing on a machine without the Administration Console, the installation asks you for the Administration Console’s IP address. After you install the Identity Servers, the servers are displayed on the Servers page in Identity Servers.

  2. Assign the Identity Servers to the same cluster configuration.

    For more information about assigning servers to a configuration, see Assigning an Identity Server to a Cluster Configuration in the Novell Access Manager 3.1 SP5 Identity Server Guide.

  3. Ensure that the base URL DNS name of the Identity Server cluster configuration resolves to the L4 VIP. (See Section 1.3, Creating a Basic Identity Server Configuration.)

  4. In the Administration Console, click Devices > Identity Servers, then click the configuration name you created for the cluster.

  5. On the Cluster Details page, click the configuration name.

  6. Fill in the following fields as required:

    Name: Lets you change the name of the Identity Server cluster configuration.

    Cluster Communication Backchannel: Provides a communications channel over which the cluster members maintain the integrity of the cluster. For example, this TCP channel is used to detect new cluster members as they join the cluster, and to detect members that leave the cluster. A small percentage of this TCP traffic is used to help cluster members determine which cluster member would best handle a given request. This back channel should not be confused with the IP address/port over which cluster members proxy requests to peer cluster members.

    • Port: Specifies the TCP port of the cluster back channel on all of the Identity Servers in the cluster. 7801 is the default TCP port.

      Because the cluster back channel uses TCP, you can use cluster members on different networks. However, firewalls must allow the port specified here to pass through. To do so, use the port number plus 1 for additional devices in the cluster. For example, if you use four devices, your port numbers would be 7801, 7802, 7803, and 7804.

    • Encrypt: Encrypts the content of the messages that are sent between cluster members. Enable this whenever the back channel crosses a network you do not fully control (for example, members in different networks separated by firewalls); otherwise the cluster messages travel in clear text.

    Level Four Switch Port Translation: Provides an alternative to using iptables when you want to use port 443 on the L4 switch and port 8443 for cluster communication. This option only works if firewalls do not separate the Identity Servers from each other and the L4 switch supports port translation. To use this option, configure the base URL to use port 443, then configure the following options:

    • Port translation is enabled on switch: Indicates that L4 switch has been configured to support port translation and that incoming traffic is using a different port than the cluster members.

    • Cluster member translated port: Specifies the port the cluster members are configured to use. The default port that should be used for HTTPS is 8443.

    If you have firewalls separating your Identity Servers or your L4 switch does not support port translation, you can use iptables to translate the port. For more information on iptables, see Translating the Identity Server Configuration Port in the Novell Access Manager 3.1 SP5 Identity Server Guide.

    IDP Failover Peer Server Count: Enables session failover. For more information about this feature, see Configuring Session Failover in the Novell Access Manager 3.1 SP5 Identity Server Guide.

  7. Click OK.

  8. Under Cluster Members, you can refresh, start, stop, and assign servers to Identity Server configurations.

  9. Click OK, then update the Identity Server as prompted.
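Two of the fields in step 6 translate directly into host firewall work: the back-channel port list (7801, 7802, ... for each additional device) that firewalls between members must pass, and the iptables alternative to Level Four Switch Port Translation when the L4 switch cannot map 443 to 8443. The script below is an added example, not the project's own tooling: it derives the back-channel port list from the base port and cluster size, emits iptables rules that admit that traffic only from the other members' subnet, and emits the nat REDIRECT rule for the 443 to 8443 translation. The subnet and cluster size are placeholders; the rules assume Linux iptables with the conntrack match and REDIRECT target, and the translation rule is this example's rendering of the technique, not a copy of the Identity Server Guide's procedure.

```shell
#!/bin/sh
# Added example (not from the Access Manager documentation): firewall rules for
# the cluster back channel and for port translation without L4 switch support.
# Assumptions: Linux iptables; the subnet and member count given are placeholders.

# backchannel_ports BASE COUNT: "BASE BASE+1 ... BASE+COUNT-1", following the
# section's rule of one port per additional device (7801 7802 7803 7804 for four).
backchannel_ports() {
  base=$1; count=$2; i=0; out=""
  while [ "$i" -lt "$count" ]; do
    out="$out $((base + i))"
    i=$((i + 1))
  done
  printf '%s\n' "${out# }"
}

# allow_rules SUBNET BASE COUNT: accept new back-channel connections only from
# the peer members' subnet, one rule per port (least privilege: nothing else
# needs to reach the back channel).
allow_rules() {
  subnet=$1
  for p in $(backchannel_ports "$2" "$3"); do
    printf 'iptables -A INPUT -p tcp -s %s --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' \
      "$subnet" "$p"
  done
}

# translate_rule FROM TO: redirect incoming TCP port FROM to local port TO,
# e.g. 443 -> 8443 when the base URL uses 443 but Tomcat listens on 8443.
translate_rule() {
  printf 'iptables -t nat -A PREROUTING -p tcp --dport %s -j REDIRECT --to-ports %s\n' "$1" "$2"
}

# generate SUBNET COUNT: the full rule set for one cluster member.
generate() {
  allow_rules "$1" 7801 "$2"
  translate_rule 443 8443
}

# Usage: ./idp_cluster_fw.sh 10.0.0.0/24 4          (print the rules)
#        ./idp_cluster_fw.sh --apply 10.0.0.0/24 4  (run them as root)
if [ $# -ge 2 ]; then
  case $1 in
    --apply) shift; generate "$@" | sh ;;
    *)       generate "$@" ;;
  esac
fi
```

Review the printed rules before using --apply: the ACCEPT rules must precede any default DROP/REJECT in your INPUT chain, and the REDIRECT rule is only needed on hosts where the L4 switch does not already translate the port.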

Real Server Settings Example

Virtual Server Settings Example