
Note: Under update

This article is currently under update and will be finished within the coming weeks.


Set up high availability for Digital Access component

Smart ID Digital Access component supports distributed mode to enable high availability and failover, which provides flexibility and scalability. In this mode, Digital Access component switches to a redundant service once the primary one has stopped working; more than one redundant service of each kind is supported. Using high availability enables systems to meet high service-level agreement (SLA) requirements.

This article describes the setup of high availability between four Digital Access component instances. See also High availability architecture for Digital Access component.


Prerequisites


The following prerequisites apply:

  • External databases are available for users, OATH and OAuth 2.0.

  • Four instances of Digital Access component are running. In the examples in this article they are called HAG-1, HAG-2, HAG-3, and HAG-4:

    • Two instances run in a protected network and are not accessible from the DMZ. (In the example in this article these are HAG-1 and HAG-2.)
      • Only one Administration service is installed. This is done on HAG-1.
      • Only one Distribution service is installed. This is done on HAG-1.
    • Two instances are hosted in the DMZ and run only the Access Point. (In the example in this article these are HAG-3 and HAG-4.)

  • The Access Points running in the DMZ must have access to the protected network so that they can communicate with the Authentication, Policy and Distribution services. For information on how to set this up, refer to Run Digital Access component in distributed mode.

  • The IP addresses of all four nodes must be known.

    Info: When using the virtual appliance for deployment, the IP address of a node can be found in the console menu: select 1) Setup system > 1) modify interfaces to see the IP address assigned to eth0.

    When using the Orchestrator deployment, use the IP addresses from the host network.


Step-by-step instruction

Configure database service


To be able to add a second Authentication service, you must first point the user database, the OATH database, and the OAuth 2.0 database to external databases, so that both Authentication services work against the same data.

Change hosts and add services

Stop services

Stop the services on all four instances, except the Administration service on HAG-1, which stays running so that the remaining configuration can be done from its Digital Access Admin.

To stop a service:

Using virtual appliance
  1. Issue this command to stop, for example, the Authentication service:

    sudo /etc/init.d/authentication-service stop



Using Orchestrator
  1. Issue this command to stop, for example, the Authentication service:

    docker exec orchestrator hagcli -s authentication-service -o stop




Log in to Digital Access Admin
  1. Log in to Digital Access Admin of HAG-1 with an administrator account.


Change hosts and add services
  1. Change the host of registered Policy service:
    1. In Digital Access Admin of HAG-1, go to Manage System > Policy Services.
    2. Select the registered Policy Service.
    3. Change the Internal Host from 127.0.0.1 to HAG-1's IP Address.
    4. Check Distribute key files automatically.
    5. Click Save.
  2. Add a Policy Service:
    1. In Digital Access Admin of HAG-1, go to Manage System > Policy Services.
    2. Click Add Policy Service…
    3. In Display Name enter "Policy Service 2".
    4. In Internal Host enter the IP address of HAG-2.
    5. Check Distribute key files automatically.
    6. Select the Server Certificate and click Add.
    7. Note down the Service ID of newly added Policy Service.
  3. Change the host of registered Distribution Service:
    1. In Digital Access Admin of HAG-1, go to Manage System > Distribution Services.
    2. Select the registered Distribution Service.
    3. Change the Internal Host from 127.0.0.1 to HAG-1's IP Address.
    4. Check Distribute key files automatically.
    5. Click Save.
  4. Change the host of registered Authentication Service:
    1. In Digital Access Admin of HAG-1, go to Manage System > Authentication Services.
    2. Select the registered Authentication Service.
    3. Change the Internal Host from 127.0.0.1 to HAG-1's IP Address.
    4. Check Distribute key files automatically.
    5. Click Save.
  5. Add an Authentication Service:
    1. In Digital Access Admin of HAG-1, go to Manage System > Authentication Services.
    2. Click Add Authentication Service…
    3. In Display Name enter "Authentication Service 2".
    4. In Internal Host enter the IP address of HAG-2.
    5. Check Distribute key files automatically.
    6. Select the Server Certificate and click Add.
    7. Note down the Service ID of newly added Authentication Service.
  6. Change the host of registered Access Point:
    1. In Digital Access Admin of HAG-1, go to Manage System > Access Points.
    2. Select the registered Access Point.
    3. Change the Internal Host to the IP Address of HAG-3. Make sure you use the correct IP address of HAG-3 (which is accessible in the protected network).
    4. Check Distribute key files automatically.
    5. Click Save.
  7. Add an Access Point:
    1. In Digital Access Admin of HAG-1, go to Manage System > Access Points.
    2. Click Add Access Point…
    3. In Display Name enter "Access Point 2".
    4. In Internal Host enter the IP address of HAG-4.
    5. Check Distribute key files automatically.
    6. Select the Server Certificate and click Add.
    7. Note down the Service ID of newly added Access Point.

Set up services

Only one Administration service will be running, so the Administration service on every other Digital Access component instance must be disabled. In addition, each instance must be given the IP address of the Administration service (HAG-1) and must run its own services on its external IP address instead of 127.0.0.1.

Set up HAG-1

In the Administration console of HAG-1:

Using virtual appliance
  1. Select 2) Detailed server setup.
  2. For each service:
    1. Select the service and answer "y" to the question "Should this service be enabled?"
    2. The question At which IP can I find [service] will be shown. Change the IP address of the service from 127.0.0.1 to the IP address of HAG-1.
  3. For the Access Point:
    1. Use the menu option 5) Setup Access Point and disable the Access Point, that is, answer "n" to the question "Should this service be enabled?"


Using Orchestrator
  1. Enable all services:

    docker exec orchestrator hagcli -s all -o enable

    Note: The IP address at which each service is reachable was already changed in the previous section (Change hosts and add services), so no address needs to be changed here. HAG-1 does not run an Access Point (see the prerequisites); if the command above enabled it, disable it again with hagcli in the same way as for HAG-2 below.




Set up HAG-2

In the Administration console of HAG-2:

Using virtual appliance
  1. Select 2) Detailed server setup.
  2. For the Administration Service:
    1. Select the service and answer "n" to the question "Should this service be enabled?"
    2. The question At which IP can I find [service] will be shown. Change the IP address of the service from 127.0.0.1 to the IP address of HAG-1.
  3. For the Access Point:
    1. Use the menu option 5) Setup Access Point and disable the Access Point, that is, answer "n" to the question "Should this service be enabled?"
  4. For each of the other services:
    1. Select the service and answer "y" to the question "Should this service be enabled?"
    2. The question At which IP can I find [service] will be shown. Change the IP address of the service from 127.0.0.1 to the IP address of HAG-2.
    3. The question What node ID does this service have? will be shown. Change the ID to the Service ID you noted down earlier for this service (for example, the ID of "Policy Service 2" for the Policy service).


Using Orchestrator
  1. For the Administration service:

    1. Disable the service:

      docker exec orchestrator hagcli -s administration-service -o disable

    2. Change the IP address of the Administration service for each service that is enabled on this host:
      1. Open opt/nexus/primary/<service>/config/LocalConfiguration.xml.
      2. Search for the Administration Service section.
      3. Change the value of mHost from 127.0.0.1 to the IP address of HAG-1, where the Administration service runs.
  2. For the Access Point:
    1. Disable the service:

      docker exec orchestrator hagcli -s access-point -o disable

  3. For each of the other services:
    1. Enable the service:

      docker exec orchestrator hagcli -s <service> -o enable

    2. Give the service the Service ID you noted down when adding it in Digital Access Admin: open opt/nexus/primary/<service>/config/LocalConfiguration.xml and change the <id> element and the mId attribute to that number, as described for the Access Point under Set up HAG-3 and HAG-4.




Set up HAG-3 and HAG-4

In the Administration console of HAG-3 and HAG-4:

Using virtual appliance
  1. Select 2) Detailed server setup.
    1. For the Administration Service:
      1. Select the service and answer "n" to the question "Should this service be enabled?"
      2. The question At which IP can I find [service] will be shown. Change the IP address of the service from 127.0.0.1 to the IP address of HAG-1.
    2. For the Access Point:
      1. Use the menu option 5) Setup Access Point and answer "y" to the question "Should this service be enabled?"
      2. The question What node ID does the service have? will be shown. Change the node ID to the Service ID which you noted down in earlier steps.
    3. For each of the other services:
      1. Select the service and answer "n" to the question "Should this service be enabled?"


Using Orchestrator
  1. For the Administration service:

    1. Disable the service:

      docker exec orchestrator hagcli -s administration-service -o disable

    2. Change the IP address of the Administration service for the Access Point:
      1. Open opt/nexus/primary/access-point/config/LocalConfiguration.xml.
      2. Search for the Administration Service section.
      3. Change the value of mHost from 127.0.0.1 to the IP address of HAG-1, where the Administration service runs.
    3. Change the Service ID of the Access Point:
      1. Open opt/nexus/primary/access-point/config/LocalConfiguration.xml.
      2. Change the id values in the <id> element and the mId attribute to the Service ID of the Access Point this node hosts (for HAG-4, the ID you noted down when adding Access Point 2 in Digital Access Admin).
  2. For the Access Point:
    1. Enable the service:

      docker exec orchestrator hagcli -s access-point -o enable

  3. For each of the other services:
    1. Disable the service:

      docker exec orchestrator hagcli -s <service> -o disable




Change IP address of API resource

Change the host of the api resource from the local address to the two Access Point nodes:

  1. In Digital Access Admin, go to Manage Resource Access and click the + sign next to api.
    1. Click Edit Resource Host...
    2. Change the Host from 127.0.0.1 to the IP addresses of HAG-3 and HAG-4, separated by a semicolon (;).

Set up load balancer


To set up high availability for Digital Access component, an external load balancer must be used. In this example, we use HAProxy.

  1. Log in to Digital Access Admin of HAG-1 with an administrator account.
  2. In Digital Access Admin, go to Manage System > Access Points.
  3. For each added access point:
    1. Add a listener by clicking Add Additional Listener…
    2. In Host, enter the IP address of the Access Point. Enter a Port, and set Type to Load Balance.
    3. Click Add.
  4. Go to Manage System > Access Points.
  5. Select Configure Load Balancing…
  6. Check Enable multi-host sessions and Send sticky cookies. Enter a Name of Sticky Cookie to be used by the load balancer service.
  7. Click Save.
  8. Select Configure Load Balancing…
  9. Click Add Pair of Mirrored Access Points...
  10. Select Access Point 1 and Access Point 2 as Primary and Secondary server.
  11. Click Save.
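The steps above configure the Digital Access side of load balancing; the page names HAProxy but does not show its configuration. The script below is an added example and is not part of the Digital Access documentation or product. It generates an HAProxy configuration that balances HTTPS traffic across the Load Balance listeners on HAG-3 and HAG-4 and keeps a browser pinned to one Access Point by the sticky cookie. Everything not on this page is an assumption: the certificate paths under /etc/haproxy/certs/, the health-check request GET /, that the Load Balance listener on the Access Point accepts TLS, and the placeholder values DASTICKY, 8443, 10.0.2.3 and 10.0.2.4.

```shell
#!/usr/bin/env bash
# gen_haproxy_cfg.sh - emit an HAProxy config that balances the two DMZ Access
# Points (HAG-3, HAG-4) with cookie stickiness. Added example, not shipped with
# Digital Access. Assumed (not from the page): the cert/CA paths, the
# health-check path GET /, and that the Load Balance listener speaks TLS.

is_ipv4() {
  printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

is_port() {
  case $1 in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# gen_haproxy_cfg COOKIE_NAME LISTENER_PORT AP1_IP AP2_IP
# COOKIE_NAME must be exactly the "Name of Sticky Cookie" entered in
# Digital Access Admin; LISTENER_PORT is the port of the Load Balance listener
# added on each Access Point. Prints the config on stdout, returns 1 on bad input.
gen_haproxy_cfg() {
  local cookie=$1 port=$2 ap1=$3 ap2=$4
  case $cookie in ''|*[!A-Za-z0-9_-]*) echo "bad cookie name: $cookie" >&2; return 1 ;; esac
  is_port "$port" || { echo "bad port: $port" >&2; return 1; }
  is_ipv4 "$ap1" && is_ipv4 "$ap2" || { echo "bad Access Point IP" >&2; return 1; }
  cat <<EOF
global
    log stdout format raw local0

defaults
    mode http
    log global
    option httplog
    timeout connect 5s
    timeout client  60s
    timeout server  60s

frontend da_https
    # TLS is terminated here so HAProxy can read the sticky cookie (assumed cert path).
    bind *:443 ssl crt /etc/haproxy/certs/da-public.pem
    default_backend da_access_points

backend da_access_points
    balance roundrobin
    # prefix mode: HAProxy prepends "<server>~" to the cookie the Access Point
    # sets and strips it again before forwarding, so the Access Point's own
    # value is untouched. The name must match Digital Access Admin exactly.
    cookie $cookie prefix
    option httpchk GET /
    server hag3 $ap1:$port ssl verify required ca-file /etc/haproxy/certs/da-ca.pem cookie hag3 check
    server hag4 $ap2:$port ssl verify required ca-file /etc/haproxy/certs/da-ca.pem cookie hag4 check
EOF
}

# Usage: gen_haproxy_cfg.sh COOKIE_NAME PORT AP1_IP AP2_IP > /etc/haproxy/haproxy.cfg
if [ "$#" -eq 4 ]; then
  gen_haproxy_cfg "$@"
fi
```

Write the output to /etc/haproxy/haproxy.cfg and validate it with haproxy -c -f /etc/haproxy/haproxy.cfg before reloading. Two points matter: the cookie name must be exactly the Name of Sticky Cookie entered in Configure Load Balancing..., and HAProxy must terminate TLS (mode http) to read that cookie at all; a TCP-mode pass-through cannot provide cookie stickiness. prefix mode is used because this page does not say what value the Access Point writes into the cookie; HAProxy adds its own server marker and removes it again before forwarding, so the Access Point's value is never altered.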

Check setup

  1. Start all the required services.
  2. Publish the configuration.
  3. Check that all services are connected.
  4. Do a login to the portal and check if all works as expected and that you can see the portal items and display names properly.
  5. In case of any failure, check that the sha1sum of shared.key and internal.key is identical for all connected services; these are the key files that are pushed out when Distribute key files automatically is checked. The keys can be found under /opt/nexus/<service>/keys/.
  6. Inspect logs and address any unexpected errors.
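Step 5 above and the LocalConfiguration.xml edits under Set up HAG-2 and Set up HAG-3 and HAG-4 are both easy to get wrong on one node out of four. The script below is an added example, not part of the product, that automates both checks on a node: it compares the sha1sum of shared.key and internal.key across the listed services and reports any LocalConfiguration.xml that still points an mHost at 127.0.0.1. It assumes the layout this page gives (ROOT/<service>/keys/ and ROOT/<service>/config/LocalConfiguration.xml, with ROOT being /opt/nexus on the appliance and opt/nexus/primary under Orchestrator) and matches mHost loosely, because the exact XML layout is not shown on the page; the service names in the usage line are placeholders.

```shell
#!/usr/bin/env bash
# da_ha_check.sh - post-setup checks for one Digital Access HA node.
# Added example, not part of the product. Layout assumed from this page:
#   ROOT/<service>/keys/shared.key and internal.key   (ROOT=/opt/nexus on the appliance)
#   ROOT/<service>/config/LocalConfiguration.xml      (ROOT=opt/nexus/primary under Orchestrator)
# mHost is matched loosely (mHost="..." or <mHost>...</mHost>) because the exact
# XML layout is not shown on the page.

# macOS fallback for a workstation run; the appliance has coreutils sha1sum.
if ! command -v sha1sum >/dev/null 2>&1; then
  sha1sum() { shasum -a 1 "$@"; }
fi

# key_digest_mismatches ROOT SERVICE...
# Compares shared.key and internal.key of every listed service against the first
# service's copy. Prints a REF line per key plus MISSING/MISMATCH lines; returns 0
# only when every service holds identical key files.
key_digest_mismatches() {
  local root=$1; shift
  local rc=0 key ref svc f d
  for key in shared.key internal.key; do
    ref=""
    for svc in "$@"; do
      f="$root/$svc/keys/$key"
      if [ ! -f "$f" ]; then
        echo "MISSING  $f"; rc=1; continue
      fi
      d=$(sha1sum "$f" | cut -d' ' -f1)
      if [ -z "$ref" ]; then
        ref=$d; echo "REF      $key $ref"
      elif [ "$d" != "$ref" ]; then
        echo "MISMATCH $f $d (expected $ref)"; rc=1
      fi
    done
  done
  return $rc
}

# loopback_refs ROOT SERVICE...
# Lists LocalConfiguration.xml lines where an mHost still points at 127.0.0.1.
# After the setup above no service on any node should reference loopback: every
# service, the Administration service included, is addressed by a node IP.
loopback_refs() {
  local root=$1; shift
  local rc=0 svc f
  for svc in "$@"; do
    f="$root/$svc/config/LocalConfiguration.xml"
    [ -f "$f" ] || continue
    grep -EHn 'mHost[^0-9]*127\.0\.0\.1([^0-9]|$)' "$f" && rc=1
  done
  return $rc
}

# Usage: da_ha_check.sh ROOT SERVICE...
#   e.g. da_ha_check.sh /opt/nexus authentication-service administration-service
if [ "$#" -ge 2 ]; then
  root=$1; shift
  key_digest_mismatches "$root" "$@"; k=$?
  loopback_refs "$root" "$@"; l=$?
  [ "$k" -eq 0 ] && [ "$l" -eq 0 ] && echo "OK: key files consistent, no loopback hosts left"
  exit $((k + l))
fi
```

Run it on each node with that node's enabled services, then compare the REF digests printed on the different nodes: they must be identical everywhere, because every connected service has to hold the same two key files. A MISMATCH or a leftover 127.0.0.1 on a node points at the service whose keys were not distributed or whose Administration service address was not changed.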