Set up high availability for Digital Access deployment (bridge network)
This article includes updates for Digital Access 6.3.0 and Smart ID 22.10.2.
This article describes the setup of high availability for two or more Digital Access services with a Smart ID docker compose deployment setup.
Smart ID Digital Access component supports distributed mode to enable high availability. With this mode, Digital Access will switch to a redundant service once the primary one has stopped working. Thereby, not only one but several redundant services are supported.
The deployment steps mentioned in Deploy Smart ID apply to single node setup only. If you want to configure Digital Access in distributed mode or high availability, follow the steps below for deployment on every node.
Step-by-step instruction
Update docker-compose.yml for all services
For all nodes that you shall add, you must do changes in docker-compose.yml for all services. Make sure that all service names are different for every node and that they match the ones you set in Digital Access Admin while adding the new services. See the examples below.
Administration service
docker-compose.yml
services:
smartid-da-admin:
env_file: ../../smartid.env
image: "${SMARTID_REPO_DOCKER}/smartid-digitalaccess/administration-service:${SMARTID_VERSION}"
restart: always
container_name: "smartid-da-admin"
ports:
- "8443:8443"
- "8300:8300"
volumes:
- ../DA-data:/etc/nexus:z
- ../config/da-admin-customize.conf:/opt/nexus/administration-service/config/customize.conf:ro
logging:
driver: json-file
options:
max-size: 10m
networks:
- smartid_backend
networks:
smartid_backend:
external:
name: smartid_backend
Policy service
docker-compose.yml
services:
smartid-da-policy:
env_file: ../../smartid.env
image: "${SMARTID_REPO_DOCKER}/smartid-digitalaccess/policy-service:${SMARTID_VERSION}"
restart: always
container_name: "smartid-da-policy"
ports:
- "4443:4443"
- "8301:8301"
volumes:
- ../DA-data:/etc/nexus:z
logging:
driver: json-file
options:
max-size: 10m
networks:
- smartid_backend
networks:
smartid_backend:
external:
name: smartid_backend
Authentication service
docker-compose.yml
services:
smartid-da-auth:
env_file: ../../smartid.env
image: "${SMARTID_REPO_DOCKER}/smartid-digitalaccess/authentication-service:${SMARTID_VERSION}"
environment:
- IMPLICITLY_TRUST_RADIUS_CLIENT=true
restart: always
container_name: "smartid-da-auth"
ports:
- "8302:8302"
- "18118-18126:18118-18126/udp"
volumes:
- ../DA-data:/etc/nexus:z
- ../config/da-auth-customize.conf:/opt/nexus/authentication-service/config/customize.conf:ro
logging:
driver: json-file
options:
max-size: 10m
networks:
- smartid_backend
networks:
smartid_backend:
external:
name: smartid_backend
Distribution service
docker-compose.yml
services:
smartid-da-dist:
env_file: ../../smartid.env
image: "${SMARTID_REPO_DOCKER}/smartid-digitalaccess/distribution-service:${SMARTID_VERSION}"
restart: always
container_name: "smartid-da-dist"
ports:
- "8303:8303"
- "9443:9443"
volumes:
- ../DA-data:/etc/nexus:z
logging:
driver: json-file
options:
max-size: 10m
networks:
- smartid_backend
networks:
smartid_backend:
external:
name: smartid_backend
Access point
docker-compose.yml
services:
smartid-da-accesspoint:
env_file: ../../smartid.env
image: "${SMARTID_REPO_DOCKER}/smartid-digitalaccess/access-point:${SMARTID_VERSION}"
restart: always
container_name: "smartid-da-accesspoint"
ports:
- "443:10443"
- "80:8090"
volumes:
- ../DA-data:/etc/nexus:z
logging:
driver: json-file
options:
max-size: 10m
networks:
- smartid_backend
networks:
smartid_backend:
external:
name: smartid_backend
In Digital Access Admin
Updates in Digital Access Admin
Start the administration service and all other services.
Example: Start Digital Access Administration service
CODEcd <SMARTIDHOME>/compose/digitalaccess/administration-service docker-compose up -d
Log in to Digital Access Admin and change the internal host of all services so that they are able to communicate with the administration service and are also reachable from other nodes to other services.
Make sure the port for each added service match the ports in docker-compose.yml.
Go to Manage System > Administration service and check Listen on all interfaces.
Click Restart to restart the administration service.
Add the required services for high availability and note down the ID of the services.
Go to Manage System, and for all the services, check Listen on all interfaces and Distribute key files automatically.
Publish the changes.
Edit LocalConfiguration.xml of all services
Update LocalConfiguration.xml of each service on the same host as administration service to have the correct mHost value for the administration service.
Update LocalConfiguration.xml of newly added services on other nodes. For example, if you add a new policy service in the administration service, then the LocalConfiguration.xml of it would look like in the example below.
Change the
<id>
tag value andmId
of the new service to match the one in Digital Access Admin. Make sure that themHost
of the administration service is correct.
Example: LocalConfiguration.xml of 2nd policy service
<?xml version="1.0" encoding="UTF-8"?><com>
<portwise>
<core>
<id>7</id>
</core>
<policy>
<node>
<object key="c000ejp1m5" name="Administration Service" trans="gi3d4lmzfh1c" ver="50600">
<attribute name="mAllInterfaces" type="boolean" value="true"/>
<attribute name="mPort" type="integer" value="8300"/>
<attribute name="mHost" type="string" value="<admin-hostname>"/>
<attribute name="mType" type="integer" value="5"/>
<attribute name="mId" type="integer" value="1"/>
</object>
<object key="aaaaaaa" name="Policy service 2" trans="abgfh" ver="50600">
<attribute name="mAllInterfaces" type="boolean" value="true"/>
<attribute name="mPort" type="integer" value="8301"/>
<attribute name="mHost" type="string" value="policy2-hostname"/>
<attribute name="mHTTPLogSettings" type="container" value="logsettings">
<attribute name="mEventLogLevel" type="string" value="OFF"/>
<attribute name="mLocalCount" type="integer" value="2"/>
<attribute name="mAuthenticationTiming" type="boolean" value="false"/>
<attribute name="mFileLogLevel" type="string" value="OFF"/>
<attribute name="mFileSizeRotationEnabled" type="boolean" value="true"/>
<attribute name="mCentralLimit" type="integer" value="15000000"/>
<attribute name="mLocalLimit" type="integer" value="5000000"/>
<attribute name="mDateRotationEnabled" type="boolean" value="false"/>
<attribute name="mCentralCount" type="integer" value="5"/>
</attribute>
<attribute name="mType" type="integer" value="1"/>
<attribute name="mId" type="integer" value="7"/>
</object>
</node>
</policy>
</portwise>
</com>
Start Digital Access
Stop and start the modified Digital Access services by going into the wanted component folder:
Digital Access - services location
CODE<SMARTIDHOME>/compose/digitalaccess/accesspoint <SMARTIDHOME>/compose/digitalaccess/policy-service <SMARTIDHOME>/compose/digitalaccess/administration <SMARTIDHOME>/compose/digitalaccess/distribution-service
Restart DÃgital Access Administration service
CODEcd <SMARTIDHOME>/compose/digitalaccess/administration-service docker-compose down docker-compose up -d
If there are errors in the logs related to that the connection is not successful, restart the services and check the logs again.