6.1 Managing a Cluster Configuration

After you install an Identity Server, you must create a cluster configuration in order to configure the Identity Server. You can assign the cluster configuration to one or more Identity Servers. As shown in Figure 6-1, you can also create multiple configurations and assign different Identity Servers to them.

Figure 6-1 Identity Server Configurations

When you assign multiple Identity Servers to the same configuration, you need to install an L4 switch, which allows the workload to be balanced among the machines.

Whether there is one machine or multiple machines in a cluster, the Access Manager software configuration process is the same. This section describes the following clustering tasks:

  • Section 6.1.1, Creating a Cluster Configuration

  • Section 6.1.2, Assigning an Identity Server to a Cluster Configuration

  • Section 6.1.3, Removing a Server from a Configuration

  • Section 6.1.4, Managing a Cluster with Multiple Identity Servers

6.1.1 Creating a Cluster Configuration

This section discusses the settings available for an Identity Server configuration, such as importing SSL certificates, enabling introductions, and configuring identity consumer settings. You should be familiar with Creating a Basic Identity Server Configuration in the Novell Access Manager 3.0 SP4 Setup Guide before proceeding.

An Identity Server always operates as an identity provider and can optionally be configured to run as an identity consumer (also known as a service provider), using Liberty, SAML 1.1, or SAML 2.0 protocols. In an Identity Server cluster, multiple servers use the same configuration.

In an Identity Server configuration, you specify the following information:

  • The base URL for the server or clustered server site.

  • Certificates for the Identity Server, identity provider, and identity consumer.

  • Authentication settings, such as whether the identity provider requires signed authentications from service providers.

  • The service domains used for publishing and discovering authentications.

  • Organizational and contact information for the server, which is published in the metadata of the Liberty and SAML protocols.

  • The LDAP directories (user stores) used to authenticate users, and the trusted root for secure communication between the Identity Server and the user store.

To create an Identity Server configuration:

  1. In the Administration Console, click Access Manager > Identity Servers > Servers.

  2. Select the Identity Server’s check box, then click New Cluster.

    Selecting the server is one way to assign it to the cluster configuration.

  3. In the New Cluster dialog box, enter a name for the cluster configuration. If you did not select the server in the previous step, you can now select the server or servers that you want to assign to this configuration.

    For more information about assigning servers to a configuration, see Section 6.1.2, Assigning an Identity Server to a Cluster Configuration.

  4. Click OK.

    New IDS configuration

  5. Fill in the following fields to specify the properties for your Identity Server configuration:

    Name: A name by which you want to refer to the configuration. This field is populated with the name you provided in the New Cluster dialog box. You can change this name here, if necessary.

    IMPORTANT: Carefully determine your settings for the base URL, protocol, and domain. After you have configured trust relationships between providers, changing any of these settings invalidates the trust model, because the partners hold the old endpoint URLs in the metadata they imported, and requires a reimport of the provider’s metadata.

    Modifying the base URL also invalidates the trust between the Identity Server and the embedded service provider (ESP) of the Access Gateway. To re-establish the trust after modifying the base URL, you have to restart the embedded service provider.

    Base URL: The application path for the Identity Server. The Identity Server protocols (Liberty 1.2, SAML 1.1, and SAML 2.0) rely on this base URL to generate URL endpoints for each protocol.

    • Protocol: The communication protocol. Specify HTTPS to run securely (in SSL mode); HTTPS is also required for provisioning. Use HTTP only if you do not require security: with HTTP, user credentials, assertions, and session cookies cross the network in the clear.

    • Domain: The DNS name assigned to the Identity Server. When you are using an L4 switch, this DNS name should resolve to the virtual IP address set up on the L4 switch for the Identity Servers. Using an IP address is not recommended.

    • Port: The port value for the protocol. Default ports are 8080 for HTTP or 8443 for HTTPS. If you want to use port 80 or 443, specify that port here, then configure the operating system to translate the port to the one Tomcat listens on. See Section 38.4, Translating the Identity Server Configuration Port.

    • Application: The Identity Server application. Leave the default value nidp.

    SSL Certificate: Displays the Keystore page that you use to locate and replace the test-connector SSL certificate for this configuration.

    The Identity Server comes with a test-connector certificate that you must replace for your production environment. You can replace the test certificate now or after you configure the Identity Server. If you create the certificate and replace the test-connector now, you can save some time by restarting Tomcat only once. Tomcat must be restarted whenever you assign an Identity Server to a configuration and whenever you update a certificate key store. See Section 6.5.3, Managing the Keys, Certificates, and Trust Stores.

    LDAP Access: The maximum number of LDAP connections allowed to the configuration store. You can adjust this amount for system performance.

    Session Timeout: The session inactivity time allowed before timing out. This is a global setting that applies to any resource that authenticates to this Identity Server or Identity Server cluster. The default setting is fifteen minutes.

    This is a security setting:

    • Lower it to shrink the window of opportunity in which someone can take over the still-active session of a user who steps away and leaves the browser unattended.

    • Increase it if you want to allow idle users a longer period before they are forced to log in again.

    If the resource is configured to use Basic authentication or SSL mutual authentication, the session still times out, but the browser caches the credentials or client certificate and resubmits them on the next request, so the user is re-authenticated without being prompted. The browser must be closed to terminate such a session.

    Allow multiple browser session logout: Specifies whether a user with more than one session to the server is presented with an option to log out of all sessions. If you do not select this option, only the current session can be logged out. You deselect this option in instances where multiple users log in as guests. Then, when one user logs out, none of the other guests are logged out.

    After you enable this option and click OK, you are prompted to apply the changes by using Update Servers on the Servers page. You must also restart any ESPs in an Access Gateway or J2EE Agent configuration that use this Identity Server configuration.

  6. (Optional) If you are configuring the Identity Server for federation, either as an identity provider or an identity consumer, you might want to configure the following options. Otherwise, you can skip them.

  7. To continue creating the Identity Server configuration, click Next.

    The system displays the Organization page.

    Identity Server configuration organization page

    Use this page to specify organization information for the Identity Server configuration. The information you specify on this page is published in the metadata for the Liberty 1.2 and SAML protocols. The metadata is exchanged with federation partners and tells them whom to contact about the organization that operates this Identity Server.

    The following fields require information:

    • Name: The name of the organization.

    • Display Name: The display name for the organization.

    • URL: The organization’s URL for contact purposes.

    Optional fields include Company, First Name, Last Name, Email, Telephone, and Contact Type.

  8. Click Next to configure the user store.

    You must reference your own user store and auto-import the SSL certificate. See Section 8.1, Configuring Identity User Stores for information about this procedure.

  9. After you configure the user store, click Finish to save the server configuration.

    The system displays the new configuration on the Servers page.

    Identity Server configurations list

The status icons for the configuration and the Identity Server should turn green. It might take several seconds for the Identity Server to start and for the system to display a green light. If it does not, it is likely that the Identity Server is not communicating with the user store you set up. Ensure that you have entered the user store information correctly, and that you imported the SSL certificate to the user store. (Edit > Local > [User Store].)
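The Port field in step 5 refers to Section 38.4 for translating ports 80 and 443 to the Identity Server's Tomcat ports, and the Protocol and Domain fields warn against HTTP and against IP literals. The following script is an added example, not part of the Access Manager documentation: it shows the usual Linux way of doing that translation with iptables REDIRECT rules, together with a small sanity check of the Base URL fields. It assumes a Linux host with iptables and curl, the default Tomcat ports 8080/8443, and the default nidp application path; Section 38.4 remains the authoritative procedure for the product.

```shell
#!/bin/sh
# Added example (not from the Access Manager documentation): translate the
# public ports 80/443 to the Identity Server's Tomcat ports 8080/8443 on a Linux
# host using iptables, and sanity-check the Base URL fields.

# Emit the iptables commands that redirect one public port to a server port.
# Usage: translation_rules <public_port> <server_port>
translation_rules() {
    public=$1
    server=$2
    # Packets arriving from the network (including from the L4 switch) are
    # redirected before routing.
    echo "iptables -t nat -A PREROUTING -p tcp --dport $public -j REDIRECT --to-ports $server"
    # PREROUTING never sees locally generated traffic, so a check run on the
    # Identity Server against its own base URL needs a matching OUTPUT rule.
    echo "iptables -t nat -A OUTPUT -o lo -p tcp --dport $public -j REDIRECT --to-ports $server"
}

# Apply the translation for both entries in the Base URL > Port field.
apply_translation() {
    translation_rules 80 8080 | sh
    translation_rules 443 8443 | sh
}

# Check the Base URL fields against the guidance in step 5:
#   - protocol must be https (http sends credentials and cookies in the clear)
#   - domain must be a DNS name, not an IP literal (an IP is not recommended)
# Returns 0 when the fields are acceptable, 1 otherwise.
# Usage: validate_base_url <protocol> <domain> <port>
validate_base_url() {
    protocol=$1
    domain=$2
    port=$3
    [ "$protocol" = "https" ] || { echo "protocol must be https, got $protocol" >&2; return 1; }
    case $domain in
        *[!0-9.]*) ;;   # contains something other than digits and dots: a DNS name
        *) echo "domain $domain is an IP literal; use the DNS name of the VIP" >&2; return 1 ;;
    esac
    case $port in
        ''|*[!0-9]*) echo "port $port is not numeric" >&2; return 1 ;;
    esac
    return 0
}

# Build the base URL as the Identity Server publishes it in its metadata.
# Assumption: the Application field keeps its default value, nidp.
base_url() {
    echo "$1://$2:$3/nidp"
}

# Confirm that the public port answers once the rules are in place.
# -k is used only because the shipped test-connector certificate is not trusted;
# drop it once the production certificate is installed.
check_public_port() {
    curl -sk -o /dev/null -w '%{http_code}' "$1"
}
```

Run `validate_base_url https idp.example.com 443` (host name is a placeholder) before applying the rules; `apply_translation` must run as root, and the rules are not persistent across reboots unless saved with your distribution's iptables-save mechanism.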

6.1.2 Assigning an Identity Server to a Cluster Configuration

After you create a configuration, you must assign the Identity Server to it. For clustering, you can assign more than one Identity Server to the configuration (see Section 6.1.4, Managing a Cluster with Multiple Identity Servers for the steps to set up a cluster). A configuration uses any shared settings you have specified, such as attribute sets, user matching expressions, and custom attributes that are defined for the server.

  1. In the Administration Console, click Access Manager > Identity Servers.

  2. On the Servers page, select the server’s check box, then choose Actions > Assign to Cluster.

    You can also select all displayed servers by selecting the top-level Server check box.

  3. Select the configuration’s check box, then click Assign.

    You are prompted to restart Tomcat. The status icon for the Identity Server should turn green. It might take several seconds for the identity provider to start and for the system to display the green light.

6.1.3 Removing a Server from a Configuration

Removing an Identity Server from a configuration disassociates the Identity Server from the cluster configuration. The configuration, however, remains intact and can be reassigned later or assigned to another server.

  1. In the Administration Console, click Access Manager > Identity Servers.

  2. Select the server, then click Stop. Wait for the Health indicator to turn red.

  3. Select the server, then choose Actions > Remove from Cluster.

For information about deleting an Identity Server, see Section 5.1, Managing an Identity Server.

6.1.4 Managing a Cluster with Multiple Identity Servers

To add capacity and for system failover, you can cluster a group of Identity Servers and configure them in a cluster configuration to act as a single server. However, a cluster is not intended for login failover because all authentication data for a user is stored in memory on the cluster member or authenticating server that originally handled the user's authentication. If this server malfunctions, all users whose authentication data resides on the authenticating server must reauthenticate.

All requests that require user authentication information must be processed on the user’s authenticating server. For example, if an HTTP request is received by a cluster server other than the authenticating server, then the HTTP request is forwarded to the authenticating server in the cluster. This server processes the HTTP request and routes it back through the forwarding cluster member and then to the original requester.

A cluster of Identity Servers should reside behind an L4 switch. Clients access the virtual IP (VIP) address of the cluster presented on the L4 switch, and the L4 switch alleviates server load by balancing traffic across the cluster. Whenever a user accesses the virtual IP address (port 8080) assigned to the L4, the system routes the user to one of the Identity Servers in the cluster, as traffic necessitates.

Prerequisites

  • An L4 switch installed. You can use the same switch for Identity Server clustering and Access Gateway clustering, provided that you use different virtual IPs. The LB algorithm can be anything (hash/sticky bit), defined at the Real server level. For configuration tips, see Configuration Tips for the L4 Switch in the Novell Access Manager 3.0 SP4 Setup Guide.

  • Persistence (sticky) sessions enabled on the L4 server. Normally you define this at the virtual server level.

  • An Identity Server configuration created for the cluster. You assign all the Identity Servers to this configuration. See Section 6.1.1, Creating a Cluster Configuration for information about creating an Identity Server configuration. See Section 6.1.2, Assigning an Identity Server to a Cluster Configuration for information about assigning identity servers to configurations.

    The base URL DNS name of this configuration must resolve via DNS to the IP address of the L4 virtual IP address. The L4 balances the load between the identity servers in the cluster.

  • Ensure that the following TCP ports are open for the L4 administration server, which uses port 8080:

    • 8443 (secure Administration Console)

    • 7801 range (for back-channel communication with cluster members. You need to open two ports for each member of the cluster plus one. Thus, for a two member cluster, 7801, 7802, 7803, 7804, and 7805 need to be open.)

    • 636 (for secure LDAP)

    • 389 (for clear LDAP, loopback address)

    • 524 (NCP, the NetWare Core Protocol, on the L4 machine for server communication)

    The identity provider ports must also be open:

    • 8080 (non-secure login)

    • 8443 (secure login)

    • 1443 (server communication)

    If you are using introductions (see Section 6.1.1, Creating a Cluster Configuration), you must configure the L4 switch to load balance on ports 8445 (identity provider) and 8446 (identity consumer).
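The prerequisites above, and the back-channel port range described again under Cluster Communication Backchannel in the Setup steps, are easy to get wrong on a firewall. The following script is an added example, not part of the Access Manager documentation: it derives the port list for a cluster of a given size (two ports per member plus one, counting up from the back-channel port), checks that the base URL's DNS name resolves to the L4 VIP, and probes each member for every required port. It assumes Linux utilities (getent, timeout) and bash's /dev/tcp for the connect test; the host names and addresses in the usage comment are placeholders.

```shell
#!/bin/bash
# Added example (not from the Access Manager documentation): pre-flight checks
# for the Identity Server cluster prerequisites. Assumes getent, timeout and
# bash's /dev/tcp; addresses in the usage example are made up.

# Host part of a base URL: https://idp.example.com:8443/nidp -> idp.example.com
host_of_url() {
    h=${1#*://}
    h=${h%%/*}
    echo "${h%%:*}"
}

# Back-channel ports: two per cluster member plus one, counting up from the
# port set in Cluster Communication Backchannel (default 7801).
# Usage: backchannel_ports <base_port> <member_count>
backchannel_ports() {
    base=$1
    count=$((2 * $2 + 1))
    i=0
    out=""
    while [ "$i" -lt "$count" ]; do
        out="$out $((base + i))"
        i=$((i + 1))
    done
    echo "${out# }"
}

# Every TCP port a cluster member must accept: the identity provider ports
# (8080, 8443, 1443), the introduction ports (8445, 8446) when introductions
# are enabled, and the back-channel range.
# Usage: member_ports <member_count> <introductions: yes|no> [backchannel_base]
member_ports() {
    ports="8080 8443 1443"
    [ "$2" = "yes" ] && ports="$ports 8445 8446"
    echo "$ports $(backchannel_ports "${3:-7801}" "$1")"
}

# The base URL's DNS name must resolve to the VIP configured on the L4 switch.
# Usage: check_vip_dns <base_url> <vip>
check_vip_dns() {
    domain=$(host_of_url "$1")
    resolved=$(getent hosts "$domain" | awk '{print $1}' | head -n 1)
    if [ "$resolved" = "$2" ]; then
        echo "ok   $domain -> $resolved"
    else
        echo "FAIL $domain resolves to '${resolved:-nothing}', expected VIP $2"
        return 1
    fi
}

# TCP connect test with a 2-second timeout (bash /dev/tcp; "nc -z -w 2" is an
# equivalent alternative where nc is installed).
port_open() {
    timeout 2 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# Check that each member accepts every required port from this host.
# Usage: check_members <member_count> <introductions> <member_ip>...
check_members() {
    count=$1; intro=$2; shift 2
    rc=0
    for ip in "$@"; do
        for p in $(member_ports "$count" "$intro"); do
            if port_open "$ip" "$p"; then
                echo "ok   $ip:$p"
            else
                echo "FAIL $ip:$p not reachable (firewall?)"
                rc=1
            fi
        done
    done
    return $rc
}

# Usage (placeholder values for a two-member cluster with introductions):
#   check_vip_dns https://idp.example.com:8443/nidp 192.0.2.10
#   check_members 2 yes 192.0.2.11 192.0.2.12
```

Run the member check from each cluster member as well as from the Administration Console, since the back channel is member-to-member traffic and a firewall between the members blocks it even when the console can reach every node.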

Setup

  1. Install the additional Identity Servers.

    During installation, choose option 2, Install Novell Identity Server. You run the installation for each new Identity Server you want to add. Specify the IP address and administration credentials of each additional Identity Server. If you are installing on a machine without the Administration Console, the installation asks you for the Administration Console’s IP address. After you install the Identity Servers, the servers are displayed on the Servers page in Identity Servers.

  2. Assign the Identity Servers to the same cluster configuration (see Section 6.1.2, Assigning an Identity Server to a Cluster Configuration).

  3. Click the name of the cluster configuration.

    Cluster details

    The system displays the Cluster Details page, which lets you manage the configuration’s cluster details, health, alerts, and statistics.

  4. Click Edit.

    Editing cluster details

  5. Fill in the following fields as required:

    Cluster Communication Backchannel: Provides a communications channel over which the cluster members maintain the integrity of the cluster. For example, this TCP channel is used to detect new cluster members as they join the cluster, and to detect members that leave the cluster. A small percentage of this TCP traffic is used to help cluster members determine which cluster member would best handle a given request. This back channel should not be confused with the IP address/port over which cluster members provide proxy requests to peer cluster members.

    • Port: Specifies the TCP port of the cluster back channel on all of the Identity Servers in the cluster. 7801 is the default TCP port.

      Because the cluster back channel uses TCP, you can use cluster members on different networks. However, firewalls must allow the ports specified here to pass through. You need to open two ports for each member of the cluster plus one. For example, if you use two devices, your port numbers would be 7801, 7802, 7803, 7804, and 7805.

    • Encrypt: Encrypts the content of the messages that are sent between cluster members. Enable it whenever the back channel crosses a network segment you do not fully control, for example when cluster members sit on different networks.

    Level Four Switch Port Translation: Configures the L4 switch to translate the port of the incoming request to a new port when the request is sent to a cluster member. Because the cluster members communicate with each other over the same IP address/port as the L4 switch, the cluster implementation needs to know what that port is. The translated port is the port on the cluster members where other cluster members can contact it. This is the IP address and port where cluster members provide proxy requests to other cluster members.

    • Port translation is enabled on switch: Specifies whether the port of the L4 switch is different from the port of the cluster member. For example, enable this option when the L4 switch is using port 443 and the Identity Server is using port 8443.

    • Cluster member translated port: Specifies the port of the cluster member.

    Under Cluster Members, you can refresh, start, stop, and assign servers to Identity Server configurations.

  6. Click OK, then update the Identity Server as prompted.