4.2 Clustering Identity Servers

A cluster of Identity Servers should reside behind an L4 switch. Clients access the virtual IP address of the cluster presented on the L4 switch, and the L4 switch alleviates server load by balancing traffic across the cluster. If your Identity Server is on the same machine as an Administration Console, and your second Identity Server is on the same machine as a secondary Administration Console, ensure that you are familiar with Section 4.1, Installing Secondary Versions of the Administration Console before proceeding.

Whenever a user accesses the virtual IP address (port 8080) assigned to the L4 switch, the system routes the user to one of the Identity Servers in the cluster, as traffic necessitates.

The system automatically enables clustering when multiple Identity Servers exist in a group. If only one Identity Server exists in a group, clustering is disabled.

IMPORTANT: Using a DNS round robin setup instead of an L4 switch for load balancing is not recommended. The DNS solution works only as long as all members of the cluster are working and in a good state. If one of them goes down and traffic is still sent to that member, the entire cluster is compromised and all devices using the cluster start generating errors.

This section describes how to set up and manage a cluster of Identity Servers:

4.2.1 Services of the Real Server

A user’s authentication remains on the real (authentication) server cluster member that originally handled the user’s authentication. If this server malfunctions, all users whose authentication data resides on this cluster member must reauthenticate.

Requests that require user authentication information are processed on this server. When the system identifies a server as not being the real server, the HTTP request is forwarded to the appropriate cluster member, which processes the request and returns it to the requesting server.

A Note about Alteon Switches

When configuring an Alteon switch for clustering, direct communication between real servers must be enabled. If direct access mode is not enabled, the connection fails and times out whenever one real server tries to proxy a request to another real server.

To enable direct communication on the Alteon:

  1. Go to cfg > slb > adv > direct.

  2. Specify e to enable direct access mode.

With some L4 switches, you should configure only the services that you are using. For example, if you configure the SSL service for the L4 and you have not configured SSL in Access Manager, then the HTTP service on the L4 will not work. If the health check for the SSL service fails, then the L4 assumes that all the services configured to use the same virtual IP are down.

4.2.2 Prerequisites

  • An L4 server installed. You can use the same server for Identity Server clustering and Access Gateway clustering, provided that you use different virtual IPs. The load-balancing algorithm, which is defined at the real server level, can be any method (for example, hash or sticky bit).

  • Persistence (sticky) sessions enabled on the L4 server. You usually define this at the virtual server level.

  • An Identity Server configuration created for the cluster. You assign all the Identity Servers to this configuration. See Creating a Cluster Configuration in the Novell Access Manager 3.0 SP4 Administration Guide for information about creating an Identity Server configuration. See Assigning an Identity Server to a Cluster Configuration in the Novell Access Manager 3.0 SP4 Administration Guide for information about assigning Identity Servers to configurations.

    The base URL DNS name of this configuration must resolve via DNS to the L4 virtual IP address. The L4 balances the load between the Identity Servers in the cluster.

  • Ensure that the L4 administration server using port 8080 has the following ports open:

    • 8443 (secure Administration Console)

    • 7801 (TCP)

    • 636 (for secure LDAP)

    • 389 (for clear LDAP, loopback address)

    • 524 (network control protocol on the L4 machine for server communication)

    The identity provider ports must also be open:

    • 8080 (nonsecure login)

    • 8443 (secure login)

    • 1443 (server communication)

    If you are using introductions (see Creating a Cluster Configuration in the Novell Access Manager 3.0 SP4 Administration Guide), you must configure the L4 switch to load balance on ports 8445 (identity provider) and 8446 (identity consumer).

4.2.3 Setting Up a Cluster

  1. Install the additional Identity Servers.

    During the installation, choose option 2, Install Novell Identity Server, from CD 1 of the Access Manager installation discs. Specify the IP address and administration credentials of each additional Identity Server. If you are installing on a machine without the Administration Console, the installation asks you for the Administration Console’s IP address. After you install the Identity Servers, the servers are displayed on the Servers page in Identity Servers.

  2. Assign the Identity Servers to the same cluster configuration.

    For more information about assigning servers to a configuration, see Assigning an Identity Server to a Cluster Configuration in the Novell Access Manager 3.0 SP4 Administration Guide.

  3. Ensure that the DNS name of the Identity Server cluster configuration resolves to the L4 VIP. (See Section 1.3, Creating a Basic Identity Server Configuration.)

  4. Click the configuration name you created for the cluster under Configuration Assignment.

  5. On the Cluster Details page, click the configuration name.

  6. Fill in the following fields as required:

    Name: Lets you change the name of the Identity Server cluster configuration.

    Cluster Communication Backchannel: Provides a communications channel over which the cluster members maintain the integrity of the cluster. For example, this TCP channel is used to detect new cluster members as they join the cluster, and to detect members that leave the cluster. A small percentage of this TCP traffic is used to help cluster members determine which cluster member would best handle a given request. This back channel should not be confused with the IP address/port over which cluster members provide proxy requests to peer cluster members.

    • Port: Specifies the TCP port of the cluster back channel on all of the Identity Servers in the cluster. 7801 is the default TCP port.

      Because the cluster back channel uses TCP, you can use cluster members on different networks. However, firewalls must allow the port specified here to pass through. To do so, open the port number plus 1 for each additional device in the cluster. For example, if you use four devices, your port numbers would be 7801, 7802, 7803, and 7804.

    • Encrypt: Encrypts the content of the messages that are sent between cluster members.

    Level Four Switch Port Translation: Configures the L4 switch to translate the port of the incoming request to a new port when the request is sent to a cluster member. Because the cluster members communicate with each other over the same IP address/port as the L4 switch, the cluster implementation needs to know what that port is. The translated port is the port on the cluster members where other cluster members can contact it. This is the IP address and port where cluster members provide proxy requests to other cluster members.

    • Port translation is enabled on switch: Specifies whether the port of the L4 switch is different from the port of the cluster member.

    • Cluster member translated port: Specifies the port of the cluster member.

  7. Click OK.

  8. Under Cluster Members, you can refresh, start, stop, and assign servers to Identity Server configurations.

  9. Click OK, then update the Identity Server as prompted.
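A preflight script that verifies the prerequisites and back channel port rule from this section before the cluster goes live; this is an added example, not Novell's code or part of the product, and every hostname, VIP and member address in it is a constructed sample value.

```python
"""Preflight check for an Identity Server cluster behind an L4 VIP.
Added example, not Novell's code. Checks two prerequisites from this section: the base
URL must resolve only to the L4 VIP, and IdP ports must be reachable on each member.
Hostnames, IPs and member lists are constructed sample values."""
import socket
from urllib.parse import urlparse

# Identity provider ports listed in the prerequisites.
IDP_PORTS = {8080: "nonsecure login", 8443: "secure login", 1443: "server communication"}
BACKCHANNEL_BASE = 7801  # default cluster back channel TCP port

def backchannel_ports(member_count, base=BACKCHANNEL_BASE):
    """Back channel ports a firewall must pass: the base port plus one per extra member."""
    return [base + i for i in range(member_count)]

def base_url_matches_vip(base_url, vip, resolved_addresses):
    """True when the base URL host resolves to the VIP and nothing else (no round-robin records)."""
    host = urlparse(base_url).hostname
    return host is not None and set(resolved_addresses) == {vip}

def resolve(host):
    """All A records for host (live DNS lookup; callers may swap in a fake resolver)."""
    return socket.gethostbyname_ex(host)[2]

def port_open(host, port, timeout=2.0):
    """TCP connect check; a closed or filtered port yields False rather than an exception."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def check_cluster(base_url, vip, members, resolver=resolve, prober=port_open):
    """Return human-readable problems; an empty list means the prerequisites hold."""
    problems = []
    addresses = resolver(urlparse(base_url).hostname)
    if not base_url_matches_vip(base_url, vip, addresses):
        problems.append(f"{base_url} resolves to {addresses}, expected only VIP {vip}")
    for member in members:
        for port, purpose in IDP_PORTS.items():
            if not prober(member, port):
                problems.append(f"{member}:{port} ({purpose}) not reachable")
    return problems

if __name__ == "__main__":
    members = ["10.0.0.11", "10.0.0.12"]  # constructed member addresses
    print("firewall must pass back channel ports", backchannel_ports(len(members)))
    for issue in check_cluster("https://idp.example.com:8443/nidp/", "10.0.0.50", members):
        print("PROBLEM:", issue)
```

Run it from a host that sits on the same side of the firewall as the L4 switch, since a filtered port reports the same way as a closed one.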

Real Server Settings Example

Virtual Server Settings Example