Clustering Identity Server - Clustering Guide 4.2.0 - WSO2 Documentation

Creating a cluster of WSO2 Identity Server instances is very similar to clustering other WSO2 products (see Clustering Business Process Server for details). To ensure that the instances share governance registry artifacts, you create a JDBC mount.

Note: This document provides instructions for WSO2 Identity Server versions 5.0.0, 4.6.0 and 4.5.0. See Clustering Identity Server for instructions on clustering more recent versions.

At a high level, use the following steps to cluster Identity Server:

Clustering IS

  1. Install Identity Server on each node.
  2. Create the registry database and configure it. See here for more information on setting up the database and mounting the registry.
  3. Do the following changes to the <IS_HOME>/repository/conf/axis2/axis2.xml file for both nodes.

    1. Enable clustering on node 1 and node 2 by setting the clustering element to true:
      <clustering class="org.wso2.carbon.core.clustering.hazelcast.HazelcastClusteringAgent" enable="true">

    2. Use the same domain name across the cluster.
      <parameter name="domain">wso2.is.domain</parameter>

    3. Use the well-known address (WKA) based clustering method. In WKA-based clustering, we need to have a subset of cluster members configured in all the members of the cluster. At least one well-known member has to be operational at all times.
      <parameter name="membershipScheme">wka</parameter> 

    4. Configure the localMemberHost and localMemberPort entries. These must be different port values for the two nodes if they are on the same server to prevent any conflicts.

      <parameter name="localMemberHost">127.0.0.1</parameter>
      <parameter name="localMemberPort">4000</parameter> 
    5. Under the members section, add the hostName and port for each WKA member. As we have only two nodes in our sample cluster configuration, we will configure both nodes as WKA nodes.

      <members>
          <member>
            <hostName>127.0.0.1</hostName>
            <port>4000</port>
          </member>
          <member>
            <hostName>127.0.0.2</hostName>
            <port>4010</port>
          </member>
      </members>

      Note: You can also use IP address ranges for the hostName. For example, 192.168.1.2-10. This should ensure that the cluster eventually recovers after failures. One shortcoming of doing this is that you can define a range only for the last portion of the IP address. You should also keep in mind that the smaller the range, the faster members are discovered, since each node has to scan fewer potential members.

  4. Change the datasource name to jdbc/WSO2UMDB in user-mgt.xml and identity.xml (located in <IS_HOME>/repository/conf/) and application-authentication.xml (located in <IS_HOME>/repository/conf/security/) of both node1 and node2.

    user-mgt.xml
    <UserManager>
      <Realm>
      <Configuration>
      ...
      <Property name="dataSource">jdbc/WSO2UMDB</Property>
      </Configuration>
      ...
      </Realm>
    </UserManager>
    identity.xml
    <JDBCPersistenceManager>
        <DataSource>
            <Name>jdbc/WSO2UMDB</Name>
        </DataSource>
        <!-- <SkipDBSchemaCreation>false</SkipDBSchemaCreation> -->
    </JDBCPersistenceManager>
    application-authentication.xml
    <TrustedIdPConfig xmlns="http://wso2.org/projects/carbon/trusted-idp-config.xml">
        <JDBCPersistenceManager>
            <DataSource>
                <Name>jdbc/WSO2UMDB</Name>
            </DataSource>
        </JDBCPersistenceManager>
    </TrustedIdPConfig>

    For Identity Server 4.6.0 users

    The configuration you do in the application-authentication.xml file must be done in the trusted-idp-config.xml (located in <IS_HOME>/repository/conf/security/) instead. This is because the application-authentication.xml file does not exist anymore.

    trusted-idp-config.xml
    <TrustedIdPConfig xmlns="http://wso2.org/projects/carbon/trusted-idp-config.xml">
        <JDBCPersistenceManager>
            <DataSource>
                <Name>jdbc/WSO2UMDB</Name>
            </DataSource>
        </JDBCPersistenceManager>
    </TrustedIdPConfig>

    For Identity Server 4.5.0 users

    The configuration you do in the application-authentication.xml file must be done in the trusted-idp-config.xml (located in <IS_HOME>/repository/conf/security/) instead. This is because the application-authentication.xml file does not exist anymore.

    trusted-idp-config.xml
    <TrustedIdPConfig xmlns="http://wso2.org/projects/carbon/trusted-idp-config.xml">
        <JDBCPersistenceManager>
            <DataSource>
                <Name>jdbc/WSO2UMDB</Name>
            </DataSource>
        </JDBCPersistenceManager>
    </TrustedIdPConfig>

    Additionally, you must make the following change in the <IS_HOME>/repository/conf/security/application-authenticators.xml file. Note that this is a different file from application-authentication.xml.

    <Status value="10" loginPage="https://<HostName>/authenticationendpoint/login.do"/>
  5. Copy the JDBC driver (in this case the MySQL driver) to the <IS_HOME>/repository/components/lib directory of both nodes. To do this, download the MySQL Java connector JAR from here and place it in the <IS_HOME>/repository/components/lib directory.

  6. Point all cluster nodes to the same user store (so that they share one LDAP directory). By default, WSO2 Identity Server starts with an embedded LDAP that ships with the product. Disable the embedded LDAP of node 2 by modifying the embedded-ldap.xml file in the <IS_HOME>/repository/conf directory.

    <EmbeddedLDAP>
        <Property name="enable">false</Property>
        ...
    </EmbeddedLDAP>

    Point node 2 to the default user store of node1. You need to configure the connection URL in user-mgt.xml of node2 as given below (default port is 10389). By default, the connection URL given in the file is ldap://localhost:${Ports.EmbeddedLDAP.LDAPServerPort}.

    <UserStoreManager class="org.wso2.carbon.user.core.ldap.ReadWriteLDAPUserStoreManager">
        ...
        <Property name="ConnectionURL">ldap://[IP_of_node1]:10389</Property>
        ...
    </UserStoreManager>

    If you are using some other external user store, make sure you point both nodes to that external user store.

  7. If both nodes will be running on the same server, set a port offset on one of them to avoid port conflicts.

  8. Start the nodes. Use the -Dsetup option (e.g., sh wso2server.sh -Dsetup) on node 1.
  9. Verify in the registry browser that the governance collection is shown with the symlink icon.

Fronting the IS cluster with WSO2 ELB

If you need to front the above IS cluster with WSO2 ELB, you can follow the instructions given below (you need to do this after setting up the cluster following the above instructions).

Configuring the ELB

Now that the two IS nodes are configured, use the following steps to configure the ELB. 

  1. Access the <ELB_HOME>/repository/conf/axis2/axis2.xml file and make the following change:

    <clustering class="org.wso2.carbon.core.clustering.hazelcast.HazelcastClusteringAgent" enable="true"> </clustering>
    
    <parameter name="domain">wso2.lb.domain</parameter>
     
    <parameter name="localMemberPort">4100</parameter>

    The localMemberPort in the ELB is an individual port unique from the localMemberPort of the IS nodes.

  2. Uncomment the localMemberHost element in the <ELB_HOME>/repository/conf/axis2/axis2.xml file and specify the IP address (or host name) which you are going to advertise to the members of the cluster.
    <parameter name="localMemberHost">127.0.0.1</parameter>

  3. Change the transport ports (used as proxy ports in IS nodes).

    <transportreceiver name="http" class="org.apache.synapse.transport.passthru.PassThroughHttpListener">
    	<parameter name="port">80</parameter> 
    </transportreceiver>
    
    <transportreceiver name="https" class="org.apache.synapse.transport.passthru.PassThroughHttpSSLListener">
    	<parameter name="port" locked="false">443</parameter>
    </transportreceiver>
  4. Access the <ELB_HOME>/repository/conf/loadbalancer.conf file, remove all the services entries and add the following.

    identity {
    	domains { 
             wso2.is.domain { 
                tenant_range *; 
                group_mgt_port 4000; 
                mgt{ 
                    hosts wso2.is.com; 
                } 
            } 
        } 
    }

    The group_mgt_port defined here should be the same port given in the ‘members’ section in axis2.xml of both IS nodes. Please ensure that the group_mgt_port value and the localMemberPort value are not the same.

IS node 1 configuration

Configure IS node 1 using the following steps.

  1. Go to <IS_HOME>/repository/conf/axis2/axis2.xml, enable clustering and configure the other parameters as shown below.

    Note that we use wka here instead of multicast as the membershipScheme. This is the method recommended for production. The Well Known Addresses (WKA) feature is a mechanism that allows cluster members to discover and join a cluster using unicast instead of multicast. WKA is enabled by specifying a small subset of cluster members (referred to as WKA members) that are able to start a cluster. The WKA member starts the cluster and the other members join the cluster through the WKA member. If the WKA member is down, the cluster breaks and the members will not be able to communicate with each other.

    <clustering class="org.wso2.carbon.core.clustering.hazelcast.HazelcastClusteringAgent" enable="true"> </clustering>
    
    <parameter name="membershipScheme">wka</parameter>
    
    <parameter name="domain">wso2.is.domain</parameter>
        
    <parameter name="localMemberPort">4001</parameter>
    
    <parameter name="properties">
       	<property name="backendServerURL" value="https://${hostName}:${httpsPort}/services/">
       	<property name="mgtConsoleURL" value="https://${hostName}:${httpsPort}/">
       	<property name="subDomain" value="mgt">
    </parameter>
     
    <members>
         <member>
               <hostName>127.0.0.1</hostName>
               <port>4000</port>
         </member>
    </members>

    The ‘members’ section should have the IP and port of the ELB node. The port you use in this section should be the same as the port given as group_mgt_port in the loadbalancer.conf file of the ELB node.
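    As an added example (not part of this WSO2 guide), the following Python script checks the cross-file rules stated above against constructed axis2.xml fragments for the two IS nodes and the ELB's loadbalancer.conf: membershipScheme is wka, each node's domain has a block in loadbalancer.conf, the group_mgt_port is listed as a WKA member, and each localMemberPort differs from group_mgt_port and from every other member's port (all members are assumed to run on one host).

```python
import re
import xml.etree.ElementTree as ET
# Constructed fragments (not from a real deployment), trimmed to the elements this check reads.
IS_NODE1_AXIS2 = """<clustering class="org.wso2.carbon.core.clustering.hazelcast.HazelcastClusteringAgent" enable="true">
  <parameter name="membershipScheme">wka</parameter>
  <parameter name="domain">wso2.is.domain</parameter>
  <parameter name="localMemberPort">4001</parameter>
  <members><member><hostName>127.0.0.1</hostName><port>4000</port></member></members>
</clustering>"""
IS_NODE2_AXIS2 = IS_NODE1_AXIS2.replace("4001", "4002")  # node 2 differs only in its local port
ELB_LB_CONF = """identity {
    domains {
        wso2.is.domain {
            tenant_range *;
            group_mgt_port 4000;
            mgt { hosts wso2.is.com; }
        }
    }
}"""

def parse_axis2(xml_text):
    """Pull the clustering parameters and WKA member ports out of an axis2.xml fragment."""
    root = ET.fromstring(xml_text)
    params = {p.get("name"): (p.text or "").strip() for p in root.findall("parameter")}
    return params, [int(m.findtext("port")) for m in root.findall("members/member")]

def parse_lb_conf(conf_text):
    # Map each domain block in loadbalancer.conf to the group_mgt_port declared inside it.
    return {d: int(p) for d, p in re.findall(r"(\S+)\s*\{[^{}]*?group_mgt_port\s+(\d+);", conf_text)}

def check_cluster(elb_conf, node_configs, elb_local_port=4100):
    """Return the guide's rules that the given configs violate; an empty list means consistent."""
    errors, lb_ports = [], parse_lb_conf(elb_conf)
    used_ports = {elb_local_port: "ELB"}  # all members assumed on one host, so local ports must not clash
    for name, xml_text in node_configs.items():
        params, member_ports = parse_axis2(xml_text)
        if params.get("membershipScheme") != "wka":
            errors.append(f"{name}: membershipScheme must be wka")
        gmp = lb_ports.get(params.get("domain"))
        if gmp is None:
            errors.append(f"{name}: domain {params.get('domain')!r} has no block in loadbalancer.conf")
            continue
        local = int(params.get("localMemberPort", 0))
        if local == gmp:
            errors.append(f"{name}: localMemberPort {local} must differ from group_mgt_port")
        if local in used_ports:
            errors.append(f"{name}: localMemberPort {local} already used by {used_ports[local]}")
        used_ports[local] = name
        if gmp not in member_ports:
            errors.append(f"{name}: no WKA member entry uses group_mgt_port {gmp}")
    return errors
```

    Run it with the real files by reading each axis2.xml's clustering element and the ELB's loadbalancer.conf into the same call; a non-empty result names the node and the rule it breaks.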

  2. Set the port offset if all the servers are in the same machine. Go to <IS_HOME>/repository/conf/carbon.xml and change the port offset and host names.

    <offset>1</offset>
        
    <HostName>wso2.is.com</HostName>
    
    <MgtHostName>wso2.is.com</MgtHostName>

    This hostname is used by the IS cluster and the ELB. It needs to be specified in the /etc/hosts file as:

    127.0.0.1   wso2.is.com

    In the carbon.xml file we specify the deployment synchronizer configuration as well. Here we are using SVN-based deployment synchronizer. Use your SVN server and specify a location.

    <deploymentsynchronizer>
     	<enabled>true</enabled>
     	<autocommit>true</autocommit>
     	<autocheckout>true</autocheckout>
     	<repositorytype>svn</repositorytype>
     	<svnurl>http://svnexample.wso2.com/svn/test</svnurl>
     	<svnuser>wso2</svnuser>
     	<svnpassword>wso2123</svnpassword>
     	<svnurlappendtenantid>true</svnurlappendtenantid>
    </deploymentsynchronizer>
  3. Add the svnClientBundle-1.0.0.jar to the <IS_HOME>/repository/components/dropins/ directory.

  4. ELB will run on default HTTP/HTTPS ports which are 80/443. Specify these as proxy ports in the <IS_HOME>/repository/conf/tomcat/catalina-server.xml file.

    <Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
        port="9763"
        proxyPort="80"
        ... />

    <Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
        port="9443"
        proxyPort="443"
        ... />

    80 and 443 are default ports and setting these ports in the configuration ensures that you would not need to specify them in the management console URL.

  5. If you are using version 4.5.0 of the WSO2 Identity Server, you must make the following change in the <IS_HOME>/repository/conf/security/application-authenticators.xml file.

    <Status value="10" loginPage="https://<HostName>/authenticationendpoint/login.do"/>

    The HostName here is the same as the host name you specified in the loadbalancer.conf file earlier. 

IS node 2 configuration

Follow all the configuration steps we did in the node 1 for node 2 as well. In addition to that do the following:

  1. Change the localMemberPort in the <IS_HOME>/repository/conf/axis2/axis2.xml file.
    <parameter name="localMemberPort">4002</parameter>

  2. Go to the <IS_HOME>/repository/conf/carbon.xml file and change port offset.
    <offset>2</offset>

    Configure deployment synchronizer in carbon.xml (autocommit=false in node 2).

    <deploymentsynchronizer>
     	<enabled>true</enabled>
     	<autocommit>false</autocommit>
     	<autocheckout>true</autocheckout>
     	<repositorytype>svn</repositorytype>
     	<svnurl>http://svnexample.wso2.com/svn/test</svnurl>
     	<svnuser>wso2</svnuser>
     	<svnpassword>wso2123</svnpassword>
     	<svnurlappendtenantid>true</svnurlappendtenantid>
    </deploymentsynchronizer>
  3. Since we introduced an offset to node 1, we need to change the connection URL of the user store in node 2 accordingly (port changed to 10390 since we introduced an offset of 1 in node1).

    <UserStoreManager class="org.wso2.carbon.user.core.ldap.ReadWriteLDAPUserStoreManager">
        ...
        <Property name="ConnectionURL">ldap://[IP_of_node1]:10390</Property>
        ...
    </UserStoreManager>
Running the cluster
  1. Start the ELB and then the IS nodes. You need superuser privileges on that computer to start the ELB, since it listens on the default ports 80 and 443.
  2. Now you can access the management console using the following URL: https://wso2.is.com/carbon/
