Page Comparison - Clustering Identity Server (v.68 vs v.69) - Clustering Guide 4.2.0 - WSO2 Documentation

Creating a cluster of WSO2 Identity Server instances is very similar to clustering other WSO2 products (see Clustering Business Process Server for details). To ensure that the instances share governance registry artifacts, you create a JDBC mount.

Note: This document provides instructions for WSO2 Identity Server versions 5.0.0, 4.6.0 and 4.5.0. See Clustering Identity Server for instructions on clustering more recent versions.

At a high level, the steps to cluster Identity Server are as follows:

...

  1. Install Identity Server on each node.
  2. Create the registry database and configure it. See here for more information on setting up the database and mounting the registry.
  3. Make the following changes to the <IS_HOME>/repository/conf/axis2/axis2.xml file on both nodes.

    1. Enable clustering on node 1 and node 2 by setting the enable attribute of the clustering element to true:
      <clustering class="org.wso2.carbon.core.clustering.hazelcast.HazelcastClusteringAgent" enable="true">

    2. Use the same domain name across the cluster:
      <parameter name="domain">wso2.is.domain</parameter>

    3. Use the well-known address (WKA) based membership scheme. In WKA-based clustering, a subset of the cluster members (the well-known members) must be configured in every member of the cluster, and at least one well-known member has to be operational at all times:
      <parameter name="membershipScheme">wka</parameter>

    4. Configure the localMemberHost and localMemberPort entries. If the two nodes run on the same server, they must use different port values to prevent conflicts:
      <parameter name="localMemberHost">127.0.0.1</parameter>
      <parameter name="localMemberPort">4000</parameter>

    5. Under the members section, add the hostName and port of each WKA member. As our sample cluster has only two nodes, both nodes are configured as WKA members:

      <members>
          <member>
            <hostName>127.0.0.1</hostName>
            <port>4000</port>
          </member>
          <member>
            <hostName>127.0.0.2</hostName>
            <port>4010</port>
          </member>
      </members>

      Note: You can also use IP address ranges for the hostName, for example 192.168.1.2-10. This helps ensure that the cluster eventually recovers after failures. One shortcoming is that you can define a range only for the last portion of the IP address. Keep in mind that the smaller the range, the faster members are discovered, since each node has to scan fewer potential members.

  4. Change the datasource name to jdbc/WSO2UMDB in user-mgt.xml and identity.xml (located in <IS_HOME>/repository/conf/) and application-authentication.xml (located in <IS_HOME>/repository/conf/security/) on both node 1 and node 2.

    user-mgt.xml:

    <UserManager>
      <Realm>
        <Configuration>
          ...
          <Property name="dataSource">jdbc/WSO2UMDB</Property>
        </Configuration>
        ...
      </Realm>
    </UserManager>

    identity.xml:

    <JDBCPersistenceManager>
      <DataSource>
        <Name>jdbc/WSO2UMDB</Name>
      </DataSource>
      <!-- <SkipDBSchemaCreation>false</SkipDBSchemaCreation> -->
    </JDBCPersistenceManager>

    application-authentication.xml:

    <TrustedIdPConfig xmlns="http://wso2.org/projects/carbon/trusted-idp-config.xml">
      <JDBCPersistenceManager>
        <DataSource>
          <Name>jdbc/WSO2UMDB</Name>
        </DataSource>
      </JDBCPersistenceManager>
    </TrustedIdPConfig>

    For Identity Server 4.6.0 and 4.5.0 users: the configuration described above for the application-authentication.xml file must be done in trusted-idp-config.xml (located in <IS_HOME>/repository/conf/security/) instead, because the application-authentication.xml file does not exist in those versions.

    trusted-idp-config.xml:

    <TrustedIdPConfig xmlns="http://wso2.org/projects/carbon/trusted-idp-config.xml">
      <JDBCPersistenceManager>
        <DataSource>
          <Name>jdbc/WSO2UMDB</Name>
        </DataSource>
      </JDBCPersistenceManager>
    </TrustedIdPConfig>

    For Identity Server 4.5.0 users: you must additionally make the following change in the <IS_HOME>/repository/conf/security/application-authenticators.xml file. Note that this is a different file from application-authentication.xml.

    <Status value="10" loginPage="https://<HostName>/authenticationendpoint/login.do"/>
  5. Copy the JDBC driver (in this case the MySQL driver) to the <IS_HOME>/repository/components/lib directory of both nodes. To do this, download the MySQL Java connector JAR from here and place it in the <IS_HOME>/repository/components/lib directory.

  6. Point all cluster nodes to the same user store (so that they share one LDAP directory). By default, WSO2 Identity Server starts with the embedded LDAP that comes with the product. Disable the embedded LDAP on node 2 by modifying embedded-ldap.xml, found in the <IS_HOME>/repository/conf directory:

    <EmbeddedLDAP>
      <Property name="enable">false</Property>
      <!-- ... -->
    </EmbeddedLDAP>

    Then point node 2 to the default user store of node 1 by configuring the connection URL in user-mgt.xml of node 2 as given below (the default port is 10389). By default, the connection URL in the file is ldap://localhost:${Ports.EmbeddedLDAP.LDAPServerPort}.

    <UserStoreManager class="org.wso2.carbon.user.core.ldap.ReadWriteLDAPUserStoreManager">
      <!-- ... -->
      <Property name="ConnectionURL">ldap://[IP_of_node1]:10389</Property>
      <!-- ... -->
    </UserStoreManager>

    If you are using some other external user store, make sure you point both nodes to that external user store.

  7. If both nodes run on the same server, set the port offset to avoid port conflicts.

  8. Start the nodes. Use the -Dsetup option (e.g., sh wso2server.sh -Dsetup) on node 1.
  9. Verify in the registry browser that the governance collection is shown with the symlink icon.
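Most two-node WKA clusters that fail to form do so because of ordinary configuration drift between the nodes rather than anything exotic: clustering left disabled on one node, a domain name that differs by a character, the localMemberPort not changed on the second node, or a node missing from the <members> list. The following Python script is an added example written for this guide; it is not WSO2 code or part of the product. It parses the clustering section of each node's axis2.xml and the dataSource property of user-mgt.xml and reports those mismatches. The XML strings in it are constructed samples that follow the element structure shown in the steps above; since a real axis2.xml may declare a default namespace, tags are matched by local name.

```python
"""Sanity-check the WKA clustering configuration of two WSO2 Identity Server nodes.

Added example, not WSO2 code. The XML strings are constructed sample input
following the element structure shown in the guide, not copies of a
product distribution.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the <clustering> section of node 1's axis2.xml, as in the guide.
NODE1_AXIS2 = """<clustering class="org.wso2.carbon.core.clustering.hazelcast.HazelcastClusteringAgent" enable="true">
  <parameter name="domain">wso2.is.domain</parameter>
  <parameter name="membershipScheme">wka</parameter>
  <parameter name="localMemberHost">127.0.0.1</parameter>
  <parameter name="localMemberPort">4000</parameter>
  <members>
    <member><hostName>127.0.0.1</hostName><port>4000</port></member>
    <member><hostName>127.0.0.2</hostName><port>4010</port></member>
  </members>
</clustering>"""

# Constructed sample: node 2 with two typical slips, clustering still disabled and
# localMemberPort left at 4000 instead of the 4010 advertised in <members>.
NODE2_AXIS2_BROKEN = (NODE1_AXIS2
    .replace('enable="true"', 'enable="false"')
    .replace('<parameter name="localMemberHost">127.0.0.1', '<parameter name="localMemberHost">127.0.0.2'))

# Constructed sample: node 2 configured as the guide intends.
NODE2_AXIS2_FIXED = (NODE1_AXIS2
    .replace('<parameter name="localMemberHost">127.0.0.1', '<parameter name="localMemberHost">127.0.0.2')
    .replace('<parameter name="localMemberPort">4000', '<parameter name="localMemberPort">4010'))

# Constructed sample: the relevant part of user-mgt.xml.
USER_MGT = """<UserManager><Realm><Configuration>
  <Property name="dataSource">jdbc/WSO2UMDB</Property>
</Configuration></Realm></UserManager>"""


def _local(tag):
    """Tag name without its namespace; the real axis2.xml may declare a default namespace."""
    return tag.rsplit("}", 1)[-1]


def parse_clustering(xml_text):
    """Extract the clustering settings relevant to WKA membership from axis2.xml."""
    root = ET.fromstring(xml_text)
    clustering = next((e for e in root.iter() if _local(e.tag) == "clustering"), None)
    if clustering is None:
        raise ValueError("no <clustering> element found")
    params = {p.get("name"): (p.text or "").strip()
              for p in clustering.iter() if _local(p.tag) == "parameter"}
    members = []
    for m in clustering.iter():
        if _local(m.tag) == "member":
            fields = {_local(c.tag): (c.text or "").strip() for c in m}
            members.append((fields.get("hostName"), fields.get("port")))
    return {
        "enabled": (clustering.get("enable") or "").lower() == "true",
        "domain": params.get("domain"),
        "scheme": params.get("membershipScheme"),
        "local": (params.get("localMemberHost"), params.get("localMemberPort")),
        "members": members,
    }


def check_cluster(nodes):
    """Return human-readable problems found across all nodes (an empty list means OK)."""
    problems = []
    domains = {n["domain"] for n in nodes}
    if len(domains) > 1:
        problems.append(f"domain differs across nodes: {sorted(map(str, domains))}")
    addresses = [n["local"] for n in nodes]
    if len(set(addresses)) < len(addresses):
        problems.append("two nodes share the same localMemberHost:localMemberPort")
    for i, n in enumerate(nodes, 1):
        if not n["enabled"]:
            problems.append(f"node {i}: clustering is not enabled")
        if n["scheme"] != "wka":
            problems.append(f"node {i}: membershipScheme is {n['scheme']!r}, expected 'wka'")
        # The guide lists both nodes as WKA members on every node, so each node's
        # <members> must contain the local address of every node, itself included.
        for other in nodes:
            host, port = other["local"]
            if other["local"] not in n["members"]:
                problems.append(f"node {i}: WKA member {host}:{port} is missing from <members>")
    return problems


def datasource_name(user_mgt_xml):
    """Return the dataSource property configured in user-mgt.xml, or None if absent."""
    root = ET.fromstring(user_mgt_xml)
    for p in root.iter():
        if _local(p.tag) == "Property" and p.get("name") == "dataSource":
            return (p.text or "").strip()
    return None


if __name__ == "__main__":
    for label, node2 in (("broken", NODE2_AXIS2_BROKEN), ("fixed", NODE2_AXIS2_FIXED)):
        found = check_cluster([parse_clustering(NODE1_AXIS2), parse_clustering(node2)])
        print(label, found or "OK")
    print("user-mgt.xml datasource:", datasource_name(USER_MGT))
```

To use it against real nodes, read each node's axis2.xml and user-mgt.xml from <IS_HOME>/repository/conf and pass the file contents in place of the constructed strings; the script deliberately checks only the settings this guide tells you to change, so an empty problem list means the WKA configuration is consistent, not that the cluster is healthy.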

...