
The XTAM High Availability (HA) option is deployed as two or more XTAM nodes running the same software, connected to a single database, with HTTP traffic distributed by a load balancer or Virtual IP technology. The HA option allows the system to continue operating if one of the nodes malfunctions. In addition, when deployed behind a load balancer, it improves overall system performance by splitting the load across multiple nodes.

Xton Access Manager High Availability Option

High Availability Option Concepts

Below is a basic network diagram that provides a visual reference for the content in this article. It shows a load-balanced XTAM deployment using two XTAM nodes with a replicated external database and file share.

[Diagram: XTAM High Availability, two-node HA deployment]

A high availability farm can be deployed on a series of Unix or Windows servers, using IIS (Windows), Apache (Unix) or any other load balancer software. For the purpose of this article, we describe a deployment using Windows servers and IIS for load balancing.

Server 1: Hosts the database server. Both XTAM nodes A and B will be configured to use this external database instance as their database.

Server 2: Hosts IIS configured for load balancing. All user traffic (internal and external) enters this server and is sent to either XTAM node A or node B. The SSL certificate is deployed to IIS so that client connections are encrypted. Read more about advanced network load balancer deployments in the Front-End Server Architecture article.

Server 3:  Hosts XTAM node A.

Server 4:  Hosts XTAM node B.

The following describes the basic configuration of each server, not the order of operations in which they should be deployed. For example, the database server should be set up before XTAM nodes A and B.

High Availability Option Setup

1. Database Server

Install a new database server or use an existing one. The XTAM Internal Database is not supported for High Availability deployments; you must use one of the supported External Database options.

Both XTAM nodes will be configured with identical database parameters.

2. IIS Load Balancer

Install Windows Server and IIS. Configure IIS as needed, including SSL certificates and bindings. Once configured, ensure that you can reach IIS from both internal and external locations.

Run XtamSetup.exe and select only the “Load Balancer” option (this does not count towards your number of licensed nodes). This installs and configures both the ARR and URL Rewrite modules. The setup process configures some of the following settings, so if they are already present in IIS, simply double-check them and move to the next option.

  • Create a new server farm. Add a server for XTAM node A and one for XTAM node B using their static IP addresses and port 8080.
  • Create a new default URL rewrite rule with the following settings:
    • Match URL
      • Matches the Pattern, Using Wildcards, Pattern: *
    • Conditions
      • None
    • Server Variables
      • None
    • Action Properties
      • Scheme: http://
      • Server farm: [name of your Server Farm]
      • Path: /{R:0}
  • Configure your Server Farm with Server Affinity set to Client Affinity enabled.
  • Configure your Server Farm Proxy Buffer Settings:
    • Response buffer (KB): 1
    • Response buffer threshold (KB): 0
  • Restart IIS

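Because XtamSetup.exe may skip settings that already exist in IIS, it is worth verifying the resulting farm rather than trusting the wizard. The script below is an added example, not part of the article or of Xton's tooling: it parses an exported IIS applicationHost.config and reports any deviation from the farm settings listed above (both nodes present and enabled on port 8080, client affinity enabled, response buffer 1 KB, buffer threshold 0 KB). The sample configuration and the node addresses 10.0.0.11 and 10.0.0.12 are constructed, and the element and attribute names (webFarm, server/applicationRequestRouting httpPort, affinity useCookie, protocol responseBufferLimit and responseBufferThreshold) are assumed to follow the ARR module's configuration schema; compare them against your own exported file.

```python
"""Check an IIS applicationHost.config <webFarms> section against the XTAM HA
farm settings described in the article. Added example; schema names assumed."""
import xml.etree.ElementTree as ET

# Constructed sample of the <webFarms> section after ARR has been configured.
# Node B's port and the buffer threshold are deliberately wrong so that the
# check has something to report.
SAMPLE_APPHOST = """<configuration>
  <webFarms>
    <webFarm name="XTAMFarm" enabled="true">
      <server address="10.0.0.11" enabled="true">
        <applicationRequestRouting httpPort="8080" />
      </server>
      <server address="10.0.0.12" enabled="true">
        <applicationRequestRouting httpPort="80" />
      </server>
      <applicationRequestRouting>
        <affinity useCookie="true" />
        <protocol responseBufferLimit="1" responseBufferThreshold="8" />
      </applicationRequestRouting>
    </webFarm>
  </webFarms>
</configuration>
"""

EXPECTED_NODES = {"10.0.0.11", "10.0.0.12"}  # static IPs of node A and node B (constructed)
EXPECTED_PORT = "8080"                        # XTAM nodes listen on 8080 behind IIS


def check_farm(apphost_xml, farm_name, expected_nodes=EXPECTED_NODES):
    """Return a list of human-readable findings; an empty list means the farm matches."""
    root = ET.fromstring(apphost_xml)
    farm = root.find(f"./webFarms/webFarm[@name='{farm_name}']")
    if farm is None:
        return [f"server farm '{farm_name}' not found"]
    findings = []
    if farm.get("enabled", "true") != "true":
        findings.append("farm is disabled")

    # Every XTAM node must be listed, enabled, and reached on port 8080.
    seen = set()
    for server in farm.findall("server"):
        addr = server.get("address")
        seen.add(addr)
        arr = server.find("applicationRequestRouting")
        port = arr.get("httpPort", "80") if arr is not None else "80"  # ARR default is 80
        if port != EXPECTED_PORT:
            findings.append(f"node {addr} uses httpPort {port}, expected {EXPECTED_PORT}")
        if server.get("enabled", "true") != "true":
            findings.append(f"node {addr} is disabled")
    for missing in sorted(expected_nodes - seen):
        findings.append(f"node {missing} missing from farm")
    for extra in sorted(seen - expected_nodes):
        findings.append(f"unexpected node {extra} in farm")

    # Farm-wide settings: cookie-based client affinity and the proxy buffer values.
    settings = farm.find("applicationRequestRouting")
    affinity = settings.find("affinity") if settings is not None else None
    if affinity is None or affinity.get("useCookie", "false") != "true":
        findings.append("client affinity (cookie) is not enabled")
    protocol = settings.find("protocol") if settings is not None else None
    buf = protocol.get("responseBufferLimit") if protocol is not None else None
    thr = protocol.get("responseBufferThreshold") if protocol is not None else None
    if buf != "1":
        findings.append(f"response buffer is {buf} KB, expected 1")
    if thr != "0":
        findings.append(f"response buffer threshold is {thr} KB, expected 0")
    return findings


if __name__ == "__main__":
    for finding in check_farm(SAMPLE_APPHOST, "XTAMFarm"):
        print("FINDING:", finding)
```

Run it against the real file by replacing SAMPLE_APPHOST with the contents of %windir%\System32\inetsrv\config\applicationHost.config; an unexpected node in the farm is the finding to treat most seriously, since it means user sessions are being proxied to a host you did not provision.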
3. XTAM node A

Install Windows Server and assign a static IP.  Reference this IP when configuring the Server Farm in your IIS load balancing.

Run XtamSetup.exe and choose the following options:

  • Directory Service
  • Application GUI
  • Job Engine
  • Session Manager
  • Federated Sign-In (optional)

When prompted for a database connection, enter the values for your Database server instance.

Configure your AD integration using AD server, user and password.

Complete installation and save your password information to a file.

4. XTAM node B

Install Windows Server and assign a static IP.  Reference this IP when configuring the Server Farm in your IIS load balancing.

Run XtamSetup.exe and choose the following options:

  • Directory Service
  • Application GUI
  • Job Engine
  • Session Manager
  • Federated Sign-In (optional)

When prompted for a database connection, enter the values for your Database server instance.

Configure your AD integration using AD server, user and password.

Complete installation and save your password information to a file.

Update the XTAM master password on node B with the one from node A by issuing the following command from the command line in the $XTAM_HOME folder.

For Windows:

bin\PamDirectory SetMasterPassword web MASTER PASSWORD FROM NODE A

For Linux:

bin/PamDirectory.sh SetMasterPassword web MASTER PASSWORD FROM NODE A

Rather than entering the master password as a command argument, you can use a - (dash character) in its place. When the command is executed with a dash, you are prompted to enter the password interactively, so the secret does not end up in the shell history or the process list.

bin\PamDirectory SetMasterPassword web -
bin/PamDirectory.sh SetMasterPassword web -

5. Set Up the Federated Sign-In Component in a Multi-Node Configuration

When using the Federated Sign-In Component for user authentication, synchronize this module on both nodes by copying the following parameters from the $XTAM_HOME/web/conf/catalina.properties file on XTAM Node A into the same file on XTAM Node B, then restart the management service on Node B:

cas.ticket.registry.jpa.crypto.signing.key=VALUE
cas.ticket.registry.jpa.crypto.encryption.key=VALUE

cas.tgc.crypto.encryption.key=VALUE
cas.tgc.crypto.signing.key=VALUE

cas.webflow.crypto.signing.key=VALUE
cas.webflow.crypto.encryption.key=VALUE
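These six values are the signing and encryption keys that protect CAS tickets, the ticket-granting cookie and the login web flow; both nodes must hold identical keys or a session established on one node cannot be validated by the other. The script below is an added example, not part of the article or of XTAM's own tooling, that copies exactly these keys from node A's catalina.properties into node B's while leaving every other line of node B's file untouched. It assumes the plain key=value layout Tomcat uses for catalina.properties (no line continuations) and the property names listed above; the two sample files are constructed, and node B's sample deliberately lacks the last key so the append path is exercised.

```python
"""Synchronize the CAS crypto keys from node A's catalina.properties to node B's.
Added example; assumes plain key=value lines and the property names from the article."""
import re
import shutil
import sys

CAS_KEYS = (
    "cas.ticket.registry.jpa.crypto.signing.key",
    "cas.ticket.registry.jpa.crypto.encryption.key",
    "cas.tgc.crypto.encryption.key",
    "cas.tgc.crypto.signing.key",
    "cas.webflow.crypto.signing.key",
    "cas.webflow.crypto.encryption.key",
)

# Java properties line: key, optional '=' or ':' separator, value. Lines starting
# with '#' or '!' are comments and do not match because of the first character class.
_PROP_RE = re.compile(r"^\s*([^\s:=#!][^\s:=]*)\s*[:=]?\s*(.*?)\s*$")

# Constructed samples standing in for $XTAM_HOME/web/conf/catalina.properties.
NODE_A = """# catalina.properties on node A (constructed sample)
common.loader="${catalina.base}/lib"
cas.ticket.registry.jpa.crypto.signing.key=A-sign-1
cas.ticket.registry.jpa.crypto.encryption.key=A-enc-1
cas.tgc.crypto.encryption.key=A-enc-2
cas.tgc.crypto.signing.key=A-sign-2
cas.webflow.crypto.signing.key=A-sign-3
cas.webflow.crypto.encryption.key=A-enc-3
"""
NODE_B = """# catalina.properties on node B (constructed sample)
common.loader="${catalina.base}/lib"
cas.ticket.registry.jpa.crypto.signing.key=B-sign-1
cas.ticket.registry.jpa.crypto.encryption.key=B-enc-1
cas.tgc.crypto.encryption.key=B-enc-2
cas.tgc.crypto.signing.key=B-sign-2
cas.webflow.crypto.signing.key=B-sign-3
"""


def parse_properties(text):
    """Parse key=value lines into a dict, skipping blanks and comments."""
    props = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(("#", "!")):
            continue
        m = _PROP_RE.match(line)
        if m:
            props[m.group(1)] = m.group(2)
    return props


def extract_cas_keys(node_a_text):
    """Return {key: value} for the six CAS keys on node A; fail loudly if one is absent."""
    props = parse_properties(node_a_text)
    missing = [k for k in CAS_KEYS if not props.get(k)]
    if missing:
        raise KeyError(f"node A is missing CAS keys: {missing}")
    return {k: props[k] for k in CAS_KEYS}


def apply_cas_keys(node_b_text, keys):
    """Rewrite node B's file in place of the CAS keys only, appending any key B lacks."""
    out, seen = [], set()
    for line in node_b_text.splitlines():
        m = _PROP_RE.match(line)
        if m and m.group(1) in keys:
            out.append(f"{m.group(1)}={keys[m.group(1)]}")
            seen.add(m.group(1))
        else:
            out.append(line)  # non-CAS lines are preserved byte for byte
    for k in CAS_KEYS:
        if k not in seen:
            out.append(f"{k}={keys[k]}")
    return "\n".join(out) + "\n"


def sync_cas_keys(node_a_text, node_b_text):
    return apply_cas_keys(node_b_text, extract_cas_keys(node_a_text))


if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: sync_cas.py <node A properties> <node B properties>
        a_path, b_path = sys.argv[1], sys.argv[2]
        shutil.copyfile(b_path, b_path + ".bak")  # keep a backup before rewriting node B
        with open(a_path) as fa, open(b_path) as fb:
            merged = sync_cas_keys(fa.read(), fb.read())
        with open(b_path, "w") as fb:
            fb.write(merged)
    else:
        print(sync_cas_keys(NODE_A, NODE_B))
```

Copy node A's file to node B over an encrypted channel and keep the same restrictive file permissions on the destination: anyone who can read these six values can mint or decrypt CAS tickets for either node, so the file deserves the same handling as the master password.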

6. Set Up Local User Directory Replication

When using XTAM local users and groups, set up replication between the local user directory services on Nodes A and B.

  1. On XTAM Node A, open a command prompt and navigate to the XTAM installation directory.
  2. Execute the following command, replacing the placeholders with the values of XTAM Node B:
    • {ads.remote.server}: the host name or IP of XTAM Node B (make sure ports 10636 and 10389 are open)
    • {ads.remote.password}: the “Directory Password” of XTAM Node B that was generated during installation

    For Windows:

    bin\PamDirectory.cmd ADSReplicate web {ads.remote.server} {ads.remote.password}

    For Linux:

    bin/PamDirectory.sh ADSReplicate web {ads.remote.server} {ads.remote.password}

  3. On XTAM Node B, open a command prompt and navigate to the XTAM installation directory.
  4. Execute the following command, replacing the placeholders with the values of XTAM Node A:
    • {ads.remote.server}: the host name or IP of XTAM Node A (make sure ports 10636 and 10389 are open)
    • {ads.remote.password}: the “Directory Password” of XTAM Node A that was generated during installation

    For Windows:

    bin\PamDirectory.cmd ADSReplicate web {ads.remote.server} {ads.remote.password}

    For Linux:

    bin/PamDirectory.sh ADSReplicate web {ads.remote.server} {ads.remote.password}

  5. Wait a few minutes for the replication to complete and then refresh your browser.


Mark Klinchin

I am Co-Founder and CEO of Xton Technologies. I am interested in computers, software development, cyber security, content management, photography, image processing and mathematics.


Copyright © 2019 Xton Technologies, LLC. All rights reserved.