VIP on PINsafe Appliances

From Swivel Knowledgebase Wiki


Overview

This document covers the use of the VIP (Virtual IP Address) on PINsafe appliances to provide redundancy in the event of a failure of one of the PINsafe servers. The VIP is usually used for providing resilience to the single channel TURing image, but may also be used for Dual Channel message requests and the Security String index.

The VIP is often used with the Mon process, so that when a monitored process fails the VIP provides resilience to that process; see MON Service Monitor How to guide.


Prerequisites

PINsafe A/A appliances, see also High Availability with PINsafe


VIP deployment considerations

  • Each PINsafe appliance will need to be configured both for networking and PINsafe configuration options.
  • The VIP must be deployed on a pair of PINsafe servers within the same subnet.
  • Three IP addresses within the subnet are required for ETH 0: Primary, Standby and VIP.
  • The PINsafe appliances must be able to ping each other and the gateway IP address, so that each can confirm the other is available and detect network failures. If the gateway is a firewall, a rule may need to be created to allow the ping.
  • PINsafe A/A appliances use the crossover cable connection on ETH 1, directly between the two appliances, to tell the difference between a network failure and the failure of a PINsafe appliance. The heartbeat process monitors the network and controls where the VIP should be. The mon process monitors the VIP and provides alerting.
  • Where the VIP is used to obtain a graphical TURing image, the real IP address of the PINsafe appliance should be used for RADIUS requests, since the PINsafe server will respond with its real IP address, which may cause the access device to drop the response as it will have come from a different IP. Primary and Secondary RADIUS servers may be configured. To overcome the possibility of the single channel image coming from one server and the RADIUS request going to another server, one of the following should be enabled on the Primary Master and Standby Master:

Session Sharing

RADIUS Proxy see PINsafe RADIUS Proxy


VIP Configuration

The VIP should be configured from the CMI. The networking section allows the IP address of the Primary Master, Standby Master and VIP to be entered on each appliance.

To activate the VIP, heartbeat should be configured to start on system boot on the Primary Master and Standby Master: in the CMI select Advanced, then Default Running Services, then select Heartbeat so that it displays ON. To start heartbeat manually, in the CMI select Heartbeat, then start.


VIP Alerting

The PINsafe appliance can be configured to send an email when a fail over occurs.

Note: when using Webmin on older versions of the appliance, a semicolon may be added onto the end of the configuration, which renders it useless.

Make a backup of /etc/ha.d/haresources.

Edit /etc/ha.d/haresources using the command line, WinSCP (see WinSCP How To Guide) or a recent version of Webmin, and alter all occurrences of root@localhost to the new monitoring email address.
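The backup, edit and check steps above can be done in one pass from the command line. The script below is an added example, not part of the Swivel documentation or appliance tooling; the function names are hypothetical, and the sample haresources line with a MailTo entry is constructed for the demo and is an assumption about the file layout.

```shell
#!/bin/bash
# Added example, not Swivel tooling. Function names are hypothetical.

# check_haresources FILE: fail if root@localhost remains or a non-comment
# line ends in a semicolon (the damage older Webmin versions can introduce).
check_haresources() {
    local file="$1" rc=0
    if grep -n 'root@localhost' "$file" >&2; then
        echo "old address still present in $file" >&2; rc=1
    fi
    if grep -vE '^[[:space:]]*#' "$file" | grep -nE ';[[:space:]]*$' >&2; then
        echo "trailing semicolon in $file" >&2; rc=1
    fi
    return "$rc"
}

# update_ha_alert_email FILE NEW_ADDRESS: back up FILE, rewrite every
# root@localhost in place (keeping owner and mode), then verify the result.
update_ha_alert_email() {
    local file="$1" addr="$2" backup tmp rc
    [ -f "$file" ] || { echo "missing: $file" >&2; return 2; }
    # Allow only characters that are safe in the sed replacement.
    case "$addr" in
        *[!A-Za-z0-9@._+-]*|*@*@*) echo "bad address: $addr" >&2; return 3 ;;
        ?*@?*) ;;
        *) echo "bad address: $addr" >&2; return 3 ;;
    esac
    backup="$file.bak.$(date +%Y%m%d%H%M%S)"
    cp -p "$file" "$backup" || return 4
    tmp="$(mktemp)" || return 5
    sed "s/root@localhost/$addr/g" "$backup" >"$tmp" && cat "$tmp" >"$file"
    rc=$?
    rm -f "$tmp"
    [ "$rc" -eq 0 ] || return 5
    check_haresources "$file"
}

# Demo on a constructed sample; the MailTo line is an assumed layout,
# not copied from a real appliance.
demo() {
    local d; d="$(mktemp -d)" || return 1
    printf '%s\n' '# constructed sample' \
        'node1 IPaddr::192.0.2.10 MailTo::root@localhost' >"$d/haresources"
    update_ha_alert_email "$d/haresources" alerts@example.com || return 1
    cat "$d/haresources"; rm -rf "$d"
}
demo
```

On an appliance, replace the demo call with update_ha_alert_email /etc/ha.d/haresources followed by the real monitoring address; a non-zero exit means the file still needs attention and the timestamped backup is available to restore.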

Also consider the use of MON for monitoring Tomcat see MON Service Monitor How to guide


VIP Status

To verify the VIP status on a PINsafe appliance see VIP Status


Testing

Known Issues

The VIP should primarily be used for the TURing image single channel authentication. RADIUS requests should be directed against the real IP address of the appliance rather than the VIP. Requests to the VIP will be returned by the appliance on the real IP address and the access device may reject the RADIUS response as the source and destination IP addresses do not match.


Troubleshooting

Heartbeat will not start, see Heartbeat issues