Difference between revisions of "V3 Setup HA Pair"
m (Admin moved page V3SetupHAPair to V3 Setup HA Pair: add spaces) |
|||
(2 intermediate revisions by the same user not shown) | |||
Line 1: | Line 1: | ||
{{template:default}} | {{template:default}} | ||
− | [[Category: | + | [[Category:Version 3 Appliance]] |
[[Category:How]] | [[Category:How]] | ||
Latest revision as of 13:01, 17 May 2017
Contents
Setting Up a High Availability (HA) Pair
What is a HA Pair?
This is a pair of Swivel appliances named Primary Master and Secondary Master that are able to provide authentication simultaneously for resilience purposes. Features include:
- Dedicated Replication Interface: User information is usually replicated across a dedicated network interface. On hardware appliances, a crossover cable is used on network interface eth1. This provides the maximum resilience, since there are no network devices between the appliances that can fail. Replication traffic may also be directed to run over network interface eth0 instead, with the loss of some resilience capability;
- Replicated Database: Out of the box, the Swivel appliances can replicate the Swivel Core database with one another. Transactions will be replicated both ways instantaneously. For example, this means that if a user changes their PIN on one Swivel appliance, the other appliance will receive the change and be able to authenticate with the new PIN immediately;
- Config Sync: Since the replicated database does not replicate the configuration of the Swivel Cores between the appliances, you will need to consider the use of the Config Sync feature. This is particularly useful when you have a lot of RADIUS entries for third party devices and need to ensure that any config changes are synced;
- Virtual IP Address: this is to allow a floating IP address to be attached to a Swivel appliance, which in the event of a Swivel appliance failure, can move to a second Swivel appliance on the same subnet. The VIP is bound to network interface eth0. The VIP is typically used to provide resilience for the Image based Swivel authentication method;
- Appliance Sync: (formerly Session Sharing) this allows an Image based security string to be requested from one appliance and an authentication request to hit the other. A session register is shared between the appliances to facilitate this;
- RADIUS Proxy: Where ‘Appliance Sync’ is not in operation this can be used to refer a RADIUS authentication request to another Swivel appliance, where the session may have originated from.
You may not take advantage of all of these features immediately, but as you integrate the Swivel appliances with more third party products, the need for these features will become apparent.
Minimum setup required
Before undertaking any High Availability configuration, you should ensure that you have setup the Network configuration for both the eth0 and eth1 network interfaces. You will need to allocate network addresses for:
- Primary eth0 interface
- Primary eth1 interface
- Secondary eth0 interface
- Secondary eth1 interface
- Virtual IP
Note: The 172.16.0.x default addresses for the eth1 interfaces can remain as they are if using a crossover cable between the eth1 interfaces that does not clash with your eth0 network.
As a minimum requirement when not using Image Based authentication you should setup both the Replicated Database and the Config Sync features. This will enable user data and configuration to synchronise between the appliances.
Where Image Based authentication is being used you should also setup Virtual IP address and Appliance Sync if you intend to be able to serve images from both appliances simultaneously or have some resilience (failover) for serving images.
To access the High Availability menu, login to the Appliance using PuTTY. This option is available from the Main Menu.
To configure the High Availability functionality we will start from the top menu item in the High Availability menu and work downwards.
As a bare minimum for a HA Pair you will need to do the following (in this order):
- Ensure that the secondary ethernet network interfaces are connected together (by crossover cable on Physical appliances or a dedicated vSwitch arrangement on Virtual Machines);
- Set the Peer IPs for on both the Primary and Standby appliances so that they can find each other on the network;
- Perform the initial Database sync if it has not synced automatically after setting the Peer IPs.
Detailed below are the configuration options on the High Availability menu.
Set Peer IP
These settings assume that you have already configured the Networking and Hostnames of the appliances. If you have not already configured the Networking and Hostnames then please do so before you proceed.
The ‘Peer’ appliance would simply be the alternate appliance in the HA Pair. So if you are logged into the Primary Console Management Interface, the ‘Peer’ would be the Secondary appliance.
Set Peer Hostname - If you are logged into the Primary appliance, you would enter the Secondary appliance hostname assuming that the Standby is the Peer you want to replicate against.
Change Replication Interface - This menu option provides the ability to toggle between using network interface eth0 or eth1 for replication of the database. By default this is set to eth1.
Set Peer eth0 IP - If you are logged into the Primary appliance, you would enter the Secondary eth0 IP.
Set Peer eth1 IP - If you are logged into the Primary appliance, you would enter the Secondary eth1 IP.
Set DR IP
These settings assume that you have already configured the Networking and Hostnames of the appliances. If you have not already configured the Networking and Hostnames then please do so before you proceed.
Add DR IP - If you are logged into the Primary appliance, you would enter the DR appliance IP assuming that the DR is the appliance you want to replicate data to, from the Primary. Multiple DR IPs can be added here - however this is not recommended. Any extra DRs would need to be configured manually using Webmin or the Command Line.
Remove DR IP - Select the item number of the DR IP that you wish to remove from the list of DRs.
Database Replication
After you have configured the Network IPs, Hostnames, Peers and DRs you should check the Status of the Database Replication with each of the Peers and if necessary perform an initial sync.
Status - This option presents you with a list of Peer and DR IPs. Select the Peer IP you want to check Replication Status against
Start Reading Updates from Peer - As described when selected this feature will begin reading database updates from the Peer appliance
Repair Replication - This option prompts you to select the canonical (valid) database to sync to the alternate appliance during the repair operation
Virtual IP
Set Email Address - Enter an email address for Virtual IP alerting emails
Change Virtual IP - Enter a new virtual IP or replace the current one
Add Ping Node - This is vital to provide the HA failover mechanism with the ability to know if it can contact something else on the network or not. Typically this would be a router or a gateway. Multiple entries can be added and will appear above the menu options in a list.
Remove Ping Node - Select the number pertaining to a particular Ping Node to remove it.
Start Mon - This is an alternating menu option. It will appear as either Start Mon or Stop Mon depending on the current service status. If you select Start Mon the Mon service will be started. If you select Stop Mon the Mon service will be stopped.
Stop Mon - This is an alternating menu option. It will appear as either Start Mon or Stop Mon depending on the current service status. If you select Start Mon the Mon service will be started. If you select Stop Mon the Mon service will be stopped.
Start Heartbeat - This is an alternating menu option. It will appear as either Start Heartbeat or Stop Heartbeat depending on the current service status. If you select Start Heartbeat the Heartbeat service will be started. If you select Stop Heartbeat the Heartbeat service will be stopped.
Stop Heartbeat - This is an alternating menu option. It will appear as either Start Heartbeat or Stop Heartbeat depending on the current service status. If you select Start Heartbeat the Heartbeat service will be started. If you select Stop Heartbeat the Heartbeat service will be stopped.
Advanced
These settings are for an engineer to be able to view the contents of the ha.cf, haresources and mon.cf files. They are to be used for advanced purposes and diagnostics only. It is not recommended that you use this menu option if setting up your appliances for the first time.
Modify Hostnames - You will be prompted to enter both the Primary and Standby hostnames. The HA configuration files will be modified with the hostnames you provide.
Modify IPs - This option sets the IP for the network interface you select or replaces the current IP.
Modify VIP - This option sets the VIP or replaces the default VIP of 192.168.0.38.