--- title: Configuring replica administrative nodes description: Configure one PingAccess node as a replica administrative node to provide an alternative if the administrative node fails. component: pingaccess version: 9.0 page_id: pingaccess:pingaccess_user_interface_reference_guide:pa_configuring_replica_administrative_nodes canonical_url: https://docs.pingidentity.com/pingaccess/9.0/pingaccess_user_interface_reference_guide/pa_configuring_replica_administrative_nodes.html revdate: April 26, 2023 section_ids: about-this-task: About this task steps: Steps --- # Configuring replica administrative nodes Configure one PingAccess node as a replica administrative node to provide an alternative if the administrative node fails. ## About this task The key pair *(tooltip: \
\

The private key and public key represented by a certificate.\

\
)* that you create for the CONFIG QUERY listener must include both the administrative node and the replica administrative node. To make sure the replica administrative node is included, you can either use a wildcard certificate or define subject alternative names in the key pair that use the replica administrative node's DNS name. For more information, see step 2c in [Configuring a PingAccess cluster](../reference_guides/pa_configuring_a_pa_cluster.html). | | | | - | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | If you use a replica administrative node in your configuration, configure the replica administrative node before defining the engine nodes, or the `bootstrap.properties` files generated for the engine nodes will not include information about the replica administrative node. | ## Steps 1. Click **Settings**, then go to **Clustering > Administrative Nodes**. 2. In the **Host** field, in the **Replica Administrative Node** section, enter the host and port for the replica administrative node. This name and port pair must match either a subject alternative name in the key pair or be considered a match for the wildcard specified if the key pair uses a wildcard in the common name. 3. If applicable, specify an **HTTP Proxy** for the engine. For more information about creating proxies, see [Adding proxies](pa_adding_proxies.html). 1. Click **[icon: plus, set=fa]Create** to create an HTTP proxy. 4. If applicable, specify an **HTTPS Proxy** for the engine. For more information about creating proxies, see [Adding proxies](pa_adding_proxies.html). 1. Click **[icon: plus, set=fa]Create** to create an HTTPS proxy. 5. Specify the **Replica Administrative Node Trusted Certificate** if a TLS-terminating network appliance, such as a load balancer, is placed between the engines and administrative node. | | | | - | ---------------------------------------------------------------------------------------------------------------------------------------------- | | | Select the certificate that the network appliance uses. The certificate helps establish a secure HTTP connection with the administrative node. | 6. Click **Save & Download** to download the `_data.zip` file for the replica administrative node. PingAccess automatically generates and downloads a public and private key pair into the `bootstrap.properties` file for the node. The public key is indicated in this window. 7. Copy the downloaded file to the replica administrative node's `` directory and extract it. 8. If the replica administrative node is running on a Linux host, run the command `chmod 400 conf/pa.jwk`. 9. Edit `/conf/run.properties` on the replica administrative node and change the `pa.operational.mode` value to `CLUSTERED_CONSOLE_REPLICA`. This property is case-sensitive. 10. Start the replica administrative node. 11. Verify replication has completed by monitoring the `/log/pingaccess.log` file and looking for the message `Configuration successfully synchronized with administrative node`.