--- title: Configuring a PingAccess cluster description: Install and configure PingAccess on each node in a cluster, including the administrative node, a replica administrative node, and one or more engine nodes. component: pingaccess version: 9.0 page_id: pingaccess:reference_guides:pa_configuring_a_pa_cluster canonical_url: https://docs.pingidentity.com/pingaccess/9.0/reference_guides/pa_configuring_a_pa_cluster.html revdate: April 26, 2023 section_ids: about-this-task: About this task steps: Steps next-steps: Next steps --- # Configuring a PingAccess cluster Install and configure PingAccess on each node in a cluster, including the administrative node, a replica administrative node, and one or more engine nodes. ## About this task The initial node you configure becomes the administrative node, which you will use to configure the rest of the cluster. | | | | - | -------------------------------------------------------------------------------------------------------------------------------------------------- | | | Setting the `pa.operational.mode` property on each node is part of the configuration process. Do not modify this property until directed to do so. | ## Steps 1. Install PingAccess on each cluster node. 2. Configure the administrative node: 1. Open the `conf/run.properties` file in a text editor and change the `pa.operational.mode` value to `CLUSTERED_CONSOLE`. This property is case-sensitive. 2. Start PingAccess. 3. Follow steps 1-14 of [Generating new key pairs](../pingaccess_user_interface_reference_guide/pa_generating_new_key_pairs.html) to create a new key pair for the CONFIG QUERY listener. Make the following adjustments to steps 4-5: 1. To complete step 4, enter the DNS name of the administrative node in the **Common Name** field. 2. To complete step 5, enter both the DNS name of the replica administrative node and the DNS name of the administrative node in the **Subject Alternative Names** field. Alternately, configure the **Subject Alternative Names** field as a wildcard certificate. | | | | - | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | You can use an Internet Protocol (IP) *(tooltip: \
\

The method by which data is sent across the internet from the source host to the destination host.\

\
)* address as the common name or in the **Subject Alternative Names** field, as long as those values are used in the administrative node fields on the **Administrative Nodes** configuration page. | | | | | - | ------------------------------------------------------------------------------------ | | | You will need this key pair in step 3a to set up the replica administrative console. | 4. Follow steps 1-4 of [Assigning key pairs to HTTPS listeners](../pingaccess_user_interface_reference_guide/pa_assigning_key_pairs_to_https_listeners.html) to assign the key pair you just created to the CONFIG QUERY listener. 5. Follow steps 1-6 in [Configuring administrative nodes](../pingaccess_user_interface_reference_guide/pa_configuring_admin_nodes.html) to configure the administrative node settings, then review the *What to do next* section. Make the following adjustment to step 2: 1. To complete step 2, define the primary administrative node as a `host:port` pair in the **Host** field. | | | | - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | The host you specify must be a resolvable DNS name for the node or the node's IP address. The port must be the TCP port that PingAccess listens to for the administrative interface. By default, this port is 9090. | 6. Follow steps 1-14 of [Generating new key pairs](../pingaccess_user_interface_reference_guide/pa_generating_new_key_pairs.html) to create a new key pair for the ADMIN listener. Make the following adjustments to steps 4-5: 1. To complete step 4, enter the DNS name of the administrative node in the **Common Name** field. 2. To complete step 5, enter both the DNS name of the replica administrative node and the DNS name of the administrative node in the **Subject Alternative Names** field. Alternately, configure the **Subject Alternative Names** field as a wildcard certificate. | | | | - | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | You can use an IP address as the common name or in the **Subject Alternative Names** field as long as those values are used in the administrative node fields on the **Administrative Nodes** configuration page. | 7. Follow steps 1-4 of [Assigning key pairs to HTTPS listeners](../pingaccess_user_interface_reference_guide/pa_assigning_key_pairs_to_https_listeners.html) to assign the key pair you just created to the ADMIN listener. 8. Restart PingAccess. 3. Configure the replica administrative node. | | | | - | ------------------------------------------------------------------------------------------------------------------------------ | | | If you add a replica administrative node after you deploy the cluster, you must update the configuration for each engine node. | 1. Complete steps 1-11 of [Configuring replica administrative nodes](../pingaccess_user_interface_reference_guide/pa_configuring_replica_administrative_nodes.html). Make the following adjustments to step 2 and step 5: 1. To complete step 2, the host you specify must be a resolvable DNS name for the node or the node's IP address. The port must be the TCP port that PingAccess listens to for the administrative interface. By default, this port is 9090. 2. To complete step 5, select the key pair that you created for the CONFIG QUERY listener in step 2c of this topic as the **Replica Administrative Node Trusted Certificate**. 4. Configure the engine nodes in the cluster one at a time. For each engine node: 1. Complete steps 1-10 of [Configuring engine nodes](../pingaccess_user_interface_reference_guide/pa_configuring_engine_nodes.html). 2. On the engine node, open the `conf/run.properties` file in a text editor and change the `pa.operational.mode` value to `CLUSTERED_ENGINE`. 3. Complete step 11 of [Configuring engine nodes](../pingaccess_user_interface_reference_guide/pa_configuring_engine_nodes.html). If you specified a proxy for the engine node, see the *What to do next* section also. | | | | - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | | | Alternately, you can configure each engine node with an auto-registration file. For more information, see [Configuring engine nodes using an auto-registration file](../pingaccess_user_interface_reference_guide/pa_configuring_engine_nodes_using_an_auto_registration_file.html). | ## Next steps 1. Go to **Settings → System → Clustering** to check your cluster's status. If everything is configured properly, the cluster engine nodes and the replica administrative node should display a green status icon, indicating that the cluster is operational. For more information about status icons, see [Clustering in PingAccess](pa_clustering_ref_guide.html). 2. Optionally, you can configure each node in the cluster to run PingAccess as a service. This set-up prompts PingAccess to run automatically when you start a node. For more information, see [Running PingAccess as a service](../installing_and_uninstalling_pingaccess/pa_running_pa_as_a_service.html) in *Installing and Uninstalling PingAccess*.