Configuring active and passive administrative nodes

Learn how to configure active and passive admin consoles in the admin UI.

Before you begin

If you’re upgrading from a single-console cluster to a cluster with active and passive consoles:

Make a copy of the original console to use in creating passive consoles. This ensures that the passive consoles have the same configuration data archive as the original console, which reduces the size of the initial synchronization. This is similar to exporting and importing a configuration archive.
Delete the pingfederate/server/default/data/instance/admin-node-mode.xml file from the new passive node, if it exists.
Because the synchronization action only copies over configuration and license settings, similar to replication engines, you must manually adjust the properties and configuration files for the passive nodes.

About this task

To configure active and passive admin consoles:

Steps

Edit the clustering properties of each node in the <pf_install>/pingfederate/bin/run.properties file.

Learn more in Deploying cluster servers.

Enable and configure active and passive admin consoles in the pingfederate/server/default/conf/cluster-admin-nodes-sync.conf file.

Review each property in this file to make sure the values for each node are correctly configured for your cluster.

The following table describes each file property:

Property Description

Property	Description
`enabled`	Whether the active/passive admin nodes feature is enabled. Values are `true` or `false`.
`passive.node.data.sync.interval.secs`	The interval in seconds between requests from the passive node to the active node to pull the saved configuration. The default value is `10`.
`rpc.synchronization.data.timeout.milliseconds`	The time in milliseconds before a data synchronization request times out. The default value is `20000`.
`passive.node.configuration.reload.interval.secs`	The interval in seconds between configuration reloads on a passive node. The reload process locks the admin console from performing other tasks, and the process can be time-consuming, so reloads are not performed after every synchronization. Reloads are performed periodically to allow you to discover configuration issues from the `server.log` file, if they arise. This value should be greater than `passive.node.data.sync.interval.secs`. The default value is `300`.
`active.node.last.successful.sync.warning`	The interval in seconds since the active node’s last successful synchronization with a passive node before a warning is issued on the active admin console. This value should be greater than the value for `passive.node.data.sync.interval.secs`. The default value is `25`.

enabled

Whether the active/passive admin nodes feature is enabled.

Values are true or false.

passive.node.data.sync.interval.secs

The interval in seconds between requests from the passive node to the active node to pull the saved configuration.

The default value is 10.

rpc.synchronization.data.timeout.milliseconds

The time in milliseconds before a data synchronization request times out.

The default value is 20000.

passive.node.configuration.reload.interval.secs

The interval in seconds between configuration reloads on a passive node.

The reload process locks the admin console from performing other tasks, and the process can be time-consuming, so reloads are not performed after every synchronization.

Reloads are performed periodically to allow you to discover configuration issues from the server.log file, if they arise.

This value should be greater than passive.node.data.sync.interval.secs.

The default value is 300.

active.node.last.successful.sync.warning

The interval in seconds since the active node’s last successful synchronization with a passive node before a warning is issued on the active admin console.

This value should be greater than the value for passive.node.data.sync.interval.secs.

The default value is 25.

Optional: If you’re planning a fresh setup of PingFederate with active and passive admin consoles and hardware security modules (HSMs):
1. Decide which passive console will become active.
2. Start the designated passive console.
3. Switch the designated passive console to become active.
  
  Refer to step 5 or Active and passive administrative console endpoints for instructions on switching a passive console to active.
4. After the active console is started, start the remaining consoles.
  
  This ensures that the passive consoles can retrieve the default SSL server certificate from the active console so that passive consoles can start successfully.

For new installations of PingFederate, run the initial setup wizard on the node that you want to make active when you first start your cluster.

Learn more in Setting up PingFederate.

Run the initial setup wizard only on the passive node that you intend to make active.

After the wizard completes, it will automatically switch the console you run it on to an active node. Because you can only have one active admin node at a time, do not run the wizard on multiple passive nodes.

For existing PingFederate installations, switch a node to active mode:
1. Make sure the active/passive admin nodes feature is enabled in all of the admin nodes by setting the enabled parameter to true in the pingfederate/server/default/conf/cluster-admin-nodes-sync.conf file on each node.
2. Go to System → Cluster Management
3. Click the All Admin Consoles tab.
4. Click one of the listed admin consoles.
5. Click Switch to Active.

PingFederate Server

Configuring active and passive administrative nodes

Before you begin

About this task

Steps