Deploying cluster servers
A PingFederate cluster consists of multiple nodes, each of which are likely running on a dedicated host system.
About this task
In a cluster, there are two types of nodes: engine nodes and administrative console nodes. Engine nodes service end user traffic, and multiple nodes are recommended to ensure high availability for your deployment. Only one administrative console node can be active in a given cluster. This node provides the user interface and administrative API that you can use to configure the cluster. Additionally, the administrative console node manages the following runtime functions:
-
Performing periodic configuration archive backup
-
Cleaning expired persistent authentication sessions
-
Cleaning expired access grants
-
Updating connections from metadata URLs, including PingOne SP connections if configured, and sends email notifications
-
Performing automatic rotation of signing certificates if enabled
Additional steps are required to set up failover for provisioning. If you are grouping servers exclusively to provide for provisioning failover, skip these steps and see Deploy provisioning failover. |
These steps describe how to configure and deploy clustered PingFederate servers by editing each node in the <pf_install>/pingfederate/bin/run.properties
.
Steps
-
Install PingFederate on each server in a cluster.
-
Edit the clustering properties of each node in the
<pf_install>/pingfederate/bin/run.properties
file. See the following table for information about each property.Property Description pf.operational.mode
Controls the operational mode of the PingFederate server. PingFederate supports the following modes:
STANDALONE
(default)-
This server is a standalone instance that operates as the administrative console and runtime engine.
The value
STANDALONE
should only be used in a cluster where session-state management is not needed for any reason and configuration-archive deployment is used as the configuration synchronization method.CLUSTERED_CONSOLE
-
This server is part of a cluster and operates only the administrative console.
By default, only one node in a cluster can run the administrative console. If the active/passive admin nodes feature is enabled you can have more than one
CLUSTERED_CONSOLE
.Learn more in Active and passive administrative nodes.
CLUSTERED_ENGINE
-
This server is part of a cluster and operates only as the runtime engine.
pf.cluster.node.index
Defines a unique index number for the server in a cluster. The index number is used to identify peers and optimize inter-node communication. The allowed range is
0
to65535
.If no value is set for the node index, the system assigns an auto-generated value in the range of
0
to2147483647
.This property has no default value. If you specify an index number, you can configure instances of the Cluster Node Authentication Selector and place them in authentication policies to customize authentication requirements based on the runtime node servicing a request.
pf.cluster.auth.pwd
Sets the password that each node in the cluster must use to authenticate when joining the cluster. This prevents unauthorized nodes from joining a cluster. The value can be any string, or blank.
Consider using a randomly-generated password with 22 or more alphanumeric characters. A strong, obfuscated, Jgroups cluster password can be generated with the
clusterkey
utility (clusterkey.bat
for Windows andclusterkey.sh
for Linux), located in the<pf_install>/pingfederate/bin
directory.All nodes in a cluster must share the same value, blank or otherwise.
pf.cluster.encrypt
Indicates whether to encrypt network traffic sent between nodes in a cluster. The possible values are
true
orfalse
(default).When set to
true
, communication within the cluster is encrypted with a symmetric key derived from the value of thepf.cluster.auth.pwd
property.When the
pf.cluster.encrypt
property is set totrue
, you must provide a value for thepf.cluster.auth.pwd
property. Otherwise PingFederate aborts during its startup process.All nodes in a cluster must have the same value for this property.
pf.cluster.encryption.keysize
The length of the key that PingFederate takes into consideration when deriving the symmetric key from the value of the
pf.cluster.auth.pwd
property for the purpose of encrypting network traffic sent between nodes in a cluster. Required only when thepf.cluster.encrypt
is set totrue
.All nodes in a cluster must have the same value set for this property.
The default value is
128
.pf.cluster.bind.address
Defaults to
NON_LOOPBACK
, which leaves the system to choose an available non-loopback IP address. Alternatively, enter an IP address of the network interface to which the cluster communication should bind. For machines with more than one network interface, provide a specific IP address.You can use this property to increase performance (particularly with UDP) and improve security by segmenting cluster-communication traffic onto a private network or VLAN.
Besides
NON_LOOPBACK
or an IP address, you can also use other values supported by JGroups. For more information, see thebind_addr
special values in .org/manual/index.html//[JGroups documentation].This field does not support DNS name. Use the default value NON_LOOPBACK or replace it with an IP address.
pf.cluster.bind.port
Specifies the port associated with the
pf.cluster.bind.address
property or with the default network interface used.This is the port used by other cluster members during their discovery process, usually via the
pf.cluster.tcp.discovery.initial.hosts
property.The default value is
7600
.pf.cluster.failure.detection.bind.port
Indicates the bind port of a server socket that is opened on the given node and used by other nodes as part of the cluster’s failure-detection mechanisms. If set to
0
or unspecified, a random available port is used. The default value is7700
.pf.cluster.transport.protocol
Indicates the transport protocol used for cluster communication. Values are
udp
ortcp
. The default value is tcp. All nodes in a cluster must have the same value set for this property.Use UDP when IP multicasting is enabled in the network environment and the majority of cluster traffic is point-to-full-group. You must also configure both the
pf.cluster.mcast.group.address
andpf.cluster.mcast.group.port
properties.Use TCP for geographically dispersed servers or when multicast is not available or disabled for some other reason. For example, when using routers that do not support multicast messaging. TCP may also be appropriate if your cluster configuration employs more point-to-point or point-to-few messaging than point-to-group.You must also configure the
pf.cluster.tcp.discovery.inital.hosts
property.This property is a reference to a protocol-stack XML configuration file located in the
<pf_install>/pingfederate/server/default/conf/
directory. Two stacks are provided: one for UDP multicast and one for TCP. You can customize either stack or add to it as needed by modifying the associated configuration file.pf.cluster.mcast.group.address
Defines the IP address shared among nodes in the same cluster for UDP multicast communication; required when UDP is set as the transport protocol. The valid range is
224.0.0.0
to239.255.255.255
. Some addresses in this range are reserved for other purposes. This property is not used for TCP.All nodes in a cluster must have the same value set for this property.
The default value is 239.16.96.69.
pf.cluster.mcast.group.port
Defines the port in conjunction with the
pf.cluster.mcast.group.address
property value. This property is not used for TCP configurations.All nodes in a cluster must have the same value set for this property.
The default value is
7601
.pf.cluster.tcp.discovery.initial.hosts
Designates a static list of PingFederate servers to be contacted for cluster membership information when discovering, joining, and rejoining the cluster. This value is required when TCP is set as the transport protocol. The value is a comma-separated list of host names (or IP addresses) and their cluster bind ports, for example,
host1[7600],10.0.1.4[7600],host7[1033],10.0.9.45[2231]
.When using static discovery, add at least one node for the cluster to know in advance. This property should contain all nodes in the cluster (including itself) to increase the likelihood of new members finding and joining the cluster.
When using dynamic discovery, leave this property blank and enable dynamic discovery in the
<pf_install>/pingfederate/server/default/conf/tcp.xml
file. For more information, see Enabling dynamic discovery for clustering.pf.cluster.adaptive
Indicates whether runtime state-management services should use the adaptive clustering architecture.
The default value is
true
for new installations andfalse
for upgrades.pf.cluster.diagnostics.enabled
false
turns off JGroups diagnostics.true
turns it on.The default value is
false
.pf.cluster.diagnostics.addr
andpf.cluster.diagnostics.port
The multicast address and port this node listens on for diagnostic messages.
The default values are
224.0.75.75
and7500
, respectively. Do not change the default values.node.tags
Defines the tags associated with this node.
Configuration is optional. When configured, PingFederate considers this property when processing requests. For example, you can use tags to determine the datastore location that this PingFederate node communicates with. You can also use tags in conjunction with authentication selectors and policies to define authentication requirements.
You can specify one tag.
node.tags=north
You can also specify a list of prioritized, space-separated tags.
node.tags=1 123 234
Tags cannot contain spaces.
pf.cluster.thread.pool.max.threads
The maximum number of threads in the JGroups thread pool responsible for processing received remote procedure calls (RCPs).
For this property to take effect, one of the following files must be up to date:
-
conf/tcp.xml
If you use the TCP protocol -
conf/udp.xml
If you use the UDP protocol
The default value is
40
. -
Optional: Edit configuration files in each node that control the cluster protocol and runtime state-management service. For more information, see Runtime state-management architectures and Runtime state-management services.
-
Optional: If outbound provisioning is configured for your site and you want to provide failover capabilities, identify and configure the provisioning failover nodes. For more information, see Deploy provisioning failover.
-
Start or restart PingFederate on all nodes.
-
Sign on to the administrative console.
-
If you have not done so, import your PingFederate license. For more information, see License management.
-
On the System → Server → Cluster Management window, click Replicate Configuration to push the license information from the console node to all engine nodes.
Result
After the clustered environment is set up, you can start configuring PingFederate through the administrative console. When PingFederate detects a change, it prompts you to replicate the configuration to all engine nodes.