PingFederate Server

Deploying cluster servers

A PingFederate cluster consists of multiple nodes, each of which are likely running on a dedicated host system.

About this task

In a cluster, there are two types of nodes: engine nodes and administrative console nodes. Engine nodes service end user traffic, and multiple nodes are recommended to ensure high availability for your deployment. Only one administrative console node can be active in a given cluster. This node provides the user interface and administrative API that you can use to configure the cluster. Additionally, the administrative console node manages the following runtime functions:

  • Performing periodic configuration archive backup

  • Cleaning expired persistent authentication sessions

  • Cleaning expired access grants

  • Updating connections from metadata URLs, including PingOne SP connections if configured, and sends email notifications

  • Performing automatic rotation of signing certificates if enabled

Additional steps are required to set up failover for provisioning. If you are grouping servers exclusively to provide for provisioning failover, skip these steps and see Deploy provisioning failover.

These steps describe how to configure and deploy clustered PingFederate servers by editing each node in the <pf_install>/pingfederate/bin/run.properties.

Steps

  1. Install PingFederate on each server in a cluster.

  2. Edit the clustering properties of each node in the <pf_install>/pingfederate/bin/run.properties file. See the following table for information about each property.

    Property Description

    pf.operational.mode

    Controls the operational mode of the PingFederate server. PingFederate supports the following modes:

    STANDALONE (default)

    This server is a standalone instance that operates as the administrative console and runtime engine.

    The value STANDALONE should only be used in a cluster where session-state management is not needed for any reason and configuration-archive deployment is used as the configuration synchronization method.

    CLUSTERED_CONSOLE

    This server is part of a cluster and operates only the administrative console.

    By default, only one node in a cluster can run the administrative console. If the active/passive admin nodes feature is enabled you can have more than one CLUSTERED_CONSOLE.

    CLUSTERED_ENGINE

    This server is part of a cluster and operates only as the runtime engine.

    pf.cluster.node.index

    Defines a unique index number for the server in a cluster. The index number is used to identify peers and optimize inter-node communication. The allowed range is 0 to 65535.

    If no value is set for the node index, the system assigns an auto-generated value in the range of 0 to 2147483647.

    This property has no default value. If you specify an index number, you can configure instances of the Cluster Node Authentication Selector and place them in authentication policies to customize authentication requirements based on the runtime node servicing a request.

    pf.cluster.auth.pwd

    Sets the password that each node in the cluster must use to authenticate when joining the cluster. This prevents unauthorized nodes from joining a cluster. The value can be any string, or blank.

    Consider using a randomly-generated password with 22 or more alphanumeric characters. A strong, obfuscated, Jgroups cluster password can be generated with the clusterkey utility (clusterkey.bat for Windows and clusterkey.sh for Linux), located in the <pf_install>/pingfederate/bin directory.

    All nodes in a cluster must share the same value, blank or otherwise.

    pf.cluster.encrypt

    Indicates whether to encrypt network traffic sent between nodes in a cluster. The possible values are true or false (default).

    When set to true, communication within the cluster is encrypted with a symmetric key derived from the value of the pf.cluster.auth.pwd property.

    When the pf.cluster.encrypt property is set to true, you must provide a value for the pf.cluster.auth.pwd property. Otherwise PingFederate aborts during its startup process.

    All nodes in a cluster must have the same value for this property.

    pf.cluster.encryption.keysize

    The length of the key that PingFederate takes into consideration when deriving the symmetric key from the value of the pf.cluster.auth.pwd property for the purpose of encrypting network traffic sent between nodes in a cluster. Required only when the pf.cluster.encrypt is set to true.

    All nodes in a cluster must have the same value set for this property.

    The default value is 128.

    pf.cluster.bind.address

    Defaults to NON_LOOPBACK, which leaves the system to choose an available non-loopback IP address. Alternatively, enter an IP address of the network interface to which the cluster communication should bind. For machines with more than one network interface, provide a specific IP address.

    You can use this property to increase performance (particularly with UDP) and improve security by segmenting cluster-communication traffic onto a private network or VLAN.

    Besides NON_LOOPBACK or an IP address, you can also use other values supported by JGroups. For more information, see the bind_addr special values in .org/manual/index.html//[JGroups documentation].

    This field does not support DNS name. Use the default value NON_LOOPBACK or replace it with an IP address.

    pf.cluster.bind.port

    Specifies the port associated with the pf.cluster.bind.address property or with the default network interface used.

    This is the port used by other cluster members during their discovery process, usually via the pf.cluster.tcp.discovery.initial.hosts property.

    The default value is 7600.

    pf.cluster.failure.detection.bind.port

    Indicates the bind port of a server socket that is opened on the given node and used by other nodes as part of the cluster’s failure-detection mechanisms. If set to 0 or unspecified, a random available port is used. The default value is 7700.

    pf.cluster.transport.protocol

    Indicates the transport protocol used for cluster communication. Values are udp or tcp. The default value is tcp. All nodes in a cluster must have the same value set for this property.

    Use UDP when IP multicasting is enabled in the network environment and the majority of cluster traffic is point-to-full-group. You must also configure both the pf.cluster.mcast.group.address and pf.cluster.mcast.group.port properties.

    Use TCP for geographically dispersed servers or when multicast is not available or disabled for some other reason. For example, when using routers that do not support multicast messaging. TCP may also be appropriate if your cluster configuration employs more point-to-point or point-to-few messaging than point-to-group.You must also configure the pf.cluster.tcp.discovery.inital.hosts property.

    This property is a reference to a protocol-stack XML configuration file located in the <pf_install>/pingfederate/server/default/conf/ directory. Two stacks are provided: one for UDP multicast and one for TCP. You can customize either stack or add to it as needed by modifying the associated configuration file.

    pf.cluster.mcast.group.address

    Defines the IP address shared among nodes in the same cluster for UDP multicast communication; required when UDP is set as the transport protocol. The valid range is 224.0.0.0 to 239.255.255.255. Some addresses in this range are reserved for other purposes. This property is not used for TCP.

    All nodes in a cluster must have the same value set for this property.

    The default value is 239.16.96.69.

    pf.cluster.mcast.group.port

    Defines the port in conjunction with the pf.cluster.mcast.group.address property value. This property is not used for TCP configurations.

    All nodes in a cluster must have the same value set for this property.

    The default value is 7601.

    pf.cluster.tcp.discovery.initial.hosts

    Designates a static list of PingFederate servers to be contacted for cluster membership information when discovering, joining, and rejoining the cluster. This value is required when TCP is set as the transport protocol. The value is a comma-separated list of host names (or IP addresses) and their cluster bind ports, for example, host1[7600],10.0.1.4[7600],host7[1033],10.0.9.45[2231].

    When using static discovery, add at least one node for the cluster to know in advance. This property should contain all nodes in the cluster (including itself) to increase the likelihood of new members finding and joining the cluster.

    When using dynamic discovery, leave this property blank and enable dynamic discovery in the <pf_install>/pingfederate/server/default/conf/tcp.xml file. For more information, see Enabling dynamic discovery for clustering.

    pf.cluster.adaptive

    Indicates whether runtime state-management services should use the adaptive clustering architecture.

    The default value is true for new installations and false for upgrades.

    pf.cluster.diagnostics.enabled

    false turns off JGroups diagnostics. true turns it on.

    The default value is false.

    pf.cluster.diagnostics.addr and pf.cluster.diagnostics.port

    The multicast address and port this node listens on for diagnostic messages.

    The default values are 224.0.75.75 and 7500, respectively. Do not change the default values.

    node.tags

    Defines the tags associated with this node.

    Configuration is optional. When configured, PingFederate considers this property when processing requests. For example, you can use tags to determine the datastore location that this PingFederate node communicates with. You can also use tags in conjunction with authentication selectors and policies to define authentication requirements.

    You can specify one tag.

    node.tags=north

    You can also specify a list of prioritized, space-separated tags.

    node.tags=1 123 234

    Tags cannot contain spaces.

  3. Optional: Edit configuration files in each node that control the cluster protocol and runtime state-management service. For more information, see Runtime state-management architectures and Runtime state-management services.

  4. Optional: If outbound provisioning is configured for your site and you want to provide failover capabilities, identify and configure the provisioning failover nodes. For more information, see Deploy provisioning failover.

  5. Start or restart PingFederate on all nodes.

  6. Sign on to the administrative console.

  7. If you have not done so, import your PingFederate license. For more information, see License management.

  8. On the System → Server → Cluster Management window, click Replicate Configuration to push the license information from the console node to all engine nodes.

Result

After the clustered environment is set up, you can start configuring PingFederate through the administrative console. When PingFederate detects a change, it prompts you to replicate the configuration to all engine nodes.