---
title: Setting up an ASE cluster (optional)
description: For production environments, Ping Identity recommends setting up a cluster of ASE nodes for improved performance and availability.
component: pingintelligence
version: 5.2
page_id: pingintelligence:installing_pingintelligence_for_apis:pingintelligence_setting_up_ase_cluster
canonical_url: https://docs.pingidentity.com/pingintelligence/5.2/installing_pingintelligence_for_apis/pingintelligence_setting_up_ase_cluster.html
revdate: April 3, 2024
section_ids:
  before-you-begin: Before you begin
  about-this-task: About this task
  steps: Steps
  example: Example:
  scaling-up-the-ase-cluster: Scaling up the ASE cluster
  about-this-task-2: About this task
  steps-2: Steps
  example-2: Example:
  result: Result:
  scaling-down-the-ase-cluster: Scaling down the ASE cluster
  about-this-task-3: About this task
  steps-3: Steps
  result-2: Result:
  deleting-a-cluster-node: Deleting a cluster node
  about-this-task-4: About this task
  steps-4: Steps
  stopping-ase-cluster: Stopping ASE cluster
  about-this-task-5: About this task
  steps-5: Steps
  result-3: Result:
---

# Setting up an ASE cluster (optional)

For production environments, Ping Identity recommends setting up a cluster of ASE nodes for improved performance and availability.

## Before you begin

Enable network time protocol (NTP) on each ASE node system. All cluster nodes must be in the same time zone.

## About this task

To set up an ASE cluster node:

## Steps

1. Navigate to the `config` directory.

2. Edit the `ase.conf` file:

   1. Set `enable_cluster=true` for all cluster nodes.

   2. Confirm that the parameter `mode` is the same on each ASE cluster node, either `inline` or `sideband`.

      |   |                                                                           |
      | - | ------------------------------------------------------------------------- |
      |   | If parameter mode values do not match, the nodes will not form a cluster. |

3. Edit the `cluster.conf` file:

   1. Configure `cluster_id` with an identical value for all nodes in a single cluster (for example: `cluster_id=shopping`).

   2. Enter the port number in the `cluster_manager_port` parameter.

      |   |                                                                                |
      | - | ------------------------------------------------------------------------------ |
      |   | ASE node uses this port number to communicate with other nodes in the cluster. |

   3. Enter an IPv4 address or hostname with the port number for `peer_node`, which is the first (or any existing) node in the cluster. Keep `peer_node` empty for the first cluster node.

   4. Provide the `cluster_secret_key`, which must be the same in each cluster node. It must be entered on each cluster node before the nodes to connect to each other.

      ### Example:

      Below is a sample `cluster.conf` file:

      ```
      ; API Security Enforcer's cluster configuration.
      ; This file is in the standard .ini format. The comments start with a
      ; semicolon (;).
      ; Section is enclosed in []
      ; Following configurations are applicable only if cluster is enabled
      ; with true in ase.conf
      ; unique cluster id.
      ; valid character class is [ A-Z a-z 0-9 _ - . / ]
      ; nodes in same cluster should share same cluster id
      cluster_id=ase_cluster

      ; cluster management port.
      cluster_manager_port=8020

      ; cluster peer nodes.
      ; a comma-separated list of hostname:cluster_manager_port or
      ; IPv4_address:cluster_manager_port
      ; this node will try to connect all the nodes in this list
      ; they should share same cluster id
      peer_node=

      ; cluster secret key.
      ; maximum length of secret key is 128 characters (deobfuscated length).
      ; every node should have same secret key to join same cluster.
      ; this field can not be empty.
      ; change default key for production.
      cluster_secret_key=OBF:AES:nPJOh3wXQWK/BOHrtKu3G2SGiAEElOSvOFYEiWfIVSdu
      ```

4. After configuring an ASE node, start the node by running the following command:

   ```
   /opt/pingidentity/ase/bin/start.sh
   ```

## Scaling up the ASE cluster

Scale up the ASE cluster by adding nodes to an active cluster without disrupting traffic.

### About this task

To add a new cluster node:

### Steps

1. Enter the `peer_node` IP address or hostname in the `cluster.conf` file of the ASE node.

2. Start the ASE node.

   For more information, see [Start the ASE node](pingintelligence_starting_stopping_ase.html).

   #### Example:

   If the IP of the first node is 192.168.20.121 with port 8020, then the `peer_node` parameter would be 192.168.20.121:8020.

   ```
   ; ASE cluster configuration. These configurations apply only when
   ; you have enabled cluster in the api_config file.
   ; Unique cluster ID for each cluster. All the nodes in the same cluster
   ; should have the same cluster ID.
   cluster_id=ase_cluster
   ; Cluster management port.
   cluster_manager_port=8020
   ; Cluster's active nodes. This can be a comma separated list of nodes in
   ; ipv4_address:cluster_manager_port format.
   peer_node=192.168.20.121:8020
   ```

   #### Result:

   The new node will synchronize configuration and cookie data from the peer nodes. After loading, it will become part of the cluster.

## Scaling down the ASE cluster

A node can be removed from an active cluster without disrupting traffic.

### About this task

To remove a node from an active cluster:

### Steps

1. Stop the ASE node to be removed.

2. Set the `enable_cluster` option as `false` in its `ase.conf` file.

   #### Result:

   The removed node retains the cookie and certificate data from when it was part of the cluster.

## Deleting a cluster node

An inactive cluster node has either become unreachable or has been stopped.

### About this task

When you delete a stopped cluster node, the operation does not remove cookie and other synchronized data.

### Steps

1. To find which cluster nodes are inactive, use the `cluster_info` command:

   ```
   /opt/pingidentity/ase/bin/cli.sh cluster_info -u admin -p
   cluster id : ase_cluster
   cluster nodes
   127.0.0.1:8020 active
   Step 1.1.1.1:8020 active
   Step 2.2.2.2:8020 inactive
   172.17.0.4:8020(tasks.aseservice) active
   172.17.0.5:8020(tasks.aseservice) inactive
   tasks.aseservice2:8020 not resolved
   ```

2. Using the `cluster_info` command output, you can remove the inactive cluster nodes 2.2.2.2:8020 and 172.17.0.5:8020.

3. To delete the inactive node, use the `delete_cluster_node` command:

   ```
   /opt/pingidentity/ase/bin/cli.sh delete_cluster_node  <IP:Port>
   ```

## Stopping ASE cluster

You can stop an ASE cluster on any node in the cluster.

### About this task

To stop the entire cluster:

### Steps

1. Run the following command on any node in the cluster:

   ```
   /opt/pingidentity/ase/bin/stop.sh cluster –u admin –p
   ```

   #### Result:

   When the cluster stops, each cluster node retains all the cookie and certificate data.