PingIntelligence

Setting up an ASE cluster (optional)

For production environments, Ping Identity recommends setting up a cluster of ASE nodes for improved performance and availability.

Before you begin

Enable network time protocol (NTP) on each ASE node system. All cluster nodes must be in the same time zone.

About this task

To set up an ASE cluster node:

Steps

  1. Navigate to the config directory.

  2. Edit the ase.conf file:

    1. Set enable_cluster=true for all cluster nodes.

    2. Confirm that the parameter mode is the same on each ASE cluster node, either inline or sideband.

      If parameter mode values do not match, the nodes will not form a cluster.

  3. Edit the cluster.conf file:

    1. Configure cluster_id with an identical value for all nodes in a single cluster (for example: cluster_id=shopping).

    2. Enter the port number in the cluster_manager_port parameter.

      The ASE node uses this port number to communicate with other nodes in the cluster.

    3. Enter an IPv4 address or hostname with the port number for peer_node, which is the first (or any existing) node in the cluster. Keep peer_node empty for the first cluster node.

    4. Provide the cluster_secret_key, which must be the same on each cluster node. It must be entered on each cluster node before the nodes can connect to each other.

      Example:

      Below is a sample cluster.conf file:

      ; API Security Enforcer's cluster configuration.
      ; This file is in the standard .ini format. The comments start with a
      ; semicolon (;).
      ; Section is enclosed in []
      ; Following configurations are applicable only if cluster is enabled
      ; with true in ase.conf
      ; unique cluster id.
      ; valid character class is [ A-Z a-z 0-9 _ - . / ]
      ; nodes in same cluster should share same cluster id
      cluster_id=ase_cluster
      
      ; cluster management port.
      cluster_manager_port=8020
      
      ; cluster peer nodes.
      ; a comma-separated list of hostname:cluster_manager_port or
      ; IPv4_address:cluster_manager_port
      ; this node will try to connect all the nodes in this list
      ; they should share same cluster id
      peer_node=
      
      ; cluster secret key.
      ; maximum length of secret key is 128 characters (deobfuscated length).
      ; every node should have same secret key to join same cluster.
      ; this field can not be empty.
      ; change default key for production.
      cluster_secret_key=OBF:AES:nPJOh3wXQWK/BOHrtKu3G2SGiAEElOSvOFYEiWfIVSdu

  4. After configuring an ASE node, start the node by running the following command:

    /opt/pingidentity/ase/bin/start.sh
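
A pre-start check for the settings in steps 2 and 3, as an added example that is not part of the original page or of Ping Identity's tooling: it parses each node's ase.conf and cluster.conf text and reports values that would keep the nodes from forming a cluster, or that leave the sample secret key in place. The function names and the sample node data are assumptions made for illustration.

```python
import re

# Key shown in the sample cluster.conf on this page; the file says to change it.
SAMPLE_KEY = "OBF:AES:nPJOh3wXQWK/BOHrtKu3G2SGiAEElOSvOFYEiWfIVSdu"
ID_RE = re.compile(r"[A-Za-z0-9_\-./]+")          # character class from the file comments
PEER_RE = re.compile(r"[A-Za-z0-9.\-]+:\d{1,5}")  # hostname:port or IPv4:port

def parse_conf(text):
    """Parse key=value lines; lines starting with ';' are comments."""
    pairs = (l.strip().partition("=") for l in text.splitlines()
             if "=" in l and not l.strip().startswith(";"))
    return {k.strip(): v.strip() for k, _, v in pairs}

def check_node(name, ase, cl):
    """Findings for one node's parsed ase.conf (ase) and cluster.conf (cl)."""
    out = []
    if ase.get("enable_cluster") != "true":
        out.append(f"{name}: enable_cluster is not true")
    if ase.get("mode") not in ("inline", "sideband"):
        out.append(f"{name}: mode must be inline or sideband")
    if not ID_RE.fullmatch(cl.get("cluster_id", "")):
        out.append(f"{name}: cluster_id missing or invalid")
    port = cl.get("cluster_manager_port", "")
    if not (port.isdigit() and 1 <= int(port) <= 65535):
        out.append(f"{name}: cluster_manager_port invalid")
    for peer in filter(None, map(str.strip, cl.get("peer_node", "").split(","))):
        if not PEER_RE.fullmatch(peer):
            out.append(f"{name}: peer_node entry {peer!r} is not host:port")
    key = cl.get("cluster_secret_key", "")
    if not key:
        out.append(f"{name}: cluster_secret_key is empty")
    elif key == SAMPLE_KEY:
        out.append(f"{name}: cluster_secret_key is the sample key")
    return out

def check_cluster(nodes):
    """nodes maps name -> (ase.conf text, cluster.conf text)."""
    parsed = {n: (parse_conf(a), parse_conf(c)) for n, (a, c) in nodes.items()}
    out = [f for n, (a, c) in parsed.items() for f in check_node(n, a, c)]
    for idx, key in ((0, "mode"), (1, "cluster_id"), (1, "cluster_secret_key")):
        if len({confs[idx].get(key) for confs in parsed.values()}) > 1:
            out.append(f"cluster: {key} differs between nodes")
    return out

# Constructed sample: node2 kept the sample key and was set to sideband.
CL = "cluster_id=shopping\ncluster_manager_port=8020\npeer_node={}\ncluster_secret_key={}\n"
SAMPLE = {"node1": ("enable_cluster=true\nmode=inline\n", CL.format("", "OBF:AES:constructedValue")),
          "node2": ("enable_cluster=true\nmode=sideband\n", CL.format("192.168.20.121:8020", SAMPLE_KEY))}
```

Calling `check_cluster(SAMPLE)` returns three findings: the sample key on node2, the mode mismatch, and the secret key mismatch.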

Scaling up the ASE cluster

Scale up the ASE cluster by adding nodes to an active cluster without disrupting traffic.

About this task

To add a new cluster node:

Steps

  1. Enter the peer_node IP address or hostname in the cluster.conf file of the ASE node.

  2. Start the ASE node.

    For more information, see Start the ASE node.

    Example:

    If the IP of the first node is 192.168.20.121 with port 8020, then the peer_node parameter would be 192.168.20.121:8020.

    ; ASE cluster configuration. These configurations apply only when
    ; you have enabled cluster in the api_config file.
    ; Unique cluster ID for each cluster. All the nodes in the same cluster
    ; should have the same cluster ID.
    cluster_id=ase_cluster
    ; Cluster management port.
    cluster_manager_port=8020
    ; Cluster's active nodes. This can be a comma separated list of nodes in
    ; ipv4_address:cluster_manager_port format.
    peer_node=192.168.20.121:8020

    Result:

    The new node will synchronize configuration and cookie data from the peer nodes. After loading, it will become part of the cluster.

Scaling down the ASE cluster

A node can be removed from an active cluster without disrupting traffic.

About this task

To remove a node from an active cluster:

Steps

  1. Stop the ASE node to be removed.

  2. Set the enable_cluster option to false in its ase.conf file.

    Result:

    The removed node retains the cookie and certificate data from when it was part of the cluster.

Deleting a cluster node

An inactive cluster node has either become unreachable or has been stopped.

About this task

When you delete a stopped cluster node, the operation does not remove cookie and other synchronized data.

Steps

  1. To find which cluster nodes are inactive, use the cluster_info command:

    /opt/pingidentity/ase/bin/cli.sh cluster_info -u admin -p
    cluster id : ase_cluster
    cluster nodes
    127.0.0.1:8020 active
    1.1.1.1:8020 active
    2.2.2.2:8020 inactive
    172.17.0.4:8020(tasks.aseservice) active
    172.17.0.5:8020(tasks.aseservice) inactive
    tasks.aseservice2:8020 not resolved

  2. Using the cluster_info command output, you can remove the inactive cluster nodes 2.2.2.2:8020 and 172.17.0.5:8020.

  3. To delete the inactive node, use the delete_cluster_node command:

    /opt/pingidentity/ase/bin/cli.sh delete_cluster_node <IP:Port>

Stopping ASE cluster

You can stop an ASE cluster on any node in the cluster.

About this task

To stop the entire cluster:

Steps

  1. Run the following command on any node in the cluster:

    /opt/pingidentity/ase/bin/stop.sh cluster -u admin -p

    Result:

    When the cluster stops, each cluster node retains all the cookie and certificate data.