PingIntelligence

Setting up an ASE cluster

Complete the following steps to set up an API Security Enforcer (ASE) cluster.

Before you begin

You must:

  1. Obtain a list of Internet Protocol (IP) addresses and ports required for ASE cluster nodes.

  2. Enable Network Time Protocol (NTP) on your system.

  3. Back up the ASE data if you’re adding an existing ASE instance to a cluster.

When a node is added to a cluster, it synchronizes the data from the other nodes and overwrites existing data.

About this task

The following diagram provides an overview of the basic steps to set up and start an ASE cluster.

Flowchart of steps to start an ASE cluster

To set up an ASE cluster node:

Steps

  1. Go to the config directory.

  2. Edit the ase.conf file:

    1. Set enable_cluster=true for all cluster nodes.

    2. Make sure that the value of the mode parameter is the same on each ASE cluster node, either inline or sideband.

      If the value of the mode parameter does not match, the nodes will not form a cluster.

  3. Edit the cluster.conf file:

    1. Configure cluster_id with an identical value for all nodes in a single cluster.

      Example:

      cluster_id=shopping

    2. Enter the port number in the cluster_manager_port parameter.

      The ASE node uses this port number to communicate with other nodes in the cluster. The default port is 8020.

    3. Enter an IPv4 address or host name with the port number for the peer_node, which is the first (or any existing) node in the cluster.

      Keep this parameter empty for the first node of the cluster.

    4. Provide the obfuscated cluster_secret_key.

      All the nodes of the cluster must have the same obfuscated cluster_secret_key. You must enter this key manually on each node of the cluster for the nodes to connect to each other.

    5. For the first node of the ASE cluster, leave peer_node empty. On the other nodes of the ASE cluster, enter the IP address or the host name of the first node in the cluster in the peer_node variable.

      Example:

      The following is a sample cluster.conf file:

      ; API Security Enforcer's cluster configuration.
      ; This file is in the standard .ini format. The comments start with a semicolon (;).
      ; Section is enclosed in []
      ; Following configurations are applicable only if cluster is enabled with true in ase.conf
      ; unique cluster id.
      ; valid character class is [ A-Z a-z 0-9 _ - . / ]
      ; nodes in same cluster should share same cluster id
      cluster_id=ase_cluster
      ; cluster management port.
      cluster_manager_port=8020
      ; cluster peer nodes.
      ; a comma-separated list of hostname:cluster_manager_port or IPv4_address:cluster_manager_port
      ; this node will try to connect all the nodes in this list
      ; they should share same cluster id
      peer_node=
      ; cluster secret key.
      ; maximum length of secret key is 128 characters (deobfuscated length).
      ; every node should have same secret key to join same cluster.
      ; this field cannot be empty.
      ; change default key for production.
      cluster_secret_key=OBF:AES:nPJOh3wXQWK/BOHrtKu3G2SGiAEElOSvOFYEiWfIVSdummoFwSR8rDh2bBnhTDdJ:7LFcqXQlqkW9kldQoFg0nJoLSojnzHDbD3iAy84pT84

  4. After configuring an ASE node, start the node by running the following command:

    /opt/pingidentity/ase/bin/start.sh
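
The consistency rules in steps 2 and 3 can be checked across all nodes before any of them is started. The following is an added example, not part of the PingIntelligence product or its documentation; the function names, the sample node data, and the treatment of the OBF: prefix as a marker of an obfuscated key are assumptions.

```python
import re

# Character class from the cluster.conf comments; spaces there read as separators (assumption).
ID_RE = re.compile(r"[A-Za-z0-9_\-./]+")

def parse_conf(text):
    """Parse key=value lines; ';' starts a comment, [..] is a section header."""
    conf = {}
    for line in map(str.strip, text.splitlines()):
        if line and line[0] not in ";[" and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def check_cluster(nodes):
    """nodes: {name: (ase.conf text, cluster.conf text)}. Returns findings; never echoes the key."""
    findings = []
    parsed = {n: (parse_conf(a), parse_conf(c)) for n, (a, c) in nodes.items()}
    for name, (ase, cl) in parsed.items():
        if ase.get("enable_cluster") != "true":
            findings.append(f"{name}: enable_cluster is not true")
        if ase.get("mode") not in ("inline", "sideband"):
            findings.append(f"{name}: mode must be inline or sideband")
        if not ID_RE.fullmatch(cl.get("cluster_id", "")):
            findings.append(f"{name}: cluster_id missing or has invalid characters")
        if not cl.get("cluster_manager_port", "").isdigit():
            findings.append(f"{name}: cluster_manager_port is not a number")
        # Assumption: an obfuscated key carries the OBF: prefix seen in the sample file.
        if not cl.get("cluster_secret_key", "").startswith("OBF:"):
            findings.append(f"{name}: cluster_secret_key empty or not obfuscated")
        for peer in filter(None, map(str.strip, cl.get("peer_node", "").split(","))):
            host, _, port = peer.rpartition(":")
            if not host or not port.isdigit():
                findings.append(f"{name}: peer_node entry {peer!r} is not host:port")
    # Values that must be identical on every node for the cluster to form.
    for key, src in (("mode", 0), ("cluster_id", 1), ("cluster_secret_key", 1)):
        if len({p[src].get(key) for p in parsed.values()}) > 1:
            findings.append(f"{key} differs between nodes")
    seeds = [n for n, (_, cl) in parsed.items() if not cl.get("peer_node")]
    if len(seeds) != 1:
        findings.append(f"expected one node with empty peer_node, found {len(seeds)}")
    return findings

# Constructed sample: node2 runs a different mode and holds a different key.
ASE = "enable_cluster=true\nmode={}\n"
CLUSTER = "cluster_id=shopping\ncluster_manager_port=8020\npeer_node={}\ncluster_secret_key=OBF:AES:{}\n"
SAMPLE = {"node1": (ASE.format("inline"), CLUSTER.format("", "constructed-A")),
          "node2": (ASE.format("sideband"), CLUSTER.format("192.0.2.10:8020", "constructed-B"))}

print(check_cluster(SAMPLE))
```

An empty list means the files agree on every value the procedure requires to match; the findings name the mismatched parameter but not the key material.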