Select and configure a dynamic discovery setup for clustered PingFederate environments.
The S3_PING discovery method has been deprecated due to AWS deprecation of the SigV2 signing method. When deployed in AWS, the suggested discovery method is NATIVE_S3_PING. See the JGroups documentation for alternatives when deployed in other environments.
AWS_PING enables you to scale your PingFederate infrastructure using Amazon Elastic Compute Cloud (Amazon EC2) instances in the Amazon Web Service (AWS) cloud, in one or multiple regions. PingFederate queries AWS for a list of eligible EC2 instances. If PingFederate receives at least one node, a cluster exists, and it joins that cluster. If PingFederate receives no node, it forms a new cluster. Permissions to ec2:Describe* actions must either be enabled in the AWS Identity and Access Management (IAM) role assigned to the EC2 instance or be associated with the access_key parameter that you provide as part of the dynamic discovery configuration. Furthermore, you may also use a combination of tags and filters, in which case only EC2 instances that satisfy both criteria are returned.
S3_PING, SWIFT_PING, and NATIVE_S3_PING enable the flexibility to use both public and private cloud storage. PingFederate maintains cluster membership information in a centralized repository, a bucket in Amazon Simple Storage Service (Amazon S3) or a container in an OpenStack infrastructure. PingFederate contacts the repository for a list of nodes. If PingFederate receives at least one node, a cluster exists, and it joins the cluster and updates the repository with its information, including its IP address. If PingFederate receives no node, it forms a new cluster and updates the repository with its information so that the next node can find the new cluster. When PingFederate shuts down, it removes itself from the list and pushes an update to the repository.
NATIVE_S3_PING uses AWS SDK and provides a more stable connection by using built-in security features such as obtaining credentials through IAM server instance profiles. This protocol is the recommended dynamic discovery mechanism when you are running in AWS but not using Kubernetes.
DNS_PING uses DNS A or SRV records to perform discovery. This protocol is the recommended dynamic discovery mechanism when using Kubernetes. For more information, see http://www.jgroups.org/manual4/index.html#_dns_ping.
You can configure dynamic discovery in the <pf_install>/pingfederate/server/default/conf/tcp.xml file. You do not need to configure the pf.cluster.tcp.discovery.initial.hosts property in the run.properties file.
You must manually configure or synchronize the dynamic discovery properties in the tcp.xml file on each node. The tcp.xml file is not synchronized automatically across the nodes in a cluster, nor is it part of the Replicate Configuration process. Restart PingFederate servers if they are running.
After the initial setup, your nodes are ready to be deployed, undeployed, and redeployed as traffic volume changes.
Discovery mechanisms are separate from runtime state-management architectures. Discovery mechanisms determine how to find nodes to retrieve cluster information for the purpose of joining and rejoining a cluster. Runtime state-management architectures determine which nodes session-state information is shared to and fetched from.
PingFederate supports adaptive clustering and directed clustering runtime state-management architectures. When opting for dynamic discovery, consider enabling adaptive clustering whenever possible. If multiple regions are involved, configure multi-region support for adaptive clustering as well. For more information and configuration steps, see Adaptive clustering.
Regardless of the chosen runtime state-management architecture, all nodes must still be able to communicate with other nodes for clustering-protocol messages. For more information, see Runtime state-management architectures.