To set up an ASE cluster, the following four steps must be completed:
Prerequisites
- Obtain the list of IP addresses and ports required for the ASE cluster nodes.
- Enable NTP on your system.
- If adding an existing ASE instance to a cluster, back up the ASE data first. When a node is added to a cluster, it synchronizes data from the other nodes and overwrites its existing data.
To set up an ASE cluster node:
- Navigate to the config directory.
- Edit the ase.conf file:
  - Set enable_cluster=true for all cluster nodes.
  - Make sure that the value of the mode parameter is the same on each ASE cluster node, either inline or sideband. If the value of the mode parameter does not match, the nodes will not form a cluster.
- Edit the cluster.conf file:
  - Configure cluster_id with an identical value for all nodes in a single cluster (for example, cluster_id=shopping).
  - Enter the port number in the cluster_management_port parameter (the default port is 8020). The ASE node uses this port to communicate with the other nodes in the cluster.
  - Enter an IPv4 address or hostname with the port number for peer_node, which is the first (or any existing) node in the cluster. Keep this parameter empty for the first node of the cluster.
  - Provide the obfuscated cluster_secret_key. All nodes of the cluster must have the same obfuscated cluster_secret_key. This key must be entered manually on each node of the cluster for the nodes to connect to each other.
  - For the first node of the ASE cluster, peer_node should be left empty. On the other nodes of the ASE cluster, enter the IP address or hostname of the first node in the cluster in the peer_node variable.
Here is a sample cluster.conf file:
; API Security Enforcer's cluster configuration.
; This file is in the standard .ini format. The comments start with a semicolon (;).
; Section is enclosed in []
; Following configurations are applicable only if cluster is enabled with true in ase.conf
; unique cluster id.
; valid character class is [ A-Z a-z 0-9 _ - . / ]
; nodes in same cluster should share same cluster id
cluster_id=ase_cluster
; cluster management port.
cluster_manager_port=8020
; cluster peer nodes.
; a comma-separated list of hostname:cluster_manager_port or IPv4_address:cluster_manager_port
; this node will try to connect all the nodes in this list
; they should share same cluster id
peer_node=
; cluster secret key.
; maximum length of secret key is 128 characters (deobfuscated length).
; every node should have same secret key to join same cluster.
; this field cannot be empty.
; change default key for production.
cluster_secret_key=OBF:AES:nPJOh3wXQWK/BOHrtKu3G2SGiAEElOSvOFYEiWfIVSdummoFwSR8rDh2bBnhTDdJ:7LFcqXQlqkW9kldQoFg0nJoLSojnzHDbD3iAy84pT84
After configuring an ASE node, start the node by running the following command:
/opt/pingidentity/ase/bin/start.sh
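The cluster rules above (enable_cluster and mode identical on every node, one shared cluster_id within the allowed character class, a valid management port, a non-empty shared cluster_secret_key, and an empty peer_node only on the first node) are easy to get wrong when editing files by hand. The following checker is an added example, not ASE's own tooling; it assumes the ';'-comment key=value layout shown in the sample file, accepts both spellings of the port key found on this page (cluster_manager_port in the sample, cluster_management_port in the prose), and uses constructed sample configs with a placeholder key.

```python
import re

# The page's prose names cluster_management_port, its sample file cluster_manager_port;
# both spellings are accepted here (an assumption of this example).
PORT_KEYS = ("cluster_manager_port", "cluster_management_port")
CLUSTER_ID_RE = re.compile(r"^[A-Za-z0-9_\-./]+$")  # character class from the sample file
PEER_RE = re.compile(r"^[^\s:,]+:\d{1,5}$")         # hostname_or_IPv4:port, one per entry


def parse_conf(text):
    """Parse an ASE .ini-style file: ';' starts a comment, [section] headers, key=value."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if line and not line.startswith("["):
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip()
    return conf


def check_cluster(nodes):
    """nodes: list of (name, ase_conf_text, cluster_conf_text). Returns a list of findings."""
    findings = []
    parsed = [(name, parse_conf(ase), parse_conf(cl)) for name, ase, cl in nodes]
    for name, ase, cl in parsed:
        if ase.get("enable_cluster") != "true":
            findings.append(f"{name}: enable_cluster must be true")
        if not CLUSTER_ID_RE.match(cl.get("cluster_id", "")):
            findings.append(f"{name}: cluster_id is empty or uses characters outside [A-Za-z0-9_-./]")
        port = next((cl[k] for k in PORT_KEYS if k in cl), "")
        if not (port.isdigit() and 0 < int(port) < 65536):
            findings.append(f"{name}: cluster management port {port!r} is not a valid port")
        if not cl.get("cluster_secret_key"):
            findings.append(f"{name}: cluster_secret_key cannot be empty")
        for peer in filter(None, (p.strip() for p in cl.get("peer_node", "").split(","))):
            if not PEER_RE.match(peer):
                findings.append(f"{name}: peer_node entry {peer!r} is not host:port")
    # Cross-node checks: mode, cluster_id and the secret key must be identical on every
    # node, and exactly one node (the first) may leave peer_node empty.
    for idx, key in ((1, "mode"), (2, "cluster_id"), (2, "cluster_secret_key")):
        if len({p[idx].get(key) for p in parsed}) > 1:
            findings.append(f"{key} differs between nodes; they will not form one cluster")
    first = [p[0] for p in parsed if not p[2].get("peer_node")]
    if len(first) != 1:
        findings.append(f"expected exactly one node with an empty peer_node, found {len(first)}")
    return findings


# Constructed sample configs for this example (not from the page); the key is a placeholder.
ASE_INLINE, ASE_SIDEBAND = "enable_cluster=true\nmode=inline\n", "enable_cluster=true\nmode=sideband\n"
KEY = "cluster_secret_key=OBF:AES:PLACEHOLDER_KEY_FOR_EXAMPLE_ONLY\n"
NODE1 = "cluster_id=shopping\ncluster_manager_port=8020\npeer_node=\n" + KEY
NODE2 = "cluster_id=shopping\ncluster_manager_port=8020\npeer_node=node1.example:8020\n" + KEY
GOOD = [("node1", ASE_INLINE, NODE1), ("node2", ASE_INLINE, NODE2)]
```

Running check_cluster(GOOD) returns an empty list; swapping node2's ase.conf for ASE_SIDEBAND reports that mode differs, which is the mismatch the text says prevents the nodes from forming a cluster.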