For production environments, Ping Identity recommends setting up a cluster of ASE nodes for improved performance and availability.
Enable network time protocol (NTP) on each ASE node system. All cluster nodes must be in the same time zone.
To set up an ASE cluster node:
- Navigate to the config directory.
- Edit the ase.conf file:
  - Set enable_cluster=true for all cluster nodes.
  - Confirm that the parameter mode is the same on each ASE cluster node, either inline or sideband.
    Note: If parameter mode values do not match, the nodes will not form a cluster.
- Edit the cluster.conf file:
  - Configure cluster_id with an identical value for all nodes in a single cluster (for example: cluster_id=shopping).
  - Enter the port number in the cluster_manager_port parameter.
    Note: The ASE node uses this port number to communicate with other nodes in the cluster.
  - Enter an IPv4 address or hostname with the port number for peer_node, which is the first (or any existing) node in the cluster. Keep peer_node empty for the first cluster node.
  - Provide the cluster_secret_key, which must be the same in each cluster node. It must be entered on each cluster node before the nodes can connect to each other.
  Below is a sample cluster.conf file:

      ; API Security Enforcer's cluster configuration.
      ; This file is in the standard .ini format. The comments start with a
      ; semicolon (;).
      ; Section is enclosed in []
      ; Following configurations are applicable only if cluster is enabled
      ; with true in ase.conf

      ; unique cluster id.
      ; valid character class is [ A-Z a-z 0-9 _ - . / ]
      ; nodes in same cluster should share same cluster id
      cluster_id=ase_cluster

      ; cluster management port.
      cluster_manager_port=8020

      ; cluster peer nodes.
      ; a comma-separated list of hostname:cluster_manager_port or
      ; IPv4_address:cluster_manager_port
      ; this node will try to connect all the nodes in this list
      ; they should share same cluster id
      peer_node=

      ; cluster secret key.
      ; maximum length of secret key is 128 characters (deobfuscated length).
      ; every node should have same secret key to join same cluster.
      ; this field can not be empty.
      ; change default key for production.
      cluster_secret_key=OBF:AES:nPJOh3wXQWK/BOHrtKu3G2SGiAEElOSvOFYEiWfIVSdu

- After configuring an ASE node, start the node by running the following command:

      /opt/pingidentity/ase/bin/start.sh
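
A consistency check to run before starting the nodes, as an added example that is not Ping Identity's code: it parses each node's ase.conf and cluster.conf and reports the mismatches that keep nodes from forming a cluster, plus a secret key left at the sample value. The node names, the constructed sample input, and treating the key in the sample file above as the shipped default are assumptions of this example.

```python
import re

# Key shown in the sample cluster.conf above; assumed here to be the shipped default.
SAMPLE_KEY = "OBF:AES:nPJOh3wXQWK/BOHrtKu3G2SGiAEElOSvOFYEiWfIVSdu"
ID_RE = re.compile(r"[A-Za-z0-9_\-./]+")  # character class stated in the sample file

def parse_conf(text):
    """Parse key=value lines; skip blank lines, ';' comments and [section] headers."""
    conf = {}
    for line in map(str.strip, text.splitlines()):
        if line and line[0] not in ";[" and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def check_cluster(nodes):
    """nodes: {name: (ase.conf text, cluster.conf text)} -> list of findings."""
    parsed = {n: (parse_conf(a), parse_conf(c)) for n, (a, c) in nodes.items()}
    findings = []
    for name, (ase, clu) in parsed.items():
        if ase.get("enable_cluster") != "true":
            findings.append(f"{name}: enable_cluster is not true")
        if ase.get("mode") not in ("inline", "sideband"):
            findings.append(f"{name}: mode is not inline or sideband")
        if not ID_RE.fullmatch(clu.get("cluster_id", "")):
            findings.append(f"{name}: cluster_id missing or has invalid characters")
        key = clu.get("cluster_secret_key", "")
        if not key or key == SAMPLE_KEY:  # report the problem, never echo the key
            findings.append(f"{name}: cluster_secret_key is empty or the sample value")
    # These must be identical on every node or the nodes will not form a cluster.
    for idx, key in ((0, "mode"), (1, "cluster_id"), (1, "cluster_secret_key")):
        if len({p[idx].get(key) for p in parsed.values()}) > 1:
            findings.append(f"cluster: {key} differs between nodes")
    seeds = sorted(n for n, p in parsed.items() if not p[1].get("peer_node"))
    if len(seeds) > 1:  # only the first node keeps peer_node empty
        findings.append(f"cluster: more than one node has empty peer_node: {seeds}")
    return findings

# Constructed sample: node2 runs a different mode and still uses the sample key.
SAMPLE_NODES = {
    "node1": ("enable_cluster=true\nmode=inline\n",
              "cluster_id=shopping\ncluster_manager_port=8020\npeer_node=\n"
              "cluster_secret_key=OBF:AES:constructedExampleKey\n"),
    "node2": ("enable_cluster=true\nmode=sideband\n",
              "cluster_id=shopping\ncluster_manager_port=8020\n"
              f"peer_node=192.0.2.10:8020\ncluster_secret_key={SAMPLE_KEY}\n"),
}

if __name__ == "__main__":
    print("\n".join(check_cluster(SAMPLE_NODES)))
```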