Configure High Availability¶
Securden comes with High availability architecture to ensure uninterrupted and a reliable supply of credentials. Configuring High Availability (with PostgreSQL database as the backend) To configure high availability in Securden Unified PAM, 2 or more servers have to be deployed.
Note
High Availability configuration steps are also available as separate guides for the default PostgreSQL as the backend database and optional MS SQL serveras the backend separately. You may refer to them if needed.
- Primary server with bundled PostgreSQL database.
- One secondary standby server with bundled PostgreSQL database.
- One more application server without a database (optional).
Securden uses an active-active approach to high availability support. A primary server and a secondary server will be active at the same time and will have their own databases. In the event of a primary server going down, users can connect to the secondary standby server. Additionally, any number of application servers can be deployed for load distribution.
Two types of secondary servers can be deployed and both have different use cases. You may choose one of the options below:
Case 1: Automatic failover with active standby. When the secondary server is deployed as a standby server, the database will be replicated and periodically synchronized with the primary server database. You will be able to enable automatic failover only when one of the secondary servers deployed is of this type. Only one such server can be deployed and it has to be deployed in the same subnet as the primary server for the automatic failover to work.
Case 2: Load distribution using application servers without database. You can also deploy a secondary server as an application server without a database. The secondary server will only have the securden application installed and not a database. Since there is no separate database other than the one in the primary server, automatic failover will not be possible. This type of secondary server is useful when you need to deploy more than one secondary server. It is mainly used for load distribution by ensuring no single server bears too much demand and reduces application response time for users.
Note
- For automatic failover to work, the database port (5858) of the standby server must be accessible from the primary application server. Also, ensure that the standby server is in the same subnet as that of the primary server.
- The primary and secondary servers must be running the same version of Securden. Navigate to User Details (User icon at the top right corner) >> About >> Version to check the current product version. Contact Securden Support if you need any assistance.
Pre-requisites: A primary server with Securden Unified PAM up and running and using the bundled PostgreSQL database. Refer to ourinstallation guide to install the application.
Summary of Steps¶
- Step 1: Setting up a secondary server
- Step 2: Configuring High Availability in the primary server.
- Step 3: Downloading and Transferring the high availability package.
- Step 4: Configuring the Secondary server.
- Step 5: Verifying the high availability setup
Step 1: Setting up a Secondary Server¶
- Identify a machine that would act as a secondary server. Consider the current Securden Unified PAM installation as the primary server.
- Install Securden Unified PAM on the chosen machine. Refer to our installation guide if you need help with the installation process.
Note
Make sure both the machines are running the same version of Securden Unified PAM.
Navigate to User Details (On the top right corner) >> About >> Versionto check for the current product version. Contact Securden Support for any Assistance.
Step 2: Configuring HA in the primary server¶
- Navigate to Admin>> High Availability in the GUI of Securden Unified PAM in the primary server.
- Click the ‘Configure Secondary Application Server’ button and enter the following details regarding the secondary server.
Server Identifier - Provide a name that helps identify the secondary application server.
Address - hostname/ IP address of the machine where the secondary server instance has been installed.
Secondary Type - Two types of secondary servers can be deployed: Application server without database and Standby Server. Select Standby and click Save.
STEP 3: Downloading and deploying the high availability package¶
- Once the details of the secondary server have been saved, a pop-up with the title ‘Download and Deploy the High Availability Package’ will appear in which you will have an option to download the package as a zip file. You can also download the package from the main High Availability GUI too. Navigate to Admin >> High Availability >> High Availability. In this GUI you will have the download option right next to the secondary server in the server list.
- Transfer the downloaded zip file to the secondary server.
STEP 4: Configuring the secondary server¶
- Stop the server if it is running. Open windows service manager (run services.msc) and stop Securden PAM Service.
- Put the High availability package under the “
/bin” directory. - Open Command Prompt with administrator privileges and navigate to the
“< Securden Installation folder(Secondary)>/bin” directory.
Then execute the following command: ApplyHAPackage.exe-
.zip - Securden secondary server shares the same encryption key as the
primary server.Ensure the location of securden.key as mentioned in
“
/conf/securden_key.location” is accessible from the secondary server. (You can open securden_key.location with any text editor) - Start the service again on the secondary server. To start the service, open Windows service manager (run services.msc) and start Securden PAM service.
Securden High availability setup is now ready.
STEP 5: Verifying High availability¶
- Navigate to admin>>High availability in the GUI of the primary server.
- Check the status column for the secondary server. If the status shows “Running”, It means high availability is available working properly.
Deploying additional secondary application servers without DB (Optional)¶
You can deploy any number of secondary application servers without database. You need to deploy additional servers only if you need to distribute the load between multiple servers. To deploy additional secondary application servers without database, follow Step 1 through Step 5 again and except for “Standby” as secondary type in Step 2, select “App server without DB”
Troubleshooting Tip¶
Status column for the secondary shows “Data sync in progress” for a long time or Data replication to standby stopped.
Solution¶
This issue can occur when the database port (5858) of the primary server is not accessible from the secondary standby server or vice-versa. Run the following Telnet commands to verify these connections:
In secondary server: Telnet
In primary server: Telnet
If these two connections are not working, you should be able to resolve it by creating an inbound firewall rule to allow access to the database port in both primary and secondary standby servers.
To add an inbound rule,
- Open “Windows Defender Firewall with Advanced security”
- Go to Inbound Rules and select New Rule. Add the following rule.
- Rule Type: Port
- Protocols and Port: TCP, 5858
- Action: Allow the connection
- Profile: Domain, Private, Public
- Name(Example): TCP5858
- Click Finish