Introduction
Topics:
This guide describes how to extend a typical two host environment described in the One Identity Cloud Access Manager Installation Guide to include two additional hosts to provide both redundancy and additional capacity. One host will be deployed in the DMZ to become a clone of the Cloud Access Manager Proxy host and the other will be deployed on the internal network to become a clone of the Cloud Access Manager Security Token Service (STS) host.
Figure 1 represents a typical high availability deployment using four Cloud Access Manager hosts.
Figure 1: Cloud Access Manager high availability deployment
Cloning the database
Cloud Access Manager requires an instance of Microsoft SQL Server Edition 2012,
2008R2 or 2008 to store its configuration, audit and session data. In a high availability Cloud Access Manager environment the database should also be configured for high availability, for example using SQL Server AlwaysOn Availability Groups.
The Security Token Service (STS) hosts need to access the database using a single hostname/IP address for the database cluster. The nodes in the database cluster can be deployed either on dedicated hosts or on the STS hosts. Please refer to the Microsoft SQL Server documentation that describes how to deploy SQL Server for high availability.
The database can be configured for high availability either before or after cloning the STS host. Whichever option you choose, before you clone an STS host, you need to make sure the database can be remotely accessed by TCP/IP and that Cloud Access Manager is using this connection method rather than the default shared memory connection method which will only allow local access.
To verify that SQL Server is configured to allow access using TCP/IP
- In SQL Server Configuration Manager, in the console pane, expand SQL Server Network Configuration.
- In the console pane, click Protocols for <Instance Name> for the database instance used by Cloud Access Manager.
-
In the details pane, ensure that the TCP/IP protocol is Enabled. If it is not enabled, right-click and select Enable.
- Next, verify that the database is configured to allow access using a fixed port. To do this, double-click TCP/IP to display the TCP/IP Properties page.
- From the IP Addresses tab, check that the TCP Dynamic Ports field is not populated in the IPAll section. If it is populated, clear the port range to ensure a fixed port is used to access the database.
-
In the TCP Port field, verify a port is specified to access the database. For example, the default SQL Server port 1433.
- If you have made changes to the TCP/IP configuration, you now need to restart the SQL Server service.
- In the console pane, click SQL Server Services.
- In the details pane, right-click SQL Server instance name, and then click Restart to stop and restart the SQL Server service.
To verify that Cloud Access Manager is configured to access the database using TCP/IP
-
Login to the STS host and access the Cloud Access Manager Administration UI using the Cloud Access Manager Administration (fallback login) shortcut on the desktop. Using the fallback shortcut allows you to access the instance of the STS running on the host you are logged into. This is important if you change the database connection settings as each STS host stores a copy of the connection details. If you change the connection details, you must update them on each STS host.
NOTE: If you plan to configure your database for high availability after configuring Cloud Access Manager for high availability, you need to repeat this section for each STS host. This is true if the database hostname/IP address or port changes as a result of changing the database configuration for high availability. For example, if the database now needs to be accessed using the virtual IP address of the cluster.
- Click the gear icon to navigate to Settings, and then click Show Advanced Settings.
- Click Configure the Database.
-
The Data Source should contain the hostname or IP address to connect to the database and optionally the port number and database instance. If the hostname/IP is not present or has changed since configuring the database for high availability, update the database and click Save.
NOTE: The port number is required when using a port number other than the standard SQL Server port 1433. A comma is used to append a port number to the hostname/IP address. In addition the instance name is required when using a named instance rather than a default instance. A backslash is used to append the instance name.
-
Click the Configuration Status icon in the top-right corner, verify that you can see each host and that the status of the components on each host is running and configured.
NOTE: If you do not see your hosts, revisit the database settings and verify that the connection details are correct. You may also need to check that any firewalls between the two hosts are configured to allow access to the database.
Cloning the STS host
To clone the STS host
- Provision a new host alongside the existing Cloud Access Manager Security Token Service (STS) host on the internal network. For simplicity, we recommend that the host is of the same hardware and operating system type as the existing host, however no technical limitation applies.
- On the new STS host, either mount the Cloud Access Manager software ISO or extract the Cloud Access Manager software .ZIP file to a temporary location.
- Start the Autorun and navigate to the Install section.
- Click Install on the Cloud Access Manager IIS Components.
- Accept the License Agreement. Click Next.
- Click Production Installation.
- Enter the same user account used during the installation of the first STS host. Click Next.
-
Click Install to deploy the components required for the new STS host.
NOTE: The STS host requires the Microsoft .NET framework version 4.5. If this is not already installed on the host, the installer will download and install the Microsoft .NET framework from the internet.
- When the installation is complete, click Launch to start the configuration wizard. The configuration wizard will guide you through the steps to connect your new STS host to your existing environment.
- When prompted for the database connection details, select the My database server is not an SQL Express instance installed on the same machine as Cloud Access Manager check box and enter the same data source used in the previous section, for example, the same data source used by the first STS host.
- On the Proxy Settings page confirm the settings are the same as those on the initial STS host, and then click Next.
- When all items are complete on the Configuring Cloud Access Manager page, click Finish.
-
When the configuration wizard has finished, click the Configuration Status icon in the top-right corner and verify that:
- You can see the new STS host.
- The status of the components on the host is running and configured.
- Restart the Cloud Access Manager proxy service on the existing proxy host.
Verifying the new STS host
To verify that the new STS host is working correctly
-
Verify that users can log in to the Cloud Access Manager portal as normal using the hostname configured on the Proxy Settings configuration page:
https://<proxy host FQDN>/CloudAccessManager
- Stop the World Wide Web Publishing service on the existing Security Token Service (STS) host so that only the new STS host is running.
- Verify that users can still log in to the Cloud Access Manager portal as normal.
- Restart the World Wide Web Publishing service on the existing host and stop the World Wide Web Publishing service on the new STS host.
- Verify that users can still log in to the Cloud Access Manager portal as normal.
- Restart the World Wide Web Publishing service on the new host.
-
From within the Cloud Access Manager Administration UI, click the Configuration Status icon in the top-right corner. Verify that you can see each Cloud Access Manager host and that the status of the components on each host is running and configured.
NOTE: Some components may not show as running until users have accessed the Cloud Access Manager application portal.