Configure High Availability

High availability architectures provide the fault tolerance required today.

Access Gateway high availability consists of:

  • A single administration instance of Access Gateway. The administration instance or admin node is used to maintain and propagate configuration changes to worker nodes. Additionally, you can use the admin node as a normal Access Gateway instance.
  • One or more worker instances bound to the admin node, which service requests.
  • A customer provided load balancer that routes requests to the Access Gateway high availability cluster.

Overview of the Access Gateway high availability instance life-cycle:

  • An instance of Access Gateway is provisioned. This instance is called the Admin node. This node is configured normally, including defining protected applications. You aren't required to configure applications or IDP support before configuring high availability.
  • Second and subsequent instances of Access Gateway are provisioned. These instances are called worker nodes. These nodes are not configured with applications, but obtain all configurations from the admin node.
  • Worker nodes are then specifically configured to use the admin node for all configuration. After you configure them, worker nodes don't expose the Access Gateway Admin UI console. You can only access them using the command line interface.

Access Gateway High Availability architecture
Note

In this diagram, the admin node is shown also acting as a worker node. If the admin node is NOT intended to also service requests, it can be omitted from the load balancer's configuration.

Important

The admin user interface (UI) is only available on admin nodes and on nodes that have yet to be configured as worker nodes. After an instance is configured as a worker, you can't access it using the admin UI. All administration of an Access Gateway cluster must occur through the admin node and its admin UI.

Overview

Configuring high availability includes the following overall process:

  1. Configuring an admin node.
    During this step, the administration node is configured normally.
  2. Configuring a worker node.
    During this step, worker nodes are configured without any applications.
  3. Preparing the admin node.
    During this step, the command line interface is used on the admin node to alert or prepare the admin node for the addition of one or more worker nodes.
  4. Preparing the worker node.
    During this step, the command line interface is used on the worker node to prepare the worker for becoming a part of the Access Gateway cluster.
  5. Worker integration into cluster.
    After the previous steps, the worker is automatically integrated into the cluster. During this phase, the worker admin UI is disabled, the worker exchanges keys, and the admin node provides the configuration.
Access Gateway High Availability add worker node sequence diagram

 

Operations

To configure high availability:

  1. Reset the key associated with an Access Gateway node - Reset the keys in both the admin instance and the worker instance.
  2. Add a worker node to an Access Gateway cluster - Add one or more worker nodes to the cluster.
  3. Check the cluster configuration - Review the final configuration.

 

Reset the key associated with an Access Gateway node

Access Gateway nodes use various keys to intercommunicate. You must regenerate keys if you want to use an instance as a part of an Access Gateway High Availability cluster.
You only need to regenerate keys once per instance.

To reset a node's keys:

  1. Connect to the Access Gateway Management console.
    ssh oag-mgmt@[admin or worker]
  2. Select 5 - System.
  3. Select 8 - High Availability Configuration.
    The High Availability Configuration menu displays.
  4. Select 1 - Reset Key. The following key reset confirmation message appears.
    This will reset keys being used by high availability sync process.
    If high availability is already setup, this option should not be used.
    Proceed with reset? [y/N]: 
  5. Enter y to reset or N to abort the reset process.
    The reset either aborts or displays a success message.
  6. Enter x to exit or any other menu item to continue.

 

Add a worker node to an Access Gateway cluster

Note

When adding a worker node, both the administration node and the worker node must:

To add a worker node to a cluster:

  1. On the Admin node,

    1. Connect to the instance Access Gateway Management console.
      ssh oag-mgmt@[admin.tld]
    2. Select 5 - System.
    3. Select 8 - High Availability Configuration.
      The High Availability Configuration menu displays.
      Access Gateway High Availability Setup (role)
      1 - Reset Key
      2 - Prepare Admin
      3 - Prepare Worker
      4 - List Nodes
      5 - Remove Node
      6 - Check Status
      
      X- Exit
      Choice: 

      Note

      The High Availability menu displays the current role of an Access Gateway node.
      Roles can be:

      • Single - The node has not yet been configured as either a worker or an admin.
      • Admin - The node has been configured as an administrator for High Availability.
      • Worker - The node has been configured as a worker for High Availability.
    4. Select 2 - Prepare Admin
      Note

      When you configure an admin node for high availability for the first time, select and execute the 1 - Reset Keys option to reset the instance's SSH keys.
      You only need to reset keys once per instance. See Command Line Management Console reference.

      Important

      Access Gateway Replication uses the hostname setting from the command line console.
      Ensure that you update the hostname for both admin and worker nodes using the command line console System (5) > Change Hostname (1).

      . . .

    5. The admin node generates and displays an authorization code, which must be provided to the worker node.
      Copy the authorization code given:
      Authorization token required to initiate setup from worker nodes is given
      below. Copy the following text below this line and paste it on worker node when prompted.
      oag.okta.com:8ba1c123-715d-4b70-ab5d-0e41493bef73
      Worker nodes available so far:
      . . . 			
      					
      The admin node then waits for worker nodes.
    Important

    At this point, the admin node waits for connections from worker nodes. Leave the window open until all worker nodes have been added. Entering X prematurely will cause the admin node to assume the process is complete and stop listening for worker node additions.
    Enter X only after adding all worker nodes.

    6. Return to the command prompt on the instance that is being attached as a worker node.
  2. On each worker node,
    1. Connect to the instance Access Gateway Management console.
      ssh oag-mgmt@[worker.tld]
    2. Select 5 - System.
    3. Select 8 - High Availability Configuration.
      The High Availability Configuration menu displays.
    4. Select 3 - Prepare Worker.
      Note

      When you configure a worker node for high availability for the first time, select and execute the 1 - Reset Keys option to reset the instance's SSH keys.
      You only need to reset keys once per instance. See Command Line Management Console reference.

    5. The worker displays:
      Checking HA readiness for host worker. . .   
      
      Note: Please ensure that admin node is ready for setup and you have the
      authorization token displayed on admin node.
      
      Enter the authorization token displayed on admin node: admin.. . . .com:927da506-7efb-4520-bd32-dd03b86f2a9b
      

      After it's entered, the worker node connects to the admin node and exchanges authorization and confirmation information similar to the following:
      Requesting admin  node admin. . . .com to allow connection  
      Node worker. . .com successfully added on admin node
      Synchronizing current configuration  
       
      Press enter to continue ....
      
    6. When prompted, press any key to continue.
    7. Enter X to exit or any other menu item to continue.

    The worker instance is now configured and ready for use.

On the admin node:

  1. Return to the admin instance Access Gateway Management console.
  2. Examine the results of adding the new worker node, which are similar to:
    Authorization token required to initiate setup from worker nodes is given
    below. Copy the text below this line and paste it on worker node when prompted.
    
    admin. . .com:927da506-7efb-4520-bd32-dd03b86f2a9b
    Worker nodes available so far:
    worker1. . .com
    worker2. . .com
    worker3. . .com
    Note the addition of the new worker node.
  3. Enter X to exit or any other menu item to continue.

 

Check the cluster configuration

To review or check the status of an Access Gateway High Availability Cluster:

  1. Connect to the Access Gateway Management console.
    ssh oag-mgmt@[admin or worker]
  2. Select 5 - System.
  3. Select 8 - High Availability Configuration.
    The High Availability Configuration menu displays.
  4. Select 6 - Check Status.
  5. A list of cluster instances is displayed with their associated status.
    Use the Up/Down/Page Up/Page Down/Home/End keys to scroll through the list, which is similar to:
     
    HA Synch Status    Up/Down/Page Up/Page Down/Home/End - Scroll    x-exit
    worker1.yourdoman.tld:    Pass
    worker2.yourdoman.tld:    Pass
    . . . 
    workern.yourdoman.tld:    Fail										
    					
    Where:
    • Pass: Reachable, functioning worker node.
    • Fail: Non-functional worker. See the node log for details.
  6. Enter x to exit.
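
The following shell function is an added example, not part of the Access Gateway documentation or tooling. It audits a copy of the Check Status listing that an operator has saved as text and reports workers marked Fail, inventoried workers missing from the listing, and hosts present in the cluster but absent from the inventory. The host names, the inventory list and the function name `audit_ha_status` are assumptions, and the sample listing is constructed.

```shell
# Added example, not Access Gateway tooling. Audits a saved copy of the
# "6 - Check Status" listing against the operator's own worker inventory.

# Constructed sample listing (host names are placeholders).
SAMPLE_STATUS='HA Synch Status    Up/Down/Page Up/Page Down/Home/End - Scroll    x-exit
worker1.example.com:    Pass
worker2.example.com:    Fail
. . .
rogue9.example.com:    Pass'

# Constructed inventory: the workers the operator actually added.
EXPECTED_WORKERS='worker1.example.com
worker2.example.com
worker3.example.com'

# audit_ha_status STATUS_TEXT EXPECTED_LIST   (hypothetical helper)
# Prints sorted findings, one per line, and returns 1 if there are any:
#   FAIL <host>        worker listed with status Fail
#   MISSING <host>     in the inventory but absent from the listing
#   UNEXPECTED <host>  in the listing but not in the inventory
audit_ha_status() {
    findings=$(printf '%s\n' "$1" | EXPECTED="$2" awk '
        BEGIN {
            n = split(ENVIRON["EXPECTED"], e, "\n")
            for (i = 1; i <= n; i++)
                if (e[i] != "") expected[tolower(e[i])] = 1
        }
        # Status rows look like "<hostname>:    Pass" or "<hostname>:    Fail";
        # the header and ". . ." filler rows do not match and are skipped.
        /^[ \t]*[A-Za-z0-9.-]+:[ \t]+(Pass|Fail)[ \t]*$/ {
            host = tolower($1)
            sub(/:$/, "", host)
            seen[host] = 1
            if ($2 == "Fail") print "FAIL " host
            if (!(host in expected)) print "UNEXPECTED " host
        }
        END {
            for (h in expected)
                if (!(h in seen)) print "MISSING " h
        }' | LC_ALL=C sort)
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

audit_ha_status "$SAMPLE_STATUS" "$EXPECTED_WORKERS" || echo "cluster needs review"
```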