Admin renomination workflow
Admin renomination is the process of adding a new instance of Access Gateway and making that new instance the admin node. A new instance is typically the most recent version.
Before you begin
Verify that:
- The admin node doesn't serve requests. As a best practice, don't include the admin node as part of the load balanced set of instances serving user requests.
- All members of the cluster, including the original and nominated worker node, are running Access Gateway v2020.8.3 or later. If a worker node isn't running v2020.8.3 or later, the renomination process terminates with an error resembling: FAILED - Incompatible Node List - <incompatible Node hostname List>. Update worker nodes to version - 2020.8.3 or later
- The nominated worker node is able to resolve all worker node DNS names.
- Worker nodes are able to resolve the nominated node's DNS name.
- You have access to the Access Gateway Command Line console.
- Each Access Gateway node can reach yum.oag.okta.com. You can test connectivity to the Access Gateway yum repository using the Access Gateway Management console.
To test connectivity:
- Using secure shell, connect to the Access Gateway Management console: ssh oag-mgmt@admin
- Select 1-Network.
- Select 7- Connectivity test.
- Enter host: yum.oag.okta.com
- Enter port: 443
Review the connection confirmation message for yum.oag.okta.com. If an error appears, confirm that the host yum.oag.okta.com is reachable on port 443 from the network where Access Gateway is deployed.
Perform admin renomination
While renomination is in progress, the Access Gateway Admin UI console is locked.
Attempts to access the Access Gateway Admin UI console result in a page similar to the following:
The following high availability management operations are supported:
Before running the renomination process, ensure that nodes meet the following requirements:
- All nodes are reachable using SSH.
- All nodes, including the admin, nominated worker, and all other workers are running Access Gateway v2020.8.3 or later.
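Both requirements above can be checked from an operator workstation before the Admin UI console is locked. The following Python is an added example, not Okta tooling: the inventory of hostnames and versions is constructed and would be filled in by hand, and SSH reachability is approximated by a TCP connection to port 22 from the machine running the script. Versions are compared numerically, because a plain string comparison ranks 2020.10.1 below 2020.8.3.

```python
import socket

MIN_VERSION = (2020, 8, 3)  # minimum Access Gateway version stated on this page


def parse_version(text):
    """Turn '2020.8.3' or 'v2020.10.1' into a tuple of ints for numeric comparison."""
    return tuple(int(part) for part in text.strip().lstrip("vV").split("."))


def tcp_open(host, port, timeout=3.0):
    """Return True if a TCP connection to host:port succeeds from this machine."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def preflight(inventory, can_connect=tcp_open):
    """Return (incompatible, unreachable) hostname lists for {hostname: version}."""
    incompatible, unreachable = [], []
    for host, version in sorted(inventory.items()):
        try:
            if parse_version(version) < MIN_VERSION:
                incompatible.append(host)
        except ValueError:
            incompatible.append(host)  # unparseable version: treat as failing
        if not can_connect(host, 22):
            unreachable.append(host)
    return incompatible, unreachable


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = {
    "admin.example.test": "2020.7.0",
    "worker-a.example.test": "2020.8.3",
    "worker-b.example.test": "2020.10.1",
    "worker-c.example.test": "2021.2.0",
}

if __name__ == "__main__":
    # The reachability probe is stubbed here so the sample runs offline.
    bad, down = preflight(SAMPLE, can_connect=lambda host, port: True)
    print("Incompatible nodes:", bad or "none")
    print("Unreachable over SSH:", down or "none")
```

Drop the `can_connect` argument to probe port 22 for real; a non-empty first list corresponds to the hosts the Incompatible Node List error would name.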
Nominate a worker to become cluster admin
On the worker node that you want to nominate as a cluster admin:
- Connect to the worker instance's Access Gateway Management console: ssh oag-mgmt@[worker.tld]
- Select 5 - System.
- Select 8- High Availability Configuration.
- Select 7- Cluster Manager.
The cluster management menu appears:
Access Gateway Cluster Manager (Worker)
1 - Authorize Node Nomination
2 - Authorize Node as Admin node
X- Exit
Choice:
Selecting 1-Authorize Node Nomination on a worker node results in an error: Operation not supported on worker node, press any key to continue.
Attempting to run the Authorize Node Nomination process while another authorization process is in progress results in an error: Admin Nomination in progress for node - <nominatedNode Hostname>.
Select 2 - Authorize Node as Admin node.
The worker node then presents a confirmation dialog box. Enter Y to continue or N to abort.
If the Cluster manager package isn't installed or supported on the admin node, an error message appears:
Cluster Manager package was not found on Admin Node - OAG Version - 2020.7.0
Upgrade the admin node before continuing.
The worker node generates and displays an authorization code, which you must provide to the admin node.
Copy the following authorization code:
The authorization token required to initiate setup for nominated admin node: worker-c:8ba1c123-715d-4b70-ab5d-0e41493bef73
Copy the token and paste it on the admin node when prompted.
Press enter to continue
Authorize admin to begin renomination process
On the current admin node:
- Connect to the instance's Access Gateway Management console: ssh oag-mgmt@[admin.tld]
- Select 5 - System.
- Select 8- High Availability Configuration.
- Select 7- Cluster Manager.
- The cluster management menu appears:
Access Gateway Cluster Management (Admin)
1 - Authorize Node Nomination
2 - Authorize Node as Admin node
X- Exit
Choice:
- Select 1 - Authorize Node Nomination.
Selecting 2-Authorize Node as Admin node on an admin node results in an error: Operation not supported on admin node, press any key to continue.
Attempting to run the Authorize Node as Admin node process when another authorization is in progress results in this error: Admin Nomination in progress.
- The current admin node displays this message:
NOTE: Please ensure that the admin node is ready for setup and you have the authorization
token displayed on the on the worker node.
Enter the authorization token displayed on the nominated admin node:
- Press the Enter key when complete. The renomination process begins.
When complete, the existing admin becomes a standalone node.
The nominated worker then becomes the admin node for the updated cluster.
Perform post renomination tasks
Perform the following steps after the rolling upgrade:
- Enter the IP address of the newly upgraded admin node into DNS as admin.
- Decommission the original admin node or add the original admin node as a worker node to the updated cluster.