Configuring HA for Identity Panel is a matter of configuring high availability for each of the critical sub-components. The easiest way to approach it is to design HA for each sub-service including:
- Web Application – Load balance at least two instances
- Web Maintenance Service – Install a copy on each web server instance
- Elastic Search – Configure load balanced cluster
- MongoDB – Configure primary/secondary replica set
- Panel Service – Install multiple independent copies
- Panel Check – Each server should have its own scheduled panel check actions
High availability for Identity Panel requires a minimum of three servers, although five is preferred.
MongoDB
Install separate MongoDB instances on at least three servers (must be an odd number). This may be done as a side-effect of installing multiple copies of Identity Panel, or by downloading the MongoDB community distribution.
For additional details see MongoDB replica set configuration.
Choose a replica set name (e.g. rs1)
Edit mongodb.cfg to contain:
replSet=rs1
storageEngine=wiredTiger
Edit the bind_ip and port directives and configure the firewall as needed to make it accessible to inbound network connections
Start the database service on the first server
Run mongo.exe
Replica Set
Launch mongo.exe and run
rs.initiate()
rs.conf()
rs.status()
Add Secondaries
Add the replSet, storageEngine, and network settings to each secondary's mongodb.cfg file. Start or restart the database service, then launch mongo.exe on the primary and run
rs.add("host:port")
rs.conf()
rs.status()
Authentication
Optionally enable user authentication (recommended, since the replica set is reachable over the local network)
Run:
use admin
db.createUser({ user: "<username>", pwd: "<password>", roles: [ { role: "userAdminAnyDatabase", db: "admin" } ] })
Exit mongo and add auth=true to each mongodb.cfg. Restart the database service.
SSL
If your environment requires SSL for connections to the database services see MongoDB Configure SSL.
Elastic Search
Elasticsearch may be configured on either the web servers or the database servers. Choose a name for the search cluster (cluster1 below). For further details see Elastic setup configuration.
Create a DNS alias for the cluster name. Ensure it can be resolved as both a host name and an FQDN. This alias will be used in the Identity Panel connection string.
Edit Elastic\config\elasticsearch.yml and specify the following:
cluster.name: cluster1
node.name: <server>
discovery.zen.ping.unicast.hosts: ["<server>", ...]
discovery.zen.minimum_master_nodes: 2
Web Application
After installing the web application on two servers the configuration must be customized to allow it to function as part of a load-balanced set. Note: in the following documentation, all configuration items are located in Program Files\SoftwareIDM\IdentityPanelWeb\Web\config.json and paths are identified hierarchically using "Section:Key"
All changes must be made on both servers.
Create a Windows account to use as the application pool account. Log in as the account to ensure a user profile exists. Add the account to the IIS_IUSRS group and ensure it has read permissions on the IdentityPanelWeb directory, and read/write permissions on the log folder and on the config.json file.
Configure host bindings as needed for the load balancer. Once application setup is complete, you may go through the regular setup walkthrough.
Connection Strings
Start by editing Data:DefaultConnection:MongoConnectionString to have:
"mongodb://<server1>:27017,<server2>:...?replicaSet=rs1&readPreference=primaryPreferred&connectTimeoutMS=15000"
Edit Data:DefaultConnection:SearchConnectionString to have: "http://<clusterdns>:9200"
If encryption of connection strings is desired (e.g. to protect embedded auth credentials) edit Auth:ProtectMode to "CurrentUser"
Data Protection
Edit Application:DataProtectionSid to have either the objectSid of the application pool account, or "mine".
Version Control
Both servers must access the same version control folder. This may be accomplished by creating a file share and setting Application:VersionControl to the share location. Remember to escape literal backslashes, e.g. "\\\\path\\directory"
If your file share requires explicit authentication separate from the application pool credentials, for example with an Azure storage account, you can specify Application:VersionNetMap as "use \\\\path\\share /USER:user password"
Monitoring
You can optionally monitor the cluster using Application Insights by specifying ApplicationInsights:InstrumentationKey. This will initialize the application with Azure app insights and track on both the browser and server side.
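Because every change above must be made identically on both web servers, a drift check is worth automating. The following Python script is an added example (not part of the product documentation or SoftwareIDM's code): it resolves the "Section:Key" paths used above against two constructed config.json samples, validates the replica-set connection string, the search URL and the UNC version control path, and lists keys that differ between the servers. Host names (db1..db3, panel-search, fs01) are hypothetical.

```python
import json
from urllib.parse import parse_qs, urlsplit

# Constructed sample config.json contents for two load-balanced web servers
# (hypothetical host names db1..db3, panel-search, fs01; not real files).
WEB1_JSON = r'''{
  "Data": {"DefaultConnection": {
    "MongoConnectionString": "mongodb://db1:27017,db2:27017,db3:27017/?replicaSet=rs1&readPreference=primaryPreferred&connectTimeoutMS=15000",
    "SearchConnectionString": "http://panel-search:9200"}},
  "Auth": {"ProtectMode": "CurrentUser"},
  "Application": {"DataProtectionSid": "mine", "VersionControl": "\\\\fs01\\panel-vc"}
}'''
# Second server has drifted: version control points at a local folder, not the share.
WEB2_JSON = WEB1_JSON.replace(r"\\\\fs01\\panel-vc", r"C:\\IdentityPanel\\vc")
WEB1, WEB2 = json.loads(WEB1_JSON), json.loads(WEB2_JSON)

# Keys the page says must be set the same way on both servers.
SHARED_KEYS = ("Data:DefaultConnection:MongoConnectionString",
               "Data:DefaultConnection:SearchConnectionString", "Auth:ProtectMode",
               "Application:DataProtectionSid", "Application:VersionControl")

def lookup(cfg, path):
    """Resolve a 'Section:Key' path (the page's notation) in parsed config.json."""
    node = cfg
    for part in path.split(":"):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node

def check_server(cfg):
    """Findings for one server: replica-set aware Mongo URI, search URL, UNC share."""
    findings = []
    mongo = urlsplit(lookup(cfg, "Data:DefaultConnection:MongoConnectionString") or "")
    hosts = [h for h in mongo.netloc.split(",") if h]   # host1:port,host2:port,...
    opts = parse_qs(mongo.query)
    if mongo.scheme != "mongodb" or len(hosts) < 2:
        findings.append("mongo: need mongodb:// with at least two hosts")
    if "replicaSet" not in opts or opts.get("readPreference") != ["primaryPreferred"]:
        findings.append("mongo: replicaSet and readPreference=primaryPreferred required")
    search = urlsplit(lookup(cfg, "Data:DefaultConnection:SearchConnectionString") or "")
    if search.scheme not in ("http", "https") or not search.hostname:
        findings.append("search: SearchConnectionString is not an http(s) URL")
    if not (lookup(cfg, "Application:VersionControl") or "").startswith("\\\\"):
        findings.append("versioncontrol: not a UNC share path")
    return findings

def check_drift(cfg_a, cfg_b):
    """Keys whose values differ between the two servers (they must match)."""
    return [k for k in SHARED_KEYS if lookup(cfg_a, k) != lookup(cfg_b, k)]
```

Run it against the real config.json from each server (json.load on the two files) to catch a server that was configured by hand and missed a step.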