LogonBox can be configured to work in a High-Availability mode with 2 or more nodes.
Apart from your LogonBox servers, this configuration requires a separate server hosting a MySQL or Maria database (or a separate MySQL cluster if preferred), as well as a separate load balancer which will sit in front of your LogonBox servers.
A shared file store is also required for configuration items that are not held in the database; this can be a CIFS share or a Google Compute bucket.
This article details using a single MariaDB server.
Summary of steps required
- Configure MariaDB service
- Configure Node 1
- Configure Node 2
- Load Balance the connection
MariaDB
For LogonBox to work in high availability mode you first need to configure an external MariaDB service for the LogonBox nodes to connect to.
Ideally this would be a MariaDB high availability cluster itself, but for this example we will connect to a single MariaDB instance.
You can either build a new system yourself and install MariaDB on it, or you can start with a LogonBox image and modify that to only run MariaDB.
For this example, we will use this second option.
Deploy a LogonBox VM image as per the main install guides but don’t go through any of the setup wizard.
Once deployed, connect to a terminal or SSH to the system (SSH will need to be enabled from VMCentre on the console).
Stop the LogonBox service and remove the LogonBox software:
systemctl stop hypersocket-idm
apt remove hypersocket-idm
Now connect to the database, create a user for each node that will connect to it, and set a password for the root account.
Because we started from a LogonBox image, the database itself has already been created. This example uses 2 nodes, so we create two users (replace ipaddressnode1 and ipaddressnode2 with the IP address of each node, and mypass with your new root password for the database). Leave each node user's password as hypersocket for now, as we will change it later:
mysql
SET PASSWORD FOR 'root'@'localhost' = PASSWORD('mypass');
GRANT ALL PRIVILEGES ON *.* TO 'hypersocket'@'ipaddressnode1' IDENTIFIED BY 'hypersocket';
GRANT ALL PRIVILEGES ON *.* TO 'hypersocket'@'ipaddressnode2' IDENTIFIED BY 'hypersocket';
FLUSH PRIVILEGES;
exit
Set the password for root to something secure, keep the hypersocket passwords as hypersocket for now as we will change these later.
Now we need to make MariaDB listen on something other than just localhost:
nano /etc/mysql/mariadb.conf.d/50-server.cnf
Change the bind-address from 127.0.0.1 to 0.0.0.0
Save the file with CTRL-X, Y, then restart MariaDB with:
systemctl restart mysql
That concludes the MariaDB server initial setup.
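As an added example (not LogonBox's own tooling), the shell helpers below carry out the two edits above on a constructed copy of 50-server.cnf and generate the per-node grants after checking the node IPs; the addresses 10.0.0.11 and 10.0.0.12 are placeholders for your node IPs.

```shell
#!/bin/sh
# Helpers for the MariaDB preparation step (added example, not LogonBox's own tooling).
# The node IPs used in the demonstration are constructed placeholders.

# valid_ipv4 ADDR: succeed only for a dotted quad whose octets are all 0-255
valid_ipv4() {
  printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  old_ifs=$IFS; IFS=.
  set -- $1
  IFS=$old_ifs
  for octet in "$@"; do [ "$octet" -le 255 ] || return 1; done
}

# grant_sql_for_nodes IP...: print the per-node grants the article runs in the mysql
# shell. Each account is scoped to one node's IP, so the interim 'hypersocket'
# password (rotated per node after first start) is only usable from that host.
grant_sql_for_nodes() {
  for ip in "$@"; do
    valid_ipv4 "$ip" || { echo "invalid IPv4 address: $ip" >&2; return 1; }
  done
  for ip in "$@"; do
    printf "GRANT ALL PRIVILEGES ON *.* TO 'hypersocket'@'%s' IDENTIFIED BY 'hypersocket';\n" "$ip"
  done
  printf 'FLUSH PRIVILEGES;\n'
}

# get_bind_address CNF: print the bind-address value currently set in CNF
get_bind_address() {
  sed -nE 's/^[[:space:]]*bind-address[[:space:]]*=[[:space:]]*([^[:space:]#]+).*/\1/p' "$1" | tail -n 1
}

# set_bind_address CNF ADDR: rewrite the existing bind-address line. Fails if CNF has
# none, so a wrong path cannot silently leave MariaDB on localhost. 0.0.0.0 listens on
# every interface: pair it with a firewall rule admitting only the node IPs above.
set_bind_address() {
  valid_ipv4 "$2" || return 1
  grep -Eq '^[[:space:]]*bind-address[[:space:]]*=' "$1" || return 1
  sed -E "s/^([[:space:]]*bind-address[[:space:]]*=[[:space:]]*).*/\1$2/" "$1" > "$1.tmp" \
    && mv "$1.tmp" "$1"
}

# Demonstration on a constructed copy of 50-server.cnf, never the live file:
demo_cnf=$(mktemp)
printf '[mysqld]\nbind-address            = 127.0.0.1\n' > "$demo_cnf"
set_bind_address "$demo_cnf" 0.0.0.0
echo "bind-address is now $(get_bind_address "$demo_cnf")"   # 0.0.0.0
grant_sql_for_nodes 10.0.0.11 10.0.0.12
rm -f "$demo_cnf"
```

On the real database server, point set_bind_address at /etc/mysql/mariadb.conf.d/50-server.cnf and pipe the printed grants into mysql once you have checked them.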
LogonBox server Node 1
Deploy a new LogonBox server as per the standard deployment guide, including running through the web-based setup wizard. For the 2FA part, it doesn't matter what config is entered at this point as we will need to re-run the setup wizard once connected to the new database.
Once complete, log on to your new LogonBox server using your admin account.
Navigate to System Configuration->Database.
Change the Vendor from MYSQL_LOCAL to MYSQL.
Set the Host to the IP/host of your MariaDB server.
Set the port to 3306.
Set the username and password to hypersocket.
Click Apply at the bottom, then restart the LogonBox service with the power icon at bottom right.
At this point the LogonBox service will fail to start, because it has replaced the password it uses for the database connection with a random one (give the service a couple of minutes to perform this step). We need to read this new password and update it on the MariaDB server.
On the LogonBox server do:
cat /opt/hypersocket-idm/conf/database.properties
and note the value of jdbc.password.
On the database server connect to MariaDB with your root account and change the password for this node:
SET PASSWORD FOR 'hypersocket'@'ipaddressnode1' = PASSWORD('secretpassword');
FLUSH PRIVILEGES;
On the LogonBox server, restart the service from the terminal with:
systemctl restart hypersocket-idm
This should now give you access to the web UI.
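As an added example (not LogonBox code), these shell helpers read jdbc.password from a properties file, undo the backslash escaping Java writes into such files, and emit the SET PASSWORD statement for that node's account with the value correctly quoted; the properties file contents, the sample password and the node IP 10.0.0.11 are constructed for the demonstration.

```shell
#!/bin/sh
# Rotating a node's database password (added example, not LogonBox's own tooling).
# The sample properties content, password and node IP below are constructed.

# jdbc_password_from PROPS: print the jdbc.password value from a Java .properties
# file, undoing the backslash escapes Java writes for : = # ! space and backslash
# (\uXXXX escapes are not handled). The last definition wins, as in Java.
jdbc_password_from() {
  sed -nE 's/^[[:space:]]*jdbc\.password[[:space:]]*[=:][[:space:]]*//p' "$1" \
    | tr -d '\r' | tail -n 1 | sed -E 's/\\([#:=! \\])/\1/g'
}

# sql_quote TEXT: escape backslash and single quote so TEXT is safe inside a
# MySQL single-quoted literal. A random password can contain either character.
sql_quote() {
  printf '%s\n' "$1" | sed -e 's/\\/\\\\/g' -e "s/'/\\\\'/g"
}

# set_password_sql NODE_IP PASSWORD: the statements to run as root on the
# MariaDB server, scoped to the one account that node uses.
set_password_sql() {
  printf "SET PASSWORD FOR 'hypersocket'@'%s' = PASSWORD('%s');\nFLUSH PRIVILEGES;\n" \
    "$1" "$(sql_quote "$2")"
}

# check_db_login DB_HOST PASSWORD: run from the node after the rotation to confirm
# the account works before restarting hypersocket-idm. MYSQL_PWD keeps the
# password out of the process list; exits non-zero on failure.
check_db_login() {
  MYSQL_PWD="$2" mysql -h "$1" -u hypersocket -e 'SELECT 1' >/dev/null
}

# Demonstration on a constructed stand-in for /opt/hypersocket-idm/conf/database.properties
demo_props=$(mktemp)
printf '%s\n' '# constructed sample' 'jdbc.username=hypersocket' \
  'jdbc.password=Zq9\#x'"'"'Y\=3' > "$demo_props"
pw=$(jdbc_password_from "$demo_props")
set_password_sql 10.0.0.11 "$pw"
rm -f "$demo_props"
```

On the real node, run jdbc_password_from against /opt/hypersocket-idm/conf/database.properties, execute the printed SQL as root on the MariaDB server, then confirm with check_db_login before restarting the service.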
You will now be prompted to run through the initial setup wizard again as we’re now pointing at the empty remote database.
Complete the setup wizard again, this time using the options you want on the new server.
When the service restarts at the end of the wizard, log back on with your admin account.
In Updates, Features & Licensing, install the High Availability feature from the System tab and restart the service when requested.
Log on as your admin account again and navigate to System Configuration->Hazelcast Settings.
Set the Communication Protocol to TCP/IP.
Set the Outgoing interface to this node's IP address.
For Members in Cluster, add the IP of Node 2.
Click Apply.
Now click the High Availability tab in System Configuration.
We need to define an area where shared files will be stored. This can be either a Google Compute bucket or a CIFS file share on your network.
Enter the details to connect to your share and click Apply.
Note: This will create its own file structure on that share, so it would be best to ensure that this share is not used for anything else.
LogonBox server Node 2
Deploy another new LogonBox server as per the standard deployment guide, including running through the web-based setup wizard. For the 2FA part, it doesn't matter what config is entered at this point as we will be connecting to the main configuration afterwards.
Once complete, log on to your new LogonBox server using your admin account.
Navigate to System Configuration->Database.
Change the Vendor from MYSQL_LOCAL to MYSQL.
Set the Host to the IP/host of your MariaDB server.
Set the port to 3306.
Set the username and password to hypersocket.
Click Apply at the bottom, then restart the LogonBox service with the power icon at bottom right.
At this point the LogonBox service will fail to start, because it has replaced the password it uses for the database connection with a random one. We need to read this new password and update it on the MariaDB server.
On the LogonBox server do:
cat /opt/hypersocket-idm/conf/database.properties
and note the value of jdbc.password.
On the MariaDB server, connect with your root account and change the password for this node:
SET PASSWORD FOR 'hypersocket'@'ipaddressnode2' = PASSWORD('secretpassword');
FLUSH PRIVILEGES;
On the LogonBox server, restart the service from the terminal with:
systemctl restart hypersocket-idm
This should now give you access to the web UI.
This time, as you are connecting to the configuration you already set up from Node 1, you should just be able to log in with your admin account.
At this point you have 2 LogonBox nodes connecting to the same external database; all that remains is to configure the same HA settings as on the other node.
Log back on with your admin account.
In Updates, Features & Licensing, install the High Availability feature from the System tab and restart the service when requested.
Log on as your admin account again and navigate to System Configuration->Hazelcast Settings.
Set the Communication Protocol to TCP/IP.
Set the Outgoing interface to this node's IP address.
For Members in Cluster, add the IP of Node 1.
Click Apply.
Now click the High Availability tab in System Configuration.
As we are now connected to the same database as Node 1, confirm the settings here match what was entered in Node 1.
At this point, any change made on either node will immediately take effect on the other node. The main HA configuration is complete.
Load Balance the connection
The final step to have your LogonBox systems working in a High Availability manner is to configure a Load Balancer in front of your LogonBox nodes to direct incoming traffic to either Node 1 or Node 2.
As many options exist for performing such balancing, this task is left to the reader.