The Identity Manager User Application comes with cluster support, and instructions to set it up using JBoss or Websphere. However, there is more to a High Availability Userapp solution than configuring a clustered cache. In this article, I will explain how to set up a HA Userapp cluster, and a HA front-end load balancer configuration using JBoss mod_cluster.

Architecture

In summary, the architecture would comprise:

• • A DNS entry to an IP switch

• • An IP switch pointing to one Apache front-end, and failing over to another if the first is not available

• • A primary SLES-based Apache server with the JBoss mod_cluster module, which will round-robin requests to the UserApp to 1 of N UserApp servers.

• • An identically-configured secondary Apache front-end

• • Two (almost) identically configured UserApp servers on JBoss and SLES, which will self-register with the front-end Apache servers, and point to the ID Vault via an IP switch

• • An IP switch pointing to one ID Vault, failing over to the other if the first is not available, and another IP address that points back to the UserApp servers in the same manner

• • Two Identity Vault servers running the driverset containing the User Application driver, with the driver pointing to a Userapp server via the IP switch

Without going into the details of a Disaster Recovery Plan or IP Switching configuration, this configuration can be deployed such that servers are split between data-centres, and in the event of a server going down, or even a whole data-centre, the Userapp will still be available.

An important thing to note about the configuration I will describe is that the UserApp servers do not "know" about the Apache servers, and the Apache servers do not know about the UserApp servers (i.e. they are not configured with each others DNS names or IP addresses), so adding capacity to the solution by adding another UserApp server, or moving one to a faster machine with a different IP address, does not require manual configuration of DNS names or IP addresses after installation.

The first step to achieve this "low configuration" cluster, is to create an install script to install the UserApp with a cluster configuration, and then update JBoss with the mod_cluster plugin. After that, we create a installer for the Apache Front-end.

Attached to this article is all the scripts and config files. Any binaries mentioned below can be downloaded from JBoss sites. If you cant find the JBoss in tar.gz format, install it from the installer that comes with the UserApp and tar it up. You wont need IP switches to test it out. All you need is two or four SLES 10/11 servers. You can install the UserApp and the Apache server on a single machine in a DEV environment.

UserApp Installer

The UserApp installer consists of the following files:

• • install.sh - Linux script to call the Novell installer and create the other required configuration files

• • IDMProv.war - the default Novell User Application package

• • bin/IdmUserApp.jar - the default Novell User Application installer

• • bin/jboss-5.0.1.GA.tar.gz - a standard JBoss Application Server package

• • bin/jdk-6u17-linux-i586-rpm.bin - the required JVM for the UserApp

• • bin/mod_cluster-1.1.0.CR3-bin.tar.gz - the Java binaries for the mod_cluster package

• • bin/ojdbc14.jar - the Oracle JDBC driver

• • A conf directory with configuration files:

• • • .silent.properties - configuration files for the Novell Userapp installer (one for each environment)

• • • .properties - properties files with settings for each environment

• • • idm_java.sh - environment variables for the JVM

• • • idm_jboss.sh - environment variables for JBoss start script

• • • novelluserapp.sh - an init script for starting JBoss as a service in SLES

• • • a jboss directory with a few config files to harden the JMX and Web Console that comes with JBoss, and the following files to set up mod_cluster:

• • • • jbossweb.sar/server.xml - adds the ModClusterListener service and sets a jvmRoute attribute to ${jboss.mod_cluster.jvmRoute}, which is stored as a JBoss start-up variable during the install, and having the same value as the Userapp Engine id

• • • • jbossweb.sar/META-INF/jboss-beans.xml - adds a dependancy so ModClusterListener starts before the JBoss Web Service

• • • mod_cluster-jboss-beans.xml - a modified config file to remove a service dependancy in the mod_cluster 1.1 CR3 release (a bug - the dependancy between the web service and the mod_cluster service are the wrong way around in this release)

Only the env.properties and env.silent.properties files need to be copied and modified. For example, for a development environment, create dev.properties and dev.silent.properties and modify the values to suit.

When editing the .properties file, please note:

• • JBOSS_PARTITION is a name that will identify the JBoss cluster, and cannot be the same as another cluster in the network

• • JBOSS_PARTITION_UDP is the UDP broadcast address that the Apache servers will use to advertise themselves to userapp servers, and must not be the same as another cluster on the network

• • The DB parameters much match the equivalent ones in the .silent.properties, but the DB_ADMIN_USER will be used to install the database (so the equivalent in the silent properties file is left blank)

When editing the .silent.properties file, please note:

• • We don't want the database to be installed by the default installer - the install.sh script will do it for the first server only (a choice when running the script)

• • At a minimum, change the LDAP settings, Database settings and DN settings

• • the Master Key must be the same for each server in the cluster. For the first server, set NOVL_MASTER_KEY to nothing, and after the installation completes, copy the value from /opt/novell/idm/masterkey.txt and use this config for future servers in the cluster

After running install.sh and verifying that the UserApp server is up-and-running, follow the Novell documentation for configuring the Userapp as the first of a cluster (in the Administration tab).

When everything is running, install another server. tail the log file /opt/jbossxxx/server/idm/log/server.log. If everything is working you should see the two servers join the cluster.

Apache Front-end Installer

The front-end load balancer requires a SLES build without the Apache service, but with the wwwrun user and www group present.

The JBoss project (Redhat) provide a tar.gz package for mod_cluster that includes the directory structure and files for an Apache 2.2 installation with the mod_cluster module and pre-requisites configured. I.e. there is no RPM.

This installer simply un-zips the JBoss distribution to /opt, copies the apachectl command to /etc/init.d so Apache can start as a service, and sets up some environment variables for the mod_cluster module to use the correct UDP port and subnet.

This installer package consists of the following files:

• • install.sh - a custom shell script to install the mod_cluster distribution

• • mod_cluster-1.1.0.CR3-linux2-x64-ssl.tar.gz - the Linux 64-bit binary mod_cluster package from JBoss

• • conf/.apache_lb.sh - an environment variable file for each environment

• • common/httpd.conf - an overridden httpd.conf file that uses environment variables instead of hard-coded values

For each environment (cluster), the .apache_lb.sh file simply needs to be edited to provide the unique UDP address to advertise on, and the subnet to accept registrations from, which should be the same as the server being installed. I.e. the Apache servers and Userapp servers should be in the same subnet.

When the installer finishes, it will start Apache. It will advertise to the UserApp servers, which should register with mod_cluster. Navigate to http://:6666/mod_cluster_manager and all Userapp servers should be shown. Navigate to http:///idm and the Welcome Page of one of the Userapp servers should be displayed.

Troubleshooting

The JBoss logs are in /opt/jbossxxx/server/idm/log/server.log.
The Apache logs are in /var/log/apache.
Google is your friend.

--------------------------------
Editor's Note: When it comes to disaster recovery, Novell has some extraordinary offerings. Check it out.