...
Info
This article is
...
valid for Digital Access 6.2 and later.
This article describes how to
...
run Smart ID Digital Access component in distributed mode.
Distributed mode is used when the different functions of the Digital Access component are distributed over several virtual appliances. A typical case is when you want to enforce access in one appliance (the PEP, Policy Enforcement Point) and process authentication and authorization requests in another (the PDP, Policy Decision Point). In this case you need two appliances: one that runs the access point and another that runs the remaining Digital Access component services.
Administration service limitations
There can be only
...
...
in a node network.
...
Nodes running other services must be connected to the administration service node. Once a service has successfully connected to an administration service, it cannot easily be switched to another appliance's administration service.
...
Configure distributed mode
Log in to all hosts and go through the basic setup. Do not run the Administration Service UI setup wizard on an appliance that will not run a local Administration service. Make a note of each host's network IP address, which the other hosts will use to communicate with it.
...
- Set the value of Internal Host to an external IP address.
- Make a note of the Service ID for all services, including the new services that have been created.
- When configuring the Policy service make sure to also configure XPI:REST.
...
- Go to Manage System > Database Service to configure it, see also Database service in Digital Access.
...
- Go to Manage System > OATH Configuration.
- Select Configure Database Connection.
...
Log on to the host running the Administration service and disable the services that this host should not run.
...
On Orchestrator
For each service that should be disabled, run the following command (shown here for the Policy service):

    docker exec orchestrator hagcli -s policy-service -o disable
Log on to the host running the Administration service and enable distributed mode.
...
On Orchestrator
Run the following command:

    docker exec orchestrator hagcli -s distributed-service -o enable
...
Disable all services you do not want to run on this host.
...
On Orchestrator
...
    docker exec orchestrator hagcli -s policy-service -o disable
Since the Administration service is not hosted on this host, the host must be pointed to the external Administration service.
...
- In the console, select 2) Detailed server setup.
- Then select 6) Activate distributed mode.
To further manually configure any service on this appliance,
This article is valid for Smart ID 20.06 and later.
...
Prerequisites
Two Digital Access component hosts with their services installed and Docker Swarm available.
The following ports must be open for traffic to and from each Docker host participating in the overlay network. Open them only to the other cluster members rather than to all sources:
- TCP port 2377 for cluster management communication
- TCP and UDP port 7946 for communication among nodes
- UDP port 4789 for overlay network traffic
For more details refer to: https://docs.docker.com/network/overlay/
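The following is an added example, not part of the Nexus documentation: a small POSIX shell script that turns the port list above into host-firewall rules which admit the Swarm ports only from the named cluster members and drop everything else to those ports. It assumes iptables on a default-accept INPUT chain with no existing rules for these ports; the peer addresses are arguments (192.168.253.139 is the manager address from the join-token output below, 192.168.253.140 is a constructed second node). Without DA_APPLY=1 it only prints the rules.

```shell
#!/bin/sh
# Added example, not from the Nexus documentation: emit host-firewall rules
# that open the Swarm ports listed above only to the other cluster members.
# Assumes iptables with a default-accept INPUT chain. The peer addresses are
# arguments; the rules are printed unless DA_APPLY=1, in which case they are
# executed (requires root).

# swarm_firewall_rules <peer-ip>...: print one iptables command per line,
# accept rules for each peer first, then drop rules for everyone else.
swarm_firewall_rules() {
  for peer in "$@"; do
    # 2377/tcp: cluster management (only managers listen, harmless on workers)
    echo "iptables -A INPUT -p tcp -s $peer --dport 2377 -j ACCEPT"
    # 7946/tcp+udp: node-to-node gossip
    echo "iptables -A INPUT -p tcp -s $peer --dport 7946 -j ACCEPT"
    echo "iptables -A INPUT -p udp -s $peer --dport 7946 -j ACCEPT"
    # 4789/udp: VXLAN overlay data plane (service traffic between nodes)
    echo "iptables -A INPUT -p udp -s $peer --dport 4789 -j ACCEPT"
  done
  # Anything else reaching these ports is dropped, so they are never exposed
  # to non-members even if the host also has an interface facing clients.
  echo "iptables -A INPUT -p tcp --dport 2377 -j DROP"
  echo "iptables -A INPUT -p tcp --dport 7946 -j DROP"
  echo "iptables -A INPUT -p udp --dport 7946 -j DROP"
  echo "iptables -A INPUT -p udp --dport 4789 -j DROP"
}

# rule_count <peer-ip>...: number of rules that would be generated
rule_count() { swarm_firewall_rules "$@" | wc -l | tr -d ' '; }

if [ "${DA_APPLY:-0}" = 1 ]; then
  swarm_firewall_rules "$@" | while read -r rule; do $rule; done
else
  swarm_firewall_rules "$@"
fi
```

Run it on every node with the addresses of all other nodes as arguments (for example `sh swarm-ports.sh 192.168.253.139 192.168.253.140`; add DA_APPLY=1 to apply). Restricting the source addresses is the minimum; the VXLAN traffic on 4789/udp is not encrypted by Docker unless the overlay network is created with `--opt encrypted`, which is worth considering when the nodes do not share a trusted network segment.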
Keep a note of the IP addresses of the nodes on which the access point is to run.
Step-by-step instruction
Get token and stop services - manager node
Get cluster join token
SSH to the node running the administration service, that is, the manager node.
Get the cluster join token by running this command. The token is used to join worker nodes to the manager node. Any host that presents it can join the swarm, so treat it as a secret and rotate it (docker swarm join-token --rotate worker) once the workers have joined.
Get token

    sudo docker swarm join-token worker
The output of the command will look like this (the token and address are examples):

    docker swarm join --token SWMTKN-1-5dxny21y4oslz87lqjzz4wj2wejy6vicjtqwq33mvqqni42ki2-1gvl9xiqcrlxuxoafesxampwq 192.168.253.139:2377
Stop services
Stop the running services.
Stop services

    sudo docker stack rm <your da stack name>
Join as worker nodes
See Join as worker nodes in Set up high availability for Digital Access component.
At manager node
Remove labels, verify and identify nodes
SSH to the manager node.
Remove the label of every service that should not run on this node, for example:
Remove label

    sudo docker node update --label-rm da-access-point <nodeid>
Verify that all nodes are part of the cluster by running this command.
Verify that all nodes are part of the cluster

    sudo docker node ls
Identify the node IDs of the manager and worker nodes over which the services will be distributed.
Identify nodes

    sudo docker node inspect --format '{{ .Status }}' h9u7iiifi6sr85zyszu8xo54l

Output: {ready 192.168.86.129}. The IP address identifies which DA node the ID belongs to.
Update labels for each service
Update the labels for each service that you want to run on a worker node.
<node ID> is the ID of the node on which the service will run.
Commands to update labels

    sudo docker node update --label-add da-policy-service=true <worker node ID>
    sudo docker node update --label-add da-access-point=true <worker node ID>
Deploy the stack with this command. Run it from the docker-compose directory.
Deploy DA stack

    sudo docker stack deploy --compose-file docker-compose.yml -c network.yml -c versiontag.yml <your da stack name>

- docker stack deploy deploys the services as a stack.
- --compose-file provides the base docker-compose file.
- -c is short for --compose-file; the additional -c arguments provide the override files (network.yml and versiontag.yml).
- <your da stack name> is the name of the stack and can be changed as required.
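The steps from "Remove labels" to "Deploy DA stack" are easy to get wrong by hand, since a node ID copied for the wrong host pins the access point (the PEP) to the wrong appliance. The following is an added example, not part of the Nexus documentation, that scripts them: it resolves the IP addresses noted earlier to swarm node IDs, refuses nodes that are not in the ready state, moves the da-* labels from the manager to the intended workers and redeploys. It assumes the label names and compose files shown on this page, that DA_STACK holds your stack name, and that DOCKER may be overridden (for instance with a stub function) to dry-run without a swarm; the node IDs worker1id/worker2id and addresses used in its own checks are constructed.

```shell
#!/bin/sh
# Added example, not from the Nexus documentation: scripts the label steps
# above. Given the IP addresses noted for the manager, the access point host
# and the policy service host, it resolves each to a swarm node ID (refusing
# nodes that are not "ready"), moves the da-* labels and redeploys the stack.
# Assumptions: the label names and compose files are the ones on this page;
# DA_STACK holds your stack name; DOCKER may be overridden (for instance with
# a stub function) to dry-run without a swarm. Run with DA_APPLY=1 to apply.

DOCKER="${DOCKER:-sudo docker}"

# node_inventory: one line per swarm node, "<id> <state> <addr>".
node_inventory() {
  for id in $($DOCKER node ls -q); do
    printf '%s %s\n' "$id" \
      "$($DOCKER node inspect --format '{{ .Status.State }} {{ .Status.Addr }}' "$id")"
  done
}

# node_id_for_addr <inventory> <ip>: print the ID of the ready node with that
# address; fail if there is none. A typo would otherwise pin the access point
# (the PEP) to the wrong host, so refuse rather than guess.
node_id_for_addr() {
  printf '%s\n' "$1" | awk -v ip="$2" '
    $3 == ip && $2 == "ready" { print $1; found = 1 }
    END { exit !found }'
}

# move_label <label> <from-node> <to-node>: drop the label on the node that
# should no longer run the service, then set it on the node that should.
move_label() {
  $DOCKER node update --label-rm "$1" "$2" >/dev/null || true  # may not be set there
  $DOCKER node update --label-add "$1=true" "$3" >/dev/null
}

# distribute <manager-ip> <access-point-ip> <policy-service-ip>
distribute() {
  inv=$(node_inventory)
  mgr=$(node_id_for_addr "$inv" "$1") || { echo "manager $1 not found or not ready" >&2; return 1; }
  ap=$(node_id_for_addr "$inv" "$2")  || { echo "access point node $2 not found or not ready" >&2; return 1; }
  pol=$(node_id_for_addr "$inv" "$3") || { echo "policy service node $3 not found or not ready" >&2; return 1; }
  move_label da-access-point   "$mgr" "$ap"
  move_label da-policy-service "$mgr" "$pol"
  # Must run from the docker-compose directory, as the page requires.
  $DOCKER stack deploy --compose-file docker-compose.yml -c network.yml -c versiontag.yml \
    "${DA_STACK:?set DA_STACK to your DA stack name}"
}

if [ "${DA_APPLY:-0}" = 1 ]; then
  distribute "$@"
fi
```

Usage on the manager, from the docker-compose directory: `DA_STACK=<your da stack name> DA_APPLY=1 sh distribute.sh <manager-ip> <access-point-ip> <policy-service-ip>`. Node labels are what the placement constraints in the compose files key on, so verifying the node state before labelling is the check that keeps a service from being scheduled onto a node that has dropped out of the swarm.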
Additional information