Introduction
vSEC:CMS can be configured in a Microsoft (MS) Windows Server Failover Clustering environment to ensure high availability of the application. This article will describe how this failover clustering can be set up in such an environment.
Prerequisites
The following prerequisites are required:
- Configured MS Windows Server Cluster with at least 1 additional shared storage;
- vSEC:CMS is installed on each cluster node;
- The vSEC:CMS dat folder, which is where the database file for the vSEC:CMS is located, is configured to point to the vSEC:CMS database file that is located on the shared storage;
- The vSEC:CMS Service should be running on one node. On all other nodes where vSEC:CMS is installed, the service should be stopped.
If you are using MS SQL as the database and you are on version 6.1.X or later, you do not need shared storage. Refer to the example deployment MS SQL Used below for details on how to configure this scenario.
High Level Architecture
The diagram below describes how vSEC:CMS can be configured in an MS cluster environment to ensure high availability. vSEC:CMS needs to be installed on each node (Node 1 and Node 2 below) with the vSEC:CMS database file stored on a shared storage.
Access to the nodes should be configured as Active-Passive.
Example Deployment
In this section we provide examples of how this can be set up, depending on which database type you use.
The steps below are guidelines only. It is expected that the person carrying out the deployment has expertise and experience with using MS clustering. The steps below may need to be adjusted and/or changed depending on your environment.
If you use an MS CA you will already be familiar with the requirement that an Enrollment Agent (EA) certificate is available to vSEC:CMS. In a cluster environment you will need to ensure that the same EA certificate is available on both nodes. This can be done by issuing an EA certificate to the service account that the vSEC:CMS service runs under and exporting it as a .pfx along with the private key. Then you should import the .pfx into the local certificate store of the vSEC:CMS service account on each node (for example, you can use MMC to do this). Verify on each of the nodes that the EA certificate is selected for the CAs that you use from the Options - Connections page in the Enrollment Agent section.
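One way to confirm that the same EA certificate, with its private key, is present on every node is shown below. This is an added example, not Versasec code; it assumes the service runs under a dedicated Windows account and that the script is run in a session started as that account. The function name and the thumbprint placeholder are hypothetical.

```powershell
# Added example (not vendor code). Run on each node in a session started as
# the vSEC:CMS service account, so Cert:\CurrentUser\My is that account's store.
function Test-EaCertificate {
    param(
        [Parameter(Mandatory)][string]$ExpectedThumbprint  # value noted on the first node
    )
    $eaOid = '1.3.6.1.4.1.311.20.2.1'   # Certificate Request Agent EKU
    $want  = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()

    $cert = Get-ChildItem -Path Cert:\CurrentUser\My |
        Where-Object { $_.Thumbprint -eq $want } | Select-Object -First 1
    if (-not $cert) {
        return [pscustomobject]@{ Node = $env:COMPUTERNAME; Present = $false }
    }
    # Read the EKU extension directly so the check does not depend on friendly names.
    $eku = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    [pscustomobject]@{
        Node          = $env:COMPUTERNAME
        Present       = $true
        HasPrivateKey = $cert.HasPrivateKey   # must be True, or enrollment signing fails
        HasEaEku      = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) -contains $eaOid
        NotExpired    = $cert.NotAfter -gt (Get-Date)
        Subject       = $cert.Subject
    }
}

# Placeholder: substitute the thumbprint of the EA certificate you exported.
Test-EaCertificate -ExpectedThumbprint '<EA-CERT-THUMBPRINT>'
```

Once the import is verified on every node, delete the exported .pfx or keep it in protected storage, since it carries the EA private key.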
Internal SQLite Used
This section will describe the steps to be carried out to deploy vSEC:CMS into an MS clustered environment where two nodes are used and the database used is internal SQLite. It will be expected that the MS clustered environment is already set up and functional. This document does not provide the steps to set up an MS cluster environment.
It will be required that at minimum you have already successfully completed the configuration steps described in the article Setup Evaluation Version of vSEC:CMS. The instructions in this document are applicable regardless of whether you are running the evaluation version or a production version.
Setup Steps
1. Install vSEC:CMS on each of the nodes;
2. Stop the vSEC:CMS service (vSEC:CMS Service) on each node;
3. In the shared storage location create a folder called dat which will be used to store the database for the vSEC:CMS;
4. Copy all the files of the vSEC:CMS dat folder into the dat folder created in step 3 above. It will be presumed that you have already set up a vSEC:CMS that is configured and ready to be used. Therefore in this case you would copy all of the files in the dat folder for this system into the dat folder created in step 3. Depending on how your vSEC:CMS service is configured to run, whether the service runs under the default local SYSTEM account or it runs under a dedicated Windows account, it may be necessary to change the permissions on the dat folder of the vSEC:CMS in order to access this folder;
5. Once the files are copied into the dat folder on the shared storage, delete the dat folder on each of the vSEC:CMS installations on each of the nodes;
6. Configure the vSEC:CMS database file on each node to point to the shared storage. In order to point each vSEC:CMS dat folder to the shared storage a symbolic link will need to be configured. For example, if the shared storage resides at the location \\shared_storage then run the following command from a command prompt to configure the symbolic link on each of the nodes:
C:\>mklink /d "C:\Program Files (x86)\Versasec\vSEC_CMS S-Series\dat" "\\shared_storage\dat"
7. Start the vSEC:CMS service on one of the nodes.
8. From the Failover Cluster Manager right click your cluster and select Configure a Service or Application. Follow the wizard instructions and from the Select Service or Application dialog select Generic Service. Select the vSEC:CMS Service and follow the wizard instructions to complete.
9. If you are using the vSEC:CMS Operator Console Service then it will be necessary to add this service to the cluster. From the Failover Cluster Manager go to the node that is active and under Service and Applications right click the service that you added in step 8 above and select Add a resource. Select Generic Service and select vSEC:CMS – Operator Console Service. Follow the wizard to complete the setup.
10. If you are using the vSEC:CMS User Self-Service then it will be necessary to add this service to the cluster. From the Failover Cluster Manager go to the node that is active and under Service and Applications right click the service that you added in step 8 above and select Add a resource. Select Generic Service and select vSEC:CMS – User Self Service. Follow the wizard to complete the setup.
This completes the setup.
If the vSEC:CMS is already operational and is being moved into a clustered failover setup then it will be necessary to copy the contents of the dat folder of the operational vSEC:CMS to the location of dat folder on the shared storage.
The Windows service account that the vSEC:CMS service uses needs to have permissions to read/write/execute on the dat folder on the shared storage.
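The following check, run on each node, verifies the results of steps 6 and 7 and the permission requirement above. It is an added example, not Versasec code; the paths are the ones used in step 6, while the service account name and the service display-name pattern are assumptions. Modify is used as the closest built-in NTFS right covering read/write/execute, and only ACEs naming the account directly are considered (group membership is not resolved).

```powershell
# Added example (not vendor code). Run on each node after step 7.
$datLink    = 'C:\Program Files (x86)\Versasec\vSEC_CMS S-Series\dat'  # from step 6
$datTarget  = '\\shared_storage\dat'                                   # from step 6
$svcAccount = 'EXAMPLE\svc-vseccms'   # hypothetical service account name

# 1. The local dat folder must be a symbolic link to the shared dat folder.
$item   = Get-Item -LiteralPath $datLink -Force
# Some PowerShell versions report UNC targets as 'UNC\server\share'; normalise first.
$target = @($item.Target)[0] -replace '^(\\\\\?\\)?UNC\\', '\\'
$linkOk = ($item.LinkType -eq 'SymbolicLink') -and ($target -eq $datTarget)

# 2. NTFS ACL on the shared folder: Allow ACEs that include Modify.
$modify = [System.Security.AccessControl.FileSystemRights]::Modify
$aces   = (Get-Acl -LiteralPath $datTarget).Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and ($_.FileSystemRights -band $modify) -eq $modify
}
$aclOk  = @($aces | Where-Object { $_.IdentityReference.Value -eq $svcAccount }).Count -gt 0
# Broad groups with write access can alter the CMS database files; list them for review.
$broad  = @($aces | Where-Object {
    $_.IdentityReference.Value -match '^(Everyone|NT AUTHORITY\\Authenticated Users|BUILTIN\\Users)$'
}) | ForEach-Object { $_.IdentityReference.Value }

# 3. Service state on this node (display-name pattern is an assumption).
$svc = Get-Service | Where-Object DisplayName -like 'vSEC:CMS*' |
    ForEach-Object { '{0}={1}' -f $_.DisplayName, $_.Status }

[pscustomobject]@{
    Node         = $env:COMPUTERNAME
    LinkOk       = $linkOk
    LinkTarget   = $target
    ServiceAclOk = $aclOk
    BroadWriters = $broad -join ', '
    Services     = $svc -join '; '
}
```

Get-Acl reports the NTFS permissions only; the share permissions on the shared storage have to allow the same access for the service account.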
MS SQL Used
This section will describe the steps to be carried out to deploy vSEC:CMS into an MS clustered environment where two nodes are used and the database used is MS SQL. It will be expected that the MS clustered environment is already set up and functional. This document does not provide the steps to set up an MS cluster environment.
It will be required that at minimum you have already successfully completed the configuration steps described in the article Setup Evaluation Version of vSEC:CMS. The instructions in this document are applicable regardless of whether you are running the evaluation version or a production version.
Setup Steps
1. Install vSEC:CMS on each of the nodes. On one of the nodes you should configure all of the settings that are required for your environment;
2. Stop the vSEC:CMS service (vSEC:CMS Service) on each node;
3. From the fully configured node copy all the files of the vSEC:CMS dat folder into the dat folder of the other node(s). Depending on how your vSEC:CMS service is configured to run, whether the service runs under the default local SYSTEM account or it runs under a dedicated Windows account, it may be necessary to change the permissions on the dat folder of the vSEC:CMS in order to access this folder;
4. Start the vSEC:CMS service on one of the nodes.
5. From the Failover Cluster Manager right click your cluster and select Configure a Service or Application. Follow the wizard instructions and from the Select Service or Application dialog select Generic Service. Select the vSEC:CMS Service and follow the wizard instructions to complete.
6. If you are using the vSEC:CMS Operator Console Service then it will be necessary to add this service to the cluster. From the Failover Cluster Manager go to the node that is active and under Service and Applications right click the service that you added in step 5 above and select Add a resource. Select Generic Service and select vSEC:CMS – Operator Console Service. Follow the wizard to complete the setup.
7. If you are using the vSEC:CMS User Self-Service then it will be necessary to add this service to the cluster. From the Failover Cluster Manager go to the node that is active and under Service and Applications right click the service that you added in step 5 above and select Add a resource. Select Generic Service and select vSEC:CMS – User Self Service. Follow the wizard to complete the setup.
This completes the setup.