Cluster Requirements
When CA Identity Portal is deployed in a cluster, its nodes use Java Groups technology to communicate and replicate configuration and state. By doing so, CA Identity Portal enhances performance and simplifies the process of committing or announcing a configuration change to all the nodes in the cluster.
The requirements detailed in this article are recommended, not mandatory.
By default, the Java Groups discovery relies on UDP multicast. UDP multicast works only if the cluster nodes reside on the same network switch. If the nodes reside on different network switches, enable layer 2 multicast spoofing on the network switches.
Alternatively, if layer 2 multicast spoofing cannot be enabled and the nodes must reside on separate networks, CA Identity Portal can be configured to use TCP Unicast to overcome the broadcast limitations of network segmentation.
Selecting a Multicast Address
By default, the CA Identity Portal installer uses the following multicast address: 228.6.7.9
Verify that this address is not currently used. To verify, see Testing jgroups Multicast.
If you are installing several CA Identity Portal environments on the same physical network (for example, a Development and a QA environment), use a different multicast address for each installation or CA Identity Portal cluster. Otherwise, you run the risk of nodes from the QA environment joining the Development cluster and vice versa.
Example:
- The CA Identity Portal Development environment nodes use the multicast address: 228.6.7.9
- The CA Identity Portal QA environment nodes use the multicast address: 228.6.7.10
Testing jgroups Multicast
Perform the following procedure to verify that the multicast address is not being used.
Follow these steps:
- Download the jgroups-3.3.1.Final.jar file from the JGroups website: http://sourceforge.net/projects/javagroups/files/JGroups/3.3.1.Final/
- Copy the jgroups-3.3.1.Final.jar file to a folder of your choice on each of the application servers.
- Open a command prompt to that folder.
- Run the jgroups Receiver Test on the first node. Ensure that the Java Runtime is installed.
  java -cp jgroups-3.3.1.Final.jar org.jgroups.tests.McastReceiverTest -mcast_addr 228.6.7.9 -port 46656
- Run the jgroups Sender Test on the second node:
  java -cp jgroups-3.3.1.Final.jar org.jgroups.tests.McastSenderTest -mcast_addr 228.6.7.9 -port 46656
- Type a custom message in the sender console and press Enter. The message must be displayed in the receiver console on the other node.
- Switch the receiver and sender sides, and try again to validate that both the directions work.
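The sender/receiver test above confirms that multicast is delivered between two nodes. As a complement, the following added example (not part of the CA documentation or product) checks that each environment has its own multicast address and passively listens for traffic already present on a group. The function names are hypothetical, port 46656 is taken from the test commands above, and the Development/QA plan is the example from this article.

```python
import ipaddress
import socket
import struct
import time

def check_plan(plan):
    """Return a list of problems in an {environment: multicast address} plan."""
    problems, seen = [], {}
    for env, addr in plan.items():
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            problems.append(f"{env}: {addr} is not a valid IP address")
            continue
        if ip.version != 4 or not ip.is_multicast:
            problems.append(f"{env}: {addr} is not an IPv4 multicast address")
        if ip in seen:  # two environments on one group can join each other's cluster
            problems.append(f"{env}: {addr} is already assigned to {seen[ip]}")
        seen.setdefault(ip, env)
    return problems

def listen_for_senders(group, port, seconds=10.0):
    """Join the group and return the source IPs seen within `seconds`."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind(("", port))
    mreq = struct.pack("4s4s", socket.inet_aton(group), socket.inet_aton("0.0.0.0"))
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_ADD_MEMBERSHIP, mreq)
    senders, deadline = set(), time.monotonic() + seconds
    try:
        while (left := deadline - time.monotonic()) > 0:
            sock.settimeout(left)
            try:
                _, (src, _src_port) = sock.recvfrom(65535)
            except socket.timeout:
                break
            senders.add(src)
    finally:
        sock.close()
    return senders

if __name__ == "__main__":
    # Address plan from the example in this article; port from the test commands.
    plan = {"Development": "228.6.7.9", "QA": "228.6.7.10"}
    for problem in check_plan(plan):
        print("PLAN:", problem)
    for env, group in plan.items():
        found = listen_for_senders(group, 46656)
        print(env, group, "in use by" if found else "quiet", sorted(found))
```

A quiet result covers only the listening window and the port that was checked, so run it while the other environments on the network are up.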
What to do if jgroups discovery is not possible?
In some unique cases of network deployments, the cluster requirements cannot be met. In these cases, the following should be considered when working with the product:
- After performing configuration changes through the CA Identity Portal Admin UI, browse to the CA Identity Portal Admin UI on each node in the cluster and flush (Clear) the cache (in the Admin UI, navigate to Tools, Cache). Then refresh the Admin UI browser page to verify that the configuration changes are reflected on each node.
- Cache-based optimization in CA Identity Portal is available on a per-node basis. For example, if a certain user search has been performed on a specific node in the cluster, the result set is cached only on that node and not replicated to the other cluster nodes.
Note:
In some cases, IPv6 addresses might interfere with the Java Groups operations. If you experience issues with the CA Identity Portal cluster, add the following parameter to the server startup for each CA Identity Portal node:
  -Djava.net.preferIPv4Stack=true