The vSEC:CMS can be configured in a Microsoft (MS) Windows Server Failover Clustering environment to ensure high availability of the application.
The following prerequisites are required:
1. Configured MS Windows Server Cluster with at least 1 additional shared storage;
2. vSEC:CMS is installed on each cluster node;
3. vSEC:CMS dat folder, which is where the database file for the vSEC:CMS is located, is configured to point to the vSEC:CMS database file that is located on the shared storage;
4. vSEC:CMSService should be running on one node. On all other nodes where the vSEC:CMS is installed, the service should be stopped.
High level Architecture
The diagram below describes how the vSEC:CMS can be configured in an MS cluster environment to ensure high availability. The vSEC:CMS needs to be installed on each node (Node 1 and Node 2 below) with the vSEC:CMS database file stored on a shared storage.
This section describes the steps to deploy the vSEC:CMS into an MS clustered environment where two nodes are used. It is expected that the MS clustered environment is already set up and functional. This document does not provide the steps to set up an MS cluster environment.
1. Install the vSEC:CMS on each of the nodes;
2. Stop the vSEC:CMS service (vSEC:CMS Service) on each node;
3. In the shared storage location create a folder called dat which will be used to store the database for the vSEC:CMS;
4. Copy the files of the vSEC:CMS dat folder into the dat folder created in step 3 above. It will be necessary to change the permissions on the dat folder of the vSEC:CMS in order to access this folder;
5. Once the files are copied into the dat folder on the shared storage, delete the dat folder on each of the vSEC:CMS installations on each of the nodes;
6. Configure the vSEC:CMS database file on each node to point to the shared storage. In order to point each vSEC:CMS dat folder to the shared storage, a symbolic link needs to be configured. For example, if the shared storage resides at the location '\\shared_storage' then run the following command from a command prompt to configure the symbolic link:
C:\>mklink /d "C:\Program Files (x86)\Versasec\vSEC_CMS vSEC:CMS\dat" "\\shared_storage\dat"
7. Start the vSEC:CMS service on one of the nodes.
8. From the Failover Cluster Manager right click your cluster and select Configure a Service or Application. Follow the wizard instructions and from the Select Service or Application dialog select Generic Service. Select the vSEC:CMS Service and follow the wizard instructions to complete.
9. If you are using the Operator console service then it will be necessary to add this service to the cluster. From the Failover Cluster Manager go to the node that is active and under Service and Applications right click the service that you added in step 8 above and select Add a resource. Select Generic Service and select vSEC:CMS - Operator Console Service. Follow the wizard to complete the setup.
10. If you are using the User Self-Service then it will be necessary to add this service to the cluster. From the Failover Cluster Manager go to the node that is active and under Service and Applications right click the service that you added in step 8 above and select Add a resource. Select Generic Service and select vSEC:CMS - User Self Service. Follow the wizard to complete the setup.
11. This completes the setup.
Important: If the vSEC:CMS is already operational and is being moved into a clustered failover setup then it will be necessary to copy the contents of the dat folder of the operational vSEC:CMS to the location of the dat folder on the shared storage.
Important: The Windows service account that the vSEC:CMS service uses needs to have permissions to read/write to the dat folder on the shared storage.
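A post-setup check for the steps and notes above, added here as an example and not part of the Versasec documentation: it confirms that each node's dat folder is a symbolic link to the shared storage, that the service runs on exactly one node, and lists which identities can write to the shared dat folder. The node names and the local dat path are placeholders, and PowerShell remoting between the nodes is assumed.

```powershell
# Added example; node names, paths and remoting availability are assumptions.
$Nodes     = 'NODE1', 'NODE2'                 # hypothetical cluster node names
$LocalDat  = '<vSEC:CMS install folder>\dat'  # placeholder: link path used in step 6
$SharedDat = '\\shared_storage\dat'           # example share from step 6
$SvcName   = 'vSEC:CMS Service'               # display name as written in step 2

# Strip the UNC prefix so '\\server\share' and 'UNC\server\share' compare equal
# (Windows PowerShell 5.1 can report UNC link targets in the second form).
function ConvertTo-UncKey([string]$Path) {
    ($Path -replace '^(\\\\|UNC\\)', '').TrimEnd('\').ToLower()
}

$report = foreach ($node in $Nodes) {
    # Steps 5-6: dat must be a symbolic link to the shared folder, not a local copy.
    $link = Invoke-Command -ComputerName $node -ScriptBlock {
        $i = Get-Item -LiteralPath $using:LocalDat -Force -ErrorAction SilentlyContinue
        [pscustomobject]@{ LinkType = $i.LinkType; Target = ($i.Target | Select-Object -First 1) }
    }
    # Prerequisite 4 / step 7: the service runs on one node only.
    $svc = Get-CimInstance -ClassName Win32_Service -ComputerName $node `
                           -Filter "DisplayName = '$SvcName'"
    [pscustomobject]@{
        Node      = $node
        IsSymlink = $link.LinkType -eq 'SymbolicLink'
        TargetOk  = (ConvertTo-UncKey $link.Target) -eq (ConvertTo-UncKey $SharedDat)
        State     = $svc.State
        RunsAs    = $svc.StartName   # the Windows service account
    }
}
$report | Format-Table -AutoSize

$running = @($report | Where-Object State -eq 'Running')
if ($running.Count -ne 1) {
    Write-Warning "Expected the service running on exactly one node, found $($running.Count)."
}
$report | Where-Object { -not ($_.IsSymlink -and $_.TargetOk) } |
    ForEach-Object { Write-Warning "$($_.Node): dat is not a symbolic link to $SharedDat." }

# List every identity allowed to write to the shared dat folder. The account shown
# in RunsAs must be covered (directly or via a group); review any other entry.
$write = [System.Security.AccessControl.FileSystemRights]::WriteData
(Get-Acl -LiteralPath $SharedDat).Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and ($_.FileSystemRights -band $write) } |
    Select-Object IdentityReference, FileSystemRights, IsInherited | Format-Table -AutoSize
```

Because the dat folder holds the vSEC:CMS database, the final table is worth keeping with the cluster's change records so later permission drift on the share can be spotted.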
Failover Cluster and User Self-Service
In setups where user self-service is configured it will be necessary to have an operator configured that will perform administration key operations for users using the self-service application. These operators can either be in the form of a token or an encrypted key store.
If the operator is in the form of a token then an operator must logon to vSEC:CMS to re-activate User Self-Service after the instance has moved from one node to another.
If the operator is in the form of an encrypted key store then the failover mechanism will be performed without any requirement for an operator to log on and re-activate the User Self-Service. Therefore, in this setup the failover will occur seamlessly.
Important: It will be necessary to fully configure the user self-service connection on the vSEC:CMS on both nodes.