Configuring LogonBox for High Availability

Christopher Dakin

LogonBox can be configured to work in a High-Availability mode with 2 or more nodes.

This article details the steps required to configure this feature.

 

Summary of steps required

  • Configure MySQL service
  • Configure Node 1
  • Configure Node 2
  • Load Balance the connection

 

MySQL

For LogonBox to work in high availability mode you first need to configure an external MySQL service for the LogonBox nodes to connect to.

Ideally this would be a MySQL high availability cluster itself, but for this example we will connect to a single MySQL instance.

You can either build a new system yourself and install MySQL on it, or you can start with a LogonBox image and modify that to only run MySQL.

For this example, we will use this second option.

Deploy a LogonBox VM image as per the main install guides but don’t go through any of the setup wizard.

Once deployed, connect to a terminal or SSH to the system.


Stop the LogonBox service and remove the LogonBox software:

systemctl stop hypersocket-idm
apt remove hypersocket-idm

 

Now connect to the database and create users for each node that will connect to the system and set a password for the root account.

As we have used a LogonBox server, the database we need has already been created. We will be using 2 nodes in this example, so we will create two users:

mysql
SET PASSWORD FOR 'root'@'localhost' = PASSWORD('mypass');
GRANT ALL PRIVILEGES ON *.* TO 'hypersocket'@'ipaddressnode1' IDENTIFIED BY 'hypersocket';
GRANT ALL PRIVILEGES ON *.* TO 'hypersocket'@'ipaddressnode2' IDENTIFIED BY 'hypersocket';
FLUSH PRIVILEGES;
exit

Set the password for root to something secure. Keep the hypersocket passwords as hypersocket for now, as we will change these later.

 

Now we need to make MySQL listen on something other than just localhost:

nano /etc/mysql/mariadb.conf.d/50-server.cnf

Change the bind-address from 127.0.0.1 to 0.0.0.0 so that MySQL accepts connections on all of the server's network interfaces.

Save the file with CTRL-X, Y, then restart mysql with:

systemctl restart mysql

 

That concludes the MySQL server initial setup.

 

LogonBox server Node 1

Deploy a new LogonBox server as per the standard deployment guide, including running through the web-based setup wizard. For the 2FA part, skip that section as we will be doing this config again in a moment.

Once complete, log on to your new LogonBox server using your admin account.

Navigate to System Configuration->Database.

Change the Vendor from MYSQL_LOCAL to MYSQL.

Set the Host to the IP/host of your MySQL server.

Set the port to 3306.

Set the username and password to hypersocket.

Click Apply at the bottom, then restart the LogonBox service with the power icon at bottom right.

 

 

At this point, the LogonBox service will fail to start up as it has changed the password it uses for the database connection to a random one, so we need to get this new password and update it on the MySQL server.

On the LogonBox server do:

cat /opt/hypersocket-idm/conf/database.properties

and note the jdbc.password value.

 

On the MySQL server connect to MySQL with your root account and change the password for this node:

SET PASSWORD FOR 'hypersocket'@'10.1.2.3' = PASSWORD('secretpassword');
FLUSH PRIVILEGES;

 

On the LogonBox server, restart the service from the terminal with:

systemctl restart hypersocket-idm

This should now give you access to the web UI.

 

You will now be prompted to run through the initial setup wizard again as we’re now pointing at a remote database which is empty.

Complete the Setup Wizard again.

When the service restarts at the end of the wizard, log back on with your admin account.

 

In Updates, Features & Licensing, install the High Availability feature from the System tab and restart the service when requested.

 

Log on as your admin account again and navigate to System Configuration->Hazelcast Settings.

Set the communication protocol to TCP/IP.

Set the Outgoing interface to this node's IP address.

For Members in Cluster, add the IP of Node 2.

Click Apply.

 

Now click the High Availability tab in System Configuration.

We now need to define an area where shared files will be stored. This can be either a Google Compute bucket or a CIFS file share on your network.

Enter the details to connect to your share and click Apply.

Note: This will create its own file structure on that share, so it would be best to ensure this share is not used for anything else.

 

LogonBox server Node 2

Deploy another new LogonBox server as per the standard deployment guide, including running through the web-based setup wizard. For the 2FA part, skip that section as we will be connecting to the main configuration afterwards.

Once complete, log on to your new LogonBox server using your admin account.

Navigate to System Configuration->Database.

Change the Vendor from MYSQL_LOCAL to MYSQL.

Set the Host to the IP/host of your MySQL server.

Set the port to 3306.

Set the username and password to hypersocket.

Click Apply at the bottom, then restart the LogonBox service with the power icon at bottom right.

 

 

At this point, the LogonBox service will fail to start up as it has changed the password it uses for the database connection to a random one, so we need to get this new password and update it on the MySQL server.

On the LogonBox server do:

cat /opt/hypersocket-idm/conf/database.properties

and note the jdbc.password value.

 

On the MySQL server connect to MySQL with your root account and change the password for this node:

SET PASSWORD FOR 'hypersocket'@'10.1.2.4' = PASSWORD('secretpassword');
FLUSH PRIVILEGES;

 

On the LogonBox server, restart the service from the terminal with:

systemctl restart hypersocket-idm

This should now give you access to the web UI.
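
The password hand-off described above for Node 1 and Node 2, as an added shell example that is not LogonBox's own code: it reads jdbc.password from database.properties and prints the SET PASSWORD statements with the value quoted safely for SQL. It assumes the file follows Java .properties conventions and that the server uses default backslash escaping in string literals; the sample file and its password are constructed.

```shell
#!/bin/sh
# Added example, not LogonBox code. Assumes database.properties follows Java
# .properties conventions (key=value, '#' comments, backslash-escaped ':' '=').

# Print the value of one key, with .properties backslash escapes removed.
# \n, \t and \uXXXX escapes are not decoded (assumed absent from the password).
prop_value() {
    k=$(printf '%s' "$1" | sed 's/\./\\./g')   # match dots in the key literally
    sed -n -e '/^[[:space:]]*[#!]/d' \
        -e "s/^[[:space:]]*${k}[[:space:]]*[=:][[:space:]]*//p" "$2" |
        tail -n 1 | sed 's/\\\(.\)/\1/g'
}

# Escape a value for a single-quoted MySQL/MariaDB string literal
# (assumes the NO_BACKSLASH_ESCAPES sql_mode is not set).
sql_quote() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e "s/'/''/g"
}

# Emit the article's SET PASSWORD / FLUSH PRIVILEGES statements for one node.
password_sync_sql() {
    file=$1 node_ip=$2
    # Only accept plain IP/host characters so the host cannot break the SQL.
    case $node_ip in
        ''|*[!0-9A-Za-z.:-]*) echo "refusing odd host: $node_ip" >&2; return 1 ;;
    esac
    pw=$(prop_value jdbc.password "$file")
    [ -n "$pw" ] || { echo "jdbc.password not found in $file" >&2; return 1; }
    printf "SET PASSWORD FOR 'hypersocket'@'%s' = PASSWORD('%s');\nFLUSH PRIVILEGES;\n" \
        "$node_ip" "$(sql_quote "$pw")"
}

# Constructed sample standing in for /opt/hypersocket-idm/conf/database.properties
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
# constructed sample, not a real LogonBox file
jdbc.password=Xy7\=q'Z\:9
EOF
password_sync_sql "$sample" 10.1.2.3
```

Feeding the output directly to the mysql client on the database server avoids retyping the random password, and avoids copying the .properties escape backslashes into it by mistake.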

 

This time, as you are connecting to the configuration you already set up from Node 1, you should just be able to log in with your admin account.

At this point you now have 2 LogonBox nodes connecting to the same external database. All that remains is to configure the same HA settings as per the other node.

 

Log back on with your admin account.

In Updates, Features & Licensing, install the High Availability feature from the System tab and restart the service when requested.

 

Log on as your admin account again and navigate to System Configuration->Hazelcast Settings.

Set the communication protocol to TCP/IP.

Set the Outgoing interface to this node's IP address.

For Members in Cluster, add the IP of Node 1.

Click Apply.

 

Now click the High Availability tab in System Configuration.

 

As we are now connected to the same database as Node 1, confirm the settings here match what was entered in Node 1.

At this point, any change made on either node will immediately take effect on the other node. The main HA configuration is complete.

 

Load Balance the connection

The final step to have your LogonBox systems working in a High Availability manner is to configure a Load Balancer in front of your LogonBox nodes to direct incoming traffic to either Node 1 or Node 2.

As many options exist for performing such balancing, this task is left to the reader.