High Availability

This section explains how to achieve high availability (HA) in the License Manager and in the Denodo Security Token server. This post-installation task is optional but necessary if you want to avoid having a single point of failure in the production environment of Denodo.

When a Denodo component starts (e.g. a Virtual DataPort server, the Scheduler server…), it requests permission from the License Manager to run. To do this, the component sends an HTTP request to the License Manager with details about the host where the component is going to run (host name, IP address, number of cores, etc.). If approved, the component starts.

Periodically, each component sends a request to the License Manager to keep running. If, for some reason, the License Manager does not respond (e.g. the host where the License Manager runs is down), there is a grace period of 5 days. During this period, the Denodo server still runs normally and keeps trying to renew the license. After 5 days of the License Manager not responding, the component shuts down. Note that during the grace period the component keeps running, but if you stop it you will not be able to start it again, because a Denodo component only starts if it can reach the License Manager.
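A small model of the check-in and grace-period rules just described, added here as an illustration (it is not Denodo code: the class and function names are hypothetical, the hourly check-in interval is an assumption, and the 5-day value is the one stated above). It makes it easy to see how long a License Manager outage a running component survives, and why a component that is stopped during the outage does not come back.

```python
"""Model of License Manager check-in and the 5-day grace period (added example, not Denodo code)."""
from datetime import datetime, timedelta

GRACE_PERIOD = timedelta(days=5)  # value stated in the documentation


class LicensedComponent:
    """Tracks whether a component may run, given License Manager reachability. Hypothetical API."""

    def __init__(self, name):
        self.name = name
        self.running = False
        self.last_renewal = None  # time of the last successful License Manager response

    def start(self, now, license_manager_up):
        # A component only starts if it actually reaches the License Manager.
        if not license_manager_up:
            return False
        self.running = True
        self.last_renewal = now
        return True

    def renew(self, now, license_manager_up):
        """Periodic check-in. Returns True if the component is still running after this tick."""
        if not self.running:
            return False
        if license_manager_up:
            self.last_renewal = now
            return True
        # No response: keep running only while still inside the grace period.
        if now - self.last_renewal > GRACE_PERIOD:
            self.running = False
        return self.running

    def stop(self):
        self.running = False


def simulate(outage_days, restart_after_days=None, tick_hours=1):
    """Run one component through a License Manager outage lasting `outage_days`.

    The component starts one day before the outage and checks in every `tick_hours`.
    If `restart_after_days` is given, the component is stopped and started again that many
    days after the outage begins, which exercises the "cannot restart while the License
    Manager is unreachable" rule. Returns (running_at_end, restart_succeeded_or_None).
    """
    t0 = datetime(2024, 1, 10)  # arbitrary epoch for the constructed timeline
    outage_start, outage_end = t0, t0 + timedelta(days=outage_days)
    restart_at = None if restart_after_days is None else t0 + timedelta(days=restart_after_days)
    tick = timedelta(hours=tick_hours)

    comp = LicensedComponent("vdp")
    now = outage_start - timedelta(days=1)
    assert comp.start(now, license_manager_up=True)
    restart_ok = None
    end = outage_end + timedelta(days=1)
    while now <= end:
        lm_up = not (outage_start <= now < outage_end)
        if restart_at is not None and now == restart_at:
            comp.stop()
            restart_ok = comp.start(now, lm_up)
        comp.renew(now, lm_up)
        now += tick
    return comp.running, restart_ok


if __name__ == "__main__":
    print("2-day outage:", simulate(2))                       # survives
    print("6-day outage:", simulate(6))                       # shut down after 5 days
    print("2-day outage, restart on day 1:", simulate(2, 1))  # restart refused, stays down
```

The third case is the one that surprises operators: the outage is well inside the grace period, yet a routine restart of the component during the outage leaves it down until the License Manager is reachable again.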

On the other hand, the Denodo Security Token server is the core component of the Single Point of Access feature in Solution Manager. It starts the Single Sign-On flow, delegating authentication to an external Identity Provider (e.g. Azure Active Directory, Okta, PingFederate, etc.) and generating a valid credential that the other applications use to gain access across all the components of the Denodo Platform.

It is strongly recommended to deploy the License Manager and the Denodo Security Token in a High Availability (HA) architecture, so they do not become single points of failure for the Denodo ecosystem. Follow these steps to deploy them in high availability:

  1. Deploy a second installation on a different machine.

  2. Configure a load balancer for HA between the primary and secondary installations.

  3. Make all the Denodo Platform servers connect to the License Manager through the HA load balancer.

  4. Route all requests to the Denodo Security Token server through the HA load balancer.

The following diagram represents the deployment for HA of License Manager and the Denodo Security Token server.

Diagram: High availability architecture with the Solution Manager Installation

The License Manager and the Denodo Security Token support the active-passive approach. This means that the load balancer has to be configured to forward all requests to the primary node and, only if the primary node fails its health check, to forward them to the secondary node.

Note

Your license must allow running two License Manager servers in active-passive HA configuration.

Step #1: Configuring the Solution Manager Installations for High Availability

  • Primary Node

    1. Install a Solution Manager platform into the main node.

    2. Log in to the Solution Manager administration tool you just installed and configure it to use an external database. The section Setting-Up an External Database explains how to do this.

      When doing this, consider enabling the high availability features of this external database to meet higher uptime requirements.

    3. Configure the desired authentication method at Configuration > Authentication menu. Once the installation is configured, export the configuration and save the file for use later. The section import and export explains how to do this.

      Note

      Subsequent Configuration > Authentication changes in the primary node must be replicated manually in the secondary node.

  • Secondary Node

    1. In another computer, use the same installer to install the component Solution Manager. This will be the secondary node for the Installation. For this secondary installation, use the same license file you used for the primary Solution Manager.

    2. Log in to the Solution Manager administration tool of the secondary node and configure it to use the same external database as in primary node.

    3. Import the exported configuration from primary node. It will replicate the authentication configuration and others.

    4. After configuring the external database and completing the import, stop all the components except the License Manager server and the Denodo Security Token. The Solution Manager is not meant to be used in a cluster; only the License Manager and the Denodo Security Token are. To ensure this, start only these servers, using their specific startup scripts: licensemanager_startup.{sh|bat} and denodo_sso_startup.{sh|bat}.

Step #2: Configuring the Load Balancer for High Availability

Important

In the load balancer, only configure the License Manager server and the Denodo Security Token server to work with high availability, not the Solution Manager server nor its administration tool. They are not designed to run on a cluster.

  1. In the load balancer of your organization, create an active-passive configuration for the two nodes. Configure the rules and the health check of your choice, taking into account the correct scheme, ports and ping URLs:

    Application             Default port                 Ping endpoint
    License Manager         10091                        /pingLicenseManager
    Denodo Security Token   19090 / 19443 (HTTP / HTTPS) /sso/ping

    For example, to detect if the primary License Manager server is up, send a GET request to https://<Solution Manager host>:10091/pingLicenseManager and check that it returns the HTTP success status code 200 (see Ping to Solution Manager Server for more details). A health check that only tests whether the port accepts connections is not enough: the endpoint must answer 200 before the load balancer sends traffic to that node.

  2. Configure the load balancer with path-based routing so that only /sso requests are balanced across the two nodes, because not all artifacts deployed in the web-container port (19090/19443 by default) support HA.
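The following Python script is added here as an illustration of the check a health probe should perform against the endpoints in the table; it is not Denodo code, nor the configuration of any particular load balancer. It starts two local stub servers (constructed stand-ins for the primary and secondary nodes), probes the primary first and falls back to the secondary only when the primary does not answer 200, and also reports the skew between the prober's clock and the node's HTTP Date header, since the nodes' clocks have to be in sync for licensing to work. The stub handler, the 60-second skew threshold and the function names are assumptions of the example.

```python
"""Active-passive health probing for /pingLicenseManager and /sso/ping (added example, not Denodo code)."""
import threading
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.error import HTTPError, URLError
from urllib.request import urlopen

PING_PATHS = {"licensemanager": "/pingLicenseManager", "sso": "/sso/ping"}  # from the table above
MAX_SKEW_SECONDS = 60  # assumption: what this example treats as acceptable clock skew


def make_stub_server(healthy):
    """Constructed stand-in for a node: answers 200 on the ping paths when healthy, else 503."""
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            self.send_response(200 if healthy and self.path in PING_PATHS.values() else 503)
            self.end_headers()  # send_response also adds the Date header we use for skew

        def log_message(self, *args):  # keep the example quiet
            pass

    server = ThreadingHTTPServer(("127.0.0.1", 0), Handler)  # port 0: pick a free port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def probe(base_url, path, timeout=2.0):
    """Return (healthy, skew_seconds). Healthy means an HTTP 200 within the timeout."""
    try:
        with urlopen(base_url + path, timeout=timeout) as resp:
            status, date_hdr = resp.status, resp.headers.get("Date")
    except HTTPError as e:               # 4xx/5xx still carries a Date header
        status, date_hdr = e.code, e.headers.get("Date")
    except (URLError, OSError):          # refused, timed out, DNS failure: node is down
        return False, None
    skew = None
    if date_hdr:
        node_time = parsedate_to_datetime(date_hdr)
        skew = abs((datetime.now(timezone.utc) - node_time).total_seconds())
    return status == 200, skew


def choose_backend(primary, secondary, path):
    """Active-passive selection: the primary while it answers 200, otherwise the secondary.

    Returns (backend_url or None when both are down, list of warnings).
    """
    warnings = []
    for name, url in (("primary", primary), ("secondary", secondary)):
        healthy, skew = probe(url, path)
        if skew is not None and skew > MAX_SKEW_SECONDS:
            warnings.append(f"{name}: clock skew {skew:.0f}s exceeds {MAX_SKEW_SECONDS}s")
        if healthy:
            return url, warnings
        warnings.append(f"{name}: health check failed on {path}")
    return None, warnings


if __name__ == "__main__":
    primary, secondary = make_stub_server(healthy=True), make_stub_server(healthy=False)
    p = f"http://127.0.0.1:{primary.server_address[1]}"
    s = f"http://127.0.0.1:{secondary.server_address[1]}"
    for path in PING_PATHS.values():
        print(path, "->", choose_backend(p, s, path))
    primary.shutdown()
    secondary.shutdown()
```

Note that `probe` treats any non-200 answer, including a 503 or a timeout, as unhealthy, and that a node whose Date header is far from the prober's clock is reported even when it answers 200, so the operator learns about a time-sync problem before the licensed components start falling into their grace period.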

Step #3: Configuring Access Through the Load Balancer

  • Denodo Platform environments

  1. Check that the clocks of both HA nodes and of the Denodo Platform machines are in sync. On Windows, check that the option Synchronize your clock is enabled. On Linux, check that the Network Time Protocol (NTP) service is enabled.

    Note

    The clocks of these computers need to be in sync as much as possible. That is, all of them must be set to the same time and date. Otherwise, the Denodo components may not be able to retrieve a license properly. Not having the clocks synchronized may cause the Virtual DataPort servers to remain in "grace period" or to shut down when the grace period expires.

  2. To guarantee that the Denodo Platform accesses these services through the load balancer, configure your existing environments to point to the load balancer for the License Manager and the Denodo Security Token, either by editing these properties manually or graphically using the Control Center. See the specific section about Denodo Security Token for more information.

Denodo Platform configured to access through the load balancer using the Control Center

Configuring the specific Server Access for Denodo Platform in Automated Mode (Cloud):

Server access configured to use the load balancer

  • Solution Manager Platform

  1. To ensure that the Solution Manager accesses Single Sign-On through the load balancer, edit <SOLUTION_MANAGER_HOME>/conf/SSOConfiguration.properties and set the sso.url property to the load-balancer URL:

    sso.url=https://load-balancer.com
    
  • Denodo Security Token - Identity Provider Registration

This section only applies if the Denodo Security Token is going to be used for Single Sign-On delegation to an Identity Provider. Use the complete load-balancer URL during the client registration process on the external Identity Provider, and register the matching redirect parameter. The relative URI differs by authentication type:

  • OAuth: /sso-oauth/oauth-login by default. Register the complete load-balancer URL as the redirect URI in the OAuth server: https://load-balancer.com:19443/sso/sso-oauth/oauth-login, and set the same value in the property oauth.redirectUri in the file <NODE-HOME>/conf/denodo-sso/SSOTokenConfiguration.properties on each node.

    oauth.redirectUri=https://load-balancer.com:19443/sso/sso-oauth/oauth-login
    
  • OpenID Connect: /sso-openid/openid-login by default. Register the complete load-balancer URL as the redirect URI in the OpenID Connect server: https://load-balancer.com:19443/sso/sso-openid/openid-login, and set the same value in the property openid.redirectUri in the file <NODE-HOME>/conf/denodo-sso/SSOTokenConfiguration.properties on each node.

    openid.redirectUri=https://load-balancer.com:19443/sso/sso-openid/openid-login
    
  • SAML: /sso-saml/SSO is the relative assertion consumer service URL. Use this assertion consumer service during SAML client registration: https://load-balancer.com:19443/sso/sso-saml/SSO, and configure the Service Provider Base URL accordingly. Set the property saml.sp-BaseEntityUrl in the file <NODE-HOME>/conf/denodo-sso/SSOTokenConfiguration.properties on each node.

    saml.sp-BaseEntityUrl=https://load-balancer.com:19443/sso/sso-saml
    

    If the load balancer terminates SSL/TLS (a TLS termination proxy), additional configuration is required. On each node, edit the configuration file <NODE-HOME>/conf/denodo-sso/SSOTokenConfiguration.properties and add the property forwardedHeader.enabled = true. This optional property enables the use of the Forwarded and X-Forwarded-* headers to reflect the client-originated protocol and address, so that the server uses the scheme and host the client actually connected to (the load balancer's) rather than its own. It is needed when clients reach the Denodo Security Token server through an HTTP proxy or a load balancer.

    Make sure that the load balancer fills in the Forwarded and X-Forwarded-* headers correctly, and that it overwrites any such headers supplied by the client rather than passing them through. Once forwardedHeader.enabled is set, the server trusts these values, so a client that can inject them would control the scheme and host the server believes it was reached on.
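The Python example below, added here as an illustration and not Denodo's implementation of forwardedHeader.enabled, shows what honouring these headers involves and where the trust boundary has to sit. It parses both header styles the text mentions (the RFC 7239 Forwarded header and the de facto X-Forwarded-Proto / X-Forwarded-Host pair), rebuilds the scheme and host the client used, and accepts them only when the TCP peer is the load balancer; from any other peer, or with the feature disabled, it falls back to the node's own scheme and host. The trusted proxy range, the node's local address and port, and the function names are assumptions of the example; the sample headers are constructed.

```python
"""Client-facing origin behind a TLS-terminating load balancer (added example, not Denodo code)."""
from ipaddress import ip_address, ip_network

# Assumption: the load balancer's address range. Anything outside it is an untrusted peer.
TRUSTED_PROXIES = [ip_network("10.0.0.0/8")]
# Assumption: the node's own web-container listener when nothing is forwarded.
LOCAL_SCHEME, LOCAL_HOST = "http", "127.0.0.1:19090"


def parse_forwarded(value):
    """Parse the first element of an RFC 7239 Forwarded header into lowercase key -> value.

    Example: 'for=203.0.113.7;proto=https;host="lb.example"' -> {'for': ..., 'proto': 'https', ...}
    Only the first comma-separated element is used: it describes the hop closest to the client.
    """
    pairs = {}
    for part in value.split(",", 1)[0].split(";"):
        if "=" not in part:
            continue
        key, val = part.strip().split("=", 1)
        pairs[key.strip().lower()] = val.strip().strip('"')
    return pairs


def client_origin(headers, peer_ip, forwarded_enabled=True):
    """Return (scheme, host) as seen by the client, honouring forwarded headers only from a trusted proxy.

    headers: request headers as a dict (looked up case-insensitively here)
    peer_ip: address of the TCP peer, i.e. the load balancer when traffic goes through it
    """
    lower = {k.lower(): v for k, v in headers.items()}
    trusted = any(ip_address(peer_ip) in net for net in TRUSTED_PROXIES)
    if not forwarded_enabled or not trusted:
        return LOCAL_SCHEME, LOCAL_HOST  # never let a direct client rewrite our origin

    scheme, host = LOCAL_SCHEME, LOCAL_HOST
    if "forwarded" in lower:
        fwd = parse_forwarded(lower["forwarded"])
        scheme, host = fwd.get("proto", scheme), fwd.get("host", host)
    else:
        # X-Forwarded-* may accumulate one value per hop; the first is the client-facing one.
        scheme = lower.get("x-forwarded-proto", scheme).split(",")[0].strip()
        host = lower.get("x-forwarded-host", host).split(",")[0].strip()

    if scheme not in ("http", "https"):
        raise ValueError(f"unexpected forwarded proto: {scheme!r}")
    return scheme, host


def redirect_uri(headers, peer_ip, path="/sso/sso-oauth/oauth-login"):
    """Build the absolute URL for a relative SSO path from the client-facing origin."""
    scheme, host = client_origin(headers, peer_ip)
    return f"{scheme}://{host}{path}"


if __name__ == "__main__":
    via_lb = {"Forwarded": 'for=203.0.113.7;proto=https;host="load-balancer.com:19443"'}
    print(redirect_uri(via_lb, "10.0.0.5"))      # load balancer origin is honoured
    print(redirect_uri(via_lb, "203.0.113.7"))   # same headers from an untrusted peer: ignored
```

The last two calls are the point: the same header values produce the load balancer's URL when they arrive from the trusted proxy and are ignored when a client sends them directly, which is why the load balancer must both set these headers and strip or overwrite any the client supplied.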

The section Updating Solution Manager with High Availability provides best practices regarding how to update a cluster of License Manager and Denodo Security Token.