Installing Edge SSO for high availability

Edge for Private Cloud v4.18.01

You install multiple instances of Edge SSO for high availability in two scenarios:

  • In a single data center environment, install two Edge SSO instances to create a high availability environment, meaning the system continues to operate if one of the Edge SSO modules goes down.
  • In an environment with two data centers, install Edge SSO in both data centers so that the system continues to operate if one of the Edge SSO modules goes down.

Install two Edge SSO modules in the same data center

You deploy two instances of Edge SSO, on different nodes, in single data center to support high availability. In this scenario:

  • Both instances of Edge SSO must be connected to the same Postgres server. Apigee recommends using a dedicated Postgres server for Edge SSO and not use the same Postgres server that you installed with Edge.
  • You require a load balancer in front of the two instances of Edge SSO:
    • The load balancer must support application generated cookie stickiness, and the session cookie must be named JSESSIONID.
    • Configure the load balancer to perform a TCP or HTTP health check on Edge SSO. For TCP, use the URL of Edge SSO:

      http_or_https://edge_sso_IP_DNS:9099

      Specify the port as set by Edge SSO. Port 9099 is the default.

      For HTTP, include /healthz:

      http_or_https://edge_sso_IP_DNS:9099/healthz
    • Some load balancer settings depend on whether you enabled HTTPS on Edge SSO. See the following sections for more information.

Using HTTP access to Edge SSO

If you are using HTTP access to Edge SSO, then configure the load balancer to:

  • Use HTTP mode to connect to Edge SSO
  • Listen on the same port as Edge SSO

    By default, Edge SSO listens for HTTP requests on port 9099. Optionally, you can use SSO_TOMCAT_PORT to set the Edge SSO port. If you used SSO_TOMCAT_PORT to change the Edge SSO port from the default, ensure that the load balancer listens on that port.

For example, on each Edge SSO instance you set the port to 9033 by adding the following to the config file:

SSO_TOMCAT_PORT=9033

You then configure the load balancer to listen on port 9033 and forwarding requests to an Edge SSO instance on port 9033. The public URL of Edge SSO in this scenario is:

http://LB_DNS_NAME:9033

Using HTTPS access to Edge SSO

You can configure the Edge SSO instances to use HTTPS. In this scenario, follow the steps in Configure apigee-sso for HTTPS access. As part of the process of enabling HTTPS, you set SSO_TOMCAT_PROFILE in the Edge SSO config file as shown below:

SSO_TOMCAT_PROFILE=SSL_TERMINATION 

You can also optionally set the port used by Edge SSO for HTTPS access:

SSO_TOMCAT_PORT=9443

If you are using HTTPS access to Edge SSO, then configure the load balancer to:

  • Use TCP mode, not HTTP mode, to connect to Edge SSO
  • Listen on the same port as Edge SSO as defined by SSO_TOMCAT_PORT

You then configure the load balancer to forward requests to an Edge SSO instance on port 9433. The public URL of Edge SSO in this scenario is:

https://LB_DNS_NAME:9443

Install Edge SSO in multiple data centers

In a multiple data center environment, you install an Edge SSO instance in each data center. One Edge SSO instance then handles all traffic. If that Edge SSO instance goes down you can then switch to the second Edge SSO instance.

Before you install Edge SSO in two data centers, you need the following:

  • The IP address or domain name of the Master Postgres server.

    In a multiple data center environment, you typically install one Postgres server in each data center and configure them in Master-Standby replication mode. For this example, data center 1 contains the Master Postgres server and data center 2 contains the Standby. For more information, see Set up Master-Standby Replication for Postgres.
  • A single DNS entry that points to one Edge SSO instance. For example, you create a DNS entry in the form below that points to the Edge SSO instance in data center 1:

    my-sso.domain.com => apigee-sso-dc1-ip-or-lb

When you install Edge SSO in each data center, you configure both to use the Postgres Master in data center 1:

## Postgres configuration.
PG_HOST=IP_or_DNS_of_PG_Master_in_DC1
?PG_PORT=5432

You also configure both to use the DNS entry as the publicly accessible URL:

# Externally accessible URL of Edge SSO.
SSO_PUBLIC_URL_HOSTNAME=my-sso.domain.com
# Default port is 9099.
SSO_PUBLIC_URL_PORT=9099

If Edge SSO in data center 1 goes down, you can then switch to the Edge SSO instance in data center 2:

  • Convert the Postgres Standby server in data center 2 to Master as described in Handling a PostgreSQL Database Failover.
  • Update the DNS record to point my-sso.domain.com to the Edge SSO instance in data center 2:
    my-sso.domain.com => apigee-sso-dc2-ip-or-lb
  • Update the config file for Edge SSO in data center 2 to point to the new Postgres Master server in data center 2:
    ## Postgres configuration.
    PG_HOST=IP_or_DNS_of_PG_Master_in_DC2
  • Restart Edge SSO in data center 2 to update its configuration:
    /opt/apigee/apigee-service/bin/apigee-service apigee-sso restart