Edge for Private Cloud v4.19.01
You install multiple instances of Edge SSO for high availability in two scenarios:
- In a single data center environment, install two Edge SSO instances to create a high availability environment, meaning the system continues to operate if one of the Edge SSO modules goes down.
- In an environment with two data centers, install Edge SSO in both data centers so that the system continues to operate if one of the Edge SSO modules goes down.
Install two Edge SSO modules in the same data center
You deploy two instances of Edge SSO, on different nodes, in a single data center to support high availability. In this scenario:
- Both instances of Edge SSO must be connected to the same Postgres server. Apigee recommends using a dedicated Postgres server for Edge SSO and not the same Postgres server that you installed with Edge.
- Both instances of Edge SSO must use the same JWT key pair as specified by the SSO_JWT_SIGNING_KEY_FILEPATH and SSO_JWT_VERIFICATION_KEY_FILEPATH properties in the configuration file. See Install and configure Edge SSO for more on setting these properties.
- You require a load balancer in front of the two instances of Edge SSO:
  - The load balancer must support application generated cookie stickiness, and the session cookie must be named JSESSIONID.
  - Configure the load balancer to perform a TCP or HTTP health check on Edge SSO. For TCP, use the URL of Edge SSO:
    http_or_https://edge_sso_IP_DNS:9099
    Specify the port as set by Edge SSO. Port 9099 is the default.
    For HTTP, include /healthz:
    http_or_https://edge_sso_IP_DNS:9099/healthz
  - Some load balancer settings depend on whether you enabled HTTPS on Edge SSO. See the following sections for more information.
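Before you put the two nodes behind the load balancer, it pays to confirm that the properties listed above really agree on both. The following script is an added example and is not part of the Apigee documentation: it reads the silent config file of each node (the paths are whatever you pass in) and checks PG_HOST, PG_PORT, SSO_TOMCAT_PORT, SSO_TOMCAT_PROFILE and the two JWT key files. Unset PG_PORT and SSO_TOMCAT_PORT are compared at their documented defaults (5432 and 9099). The key files are compared by checksum so that jwt_key_fingerprints can be run on each node separately and the two outputs diffed, without copying private keys between hosts.

```shell
#!/usr/bin/env bash
# Consistency check for two Edge SSO nodes that will sit behind one load
# balancer. Added example, not part of the Apigee documentation. Reads the
# silent config file of each node and checks the properties that this page
# says must agree on both nodes.

# cfg_get FILE KEY: value of KEY=VALUE in an Apigee config file. The last
# assignment wins; lines starting with # are comments and never match.
cfg_get() {
  grep -E "^[[:space:]]*$2=" "$1" | tail -n 1 | cut -d= -f2-
}

# jwt_key_fingerprints CFG: one "PROPERTY checksum" line per JWT key file.
# Run this on each node and compare the outputs, so private keys never
# leave the node. cksum (CRC) is a sameness check, not a security digest.
jwt_key_fingerprints() {
  local key path
  for key in SSO_JWT_SIGNING_KEY_FILEPATH SSO_JWT_VERIFICATION_KEY_FILEPATH; do
    path=$(cfg_get "$1" "$key")
    if [ -n "$path" ] && [ -f "$path" ]; then
      echo "$key $(cksum < "$path" | cut -d' ' -f1)"
    else
      echo "$key MISSING"
    fi
  done
}

# same_jwt_keys CFG1 CFG2: 0 only if both key files exist and match.
# A token signed by one node must verify on the other, otherwise a session
# that the load balancer moves between nodes fails.
same_jwt_keys() {
  local f1 f2
  f1=$(jwt_key_fingerprints "$1")
  f2=$(jwt_key_fingerprints "$2")
  [ "$f1" = "$f2" ] && ! printf '%s\n' "$f1" | grep -q MISSING
}

# preflight CFG1 CFG2: prints one line per check and returns the number of
# failed checks (0 means the pair is ready to go behind the load balancer).
preflight() {
  local spec key def a b failures=0
  if [ -z "$(cfg_get "$1" PG_HOST)" ] || [ -z "$(cfg_get "$2" PG_HOST)" ]; then
    echo "FAIL PG_HOST must be set on both nodes"
    failures=1
  fi
  # KEY:DEFAULT pairs; an unset property is compared at its documented
  # default (5432 for PG_PORT, 9099 for SSO_TOMCAT_PORT).
  for spec in PG_HOST: PG_PORT:5432 SSO_TOMCAT_PORT:9099 SSO_TOMCAT_PROFILE:; do
    key=${spec%%:*}
    def=${spec#*:}
    a=$(cfg_get "$1" "$key")
    b=$(cfg_get "$2" "$key")
    if [ "${a:-$def}" = "${b:-$def}" ]; then
      echo "ok   $key=${a:-$def} on both nodes"
    else
      echo "FAIL $key differs: '$a' vs '$b'"
      failures=$((failures + 1))
    fi
  done
  if same_jwt_keys "$1" "$2"; then
    echo "ok   JWT signing and verification keys identical"
  else
    echo "FAIL JWT key pair differs or a key file is missing"
    failures=$((failures + 1))
  fi
  return "$failures"
}

# Usage: preflight /path/to/sso-node1.cfg /path/to/sso-node2.cfg
```

A non-zero exit code is the number of mismatches, so the script can gate a deployment pipeline; fix every FAIL line before the load balancer starts distributing sessions across the pair.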
HTTP access to Edge SSO
If you are using HTTP access to Edge SSO, then configure the load balancer to:
- Use HTTP mode to connect to Edge SSO.
- Listen on the same port as Edge SSO.
By default, Edge SSO listens for HTTP requests on port 9099. Optionally, you can use SSO_TOMCAT_PORT to set the Edge SSO port. If you used SSO_TOMCAT_PORT to change the Edge SSO port from the default, ensure that the load balancer listens on that port.
For example, on each Edge SSO instance you set the port to 9033 by adding the following to the config file:
SSO_TOMCAT_PORT=9033
You then configure the load balancer to listen on port 9033 and forward requests to an Edge SSO instance on port 9033. The public URL of Edge SSO in this scenario is:
http://LB_DNS_NAME:9033
HTTPS access to Edge SSO
You can configure the Edge SSO instances to use HTTPS. In this scenario, follow the steps in Configure apigee-sso for HTTPS access. As part of the process of enabling HTTPS, you set SSO_TOMCAT_PROFILE in the Edge SSO config file as shown below:
SSO_TOMCAT_PROFILE=SSL_TERMINATION
You can also optionally set the port used by Edge SSO for HTTPS access:
SSO_TOMCAT_PORT=9443
Then configure the load balancer to:
- Use TCP mode, not HTTP mode, to connect to Edge SSO. In TCP mode the TLS session is passed through to Edge SSO rather than terminated on the load balancer, so the load balancer cannot read the JSESSIONID cookie and has to provide session stickiness by a transport-level mechanism it supports.
- Listen on the same port as Edge SSO as defined by SSO_TOMCAT_PORT.
You then configure the load balancer to forward requests to an Edge SSO instance on port 9443. The public URL of Edge SSO in this scenario is:
https://LB_DNS_NAME:9443
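The two sections above boil down to one rule: the load balancer's listen port, forwarding port and mode follow SSO_TOMCAT_PORT and SSO_TOMCAT_PROFILE in the Edge SSO config file. As an added example that is not part of the Apigee documentation (which names no particular load balancer), the following script derives an HAProxy configuration from one node's config file; HAProxy itself and the node addresses are assumptions. In HTTP mode it sticks sessions on the JSESSIONID cookie Edge SSO sets and probes /healthz; when the profile is SSL_TERMINATION it switches to TCP mode, where the cookie is not visible, and falls back to source hashing and a TCP connect check.

```shell
#!/usr/bin/env bash
# Render an HAProxy configuration for two Edge SSO nodes from one node's
# Edge SSO config file. Added example, not part of the Apigee documentation:
# HAProxy is an assumption (the page does not name a load balancer) and the
# node addresses are placeholders passed on the command line.

# cfg_get FILE KEY: value of KEY=VALUE in an Apigee config file, last one wins.
cfg_get() { grep -E "^[[:space:]]*$2=" "$1" | tail -n 1 | cut -d= -f2-; }

# lb_mode CFG: "tcp" when Edge SSO terminates TLS itself
# (SSO_TOMCAT_PROFILE=SSL_TERMINATION), otherwise "http".
lb_mode() {
  case "$(cfg_get "$1" SSO_TOMCAT_PROFILE)" in
    SSL_TERMINATION) echo tcp ;;
    *) echo http ;;
  esac
}

# lb_port CFG: the port the load balancer listens on and forwards to,
# SSO_TOMCAT_PORT or the documented default 9099.
lb_port() {
  local p
  p=$(cfg_get "$1" SSO_TOMCAT_PORT)
  echo "${p:-9099}"
}

# render_haproxy_cfg CFG NODE1 NODE2: write the HAProxy config to stdout.
render_haproxy_cfg() {
  local mode port
  mode=$(lb_mode "$1")
  port=$(lb_port "$1")
  cat <<EOF
frontend edge_sso
    bind *:${port}
    mode ${mode}
    default_backend edge_sso_nodes

backend edge_sso_nodes
    mode ${mode}
EOF
  if [ "$mode" = http ]; then
    # Plain HTTP: stick on the JSESSIONID cookie Edge SSO issues and probe
    # GET /healthz, as the documentation requires.
    cat <<EOF
    balance roundrobin
    stick-table type string len 64 size 100k expire 30m
    stick store-response res.cook(JSESSIONID)
    stick match req.cook(JSESSIONID)
    option httpchk GET /healthz
    http-check expect status 200
EOF
  else
    # TLS passthrough: HAProxy never sees the cookie, so stickiness comes
    # from source-IP hashing and the health check is a TCP connect.
    cat <<EOF
    balance source
    option tcp-check
EOF
  fi
  cat <<EOF
    server sso1 ${2}:${port} check
    server sso2 ${3}:${port} check
EOF
}

# Usage: render_haproxy_cfg /path/to/sso_config_file 10.0.0.11 10.0.0.12 > haproxy.cfg
```

Regenerate the load balancer configuration from the same config file whenever you change SSO_TOMCAT_PORT or SSO_TOMCAT_PROFILE, so the two never drift apart.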
Install Edge SSO in multiple data centers
In a multiple data center environment, you install an Edge SSO instance in each data center. One Edge SSO instance handles all traffic; the other stands by. If the active Edge SSO instance goes down, you switch to the instance in the other data center by following the failover steps below.
Before you install Edge SSO in two data centers, you need the following:
- The IP address or domain name of the Master Postgres server. In a multiple data center environment, you typically install one Postgres server in each data center and configure them in Master-Standby replication mode. For this example, data center 1 contains the Master Postgres server and data center 2 contains the Standby. For more information, see Set up Master-Standby Replication for Postgres.
- A single DNS entry that points to one Edge SSO instance. For example, you create a DNS
entry in the form below that points to the Edge SSO instance in data center 1:
my-sso.domain.com => apigee-sso-dc1-ip-or-lb
- Both instances of Edge SSO must use the same JWT key pair as specified by the SSO_JWT_SIGNING_KEY_FILEPATH and SSO_JWT_VERIFICATION_KEY_FILEPATH properties in the configuration file. See Install and configure Edge SSO for more on setting these properties.
When you install Edge SSO in each data center, you configure both to use the Postgres Master in data center 1:
## Postgres configuration
PG_HOST=IP_or_DNS_of_PG_Master_in_DC1
PG_PORT=5432
You also configure both data centers to use the DNS entry as the publicly accessible URL:
# Externally accessible URL of Edge SSO
SSO_PUBLIC_URL_HOSTNAME=my-sso.domain.com
# Default port is 9099.
SSO_PUBLIC_URL_PORT=9099
If Edge SSO in data center 1 goes down, you can then switch to the Edge SSO instance in data center 2:
- Convert the Postgres Standby server in data center 2 to Master as described in Handling a PostgreSQL database failover.
- Update the DNS record to point my-sso.domain.com to the Edge SSO instance in data center 2:
  my-sso.domain.com => apigee-sso-dc2-ip-or-lb
- Update the config file for Edge SSO in data center 2 to point to the new Postgres Master server in data center 2:
  ## Postgres configuration
  PG_HOST=IP_or_DNS_of_PG_Master_in_DC2
- Restart Edge SSO in data center 2 to update its configuration:
  /opt/apigee/apigee-service/bin/apigee-service apigee-sso restart
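The failover steps above, scripted as an added example that is not part of the Apigee documentation. The config file path, the Postgres role name (apigee) and the use of psql are assumptions; the DNS update is done in your DNS provider and is not scripted. The extra check before PG_HOST is rewritten confirms that the server in data center 2 really has been promoted (pg_is_in_recovery() returns f), because pointing Edge SSO at a server still in recovery fails on its first write.

```shell
#!/usr/bin/env bash
# Fail Edge SSO over to data center 2 after the Postgres Standby there has
# been promoted. Added example, not part of the Apigee documentation. The
# config file path, Postgres port and database role are assumptions; the
# DNS change is made in your DNS provider and is not scripted here.

# cfg_get FILE KEY: value of KEY=VALUE in an Apigee config file, last one wins.
cfg_get() { grep -E "^[[:space:]]*$2=" "$1" | tail -n 1 | cut -d= -f2-; }

# pg_is_master HOST [PORT]: 0 if HOST accepts connections as a writable
# primary (pg_is_in_recovery() returns f). Requires psql and a role that may
# connect; the "apigee" role is an assumption.
pg_is_master() {
  local state
  state=$(psql -h "$1" -p "${2:-5432}" -U apigee -d postgres -tAc \
            'SELECT pg_is_in_recovery()' 2>/dev/null) || return 1
  [ "$state" = f ]
}

# set_pg_host CFG NEW_HOST: rewrite PG_HOST in the Edge SSO config file,
# keeping a timestamped backup and leaving every other line untouched.
# Returns 1 if the file has no PG_HOST, 0 if it already points at NEW_HOST.
set_pg_host() {
  local cfg=$1 new=$2 old tmp
  old=$(cfg_get "$cfg" PG_HOST)
  if [ -z "$old" ]; then
    echo "PG_HOST is not set in $cfg" >&2
    return 1
  fi
  if [ "$old" = "$new" ]; then
    echo "PG_HOST already points at $new" >&2
    return 0
  fi
  cp -p "$cfg" "$cfg.bak.$(date +%Y%m%d%H%M%S)"
  tmp=$(mktemp)
  sed "s|^\([[:space:]]*PG_HOST=\).*|\1${new}|" "$cfg" > "$tmp"
  cat "$tmp" > "$cfg"   # keeps the config file's ownership and mode
  rm -f "$tmp"
  echo "PG_HOST: $old -> $new"
}

# failover_dc2 CFG NEW_PG_MASTER: the documented order, with a check that the
# Standby really was promoted before Edge SSO is pointed at it.
failover_dc2() {
  local cfg=$1 pg=$2
  pg_is_master "$pg" "$(cfg_get "$cfg" PG_PORT)" || {
    echo "$pg is not a writable Postgres master; promote it first" >&2
    return 1
  }
  set_pg_host "$cfg" "$pg" || return 1
  /opt/apigee/apigee-service/bin/apigee-service apigee-sso restart
}

# Usage, on the Edge SSO node in data center 2, after updating DNS:
#   failover_dc2 /path/to/sso_config_file pg-master-dc2.example.internal
```

Run it on the data center 2 node only after the DNS record has been changed; until the old record's TTL expires, clients still resolve my-sso.domain.com to data center 1, so allow for that lag when judging whether the switch has taken effect.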