
Enable HA using a load balancer.


To ensure high availability for applications, a load balancer can be configured between different infrastructure components, including multiple instances of SKSO web applications and SKSO and FIDO servers. The load balancer determines which target server is available to receive application connections, and distributes application requests to the appropriate one.

SKSO has been tested with the open-source HAProxy load balancer, part of the standard Linux distribution. It is conceivable that SKSO will work with other load balancers; please contact StrongKey to discuss any requirements.

StrongKey has tested this HAProxy configuration with the following Linux distributions:

  • RHEL 9
  • Rocky 9

INSTALLATION

To install and configure HAProxy for use with the SKSO cluster, follow the steps below:

  1. Install the standard Linux distribution on one of the VMs provisioned for this setup.
  2. Log in to the server as root.
  3. Install HAProxy using the Yellowdog Updater, Modified (yum) tool:
    shell> yum install haproxy
  4. Create a self-signed certificate for HAProxy, replacing the value of the -subj parameter with one relevant to the site. The most important element within this parameter is the CN component: its value must match the FQDN of the VM used for this load balancer, so if the VM is named haproxy.mydomain.com the -subj parameter can simply be /CN=haproxy.mydomain.com:
    shell> openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/pki/tls/private/skso.key -out /etc/pki/tls/certs/skso.crt -subj "/CN=haproxy.strongkey.com"
  5. Concatenate the generated key and certificate files into a single bundle, using the file names shown below:
    shell> cat /etc/pki/tls/certs/skso.crt /etc/pki/tls/private/skso.key > /etc/pki/tls/certs/skso.pem
  6. Using a text editor, edit the HAProxy configuration file to make the following changes:
    shell> vi /etc/haproxy/haproxy.cfg
  7. Replace the contents with the following, substituting the IP addresses of the SKSO web applications for the <ip-skso1> and <ip-skso2> placeholders:
    global
      log 127.0.0.1 local0
      log 127.0.0.1 local1 debug
      maxconn 45000 # Total Max Connections.
      daemon
      nbproc 1 # Number of processing cores.
    defaults
      timeout server 86400000
      timeout connect 86400000
      timeout client 86400000
      timeout queue 1000s
    listen https_web
      bind *:443 ssl crt /etc/pki/tls/certs/skso.pem # TLS is terminated here using the bundle created in step 5.
      option tcplog
      mode http
      balance roundrobin
      option forwardfor # Pass the client IP to the SKSO servers in X-Forwarded-For.
      cookie SERVER insert indirect nocache # Sticky sessions: a client stays on the server that set its cookie.
      server web1 <ip-skso1>:8181 check ssl verify none cookie web1 # Health-checked over TLS; the backend certificate is not verified.
      server web2 <ip-skso2>:8181 check ssl verify none cookie web2
  8. Create a firewall rule opening port 443 so that the load balancer can accept HTTPS connections:
    shell> firewall-cmd --permanent --add-rich-rule 'rule family="ipv4" port port=443 protocol=tcp accept'
    shell> firewall-cmd --reload
  9. Restart HAProxy:
    shell> service haproxy restart
  10. Verify that HAProxy is functioning as expected by opening the following URL in a browser. If it is working correctly, the request is served by one of the configured SKSO servers:
    https://<haproxy.strongkey.com>
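Before restarting HAProxy in step 9, the artefacts produced by steps 4 to 7 can be sanity-checked. The script below is an added example, not StrongKey's code; it assumes the file names used above and runs on constructed sample files (no real key material).

```shell
#!/bin/sh
# Added example, not StrongKey's code: checks the artefacts produced by
# steps 4-7 above before HAProxy is restarted in step 9.

# Succeeds when the PEM bundle holds one certificate and one private key
# and is readable only by its owner (it contains the private key, and the
# redirection in step 5 creates it with the default umask).
check_pem_bundle() {
    bundle="$1"
    [ -r "$bundle" ] || { echo "missing bundle: $bundle"; return 1; }
    certs=$(grep -c '^-----BEGIN CERTIFICATE-----' "$bundle" || true)
    keys=$(grep -Ec '^-----BEGIN (RSA |EC )?PRIVATE KEY-----' "$bundle" || true)
    [ "$certs" -eq 1 ] && [ "$keys" -eq 1 ] ||
        { echo "$bundle: $certs certificate(s), $keys key(s)"; return 1; }
    mode=$(ls -l "$bundle" | cut -c5-10)
    [ "$mode" = "------" ] ||
        { echo "$bundle is readable by group/others; chmod 600 it"; return 1; }
}

# Reports placeholders still present from step 7 and counts backends that
# skip certificate verification (the config above uses "ssl verify none");
# succeeds only when the TLS bind is present and no placeholder remains.
audit_haproxy_cfg() {
    cfg="$1"
    unfilled=$(grep -c '<ip-skso[0-9]*>' "$cfg" || true)
    unverified=$(grep -c '^ *server .* ssl verify none' "$cfg" || true)
    echo "placeholders left unfilled: $unfilled"
    echo "backends without certificate verification: $unverified"
    grep -q '^ *bind \*:443 ssl crt ' "$cfg" || { echo "no TLS bind on 443"; return 1; }
    [ "$unfilled" -eq 0 ]
}

# Constructed sample inputs (no real key material; documentation IP range).
tmp=$(mktemp -d)
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Y29uc3RydWN0ZWQ=' '-----END CERTIFICATE-----' \
    '-----BEGIN PRIVATE KEY-----' 'Y29uc3RydWN0ZWQ=' '-----END PRIVATE KEY-----' > "$tmp/skso.pem"
chmod 600 "$tmp/skso.pem"
cat > "$tmp/haproxy.cfg" <<'EOF'
listen https_web
  bind *:443 ssl crt /etc/pki/tls/certs/skso.pem
  server web1 <ip-skso1>:8181 check ssl verify none cookie web1
  server web2 192.0.2.12:8181 check ssl verify none cookie web2
EOF
check_pem_bundle "$tmp/skso.pem" && echo "bundle OK"
audit_haproxy_cfg "$tmp/haproxy.cfg" || echo "fix haproxy.cfg before restarting HAProxy"
```

On a real host, point the two functions at /etc/pki/tls/certs/skso.pem and /etc/haproxy/haproxy.cfg instead of the constructed files.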

SELINUX

If the URL above cannot be reached in the browser, check whether SELinux is set to permissive rather than enforcing. The following command shows the current SELinux status:

shell> sestatus

If it is set to enforcing, switch it to permissive with the following command (this is a temporary fix that resets when the machine reboots; it will be addressed in a future release):

shell> setenforce 0