Planning for high availability
IBM® Security Privileged Identity Manager virtual appliance with a load balanced cluster provides not only the expected high availability but also provides scalability.
Load Balancer settings and requirements
Load Balancing is a technique that helps in the distribution of requests or tasks between two or more virtual appliances in a predefined cluster. Each virtual appliance in this cluster is called a node. Use of multiple nodes in such a cluster increases reliability and availability through redundancy.
Load Balancer requirements
The most common mechanism to make a highly available deployment is to add a Load Balancer that distributes user requests to underlying servers. This deployment locks down any direct access to individual servers. In addition to making a highly available deployment of the IBM Security Privileged Identity Manager virtual appliance, it also provides horizontal scalability.
You can scale the cluster horizontally according to the number of concurrent users that you expect.
See Figure 1.
As shown in Figure 1, provide one or more backup Load Balancers or routers to avoid the Load Balancer itself from becoming a single point of failure.
The Load Balancer can be a dedicated hardware or software node that can route incoming requests to an IBM Security Privileged Identity Manager virtual appliance. This condition is true irrespective of whether the requests are coming from inside or outside a company network. See the request that is numbered as 1 in the diagram. Since these requests typically contain sensitive information such as user IDs or passwords, both the traffic paths must be over SSL. For example, see requests 1 and 2. The client request over SSL (marked #1) ends at the Load Balancer and a new SSL request (marked #2) is sent to a virtual appliance. Designated virtual appliance management consoles in the secured network can establish a direct connection requests to the virtual appliance (marked #3)
Load Balancer installation requirements
- Choose Layer-7 Load Balancer for this installation. Layer-4 Load Balancers do not provide the required function and must not be used for this architecture.
- The Load Balancer must contain a valid SSL certificate for the Privileged Access Agent to connect. For a self-signed certificate, the Root CA certificate with which the Load Balancer certificate is signed must be imported in the client truststore.
- The Load Balancer must be able to send separate SSL requests for each of the incoming requests.
Load Balancer configuration requirements
- Enable Session Affinity for the Load Balancer. Use a Load Balancer with session affinity to route the traffic for the same client session to the same virtual appliance.
- Set the client host IP into the X-Forwarded-For HTTP header. The IBM Security Privileged Identity Manager virtual appliance must know the client IP for its audit logs.
- The Load Balancer must detect unresponsive virtual appliances and stop directing any traffic to them.
- As shown in Figure 1, keep one or more of the Load Balancer backups ready to avoid the Load Balancer being a single point of failure.
- Set the Load Balancer to allow underscores in request headers. For example, set the value of the underscores_in_headers custom header directive to on in Nginx.