Creating an IdentityIQ Cluster

Today we will be looking at creating our very first IdentityIQ (IIQ) cluster. We will be focusing both on the environment setup as well as IIQ instance and cluster configuration.

Getting your own cluster set up and running will take up to an hour.

Architecture

The architecture I will be using consists of four separate IIQ instances sharing one database. Users are directed to one instance while the others carry out intensive work such as account and group aggregation, so the IIQ UI stays responsive for users while the cluster as a whole offers far more processing capacity.

The diagram below shows an ideal architecture with a load balancer that sits in front of the IIQ instances as well as a separate database cluster for data redundancy, high availability and load balancing functionality. We will be focusing on creating the IIQ cluster circled in red.

Architecture – IdentityIQ Cluster

Getting Started

I will be using Hyper-V to create the virtual machines required for this cluster setup. I would recommend good virtualisation software such as Hyper-V, VMware or VirtualBox.

I will be using MySQL version 5.7 as the database for this cluster. This post will not cover creating a database cluster but this would be recommended when using IIQ in production for data redundancy, load balancing, high availability as well as monitoring and automation.

If you have been following my post on setting up your very first IIQ instance, all you need to do to create a cluster is to set up more Tomcat instances and deploy the same IIQ files pointing at the same database. IIQ discovers cluster members through that shared database: each node registers itself there when it starts, so nothing beyond a common database configuration is needed for the nodes to find one another. You may however want to move your database instance to a dedicated server; the section below covers this.

Virtual Machine Setup

We will start by creating new virtual machines using the Hyper-V interface with the following settings:

  • 1 x MySQL server
    • Processor: 4 cores
    • Minimum Memory: 512 MB
    • Maximum Memory: 4096 MB
  • 4 x IIQ servers
    • Processor: 2 cores
    • Minimum Memory: 512 MB
    • Maximum Memory: 2048 MB

Hyper-V offers a feature called Dynamic Memory, which lets the memory available to a VM change within a given range while it runs. I will use it, with the minimum and maximum allocations above, to keep as much host RAM free as possible while still allowing an instance to grow when it needs to.

Hyper-V configuration for database server
Hyper-V interface showing 5 virtual machines

IP Setup

We want our servers to keep the same IP addresses, which can be done in two ways:

  1. Reserving each VM's address on the DHCP server (a lease tied to its MAC address)
  2. Configuring a static IP address inside each VM

We will give the virtual machines static IP addresses during the operating system installation according to the mapping below. The hostnames matter as much as the addresses: IIQ registers each node as a Server object under its hostname, so every node must have a distinct hostname.

  • db.sailpoint.blog :: 192.168.0.150
  • s01.sailpoint.blog :: 192.168.0.151
  • s02.sailpoint.blog :: 192.168.0.152
  • s03.sailpoint.blog :: 192.168.0.153
  • s04.sailpoint.blog :: 192.168.0.154

Setting up the servers

I installed CentOS on these servers from the ISOs freely available on the CentOS website. During the setup wizard I set the static IP address and hostname for each server using the mapping above and set the root passwords.

You can then update the servers using your package manager (in my case yum) to ensure all packages are up to date.

Updating servers via Yum (yum update)

Database Server

The first stage of set up involves installing MySQL 5.7 on my server and configuring the databases and users needed for IIQ.

Please note: the following instructions are for CentOS 7 (hence the el7 MySQL repository) and may not be valid for other distributions.

Add MySQL Yum repository

yum localinstall https://dev.mysql.com/get/mysql57-community-release-el7-9.noarch.rpm

Install MySQL Community Server via Yum

yum install mysql-community-server

Start MySQL server and enable the service via systemctl to start when the server boots

systemctl start mysqld
systemctl enable mysqld

We must now retrieve the temporary root password that MySQL generated during installation so we can prepare for the IIQ installation. It is written to the MySQL log:

grep 'temporary' /var/log/mysqld.log

Use the MySQL shell to replace this password. MySQL 5.7 installs the validate_password plugin with the MEDIUM policy, so the new password must be at least 8 characters and contain upper and lower case letters, a digit and a special character, or the ALTER USER will be rejected.

mysql -u root -p

<<enter temporary password>>

ALTER USER 'root'@'localhost' IDENTIFIED BY 'NewPasswordHere!';
flush privileges;

Terminal window showing root password change

Create the databases required by IIQ

create database identityiq;
create database identityiqPlugin;

Create the IIQ MySQL user and grant it access to the two databases. Note that create user without a host part creates 'identityiq'@'%', an account that may connect from any host. The IIQ nodes do need to connect remotely, but on anything beyond a lab you should scope the account to the IIQ node addresses rather than to %.

create user identityiq identified by 'AjK3@TZYhdH@oP3';

grant all privileges on identityiq.* to identityiq;
grant all privileges on identityiqPlugin.* to identityiq;
flush privileges;

You should now have your database server set up with all the details required for IIQ. Keep a note of them as they will be needed during the IIQ setup. Two connectivity points are worth checking before moving on: MySQL 5.7 listens on TCP port 3306 on all interfaces by default, and CentOS 7 ships with firewalld enabled, so that port has to be opened to the IIQ nodes on the database server before they can connect.
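As an added example (not part of the original post), the following shell script produces the same two schema grants as above, but with one account per IIQ node address from the IP mapping rather than the implicit any-host 'identityiq'@'%', and with a generated password that satisfies the MySQL 5.7 default validate_password policy. The function names, the host list and the output file are assumptions for illustration; the schema names are the ones created on the page.

```sh
#!/bin/sh
# Added example, not from the original post: emit CREATE USER / GRANT
# statements for the IIQ database account scoped to the IIQ node addresses
# instead of the implicit 'identityiq'@'%', with a generated password.
# Host list and output file are assumptions; the schema names
# (identityiq, identityiqPlugin) are the ones created on the page.

# gen_password [LEN] -> random password with lower, upper, digit and a
# special character (validate_password MEDIUM), drawn from a set that
# contains no quote or backslash so it can be embedded in a SQL literal.
gen_password() {
  len=${1:-24}
  while :; do
    pw=$(LC_ALL=C tr -dc 'A-Za-z0-9@#%+=_' </dev/urandom | head -c "$len")
    case $pw in *[a-z]*) ;; *) continue ;; esac
    case $pw in *[A-Z]*) ;; *) continue ;; esac
    case $pw in *[0-9]*) ;; *) continue ;; esac
    case $pw in *[@#%+=_]*) ;; *) continue ;; esac
    printf '%s' "$pw"
    return 0
  done
}

# iiq_db_grants USER PASSWORD HOST... -> SQL on stdout, one account per host.
# Each host gets its own 'USER'@'HOST' entry; no '%' account is ever created.
iiq_db_grants() {
  user=$1; pass=$2; shift 2
  if [ $# -eq 0 ]; then
    echo "iiq_db_grants: need at least one host" >&2
    return 1
  fi
  for host in "$@"; do
    printf "CREATE USER IF NOT EXISTS '%s'@'%s' IDENTIFIED BY '%s';\n" "$user" "$host" "$pass"
    printf "GRANT ALL PRIVILEGES ON identityiq.* TO '%s'@'%s';\n" "$user" "$host"
    printf "GRANT ALL PRIVILEGES ON identityiqPlugin.* TO '%s'@'%s';\n" "$user" "$host"
  done
  echo "FLUSH PRIVILEGES;"
}

# Demo: write the SQL to a file only root can read, then import it on the
# database server with:  mysql -u root -p < "$out"
umask 077
out=$(mktemp)
pw=$(gen_password 24)
iiq_db_grants identityiq "$pw" 192.168.0.151 192.168.0.152 192.168.0.153 192.168.0.154 > "$out"
echo "wrote grants to $out (the password inside is the one to put in iiq.properties)"
```

The generated file is the only place the password exists until it is copied into iiq.properties, which is why the script sets a restrictive umask before writing it.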

IdentityIQ Servers

The first thing we will need to install and configure on these servers is the JDK so that we can continue with the Tomcat installation.

Installing Java Development Kit (JDK)

I will be using Oracle Java JDK version 1.8.0_241.

Once you have downloaded the JDK to your local machine, you will need to upload this to a temporary location on your IIQ server.

You should then install the JDK

rpm -i jdk-8u241-linux-x64.rpm

Installing Apache Tomcat

We will begin by preparing our environment for the installation of Apache Tomcat.

Let's start by creating a new group for Tomcat

groupadd tomcat

The next step is to create a new user for Tomcat. The command below creates a new user called "tomcat", disables shell access, adds the user to the "tomcat" group created above and sets the home directory to "/opt/tomcat". Make sure /opt/tomcat exists before the next step: CentOS creates it as the home directory by default, but on a distribution that does not, add -m to the command.

useradd -s /bin/false -g tomcat -d /opt/tomcat tomcat

Download Apache Tomcat (8.5.54 is used here) from the Apache download page together with the .sha512 file published beside it, and check the archive's digest against it before unpacking: a bad mirror, a proxy or a tampered download would otherwise put unverified code on every node of the cluster.

Extract the contents of the archive and move the extracted files to /opt/tomcat

tar -xzvf apache-tomcat-8.5.54.tar.gz
mv apache-tomcat-8.5.54/* /opt/tomcat/
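The digest check described above, written out as an added example that is not part of the original post. The archive name is the page's; the function names are assumptions, and the demo at the bottom feeds in a digest computed from a constructed file so the script runs offline, whereas in real use the expected value is the line copied from Apache's .sha512 file.

```sh
#!/bin/sh
# Added example, not from the original post: check a downloaded Tomcat
# archive against the SHA-512 digest Apache publishes beside it (the
# .sha512 file on the download page) before anything is extracted into
# /opt/tomcat. The demo digest below is computed from a constructed file
# so that the script runs offline.

# sha512_of FILE -> lowercase hex SHA-512 of FILE (coreutils or perl shasum)
sha512_of() {
  if command -v sha512sum >/dev/null 2>&1; then
    sha512sum "$1" | awk '{print $1}'
  else
    shasum -a 512 "$1" | awk '{print $1}'
  fi
}

# verify_sha512 FILE EXPECTED -> 0 on match, 1 otherwise.
# EXPECTED is either the bare digest or the whole "<digest>  <name>" line
# copied from the .sha512 file; case is ignored and an empty value never matches.
verify_sha512() {
  file=$1
  expected=$(printf '%s' "$2" | awk '{print tolower($1)}')
  actual=$(sha512_of "$file")
  if [ -n "$expected" ] && [ "$actual" = "$expected" ]; then
    return 0
  fi
  return 1
}

# Real use, after downloading both files from the Apache mirror:
#   verify_sha512 apache-tomcat-8.5.54.tar.gz "$(cat apache-tomcat-8.5.54.tar.gz.sha512)" \
#     && tar -xzvf apache-tomcat-8.5.54.tar.gz

# Offline demo on a constructed file standing in for the archive
archive=$(mktemp)
printf 'constructed stand-in, not a real Tomcat archive\n' > "$archive"
published="$(sha512_of "$archive")  apache-tomcat-8.5.54.tar.gz"   # what the .sha512 file would hold
if verify_sha512 "$archive" "$published"; then echo "digest OK, safe to extract"; fi
if ! verify_sha512 "$archive" "0123456789abcdef"; then echo "digest mismatch, do not extract"; fi
rm -f "$archive"
```

Run the check once on the node you downloaded to; the copies scp'd to the other nodes later inherit the verified archive's contents.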

Change the owner and group of all of these Tomcat files so the service account can run them. Be aware of what this grants: with the whole tree writable by tomcat, code execution inside a web application can also alter Tomcat's own configuration and binaries. On a production host, keep /opt/tomcat owned by root and give the tomcat user write access only to the directories it must write (logs, temp, work and webapps); for this lab build the blanket chown is enough.

chown -hR tomcat:tomcat /opt/tomcat/

Terminal windows showing ownership/group change

The final step is to test Tomcat is functioning correctly. We will do this by starting the Tomcat server using the following commands

cd /opt/tomcat/bin/
./startup.sh

You can test whether your Tomcat instance was installed successfully by browsing to http://yourhost:8080 where you should see a page similar to this screenshot

Working Tomcat installation

Please Note: This would be a good time to ensure all of the Tomcat instances are working as expected.

The next step is to register Tomcat as a service and ensure it runs as the tomcat user we set up earlier.

Stop the server

cd /opt/tomcat/bin/
./shutdown.sh

Open the systemd directory and create a new file named “tomcat.service”

cd /etc/systemd/system/
vi tomcat.service

Paste the following content

[Unit]
Description=Tomcat 8.5 Server
After=network.target

[Service]
Type=forking

User=tomcat
Group=tomcat

ExecStart=/opt/tomcat/bin/startup.sh
ExecStop=/opt/tomcat/bin/shutdown.sh

[Install]
WantedBy=multi-user.target

Save the file and exit.

Since we tested Tomcat by running the startup script as root, the log files and the compiled files under work now belong to root and the tomcat user cannot write to them. Clear both directories before starting the service:

rm -rf /opt/tomcat/logs/*
rm -rf /opt/tomcat/work/*

Reload the systemd daemon, start tomcat using the newly created service and tell the system to run at boot

systemctl daemon-reload
systemctl start tomcat
systemctl enable tomcat

Repeat the service setup on every IIQ server and confirm each instance answers again on port 8080 before moving on.

Installing IdentityIQ

This step will be a short one since I have already written a post explaining how to set up IIQ: Installing IdentityIQ. Follow it to install IIQ on one of your IdentityIQ servers, pointing the datasource settings at the database server and user created above rather than at a local MySQL.

The table creation script (the create_identityiq_tables script for your IIQ version, found under WEB-INF/database in the exploded web application) has to be executed on the database server: transfer it there with SCP and import it with the mysql console. Review it before importing: SailPoint's script carries its own CREATE DATABASE, CREATE USER and GRANT statements, which duplicate what you created above and would fail or reset the password, so remove or adjust those lines first.

If you followed all the instructions correctly, you should be at a stage where you have installed IIQ on one server and have managed to create the tables needed in your database.

We can now restart our Tomcat server and test whether IIQ has been installed successfully on one server.

systemctl restart tomcat

Adding hosts to cluster

This can be achieved by copying the IIQ files from the first instance to the other instances.

I will do this with scp from the first server. The command creates the identityiq directory on the remote server and copies every file in it, including WEB-INF/classes/iiq.properties with the database credentials; run it once per remaining node, replacing user with the account you use to SSH to each host:

scp -rp /opt/tomcat/webapps/identityiq user@s02.sailpoint.blog:/opt/tomcat/webapps/

scp -rp /opt/tomcat/webapps/identityiq user@s03.sailpoint.blog:/opt/tomcat/webapps/

scp -rp /opt/tomcat/webapps/identityiq user@s04.sailpoint.blog:/opt/tomcat/webapps/

The -p flag preserves permissions and timestamps but not ownership: the copied files belong to the SSH user on the target, so re-run the chown from the Tomcat section on each node afterwards so that Tomcat can read and write them.
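Before restarting the nodes it is worth proving that every copy is byte-for-byte identical to the first server, since a partial transfer or a later edit on one node gives you a cluster running different code with different credentials. The following script is an added example, not part of the original post: it hashes every file under the deployed web application and compares the manifest between nodes. The path is the page's; the ssh user, node names and function names are assumptions, and the demo at the end uses a constructed directory tree so it runs offline.

```sh
#!/bin/sh
# Added example, not from the original post: hash every file under the
# deployed IIQ web application and compare the manifest between nodes,
# so a node with a stale, partial or tampered copy is caught before it
# joins the cluster. /opt/tomcat/webapps/identityiq is the page's path;
# the ssh user and node names are assumptions.

# Pick a SHA-256 tool (GNU coreutils, or the perl shasum on other systems)
if command -v sha256sum >/dev/null 2>&1; then SHA='sha256sum'; else SHA='shasum -a 256'; fi

# manifest DIR -> "digest  ./relative/path" for every regular file, sorted by path
manifest() {
  ( cd "$1" && find . -type f -exec $SHA {} + ) | LC_ALL=C sort -k 2
}

# remote_manifest HOST DIR -> the same listing produced on HOST over ssh
remote_manifest() {
  ssh "$1" "cd '$2' && find . -type f -exec $SHA {} + | LC_ALL=C sort -k 2"
}

# compare_manifests REF OTHER -> 0 when identical; otherwise prints the
# paths whose digest differs or which exist on only one side and returns 1
compare_manifests() {
  if cmp -s "$1" "$2"; then
    return 0
  fi
  echo "manifests differ (< reference, > other):" >&2
  diff "$1" "$2" | grep '^[<>]' >&2
  return 1
}

# Real use: s01 holds the reference copy, the others were written by scp.
#   manifest /opt/tomcat/webapps/identityiq > ref.manifest
#   for h in s02 s03 s04; do
#     remote_manifest "user@$h.sailpoint.blog" /opt/tomcat/webapps/identityiq > "$h.manifest"
#     compare_manifests ref.manifest "$h.manifest" && echo "$h: identical"
#   done

# Offline demo on a constructed tree: one faithful copy, then one with an
# edited iiq.properties, so the check can be exercised without a cluster.
demo=$(mktemp -d)
mkdir -p "$demo/ref/WEB-INF/classes" "$demo/node/WEB-INF/classes"
printf 'dataSource.username=identityiq\n' > "$demo/ref/WEB-INF/classes/iiq.properties"
cp "$demo/ref/WEB-INF/classes/iiq.properties" "$demo/node/WEB-INF/classes/"
manifest "$demo/ref" > "$demo/ref.manifest"
manifest "$demo/node" > "$demo/node.manifest"
compare_manifests "$demo/ref.manifest" "$demo/node.manifest" && echo "node: identical"
printf 'dataSource.username=root\n' >> "$demo/node/WEB-INF/classes/iiq.properties"
manifest "$demo/node" > "$demo/node.manifest"
compare_manifests "$demo/ref.manifest" "$demo/node.manifest" || echo "node: differs, fix before restart"
rm -rf "$demo"
```

Because the manifest lists relative paths, it compares cleanly across nodes regardless of where the tree sits, and the same reference manifest can be kept and re-checked after any later patch or plugin deployment.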

Verifying Cluster Setup

We can now restart Tomcat on all instances

systemctl restart tomcat

Log into any of the IIQ instances as spadmin

Click the Settings (gear) icon, then Administrator Console, then Environment in the left-hand menu. If the cluster setup was successful you will see every host on this page, each with useful information such as its CPU and memory usage. A node missing from the list usually means it could not reach the database, or that it shares a hostname with another node and was registered as the same Server object.

Environment View showing all nodes in cluster

One thought on "Creating an IdentityIQ Cluster"

  1. Hi umar,

    Great post. Thank you for this article. However, in your diagram you showed cluster db instances but in your actual build it was on 1x mysql instance.

    How is the cluster of mysql achieved? Also, is it possible to leverage master (read/write) – slave(read only) setup with mysql in sailpoint?
