Today we will be looking at creating our very first IdentityIQ (IIQ) cluster. We will be focusing both on the environment setup as well as IIQ instance and cluster configuration.
The entire process of getting your own cluster setup and running will take up to 1 hour.
The architecture I will be using will consist of four separate IIQ instances with the intention being to allow users to access one instance whilst the other instances can perform intensive tasks such as account and group aggregation. This will allow the IIQ UI to remain snappy to the user whilst offering superior processing power.
The diagram below shows an ideal architecture with a load balancer that sits in front of the IIQ instances as well as a separate database cluster for data redundancy, high availability and load balancing functionality. We will be focusing on creating the IIQ cluster circled in red.
I will be using Hyper-V to create the virtual machines required for this cluster setup. I would recommend good virtualisation software such as Hyper-V, VMware or VirtualBox.
I will be using MySQL version 5.7 as the database for this cluster. This post will not cover creating a database cluster but this would be recommended when using IIQ in production for data redundancy, load balancing, high availability as well as monitoring and automation.
If you have been following my post showing you how to setup your very first IIQ instance, all you need to do to create your own cluster is to set up some more instances of Tomcat and deploy the same files with the same database configuration. IIQ will then identify the different hosts in your cluster. You may however want to consider moving your database instance to a dedicated server – you can follow the appropriate section below to learn how to do this.
Virtual Machine Setup
We will start by creating new virtual machines using the Hyper-V interface with the following settings:
- 1 x MySQL server
- Processor: 4 cores
- Minimum Memory: 512 MB
- Maximum Memory: 4096 MB
- 4 x IIQ servers
- Processor: 2 cores
- Minimum Memory: 512 MB
- Maximum Memory: 2048 MB
Hyper-V offers a feature called Dynamic Memory which allows the amount of memory available to a VM to be dynamically changed within a given range. I will be using this feature and setting the minimum and maximum amount of memory allocated to these machines since I would like to save as much RAM as possible on my host machine whilst at the same time allowing these instances to boost when necessary.
We want to ensure our servers always have the same IP addresses and this can be done in two ways:
- Assigning IP address leases via DHCP
- Assigning manual IP addresses within the VM
We will be assigning the virtual machines with static IP addresses during the operating system installation according to the following mapping:
- db.sailpoint.blog :: 192.168.0.150
- s01.sailpoint.blog :: 192.168.0.151
- s02.sailpoint.blog :: 192.168.0.152
- s03.sailpoint.blog :: 192.168.0.153
- s04.sailpoint.blog :: 192.168.0.154
Setting up the servers
I have successfully installed a distribution of Linux called CentOS on these servers using the freely available ISO’s on their website. During the setup wizard I set the static IP addresses for each server using the mapping mentioned above and set the root passwords.
You can then update the servers using your package manager (in my case yum) to ensure all packages are up to date.
The first stage of set up involves installing MySQL 5.7 on my server and configuring the databases and users needed for IIQ.
Please note: The following instructions may not be valid for non CentOS based distributions.
Add MySQL Yum repository
yum localinstall https://dev.mysql.com/get/mysql57-community-release-el7-9.noarch.rpm
Install MySQL Community Server via Yum
yum install mysql-community-server
Start MySQL server and enable the service via systemctl to start when the server boots
systemctl start mysqld systemctl enable mysqld
We must now retrieve the temporary root password to our SQL server so we can prepare for IIQ installation. This can be achieved by running the following command to read the MySQL log
grep 'temporary' /var/log/mysqld.log
We can then use the MySQL shell to change this default password
mysql -u root -p <<enter temporary password>> ALTER USER 'root'@'localhost' IDENTIFIED BY 'NewPasswordHere!'; flush privileges;
Create the databases required by IIQ
create database identityiq; create database identityiqPlugin;
Create the IIQ MySQL user and grant access to the newly created databases
create user identityiq identified by 'AjK3@TZYhdH@oP3'; grant all privileges on identityiq.* to identityiq; grant all privileges on identityiqPlugin.* to identityiq; flush privileges;
You should now have your database server setup with all the details required for IIQ. Keep note of these details as they will be needed during the IIQ setup.
The first thing we will need to install and configure on these servers is the JDK so that we can continue with the Tomcat installation.
Installing Java Development Kit (JDK)
I will be using Oracle Java JDK version 1.8.0_241.
Once you have downloaded the JDK to your local machine, you will need to upload this to a temporary location on your IIQ server.
You should then install the JDK
rpm -i jdk-8u241-linux-x64.rpm
Installing Apache Tomcat
We will begin by preparing our enviornment for the installation of Apache Tomcat.
Lets start by creating a new group for Tomcat
The next step is to create a new user for Tomcat. The command below will create an new user called “tomcat”, disable shell access, add the user to the “tomcat” group created above and finally set the home directory to “/opt/tomcat”
useradd -s /bin/false -g tomcat -d /opt/tomcat tomcat
Download Apache Tomcat
Extract the contents of the archive and move the extracted files to /opt
tar -xzvf apache-tomcat-8.5.54.tar.gz mv apache-tomcat-8.5.54/* /opt/tomcat/
Change the owner and the group for all of these tomcat related files
chown -hR tomcat:tomcat /opt/tomcat/
The final step is to test Tomcat is functioning correctly. We will do this by starting the Tomcat server using the following commands
cd /opt/tomcat/bin/ ./startup.sh
You can test whether your Tomcat instance was installed successfully by browsing to http://yourhost:8080 where you should see a page similar to this screenshot
Please Note: This would be a good time to ensure all of the Tomcat instances are working as expected.
The next step is to register Tomcat as a service and ensure it runs as the tomcat user we set up earlier.
Stop the server
cd /opt/tomcat/bin/ ./shutdown.sh
Open the systemd directory and create a new file named “tomcat.service”
cd /etc/systemd/system/ vi tomcat.service
Paste the following content
[Unit] Description=Tomcat 8.5 Server After=network.target [Service] Type=forking User=tomcat Group=tomcat ExecStart=/opt/tomcat/bin/startup.sh ExecStop=/opt/tomcat/bin/shutdown.sh [Install] WantedBy=multi-user.target
Save the file and exit.
Since we tested Tomcat using the startup script as root, we will need to empty the logs folder to ensure our new user “tomcat” can write logs. We will also need to empty the work folder since Tomcat will need to be able to write files there.
rm /opt/tomcat/logs/* -rf rm /opt/tomcat/work/* -rf
Reload the systemd daemon, start tomcat using the newly created service and tell the system to run at boot
systemctl daemon-reload systemctl start tomcat systemctl enable tomcat
This would be a good time to ensure all of the Tomcat instances are working as expected.
This step will be a short one since I have already created a post explaining how to setup IIQ.
Please refer to the post and install IIQ on one of your IdentityIQ servers.
You will have to transfer the database creation script to your database server and execute the queries there. You can do this by using SCP to transfer the creation script. You can then use the mysql console to import this file.
If you followed all the instructions correctly, you should be at a stage where you have installed IIQ on one server and have managed to create the tables needed in your database.
We can now restart our Tomcat server and test whether IIQ has been installed successfully on one server.
systemctl restart tomcat
Adding hosts to cluster
This can be achieved by copying the IIQ files from the first instance to the other instances.
I will do this by using the Linux SCP binary
scp -rp /opt/tomcat/webapps/identityiq email@example.com:/opt/tomcat/webapps/ scp -rp /opt/tomcat/webapps/identityiq firstname.lastname@example.org:/opt/tomcat/webapps/ scp -rp /opt/tomcat/webapps/identityiq email@example.com:/opt/tomcat/webapps/
Please be sure to change the command above to include your username and host/ip address.
This command will create the IIQ directory on the remote server and copy all of the files. We will execute this command for each server to ensure the files have been copied to every instance.
Verifying Cluster Setup
We can now restart Tomcat on all instances
systemctl restart tomcat
Log into any of the IIQ instances as spadmin
Click on the Settings icon, click Administrator Console. Then click Environment on the left. If the cluster setup was successful, you will see all of the hosts on this page as well as some useful information such as CPU and memory usage.