This article reviews the steps to deploy Identity Server (IDS) for high availability. High availability will require providing an external database and multiple virtual instances of Identity Server (IDS). This configuration expects that a shared data folder is available. Setting up load balancing or database replication is outside the scope of this article. This guide also assumes that both IDS instances will not be running at the same time.
Provision servers
Provision database servers, application servers, load balancers and shared data folder.
Recommended specs:
- Shared data folder - 128 GB
- Database server(s) - 2 cores, 2 GB RAM, 20 GB HDD (excluding OS)
- Application server(s) - 8 cores, 8 GB RAM, 64 GB HDD (excluding OS)
- Shared data folder mounted as a drive letter/path
Install and configure PostgreSQL
Please see the PostgreSQL documentation for installing PostgreSQL, configuring host authentication, replication and SSL on the database server. This guide assumes version 11, scram-sha-256 host auth and SSL with self-signed certs enabled.
Create database
Create the database on the database server using the following commands, where dbauser and dbapassword are the user name and password of the administrative database user.
SET PGPASSWORD=dbapassword
psql.exe -U dbauser -c "CREATE ROLE identity LOGIN PASSWORD 'idsdbpassword' NOSUPERUSER INHERIT CREATEDB NOCREATEROLE NOREPLICATION;"
psql.exe -U dbauser -c "CREATE DATABASE identity WITH OWNER = identity ENCODING = 'UTF8' TEMPLATE = template0 TABLESPACE = pg_default CONNECTION LIMIT = -1;"
psql.exe -U dbauser -c "CREATE EXTENSION IF NOT EXISTS hstore;" identity
Configure replication for this database as necessary.
Install Identity Server (primary)
Follow the instructions to Install IDS on Windows on the primary application server. Do not reboot the PC (or start the Windows service) after installation.
Configure database connection
Assuming IDS was installed to the default installation directory, create a file called data.properties with the following contents in C:\identity-server (or custom installation directory).
data.jdbc.url=jdbc\:postgresql\://dbserverhostname:5432/identity?sslmode=require
data.jdbc.driverClass=org.postgresql.Driver
data.path=./data
data.jdbc.password=idsdbpassword
data.jdbc.user=identity
Be sure to update values such as dbserverhostname and idsdbpassword accordingly.
Also make sure to set data.path to the drive letter/path where the shared storage is mounted on the application server. If a network share is required for shared storage, use a directory symbolic link.
C:\identity-server>mklink /D C:\identity-server\data \\server\share\folder
If SSL is not enabled on the database server, remove "?sslmode=require".
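The data.properties template above is a Java properties file, so the colons in the JDBC URL are backslash-escaped and a mis-edit (dropping ?sslmode=require, leaving data.path on local ./data without the symbolic link, keeping the guide's placeholder password) is easy to miss by eye. The following script is an added example, not part of the Identity Server product: it parses the file with the Java properties escaping rules and reports the checks a practitioner would want before starting the service. The S:/ids-data mount and both sample files are constructed for the example.

```python
"""Validate an IDS data.properties file (added example, not IDS product code).

Java .properties files treat backslash as an escape character, which is why the
guide writes the URL as jdbc\\:postgresql\\://...; the parser undoes those
escapes before the values are checked. Backslashes in a Windows data.path must
therefore be doubled, or forward slashes used as in the sample below.
"""
from urllib.parse import parse_qs, urlsplit

# Constructed sample following the guide's template; S:/ids-data is an assumed
# shared-storage mount on the application server.
SAMPLE_GOOD = """\
data.jdbc.url=jdbc\\:postgresql\\://dbserverhostname:5432/identity?sslmode=require
data.jdbc.driverClass=org.postgresql.Driver
data.path=S:/ids-data
data.jdbc.password=example-only-password
data.jdbc.user=identity
"""

# Constructed sample containing the mistakes the checks below are meant to catch.
SAMPLE_BAD = """\
data.jdbc.url=jdbc\\:postgresql\\://dbserverhostname:5432/identity
data.jdbc.driverClass=org.postgresql.Driver
data.path=./data
data.jdbc.password=idsdbpassword
data.jdbc.user=identity
"""

_ESCAPES = {"n": "\n", "t": "\t", "r": "\r", "f": "\f"}


def _unescape(text: str) -> str:
    """Resolve Java properties escapes: \\: -> :, \\= -> =, \\\\ -> \\, \\n, \\t."""
    out, i = [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            out.append(_ESCAPES.get(text[i + 1], text[i + 1]))
            i += 2
        else:
            out.append(text[i])
            i += 1
    return "".join(out)


def _split_key_value(line: str) -> tuple[str, str]:
    """Key ends at the first unescaped '=', ':' or whitespace."""
    i = 0
    while i < len(line):
        if line[i] == "\\":  # escaped character belongs to the key
            i += 2
            continue
        if line[i] in "=:" or line[i].isspace():
            key, rest = line[:i], line[i:].lstrip()
            if rest[:1] in ("=", ":"):
                rest = rest[1:].lstrip()
            return key, rest
        i += 1
    return line, ""


def parse_java_properties(text: str) -> dict[str, str]:
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, value = _split_key_value(line)
        props[_unescape(key)] = _unescape(value)
    return props


def check_data_properties(props: dict[str, str]) -> list[str]:
    """Return findings; an empty list means the file passes every check."""
    findings = []
    url = props.get("data.jdbc.url", "")
    if not url.startswith("jdbc:postgresql://"):
        findings.append("data.jdbc.url: expected a jdbc:postgresql:// URL")
    else:
        query = urlsplit(url[len("jdbc:"):]).query
        sslmode = parse_qs(query).get("sslmode", [""])[0]
        if sslmode not in ("require", "verify-ca", "verify-full"):
            findings.append("data.jdbc.url: sslmode missing or weaker than require, "
                            "so the database connection is not forced onto TLS")
    if props.get("data.jdbc.driverClass") != "org.postgresql.Driver":
        findings.append("data.jdbc.driverClass: expected org.postgresql.Driver")
    if props.get("data.path", "") in ("", "./data", "data"):
        findings.append("data.path: still the local ./data directory; acceptable only "
                        "if it is a directory symbolic link (mklink /D) to shared storage")
    for key in ("data.jdbc.user", "data.jdbc.password"):
        if not props.get(key):
            findings.append(f"{key}: missing")
    if props.get("data.jdbc.password") == "idsdbpassword":
        findings.append("data.jdbc.password: the guide's placeholder password is still in use")
    return findings


if __name__ == "__main__":
    import sys
    from pathlib import Path
    text = Path(sys.argv[1]).read_text() if len(sys.argv) > 1 else SAMPLE_BAD
    for finding in check_data_properties(parse_java_properties(text)) or ["OK"]:
        print(finding)
```

Run it with the path to C:\identity-server\data.properties as the single argument; with no argument it checks the constructed bad sample and prints the three findings.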
Configure Identity Server (primary)
Start the "PI Identity Server" Windows service and configure the following settings for the primary Identity Server instance:
- First run setup and software license
- HTTPS certificate
- HTTPS cipher suites
- LDAPS authentication
- Card formats
- PACS synchronization (for example, C•CURE 9000)
After all applicable IDS configuration is complete, stop the "PI Identity Server" Windows service.
Install Identity Server (secondary)
Follow the instructions to Install IDS on Windows on the secondary application server. Do not reboot the PC (or start the Windows service) after installation.
Copy the following configuration files from the primary instance to the secondary instance. These files should be monitored for configuration drift, if possible.
Assuming IDS was installed to the default installation directory, the files will be located in C:\identity-server on both servers:
- application.properties
- auth.jks
- ccure-sql.json
- data.properties
- keystore.jks
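Because the secondary instance is a file-level copy of the primary, any later edit on one side (a renewed keystore.jks, a changed data.properties) silently diverges the two. The script below is an added example, not part of the Identity Server product: it hashes the five files listed above in both installation directories and reports which ones are identical, differ or are missing, which is what a scheduled drift check needs. The sample directories and their contents are constructed inside the script; in production, point it at the two C:\identity-server directories (for example via administrative shares).

```python
"""Configuration drift check for the copied IDS files (added example)."""
import hashlib
import tempfile
from pathlib import Path

# The files the guide says to copy from the primary to the secondary instance.
IDS_CONFIG_FILES = [
    "application.properties",
    "auth.jks",
    "ccure-sql.json",
    "data.properties",
    "keystore.jks",
]


def sha256_of(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def compare_config_dirs(primary: Path, secondary: Path,
                        names=IDS_CONFIG_FILES) -> dict[str, list[str]]:
    """Classify each expected file as identical, differs, or missing on either side."""
    report = {"identical": [], "differs": [], "missing": []}
    for name in names:
        first, second = primary / name, secondary / name
        if not first.is_file() or not second.is_file():
            report["missing"].append(name)
        elif sha256_of(first) == sha256_of(second):
            report["identical"].append(name)
        else:
            report["differs"].append(name)
    return report


def build_sample_dirs() -> tuple[Path, Path]:
    """Create two constructed installation directories with deliberate drift."""
    root = Path(tempfile.mkdtemp(prefix="ids-drift-"))
    primary, secondary = root / "primary", root / "secondary"
    primary.mkdir()
    secondary.mkdir()
    for name in IDS_CONFIG_FILES:
        content = b"# constructed placeholder content for " + name.encode()
        (primary / name).write_bytes(content)
        (secondary / name).write_bytes(content)
    # Drift: data.properties edited on the secondary, ccure-sql.json never copied.
    (secondary / "data.properties").write_bytes(b"data.path=./data\n")
    (secondary / "ccure-sql.json").unlink()
    return primary, secondary


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        result = compare_config_dirs(Path(sys.argv[1]), Path(sys.argv[2]))
    else:
        result = compare_config_dirs(*build_sample_dirs())
    for state, files in result.items():
        print(f"{state}: {', '.join(files) or '-'}")
```

Invoke it as `python drift_check.py \\primary\c$\identity-server \\secondary\c$\identity-server` from a host that can read both; anything under "differs" or "missing" should trigger a ticket rather than an automatic copy, since a changed keystore.jks may be the intended side.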
Start the "PI Identity Server" Windows service on the secondary instance and activate the license under Settings > License. You may also need to configure SNMP again.
Data migration
At this point, the high availability deployment is complete. If you need to migrate data from an existing non-HA deployment, then do the following:
First perform an IDS backup. Please note that if you choose "store on this server", you should download the file to a safe place so that it can be used later on the new server.
Then restore the IDS backup to the new primary IDS instance. When that is complete, you can also reconfigure any child IDS instances to point to this new parent.
Configure APM
To introduce additional JAVA_OPTS into the Identity Server JVM, do the following:
- Stop "PI Identity Server" Windows Service from Services
- Uninstall Windows Service - C:\identity-server\service\bat\uninstallService.bat (right-click Run as administrator)
- Edit C:\identity-server\service.properties - Starting with 2, add "wrapper.java.additional.#" lines for each individual option. Do not remove "wrapper.java.additional.1" for any reason
wrapper.java.additional.2 = -javaagent:C:\Program Files\Appdynamics\javaagent\javaagent.jar
wrapper.java.additional.3 = -Dappdynamics.agent.applicationName=identity-server
wrapper.java.additional.4 = -Dappdynamics.controller.hostName=apm
wrapper.java.additional.5 = -Dappdynamics.controller.port=443
wrapper.java.additional.6 = -Dappdynamics.controller.ssl.enabled=true
wrapper.java.additional.7 = -Dappdynamics.agent.accountAccessKey=secret
- Install Windows Service - C:\identity-server\service\bat\installService.bat (right-click Run as administrator)
- Start "PI Identity Server" Windows Service from Services
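The numbering rule in the edit step (keep wrapper.java.additional.1, number new options consecutively from the next free index) is easy to get wrong when the file already carries extra options from an earlier change. The function below is an added example, not part of the Identity Server product or its service wrapper: it appends the APM options from this article to an existing service.properties text, starting after the highest index already present, and refuses to proceed if line 1 is absent. The sample service.properties content is constructed. Note that the accountAccessKey is stored in clear text in service.properties, so that file's ACL should limit read access to administrators and the service account.

```python
"""Append wrapper.java.additional.N options to service.properties (added example)."""
import re

_ADDITIONAL = re.compile(r"^\s*wrapper\.java\.additional\.(\d+)\s*=", re.MULTILINE)

# The options from the article, copied verbatim (the access key is a placeholder).
APM_OPTIONS = [
    r"-javaagent:C:\Program Files\Appdynamics\javaagent\javaagent.jar",
    "-Dappdynamics.agent.applicationName=identity-server",
    "-Dappdynamics.controller.hostName=apm",
    "-Dappdynamics.controller.port=443",
    "-Dappdynamics.controller.ssl.enabled=true",
    "-Dappdynamics.agent.accountAccessKey=secret",
]

# Constructed sample; the real file's line 1 value is whatever the installer wrote.
SAMPLE_SERVICE_PROPERTIES = """\
wrapper.java.additional.1 = -Dconstructed.placeholder=1
"""


def add_java_options(service_properties: str, options: list[str]) -> str:
    """Return the file text with one new wrapper.java.additional.N line per option."""
    indices = [int(m.group(1)) for m in _ADDITIONAL.finditer(service_properties)]
    if 1 not in indices:
        raise ValueError("wrapper.java.additional.1 is missing; restore it before adding options")
    next_index = max(indices) + 1  # 2 on a fresh install, higher if options already exist
    lines = [service_properties.rstrip("\n")]
    for offset, option in enumerate(options):
        lines.append(f"wrapper.java.additional.{next_index + offset} = {option}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(add_java_options(SAMPLE_SERVICE_PROPERTIES, APM_OPTIONS), end="")
```

Run it against the real file only between the uninstallService.bat and installService.bat steps, since the wrapper reads service.properties when the service is installed.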