This page guides you through setting up deployment pattern 2, which is a HA clustered deployment of WSO2 Identity Server with WSO2 Identity Analytics. For more information about deployment pattern 2 and its high level architecture, see Deployment Patterns - Pattern 2.
This page guides you through setting up deployment pattern 1, which is a HA clustered deployment of WSO2 Identity Server. For more information about deployment pattern 1 and its high level architecture, see Deployment Patterns - Pattern 1. You can install multiple instances of WSO2 products in a cluster to ensure that if one instance becomes unavailable or is experiencing high traffic, another instance will seamlessly handle the requests. For complete information on clustering concepts, see Clustering Overview in the Common Product Administration Guide. Creating a cluster of WSO2 Identity Server instances involves a standard two node cluster for high availability. To ensure that the instances share governance registry artifacts, you must create a JDBC mount. At a high level, use the following options to cluster Identity Server with a minimum of two nodes. The first section includes instructions on setting up databases. The second section involves setting up a standard two node cluster, the third section involves setting up the Identity Server dashboard in a clustered environment, and the fourth section includes additional configurations if you need to set up a load balancer to front your cluster. WSO2 products allow you to configure multiple user stores to store your users and their roles. Your user store can be one of the following: a directory service that can communicate over the LDAP protocol, such as OpenLDAP; Active Directory; or a database that can communicate over JDBC. Set up a user store named WSO2UserStore. Note: The instructions in this tutorial demonstrate configuring a JDBC user store. Point all cluster nodes to the same user store in the See Configuring User Stores for more information on how to set up other types of user stores. Copy the JDBC driver (in this case MySQL driver) to the By default, WSO2 Identity Server is started with an embedded LDAP which comes with the product.
Disable the embedded LDAP of node 2 by modifying embedded-ldap.xml which can be found in the Create the databases. See Setting up the Physical Database in the WSO2 Administration Guide for db scripts and more information. Alternatively, you can create more databases for each type of data to separate the data logically. Note that this will NOT make a difference in performance and is not actually necessary. However, if you do wish to separate the data logically into separate databases, see the Setting Up Separate Databases for Clustering topic. Configure the datasource for the databases in both nodes of your cluster in the master-datasources.xml file found in the Mount the governance and configuration registry in the For more information on mounting the registry, see Sharing Databases in a Cluster. In the registry browser, verify that the governance collection is shown with the symlink icon. Follow the instructions below to cluster WSO2 Identity Server. Do the following changes to the Enable clustering on node 1 and node 2 by setting the clustering element to true: Use the well-known address (WKA) based clustering method. In WKA-based clustering, we need to have a subset of cluster members configured in all the members of the cluster. At least one well-known member has to be operational at all times. Configure the Under the Note: You can also use IP address ranges for the Configure caching. From WSO2 Identity Server 5.2.0 onwards, distributed caching is disabled and it is not recommended to use this due to many practical issues that are related to configuring and running distributed caching properly. WSO2 Identity Server employs Hazelcast as the primary method of implementing cluster messages while using distributed caching in a simple setup. About Clustering For information on clustering, see Clustering WSO2 Products. About Caching Why caching Caching is an additional layer on top of databases.
It keeps recently used data that was fetched from the database in local memory, so that subsequent requests for the same data can be served from local memory instead of being fetched from the database. Caching has certain advantages and disadvantages that you need to evaluate when deciding on your caching strategy. The load on the underlying database or LDAP is reduced as data is served from already fetched data in memory. Improved performance due to the reduced number of database calls for repetitive data fetching. Coherency problems may occur when the data change is not immediately reflected on cached data if one node or an external system updates the database. Data in memory can become stale yet be served, e.g., serving data from memory while its corresponding record in the database is deleted. Caching in WSO2 Identity Server Historically WSO2 Identity Server used distributed caching to utilize the above-mentioned advantages as well as to minimize the coherence problem. However, in newer deployment patterns where the network is not tightly controlled, distributed caching fails in unexpected ways. Hence, we no longer recommend using distributed caching. Instead, it is recommended to have local caches (if required) and cache invalidation messages (if required) by considering the information given below. The ForceLocalCache property When Hazelcast clustering is enabled certain caches act as distributed caches. The Cache invalidation uses Hazelcast messaging to distribute the invalidation message over the cluster and invalidate the caches properly. This is used to minimize the coherence problem in a multi-node setup. Typical clustered deployment cache scenarios This is the recommended approach. Hazelcast messaging invalidates the caches. Invalidation clears only the caches in specific nodes. Other caches are cleared at cache expiration. Hazelcast communication is not used.
As the decisions take time to propagate over nodes (default cache timeout is 15 minutes), there is a security risk in this method. To reduce the risk, reduce the default cache timeout period. To learn how to reduce the default cache timeout period, see Configuring Cache Layers - timeout. The data are directly acquired from the database. Eliminates the security risks caused due to not having cache invalidation. This method will create a performance degradation due to the lack of caching. To reduce the security risk created in the second scenario and to improve performance in comparison with the third scenario, disable the security-related caches and sustain the performance-related caches as local caches. This requires identification of these caches depending on the use case. This scenario is only recommended if the network has tight tolerance where the network infrastructure is capable of handling high bandwidth with very low latency. Typically this applies only when you deploy all the nodes in a single server rack having fiber-optic cables. In any other environments, this implementation will cause cache losses. Thus, this implementation is not recommended for general use. Configure the following. Change the datasource name to Change the datasource name to WSO2 products use Hazelcast as its default clustering engine. You can configure the hazelcast properties for the product nodes by following the steps given below. Create the The above configurations are explained below. If you have enabled log4j for hazelcast logging as shown above, be sure to enter the configuration shown below in the Configure the Identity Server node 1 using the following steps. Go to the In the This hostname is used by the IS cluster. It must be specified in the Follow all the configuration steps that were done in node 1 for node 2 as well. To enable synchronization for runtime artifacts you must have a shared file system. You can use one of the following depending on your environment. 
Create a symlink from the Instead of mounting the file system directly to the Follow the steps given below to set up the dashboard for the WSO2 Identity Server in a clustered environment. Change the service provider configuration for the dashboard in the Configure the Configure the Optionally, configure the If you need to set up the above WSO2 Identity Server cluster with Nginx, you can follow the instructions given below (you must do this after setting up the cluster following the above instructions). When clustering WSO2 Identity Server with a load balancer, make sure to enable sticky sessions. This is required for the management console and the dashboard to work and if we disable temporary session data persistence in the Sticky sessions for SSO Sticky sessions are required to ensure a flawless SSO workflow when temporary session data persistence is disabled. It is recommended to use sticky sessions for SSO in order to have a higher throughput. For more information on sticky sessions, see Sticky Sessions with Manager Nodes. The following is the deployment diagram with the load balancer. Use the following steps to configure NGINX Plus version 1.7.11 or nginx community version 1.9.2 as the load balancer for WSO2 products. (In these steps, we refer to both versions collectively as "Nginx".) Configure Nginx to direct the HTTP requests to the two worker nodes via the HTTP 80 port using the Note: Shown below is a general Nginx configuration. Click this link for more specific configuration with exposing various endpoints: Now that you've configured HTTP requests, you must also configure HTTPS requests. Configure Nginx to direct the HTTPS requests to the two worker nodes via the HTTPS 443 port using Note: The configurations for nginx community version and NGINX Plus are different here since the community version does not support the Configure Nginx to access the Management Console as Reload the Nginx server. 
If you have made modifications to anything other than the VHost files, you may need to restart the Nginx server instead of reloading: Create SSL certificates for both the manager and worker nodes using the instructions that follow: Execute the following command to import the created certificate file to the client truststore: While creating keys, enter the host name ( By default, WSO2 Identity Server runs on 9443 port. The following steps describe how you can configure a proxy port of 443. Open the It is not possible to configure the proxy port from the load balancer itself since there is a POST request while authenticating to the IS dashboard. So, if you are planning to use the Identity Server dashboard, you must do this configuration. The configurations below are also needed if you are using the dashboard. Configure the proxy port and host in the Configure proxy port and host in the Configure proxy port and host in the Now you can access the management console using the following URL: https://wso2.is.com/carbon/ If both nodes will be running on the same server, set the port offset to avoid port conflicts. Start the nodes using the following command on both nodes.
Configuring the user store
master-datasources.xml
and user-mgt.xml
files.
<IS_HOME>/repository/components/lib
directory of both nodes. To do this, download the MySQL Java connector JAR from here and place it in the <IS_HOME>/repository/components/lib
directory.
<IS_HOME>/repository/conf/identity
directory.
<EmbeddedLDAP>
<Property name="enable">false</Property>
<!-- ... -->
</EmbeddedLDAP>
Configuring the datasources
This tutorial demonstrates deployment with a user management database (WSO2UMDB) and an identity database (IDENTITYDB).
<IS_HOME>/repository/conf/datasources
folder.
The code block below shows a sample configuration of the user management database and identity database for a MySQL database. For instructions on how to configure the datasource depending on the type of database you created, see Changing the Carbon Database in the WSO2 Product Administration Guide.
<datasources>
<datasource>
<name>WSO2_CARBON_DB</name>
<description>The datasource used for registry and user manager</description>
<jndiConfig>
<name>jdbc/WSO2CarbonDB</name>
</jndiConfig>
<definition type="RDBMS">
<configuration>
<url>jdbc:h2:./repository/database/WSO2CARBON_DB;DB_CLOSE_ON_EXIT=FALSE;LOCK_TIMEOUT=60000</url>
<username>wso2carbon</username>
<password>wso2carbon</password>
<driverClassName>org.h2.Driver</driverClassName>
<maxActive>50</maxActive>
<maxWait>60000</maxWait>
<testOnBorrow>true</testOnBorrow>
<validationQuery>SELECT 1</validationQuery>
<validationInterval>30000</validationInterval>
<defaultAutoCommit>false</defaultAutoCommit>
</configuration>
</definition>
</datasource>
<datasource>
<name>WSO2UserStore</name>
<description>The user store</description>
<jndiConfig>
<name>jdbc/WSO2UserStore</name>
</jndiConfig>
<definition type="RDBMS">
<configuration>
<url>jdbc:h2:./repository/database/WSO2UM_DB;DB_CLOSE_ON_EXIT=FALSE;LOCK_TIMEOUT=60000</url>
<username>wso2carbon</username>
<password>wso2carbon</password>
<driverClassName>org.h2.Driver</driverClassName>
<maxActive>50</maxActive>
<maxWait>60000</maxWait>
<testOnBorrow>true</testOnBorrow>
<validationQuery>SELECT 1</validationQuery>
<validationInterval>30000</validationInterval>
<defaultAutoCommit>false</defaultAutoCommit>
</configuration>
</definition>
</datasource>
<datasource>
<name>WSO2_IDENTITY_DB</name>
<description>The datasource used for registry, user management and identity</description>
<jndiConfig>
<name>jdbc/WSO2IdentityDS</name>
</jndiConfig>
<definition type="RDBMS">
<configuration>
<url>jdbc:mysql://wso2is-pattern1-mysql-service:3306/WSO2_IDENTITY_DB?autoReconnect=true&amp;useSSL=false</url>
<username>wso2carbon</username>
<password>wso2carbon</password>
<driverClassName>com.mysql.jdbc.Driver</driverClassName>
<maxActive>80</maxActive>
<maxWait>60000</maxWait>
<minIdle>5</minIdle>
<testOnBorrow>true</testOnBorrow>
<validationQuery>SELECT 1</validationQuery>
<validationInterval>30000</validationInterval>
<defaultAutoCommit>false</defaultAutoCommit>
</configuration>
</definition>
</datasource>
</datasources>
<datasource>
<name>BPS_DS</name>
<description></description>
<jndiConfig>
<name>bpsds</name>
</jndiConfig>
<definition type="RDBMS">
<configuration>
<url>jdbc:mysql://wso2is-pattern1-mysql-service:3306/WSO2_IDENTITY_DB?autoReconnect=true&amp;verifyServerCertificate=false&amp;useSSL=true</url>
<username>wso2carbon</username>
<password>wso2carbon</password>
<driverClassName>com.mysql.jdbc.Driver</driverClassName>
<maxActive>100</maxActive>
<maxWait>10000</maxWait>
<maxIdle>20</maxIdle>
<testOnBorrow>true</testOnBorrow>
<validationQuery>SELECT 1</validationQuery>
<validationInterval>30000</validationInterval>
<useDataSourceFactory>false</useDataSourceFactory>
<defaultAutoCommit>false</defaultAutoCommit>
</configuration>
</definition>
</datasource>
Mounting the registry
registry.xml
file found in the <IS_HOME>/repository/conf
folder to share the registry across all nodes in the cluster. The code block below shows a sample configuration.
<dbConfig name="sharedregistry">
<dataSource>jdbc/WSO2IdentityDS</dataSource>
</dbConfig>
<remoteInstance url="https://localhost:9443/registry">
<id>sharedregistry</id>
<dbConfig>sharedregistry</dbConfig>
<readOnly>false</readOnly>
<registryRoot>/</registryRoot>
<enableCache>true</enableCache>
<cacheId>jdbc:mysql://wso2is-pattern1-mysql-service:3306/WSO2_IDENTITY_DB</cacheId>
</remoteInstance>
<mount path="/_system/config" overwrite="true">
<instanceId>sharedregistry</instanceId>
<targetPath>/_system/config</targetPath>
</mount>
<mount path="/_system/governance" overwrite="true">
<instanceId>sharedregistry</instanceId>
<targetPath>/_system/governance</targetPath>
</mount>
Clustering Identity Server for high availability
<IS_HOME>/repository/conf/axis2/axis2.xml
file for both nodes.
<clustering class="org.wso2.carbon.core.clustering.hazelcast.HazelcastClusteringAgent" enable="true">
Specify the name of the cluster this node will join.
<parameter name="domain">wso2.is.domain</parameter>
<parameter name="membershipScheme">wka</parameter>
localMemberHost
and localMemberPort
entries. These must be different port values for the two nodes if they are on the same server to prevent any conflicts.
<parameter name="localMemberHost">127.0.0.1</parameter>
<parameter name="localMemberPort">4000</parameter>
members
section, add the hostName
and port
for each WKA member. As we have only two nodes in our sample cluster configuration, we will configure both nodes as WKA nodes.
<members>
<member>
<hostName>127.0.0.1</hostName>
<port>4000</port>
</member>
<member>
<hostName>127.0.0.2</hostName>
<port>4010</port>
</member>
</members>
hostName
. For example, 192.168.1.2-10. This should ensure that the cluster eventually recovers after failures. One shortcoming of doing this is that you can define a range only for the last portion of the IP address. You should also keep in mind that the smaller the range, the less time it takes to discover members, since each node has to scan fewer potential members.
ForceLocalCache
property within the <cache>
section in the carbon.xml
file in the <IS_HOME>/repository/conf
directory is there to mark that all the caches should act like local caches even in a clustered setup. (This is by default set to true
)
<ForceLocalCache>true</ForceLocalCache>
Scenario | Local Caching | Distributed Caching | Hazelcast Clustering | Distributed Invalidation
1. All caches are local with distributed cache invalidation | Enabled | Not Applicable | Enabled | Enabled
2. All caches are local without distributed cache invalidation | Enabled | Not Applicable | Disabled | Disabled
3. No caching | Disabled | Disabled | Disabled | Disabled
4. Certain caches are disabled while the remaining are local | Enabled for the available local caches | Not Applicable | Enabled | Enabled
5. Distributed caching enabled | Disabled (the ForceLocalCache property is set to false) | Enabled | Enabled | Not Applicable
jdbc/WSO2UserStore
in user-mgt.xml (located in <IS_HOME>/repository/conf/
). This refers to the user store you configured in the Configuring the user store section above.
<UserManager>
<Realm>
<Configuration>
...
<Property name="dataSource">jdbc/WSO2UserStore</Property>
</Configuration>
...
</Realm>
</UserManager>
jdbc/WSO2IDENTITYDB
in identity.xml (located in <IS_HOME>/repository/conf/identity
) of both node1 and node2. This refers to the datasource configured in the Configuring the datasources section above.
<JDBCPersistenceManager>
<DataSource>
<Name>jdbc/WSO2IDENTITYDB</Name>
</DataSource>
<!-- <SkipDBSchemaCreation>false</SkipDBSchemaCreation> -->
</JDBCPersistenceManager>
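The files above only work together if every JNDI name referenced from user-mgt.xml, identity.xml and registry.xml is actually defined in master-datasources.xml, and the sample values carry settings worth reviewing before production (product-default credentials, disabled TLS or certificate verification on JDBC URLs, node-local H2 files). The following check is an added example, not part of the WSO2 documentation or product; the function names and finding labels are hypothetical, and the XML samples are constructed from the snippets on this page.

```python
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlsplit

# Constructed samples modeled on the snippets above. Inside XML, '&' in a JDBC
# URL has to be written as '&amp;'.
MASTER_DATASOURCES = """<datasources>
 <datasource><name>WSO2UserStore</name>
  <jndiConfig><name>jdbc/WSO2UserStore</name></jndiConfig>
  <definition type="RDBMS"><configuration>
   <url>jdbc:h2:./repository/database/WSO2UM_DB;DB_CLOSE_ON_EXIT=FALSE</url>
   <username>wso2carbon</username><password>wso2carbon</password>
  </configuration></definition></datasource>
 <datasource><name>WSO2_IDENTITY_DB</name>
  <jndiConfig><name>jdbc/WSO2IdentityDS</name></jndiConfig>
  <definition type="RDBMS"><configuration>
   <url>jdbc:mysql://wso2is-pattern1-mysql-service:3306/WSO2_IDENTITY_DB?autoReconnect=true&amp;useSSL=false</url>
   <username>wso2carbon</username><password>wso2carbon</password>
  </configuration></definition></datasource>
 <datasource><name>BPS_DS</name>
  <jndiConfig><name>bpsds</name></jndiConfig>
  <definition type="RDBMS"><configuration>
   <url>jdbc:mysql://wso2is-pattern1-mysql-service:3306/WSO2_IDENTITY_DB?autoReconnect=true&amp;verifyServerCertificate=false&amp;useSSL=true</url>
   <username>wso2carbon</username><password>wso2carbon</password>
  </configuration></definition></datasource>
</datasources>"""
USER_MGT = """<UserManager><Realm><Configuration>
 <Property name="dataSource">jdbc/WSO2UserStore</Property>
</Configuration></Realm></UserManager>"""
IDENTITY = """<Server><JDBCPersistenceManager><DataSource>
 <Name>jdbc/WSO2IDENTITYDB</Name>
</DataSource></JDBCPersistenceManager></Server>"""
REGISTRY = """<wso2registry><dbConfig name="sharedregistry">
 <dataSource>jdbc/WSO2IdentityDS</dataSource>
</dbConfig></wso2registry>"""

# Credentials used in the samples on this page.
DEFAULT_CREDENTIALS = {("wso2carbon", "wso2carbon")}


def load_datasources(xml_text):
    """Return {jndi_name: {"name", "url", "username", "password"}}."""
    sources = {}
    for ds in ET.fromstring(xml_text).iter("datasource"):
        cfg = ds.find("definition/configuration")
        sources[ds.findtext("jndiConfig/name").strip()] = {
            "name": ds.findtext("name").strip(),
            "url": cfg.findtext("url").strip(),
            "username": cfg.findtext("username", "").strip(),
            "password": cfg.findtext("password", "").strip(),
        }
    return sources


def url_findings(jdbc_url):
    """Flag transport and sharing problems visible in a JDBC URL."""
    found = []
    if jdbc_url.startswith("jdbc:h2:") and not jdbc_url.startswith(
            ("jdbc:h2:tcp:", "jdbc:h2:ssl:")):
        found.append("embedded-h2")  # file local to one node, not shared
    if jdbc_url.startswith("jdbc:mysql:"):
        params = parse_qs(urlsplit(jdbc_url[len("jdbc:"):]).query)
        if params.get("useSSL", [""])[-1].lower() == "false":
            found.append("tls-disabled")
        if params.get("verifyServerCertificate", [""])[-1].lower() == "false":
            found.append("server-cert-not-verified")
    return found


def referenced_jndi_names(user_mgt_xml, identity_xml, registry_xml):
    """Collect (file, jndi_name) pairs from the files that point at datasources."""
    refs = []
    for prop in ET.fromstring(user_mgt_xml).iterfind(".//Property[@name='dataSource']"):
        refs.append(("user-mgt.xml", prop.text.strip()))
    for name in ET.fromstring(identity_xml).iterfind(
            ".//JDBCPersistenceManager/DataSource/Name"):
        refs.append(("identity.xml", name.text.strip()))
    for cfg in ET.fromstring(registry_xml).iterfind(".//dbConfig"):
        if cfg.findtext("dataSource"):  # skip <dbConfig> id references
            refs.append(("registry.xml", cfg.findtext("dataSource").strip()))
    return refs


def audit(datasources_xml, references):
    """Return a list of (subject, finding) tuples."""
    sources = load_datasources(datasources_xml)
    findings = []
    for ds in sources.values():
        if (ds["username"], ds["password"]) in DEFAULT_CREDENTIALS:
            findings.append((ds["name"], "default-credentials"))
        findings += [(ds["name"], f) for f in url_findings(ds["url"])]
    for file_name, jndi in references:
        if jndi not in sources:
            findings.append((file_name, "unknown-datasource:" + jndi))
    return findings


if __name__ == "__main__":
    refs = referenced_jndi_names(USER_MGT, IDENTITY, REGISTRY)
    for subject, finding in audit(MASTER_DATASOURCES, refs):
        print(f"{subject}: {finding}")
```

Run it against each node's real files by reading them from `<IS_HOME>/repository/conf` instead of the embedded samples; both nodes should produce the same, empty, result.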
Configuring Hazelcast properties
hazelcast.properties
file with the following property configurations, and copy the file to the <IS_HOME>/repository/conf/
directory.
#Disabling the hazelcast shutdown hook
hazelcast.shutdownhook.enabled=false
#Setting the hazelcast logging type to log4j
hazelcast.logging.type=log4j
wso2carbon.log
file.
log4j.properties
file (stored in the <IS_HOME>/repository/conf/
directory). This can be used to configure the log level for hazelcast logging. For a clustered production environment, it is recommended to use INFO as the log level as shown below.
log4j.logger.com.hazelcast=INFO
Changing hostnames and ports
<IS_HOME>/repository/conf/tomcat/catalina-server.xml
file and add the proxy port as 443.
<Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
port="9443"
proxyPort="443"
........
<!--
optional attributes:
proxyPort="80"
-->
<Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
port="9763"
proxyPort="80"
<IS_HOME>/repository/conf/carbon.xml
directory, define the hostname for your server.
<HostName>wso2.is.com</HostName>
<MgtHostName>wso2.is.com</MgtHostName>
/etc/hosts
file as:
127.0.0.1 wso2.is.com
Enabling artifact synchronization
<IS_HOME>/repository/deployment
path to the "Deployment" directory of the shared file system that you created in step 2 of this section.
<IS_HOME>/repository/tenants
path to the "Tenants" directory of the shared file system that you created in step 2 of this section.
<IS_HOME>/repository/deployment
and <IS_HOME>/repository/tenants
paths, a symlink is created to avoid issues that may occur if you delete the product to redeploy it, in which case the file system would get mounted to a non-existent path.
Setting up the dashboard
<IS_HOME>/repository/conf/identity/sso-idp-config.xml
file.
<AssertionConsumerServiceURLs><AssertionConsumerServiceURL>https://is.wso2.com/dashboard/acs</AssertionConsumerServiceURL></AssertionConsumerServiceURLs>
<DefaultAssertionConsumerServiceURL>https://is.wso2.com/dashboard/acs</DefaultAssertionConsumerServiceURL>
proxyHost
and proxyHTTPSPort
in the <IS_HOME>/repository/deployment/server/jaggeryapps/dashboard/conf/site.json
file with your IP or hostname and the port.
"proxyHost" : "is.wso2.com",
"proxyHTTPSPort" : "443",
proxyHost
and proxyHTTPSPort
in the <WSO2IS_HOME>/repository/deployment/server/webapps/shindig/WEB-INF/web.xml
file with your IP or hostname and the port.
shindig.host=is.wso2.com
shindig.port=443
<IS_HOME>/repository/conf/datasources/master-datasources.xml
file to set up the user dashboard.
Fronting with a load balancer (Nginx)
<IS_HOME>/repository/conf/identity/identity.xml
file.
Configuring Nginx
http://is.wso2.com/<service>
. To do this, create a VHost file (is.http.conf
) in the /etc/nginx/conf.d
directory and add the following configurations into it.
upstream wso2.is.com {
server xxx.xxx.xxx.xx3:9763;
server xxx.xxx.xxx.xx4:9763;
}
server {
listen 80;
server_name is.wso2.com;
location / {
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_read_timeout 5m;
proxy_send_timeout 5m;
proxy_pass http://wso2.is.com;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
}
https://is.wso2.com/<service>
. To do this, create a VHost file (is.https.conf
) in the /etc/nginx/conf.d
directory and add the following configurations into it.
sticky
directive.
https://mgt.is.wso2.com/carbon
via HTTPS 443 port. This is to direct requests to the manager node. To do this, create a VHost file ( mgt.is.https.conf
) in the /etc/nginx/conf.d
directory and add the following configurations into it.
server {
listen 443;
server_name mgt.is.wso2.com;
ssl on;
ssl_certificate /etc/nginx/ssl/mgt.crt;
ssl_certificate_key /etc/nginx/ssl/mgt.key;
location / {
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_read_timeout 5m;
proxy_send_timeout 5m;
proxy_pass https://xxx.xxx.xxx.xx2:9443/;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
error_log /var/log/nginx/mgt-error.log ;
access_log /var/log/nginx/mgt-access.log;
}
$sudo service nginx reload
$sudo service nginx restart
Create SSL certificates
$sudo openssl genrsa -des3 -out server.key 1024
$sudo openssl req -new -key server.key -out server.csr
$sudo cp server.key server.key.org
$sudo openssl rsa -in server.key.org -out server.key
$sudo openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
keytool -import -trustcacerts -alias server -file server.crt -keystore client-truststore.jks
is.wso2.com
or mgt.is.wso2.com
) as the common name.
Configure the Proxy Port in IS Nodes
<IS_HOME>/repository/conf/tomcat/catalina-server.xml
file and add the proxy port 443 in the HTTPS connector as follows.
<Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
port="9443"
proxyPort="443"
<IS_HOME>/repository/deployment/server/jaggeryapps/dashboard/conf/site.json
file as follows:
{
"proxy":{
"proxyHost":"nginx.mycomp.org",
"proxyHTTPSPort":"443",
"proxyContextPath":"",
"servicePath":"/services"
}
}
<IS_HOME>/repository/deployment/server/jaggeryapps/portal/conf/site.json
file as follows:
{
"proxy":{
"proxyHost":"nginx.mycomp.org",
"proxyHTTPSPort":"443",
"proxyContextPath":""
},
"fido":{
"appId":""
}
}
<IS_HOME>/repository/deployment/server/webapps/shindig/WEB-INF/web.xml
<context-param>
<param-name> system.properties </param-name>
<param-value>
<![CDATA[
shindig.host=
shindig.port=443
aKey=/shindig/gadgets/proxy?container=default&url=
]]>
</param-value>
</context-param>
Running the cluster
Starting up and verifying product nodes
Minimum High Availability Deployment for WSO2 IS Analytics
This section explains how to configure WSO2 Identity Server Analytics in a distributed setup. You can configure alerts to monitor these APIs and detect unusual activity, manage locations via geo location statistics and to carry out detailed analysis of logs relating to the APIs. WSO2 IS Analytics is powered by WSO2 DAS. The following diagram indicates the minimum deployment pattern used for high availability.
WSO2 Identity Server Analytics supports a deployment scenario that has focus on high availability (HA) along with HA processing. To enable HA processing, you should have two WSO2 IS Analytics servers in a cluster.
For this deployment, both nodes should be configured to receive all events. To achieve this, clients can either send all the requests to both the nodes or each request to any one of the two nodes (i.e., using load balancing or failover mechanisms). If clients send all the requests to both nodes, the user has to specify that events are duplicated in the cluster (i.e., the same event comes to all the members of the cluster). Alternatively, if a client sends a request to one node, internally it sends that particular request to the other node as well. This way, even if the clients send requests to only one node, both IS Analytics nodes receive all the requests.
In this scenario, one IS Analytics node works in active mode and the other works in passive mode. However, both nodes process all the data.
If the active node fails, the other node becomes active and receives all the requests.
When the failed node is up again, it fetches all the internal states of the current active node via synching.
The newly arrived node then becomes the passive node and starts processing all the incoming messages to keep its state synched with the active node so that it can become active if the current active node fails.
Warning: Some of the requests may be lost during the time the passive node switches to the active mode.
Prerequisites
Before you configure a minimum high availability IS Analytics cluster, the following needs to be carried out.
- Download the WSO2 IS Analytics distribution. Click DOWNLOAD ANALYTICS in the WSO2 Identity and Access Management page.
- Take the following steps to install WSO2 IS Analytics. Since this procedure is identical to installing WSO2 Data Analytics Server (DAS), these steps take you to the DAS documentation for details.
- Ensure that you have met the Installation Prerequisites.
- Go to the installation instructions relevant to your operating system:
- Follow the steps below to set up MySQL.
Download and install MySQL Server.
Download the MySQL JDBC driver.
Unzip the downloaded MySQL driver zipped archive, and copy the MySQL JDBC driver JAR (mysql-connector-java-x.x.xx-bin.jar) into the <IS Analytics_HOME>/repository/components/lib directory of all the nodes in the cluster.
- Enter the following command in a terminal/command window, where username is the username you want to use to access the databases.
mysql -u username -p
- When prompted, specify the password that will be used to access the databases with the username you specified.
Create two databases named userdb and regdb.
About using MySQL in different operating systems
For users of Microsoft Windows, when creating the database in MySQL, it is important to specify the character set as latin1. Failure to do this may result in an error (error code: 1709) when starting your cluster. This error occurs in certain versions of MySQL (5.6.x) and is related to the UTF-8 encoding. MySQL originally used the latin1 character set by default, which stored characters in a 2-byte sequence. However, in recent versions, MySQL defaults to UTF-8 to be friendlier to international users. Hence, you must use latin1 as the character set as indicated below in the database creation commands to avoid this problem. Note that this may result in issues with non-latin characters (like Hebrew, Japanese, etc.). The following is how your database creation command should look.
mysql> create database <DATABASE_NAME> character set latin1;
For users of other operating systems, the standard database creation commands will suffice. For these operating systems, the following is how your database creation command should look.
mysql> create database <DATABASE_NAME>;
Execute the following script for the two databases you created in the previous step.
mysql> source <IS Analytics_HOME>/dbscripts/mysql.sql;
From WSO2 Carbon Kernel 4.4.6 onwards there are two MySQL DB scripts available in the product distribution. Click here to identify as to which version of the MySQL script to use.
Configure the datasource in the
<IS Analytics_HOME>/repository/conf/analytics/analytics-conf.xml
file as shown in the code extract below. As it is possible to maintain the data in one database, you can point all three datasources to a single database.
Alternatively, if you want to separate the data logically, create the following two databases in MySQL and point to the respective database as shown in the extract below.
WSO2_ANALYTICS_EVENT_STORE_DB
WSO2_ANALYTICS_PROCESSED_DATA_STORE_DB
<analytics-record-store name="EVENT_STORE">
  <implementation>org.wso2.carbon.analytics.datasource.rdbms.RDBMSAnalyticsRecordStore</implementation>
  <properties>
    <property name="datasource">WSO2_ANALYTICS_EVENT_STORE_DB</property>
    <property name="category">read_write_optimized</property>
  </properties>
</analytics-record-store>
<analytics-record-store name="EVENT_STORE_WO">
  <implementation>org.wso2.carbon.analytics.datasource.rdbms.RDBMSAnalyticsRecordStore</implementation>
  <properties>
    <property name="datasource">WSO2_ANALYTICS_EVENT_STORE_DB</property>
    <property name="category">write_optimized</property>
  </properties>
</analytics-record-store>
<analytics-record-store name="PROCESSED_DATA_STORE">
  <implementation>org.wso2.carbon.analytics.datasource.rdbms.RDBMSAnalyticsRecordStore</implementation>
  <properties>
    <property name="datasource">WSO2_ANALYTICS_PROCESSED_DATA_STORE_DB</property>
    <property name="category">read_write_optimized</property>
  </properties>
</analytics-record-store>
Required configurations
When configuring the minimum high availability cluster, the following setup should be done on both nodes.
- Do the following database-related configurations.
Follow the steps below to configure the
<IS Analytics_HOME>/repository/conf/datasources/master-datasources.xml
file as required.
Note that you can point all these datasources to a single database as it is not technically necessary to separate the data into different databases. However, if required, you can have separate databases as well.
The steps given below demonstrate the flow assuming you have created separate databases for each. If you are using a single database instead, simply point the datasources indicated below to a single database.
Enable all the nodes to access the users database by configuring a datasource to be used by user manager as shown below.
<datasource>
  <name>WSO2UM_DB</name>
  <description>The datasource used by user manager</description>
  <jndiConfig>
    <name>jdbc/WSO2UM_DB</name>
  </jndiConfig>
  <definition type="RDBMS">
    <configuration>
      <url>jdbc:mysql://[MySQL DB url]:[port]/userdb</url>
      <username>[user]</username>
      <password>[password]</password>
      <driverClassName>com.mysql.jdbc.Driver</driverClassName>
      <maxActive>50</maxActive>
      <maxWait>60000</maxWait>
      <testOnBorrow>true</testOnBorrow>
      <validationQuery>SELECT 1</validationQuery>
      <validationInterval>30000</validationInterval>
    </configuration>
  </definition>
</datasource>
Enable the nodes to access the registry database by configuring the WSO2REG_DB data source as follows.
<datasource>
    <name>WSO2REG_DB</name>
    <description>The datasource used by the registry</description>
    <jndiConfig>
        <name>jdbc/WSO2REG_DB</name>
    </jndiConfig>
    <definition type="RDBMS">
        <configuration>
            <url>jdbc:mysql://[MySQL DB url]:[port]/regdb</url>
            <username>[user]</username>
            <password>[password]</password>
            <driverClassName>com.mysql.jdbc.Driver</driverClassName>
            <maxActive>50</maxActive>
            <maxWait>60000</maxWait>
            <testOnBorrow>true</testOnBorrow>
            <validationQuery>SELECT 1</validationQuery>
            <validationInterval>30000</validationInterval>
        </configuration>
    </definition>
</datasource>
For detailed information about registry sharing strategies, see the library article Sharing Registry Space across Multiple Product Instances.
Point to your databases WSO2_ANALYTICS_EVENT_STORE_DB and WSO2_ANALYTICS_PROCESSED_DATA_STORE_DB in the <IS Analytics_HOME>/repository/conf/datasources/analytics-datasources.xml file as shown below.
<datasources-configuration>
    <providers>
        <provider>org.wso2.carbon.ndatasource.rdbms.RDBMSDataSourceReader</provider>
    </providers>
    <datasources>
        <datasource>
            <name>WSO2_ANALYTICS_EVENT_STORE_DB</name>
            <description>The datasource used for analytics record store</description>
            <definition type="RDBMS">
                <configuration>
                    <url>jdbc:mysql://[MySQL DB url]:[port]/WSO2_ANALYTICS_EVENT_STORE_DB</url>
                    <username>[username]</username>
                    <password>[password]</password>
                    <driverClassName>com.mysql.jdbc.Driver</driverClassName>
                    <maxActive>50</maxActive>
                    <maxWait>60000</maxWait>
                    <testOnBorrow>true</testOnBorrow>
                    <validationQuery>SELECT 1</validationQuery>
                    <validationInterval>30000</validationInterval>
                    <defaultAutoCommit>false</defaultAutoCommit>
                </configuration>
            </definition>
        </datasource>
        <datasource>
            <name>WSO2_ANALYTICS_PROCESSED_DATA_STORE_DB</name>
            <description>The datasource used for analytics record store</description>
            <definition type="RDBMS">
                <configuration>
                    <url>jdbc:mysql://[MySQL DB url]:[port]/WSO2_ANALYTICS_PROCESSED_DATA_STORE_DB</url>
                    <username>[username]</username>
                    <password>[password]</password>
                    <driverClassName>com.mysql.jdbc.Driver</driverClassName>
                    <maxActive>50</maxActive>
                    <maxWait>60000</maxWait>
                    <testOnBorrow>true</testOnBorrow>
                    <validationQuery>SELECT 1</validationQuery>
                    <validationInterval>30000</validationInterval>
                    <defaultAutoCommit>false</defaultAutoCommit>
                </configuration>
            </definition>
        </datasource>
    </datasources>
</datasources-configuration>
For more information, see Datasources in DAS documentation.
To share the user store among the nodes, open the <IS Analytics_HOME>/repository/conf/user-mgt.xml file and modify the dataSource property of the <configuration> element as follows.
<configuration>
    ...
    <Property name="dataSource">jdbc/WSO2UM_DB</Property>
</configuration>
The datasource name specified in this configuration should be the same as the datasource used by user manager that you configured in sub step a, i.
In the <IS Analytics_HOME>/repository/conf/registry.xml file, add or modify the dataSource attribute of the <dbConfig name="govregistry"> element as follows.
<dbConfig name="govregistry">
    <dataSource>jdbc/WSO2REG_DB</dataSource>
</dbConfig>
<remoteInstance url="https://localhost:9443/registry">
    <id>gov</id>
    <cacheId>user@jdbc:mysql://localhost:3306/regdb</cacheId>
    <dbConfig>govregistry</dbConfig>
    <readOnly>false</readOnly>
    <enableCache>true</enableCache>
    <registryRoot>/</registryRoot>
</remoteInstance>
<mount path="/_system/governance" overwrite="true">
    <instanceId>gov</instanceId>
    <targetPath>/_system/governance</targetPath>
</mount>
<mount path="/_system/config" overwrite="true">
    <instanceId>gov</instanceId>
    <targetPath>/_system/config</targetPath>
</mount>
Do not replace the following configuration when adding in the mounting configurations. The registry mounting configurations mentioned in the above steps should be added in addition to the following.
<dbConfig name="wso2registry">
    <dataSource>jdbc/WSO2CarbonDB</dataSource>
</dbConfig>
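The requirement above, that the JNDI names used in user-mgt.xml and registry.xml match datasources defined in master-datasources.xml, can be checked on each node before start-up. This is an added example, not WSO2 code: the function names are its own, and the sample XML is constructed with a deliberate typo in the registry JNDI name and an unfilled URL placeholder.

```python
import re
import xml.etree.ElementTree as ET

# Constructed samples modelled on the fragments on this page (not real files).
MASTER = """<datasources-configuration><datasources>
 <datasource><name>WSO2UM_DB</name><jndiConfig><name>jdbc/WSO2UM_DB</name></jndiConfig>
  <definition type="RDBMS"><configuration>
   <url>jdbc:mysql://db.example.internal:3306/userdb</url>
  </configuration></definition></datasource>
 <datasource><name>WSO2REG_DB</name><jndiConfig><name>jdbc/WSO2REG_DB</name></jndiConfig>
  <definition type="RDBMS"><configuration>
   <url>jdbc:mysql://[MySQL DB url]:[port]/regdb</url>
  </configuration></definition></datasource>
</datasources></datasources-configuration>"""
USER_MGT = """<UserManager><Realm><Configuration>
 <Property name="dataSource">jdbc/WSO2UM_DB</Property>
</Configuration></Realm></UserManager>"""
REGISTRY = """<wso2registry>
 <dbConfig name="govregistry"><dataSource>jdbc/WSO2REGDB</dataSource></dbConfig>
 <remoteInstance url="https://localhost:9443/registry">
  <dbConfig>govregistry</dbConfig></remoteInstance>
</wso2registry>"""

def defined_datasources(master_xml):
    """Map each JNDI name in master-datasources.xml to its JDBC URL."""
    found = {}
    for ds in ET.fromstring(master_xml).iter("datasource"):
        jndi = ds.findtext("jndiConfig/name")
        if jndi:
            found[jndi.strip()] = ds.findtext("definition/configuration/url", "")
    return found

def references(user_mgt_xml, registry_xml):
    """Collect (location, JNDI name) pairs that must resolve to a datasource."""
    refs = []
    for prop in ET.fromstring(user_mgt_xml).iter("Property"):
        if prop.get("name") == "dataSource":
            refs.append(("user-mgt.xml", (prop.text or "").strip()))
    for db in ET.fromstring(registry_xml).iter("dbConfig"):
        if db.get("name"):  # skip the bare <dbConfig> inside <remoteInstance>
            where = "registry.xml dbConfig " + db.get("name")
            refs.append((where, (db.findtext("dataSource") or "").strip()))
    return refs

def audit(master_xml, user_mgt_xml, registry_xml):
    defined = defined_datasources(master_xml)
    findings = [f"{where}: {name!r} is not defined in master-datasources.xml"
                for where, name in references(user_mgt_xml, registry_xml)
                if name not in defined]
    # Template tokens such as [port]; an IPv6 literal like [::1] is not flagged.
    findings += [f"{name}: URL still contains a [placeholder]" for name, url
                 in defined.items() if re.search(r"\[[A-Za-z][^\]:]*\]", url)]
    return findings

if __name__ == "__main__":
    print("\n".join(audit(MASTER, USER_MGT, REGISTRY)))
```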
- Update the <IS Analytics_HOME>/repository/conf/axis2/axis2.xml file as follows to enable Hazelcast clustering for both nodes.
Set the enable attribute of the <clustering class="org.wso2.carbon.core.clustering.hazelcast.HazelcastClusteringAgent"> element to true as shown below to enable Hazelcast clustering.
<clustering class="org.wso2.carbon.core.clustering.hazelcast.HazelcastClusteringAgent" enable="true">
Enable wka mode on both nodes as shown below. For more information on wka mode, read About membership schemes.
<parameter name="membershipScheme">wka</parameter>
Add both the nodes as well known members in the cluster under the members tag in each node as shown in the example below.
<members>
    <member>
        <hostName>[node1 IP]</hostName>
        <port>[node1 port]</port>
    </member>
    <member>
        <hostName>[node2 IP]</hostName>
        <port>[node2 port]</port>
    </member>
</members>
For each node, enter the respective server IP address as the value for the localMemberHost property as shown below.
<parameter name="localMemberHost">[Server_IP_Address]</parameter>
Configure the <IS Analytics_HOME>/repository/conf/event-processor.xml file as follows to cluster IS Analytics in the Receiver.
Enable the HA mode by setting the following property.
<mode name="HA" enable="true">
Disable the Distributed mode by setting the following property.
<mode name="Distributed" enable="false">
For each node, enter the respective server IP address under the HA mode Config section as shown in the example below.
When you enable the HA mode for WSO2 IS Analytics, the following are enabled by default:
- State persistence: If there is no real time use case that requires any state information after starting the cluster, you should disable event persistence by setting the enable attribute of the persistence element to false in the <IS Analytics_HOME>/repository/conf/event-processor.xml file as shown below.
<persistence enable="false">
    <persistenceIntervalInMinutes>15</persistenceIntervalInMinutes>
    <persisterSchedulerPoolSize>10</persisterSchedulerPoolSize>
    <persister class="org.wso2.carbon.event.processor.core.internal.persistence.FileSystemPersistenceStore">
        <property key="persistenceLocation">cep_persistence</property>
    </persister>
</persistence>
When state persistence is enabled for WSO2 IS Analytics, the internal state of IS Analytics is persisted in files. These files are not automatically deleted. Therefore, if you want to save space in your IS Analytics pack, you need to delete them manually.
These files are created in the <IS Analytics_HOME>/cep_persistence/<tenant-id> directory. This directory has a separate sub-directory for each execution plan. Each execution plan can have multiple files. The format of each file name is <TIMESTAMP>_<EXECUTION_PLAN_NAME> (e.g., 1493101044948_MyExecutionPlan). If you want to clear files for a specific execution plan, you need to leave the two files with the latest timestamps and delete the rest.
- Event synchronization: However, if you set the event.duplicated.in.cluster=true property for an event receiver configured in a node, IS Analytics does not perform event synchronization for that receiver.
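The manual clean-up of state persistence files described above can be scripted. The following is an added example, not part of the product: it walks a tenant directory, groups files by execution plan, and keeps the two files with the latest timestamps for each plan. The function names, the sub-directory names and the tenant directory name in the sample layout are constructed for the demonstration.

```python
import os
import re
import tempfile
from collections import defaultdict

# File names follow <TIMESTAMP>_<EXECUTION_PLAN_NAME>, as stated on this page.
NAME_RE = re.compile(r"^(\d+)_(.+)$")

def stale_snapshots(tenant_dir, keep=2):
    """Return persistence files to delete, keeping the `keep` newest per plan."""
    by_plan = defaultdict(list)
    for root, _dirs, files in os.walk(tenant_dir):
        for fname in files:
            m = NAME_RE.match(fname)
            if m:  # anything not in the documented format is left alone
                path = os.path.join(root, fname)
                by_plan[(root, m.group(2))].append((int(m.group(1)), path))
    stale = []
    for entries in by_plan.values():
        # Compare timestamps as integers: a string sort would rank "999" above "1493...".
        entries.sort(reverse=True)
        stale.extend(path for _ts, path in entries[keep:])
    return sorted(stale)

def purge(tenant_dir, keep=2, dry_run=True):
    """Delete stale files, or only list them when dry_run is set."""
    stale = stale_snapshots(tenant_dir, keep)
    if not dry_run:
        for path in stale:
            os.remove(path)
    return stale

def build_sample(base):
    """Constructed layout for the demo: one tenant directory, two execution plans."""
    tenant = os.path.join(base, "cep_persistence", "-1234")
    layout = {"MyExecutionPlan": [1493101044948, 1493101944948, 1493102844948, 999],
              "OtherPlan": [1493101044948]}
    for plan, stamps in layout.items():
        os.makedirs(os.path.join(tenant, plan))
        for ts in stamps:
            open(os.path.join(tenant, plan, f"{ts}_{plan}"), "w").close()
    return tenant

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:
        for path in purge(build_sample(base), dry_run=True):
            print("would delete", path)
```

Run it with dry_run=True first and review the list before deleting anything on a live node.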
<!-- HA Mode Config -->
<mode name="HA" enable="true">
    ...
    <eventSync>
        <hostName>[Server_IP_Address]</hostName>
The following node types are configured for the HA deployment mode in the <IS Analytics_HOME>/repository/conf/event-processor.xml file.
- eventSync: Both the active and the passive nodes in this setup are event synchronizing nodes as explained in the introduction. Therefore, each node should have the host and the port on which it is operating specified under the <eventSync> element.
Note that the eventSync port is not automatically updated to the port in which each node operates via port offset.
- management: In this setup, both the nodes carry out the same tasks, and therefore, both nodes are considered manager nodes. Therefore, each node should have the host and the port on which it is operating specified under the <management> element.
Note that the management port is not automatically updated to the port in which each node operates via port offset.
- presentation: You can optionally specify only one of the two nodes in this setup as the presenter node. The dashboards in which processed information is displayed are configured only in the presenter node. Each node should have the host and the port on which the assigned presenter node is operating specified under the <presentation> element. The host and the port as well as the other configurations under the <presentation> element are effective only when the presenter enable="false" property is set under the <!-- HA Mode Config --> section.
Update the <IS Analytics_HOME>/repository/conf/analytics/spark/spark-defaults.conf file as follows to use the Spark cluster embedded within IS Analytics.
- Keep the carbon.spark.master configuration as local. This instructs Spark to create a Spark cluster using the Hazelcast cluster.
- Enter 2 as the value for the carbon.spark.master.count configuration. This specifies that there should be two masters in the Spark cluster. One master serves as an active master and the other serves as a stand-by master.
The following example shows the <IS Analytics_HOME>/repository/conf/analytics/spark/spark-defaults.conf file with changes mentioned above.
carbon.spark.master local
carbon.spark.master.count 2
For more information, see Spark Configurations in DAS documentation.
Important: If the path to <IS Analytics_HOME> is different in the two nodes, please do the following.
- Keep the
In order to share the C-Apps deployed among the nodes, configure the SVN-based deployment synchronizer. For detailed instructions, see Configuring SVN-Based Deployment Synchronizer.
IS Analytics Minimum High availability Deployment set up does not use a manager and a worker. For the purpose of configuring the deployment synchronizer, you can add the configurations relevant to the manager for the node of your choice, and add the configurations relating to the worker for the other node.
If you do not configure the deployment synchronizer, you are required to deploy any C-App you use in the IS Analytics Minimum High Availability Deployment set up to both the nodes.
If the physical IS Analytics server has multiple network interfaces with different IPs, and if you want Spark to use a specific Interface IP, open either the <IS Analytics_HOME>/bin/load-spark-env-vars.sh file (for Linux) or <IS Analytics_HOME>/bin/load-spark-env-vars.bat file (for Windows), and add the following parameter to configure the Spark IP address.
export SPARK_LOCAL_IP=<IP_Address>
Starting the cluster
Once you complete the configurations mentioned above, start the two IS Analytics nodes. If the cluster is successfully configured, the following CLI logs are generated.
The following is displayed in the CLIs of both nodes, and it indicates that the registry mounting is successfully done.
[2016-01-28 14:20:53,596] INFO {org.wso2.carbon.registry.core.jdbc.EmbeddedRegistryService} - Configured Registry in 107ms
[2016-01-28 14:20:53,631] INFO {org.wso2.carbon.registry.core.jdbc.EmbeddedRegistryService} - Connected to mount at govregistry in 7ms
[2016-01-28 14:20:53,818] INFO {org.wso2.carbon.registry.core.jdbc.EmbeddedRegistryService} - Connected to mount at govregistry in 0ms
A CLI log similar to the following is displayed for the first node you start to indicate that it has successfully started.
[2016-01-28 14:32:40,283] INFO {org.wso2.carbon.core.clustering.hazelcast.HazelcastClusteringAgent} - Using wka based membership management scheme
[2016-01-28 14:32:40,284] INFO {org.wso2.carbon.core.clustering.hazelcast.util.MemberUtils} - Added member: Host:10.100.0.46, Remote Host:null, Port: 4000, HTTP:-1, HTTPS:-1, Domain: null, Sub-domain:null, Active:true
[2016-01-28 14:32:40,284] INFO {org.wso2.carbon.core.clustering.hazelcast.util.MemberUtils} - Added member: Host:10.100.0.46, Remote Host:null, Port: 4001, HTTP:-1, HTTPS:-1, Domain: null, Sub-domain:null, Active:true
[2016-01-28 14:32:41,665] INFO {org.wso2.carbon.core.clustering.hazelcast.HazelcastClusteringAgent} - Hazelcast initialized in 1379ms
[2016-01-28 14:32:41,728] INFO {org.wso2.carbon.core.clustering.hazelcast.HazelcastClusteringAgent} - Local member: [9c7619a9-8460-465d-8fd0-7eab1c464386] - Host:10.100.0.46, Remote Host:null, Port: 4000, HTTP:9763, HTTPS:9443, Domain: wso2.carbon.domain, Sub-domain:worker, Active:true
[2016-01-28 14:32:41,759] INFO {org.wso2.carbon.core.clustering.hazelcast.HazelcastClusteringAgent} - Elected this member [9c7619a9-8460-465d-8fd0-7eab1c464386] as the Coordinator node
[2016-01-28 14:32:41,847] INFO {org.wso2.carbon.event.processor.manager.core.internal.HAManager} - CEP HA Snapshot Server started on 0.0.0.0:10005
[2016-01-28 14:32:41,850] INFO {org.wso2.carbon.event.processor.manager.core.internal.HAManager} - Became CEP HA Active Member
[2016-01-28 14:32:41,885] INFO {org.wso2.carbon.core.clustering.hazelcast.HazelcastClusteringAgent} - Cluster initialization completed
Once you start the second node, a CLI log similar to the following will be displayed for the first node to indicate that another node has joined the cluster.
[2016-01-28 14:34:13,252] INFO {org.wso2.carbon.core.clustering.hazelcast.wka.WKABasedMembershipScheme} - Member joined [504bceff-4a08-46fe-83e6-b9561d3fff81]: /10.100.0.46:4001
[2016-01-28 14:34:15,963] INFO {org.wso2.carbon.event.processor.manager.commons.transport.client.TCPEventPublisher} - Connecting to 10.100.0.46:11224
[2016-01-28 14:34:15,972] INFO {org.wso2.carbon.event.processor.manager.core.internal.EventHandler} - CEP sync publisher initiated to Member '10.100.0.46:11224'
A CLI log similar to the following is displayed for the second node once it joins the cluster.
[2016-01-28 14:34:27,086] INFO {org.wso2.carbon.analytics.spark.core.internal.SparkAnalyticsExecutor} - Spark Master map size after starting masters : 2
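The start-up messages listed above can be checked automatically instead of by eye. The following is an added example, not WSO2 tooling: it scans a node's log for the messages this page shows and also confirms that the node's own host and port appear among the well-known members it loaded. The grouping of messages per node and all names in the code are this example's assumptions; the log excerpt is constructed from lines copied from the sample output above.

```python
import re

# Constructed excerpt: first-node lines copied from the sample output on this page.
FIRST_NODE_LOG = """\
[2016-01-28 14:20:53,631] INFO {org.wso2.carbon.registry.core.jdbc.EmbeddedRegistryService} - Connected to mount at govregistry in 7ms
[2016-01-28 14:32:40,283] INFO {org.wso2.carbon.core.clustering.hazelcast.HazelcastClusteringAgent} - Using wka based membership management scheme
[2016-01-28 14:32:40,284] INFO {org.wso2.carbon.core.clustering.hazelcast.util.MemberUtils} - Added member: Host:10.100.0.46, Remote Host:null, Port: 4000, HTTP:-1, HTTPS:-1, Domain: null, Sub-domain:null, Active:true
[2016-01-28 14:32:40,284] INFO {org.wso2.carbon.core.clustering.hazelcast.util.MemberUtils} - Added member: Host:10.100.0.46, Remote Host:null, Port: 4001, HTTP:-1, HTTPS:-1, Domain: null, Sub-domain:null, Active:true
[2016-01-28 14:32:41,728] INFO {org.wso2.carbon.core.clustering.hazelcast.HazelcastClusteringAgent} - Local member: [9c7619a9-8460-465d-8fd0-7eab1c464386] - Host:10.100.0.46, Remote Host:null, Port: 4000, HTTP:9763, HTTPS:9443, Domain: wso2.carbon.domain, Sub-domain:worker, Active:true
[2016-01-28 14:32:41,850] INFO {org.wso2.carbon.event.processor.manager.core.internal.HAManager} - Became CEP HA Active Member
[2016-01-28 14:32:41,885] INFO {org.wso2.carbon.core.clustering.hazelcast.HazelcastClusteringAgent} - Cluster initialization completed
[2016-01-28 14:34:13,252] INFO {org.wso2.carbon.core.clustering.hazelcast.wka.WKABasedMembershipScheme} - Member joined [504bceff-4a08-46fe-83e6-b9561d3fff81]: /10.100.0.46:4001
"""

MARKERS = {
    "registry_mount": r"Connected to mount at govregistry",
    "wka_scheme": r"Using wka based membership management scheme",
    "ha_active": r"Became CEP HA Active Member",
    "cluster_init": r"Cluster initialization completed",
    "member_joined": r"Member joined \[[0-9a-f-]+\]",
    "spark_masters_2": r"Spark Master map size after starting masters : 2\b",
}
ADDED = re.compile(r"Added member: Host:([^,]+),.*?Port: (\d+)")
LOCAL = re.compile(r"Local member: \[[^\]]+\] - Host:([^,]+),.*?Port: (\d+)")
# Which messages to expect on which node (this example's grouping of the page's logs).
FIRST_NODE = {"registry_mount", "wka_scheme", "ha_active", "cluster_init",
              "member_joined", "local_member_in_wka_list"}
SECOND_NODE = {"registry_mount", "spark_masters_2"}

def startup_report(log_text):
    """Return {check name: bool} for one node's start-up log."""
    seen = {name: False for name in MARKERS}
    wka, local = set(), None
    for line in log_text.splitlines():
        for name, pattern in MARKERS.items():
            seen[name] = seen[name] or bool(re.search(pattern, line))
        added, me = ADDED.search(line), LOCAL.search(line)
        if added:
            wka.add((added.group(1), int(added.group(2))))
        if me:
            local = (me.group(1), int(me.group(2)))
    # The node's own host:port should be one of the well-known members.
    seen["local_member_in_wka_list"] = local in wka
    return seen

def missing(log_text, required):
    """Names of the required checks that the log does not satisfy."""
    report = startup_report(log_text)
    return sorted(name for name in required if not report[name])

if __name__ == "__main__":
    print(missing(FIRST_NODE_LOG, FIRST_NODE))
```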
The following are some exceptions you may see in the startup log when you start the cluster.
When you start the passive node of the HA cluster, the following errors are displayed.
This is because the artifacts are yet to be deployed in the passive node even though it has received the sync message from the active node. This error is no longer displayed once the start up for the passive node is complete.
When the Apache Spark Cluster is not properly instantiated, the following errors are displayed.
All the nodes in the Spark cluster should be started in order to stop this exception from occurring.
Testing the HA deployment
The HA deployment you configured can be tested as follows.
- Access the Spark UIs of the active master and the stand-by master using <node ip>:8081 in each node.
- Information relating to the active master is displayed as shown in the example below.
- Information relating to the stand-by master is displayed as shown in the example below.
- Click the links under Running Applications in the Spark UI of the active master to check the Spark application UIs of those applications. A working application is displayed as shown in the following example.
- Click the Environment tab of a Spark application UI to check whether all the configuration parameters are correctly set. You can also check whether the class path variables in this tab can be accessed manually.
- Check the Spark UIs of workers to check whether they have running executors. If a worker UI does not have running executors or if it is continuously creating executors, it indicates an issue in the Spark cluster configuration. The following example shows a worker UI with a running executor.
- Check the symbolic parameter, and check if you could manually access it via a cd <directory> command in the CLI.
- Log into the IS Analytics Management Console and navigate to Main => Manage => Batch Analytics => Console to open the Interactive Analytics Console. Run a query in this console.