Managing Administration Consoles Installed with Clustered Identity Servers

You can install the primary Administration Console and Identity Server on the same machine, even when that Identity Server is going to be assigned to a cluster of Identity Servers. You can install a secondary Administration Console on another member of the Identity Server cluster. You cannot configure Administration Console as a virtual group on an L4 switch, because the L4 switch interferes with the communication process between Administration Console and Access Manager components. Each Access Manager component knows about its primary and secondary Administration Console, and knows how to communicate directly with each console. The component, rather than an L4 switch, must decide which console to contact.

However, traffic destined for a cluster of components (Identity Servers or Access Gateways) must pass through an L4 switch. Figure 11-1 illustrates this configuration, showing Identity Servers on the same machine as Administration Consoles.

Figure 11-1 Identity Server Clustering with a Secondary Administration Console

  1. Install the primary Administration Console and an Identity Server on one machine. When importing the Identity Server component, use Administration Console’s IP address.

  2. Install the secondary Administration Console and a second Identity Server on another machine. When importing the second Identity Server, use the primary Administration Console’s IP address.

  3. Specify the L4 VIP as the DNS for the Identity Server cluster configurations that both Identity Servers use. (See Section 2.3, Configuring Identity Servers Clusters.)