2.3 Using High Availability and Load Balancing with Secure API Manager

Secure API Manager supports high availability and load balancing for its components through an L4 switch. You must install and deploy an L4 switch for each component that you want to cluster in your environment, and you must enable session persistence on each L4 switch. You must also install a Network File System (NFS) server to synchronize content between the nodes in the clusters.

Secure API Manager uses your browser's session storage to facilitate seamless high availability and load balancing for the different Secure API Manager components. Here are some reasons why you would want to cluster the different components:

  • Analytics: Clustering the Analytics server provides a backup of the analytics information in case of disasters or hardware failures.

  • API Gateway: Clustering the API Gateway facilitates the API authorizations by load balancing the authorizations to the different nodes in the cluster and providing a backup of the APIs in case of a disaster or hardware failure.

  • Database Service: Clustering the Database Service provides a backup of your configuration information stored on the Database Service in case of a disaster or hardware failure.

  • Lifecycle Manager: Clustering the Lifecycle Manager allows for high availability to the Store, Publisher, management console, and administration console. If one node goes down, users can still access and use whichever console they need.

Use the following information to enable load balancing with an L4 switch and an NFS server.

2.3.1 Enabling High Availability and Load Balancing

Secure API Manager supports high availability and load balancing for the different components with the use of an L4 switch. If you want high availability and load balancing, you must install and deploy a separate L4 switch for each component that you want to cluster, and you must enable session persistence on each switch. For example, if you want to cluster the Database Service and Analytics, you must deploy two separate L4 switches.

Ensure that you use sticky sessions or session persistence in the L4 switches. Otherwise, when the existing sessions of API developers and administrators change while they are working, Secure API Manager requires them to re-authenticate before they can continue. If the L4 switches have sticky sessions, users and administrators do not have to re-authenticate.

You must configure the following ports in the L4 switch for the various Secure API Manager components.

Table 2-1 L4 Ports

  Component           Ports
  ------------------  ---------------------------------
  Database Service    5432: Postgres
  Lifecycle Manager   9444: HTTPS Servlet Transport
                      5673: Internal Message Broker
                      9763: WebSockets
  API Gateway         8246: NIO/PT Transport
                      9446: HTTPS Servlet Transport
                      9102: WebSockets
  Analytics           7613: Throttling authentication
                      7713: Throttling secure transport
                      9443: HTTPS servlet transport

Use the following information to help you deploy an L4 switch for the components you want to cluster.

  1. Install an L4 switch and ensure that you use session persistence.

  2. Deploy two or more separate appliances for each component that you want to cluster. Each appliance must have a separate IP address and the L4 switch provides the DNS name of the component.

  3. Ensure that the L4 switch is configured to use sticky sessions. For a given browser session, the session must remain on the same Secure API Manager node over time unless the Secure API Manager node becomes unavailable.

  4. Follow the L4 switch documentation to configure the L4 switch to provide load balancing for the Secure API Manager nodes. Use the information provided in Table 2-1 to configure the appropriate ports on the L4 switch.

  5. Repeat the steps for each component that you deploy.
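
A pre-flight check for step 4, as an added example that is not part of the product documentation: it probes every node of a component on its Table 2-1 ports and lists the ones that do not answer, so a node is not placed behind the L4 switch with a closed listener. The component keywords, the `probe` helper (which assumes `nc` is installed) and the 192.0.2.x addresses are illustrative assumptions.

```shell
#!/bin/sh
# Added example, not product code: confirm that each node answers on the
# Table 2-1 ports of its component before adding it to the L4 pool.
# Usage (constructed addresses): check_pool gateway 192.0.2.11 192.0.2.12

# ports_for COMPONENT -> space-separated TCP ports from Table 2-1.
# The component keywords are hypothetical labels chosen for this script.
ports_for() {
    case $1 in
        database)  echo "5432" ;;
        lifecycle) echo "9444 5673 9763" ;;
        gateway)   echo "8246 9446 9102" ;;
        analytics) echo "7613 7713 9443" ;;
        *) return 1 ;;
    esac
}

# probe HOST PORT -> 0 if a TCP connection succeeds within 3 seconds.
# Assumption: an nc that supports -z and -w is installed.
probe() { nc -z -w 3 "$1" "$2" >/dev/null 2>&1; }

# check_pool COMPONENT NODE...
# Prints "node:port" for every port that does not answer.
# Returns 0 if all ports answer, 1 if any is closed, 2 for an unknown component.
check_pool() {
    component=$1; shift
    ports=$(ports_for "$component") || {
        echo "unknown component: $component" >&2
        return 2
    }
    rc=0
    for node in "$@"; do
        for port in $ports; do
            probe "$node" "$port" || { echo "$node:$port"; rc=1; }
        done
    done
    return $rc
}
```

Run it from a host on the same network segment as the L4 switch so that the result reflects what the switch itself can reach.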

2.3.2 Configuring Content Synchronization for High Availability Using a Network File System Server

Secure API Manager supports high availability and load balancing with an L4 switch in front of the different components to cluster the components. You must deploy at least two separate appliances of the same component for high availability and load balancing. However, you must also use a Network File System (NFS) server to synchronize the content between the multiple nodes in the cluster to provide high availability and load balancing.

Secure API Manager stores configuration information in the Database Service component as well as in the file system on the other components. When you cluster the Lifecycle Manager and the API Gateway, Secure API Manager uses the NFS server to synchronize the configuration files between the clustered nodes. If you do not use the NFS server, the files are not synchronized and you can lose the configuration information of your APIs and corrupt the APIs.

Secure API Manager mounts the API-M_HOME/repository/deployment/server directory from the two nodes to the shared file system, in order to share all APIs and throttling policies between all the nodes, thereby avoiding the vulnerability of a single point of failure.

Before you deploy Secure API Manager, you must already have an NFS server in your IT environment, or you must install and configure one. The Deployment Manager validates that the NFS server is up and communicating; if it is not, the deployment does not continue.

Secure API Manager does not provide an NFS server for you. You are responsible for maintaining the NFS server. You must perform the following steps to ensure that the NFS server contains the proper content for Secure API Manager to function.

  1. Ensure that you have a supported version of the NFS server deployed and running in your IT environment. For more information, see Deployment Requirements of Secure API Manager.

  2. Create an empty folder with the proper permissions on the NFS server where Secure API Manager stores the shared content.

    1. Create an empty directory with any name. Ensure that you record this directory name for later use. For example: /sapim-gw

    2. Ensure that the directory has the correct NFS permissions (read, write, and execute).

    3. For security, map the incoming Linux identities from Secure API Manager (user 802, group 802) by adding an entry to /etc/exports on the NFS server. For example:

      /sapim-gw *(rw,sync,no_subtree_check,all_squash,anonuid=802,anongid=802)

    4. Export the directory using the command exportfs -a.

  3. During the configuration of the API Gateway and the Lifecycle Manager, you must enter the following information for the NFS server:

    sharedStorageHost

    Specify the IP address or DNS name of the NFS server.

    sharedStorageMount

    Specify the name of the directory you created on the NFS server in Step 2.
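
A check for the /etc/exports entry from Step 2, as an added example that is not part of the product documentation: it verifies that each client specification has a closed option list and carries the read-write and squash-to-802 options shown above, and it notes when the entry is exported to every host (a `*` client matches all hosts). The function and variable names are illustrative, and the sample entry at the end is constructed.

```shell
#!/bin/sh
# Added example, not product code: audit one /etc/exports entry against the
# settings from Step 2 (read-write, every caller squashed to uid/gid 802).

REQUIRED_OPTS="rw all_squash anonuid=802 anongid=802"

# check_export ENTRY DIR
# Prints one finding per line. Returns 0 when every client specification
# carries the required options, 1 otherwise. A wildcard or empty client is
# reported as WARN only and does not change the return code.
check_export() {
    entry=$1; want_dir=$2; rc=0
    set -f                       # keep a literal "*" client from globbing
    set -- $entry                # split into path and client specifications
    set +f
    if [ "$1" != "$want_dir" ]; then
        echo "FAIL: exported path '$1' is not '$want_dir'"; return 1
    fi
    shift
    if [ $# -eq 0 ]; then
        echo "FAIL: no client specification"; return 1
    fi
    for spec in "$@"; do
        case $spec in
            *\(*\)) ;;
            *) echo "FAIL: '$spec' has no closed option list"; rc=1; continue ;;
        esac
        client=${spec%%\(*}                    # text before the first "("
        opts=${spec#*\(}; opts=${opts%\)}      # text between "(" and ")"
        for need in $REQUIRED_OPTS; do
            case ",$opts," in
                *",$need,"*) ;;
                *) echo "FAIL: client '$client' lacks $need"; rc=1 ;;
            esac
        done
        case $client in
            ''|'*') echo "WARN: entry is exported to every host" ;;
        esac
    done
    return $rc
}

# Constructed sample: the entry from Step 2 with its wildcard client.
check_export '/sapim-gw *(rw,sync,no_subtree_check,all_squash,anonuid=802,anongid=802)' /sapim-gw
```

Replacing `*` with the addresses of the clustered nodes clears the warning and limits who can mount the shared directory.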