Layer7 API Management

Hello,

we are trying to find some information and documentation on how to install OAuth and MAG on existing Gateway cluster.

Already installed on one gateway. What changes in the process when installing on to a cluster? What are the steps?

Do you know someone who already installed the components on a cluster?

Thank you very much in advance

Imax,

Installing the OAuth and MAG in a cluster follows close to the same instructions and is very standard practice for our customers. As the OAuth Toolkit is a built in functionality of the gateway this will deploy all the required policy and dependency required for all the nodes in the same cluster so once you do this step on one node you do not need to do it on any other node in the cluster. As for MAG, you will need to ensure that the MAG RPM is installed on each of the nodes in the cluster so that the assertion are available. For the Policy Manager deployment portion, it follows the same logic as the OAuth Toolkit that once you deploy the policy and dependencies in the Policy Manager it makes it available throughout the cluster.

OAuth installation guide: Installation Workflow - CA API Management OAuth Toolkit - 3.1 - CA Technologies Documentation

MAG installation guide: https://wiki.ca.com/display/MAG24/Installation+and+Upgrade

Sincerely,

Stephen Hughes

CA Technologies
Director, CA Support

Hi

There is no difference when installing oauth or MAG in a cluster as opposed to a single node.

The cluster:

1)      Make sure both nodes have access to the OTK/MAG db.  Remember when in QA and Prod you should off-box the database for better performance and really the only supported manner from CA.

2)      MAG – you will need to install the rpm on both nodes.

3)      Policy – you will only need to do this once on a cluster.

a.       If the cluster is setup properly you will only need to create otk and run install from the installer once under the task menu

b.      Depending on how the architecture looks you will need to worry about where you install the token/authorization end points.

Hope this helps.

Thanks,

Derek Orr

CA Technologies |885 West Georgia Street Ste 500 | Vancouver, BC V6C 3G1

Office: 1-778-328-5285 | Mobile: +1 778 980 0029 | Derek.Orr@ca.com

<mailto:>[CA]

<http://www.ca.com/us/default.aspx>[Twitter]<http://twitter.com/CAInc>[LinkedIn]<http://www.linkedin.com/company/1372?goback=.cps_1244823420724_1>[Facebook]<https://www.facebook.com/CATechnologies>[YouTube]<http://www.youtube.com/user/catechnologies>[Google]<https://plus.google.com/CATechnologies>[Slideshare]<http://www.slideshare.net/cainc>

Hello Stephen and Derek,

thank you both for your answers.

The next step for us is to verify the procedures described and see how it works.

Do you think this procedures could be included in future releases of the wiki documentation?

Best Regards

Ioan

Hi imax,

I'm attaching an older graphic (pre-2.4) that may help.

In the recent release 2.4, we introduced separation of the OTK database from the MAG database. The upcoming release also uses a different policy installation method.   

I agree, the MAG cluster scenario should be revised and described in the documentation. I will add a backlog story.

Simon

Hello Simon,

thank you for your answer.

For now, we have to create the otk_db on the existing MySQL on the Gateways.

The replication is in place (configured as described in CA documentation, before creating the ssg database).

The next thing for us is to find the best solution for replicating the otk_db (maybe using the create_slave.sh specifying the otk_db when asked)

Also we will have to find a way to backup the otk_db (ssgbackup script is dumping only the ssg using the default settings)

Do you (or anybody else) have any suggestions or maybe some things to keep in mind in the scenario described above, please let us know.

Thank you again.

Regards

Ioan