Operating the Cluster
When running PhenixID authentication services in a clustered configuration, it is important that services, nodes and external dependencies are operated, maintained and monitored closely. In general, PAS has a central role in the day-to-day work of the users and should be handled accordingly.
Communication routes
Ensure that the required ports are open at all times and are not blocked by firewalls. Latency between cluster nodes should be kept as low as possible. Since PAS operates in an "eventually consistent" mode, the lower the latency, the better.
Shorter network glitches should not be a problem, but persistent interference in communications will cause significant performance problems and, in some cases, complete failure.
Synchronized time
It is absolutely essential that all nodes synchronize their time against the same time sync server(s).
Restarting of services/nodes
Services or entire nodes should not be restarted in an "unmonitored" manner. When nodes need to be restarted, for example due to OS updates, ensure that each node has had time to reconnect to the cluster before restarting other nodes.
Verify logs
Make it a daily routine to verify the logs of the cluster, so that anomalies or misbehaviour are identified at an early stage.
Cluster Freeze on Windows
Caution
On Windows, the default behavior of the Windows Firewall can cause the internal Hazelcast cluster in PhenixID Authentication Services to freeze for approximately one minute when a node leaves the cluster, which in turn freezes access to the configuration and the sessions.
This problem only seems to occur if the Windows Firewall "Domain profile" is enabled.
The firewall feature responsible is called "stealth mode" and is enabled by default.
How to disable stealth mode
- Import the registry file (see below, save as a .reg-file)
- Reboot the Windows server
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableStealthMode"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableStealthMode"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableStealthMode"=dword:00000001
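To confirm on each cluster node that the import took hold, the following PowerShell check reads the three values from the .reg file above and compares them with the firewall profiles that are actually enabled. It is an added example, not part of the PhenixID documentation; the report layout and exit code are assumptions, and it reads the configured registry values only, so the reboot step still applies.

```powershell
# Added example: audit DisableStealthMode for every Windows Firewall profile.
# Registry paths and the value name are the ones used in the .reg file above.
# Run in an elevated PowerShell session on each cluster node.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'

# Firewall profile name -> registry subkey (StandardProfile is the Private profile).
$profiles = [ordered]@{
    Domain  = 'DomainProfile'
    Private = 'StandardProfile'
    Public  = 'PublicProfile'
}

$report = foreach ($name in $profiles.Keys) {
    $key = Join-Path $base $profiles[$name]

    # Returns $null when the value has never been written.
    $value = (Get-ItemProperty -Path $key -Name DisableStealthMode `
                -ErrorAction SilentlyContinue).DisableStealthMode

    # Enabled is an enum (True / False / NotConfigured), so compare as text.
    $enabled = [string](Get-NetFirewallProfile -Name $name).Enabled -eq 'True'

    [pscustomobject]@{
        Profile            = $name
        FirewallEnabled    = $enabled
        DisableStealthMode = if ($null -eq $value) { '(not set)' } else { $value }
        StealthModeOff     = ($value -eq 1)
    }
}

$report | Format-Table -AutoSize

# A profile that is enabled while stealth mode is still on matches the
# condition the Caution above describes (the Domain profile in particular).
$pending = @($report | Where-Object { $_.FirewallEnabled -and -not $_.StealthModeOff })
if ($pending.Count -gt 0) {
    Write-Warning ("Stealth mode still active for: " + ($pending.Profile -join ', '))
    exit 1
}
Write-Output 'DisableStealthMode is set to 1 for every enabled firewall profile.'
```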