Deploying a high-availability cluster of Integration Servers

Creating and configuring a high-availability cluster of Linux-based Integration Servers involves the following steps:

1. Installing components of the high-availability cluster of Integration Servers

   You need to install the components of the high-availability cluster on separate Linux devices. The installation is performed on the command line.

   • On one device, perform the installation and initial configuration of the Integration Server that will act as the primary Integration Server.
   • On another device, perform the installation and initial configuration of the Integration Server that will act as the reserve Integration Server.

     The Kaspersky Security 6.4 solution supports the installation of no more than one reserve Integration Server as part of a high-availability cluster of Integration Servers.

     The procedures for installing the primary and reserve Integration Servers are the same as the procedure for installing a standalone Integration Server. By default, any installed Integration Server has the standalone role, you can change the roles of the Integration Servers later, see step 3.

   • On a third device, which is separate from the devices with the primary and reserve Integration Servers, install and configure the solution that will be used as the load balancer.
2. Creating a certificate for components of the high-availability cluster

   To manage the certificate, you need to use the certificate management tool:

   1. On the primary Integration Server device, run the following command to create a certificate for the Linux-based Integration Server. In the --address option, specify additional addresses: the address of the reserve Integration Server and the address of the load balancer:

      sudo /opt/kaspersky/viis/bin/certificate_manager.sh create-self-signed-certs --outputFolder <path to the directory with the certificate> --address <address of the reserve Integration Server> --address <address of the load balancer>

      The certificate is created in the specified directory.

   2. On the primary Integration Server device, replace the certificate of the primary Integration Server:

      sudo /opt/kaspersky/viis/bin/certificate_manager.sh replace --certificatePath <path to certificate>

3. Configuring interaction between the primary and reserve Integration Servers

   On the Integration Server that will become the primary Integration Server, use the Integration Server REST API to do the following (open the description of REST API requests):

   1. Assign the "primary" role to the Integration Server (PUT /api/3.0/server/configuration/role).

      Assigning the "primary" role on the Integration Server makes available the reserve Integration Server registration and de-registration functionality. The primary Integration Server starts duplicating information about the virtual infrastructure to the reserve Integration Server and periodically synchronizes data between the primary and reserve Integration Servers.

   2. Get the certificate of the reserve Integration Server (GET /api/3.0/sslConfig/getCertificate?address=<address>:<port>).
   3. Add the certificate of the reserve Integration Server to the list of trusted certificates on the primary Integration Server (POST /api/3.0/sslConfig/certificateValidator/rules).
   4. Register the Integration Server that will become the reserve Integration Server on the primary Integration Server (POST /api/3.0/ha/instances).

      The registered Integration Server gets the "reserve" role. As a result, the Integration Server with the "reserve" role can get information about the virtual infrastructure from the primary Integration Server and provide information about SVMs to Light Agents whenever the primary Integration Server is unavailable. The rest of the Integration Server functions are blocked for the reserve Integration Server.

4. Configuring the connection of solution components to the Integration Server as part of a high-availability cluster

   In the settings of SVMs and Light Agents, you need to specify the address and port of the load balancer as the address and port for connecting to the Integration Server.

Page top