You must install and configure Atrium Single Sign-On for high availability before installing the TrueSight Presentation Server. Although Atrium Single Sign-On supports SAML and two-factor authentication, the TrueSight Presentation Server does not support these capabilities. To view the supported external authentication methods, see Atrium Single Sign-On system requirements.
When you choose to implement Atrium Single Sign-On with its embedded database, BMC recommends that you set up two independent ASSO servers and manually keep them in sync.
For example, you would create a user on ASSO Server1 and create the same user on ASSO Server2.
You cannot copy configuration data from one Atrium Single Sign-On server to another if the host names are different, and Atrium Single Sign-On does not provide a mechanism to import and export, or copy from one ASSO server to another.
In the event of a failure, perform the following steps to re-register the active Atrium Single Sign-On server with the Presentation Server:
When integrating Atrium Single Sign-On with your LDAP system, you can configure two ASSO servers behind a load balancer, and point the TrueSight Presentation Server at the load balancer.
You can configure the ASSO servers as though they were Active/Active nodes; however, you must configure the load balancer as described in the following steps.
Atrium Single Sign-On keeps the passive node in sync using built-in Atrium Single Sign-On technology; therefore, you do not need to manually configure synchronization activities.
Typical high-availability deployment
When you configure an Atrium Single Sign-On cluster, one ASSO server member assumes the role of primary, and the other members are secondary members. Only the primary node can answer requests authoritatively; in some cases, the secondary nodes forward their requests to the current primary node. The primary node selection process chooses the elder node, which is the node that was started first in the cluster.
You can determine the current elder node in an Atrium Single Sign-On cluster by reviewing the ASSO HA page. To access the ASSO HA page, you must log on to the ASSO console and access the following URL (example): https://atssoY1.example.com/atriumsso/atsso/ha
The ASSO HA page reports the following fields: Derby DB Enabled, Apache MQ Enabled, Elder Site Id, Elder Boot Time, and Last Update Received.
In this example, the Site ID for atssoY1.example.com is 01, which is also the value of Elder Site Id, so atssoY1.example.com is the current primary. Site ID 01 is typically assigned to the admin node, so the admin node and the primary have the same site ID.
For an ideal configuration, ensure that atssoY1.example.com (the primary) is reachable through the load balancer and that atssoY2.example.com is not, so that requests always reach the authoritative node.
So that you know when to switch from the primary ASSO node to a secondary node in a controlled manner, monitor the primary node to confirm that it is alive and to detect degrading performance. To determine whether the server is running, enter and bookmark the following URL:
Administrators responsible for large environments with a high user load can modify the settings in the setenv.sh and server.xml files. To ensure that resource limits do not contribute to system instability, BMC oversized the Atrium Single Sign-On nodes.
In some cases, the Atrium Single Sign-On server significantly increases its thread count for a short time. Setting maxThreads to 3000 on the HTTPS Connector element in server.xml, as shown in the following fragment, addresses that problem:
maxThreads="3000" scheme="https" secure="true"
As a best practice, BMC recommends that you follow the procedure below when restarting the Atrium Single Sign-On nodes in a high-availability environment. The procedure restarts the secondary node first and the primary node second, and keeps both nodes in the load balancer pool only during the 60-second handover, so that an authoritative node is always reachable. BMC's testing found that, when this process is followed, the system can be restarted daily if necessary.
Restart process for Atrium Single Sign-On in a high-availability environment
1. Wait until Tomcat is ready on the secondary node.
2. Enable the secondary node in the load balancer (LB).
3. Wait 60 seconds for the LB to connect to the targeted active node.
4. Disable the primary node in the LB.
5. Wait 5 minutes for the nodes to sync.
6. Wait until Tomcat is ready on the primary node.
7. Enable the primary node in the LB.
8. Wait 60 seconds for the LB to connect to the targeted active node.
9. Disable the secondary node in the LB.
10. Wait 5 minutes for the nodes to sync.
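The procedure above, scripted as an added example that is not part of this page or of the product: it drives a two-node pair through the documented order, probes Tomcat readiness by requesting the ASSO HA page introduced in the monitoring section, and records every action so the sequence can be verified in a dry run before it touches a load balancer. The hostnames, the use of the HA page as the readiness probe, and the two hook commands (LB_CTL for pool membership and RESTART_CTL for restarting a node, because the page names neither the load balancer product nor the restart command) are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not BMC code: rolling restart of a two-node Atrium Single
# Sign-On HA pair behind a load balancer, in the order the procedure prescribes.
# Assumptions (not from the page): the hostnames below, the HA page as the
# readiness probe, and the LB_CTL / RESTART_CTL hook commands.
set -eu

PRIMARY="${ASSO_PRIMARY:-atssoY1.example.com}"     # node that should be the elder
SECONDARY="${ASSO_SECONDARY:-atssoY2.example.com}"
HA_PATH="/atriumsso/atsso/ha"    # assumed to answer HTTP 200 once Tomcat is up
DRY_RUN="${DRY_RUN:-0}"          # 1 = record the actions only, change nothing
SLEEP_SCALE="${SLEEP_SCALE:-1}"  # multiplier on the documented waits (0 in a dry run)
ACTIONS=""                       # ordered record of actions, space-separated

record() { ACTIONS="${ACTIONS:+$ACTIONS }$1"; printf '%s\n' "$1" >&2; }

tomcat_ready() {
  # Tomcat is considered ready when the HA page answers 200 over TLS. The node's
  # certificate must be trusted by this host (add --cacert for an internal CA);
  # do not weaken this with -k on a script that reconfigures your SSO tier.
  code=$(curl -s -o /dev/null -w '%{http_code}' --max-time 5 "https://$1$HA_PATH" || true)
  [ "$code" = "200" ]
}

wait_for_tomcat() {
  record "wait-tomcat:$1"
  if [ "$DRY_RUN" = "1" ]; then return 0; fi
  tries=0
  until tomcat_ready "$1"; do
    tries=$((tries + 1))
    if [ "$tries" -ge 60 ]; then   # 60 x 5 s = 5 minutes
      echo "Tomcat on $1 did not become ready; aborting before changing the LB" >&2
      return 1
    fi
    sleep 5
  done
}

pause() {
  # $1 = seconds the procedure calls for; scaled so a dry run does not block.
  record "wait:$1"
  secs=$(( $1 * SLEEP_SCALE ))
  if [ "$secs" -gt 0 ]; then sleep "$secs"; fi
}

lb_member() {
  # $1 = node, $2 = enable|disable. Delegated to LB_CTL (hypothetical wrapper
  # around your load balancer's API) because the page names no LB product.
  record "lb-$2:$1"
  if [ "$DRY_RUN" != "1" ]; then "${LB_CTL:?set LB_CTL to your pool-membership command}" "$2" "$1"; fi
}

restart_node() {
  # Restart Tomcat on a node that is currently out of the LB pool. Delegated to
  # RESTART_CTL (hypothetical, e.g. an ssh wrapper) since the page gives no command.
  record "restart:$1"
  if [ "$DRY_RUN" != "1" ]; then "${RESTART_CTL:?set RESTART_CTL to your restart command}" "$1"; fi
}

rolling_restart() {
  ACTIONS=""
  # Start state, as recommended earlier: only the primary is in the LB pool.
  restart_node "$SECONDARY"
  wait_for_tomcat "$SECONDARY"     # step 1
  lb_member "$SECONDARY" enable    # step 2
  pause 60                         # step 3: LB picks up the secondary
  lb_member "$PRIMARY" disable     # step 4
  pause 300                        # step 5: nodes sync
  restart_node "$PRIMARY"
  wait_for_tomcat "$PRIMARY"       # step 6
  lb_member "$PRIMARY" enable      # step 7
  pause 60                         # step 8: LB picks up the primary
  lb_member "$SECONDARY" disable   # step 9
  pause 300                        # step 10: nodes sync
  # End state equals the start state: the primary alone in the pool.
}

case "${1:-}" in
  --dry-run) DRY_RUN=1; SLEEP_SCALE=0; rolling_restart ;;
  --run)     rolling_restart ;;
esac
```

Run it with --dry-run first to review the printed action list, then with LB_CTL and RESTART_CTL set and --run to perform it. Because each node is restarted only while it is out of the pool, and the script aborts before changing pool membership if a restarted node never becomes ready, at least one node that was serving before the restart remains in the pool at every point of the sequence.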
Adhering to the following guidelines will further aid in the high-availability implementation of Atrium Single Sign-On within a TrueSight installation:
As long as the ASSO server has the required resources, you can point multiple TrueSight Presentation Servers or other products to a single Atrium Single Sign-On implementation.
Because Atrium Single Sign-On does not provide any export or import utilities, if you require a disaster recovery solution, you must install and configure two independently deployed ASSO servers. The two ASSO servers must be kept synchronized by manual reconciliation.