
Gateway Cluster and Database Replication Configuration Example


Article ID: 202946


Products

CA API Gateway API SECURITY CA API Gateway Precision API Monitoring Module for API Gateway (Layer 7) CA API Gateway Enterprise Service Manager (Layer 7) STARTER PACK-7 CA Microgateway

Issue/Introduction

When I set up the Gateway, I should use the "Create a new Layer7 API Gateway database" option in

2) Display Layer7 API Gateway configuration menu -> 2) Create a new Layer7 API Gateway database

In this step, I have a question about "Set Up the Layer7 API Gateway Cluster".

When I put the value in the Cluster Host section, should I put the DNS name for the LTM (load balancer), the IP address of this server, or the DNS name of this node?

- I plan to set up this gateway cluster with 2 nodes.

---------------------------------

Set Up the Layer7 API Gateway Cluster

---------------------------------

At any time type "quit" to quit.

Press "<" to go to the previous step.

 

This step lets you set up the Layer7 API Gateway cluster.

 

Enter the cluster hostname.

 

Cluster Host [172.26.142.246]: <yet to confirm>

Also, if I fill in this prompt with a random value, how can I update this cluster host value when I get the right value?

1) Is it possible to update it in Policy Manager - Manage Cluster-Wide-Properties?

2) Do I need to update any other configuration file on the node, e.g. system.properties, node.properties, etc.?

 

 

Environment

Release : 10.0

Component : API GATEWAY

Resolution

1) Is it possible to update it in Policy Manager - Manage Cluster-Wide-Properties?

** Entering a random value for this configuration is not advised.

2) Do I need to update any other configuration file on the node, e.g. system.properties, node.properties, etc.?

** No, not for this configuration.

3) Example: how to configure a clustered Gateway lab (2 nodes).

   Pre-reqs: the /etc/hosts file, IPs and hostnames used for this example on both nodes:

 

172.17.38.11             PolicyManagerGateway.secuaz.cl        PolicyManagerGateway

172.17.38.20             GWnode1.secuaz.cl      GWnode1         vapgateway.secuaz.cl

172.17.38.30             GWnode2.secuaz.cl      GWnode2

 

Notes: 

- vapgateway.secuaz.cl is the cluster name we will use later.

- The hostname, cluster name and IP need to be changed according to your test environment.
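The hosts-file prerequisite above can be checked on each node before continuing. This is an added example, not part of the vendor article: the function names `hosts_ip` and `check_hosts` are hypothetical, and the "bad" sample is constructed to show a missing cluster alias and a hostname split by a stray space.

```shell
#!/bin/sh
# Added example, not from the vendor article. Checks that hosts-file text
# maps the node names and the cluster hostname used in this lab as expected.

# hosts_ip NAME: read hosts-file text on stdin and print the IP of the first
# entry listing NAME as canonical name or alias (hostnames compare
# case-insensitively; "#" comments are ignored).
hosts_ip() {
    awk -v want="$1" '
        { sub(/#.*/, "") }
        NF >= 2 {
            for (i = 2; i <= NF; i++)
                if (tolower($i) == tolower(want)) { print $1; exit }
        }'
}

# check_hosts TEXT: print one line per problem, nothing when TEXT is usable.
check_hosts() {
    text=$1
    while read -r ip name; do
        got=$(printf '%s\n' "$text" | hosts_ip "$name")
        [ "$got" = "$ip" ] || echo "MISMATCH $name: expected $ip, got ${got:-nothing}"
    done <<EOF
172.17.38.20 GWnode1.secuaz.cl
172.17.38.30 GWnode2.secuaz.cl
172.17.38.20 vapgateway.secuaz.cl
EOF
    # A token starting with "." is a hostname broken in two by a stray space.
    printf '%s\n' "$text" | awk '
        { sub(/#.*/, "") }
        { for (i = 2; i <= NF; i++)
              if ($i ~ /^\./) print "MALFORMED line " NR ": " $i }'
}

# The entries from the article.
GOOD_HOSTS='172.17.38.11   PolicyManagerGateway.secuaz.cl  PolicyManagerGateway
172.17.38.20   GWnode1.secuaz.cl  GWnode1  vapgateway.secuaz.cl
172.17.38.30   GWnode2.secuaz.cl  GWnode2'

# Constructed bad sample: split hostname on line 1, cluster alias missing.
BAD_HOSTS='172.17.38.11   PolicyManagerGateway .secuaz.cl  PolicyManagerGateway
172.17.38.20   GWnode1.secuaz.cl  GWnode1
172.17.38.30   GWnode2.secuaz.cl  GWnode2'

echo "good sample problems:"; check_hosts "$GOOD_HOSTS"
echo "bad sample problems:";  check_hosts "$BAD_HOSTS"
# On a node: check_hosts "$(cat /etc/hosts)"
```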

 

STEP 1

Configure the CA API Gateway from GWnode1.

From the Gateway menu, to select Configure system settings, enter 1.

 To select Configure networking and system time settings, enter 1.

  1. Complete these steps to finish the network configuration.

Configure the Basic Network Interface

Please select an interface to configure:

Note: I select the network interface eth0. 1

Enable interface on boot (y/n)? y

Would you like to configure IPv4 networking (y/n)? y

Enter the protocol (static/dhcp): static

Enter the IPv4 address: 172.17.38.20

Enter the IPv4 netmask: 255.255.255.0

Enter the IPv4 gateway: 172.17.38.11

Would you like to configure IPv6 networking (y/n)? n

Would you like to enter another network interface (y/n)? n

Configure the IPv4 Gateway and Interface

Would you like to change the current default IPv4 gateway and

interface (y/n)? y

Enter the IPv4 address of the default gateway: 172.17.38.11

Select the interface you wish to use as the IPv4 gateway device:

Note: We will select the network interface eth0.  1

 

Configure the Fully Qualified HostName

Enter the fully qualified hostname

[localhost.localdomain]: gwnode1.secuaz.cl

Configure the CA API Gateway Name Server

Enter one or more name server (comma separated): 172.17.38.11

Enter one or more search domain (comma separated): secuaz.cl

Configure Time Synchronization

The current time zone configuration is ‘America/Vancouver’.

Do you want to change the current time zone configuration (y/n)? y

Select a time zone from the following list. Please make a selection

(press [Enter] for next page):

Enter the number of your time zone region.

Select a time zone from the following list.

Note: Record the time zone that you configure for GWnode1 so that you can configure GWnode2 with the same time zone when you reach that step on the next machine. It is recommended that the time zones match to complete this environment successfully.

Enter the number of your time zone.

Do you want to change the current timeservers configuration

(y/n)? y

Enter a comma separated list of the time servers to use for time

synchronization: pool.ntp.org

  1. Review your configuration settings:
  2. To apply the network changes above, enter y.

Note: It may take several minutes for the configuration to be applied successfully.

 

  1. Press Enter after the changes are applied. You should now see the Gateway

Configure System Settings menu.

  1. Return to the CA API Gateway main menu by entering x.

Configure the Privileged Shell Password and Edit the Host File

  1. You should see the CA API Gateway main menu. If not, login to GWnode1 using

these credentials:

Field Value

GWnode1 Login ssgconfig

Password : yourPassword

  1. To select Use a privileged shell (root), enter 3.

The underlying Linux operating system command line interface becomes available.

Note: The Linux operating system is case-sensitive.

 

  1. To enter the default CA API Gateway root password, enter 7layer.
  2. On first login, you must change your password. To accomplish this, you must first

enter the current password once. Then, you will enter the new password twice:

Field Value

Current UNIX Password 7layer

New UNIX Password : yourPassword

Retype Password : yourPassword

  1. You are now accessing the privileged Linux shell as the user root. To change to the

root directory, enter: cd /

  1. To edit the CA API Gateway host file on GWnode1, enter: vi /etc/hosts

 add the following lines

172.17.38.11             GwPolicyManager.secuaz.cl        GwPolicyManager

172.17.38.20             GWnode1.secuaz.cl GWnode1   vapgateway.secuaz.cl

172.17.38.30             GWnode2.secuaz.cl GWnode2

 

Note: vapgateway.secuaz.cl will be used as the CLUSTER HOSTNAME in later steps.

 

  1. To return to the CA API Gateway main menu on GWnode1, enter exit.

Note: GWnode1 must be rebooted to apply your changes. Failure to reboot and log

back in successfully now may introduce errors in subsequent steps

 

 Complete these steps to reboot and log back in to GWnode1:

  1. To reboot GWnode1 and apply the network settings, enter r.
  2. To confirm that you want to reboot GWnode1, enter y.
  3. When GWnode1 finishes rebooting, verify that you can login with your

credentials:

GWnode1 Login : ssgconfig

Password : yourPassword

 ***The network configuration of GWnode1 is complete.****

 

STEP 2

Configure API Gateway on Node#2

From GWnode2 , Configure the Gateway Network Settings

1 The CA API Gateway main menu is displayed. To select Configure system settings,

enter 1.

  1. To select Configure networking and system time settings, enter 1.
  2. Complete these steps to finish the network configuration.

 

Configure the Basic Network Interface

Please select an interface to configure:

Note: We will select the network interface eth0. 1

Enable interface on boot (y/n)? y

Would you like to configure IPv4 networking (y/n)? y

Enter the protocol (static/dhcp): static

Enter the IPv4 address: 172.17.38.30

Enter the IPv4 netmask: 255.255.255.0

Enter the IPv4 gateway: 172.17.38.11

 

Would you like to configure IPv6 networking (y/n)? n

Would you like to enter another network interface (y/n)? n

Configure the IPv4 Gateway and Interface

Would you like to change the current default IPv4 gateway and

interface (y/n)? y

Enter the IPv4 address of the default gateway: 172.17.38.11

Select the interface you wish to use as the IPv4 gateway device:

Note: We will select the network interface eth0.  1

 

Configure the Fully Qualified HostName

Enter the fully qualified hostname

[localhost.localdomain]: GWnode2.secuaz.cl

Configure the Gateway Name Server

Enter one or more name server (comma separated): 172.17.38.11

Enter one or more search domain (comma separated): secuaz.cl

 

Configure Time Synchronization

The current time zone configuration is ‘America/Vancouver’.

Do you want to change the current time zone configuration

(y/n)? y

Select a time zone from the following list. Please make a selection (press [Enter] for next page): Enter the number of the time zone region that you entered in the

previous lab for GWnode1.

Select a time zone from the following list. Enter the number of

the time zone that you entered in the previous lab for GWnode1.

Do you want to change the current timeservers configuration (y/n)? y

Enter a comma separated list of the time servers to use for

time synchronization: pool.ntp.org

 

  1. To apply these network changes, enter y.

Note: It may take several minutes for the configuration to be applied successfully.

  1. Press Enter after the changes are applied. You should now see the Gateway

Configure System Settings menu.

 

  1. Return to the CA API Gateway main menu by entering x.

 

Configure the Privileged Shell Password and Edit the Host File

  1. You should see the CA API Gateway main menu. If not, login to the CA API

Gateway using these credentials:

Field Value

GWnode1 Login ssgconfig

Password :yourPassword

  1. To select Use a privileged shell (root), enter 3.
  2. Enter the CA API Gateway default root password 7layer.

 

  1. On first login, you must change your password. To accomplish this, you must first

enter the current and new passwords:

Current UNIX Password 7layer

New UNIX Password yourPassword

 

To edit the CA API Gateway host file, enter: vi /etc/hosts

Add the following lines :

 

172.17.38.11             PolicyManagerGateway.secuaz.cl    PolicyManagerGateway

172.17.38.20             GWnode1.secuaz.cl GWnode1         vapgateway.secuaz.cl

172.17.38.30             GWnode2.secuaz.cl GWnode2

 

  1. To return to the CA API Gateway main menu, enter exit.

Note : The server must be rebooted to apply your changes. Failure to reboot and log back into the server successfully now may introduce errors in subsequent steps for this lab. Complete these steps to reboot and log back in to GWnode2:

 

  1. To reboot GWnode2 and apply the network settings, enter r.
  2. To confirm that you want to reboot GWnode2, enter y.

Note: Scroll down to view the progress bar as GWnode2 reboots.

  1. When GWnode2 reboots, verify that you can login with these credentials:

GWnode2 Login ssgconfig

Password : YourPassword

****The network configuration for GWnode2 is complete.

  

STEP 3

Configure Database Replication

  1. From GWnode1, confirm that ping to GWnode2 works:

         ping gwnode2.secuaz.cl -c 5

 Confirm that the same works from GWnode2 to GWnode1.

 

Configure Slave Permissions on GWnode1 for the GWnode2 User

 

  1. From GWnode1.
  2. From Menu select Use a privileged shell (root), enter 3.
  3. cd /opt/SecureSpan/Appliance/bin

Note: All Linux commands are case sensitive.

  1. To run the add_slave_user.sh script, enter this command:

          ./add_slave_user.sh -v

 

  1. Complete these steps to finish the configuration wizard:

 

Configure Slave User Permissions on GWnode1

Enter hostname or IP for the SLAVE: GWnode2.secuaz.cl

Enter replication user: repluser

Enter replication password: replpass

Enter MySQL root user: root

Enter MySQL password: 7layer

Is this the Primary (1) or Secondary (2)database node?

Note: The database will restart after you enter 1. -  1

MySQL appears to be properly configured

with server_id=1

Do you want to continue? Y

 

  1. To return to the CA API Gateway main menu, enter exit.

  

STEP 4

Configure Slave Permissions on GWnode2 for the GWnode1 User

 

  1. From the lab environment, select GWnode2.
  2. You should see the CA API Gateway main menu. If not, login to GWnode2 using the standard credentials.
  3. To select Use a privileged shell (root), enter 3.

          cd /opt/SecureSpan/Appliance/bin

  1. To run the add_slave_user.sh script, enter this command:

        ./add_slave_user.sh -v

 

  1. Complete these steps to finish the configuration wizard:

 

Configure Slave User Permissions on GWnode2

Enter hostname or IP for the SLAVE GWnode1.secuaz.cl

Enter replication user: repluser

Enter replication password: replpass

Enter MySQL: root user: root

Enter MySQL password: 7layer

Is this the Primary (1) or Secondary (2) database

node?

Note: The database will restart after you enter 2. =  2

MySQL appears to be properly configured with

server_id=2

Do you want to continue? y

 

 You should see this screen output:

 

 To return to the CA API Gateway main menu, enter exit.

 

STEP 5

Configure Replication on GWnode1

  1. From the lab environment, select GWnode1.
  2. You should see the GWnode1 main menu. If not, login to GWnode1 using the standard credentials.
  3. To select Use a privileged shell (root), enter 3.
  4. Enter the root password of YourPassword.
  5. To change to the Linux directory with the required script files, enter this command:

cd /opt/SecureSpan/Appliance/bin

 

  1. To run the create_slave.sh script, enter this command:

./create_slave.sh -v

 

 Complete these steps to finish the configuration wizard:

 

Configure Replication on GWnode1

Enter hostname or IP for the MASTER GWnode2.secuaz.cl

Enter replication user: repluser

Enter replication password replpass

Enter MySQL: root user: root

Enter MySQL password: 7layer

Do you want to clone a database from

GWnode2.secuaz.cl (yes or no)? no

 Verify that the output on your screen matches the screen shown here:

To return to the CA API Gateway main menu, enter exit.

 

STEP 6

Configure Replication on GWnode2

 

  1. From the lab environment, select GWnode2.
  2. You should see the GWnode2 main menu. If not, login to GWnode2 using the standard credentials.
  3. To select Use a privileged shell (root), enter 3.
  4. Enter the root password of YourPassword.
  5. cd /opt/SecureSpan/Appliance/bin

To run the create_slave.sh script, enter this command:

        ./create_slave.sh -v

  1. Complete these steps to complete the replication wizard:

 

Configure Replication on GWnode2

Enter hostname or IP for the MASTER GWnode1.secuaz.cl

Enter replication user: repluser

Enter replication password replpass

Enter MySQL: root user: root

Enter MySQL password: 7layer

Do you want to clone a database from

GWnode1.secuaz.cl (yes or no)? no

 Verify that the output on your screen matches the screen shown here:

 To return to the CA API Gateway main menu, enter exit.

 

 STEP 7

Create the Primary Database Node on: GWnode1

 

      From  GWnode1.

  1. To select the Display CA API Gateway Configuration menu, enter 2.
  2. To Create a new CA API Gateway database, enter 2.

 

 Complete these steps to create the Primary Database Node:

Configure Gateway Database

Database connection? yes

Enter the database hostname. Database Host: localhost

Enter the database port. Database Port: 3306

Enter the database name. Database Name: ssg

Enter the database user: Database Username gateway

Enter the database password. Database Password: 7layer

Confirm Database Password: 7layer

Enter the administrative database user. Administrator

Database Username: root

Enter the administrative database password.

Administrator Database Password: 7layer

Configure Database Failover Connection? yes

Enter the database failover hostname.

Database Failover Host: GWnode2.secuaz.cl

Enter the database failover port.

Database Failover Port: 3306

Configure the SSM Administrator

Enter the CA API Gateway Policy Manager

administrative user (3-128 characters).

Policy Manager Username: admin

Enter the Policy Manager administrative password (3-128

characters).

Policy Manager Password:7layer

Confirm Policy Manager Password: 7layer

Configure the Gateway Cluster

Enter the cluster hostname.

Cluster Host: vapgateway.secuaz.cl

Enter the cluster passphrase (6-128 characters). Cluster

Passphrase: 7layer

Confirm Cluster Passphrase: 7layer

Enable the Gateway Database Node

Enable or disable the node.

Enabled: yes

 

  1. Review the database configuration settings.

 

Note: Verify that your cluster hostname is correct: vapgateway.secuaz.cl.

Otherwise, you may not be able to complete this example successfully.

 

  1. Press Enter to continue.

 

Resolve Configuration Results Error

Complete these steps to address the configuration results error if you receive the error message displayed here. If you do not receive this error message, skip this section.

 

  1. Unexpected error saving configuration 'Could not send Message.'
  2. Would you like to re-configure? no
  3. Enter the cluster passphrase (6-128 characters). Cluster Passphrase: 7layer
  4. Press Enter to continue.
  5. To select Configure the CA API Gateway, enter 3.
  6. Complete these steps to validate the database:
  7. Configure CA API Gateway Database

Database connection? yes

Enter the database hostname. Database Host: localhost

Enter the database port. Database Port: 3306

Enter the database name. Database Name: ssg

Enter the database user: Database Username gateway

Enter the database password. Database Password: 7layer

Confirm Database Password: 7layer

Enter the administrative database user. Administrator

Database Username: root

Enter the administrative database password.

Administrator Database Password: 7layer

Configure Database Failover Connection? yes

Enter the database failover hostname.

Database Failover Host: GWnode2.secuaz.cl

Enter the database failover port.

Database Failover Port: 3306

Configure the CA API Gateway Cluster

Enter the cluster passphrase (6-128 characters). Cluster

Passphrase: 7layer

Enable the CA API Gateway Database Node

Enable or disable the node.

Enabled: yes

  1. To continue applying the configuration, press Enter.
  2. Verify that your configuration summary matches the configuration summary given here and press Enter to continue:

Verify that you received the configuration results and press Enter.

Verify the CA API Gateway Status

  1. To select Manage CA API Gateway status and verify the status of the Gateway database, enter 7.

Note: The database can take time to start up. If you check the status of the database immediately after creating it, the Node Status may be STARTING. Repeat this step until the Node Status is RUNNING.

  1. Press Enter to continue.
  2. To return to the CA API Gateway Application menu, enter x.

  

STEP 8

Configure Replication on the Secondary Database Node: GWnode2

 

  1. Go to GWnode2.
  2. To select Display CA API Gateway Configuration Menu, enter 2.
  3. To Configure the CA API Gateway, enter 3.
  4. Complete these steps to configure the gateway:

Configure the Gateway

Database connection? yes

Enter the database hostname. Database Host: GWnode1.secuaz.cl

Enter the database port. Database Port: 3306

Enter the database name. Database Name: ssg

Enter the database user: Database Username gateway

Enter the database password. Database

Password: 7layer

Confirm Database Password: 7layer

Configure Database Failover Connection? yes

Enter the database failover hostname. Database

Failover Host: localhost

Enter the database failover port. Database Failover

Port: 3306

Configure the Gateway Cluster..

Enter the cluster passphrase (6-128 characters).Cluster Passphrase: 7layer

Confirm Cluster Passphrase: 7layer

Enable the Gateway Database Node

Enable or disable the node. Enabled: yes

 

  1. Verify that your configuration summary matches, then press Enter to continue.
  2. Your configuration results message should state that the configuration was

successfully applied. Press Enter to continue.

  1. To return to the CA API Gateway main menu, enter x.
  2. To reboot the Gateway and join the cluster, enter r.
  3. To confirm that you want to reboot the Gateway, enter y.

Note: Rebooting GWnode2 now is required to apply your configuration changes.

Failure to reboot GWnode2 now may cause subsequent labs to fail.

 

  1. When the GWnode2 finishes rebooting, login with these credentials:

GWnode2 Login ssgconfig

Password YourPassword

 

  1. To select the Display CA API Gateway Configuration menu, enter 2.
  2. To select the Manage CA API Gateway Status option and check on the status of the Gateway database, enter 7.

Note: The database can take time to startup. If you check the status of the database immediately after creating it, the Node Status may be STARTING. Repeat this step until the Node Status is RUNNING.

 

  1. When the Node Status is RUNNING, press Enter to return to the CA API Gateway status options menu.
  2. Press Enter to return to the CA API Gateway main menu.
  3. Your database was successfully created on GWnode1 and replicated to

GWnode2. Both databases are considered the Master of each other for replication and failover.

 16. Query the status of replication on both nodes: mysql -e "show slave status\G"

Healthy Replication will show as follows:

Slave_IO_Running  : yes
Slave_SQL_Running : yes
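The replication check above can be scripted so that it is run the same way on both nodes. This is an added example, not part of the vendor article: the function name `replication_state` is hypothetical, the sample outputs are constructed and trimmed to the relevant fields, and the comparison is case-insensitive because MySQL prints the value as "Yes".

```shell
#!/bin/sh
# Added example, not from the vendor article. Classifies the text printed by
#   mysql -e "show slave status\G"
# using the two fields the article names, plus Last_IO_Error/Last_SQL_Error.

# replication_state: read the status text on stdin and print one of
#   HEALTHY          both replication threads report Yes
#   BROKEN: <detail> a thread is not running (detail includes any error text)
#   NOT_CONFIGURED   no status fields at all (no replication source is set)
replication_state() {
    awk '
        function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
        {
            pos = index($0, ":")          # field names never contain a colon
            if (pos == 0) next            # skips the "*** 1. row ***" banner
            key = trim(substr($0, 1, pos - 1))
            val = trim(substr($0, pos + 1))
            if (key == "Slave_IO_Running")  { io = tolower(val); seen = 1 }
            if (key == "Slave_SQL_Running") { sql = tolower(val); seen = 1 }
            if (key == "Last_IO_Error")     ioerr = val
            if (key == "Last_SQL_Error")    sqlerr = val
        }
        END {
            if (!seen) { print "NOT_CONFIGURED"; exit }
            if (io == "yes" && sql == "yes") { print "HEALTHY"; exit }
            why = "IO=" io " SQL=" sql
            if (ioerr != "")  why = why " io_error=" ioerr
            if (sqlerr != "") why = why " sql_error=" sqlerr
            print "BROKEN: " why
        }'
}

# Constructed samples (trimmed to the relevant fields), not captured output.
SAMPLE_HEALTHY='*************************** 1. row ***************************
             Slave_IO_Running: Yes
            Slave_SQL_Running: Yes
                Last_IO_Error:
               Last_SQL_Error:'
SAMPLE_BROKEN='*************************** 1. row ***************************
             Slave_IO_Running: Connecting
            Slave_SQL_Running: Yes
                Last_IO_Error: error connecting to master repluser@GWnode1.secuaz.cl:3306
               Last_SQL_Error:'

for sample in "$SAMPLE_HEALTHY" "$SAMPLE_BROKEN"; do
    printf '%s\n' "$sample" | replication_state
done
# On a node: mysql -e "show slave status\G" | replication_state
```

A result of NOT_CONFIGURED on either node means that node has no replication source set, so the two databases are not acting as master of each other.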

*** The next step is to install and configure Policy Manager and log in to the clustered gateway using vapgateway.secuaz.cl:8443 ***

Additional Information

https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-gateway/9-4/install-configure-upgrade/install-the-policy-manager.html