About High Availability Synchronization and Data Replication

The ActivID Appliance synchronization process consists of the following workflow:

To illustrate the workflow for each node, the following conventions are used in the diagram:

  • The status of the synchronization process is represented by the boxes.
  • The transitions between the synchronization statuses are represented by the links. These transitions can be triggered automatically or manually by the commands you executed. For more information, see Dual Mode synchronization options.
  • The Single Mode node workflow is represented in the grey boxes, while the colored boxes represent the Dual Mode workflow.
Important: In High Availability deployments, you must configure the archive of audit data on both appliances to purge data that is not synchronized between the nodes.
Status Description

Single Mode

Synchronization status is not applicable.

For the Front-End appliance (that is, when the ActivID Authentication Services are not installed), the HA options are not displayed.

Under Construction

The remote appliance is under construction, and the initialization and the configuration of the replication processes are under construction.

This status appears when the node has just been moved from Single Mode to Dual Mode, while the second node is still not configured properly.

Once the second node is configured as Dual Mode, the status automatically changes to Synchronized.

Synchronized

The replication processes are up and running. Both nodes are synchronized, no issue has been raised, and there is no delay on the synchronization

This status is “normal” when the system is in Dual Mode and running normally.

Out of Synchronization

 

 
  • The status of the local synchronization is Out of Synchronization (recoverable or unrecoverable).
  • If the remote appliance is active, its synchronization status is Out of Synchronization (recoverable or unrecoverable). Even in this context, where the communication between appliances is broken, both statuses should be consistent.

Out of Synchronization (recoverable) – both nodes are not synchronized, but the level of resynchronization is recoverable.

There are different causes of this status, for example, a network issue, or the remote appliance having an issue or is unresponsive. The breakdown time is limited.

For this (limited) period of time, the replication process is registering all data updates and is staying ready to synchronize as soon as the breakdown is fixed.

This status is set automatically by the supervisor. This status can appear on both nodes at the same time if the issue is a High Availability issue, for instance. The return to the Synchronized state is done automatically.

Out of Synchronization (reason) – both nodes are not synchronized, and the synchronization is not recoverable. The replication processes are stopped.

The cause of this breakdown can be a long network issue, or the node does not have the space to record the updates.

You can initialize the synchronization, or set the node in Single Mode, or replace the appliance.

The following list summarizes the possible reasons for this status:

  • Synch Canceled – you have manually canceled the synchronization. Or, if a local failure that impacts the synchronization is detected, then the synchronization process is automatically canceled.
  • Synchronization down – the synchronization processes are down. It requires maintenance.
  • Database down – the database is down. It requires maintenance. The status of the authentication service is also impacted.
  • Network down – the network is down. There might be issues with the local network card. It requires maintenance.
  • Init failed – synchronization initialization failed.
  • Unreachable – the remote appliance cannot be reached (a network issue), and therefore its status is unknown.

Availability of Synchronization Status Commands

This table summarizes the available commands depending on the synchronization status of the nodes.

 

 Synchronization Status Available Commands

Local Mode

Node local

Node remote

Set Dual

Set Single

Init Sync

Cancel Sync

Download File

Backup

Restore

Single Mode

Single Mode

N/A

X

 

 

 

 

X

X

Dual Mode

Under Construction

Under Construction

 

X

 

 

X

X

 

Dual Mode

Synchronized

Synchronized

 

X

 

X

 

X

 

Dual Mode

Out of Synchronization Recoverable

Unreachable

 

X

 

X

 

X

 

Dual Mode

Out of Synchronization Unrecoverable

Out of Synchronization Unrecoverable

 

X

X

 

 

X

 

Data Replication in Dual Mode

Note: You might need to check that updates are replicated once the connection is restored. Review the conflict warnings and notifications, then proceed to manual update if there are conflicting changes.

Deployment Components

When appliances are synchronized, the replication of components is described in below table.

When appliances are not synchronized (for example, the network is disconnected), the following warning appears:

"The update cannot be replicated to the other node immediately; the replication is delayed until both appliances are synchronized. Once the appliances synchronized, please double check your updates have been replicated properly or update your configuration once again"

If this happens, check the replication of the updates manually.

Deployment Components Synchronization process
(when set as dual, install as dual, synchronized)		 Dual Mode
(when both nodes are synchronized and running)

Application configuration files

Replicated on second node (as initial default values)

Not replicated between nodes

Date and Time settings

Not replicated between nodes

It is recommended to use automatic settings as time should be the same on both nodes.

Not replicated between nodes

It is recommended to use automatic settings as time should be the same on both nodes.

Customization Package

Replicated on second node (as initial default values)

Not replicated between nodes

Appliance Key Stores

Replicated on second node (as initial default values) except the appliance server SSL certificate which is defined per node at node installation

Not replicated between nodes except the ActivID AS server AES keys and IdP certificates (in software cryptography deployments)

Scheduled Backup Configuration

Not replicated between nodes and can be different on each node

Not replicated between nodes and can be different on each node

Monitoring/SNMP Configuration

Not replicated between nodes and can be different on each node

Not replicated between nodes and can be different on each node

Scheduled Archive audit Configuration

Not replicated between nodes and can be different on each node

Not replicated between nodes and can be different on each node

Troubleshooting

Replicated on second node (as initial default values)

Not replicated between nodes and can be different on each node
License Files

Replicated on second node

The Site Code ID is replicated on second node

Update is possible from each node

Replicated between nodes

OOB template files

Replicated on second node

Update is possible from each node.

Replicated between nodes

Domains

Replicated on second node

Replicated between nodes

Database Content

When appliances are synchronized, all database objects are replicated.

When appliances are not synchronized (for example, the network is disconnected), the database content diverges on both nodes. The following warning appears:

"Conflicting changes between the two nodes. The system is reconciling the data. Check your recent updates in Management Console and check the archived conflict auditing for detailed information"

When conflict resolution fails, you receive a notification which includes a list of objects (10 maximum), where:

  • <Domain> is the domain name
  • <GUI Label> is the label of the object as documented and displayed on the ActivID Management Console (for example, Channel, Role)
  • <name> is the object name (for example, IIS, Device Administrator)
  • <Code> is the code value (for example, CH_123, RL_458)

The following is an example of the warning:

Copy 
There might be conflicting changes between the nodes that will not be reconcilable. Before you continue, please check to be sure both nodes have the same values for the object(s) and related data listed below. To correct any possible issues, delete any incorrect object, and recreate it.
<Domain> <GUI Label> «  <name> » (code <code>)
<Domain> <GUI Label> «  <name> » (code <code>)
<Domain> <GUI Label> «  <name> » (code <code>)
<Domain> <GUI Label> «  <name> » (code <code>)
<Domain> <GUI Label> «  <name> » (code <code>)
..

Check the objects listed in order to correct potential issues. See the full list of objects (parent/children) which can have incorrect values following conflicting changes.

For guidance on how to eliminate conflicts in your High Availability deployment, save this information and contact HID Global Technical Support.

GUI Object Associated Objects

MC >Configuration>Assets>Asset Type

  • MC >Configuration>Assets
  • MC >Configuration>Asset Set
  • MC >Access Administration>Admin Groups:
    • Predefined Permissions Sets applying to the Asset Type
    • External Permissions Sets applying to the Asset Sets of the Asset Type
  • MC>Access Administration>Roles:
    • Predefined Permissions Sets applying to the Asset Type
    • External Permissions Sets applying to the Asset Type
    • External Permissions Sets applying to the Asset Sets of the Asset Type

MC >Configuration>Assets> Asset Types >Asset Set
  • MC >Configuration>Asset Set:
    • Description
  • MC >Access Administration>Admin Groups:
    • External Permissions Sets applying to the Asset Set
  • MC>Access Administration>Roles:
    • External Permissions Sets applying to the Asset Set
MC >Configuration>Authorization>Check Before or Send after profile
  • MC >Configuration>Authorization>Check Before or Send after profile:
    • Attributes
  • MC >Configuration>Channels:
    • Authorization Profiles Selection Rules

MC >Configuration>Channels
  • MC >Configuration>Channels:
    • Trusted Identity Providers
    • Authorization Profiles Selection Rules
    • Allowed Authentication Policies
  • User details:
    • Enabled Individual Permissions per channel
    • Enabled Individual Permission Sets per channel

MC>Access Administration>Permissions>Predefined permission set

  • MC>Access Administration>Permissions>Predefined permission set:
    • Enabled Individual Permissions
  • MC >Access Administration>Admin Groups:
    • Predefined Permissions Sets
  • MC>Access Administration>Roles:
    • Predefined Permissions Sets

MC>Configuration>User Repositories

  • MC>Configuration>User Repositories:
    • LDAP Configuration
    • User Attribute mapping
    • Referrals
  • Bound Groups and Roles:
    • MC>Access Administration>user Types: User Repositories
    • MC>Access Administration>Admin Groups: User Repositories
    • MC>Access Administration>Roles: Assignment rules
MC>Configuration>Radius>External Radius Server
  • MC>Configuration>Radius>External Radius Server:
    • Details
  • MC>Configuration>Radius>Radius Realm Proxy:
    • Details

MC>Access Administration>Roles

  • Predefined Permissions Sets
  • External Permissions Sets
  • Assignment Rules

MC>Access Administration>Permissions>External permission set

  • MC>Access Administration>Permissions>External permission set:
    • Individual permissions
    • Asset Type to which it is applicable
  • User details:
    • External Permissions Sets (on Assets)
  • MC>Access Administration>Admin Groups:
    • External Permission Sets
  • MC>Access Administration>Roles:
    • External Permission Sets

MC>Access Administration>User Types

  • Users:
    • Details (Admin Group)
    • Individual Permissions (on User Type)
  • MC>Access Administration>User Types:
    • User Repositories configuration
    • Authentication Policies
    • User Attributes
  • MC>Access Administration>Admin Groups:
    • User Repositories configuration
    • Predefined Permissions applying to the User Type
    • External Permissions
  • MC>Access Administration>Roles:
    • Predefined Permissions applying to the User Type