NSD1442 How to setup a cluster with Nordic Edge OTP... Fact Situation

NSD1442 How to setup a cluster with Nordic Edge OTP Server
Fact
Nordic Edge One Time Password Server 3.x
Situation
This document describes how to set up Nordic Edge One Time Password Server (OTP Server) in an OTP Server cluster.
Requirements are:
- Two OTP Servers
- OTP Servers configured with SMS and/or Pledge (any authentication method can be used)
IP addresses in this example
OTP Server 1: 192.168.92.238
OTP Server 2: 192.168.92.183
OTP Server redundancy
OTP Server supports a full active-active cluster. This means that users can log in with two-factor authentication to any of the OTP Servers within the same OTP Server cluster. For example, a user authenticates with username and password against OTP Server 1, then receives the one-time password and enters it at OTP Server 2 for verification.
Setup OTP Server redundancy
To configure a cluster, each OTP Server is pointed at the other. In this example OTP Server 1 will point to OTP Server 2 and OTP Server 2 will point to OTP Server 1. Each OTP Server must carry the same OTP configuration for OTP databases, OTP clients and OTP delivery methods, otherwise a login started on one node cannot be completed on the other.
At OTP Server 1:
● Edit C:\Program Files\NordicEdge\OTPServer3\hazelcast.xml (/opt/NordicEdge/OTPServer3/hazelcast.xml on Unix/Linux).
● Change tcp-ip enabled to “true”.
● Change interface to the IP address of OTP Server 2. In this case 192.168.92.183.
● Save and close the file.
● Restart OTP Server 1.
At OTP Server 2:
● Edit C:\Program Files\NordicEdge\OTPServer3\hazelcast.xml (/opt/NordicEdge/OTPServer3/hazelcast.xml on Unix/Linux).
● Change tcp-ip enabled to “true”.
● Change interface to the IP address of OTP Server 1. In this case 192.168.92.238.
● Save and close the file.
● Restart OTP Server 2.
Both OTP Servers have now joined the OTP cluster.
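The easy mistake in the procedure above is copying a finished hazelcast.xml from one node to the other without changing the interface, so that a node lists only itself and never joins. The following script is an added example, not Nordic Edge's own tooling: it renders the tcp-ip block for a node's peers and checks a node's hazelcast.xml for the points that matter (tcp-ip enabled, peers listed, node not pointing only at itself, group name and password not left at a placeholder). It assumes the Hazelcast 3.x file layout (a group element plus network/join/tcp-ip), covers the hostname, port and address-range forms described in the cluster configuration section at the end of this document, and all sample documents and the weak-password list are constructed for illustration.

```python
"""Generate and sanity-check the Hazelcast join settings of an OTP Server node.

This is an added example, not Nordic Edge's own tooling. It assumes the
Hazelcast 3.x hazelcast.xml layout (<group> plus <network><join><tcp-ip>) and
uses constructed sample documents; the weak-password list is illustrative.
"""
import re
import xml.etree.ElementTree as ET

# Placeholder values that must not survive into a real cluster (illustrative list).
WEAK_GROUP_PASSWORDS = {"", "dev-pass", "SecretPassword", "changeme"}


def _strip_ns(root):
    """Remove XML namespaces so lookups work whether or not the file declares
    xmlns="http://www.hazelcast.com/schema/config"."""
    for el in root.iter():
        if isinstance(el.tag, str) and el.tag.startswith("{"):
            el.tag = el.tag.split("}", 1)[1]
    return root


def expand_member(spec):
    """Expand one <interface>/<hostname> value into the set of members it names.
    Hazelcast allows a last-octet range such as 192.168.1.0-7 and an optional
    :port suffix; hostnames are returned as written."""
    host, _, port = spec.partition(":")
    suffix = ":" + port if port else ""
    m = re.fullmatch(r"(\d+\.\d+\.\d+\.)(\d+)-(\d+)", host)
    if not m:
        return {host + suffix}
    base, lo, hi = m.group(1), int(m.group(2)), int(m.group(3))
    return {f"{base}{i}{suffix}" for i in range(lo, hi + 1)}


def build_tcp_ip(peers):
    """Render the <tcp-ip> element for one node: enabled and listing its peers."""
    body = "\n".join(f"    <interface>{p}</interface>" for p in peers)
    return f'<tcp-ip enabled="true">\n{body}\n</tcp-ip>'


def check_node(xml_text, self_ip, expected_peers):
    """Return a list of findings for one node's hazelcast.xml (empty = OK)."""
    root = _strip_ns(ET.fromstring(xml_text))
    findings = []
    tcp = root.find("./network/join/tcp-ip")
    if tcp is None or tcp.get("enabled", "false").lower() != "true":
        return ["tcp-ip join is not enabled"]
    mc = root.find("./network/join/multicast")
    if mc is not None and mc.get("enabled", "false").lower() == "true":
        findings.append("multicast join is still enabled alongside tcp-ip")
    members = set()
    for el in tcp.findall("interface") + tcp.findall("hostname"):
        value = (el.text or "").strip()
        if value:
            members |= expand_member(value)
    hosts = {m.split(":")[0] for m in members}
    if hosts == {self_ip}:
        findings.append(f"node only points at itself ({self_ip})")
    for peer in expected_peers:
        if peer not in hosts:
            findings.append(f"peer {peer} is missing from the tcp-ip member list")
    group = root.find("./group")
    name = group.findtext("name", "").strip() if group is not None else ""
    password = group.findtext("password", "") if group is not None else ""
    if name in ("", "dev"):
        findings.append("group name is blank or the Hazelcast default 'dev'")
    if password in WEAK_GROUP_PASSWORDS:
        findings.append("group password is blank or a placeholder value")
    return findings


def sample_config(members, group_password="example-only-pw"):
    """Constructed hazelcast.xml in the 3.x layout (sample data, not a real file)."""
    ifaces = "".join(f"<interface>{m}</interface>" for m in members)
    return (
        '<hazelcast xmlns="http://www.hazelcast.com/schema/config">'
        f"<group><name>ne-otp-prod</name><password>{group_password}</password></group>"
        '<network><join><multicast enabled="false"/>'
        f'<tcp-ip enabled="true">{ifaces}</tcp-ip></join></network></hazelcast>'
    )


if __name__ == "__main__":
    # OTP Server 1 (192.168.92.238) must point at OTP Server 2 and vice versa.
    print(build_tcp_ip(["192.168.92.183"]))
    ok = sample_config(["192.168.92.183"])
    print(check_node(ok, "192.168.92.238", ["192.168.92.183"]))      # []
    wrong = sample_config(["192.168.92.183"])  # file pasted unchanged onto Server 2
    print(check_node(wrong, "192.168.92.183", ["192.168.92.238"]))   # two findings
```

Run check_node against each node's real hazelcast.xml with that node's own address and the addresses of the other nodes; the second call in the demo shows what the copy-paste mistake looks like.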
Configure the VPN Gateway or application with multiple OTP Servers
After the OTP Servers are configured as a cluster, the VPN gateway or application must be configured with the addresses and ports of all OTP Servers in the cluster. In this scenario we use the OTP web test application to demonstrate how to configure two OTP Servers with redundancy.
● Open the configuration for the OTP test web app: C:\inetpub\wwwroot\OTPServerWebTestApp\Web.config
● Add the IP addresses of both OTP Server 1 and OTP Server 2. In this case 192.168.92.238:3100;192.168.92.183:3100
● Save and close the file.
● Restart the IIS server.
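What a client has to do with that semicolon-separated list is try the servers in order and move on when one does not answer. The following is an added example, not code from the OTP web test application or the VPN gateway: it parses the list, picks the first reachable node, and walks a two-step login so that the one-time-password step can land on a different node than the password step, which is exactly what the active-active cluster allows. The protocol spoken on port 3100 is not described on this page, so reachability is probed with a plain TCP connect and the two login steps are hypothetical callables that stand in for the real client calls; the addresses are the ones from this document.

```python
"""Use a 'host:port;host:port' OTP Server list with failover across the cluster.

Added example, not code from the OTP web test application. It assumes only the
semicolon-separated list format shown above; the protocol spoken on port 3100
is not described here, so reachability is probed with a plain TCP connect and
the two login steps are hypothetical callables standing in for the real client.
"""
import socket


def parse_server_list(value, default_port=3100):
    """'192.168.92.238:3100;192.168.92.183:3100' -> [('192.168.92.238', 3100), ...]"""
    servers = []
    for item in value.split(";"):
        item = item.strip()
        if not item:
            continue
        host, _, port = item.partition(":")
        servers.append((host, int(port) if port else default_port))
    if not servers:
        raise ValueError("no OTP Servers configured")
    return servers


def tcp_probe(host, port, timeout=2.0):
    """Default reachability probe: True if a TCP connection to host:port opens."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def first_available(servers, probe=tcp_probe, start=0):
    """Return (index, (host, port)) of the first node that answers, walking the
    list from 'start' and wrapping around so a client can stay on its last-good
    node; raise ConnectionError when every node is down."""
    n = len(servers)
    for i in range(n):
        idx = (start + i) % n
        host, port = servers[idx]
        if probe(host, port):
            return idx, servers[idx]
    raise ConnectionError("all OTP Servers in the cluster are unreachable")


def two_step_login(servers, password_step, otp_step, probe=tcp_probe):
    """Password step on one reachable node, one-time-password step on whichever
    node is reachable afterwards. In an active-active cluster the session is
    shared, so the second step may land on a different node. Returns the hosts used."""
    idx, node = first_available(servers, probe)
    password_step(node)
    _, node2 = first_available(servers, probe, start=idx)
    otp_step(node2)
    return node[0], node2[0]


if __name__ == "__main__":
    servers = parse_server_list("192.168.92.238:3100;192.168.92.183:3100")
    down = set()
    reachable = lambda host, port: host not in down   # simulated probe, no network needed
    # Simulate the test below: OTP Server 1 is shut down between the two steps.
    hosts = two_step_login(
        servers,
        password_step=lambda node: down.add("192.168.92.238"),
        otp_step=lambda node: None,
        probe=reachable,
    )
    print(hosts)   # ('192.168.92.238', '192.168.92.183')
```

Replace tcp_probe with a real request to the OTP Server when wiring this into an application; a TCP connect only proves the port is open, not that the service behind it is healthy.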
Test the OTP Server cluster
In this test we log in with username and password. Then we shut down OTP Server 1 and enter the one-time password, which is verified by OTP Server 2. This demonstrates the active-active cluster: login sessions and one-time passwords are shared within the OTP cluster.
● Browse to the OTP web test application. E.g. http://192.168.92.100/OTPServerWebTestApp/CustomLogin.aspx
● Log in with username and password.
The login request was handled by OTP Server 1.
● Shut down OTP Server 1.
● Enter the one-time password.
Login was successful. The one-time password was verified successfully by OTP Server 2.
OTP Server cluster configuration
The group name and password option can be used to create separate clusters, for example one cluster for the production OTP Servers and one for test. Nodes only join a cluster whose group settings match, so give each cluster its own name and a strong, unique password (the value below is a placeholder), and allow the Hazelcast cluster port to be reached only from the other OTP Servers.
<group>
<name>ne-otp-prod</name>
<password>SecretPassword</password>
</group>
With the tcp-ip option you can configure one or many OTP Servers, specific ports, or a range of IP addresses for the OTP Servers in the cluster:
<tcp-ip enabled="true">
<hostname>otpserver1.domainlocal</hostname>
<hostname>otpserver2.domainlocal</hostname>
<hostname>otpserver3.domainlocal:1980</hostname>
<interface>192.168.1.21</interface>
<interface>192.168.1.0-7</interface>
</tcp-ip>
More information about cluster configuration can be found at www.hazelcast.com