Decision Insight 20200928

Cluster settings

This page lists the different node settings to apply to an Axway Decision Insight (DI) cluster, depending on whether you have a primary/replica (PR) cluster or a high availability (HA) cluster.

General configuration

Regarding PR clusters

Configuring SSO or LDAP on replica nodes (RN) has no effect as authentication is only done on the primary node (PN).

Default protocol/cipher suite

By default, TLS communication is configured to use TLSv1.2 protocol and TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 cipher suite.

| Parameter | Default value | Description |
|---|---|---|
| com.systar.electron.type | STANDALONE | Node type: STANDALONE, PRIMARY, REPLICA, HA |
| com.systar.electron.host | no default value, must be configured | Host / IP of the PN, as seen in the internode communication network. |
| com.systar.electron.port | 9010 | Communication port to: session sharing, produce redolog, checkpoint transfer, distributed computings |
| com.systar.electron.ha.host | no default value, must be configured for HA node | Host / IP of the HA Main node, as seen in the internode communication network. |
| com.systar.electron.ha.token | no default value, must be configured for HA node | Security token used to access HA API |
| com.systar.calcium.maxLag | 2 seconds | In milliseconds. Threshold used to define if a RN is correctly synchronized or late compared to the PN. Possible units are: seconds, minutes. If omitted, scalar is evaluated as milliseconds. |
| com.systar.calcium.ha.maxLag | 1 minutes | In milliseconds. Threshold used to define if a HA backup node is correctly synchronized or late compared to the main node. Possible units are: seconds, minutes. If omitted, scalar is evaluated as milliseconds. |
| com.systar.krypton.distributedcomputing.primaryComputingEnable | true | (Only for the PN) Activates the distributed computing feature on this primary. Set to false to deactivate distributed computing on that node. |
| com.systar.krypton.distributedcomputing.replicaComputingEnable | true | (Only for RN(s)) Activates the distributed computing feature on this replica. Set to false to deactivate distributed computing on that node. |
| com.systar.krypton.distributedcomputing.startExecutionTimeout | 1 minutes | (Only for the PN) Timeout in seconds the PN waits for the start of a computing on an RN before executing the computing locally. Possible units are: seconds, minutes, hours, days. If omitted, scalar is evaluated as seconds. |
| com.systar.krypton.distributedcomputing.executorSize | 0 | Maximum number of threads available for distributed computing on distributed nodes (RN or PN if seen as distributed node). If the value is equal to 0, the number of threads is equal to the number of cores of the computer. |
| com.systar.electron.tls.enabled | false | Activate TLS to secure communications between primary and replicas. |
| com.systar.electron.tls.keystore.keyPassword | no default value | Keystore Key Password. Must be configured on primary and replica if TLS is enabled. |
| com.systar.electron.tls.keystore.type | JKS | Keystore type (JKS or PKCS12). Must be configured on primary and replica if TLS is enabled. |
| com.systar.electron.tls.keystore.location | no default value | Keystore location. Must be configured on primary and replica if TLS is enabled. |
| com.systar.electron.tls.keystore.password | no default value | Keystore password. Must be configured on primary and replica if TLS is enabled. |
| com.systar.electron.tls.truststore.type | JKS | Truststore type (JKS or PKCS12). Must be configured on primary and replica if TLS is enabled. |
| com.systar.electron.tls.truststore.location | no default value | Truststore location. Must be configured on primary and replica if TLS is enabled. |
| com.systar.electron.tls.truststore.password | no default value | Truststore password. Must be configured on primary and replica if TLS is enabled. |

PR configuration

To activate a PR cluster, you must install at least 2 DI nodes, and ensure one of them is of type Primary, and the other of type Replica.

| Parameter | Primary node value | Replica node value |
|---|---|---|
| com.systar.electron.type | PRIMARY | REPLICA |

HA configuration

To activate a HA cluster, you must install at least 2 DI nodes, and ensure one of them is acting as Main node while the second is acting as Backup node.

| Parameter | Main node value | Backup node value |
|---|---|---|
| com.systar.electron.type | HA | HA |
| com.systar.electron.host | Host / IP of the local host (main) | Host / IP of the local host (backup) |
| com.systar.electron.ha.host | Host / IP of the remote host (backup) | Host / IP of the remote host (main) |
| com.systar.electron.ha.token | Password of your choice | Password of your choice |

A HA node always starts as backup. Use the Switch backup to main procedure to activate the main node.

Secure cluster communications

Primary/Replica and HA Main/Backup communications can be encrypted. When encryption is enabled, mutual authentication is activated for security purposes, so that:

- The producer node (primary or HA main) authenticates the consumer nodes that connect to it.
- The consumer nodes (replicas or HA backup) check the endpoint identification of the producer node.

This mutual authentication is done using keystores and truststores on both sides. The KeyStore Manager tool can be used to generate keystores and truststores.

Configuration

The following are the configuration requirements:

- All nodes must have a truststore and a keystore.
- The Subject Alternative Name (SAN) used for the producer node must match the electron hostname used on consumer nodes; a verification is done.

Here is an example of how to generate truststores and keystores with KeyStore Manager. Truststores are parameterized with a CA certificate. This CA certificate is also used to validate all the keys.

KeyStore Manager commands

```
ksm createCA ADI-CA -password changeit
ksm createHostKey -ca ADI-CA -password changeit myprimary -dns myprimary.mydomain.com
ksm createHostKey -ca ADI-CA -password changeit myreplica -dns myprimary.mydomain.com
ksm exportHostKey -ca ADI-CA -password changeit -format JKS -exportpassword changeit myprimary
ksm exportHostKey -ca ADI-CA -password changeit -format JKS -exportpassword changeit myreplica
```

Then, in the conf directory of each node, you can copy the corresponding truststore and keystore and update the platform.properties file like below:

HA configuration - platform.properties

```
com.systar.electron.type=HA
com.systar.electron.host=myha.mydomain.com
com.systar.electron.tls.enabled=true
com.systar.electron.tls.keystore.location=${com.systar.platform.conf.dir}/myha_keystore.jks
com.systar.electron.tls.keystore.password=changeit
com.systar.electron.tls.keystore.keyPassword=changeit
com.systar.electron.tls.truststore.location=${com.systar.platform.conf.dir}/ADI-CA_truststore.jks
com.systar.electron.tls.truststore.password=changeit
```

Primary configuration - platform.properties

```
com.systar.electron.type=PRIMARY
com.systar.electron.host=myprimary.mydomain.com
com.systar.electron.tls.enabled=true
com.systar.electron.tls.keystore.location=${com.systar.platform.conf.dir}/myprimary_keystore.jks
com.systar.electron.tls.keystore.password=changeit
com.systar.electron.tls.keystore.keyPassword=changeit
com.systar.electron.tls.truststore.location=${com.systar.platform.conf.dir}/ADI-CA_truststore.jks
com.systar.electron.tls.truststore.password=changeit
```

Replica configuration - platform.properties

```
com.systar.electron.type=REPLICA
com.systar.electron.host=myprimary.mydomain.com
com.systar.electron.tls.enabled=true
com.systar.electron.tls.keystore.location=${com.systar.platform.conf.dir}/myreplica_keystore.jks
com.systar.electron.tls.keystore.password=changeit
com.systar.electron.tls.keystore.keyPassword=changeit
com.systar.electron.tls.truststore.location=${com.systar.platform.conf.dir}/ADI-CA_truststore.jks
com.systar.electron.tls.truststore.password=changeit
```
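
A pre-deployment check for a node's platform.properties, built from the settings table and the sample files above; this is an added example, not part of the Axway documentation or tooling. The function names and finding messages are assumptions, and the parser handles only plain `key=value` lines, not the full Java properties syntax.

```python
# Added example: audit one node's platform.properties against the settings table.
PREFIX = "com.systar.electron."
TLS_REQUIRED = ["tls.keystore.location", "tls.keystore.password",
                "tls.keystore.keyPassword", "tls.truststore.location",
                "tls.truststore.password"]
SECRETS = ["tls.keystore.password", "tls.keystore.keyPassword",
           "tls.truststore.password", "ha.token"]
PLACEHOLDERS = {"changeit"}  # sample secret used in the page's examples

def parse_properties(text):
    """Parse key=value lines; blank lines and #/! comments are skipped."""
    props = {}
    for line in map(str.strip, text.splitlines()):
        if line and line[0] not in "#!" and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def audit(text):
    """Return sorted findings for one node's configuration."""
    props = parse_properties(text)
    get = lambda key: props.get(PREFIX + key, "")
    node_type = get("type") or "STANDALONE"        # documented default
    clustered = node_type in {"PRIMARY", "REPLICA", "HA"}
    tls_on = get("tls.enabled").lower() == "true"  # documented default: false
    findings = []
    if node_type not in {"STANDALONE", "PRIMARY", "REPLICA", "HA"}:
        findings.append(f"type: unknown node type {node_type!r}")
    if clustered and not get("host"):
        findings.append("host: must be configured")
    if node_type == "HA":
        findings += [f"{k}: must be configured for HA node"
                     for k in ("ha.host", "ha.token") if not get(k)]
    if clustered and not tls_on:
        findings.append("tls.enabled: internode traffic is not encrypted")
    if tls_on:
        findings += [f"{k}: must be configured when TLS is enabled"
                     for k in TLS_REQUIRED if not get(k)]
    findings += [f"{k}: placeholder secret from the documentation"
                 for k in SECRETS if get(k) in PLACEHOLDERS]
    return sorted(findings)

# Constructed sample: a replica with TLS left at its default (disabled).
SAMPLE_REPLICA = """\
com.systar.electron.type=REPLICA
com.systar.electron.host=myprimary.mydomain.com
"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_REPLICA)))
```

Run against the HA sample from this page, the check reports that the HA host and HA token settings are absent and that the three keystore and truststore passwords still hold the sample value `changeit`.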