Overview:
Introduction
This article is for anyone who uses Identity Server as the security provider for Geocortex Essentials, has a load balanced environment, and would like to load balance Identity Server within that environment. Load balancing provides high availability for your applications (reducing potential downtime), but it also increases the administration overhead for the systems running in the load balanced environment. If you aren't sure whether you should load balance your applications, the best guidance will come from your IT/Network team.
There are four main steps in order to deploy Identity Server in a load balanced environment:
- Set the Identity Server signing certificate in all nodes
- Set the Identity Server configuration database
- Configure the web machine keys
- Encrypt the connection strings in the web.config file (Optional)
Solution:
Prerequisites
- Geocortex Essentials is installed on all nodes participating in the load balanced pool
- Geocortex Identity Server is installed on all nodes participating in the load balanced pool
- The load balancer is setup and working
1. Identity Server Signing Certificate
You must ensure that the signing certificate is the same on all nodes. You can do this either by exporting one node's certificate (Friendly Name: Geocortex, Signing, MachineName) and importing it on the other nodes, or by generating a new certificate to use on all nodes.
To Export a Certificate (Original Install of Geocortex Essentials 4.4 or newer):
- On one of the nodes, go to Start -> Run -> MMC
- On the MMC go to File -> Add/Remove Snap-in
- From the available snap-ins on the left, select Certificates and Click Add >
- Select Computer account -> Next
- Select Local Computer -> Finish. Click OK
- Expand Certificates -> Personal -> Certificates
- Right-click the certificate with Friendly Name: Geocortex, Signing, <MACHINENAME>, All Tasks -> Export
- Click Next, then select Yes, export the private key
- Assign a password to the certificate
- Select .PFX, leave all the options as default
- Select the path and finish the wizard
- Log in to the other node(s) and repeat steps 1-6
- Import the certificate and provide Identity Server read permissions:
  - Right-click in some blank space -> All Tasks -> Import
  - Select the certificate you exported, provide the password and click Finish
  - Right-click the recently added certificate, All Tasks -> Manage Private Keys
  - Click Add...
  - Click Locations..., select the local server
  - Under "Enter the object names to select" type: IIS APPPOOL\IdentityServerAppPool, then click Check Names to make sure the identity is recognized
  - Click OK, then select the IdentityServerAppPool and, under permissions, disable Full Control and leave only Read
  - Click OK
- Delete the certificate file (.PFX) that was exported
- Open a command line as Administrator, then navigate to C:\Program Files (x86)\Latitude Geographics\Geocortex Identity Server\Web\bin
- Run Geocortex.IdentityServer.Setup.exe with the following argument, to set the signing certificate:
Geocortex.IdentityServer.Setup.exe SigningCertificateName="CN=Geocortex, CN=Signing, CN=<MACHINENAME>"
- Recycle the IdentityServerAppPool or restart your entire IIS Web Server, then run the Geocortex Essentials Post Installation Configuration tool
- Complete the same procedure on any remaining nodes
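The export, import and private-key permission steps above can be scripted so that every node ends up with the same certificate and the app pool gets Read only. The following PowerShell is an added example, not part of the Geocortex article or product; it assumes PowerShell 5.0 or newer (PKI module, Copy-Item -ToSession), WinRM open between nodes, a CSP-backed private key (the usual case for this certificate), and placeholder node names. Run it on the node that already holds the signing certificate.

```powershell
# Added example, not part of the Geocortex article: replicate the Identity Server
# signing certificate from the node you run this on to the other nodes, grant
# only the IdentityServerAppPool identity Read on the private key, then confirm
# every node reports the same thumbprint.
# Assumptions: PowerShell 5.0+ (PKI module, Copy-Item -ToSession), WinRM open
# between nodes, a CSP-backed private key; NODE2/NODE3 are placeholders.
$TargetNodes = @('NODE2', 'NODE3')                     # placeholders
$AppPoolId   = 'IIS APPPOOL\IdentityServerAppPool'
$PfxPath     = Join-Path $env:TEMP 'idsrv-signing.pfx'
$PfxPassword = Read-Host -AsSecureString -Prompt 'Temporary PFX password'

# Export the local node's signing certificate together with its private key.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.FriendlyName -like 'Geocortex, Signing,*' } |
    Select-Object -First 1
if (-not $cert) { throw 'Geocortex signing certificate not found in LocalMachine\My' }
Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $PfxPassword | Out-Null

# Runs on each target node: import the PFX, delete it, and restrict the key ACL.
$installOnNode = {
    param($pfx, $pwd, $appPool)
    $imported = Import-PfxCertificate -FilePath $pfx -CertStoreLocation Cert:\LocalMachine\My -Password $pwd |
        Select-Object -First 1
    Remove-Item $pfx -Force                       # never leave the PFX on disk
    $cspInfo = $imported.PrivateKey.CspKeyContainerInfo
    if (-not $cspInfo) { throw 'Private key is not CSP-backed; adjust the key file path for CNG keys' }
    $keyFile = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $cspInfo.UniqueKeyContainerName
    $acl  = Get-Acl $keyFile
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($appPool, 'Read', 'Allow')
    $acl.AddAccessRule($rule)                     # Read only, matching the MMC steps above
    Set-Acl -Path $keyFile -AclObject $acl
    $imported.Thumbprint
}

foreach ($node in $TargetNodes) {
    $session   = New-PSSession -ComputerName $node
    $remotePfx = 'C:\Windows\Temp\idsrv-signing.pfx'
    Copy-Item -Path $PfxPath -Destination $remotePfx -ToSession $session
    $thumb = Invoke-Command -Session $session -ScriptBlock $installOnNode `
                 -ArgumentList $remotePfx, $PfxPassword, $AppPoolId
    Remove-PSSession $session
    if ($thumb -ne $cert.Thumbprint) { throw "Thumbprint mismatch on ${node}: $thumb" }
    Write-Host "$node now holds signing certificate $thumb"
}
Remove-Item $PfxPath -Force   # the exported PFX must not linger on the source node either
```

After the script finishes, run Geocortex.IdentityServer.Setup.exe with the SigningCertificateName argument and the Post Installation Configuration tool on each node, as described above; the script only handles the certificate copy and the private-key permission.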
2. Identity Server Configuration Database
To ensure that each node in the load balancer behaves the same, we must ensure that they all have the same configuration. By default, Identity Server uses a SQL Server CE database to store configuration options. When load balancing we can configure Identity Server to use a central SQL Server database. All nodes in the cluster will connect to the database to get the configuration. Alternatively, we can copy the configuration database files from node to node.
- On a SQL server, create a new database for Identity Server (Oracle databases can't be used). It can have any name.
- Create a SQL login and user that has full access to the new database. Identity Server will connect to the database as this user.
- Using the SQL Server name, the database name, and the user and password you just created, build the connection string. It should look like:
Server=SERVERNAME;Database=DATABASE;User Id=IdentityServerUser;Password=xxxxxxxxx;
- On one of the nodes running Identity Server, edit C:\Program Files (x86)\Latitude Geographics\Geocortex Identity Server\Web\Configuration\connectionStrings.config with a text editor, as Administrator.
- For the connection string called name="IdentityServerConfiguration", change the following two parameters:
connectionString="Server=SERVERNAME;Database=DATABASE;User Id=IdentityServerUser;Password=xxxxxxxxx;" and providerName="System.Data.SqlClient"
- For the connection string called name="ProviderDB", change:
connectionString="Server=SERVERNAME;Database=DATABASE;User Id=IdentityServerUser;Password=xxxxxxxxx;" and providerName="System.Data.SqlClient"
- Save the file
- Run the Geocortex Essentials Post Installation Configuration tool, go to the Identity Server page
- If you are not using SSL uncheck the Require SSL checkbox
- Finish the Post Installer
- Repeat steps 2-10 on the other node(s)
If it's not possible to use an external SQL database as the configuration store, you can manually copy the configuration file between nodes:
C:\Program Files (x86)\Latitude Geographics\Geocortex Identity Server\Web\App_Data\IdentityServerConfiguration.sdf
Ideally, all changes to Identity Server should be made on one server and the configuration file then copied to the other node(s) to persist the changes. Every time the Identity Server configuration changes, the file has to be copied over again. This file cannot be placed on a network share.
If you want to use Identity Server users, you can also copy over the file that contains the user database:
C:\Program Files (x86)\Latitude Geographics\Geocortex Identity Server\Web\App_Data\IdentityServerUsers.sdf
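The shared SQL Server configuration steps above edit two connection strings by hand. The following PowerShell is an added example, not Geocortex's own tooling: it first proves the SQL login can open the intended database, then rewrites the IdentityServerConfiguration and ProviderDB entries in connectionStrings.config. The server name, database name and install path are the article's placeholders and defaults; the connectionStrings/add XML layout is assumed.

```powershell
# Added example, not Geocortex's own tooling: point both Identity Server
# connection strings at the shared SQL Server database, but only after the
# SQL login has been verified against that database.
# SERVERNAME / DATABASE are placeholders; the path is the default install path.
$ConfigFile  = 'C:\Program Files (x86)\Latitude Geographics\Geocortex Identity Server\Web\Configuration\connectionStrings.config'
$SqlServer   = 'SERVERNAME'            # placeholder
$Database    = 'DATABASE'              # placeholder
$SqlUser     = 'IdentityServerUser'
$SqlPassword = Read-Host -AsSecureString -Prompt "Password for $SqlUser"
$bstr  = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($SqlPassword)
$plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
$connString = "Server=$SqlServer;Database=$Database;User Id=$SqlUser;Password=$plain;"

# 1. Test the login before touching the config, so a typo cannot take Identity Server down.
$conn = New-Object System.Data.SqlClient.SqlConnection $connString
try {
    $conn.Open()
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = 'SELECT DB_NAME()'
    $actualDb = [string]$cmd.ExecuteScalar()
} catch {
    throw "SQL login check failed: $($_.Exception.Message)"
} finally {
    $conn.Dispose()
}
if ($actualDb -ne $Database) { throw "Login landed in database '$actualDb', expected '$Database'" }

# 2. Back up the file, then rewrite the two named connection strings
#    (assumes the file is a <connectionStrings> element containing <add name=...> entries).
Copy-Item $ConfigFile "$ConfigFile.bak" -Force
[xml]$xml = Get-Content $ConfigFile -Raw
foreach ($name in 'IdentityServerConfiguration', 'ProviderDB') {
    $entry = $xml.SelectSingleNode("//connectionStrings/add[@name='$name']")
    if (-not $entry) { throw "No connection string named '$name' in $ConfigFile" }
    $entry.SetAttribute('connectionString', $connString)
    $entry.SetAttribute('providerName', 'System.Data.SqlClient')
}
$xml.Save($ConfigFile)
Remove-Variable plain, connString
Write-Host "Updated $ConfigFile; recycle IdentityServerAppPool and run the Post Installation Configuration tool"
```

Run it once per node (or run it on one node and copy the resulting connectionStrings.config, which is what step 4 below does once the file is encrypted). The .bak copy holds the plain-text credentials, so delete it once the node is confirmed working.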
3. Web Application Machine Keys
The machine keys (Validation key / encryption key) for the Identity Server application should be set and shared among the nodes.
To set the machine key:
- Navigate to the Identity Server application in IIS manager
- From there, select Sites -> Web Site -> Geocortex -> IdentityServer
- Open the Machine Key configuration panel
- Under Validation key and Decryption key, disable Automatically generate at runtime and Generate a unique key for each application
- In the right panel, click Generate Keys
- Copy the generated values for the keys and save them to a secure location
- In the right panel, click Apply, then close IIS Manager
- Log in to the other node(s), repeat steps 1-4
- Paste the values obtained from the first server
- In the right panel, click Apply, then close IIS Manager
For more information about machine keys, consult this TechNet article: http://technet.microsoft.com/en-us/library/cc731979(v=ws.10).aspx
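The machine key steps above generate values in IIS Manager and paste them on each node. The following PowerShell is an added example, not part of the Geocortex article: it generates one validation/decryption key pair, applies identical explicit values to the IdentityServer application on every node through the WebAdministration module, and verifies they match. It assumes WinRM between nodes, the IIS path shown in the site tree above (Sites -> Web Site -> Geocortex -> IdentityServer), and HMACSHA256/AES key sizes, which are choices of this example rather than the article's.

```powershell
# Added example, not from the Geocortex article: generate one machineKey pair,
# push the same values to every node's IdentityServer application, and verify
# they match. Assumes the WebAdministration module on each node, WinRM between
# nodes, and the IIS path below; node names are placeholders.
$Nodes   = @('NODE1', 'NODE2', 'NODE3')                            # placeholders
$AppPath = 'IIS:\Sites\Web Site\Geocortex\IdentityServer'          # adjust to your site name

function New-HexKey([int]$ByteCount) {
    # Cryptographically random key, hex-encoded like IIS Manager's "Generate Keys" output.
    $bytes = New-Object byte[] $ByteCount
    $rng = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $rng.GetBytes($bytes)
    $rng.Dispose()
    ($bytes | ForEach-Object { $_.ToString('X2') }) -join ''
}
$validationKey = New-HexKey 64     # 512-bit HMACSHA256 validation key (example's choice)
$decryptionKey = New-HexKey 32     # 256-bit AES decryption key (example's choice)

$applyKeys = {
    param($path, $vk, $dk)
    Import-Module WebAdministration
    $f = 'system.web/machineKey'
    # Explicit values replace the AutoGenerate,IsolateApps defaults, i.e. they clear
    # "Automatically generate at runtime" and "Generate a unique key for each application".
    Set-WebConfigurationProperty -PSPath $path -Filter $f -Name validationKey -Value $vk
    Set-WebConfigurationProperty -PSPath $path -Filter $f -Name decryptionKey -Value $dk
    Set-WebConfigurationProperty -PSPath $path -Filter $f -Name validation    -Value 'HMACSHA256'
    Set-WebConfigurationProperty -PSPath $path -Filter $f -Name decryption    -Value 'AES'
    (Get-WebConfigurationProperty -PSPath $path -Filter $f -Name validationKey).Value
}

$applied = foreach ($node in $Nodes) {
    Invoke-Command -ComputerName $node -ScriptBlock $applyKeys `
        -ArgumentList $AppPath, $validationKey, $decryptionKey
}
if (($applied | Sort-Object -Unique).Count -ne 1 -or $applied[0] -ne $validationKey) {
    throw "machineKey values differ across nodes: $($applied -join ', ')"
}
Write-Host "All $($Nodes.Count) nodes share the same machineKey"
# Keep $validationKey / $decryptionKey in your secrets store, not in a ticket or e-mail.
```

A node whose machineKey drifts from the others (for example after a rebuild) will reject the forms-authentication tickets and view state the other nodes produce, so re-running the verification part of this script after any node change is a cheap health check.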
4. Advanced: Encrypting the Connection Strings for Identity Server
When installing Identity Server on more than one computer, we should configure it to use a shared database for configuration and for internal usernames and passwords (the SQL Server option in step 2). Because the connection strings file stores the database credentials in plain text, it is best to encrypt it. Configuration file encryption is done with the "aspnet_regiis" command, which is installed as part of the .NET Framework. In these instructions the command is referenced only by its name, but you may need to run it using its full path:
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe
To ensure that all nodes can decrypt the files, we must share an RSA key between all nodes. Note that this is not the same as the Machine Key that is used to encrypt session state.
- Open a command prompt as an Administrator on your workstation.
- Run the following command to generate an encryption key:
aspnet_regiis -pc "IdentityServerKeyContainer" -exp
The -pc flag will generate an encryption key container, and the -exp flag will denote that container as exportable.
- Then export the key to a file, including the private key: the private key is used to decrypt the config section so each web server will need it.
aspnet_regiis -px "IdentityServerKeyContainer" deploykey.xml -pri
The deploykey.xml file contains the encryption key, which we'll be loading on the nodes running Identity Server. Keep it safe: it contains the private key.
Once you have the deploykey file, perform the following steps on each node:
- Copy deploykey.xml to the server(s), then run this command to import the key:
aspnet_regiis -pi "IdentityServerKeyContainer" deploykey.xml
- Delete deploykey.xml once the key is imported. Then grant the Identity Server app pool account access to the key:
aspnet_regiis -pa "IdentityServerKeyContainer" "IIS APPPOOL\IdentityServerAppPool"
- Edit web.config in the Identity Server Web folder (C:\Program Files (x86)\Latitude Geographics\Geocortex Identity Server\Web) and add the following section after the configSections element:
<configProtectedData>
  <providers>
    <add keyContainerName="IdentityServerKeyContainer"
         useMachineContainer="true"
         description="Uses RsaCryptoServiceProvider to encrypt and decrypt"
         name="IdentityServerCryptoProvider"
         type="System.Configuration.RsaProtectedConfigurationProvider,System.Configuration, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
  </providers>
</configProtectedData>
- Encrypt the web.config connectionStrings section, specifying the provider name as follows:
aspnet_regiis -pef "connectionStrings" "C:\Program Files (x86)\Latitude Geographics\Geocortex Identity Server\Web" -prov "IdentityServerCryptoProvider"
The external connectionStrings.config file is now encrypted; copy that file to the other nodes running Identity Server. Since we used a shared key to encrypt the information, the other nodes will be able to decrypt and read the configuration.
Optional: If you'd also like to encrypt the "membership" provider section, run the following command:
aspnet_regiis -pef "system.web/membership" "C:\Program Files (x86)\Latitude Geographics\Geocortex Identity Server\Web" -prov "IdentityServerCryptoProvider"
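Once the steps above have been run on a node, it is worth confirming that the encryption actually took effect there and that the node can decrypt the file. The following PowerShell check is an added example, not from the Geocortex article: it verifies that connectionStrings.config is wrapped by the named provider with no plain-text password left behind, that web.config references the machine-level key container, and that the container exists on the node with an ACL entry for the app pool identity. It assumes the default install path, the container and provider names used above, and that aspnet_regiis -pc created the container with the default RSA provider type.

```powershell
# Added example, not from the Geocortex article: verify on one node that the
# connection strings are encrypted, web.config points at the right key
# container, and the container is present and readable by the app pool
# (the effect of aspnet_regiis -pa). Paths and names are the article's defaults.
$WebRoot      = 'C:\Program Files (x86)\Latitude Geographics\Geocortex Identity Server\Web'
$ConfigFile   = Join-Path $WebRoot 'Configuration\connectionStrings.config'
$Container    = 'IdentityServerKeyContainer'
$ProviderName = 'IdentityServerCryptoProvider'
$AppPoolId    = 'IIS APPPOOL\IdentityServerAppPool'
$problems = @()

# 1. The external file must be wrapped by the named provider with an EncryptedData body.
$raw = Get-Content $ConfigFile -Raw
[xml]$xml = $raw
$root = $xml.DocumentElement
if ($root.GetAttribute('configProtectionProvider') -ne $ProviderName) {
    $problems += "connectionStrings is not marked configProtectionProvider='$ProviderName'"
}
if (-not $root.SelectSingleNode("*[local-name()='EncryptedData']")) {
    $problems += 'no EncryptedData element: section is still in clear text'
}
if ($raw -match '(?i)password\s*=') { $problems += 'a plain-text Password= value is still present' }

# 2. web.config must declare the provider with the same machine-level key container.
[xml]$web = Get-Content (Join-Path $WebRoot 'web.config') -Raw
$prov = $web.SelectSingleNode("//configProtectedData/providers/add[@name='$ProviderName']")
if (-not $prov) {
    $problems += "web.config has no configProtectedData provider named $ProviderName"
} elseif ($prov.GetAttribute('keyContainerName') -ne $Container -or
          $prov.GetAttribute('useMachineContainer') -ne 'true') {
    $problems += 'provider does not reference the machine-level key container'
}

# 3. The key container must exist on this node and carry an Allow ACE for the app pool.
#    Assumes the container was created with the default RSA provider (as aspnet_regiis -pc does).
try {
    $csp = New-Object System.Security.Cryptography.CspParameters
    $csp.KeyContainerName = $Container
    $csp.Flags = [System.Security.Cryptography.CspProviderFlags]::UseMachineKeyStore -bor
                 [System.Security.Cryptography.CspProviderFlags]::UseExistingKey
    $rsa = New-Object System.Security.Cryptography.RSACryptoServiceProvider $csp
    $keyFile = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" `
                         $rsa.CspKeyContainerInfo.UniqueKeyContainerName
    $rsa.Dispose()
    $ace = (Get-Acl $keyFile).Access |
        Where-Object { $_.IdentityReference.Value -eq $AppPoolId -and $_.AccessControlType -eq 'Allow' }
    if (-not $ace) { $problems += "$AppPoolId has no access to the key container (run aspnet_regiis -pa)" }
} catch {
    $problems += "key container '$Container' is not usable on this node: $($_.Exception.Message)"
}

if ($problems) { $problems | ForEach-Object { Write-Warning $_ }; exit 1 }
Write-Host 'Connection string encryption looks correct on this node'
```

Run the check on every node after copying the encrypted connectionStrings.config; a node that fails step 3 will start the application but fail to read its configuration at runtime, which is the symptom to expect when the key import or the -pa grant was skipped.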