
WALLIX CERTIFIED PROFESSIONAL

WCP
WALLIX HIGH AVAILABILITY
WALLIX HA SOLUTIONS

1. WALLIX Bastion HA (WABHA): Only for hardware appliances connected with a direct link

2. WALLIX HA Replication: For hardware or virtual appliances

© Copyright WALLIX 3
WALLIX BASTION HA

Company confidential – © Copyright WALLIX 2017 4


▪ WALLIX Bastion HA:
• Only for 2 hardware appliances connected directly with a crossover cable on eth1

• Master (active) / Slave (passive) mode

• The services on the Slave (passive) are down

• 2 hardware appliances are sharing a virtual IP address (configured on the master)

• Based on DRBD (Distributed Replicated Block Device), mirroring on the slave:
  • The bastion configuration
  • The connection logs
  • The session records

[Diagram: Master and Slave; eth1 of each appliance joined by the physical HA link (crossover Ethernet cable); eth0 on each appliance]

▪ Configuration steps:

1. Make sure that the 2 Bastions have the same version and hotfix

2. Configure the SMTP server on the Master (optional)

3. Make sure that the clocks of the 2 Bastions are synchronized (configuring an NTP server is recommended)

4. Configure the eth1 interfaces of the 2 Bastions with static IP addresses on a dedicated network

5. Connect the eth1 interfaces of the 2 Bastions with a crossover Ethernet cable

6. eth0 of the 2 Bastions should be connected to the same network

7. Connect to the Master Bastion using SSH and obtain root privileges

8. Run the command WABHASetup


Network configuration of the master

Network configuration of the Slave

• Starting the configuration of the WABHA

• Configuring the IP address of the HA interface of the remote peer

• Configuring the Virtual IP Address and Mask

• Configuring mail address to receive the HA notifications

• Configuring wabadmin and wabsuper passwords of the remote peer

Check the state of drbd synchronization

drbd synchronization has finished

The Master

The Slave

▪ What happens when there is a switch-over

The New Master

The New Slave

▪ Maintenance:
• Stop wabha service
root@wb-training-master:~# systemctl stop wabha

• Start wabha service
root@wb-training-master:~# systemctl start wabha

• Check the HA status of the Bastion
root@wb-training-master:~# WABHAStatus

• Reconfiguring the cluster network: This command should be launched on the Master
root@wb-training-master:~# WABHASetup --reconfigure_hosts

• Replacing a faulty machine: This command should be launched on the Master to add a new slave
root@wb-training-master:~# WABHASetup --configure_new_slave

▪ Maintenance: Version upgrade or hotfix installation
1. Install the new version or hotfix on the Master → This will stop WABHA service on the slave (Wait until the installation is complete on the Master)

2. Install the new version or hotfix on the Slave → This will restart WABHA service on the slave

3. Cluster updated and WABHA working

Step  Master          Slave           Cluster state
1     Update Master   WABHA stopped   WABHA not working
2     Master updated  Update Slave    WABHA not working
3     Master updated  Slave updated   WABHA working

▪ Split-Brain: How does it happen?

• If the HA link is disconnected → Both cluster peers will be Master

• When the HA link is restored → DRBD will detect a divergence on the shared partition
• A notification containing the list of the last files modified on both Bastions is sent

▪ Split-Brain: How to resolve it?

• Select a reference peer, the one with the most modifications. The other peer will be the outdated peer, and it will lose all modifications made during the split-brain.
• Launch the commands below on both peers, each on the peer named in its prompt.

root@outdated_peer:~# drbdadm secondary wab
root@reference_peer:~# drbdadm primary wab
root@outdated_peer:~# drbdadm invalidate wab
root@reference_peer:~# (drbdadm cstate wab | grep -q StandAlone) && drbdadm connect wab
root@outdated_peer:~# (drbdadm cstate wab | grep -q StandAlone) && drbdadm connect wab
root@reference_peer:~# systemctl start wabha
root@outdated_peer:~# systemctl start wabha
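
The DRBD states behind the synchronization check and the split-brain procedure above can be told apart with a small classifier. This is an added example, not WALLIX code: it assumes status text in the DRBD 8.x /proc/drbd layout, the names classify_drbd and field and the output labels are illustrative, and the sample lines are constructed.

```shell
#!/bin/sh
# Added example, not WALLIX code. Assumes the DRBD 8.x /proc/drbd layout;
# the sample texts are constructed, not captured from a Bastion.

# field LINE KEY: print the value of one "key:value" token on a status line.
field() { printf '%s\n' "$1" | sed -n "s/.*$2:\([^ ]*\).*/\1/p"; }

# classify_drbd TEXT: print in-sync | syncing | standalone | peer-lost | unknown
classify_drbd() {
    # First resource status line, e.g. " 0: cs:Connected ro:... ds:..."
    line=$(printf '%s\n' "$1" | grep -E '^ *[0-9]+: cs:' | head -n 1)
    [ -n "$line" ] || { echo unknown; return 0; }
    cs=$(field "$line" cs); ro=$(field "$line" ro); ds=$(field "$line" ds)
    case "$cs" in
        Connected)
            # Healthy only when both disks are up to date.
            if [ "$ds" = "UpToDate/UpToDate" ]; then echo in-sync
            else echo unknown; fi ;;
        SyncSource|SyncTarget|PausedSyncS|PausedSyncT)
            echo syncing ;;
        StandAlone)
            # DRBD is not trying to reach the peer: the state the split-brain
            # procedure tests for before running "drbdadm connect".
            echo standalone ;;
        WFConnection)
            # Waiting for the peer. A Primary in this state cannot see whether
            # the peer has promoted itself too, which is how split-brain starts.
            case "$ro" in Primary/*) echo peer-lost ;; *) echo unknown ;; esac ;;
        *) echo unknown ;;
    esac
}

SAMPLE_OK='version: 8.4.10 (constructed sample)
 0: cs:Connected ro:Primary/Secondary ds:UpToDate/UpToDate C r-----
    ns:1024 nr:0 dw:1024 dr:2048 al:4 bm:0 lo:0 pe:0 ua:0 ap:0 ep:1 wo:f oos:0'
SAMPLE_SYNC=' 0: cs:SyncSource ro:Primary/Secondary ds:UpToDate/Inconsistent C r-----'
SAMPLE_ALONE=' 0: cs:StandAlone ro:Primary/Unknown ds:UpToDate/DUnknown   r-----'
SAMPLE_LOST=' 0: cs:WFConnection ro:Primary/Unknown ds:UpToDate/DUnknown C r-----'

for s in "$SAMPLE_OK" "$SAMPLE_SYNC" "$SAMPLE_ALONE" "$SAMPLE_LOST"; do
    classify_drbd "$s"
done
```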

WALLIX HA REPLICATION

▪ Should be configured only with WALLIX support assistance

▪ For 2 virtual appliances on the same or different sites

▪ For 2 hardware appliances on different sites

▪ Active/Active mode → No virtual IP address and no automatic switch-over

▪ Replication of the configuration through an SSH tunnel (on the eth0 or eth1 interface).

[Diagram: two peers linked by an SSH tunnel, shown once on the same site and once on different sites]


▪ The connections can be distributed among peers using a load balancer or WALLIX Access Manager cluster

[Diagram: Load Balancer, WALLIX Access Manager]

▪ Master/Slave or Master/Master configuration: define in which direction the configuration is replicated

▪ Master/Slave mode:

• Configuration is replicated from the Master to the Slave

• The configuration should be modified only on the Master

• Possibility to configure many slaves

[Diagram: configuration replication from a Master to a Slave; one Master connected to three Slaves, each over an SSH tunnel]

▪ Master/Master mode:

• Configuration is replicated in both directions

• Configuration can be modified on both appliances

• Cannot configure many masters

[Diagram: two Masters with configuration replication between them]

▪ Limitations:

• By default, the audit data are not replicated. An optional solution can be configured to do it automatically every day.

• Password Manager is enabled only on one Master Bastion and the password change at check-in should not be enabled.
