Configure a clustered environment with a reverse proxy
This section assumes that you are installing the Centrify for Apache package in a cluster that has a reverse proxy with multiple servers on the back end.
In the following example, the reverse proxy is running on a machine named A, Apache servers are running on machines named B and C, and the domain is domain.com. The figure summarizes the steps and where they are carried out.
To configure a clustered environment with a reverse proxy:
1. Confirm that you have the DirectControl agent and the Centrify for Apache package installed as required.
2. If the servers are already joined to the domain (run adinfo to find out), run adleave on each Centrify-managed computer to “unjoin” it.
3. On machine A, run the following command to join machine A to the domain with aliases for B and C:
    adjoin -a B -a B.domain.com -a C -a C.domain.com domain.com
   Add another -a (--alias) option for each additional Apache server. (See the Administrator’s Guide for Linux and UNIX for the description of the adjoin command.)
4. If A has more than one hostname, use the following command to add each additional hostname:
    adkeytab -a -P http/other_host_name
5. On machine A, run the following commands to replicate the keytabs from machine A onto machines B and C:
    cd /
    tar cvfz cluster.tgz /etc/krb5.keytab /var/centrifydc/kset.*
    scp cluster.tgz B:/
    scp cluster.tgz C:/
   If you have additional servers, run scp to copy cluster.tgz to each one.
6. On machines B and C (and each additional server), run the following commands to install the keytabs from machine A and to start adclient:
    cd /
    tar xvfz cluster.tgz
    /usr/share/centrifydc/bin/centrifydc start
Note: If the password for machine A is changed, run Step 5 and Step 6 again after every change. This password is changed transparently in a protocol initiated by Active Directory; that is, Active Directory prompts the DirectControl agent for a new account password at an interval defined by the adclient.krb5.password.change.interval configuration parameter of the DirectControl agent (see the Configuration and Tuning Reference Guide for its description). The DirectControl agent then automatically generates a new password for the computer account and issues the new password to Active Directory. The default interval is 28 days.
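Added example, not part of the Centrify documentation: a POSIX shell script that carries out Step 5 and Step 6 from machine A for any number of back ends, so the same run can be repeated after each computer-account password change described in the Note. The host names B and C, ssh/scp access from A to the back ends, the DRY_RUN switch and the digest check are assumptions of this script.

```shell
# Added example, not from the Centrify documentation: bundles the keytab material on
# machine A and fans it out to each Apache back end (Steps 5 and 6), so it can be
# rerun after every computer-account password change. ssh/scp host names, the
# DRY_RUN switch and the digest helper are assumptions of this script.

# Print the adjoin command for a proxy fronting the given back ends, one short-name
# alias and one FQDN alias per back end, as Step 3 requires.
build_adjoin_cmd() {
  domain=$1; shift
  cmd="adjoin"
  for host in "$@"; do
    cmd="$cmd -a $host -a $host.$domain"
  done
  printf '%s %s\n' "$cmd" "$domain"
}

# Step 5: archive etc/krb5.keytab and var/centrifydc/kset.* relative to $root
# (default /) into $out. Refuses to build a bundle when the keytab is absent and
# keeps the archive root-only, since it holds the computer account's Kerberos keys.
bundle_keytabs() {
  root=${1:-/}
  out=${2:-cluster.tgz}
  [ -f "$root/etc/krb5.keytab" ] || { echo "no keytab under $root" >&2; return 1; }
  ( cd "$root" && tar czf - etc/krb5.keytab var/centrifydc/kset.* ) > "$out" || return 1
  chmod 600 "$out"
}

# CRC of a keytab, so the copy on A and on each back end can be compared afterwards.
keytab_digest() {
  cksum < "${1:-/etc/krb5.keytab}" | cut -d' ' -f1
}

# Step 6 driven from A: copy the bundle to each back end, unpack it at / and start
# adclient. With DRY_RUN set, print the commands instead of running them.
distribute_keytabs() {
  bundle=$1; shift
  name=$(basename "$bundle")
  for host in "$@"; do
    remote="cd / && tar xzf /$name && /usr/share/centrifydc/bin/centrifydc start"
    if [ -n "$DRY_RUN" ]; then
      echo "scp $bundle $host:/ && ssh $host '$remote'"
    else
      scp "$bundle" "$host:/" && ssh "$host" "$remote" || return 1
    fi
  done
}

# Usage on A:  bundle_keytabs / /cluster.tgz && distribute_keytabs /cluster.tgz B C
```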