Configure a clustered environment with a reverse proxy

This section assumes that you are installing the Centrify for Apache package in a cluster that has a reverse proxy with multiple servers on the back end.

In the following example, the reverse proxy is running on a machine named A, Apache servers are running on machines named B and C, and the domain is domain.com. The figure summarizes the steps and where they are carried out.

To configure a clustered environment with a reverse proxy:

  1. Confirm that you have the DirectControl agent and the Centrify for Apache package installed as required.
  2. If the servers are joined to the domain controller (run adinfo to find out), run adleave on each Centrify-managed computer to “unjoin.”
  3. On machine A, run the following command to join machine A to the domain with aliases for B and C:

    adjoin -a B -a B.domain.com -a C -a C.domain.com domain.com

    Add another -a (--alias) option for each additional Apache server. (See the Administrator’s Guide for Linux and UNIX for the description of the adjoin command.)

  4. If A has more than one hostname, use the following command to add hostnames:

    adkeytab -a -P http/other_host_name

  5. On machine A, run the following commands to replicate the keytabs from machine A onto machines B and C:

    cd /
    tar cvfz cluster.tgz /etc/krb5.keytab /var/centrifydc/kset.*
    scp cluster.tgz B:/
    scp cluster.tgz C:/

    If you have additional servers, run scp to copy cluster.tgz to each one.

  6. On machines B and C (and each additional server), run the following commands to install the keytabs from machine A and to start adclient:

    cd /
    tar xvfz cluster.tgz
    /usr/share/centrifydc/bin/centrifydc start

Note:   If the password for machine A is changed, run Step 5 and Step 6 after every change. This password is changed transparently in a protocol initiated by Active Directory; that is, Active Directory prompts the DirectControl agent for a new account password on an interval defined in the DirectControl agent adclient.krb5.password.change.interval configuration parameter (see the Configuration and Tuning Reference Guide for the description). The DirectControl agent then automatically generates a new password for the computer account and issues the new password to Active Directory. The default interval is 28 days.