PDP Cluster with Load balancer

In my previous blog post, I explained deploying of PDP cluster using WSO2 Identity Server. Each PDP in the cluster exposes their own authorization service (Entitlement service). Therefore we need to setup a load balancer to forward the incoming authorization queries among each PDPs. Then load balancer would expose only a one interface for PEP (Policy Enforcement Points) to query the PDP cluster. Also load balancer must be able to handle the load balancing algorithms and fail over scenarios.

However it is not straight forward to use, Apache HTTPD or any other load balancer. Because, By default, Entitlement service has been exposed as a secured service. It means that, to query an authorization decision from the PDP (WSO2 Identity Server), PEP needs to authenticate with it. So, two messages from the PEP to PDP (Identity Server) are sent. First one is for authenticating with Identity Server and second one is the actual authorization query for entitlement service. Therefore load balancer must deliver authentication and authorization query in to the same PDP (Identity Server) cluster node. you can achieve this by configuring session affinity in the load balancer.

However you would experience, it is some what difficult to configure session affinity and other required parameters in most of available load balancers. As a solution, It is very easy to use WSO2LB for WSO2 specific load balancing scenarios.

Lets try to configure PDP cluster with WSO2LB step by step.  (Please note, here I am going to setup PDP cluster and load balancer in same local machine (as localhost). Therefore configuration may little bit vary, if separate machines are used for each node.)

1. Download WSO2LB (version 1.0.2)  from here and Extract in to your file system (lets assume root directory as LB_HOME)

2 . Enable axis2 clustering in PDP nodes.

I assume you have already set a PDP cluster according to this blog post. But we need to enable the axis2 level clustering among WSO2 Identity Server nodes to work with load balancer.

It is recommended to follow following article to get more knowledge and details on Axis2 Clustering


Please configure following parameters in axis2.xml which can be found in <IS_HOME>/repository/conf directory

  • Enable clustering
<clustering class="org.apache.axis2.clustering.tribes.TribesClusteringAgent" enable="true">
  • Configure the membership scheme used in this setup. We are using wka (Well-Known Address based multi-casting)
<parameter name="membershipScheme">wka</parameter>
  • Configure the clustering domain/group.
<parameter name="domain">is.domain</parameter>
  • Configure TCP port used by this member.
<parameter name="localMemberPort">4002</parameter>
  • Configure The list of well-known members.. The well-known should be the WSO2 ESB server.

You need configure axis2.xml in all PDP nodes.. Please note clustering domain and well-known member configurations must be same in all nodes

3. Configure PDP cluster domain in the load balancer configuration

  • Open loadbalancer.xml which can be found at <LB_HOME>/repository/conf directory
  • Add cluster domain configuration under the <services> in load balancer config.

4. Disabling Autoscaling in WSO2LB

you would see error messages if you try to run this setup on a local network with enabling autoscaling. So you need to disable autoscaling

  • Delete <LB_HOME>/repository/deployment/server/synapse-configs/tasks/autoscaler.xml
  • Remove the autoscaleIn & autoscaleOut mediators from <LB_HOME>/repository/deployment/server/synapse-configs/sequences/main.xml

Now we are done with the configurations. PEP must send authentication query and the authorization queries to following url respectively

https://{LB IP}:{LB port}/services/AuthenticationAdmin

https://{LB IP}:{LB port}/services/EntitlementService.

WSO2LB would take care of forwarding of incoming messages to appropriate cluster nodes

It is recommended to follow this blog post to get more knowledge WSO2LB.

Entitlement mediator 

Entitlement mediator is a PEP(Policy Information Point) component which is shipped with WSO2ESB. Therefore you can easily configure the entitlement mediator with WSO2 Identity Server to authorize the BE services which are fronted by the WSO2 ESB. Documentation can be found here.

If you are using Entitlement mediator as the PEP to send requests to the load balancer, you need to configure the “remoteServiceUrl” as follows.

remoteServiceUrl=”https://{LB IP}:{LB port}/services”

In my setup load balancer is running on localhost and port 8246. Therefore configuration of mediator

<entitlementService remoteServiceUrl="https://localhost:8246/services/" remoteServiceUserName="admin" remoteServicePassword="admin"/>