Configuring Replication

If you are running multiple OneSpan Authentication Server instances using ODBC in a high-load scenario, we strongly recommend to disable OneSpan Authentication Server replication and set up replication on the ODBC database server level instead.

Slow responses from the OneSpan Authentication Server instances under load will disrupt the replication process!

This topic provides high-level instructions to configure replication between OneSpan Authentication Server instances in various situations.

Before configuring replication, ensure that you have exported any required encryption settings to all involved OneSpan Authentication Server instances (see Exporting and importing encryption settings).

Whenever you change or update the server license key, you need to reconfigure OneSpan Authentication Server replication!

To configure replication to a second OneSpan Authentication Server instance

These instructions assume that you have one OneSpan Authentication Server instance installed and operational (SVR-1), and want to set up another OneSpan Authentication Server instance (SVR-2) and replicate between the two instances.

Figure: Replication to a second OneSpan Authentication Server instance (ODBC)

1. Install OneSpan Authentication Server on SVR-2.
2. Configure OneSpan Authentication Server on SVR-2 identically to SVR-1 except for the IP address, using the Configuration Utility or the XML configuration file.
3. Verify that SVR-2 is working correctly.
4. On SVR-1, create a new OneSpan Authentication Server record for SVR-2.
5. On SVR-1, load the license key for SVR-2 into the OneSpan Authentication Server record just created.
6. On SVR-1, create a client record of type Administration Program for the Administration Web Interfaceon SVR-2.

   This will ensure that the Administration Web Interface for SVR-2 can connect to SVR-2 once the database is replaced.

7. Stop the OneSpan Authentication Server service or daemon on SVR-1 and SVR-2.
8. Create a complete copy of the database used by OneSpan Authentication Server on SVR-1. If you are using the embedded MariaDB database, see Data store backup: Strategies and Backing up the data store: Embedded MariaDB database.
9. Using the Configuration Utility, configure and enable OneSpan Authentication Server on SVR-1 to replicate to SVR-2.
10. The OneSpan Authentication Server service on SVR-1 may be restarted now when prompted – it will build up a replication queue until it can connect to SVR-2.
11. Overwrite the database used by the OneSpan Authentication Server instance on SVR-2 with the copy from SVR-1. If you are using the embedded MariaDB database, see Restoring an ODBC database from a backup.
12. Configure OneSpan Authentication Server on SVR-2 to replicate to SVR-1.
13. Enable replication to SVR-1 on SVR-2.
14. Restart the OneSpan Authentication Server service or daemon on SVR-2. If you did not restart the service on SVR-1 earlier, restart it now.

To configure replication to a third (or subsequent) OneSpan Authentication Server instance

These instructions assume that:

• You have two or more OneSpan Authentication Server instances (SVR-1 and SVR-2) replicating to each other.
• You want to add another OneSpan Authentication Server instance (SVR-3) in a simple replication chain.
• SVR-2 will be replicating with SVR-3.

Figure: Replication to a third OneSpan Authentication Server instance (ODBC)

1. Install OneSpan Authentication Server on SVR-3.
2. Configure OneSpan Authentication Server on SVR-3 identically to SVR-2 except for the IP address, using the Configuration Utility or the XML configuration file.
3. Verify that SVR-3 is working correctly.
4. On SVR-2, create a new OneSpan Authentication Server component for SVR-3.
5. On SVR-2, create a client record of type Administration Program for the Administration Web Interfaceon SVR-3.

   This will ensure that the Administration Web Interface for SVR-3 can connect to SVR-3 once the database is replaced.

6. On SVR-2, load the license key for SVR-3 into the OneSpan Authentication Server record just created.
7. Stop the OneSpan Authentication Server service or daemon on SVR-2 and SVR-3.
8. Create a complete copy of the database used by the IDENTIKEY Authentication Server on SVR-2. If you are using the embedded MariaDB database, see  Data store backup: Strategies and Backing up the data store: Embedded MariaDB database.
9. Using the Configuration Utility, configure and enable the OneSpan Authentication Server on SVR-2 to replicate to SVR-3.

   The OneSpan Authentication Server service on SVR-2 may be restarted now when prompted – it will build up a replication queue until it can connect to SVR-3.

10. Overwrite the database used by the OneSpan Authentication Server on SVR-3 with the copy from SVR-2. If you are using the embedded MariaDB database, see Restoring an ODBC database from a backup.
11. Configure the OneSpan Authentication Server on SVR-3 to replicate to SVR-2.
12. Restart the OneSpan Authentication Server service or daemon on SVR-3. If you did not restart the service on SVR-2 earlier, restart it now.

You may want to add redundancy replication to your system to add extra protection in case of connection problems or data corruption. Redundant replication adds an extra link to a standard replication chain, so that replication can occur via more than one route.

To add redundant replication

The instructions assume a replication chain, with replication being added between a primary OneSpan Authentication Server (P-SVR-2) and a backup OneSpan Authentication Server (B-SVR-1).

Figure: Adding redundant replication

1. Configure the OneSpan Authentication Server on B-SVR-1 to replicate to P-SVR-2. Ensure that the encryption settings are replicated. Use the import/export encryption settings facility.
2. Configure the OneSpan Authentication Server on P-SVR-2 to replicate to B-SVR-1. Ensure that the encryption settings are replicated. Use the import/export encryption settings facility.
3. Restart the OneSpan Authentication Server service or daemon on each machine.