9.2 Multiple application servers

You can install multiple MyID application servers to work in conjunction with your multiple MyID web servers.

You can use your load balancer to distribute traffic to the different web servers, and then you can configure each web server to communicate with a different MyID application server. All the application servers are connected to the same MyID database.

When you install the COM proxies on the web servers, you can decide which application server each web server uses; this allows you to distribute the load. For example, you might have four web servers and two application servers – web servers A and B have the proxies for application server Alpha installed, while web servers C and D have the proxies for application server Beta installed.

To set up multiple application servers:

  1. Establish an operational MyID system using a single application server.
  2. On the primary application server, export the registry key that contains the master key.

    The master key is located in the following part of the registry:

    HKEY_LOCAL_MACHINE\SOFTWARE\Intercede\Edefice\Mastercard

    You must make sure that all of the application servers use the same master key.

    If you are using an HSM, you must install the HSM client software before you can import the key onto the additional application server. You must follow the instructions in your HSM integration guide; however, you do not need to create a partition or run GenMaster to create a key, as these have already been carried out on the primary application server.

    For nShield HSMs, if you do not have a remote file system configured, you must manually copy any keys from the machine that created the key to the same location on the other MyID application servers. See the Configure remote file system / client connectivity section in the Entrust nShield HSM Integration Guide for details.

    You can use GenMaster to specify a registry key or to add the HSM PIN to the registry of the additional application server. See the Configuring the master keys for an additional application server section in the Installation and Configuration Guide for details.

    If you require additional information on using multiple application servers with HSMs, contact customer support, quoting reference SUP-90.

  3. If you are using a Microsoft Windows CA, issue a new Enrollment Agent certificate along with its private key. You must also export the KRA certificate on the app server and import it to each application server.
  4. On each additional application server:

    1. Import the master key registry settings.
    2. Run the MyID product installation program to install the application server.
    3. If you are using a Microsoft Windows CA, each additional application server requires an Enrollment Agent certificate.

      Normally this will be a different enrollment agent certificate for each application server, but if required you can export a copy of the enrollment agent certificate and private key from the original application server and configure it on each additional application server.

      If you manually import the same enrollment agent certificate onto additional application servers, you must write the certificate to a certificate store called edefice, using the certutil utility:

      certutil -addstore -f -user edefice my.cer

      where my.cer is the name of the file to which you exported the certificate.

      Note: If your system uses a different certificate store for EA certificates, change edefice to the name of the appropriate store.

      Note: The private key must also be present on the machine; for example, imported as a pfx file.

    4. Disable the following service:

      • eBureauService (only installed on systems that have been configured for bureau integration)

      This service must be running on the primary application server only. If you do not disable the service on the additional application servers, you may experience problems.

    5. If you have multiple MyID certificate services, make sure you set the RecordSize parameter in the registry for each to a value of 1.

      The default registry location for this parameter is:

      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\eCertificateSrv\Parameters

      Note: If you have multiple instances of the MyID certificate services running on the same application server, the registry key will be different from eCertificateSrv for the additional instances.

    6. Export the COM proxies from the application server to the appropriate web server.

      This allows you to distribute the traffic amongst your application servers.

    7. On systems that use signing certificates (for example, PIV or CIV implementations):

      1. Check the registry key on the primary application server:

        HKEY_LOCAL_MACHINE\SOFTWARE\Intercede\Edefice\PIV

      2. For each of the signing certificates (for example, CHUIDSigningCertificate or SecurityObjectSigningCertificate) check the location of the certificate, then copy the file from that location on the primary application server to the same location on the additional application server.
      3. Update the registry on the additional application server for each signing certificate to match the primary application server.
    8. Confirm that the MyID .udl files in the Windows System32 folder point to the correct database server.

      These files start with the name you provided for the MyID database; for example, MyID.udl, MyIDaudit.udl and MyIDarchive.udl.

      Note: To edit the .udl files, you must open a Windows command prompt, navigate to the System32 folder, then type the name of the .udl file and press Enter.

    9. Restart the MyID application server.
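As an added example (not a script supplied by Intercede or this guide), the following PowerShell check can be run on an additional application server after step 4 to confirm the settings the procedure above requires. The database server name and the .udl file prefix are assumed values to replace for your environment; the Mastercard key check only confirms that the key exists, not that its values match the primary server, and the certificate store check must be run as the account that ran certutil -user.

```powershell
# Post-setup checks for an additional MyID application server (added example, not Intercede's code).
param(
    [string]$ExpectedDbServer = 'SQLSERVER01',  # assumption: replace with your database host name
    [string]$DbNamePrefix     = 'MyID',         # assumption: the name you gave the MyID database
    [string]$CertServiceKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\eCertificateSrv\Parameters'
)
$failures = New-Object System.Collections.Generic.List[string]

# 1. The master key registry settings exported from the primary must have been imported here.
$masterKey = 'HKLM:\SOFTWARE\Intercede\Edefice\Mastercard'
if (-not (Test-Path $masterKey)) { $failures.Add("Master key registry key missing: $masterKey") }

# 2. eBureauService runs on the primary only; if it is installed here it must be disabled.
$svc = Get-Service -Name 'eBureauService' -ErrorAction SilentlyContinue
if ($svc -and $svc.StartType -ne 'Disabled') {
    $failures.Add("eBureauService start type is $($svc.StartType); expected Disabled")
}

# 3. RecordSize must be 1 for each certificate service instance when several are installed.
if (Test-Path $CertServiceKey) {
    $rs = (Get-ItemProperty -Path $CertServiceKey -ErrorAction SilentlyContinue).RecordSize
    if ($rs -ne 1) { $failures.Add("RecordSize under $CertServiceKey is '$rs'; expected 1") }
} else {
    $failures.Add("Certificate service parameters key not found: $CertServiceKey")
}

# 4. If the EA certificate was imported manually, the edefice store of this user must hold one.
if (Test-Path 'Cert:\CurrentUser\edefice') {
    if (-not (Get-ChildItem 'Cert:\CurrentUser\edefice' | Where-Object { $_.HasPrivateKey })) {
        $failures.Add('edefice store has no certificate with a private key')
    }
}

# 5. Every <prefix>*.udl in System32 must point at the expected database server.
Get-ChildItem -Path "$env:SystemRoot\System32" -Filter "$DbNamePrefix*.udl" | ForEach-Object {
    # .udl files are UTF-16 text containing an OLE DB connection string.
    $text = Get-Content -Path $_.FullName -Raw -Encoding Unicode
    if ($text -match 'Data Source=([^;\r\n]+)') {
        if ($Matches[1].Trim() -ne $ExpectedDbServer) {
            $failures.Add("$($_.Name) points at '$($Matches[1].Trim())'; expected '$ExpectedDbServer'")
        }
    } else {
        $failures.Add("$($_.Name) has no Data Source entry")
    }
}

if ($failures.Count -eq 0) { 'All checks passed.' } else { $failures | ForEach-Object { "FAIL: $_" }; exit 1 }
```

The script exits with code 1 when any check fails, so it can be run from a deployment pipeline before the MyID application server is restarted in step 9.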