Clustering an ITPAM 3.1 Orchestrator for scalability and high availability

Document ID : KB000021710
Last Modified Date : 14/02/2018


This document describes how the ITPAM Domain Orchestrator can be clustered over a secondary Domain Server to enhance scalability and high availability.


The following steps detail the installation of a clustered Domain Orchestrator, using CA Embedded Entitlements Manager (CA EEM) as the Security Server, Microsoft SQL Server 2005 as the database and Apache HTTP Server as the load balancer. A basic standalone Domain Orchestrator is often co-located with the database server and CA EEM; in a clustered environment, however, these shared components should be located on a separate server. ITPAM is certified with Apache HTTP Server and the mod_jk module as the load balancer. We therefore need a minimum of three servers for our environment: one for each orchestrator node and one for the shared components (EEM, database, load balancer). This is in addition to the servers/machines that are to be managed by CA IT PAM Agents.

Install the Apache HTTP Server

The first step is to install the loadbalancer on the shared server. To do this:

  1. Ensure that you have access to the "Apache HTTP Server" (apache_2.2.14-win32-x86-openssl-0.9.8k.msi or later) and the corresponding "Apache to Tomcat Connector" ( These can be downloaded from In this doc we will use version 2.2.14, but any later 2.2.xx version can be used. . You can download the binary corresponding to the OS from and select the Binary Releases section to see a list of available downloads. In our example we are using "".

  2. Ensure that port 80 is available on this server for Apache. Microsoft IIS (for example) uses port 80 so ensure that IIS is uninstalled or disabled.

  3. Double-click on the install package "apache_2.2.14-win32-x86-openssl-0.9.8k.msi" to begin to install Apache HTTP Server.

    Figure 1

  4. Click the Run button in the Open File - Security Warning dialog.

    Figure 2

  5. Click Next on the Welcome to the Installation Wizard for Apache HTTP Server 2.2.14 page.

    Figure 3

  6. Select the "I accept the terms in the license agreement" option and click the Next button on the License Agreement page.

    Figure 4

  7. Click Next on the "Read This First" page.

    Figure 5

  8. Enter the Network Domain, Server Name and Administrator's Email Address on the Server Information page. Click the Next button when done.

    Figure 6

  9. Verify that the Typical option is selected on the Setup Type page and click the Next button.

    Figure 7

  10. Click Next on the Destination Folder page to install the Apache HTTP Server to the default location. From here on out <APACHE_HOME> will refer to this directory which is C:\Program Files\Apache Software Foundation\Apache2.2.

    Figure 8

  11. Click the Install button on the Ready to Install the Program page.

    Figure 9

  12. Click the Finish button on the Installation Wizard Completed page after the product finishes installing.

    Figure 10

  13. Copy the file to the <APACHE_HOME>\modules and rename the file to

    Figure 11

  14. Create a file called mod-jk.conf in the directory <APACHE_HOME>\conf with the following contents:

    # Load mod_jk module
    # Specify the filename of the mod_jk lib

    LoadModule jk_module modules/

    # Where to find

    JkWorkersFile conf/

    # Where to put jk logs

    JkLogFile logs/mod_jk.log

    # Set the jk log level [debug/error/info]

    JkLogLevel error

    # Select the log format

    JkLogStampFormat "[%a %b %d %H:%M:%S %Y]"

    # JkOptions indicates to send SSL KEY SIZE

    JkOptions +ForwardKeySize +ForwardURICompat -ForwardDirectories

    # JkRequestLogFormat

    JkRequestLogFormat "%w %V %T"

    # You can use external file for mount points.
    # It will be checked for updates each 60 seconds.
    # The format of the file is: /url=worker
    # /examples/*=loadbalancer

    JkMountFile conf/

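    # Add shared memory.
    # This directive is present with 1.2.10 and
    # later versions of mod_jk, and is needed
    # for load balancing to work properly
    #JkShmFile logs/jk.shm
    # Add jkstatus for managing runtime data
    # "Allow from all" leaves the status worker reachable by any client;
    # narrow the Allow rule to administrative hosts where possible.
    <Location /jkstatus/>
    JkMount status
    Order deny,allow
    Allow from all
    </Location>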

  15. Create a file called in the directory <APACHE_HOME>\conf with the following contents:

    #In for Domain clustering make following entries:
    # Mount the Servlet context to the ajp13 worker
    # Mount your applications
    # All the mirroring requests will go to the primary domain server
    #Request to upload report and resource will go to primary domain server
    #All the mirroring request will go to primary server
    #Agent start up request will go to primary domain server
    #Gwt requests which are specific to primary domain server like Manage Version
    #and Reporting will go to primary domain server only
    #Installation request will go to primary domain server
    #All the Secondary domain setting request will go to Primary domain servers
    #Agent installation request will go to load balancer
    #All the reports will be uploaded to the primary domain server only. So we will have
    #to map the URL which will be used to open the report to primary domain server.
    #The request for the oasis client should go to load balancer
    #The request for the third party installation should go to primary server

  16. Create a file called in the directory <APACHE_HOME>\conf with the contents below. In the contents below you will notice that there are two nodes, node1 and node2, which refer to the Primary Domain Orchestrator and the additional cluster node for the Domain Orchestrator in the cluster, respectively. Within each node you have to provide a host name, which is either the IP address or the fully qualified domain name (which we have chosen), and the Apache JServ Protocol port number, which is 8009 by default and does not need to be changed.

    #Define list of workers that will be used for mapping requests
    worker.list=loadbalancer, status, Primaryloadbalancer
    # Load-balancing behaviour
    # Mirroring Load-balancing behaviour
    # Define node1
    # modify the host as your host IP or DNS name.
    # Define Node2
    # modify the host as your host IP or DNS name.
    # Status worker for managing load balancer

    When you finish creating the three files, it should look like the screenshot below.

    Figure 12

  17. Modify the <APACHE_HOME>\conf\httpd.conf file by adding the lines below after line 126 of the file. You will add this after the line that reads
    #LoadModule vhost_alias_module modules/ Make sure to save the file when finished.
    #Load balancing module
    Include conf/mod-jk.conf

    Figure 13

  18. Restart Apache by clicking on the green arrow in the notifications area of the taskbar in the lower-right of the desktop, highlighting Apache2.2 in the popup menu, and clicking Restart in the popup menu.

    Figure 14

    Now open a browser and type in the URL for the loadbalancer and you should see "It works!"

    Figure 15

    At this point the Apache Server is set up as a loadbalancer for the CA IT PAM nodes that we are about to install.
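The consistency this procedure depends on can be checked before Apache is restarted: every name in worker.list is defined, each worker node name later typed into the installer has a worker entry with a host, balanced members exist, and the jkstatus block is closed and not open to all clients. The following Python check is an added example, not part of the original document or the product's tooling; the sample file contents, the pam-node*.example.test host names and the function names are constructed assumptions.

```python
import re

# Constructed sample inputs (not the document's files); host names are placeholders.
SAMPLE_WORKERS = """\
worker.list=loadbalancer, status, Primaryloadbalancer
worker.node1.host=pam-node1.example.test
worker.node1.port=8009
worker.node2.host=pam-node2.example.test
worker.node2.port=8009
worker.loadbalancer.type=lb
worker.loadbalancer.balance_workers=node1,node2
worker.Primaryloadbalancer.type=lb
worker.Primaryloadbalancer.balance_workers=node1
worker.status.type=status
"""
SAMPLE_MOD_JK = "<Location /jkstatus/>\nJkMount status\nOrder deny,allow\nAllow from all\n"

def parse_workers(text):
    """Return (names in worker.list, {worker name: {property: value}})."""
    listed, workers = [], {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "worker.list":
            listed += [w.strip() for w in value.split(",") if w.strip()]
        elif key.startswith("worker.") and key.count(".") >= 2:
            _, name, prop = key.split(".", 2)
            workers.setdefault(name, {})[prop] = value
    return listed, workers

def audit(workers_text, mod_jk_text, installer_nodes):
    """Return a list of findings; an empty list means every check passed."""
    listed, workers = parse_workers(workers_text)
    findings = [f"worker.list entry '{w}' is not defined" for w in listed if w not in workers]
    for node in installer_nodes:  # names typed into "Load Balancer Worker Node"
        if "host" not in workers.get(node, {}):
            findings.append(f"installer node '{node}' has no worker entry with a host")
    for name, props in workers.items():
        members = [m.strip() for m in props.get("balance_workers", "").split(",")]
        findings += [f"{name} balances undefined worker '{m}'" for m in members if m and m not in workers]
    if mod_jk_text.count("<Location") != mod_jk_text.count("</Location>"):
        findings.append("unclosed <Location> block")
    if re.search(r"^\s*Allow\s+from\s+all\s*$", mod_jk_text, re.I | re.M):
        findings.append("'Allow from all' leaves jkstatus open to every client")
    return findings
```

Calling `audit(SAMPLE_WORKERS, SAMPLE_MOD_JK, ["node1", "node2"])` reports the unclosed Location block and the open jkstatus rule in the constructed sample.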

CA Process Automation 3.1 Installation

Now we will install the ITPAM Domain Orchestrator (or node1 in our loadbalancer). These instructions assume that you have a database available with a user that has create database permissions; in this document we will use SQL Server 2005. They also assume that a Java Development Kit (JDK) is installed and ready to reference in the ITPAM installation, and that EEM is installed and you have the EiamAdmin user's password.

CA Process Automation Third Party Installation (CD1)

  1. Welcome Screen

    Figure 16

  2. Prerequisites List (JBOSS and Hibernate are required)

    Figure 17

  3. JDBC Jar required for installation (MS SQL Server used in this case). The jar location is populated automatically from the installation media.

    Figure 18

  4. Specify the location of the CD2 media, this will launch the CA PAM 3.1 Domain Installer (the installer can only be launched from the Third Party installer on CD1)

    Figure 19

CA Process Automation Domain Installation (CD2)

  1. Initial Domain Install Panel

    Figure 20

  2. Select the I accept the agreement option on the License Agreement page and click Next.

    Figure 21

  3. Browse to the Java Home directory for the JDK which is under C:\Program Files\Java\jdk1.6.0_18. If you have already setup a JAVA_HOME variable in your System Environment Variables you will not see this page. Click Next when done.

    Figure 22

  4. SSO and Load Balancer configuration

    Check the Configure Load Balancer option, type in node1 in the Load Balancer Worker Node text field, and type in the fully qualified domain name for the Apache HTTP Server in the Public Host Name text field (this is the host name you used above when you got "It works!" in the browser). In the file, you defined two nodes, node1 and node2. Here you are specifying that this CA IT PAM Primary Domain Orchestrator is node1. Click Next when done.

    Figure 23

  5. Type in the Company name. Click Next when completed.

    Figure 24

  6. Enter <password> for the Certificate password to be used for installing additional CA IT PAM Orchestrators. You may make this password the same or different than the password used for the itpamcert.p12 certificate (to be used later when registering the EEM application) which by default is "itpamcertpass". You will need this password in the future when installing additional CA IT PAM Orchestrators. Click Next when completed.

    Figure 25

  7. Click Next on the Select Start Menu Folder page to accept the default options.

    Figure 26

  8. Host Ports are displayed as default. Ensure that these ports are not in use on your server. Select to Install as Service (note, the CA Process Automation Orchestrator service must be started after the installation is complete; the service is initially configured to 'Manual' Startup Type)

    Figure 27

  9. PowerShell policy

    This allows for central configuration of the PowerShell path and sets the execution of scripts to "Remote Signed" which allows CA Process Automation to run PowerShell scripts.

    Figure 28

  10. CA Process Automation EEM configuration

    Select EEM for the Security Server drop-down list on the Select Security Server Type page to use EEM as the security Server. Click Next when finished.

    Figure 29

    Fill in your EEM server name and check the checkbox for Register Application. Also fill in your EEM certificate password. By default this is "itpamcertpass".

    Click the "Register Application" button.

    Figure 30

    Enter the EiamAdmin Credentials:

    Figure 31

    Figure 32

    • PAMAdmins and PAMUsers groups are created and pamadmin and pamuser users are created within EEM as part of the registration process; policy modifications for these groups and users, as well as user maintenance can be performed in EEM

    • PAMAdmins and PAMUsers groups in EEM:

      Figure 33

      pamadmin and pamuser users in EEM

      Figure 34

      Click the "Test EEM Settings" button and enter credentials pamadmin/pamadmin

      Figure 35

  11. CA Process Automation Installation Database Configuration

    • The Repository and Runtime databases can now be separated to allow for easier maintenance and to enhance performance. After the databases have been created, click 'Check the Database Settings' to ensure they are configured correctly.

    • After selecting the Type of Database the rest of the fields are populated with default values except the User Name and Password fields; be sure to denote a meaningful 'Repository Database' value if separate from the Runtime databases

      Figure 36

  12. Database settings for Process Automation Runtime and Queues databases. Check 'copy from main repository' to copy the parameters from the previous (Repository) database settings.

    Figure 37

  13. Database settings for the Process Automation Report databases

    Figure 38

Installation Complete

Figure 39

Node1 of our cluster is installed. You can now access the itpam URL for your Apache HTTP Server (i.e. http://servername/itpam), which should now direct you to log in to node1.

Now we need to install node2.

Install an Additional Cluster Node for the Domain Orchestrator

NOTE: Follow the above instructions for installing a JDK on this node before launching the installation.

Open a browser on the node2 machine and navigate to http://servername/itpam, where servername is the name of your Apache HTTP Server. This will connect you to the load balancer and, if it was configured properly, it should direct you to the login page of CA IT PAM. Log in as an administrator (i.e. pamadmin).

  1. Select the Installation tab on the left side and highlight the "Install Cluster Node for Domain Orchestrator" panel.

    Figure 40

  2. Click the Install button on the right.

    Figure 41

  3. Select "Always trust content from this publisher" and click Run.

    Figure 42

  4. Click Next.

    Figure 43

  5. Accept the license and click Next.

    Figure 44

  6. Select the directory where the orchestrator will be installed. Click Next.

    Figure 45

  7. Click Next to install JBoss and Hibernate.

    Figure 46

  8. Click Next.

    Figure 47

    Figure 48

  9. Click Next.

    Figure 49

    Figure 50

  10. JBoss and Hibernate installs were successful. Click Next.

    Figure 51

    Leave this screen as it is. It will copy the installation media from the node1 orchestrator to the node2 orchestrator. Click Finish. This may take some time.

    To monitor what is going on behind the scenes, browse to the directory you specified for the orchestrator install and see the file that should be growing in size as you refresh the explorer screen.

    Figure 52

    Figure 53

  11. Click Next.

    Figure 54

  12. Accept the license agreement and click Next.

    Figure 55

  13. Browse to the path to your JDK and click Next.

    Figure 56

    Notice that the checkboxes on this screen are greyed out. Because we have selected to install a cluster orchestrator, the installer takes many of its settings from the primary orchestrator. Make sure to enter the worker node name for this new orchestrator. This name should match what you entered in the file for this machine when you configured Apache. The Public Host Name should be the fully qualified domain name of the host where Apache is installed, together with the port number that Apache uses (by default it is port 80).

    Figure 57

  14. Enter the company name and click Next.

    Figure 58

  15. Enter the certificate password. The default is "itpamcertpass". If you changed it for the node1 installation, make sure you enter the correct password here.

    Figure 59

  16. Click Next.

    Figure 60

  17. Select to Install as Windows Service. Notice the display name is the name of your Apache HTTP Server. Click Next.

    Figure 61

  18. Click Next.

    Figure 62

  19. Click Next.

    Figure 63

  20. EEM is used here and cannot be changed because node1 uses EEM. Click Next.

    Figure 64

  21. EEM information is copied over from node1 and cannot be changed here. Click Next.

    Figure 65

  22. All Database information is copied over from node1 and cannot be edited here. Click Next.

    Figure 66

  23. Click Next.

    Figure 67

  24. Click Next and the installation starts.

    Figure 68

    Figure 69

    Node2 is now complete. You should now be able to start the node2 service and access Apache which will load balance between node1 and node2.