Configuring a cluster

Hello experts!

There are two hosts: HV1 and HV2.

On each of the hosts, Job Server and Job Server DB: JS1 and JS2, DB1 and DB2.

A Windows 2019 Failover Cluster was set up, in which JS and DB are combined, so we have JS-Cluster and DB-Cluster.

We use SQL Always On (Standard).

Difficulties with configuring a cluster in IDM:

1. In JobQueueInfo, our clusters show errors.
2. If we try to open the web interface, there is nothing there, even if we go to 127.0.0.1:1880.

How do I fix this? I looked at the instructions, but they did not help. What am I missing?

  • Thank you!

    I will write to support. If a solution to my problem appears, I will write here.

  • We contacted support, but there are no more detailed instructions.

    I have enabled the logs on the job servers that we have in the cluster. The correct switching from node to node does not take place there. Maybe you can decipher our log and tell me what to fix?

    Logging severity: Warning.
    <e>2021-06-09 10:46:48 +03:00 - M2IDMJS-ONEIMSE - Error occurred in JobService.Initialize (thread: <Unknown>):
    [821045] Could not create job provider sqlprovider.
    [System.Reflection.TargetInvocationException] Exception has been thrown by the target of an invocation.
    [809012] Error reading configuration value ConnectString.
    [809004] Could not get value ConnectString.
    [809003] Error encrypting value.
    [System.Security.Cryptography.CryptographicException] Key not valid for use in specified state.
    <x>
    <d> at VI.JobService.JobService._InitializeJobProviders()
    at System.Activator.CreateInstance(Type type, Object[] args)
    at System.Activator.CreateInstance(Type type, BindingFlags bindingAttr, Binder binder, Object[] args, CultureInfo culture, Object[] activationAttributes)
    at System.RuntimeType.CreateInstanceImpl(BindingFlags bindingAttr, Binder binder, Object[] args, CultureInfo culture, Object[] activationAttributes, StackCrawlMark& stackMark)
    at System.Reflection.RuntimeConstructorInfo.Invoke(BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture)
    at System.RuntimeMethodHandle.InvokeMethod(Object target, Object[] arguments, Signature sig, Boolean constructor)
    ---- Start of Inner Exception ----
    at VI.JobService.MSSqlJobProvider..ctor(RequestDispatcher dispatcher, String id)
    at VI.Base.ConfigSettings._Init()
    at VI.Base.ConfigSettings._ReadConfig()
    ---- Start of Inner Exception ----
    at VI.Base.ConfigSettings._ReadConfig()
    at VI.Base.ConfigDataExtensions.CheckRequiredParameters(IConfigData category, String[] parameters)
    at VI.Base.EncryptedConfigData.Get(String valueName)
    ---- Start of Inner Exception ----
    at VI.Base.EncryptedConfigData.Get(String valueName)
    at VI.Base.EncryptedConfigScope._Decode(String data)
    ---- Start of Inner Exception ----
    at VI.Base.EncryptedConfigScope._Decode(String data)
    at System.Security.Cryptography.ProtectedData.Unprotect(Byte[] encryptedData, Byte[] optionalEntropy, DataProtectionScope scope)<x>
    <r>2021-06-09 10:46:48 +03:00 - M2IDMJS-ONEIMSE - Serious: No job providers configured.<x>
    <r>2021-06-09 10:46:48 +03:00 - M2IDMJS-ONEIMSE - Serious: Provider value names: sqlprovider<x>
    <w>2021-06-09 10:46:48 +03:00 - M2IDMJS-ONEIMSE - Warning: The service has no write permissions for its own directory. These are required for automatic updates.<x>
    <e>2021-06-09 10:46:48 +03:00 - M2IDMJS-ONEIMSE - Error occurred in Job Service (thread: <Unknown>):
    [821049] Error starting One Identity Manager Service.
    [System.Exception] No job provider configured.<x>
    <d> at VI.JobService.JobService._StartJobService()<x>
    <w>2021-06-09 10:46:48 +03:00 - M2IDMJS-ONEIMSE - Warning: Error starting the service. Retrying after 00:01:30.<x>
    <e>2021-06-09 10:49:36 +03:00 - M2IDMJS-ONEIMSE - Error occurred in JobService.Initialize (thread: <Unknown>):
    [821045] Could not create job provider sqlprovider.
    [System.Reflection.TargetInvocationException] Exception has been thrown by the target of an invocation.
    [809012] Error reading configuration value ConnectString.
    [809004] Could not get value ConnectString.
    [809003] Error encrypting value.
    [System.Security.Cryptography.CryptographicException] Key not valid for use in specified state.
    <x>
    <d> at VI.JobService.JobService._InitializeJobProviders()
    at System.Activator.CreateInstance(Type type, Object[] args)
    at System.Activator.CreateInstance(Type type, BindingFlags bindingAttr, Binder binder, Object[] args, CultureInfo culture, Object[] activationAttributes)
    at System.RuntimeType.CreateInstanceImpl(BindingFlags bindingAttr, Binder binder, Object[] args, CultureInfo culture, Object[] activationAttributes, StackCrawlMark& stackMark)
    at System.Reflection.RuntimeConstructorInfo.Invoke(BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture)
    at System.RuntimeMethodHandle.InvokeMethod(Object target, Object[] arguments, Signature sig, Boolean constructor)
    ---- Start of Inner Exception ----
    at VI.JobService.MSSqlJobProvider..ctor(RequestDispatcher dispatcher, String id)
    at VI.Base.ConfigSettings._Init()
    at VI.Base.ConfigSettings._ReadConfig()
    ---- Start of Inner Exception ----
    at VI.Base.ConfigSettings._ReadConfig()
    at VI.Base.ConfigDataExtensions.CheckRequiredParameters(IConfigData category, String[] parameters)
    at VI.Base.EncryptedConfigData.Get(String valueName)
    ---- Start of Inner Exception ----
    at VI.Base.EncryptedConfigData.Get(String valueName)
    at VI.Base.EncryptedConfigScope._Decode(String data)
    ---- Start of Inner Exception ----
    at VI.Base.EncryptedConfigScope._Decode(String data)
    at System.Security.Cryptography.ProtectedData.Unprotect(Byte[] encryptedData, Byte[] optionalEntropy, DataProtectionScope scope)<x>
    <r>2021-06-09 10:49:36 +03:00 - M2IDMJS-ONEIMSE - Serious: No job providers configured.<x>
    <r>2021-06-09 10:49:36 +03:00 - M2IDMJS-ONEIMSE - Serious: Provider value names: sqlprovider<x>
    <w>2021-06-09 10:49:36 +03:00 - M2IDMJS-ONEIMSE - Warning: The service has no write permissions for its own directory. These are required for automatic updates.<x>
    <e>2021-06-09 10:49:36 +03:00 - M2IDMJS-ONEIMSE - Error occurred in Job Service (thread: <Unknown>):
    [821049] Error starting One Identity Manager Service.
    [System.Exception] No job provider configured.<x>
    <d> at VI.JobService.JobService._StartJobService()<x>
    <w>2021-06-09 10:49:36 +03:00 - M2IDMJS-ONEIMSE - Warning: Error starting the service. Retrying after 00:01:30.<x>
    <e>2021-06-09 10:51:06 +03:00 - M2IDMJS-ONEIMSE - Error occurred in Job Service (thread: <Unknown>):
    [821049] Error starting One Identity Manager Service.
    [System.Exception] No job provider configured.<x>
    <d> at VI.JobService.JobService._StartJobService()<x>
    <w>2021-06-09 10:51:06 +03:00 - M2IDMJS-ONEIMSE - Warning: Error starting the service. Retrying after 00:01:30.<x>

  • Error reading configuration value ConnectString.
    [809004] Could not get value ConnectString.
    [809003] Error encrypting value.
    [System.Security.Cryptography.CryptographicException] Key not valid for use in specified state.

    This means, in most cases, that the Job Service user has no access to the private.key file used to encrypt the database.

    <r>2021-06-09 10:46:48 +03:00 - M2IDMJS-ONEIMSE - Serious: No job providers configured.<x>
    <r>2021-06-09 10:46:48 +03:00 - M2IDMJS-ONEIMSE - Serious: Provider value names: sqlprovider<x>
    <w>2021-06-09 10:46:48 +03:00 - M2IDMJS-ONEIMSE - Warning: The service has no write permissions for its own directory. These are required for automatic updates.<x>

    The Job Service needs to have write access to its own directory.

  • This means, in most cases, that the Job Service user has no access to the private.key file used to encrypt the database.

    And where should the private.key be placed (in which folder)? I thought that when I installed the service and pointed the installer to the key, it copied it.

  • According to the error the JobService can not read or decrypt the connection string stored in the JobService configuration file.
    On startup, unencrypted sensitive information is encrypted by the JobService. The key is stored using a Windows API bound to the machine and account.

    Reusing a JobService configuration file for a different account or on a different machine causes this error.
    If you copied the configuration from the other node, edit it and reenter the connection information.
    If you use a shared binary directory, reenter the connection information and activate the "Do not protect encrypted configuration" option. This option has side effects that need to be considered.
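The "Windows API bound to the machine and account" in the reply above is DPAPI, the same `ProtectedData.Unprotect` call that appears at the bottom of the stack trace. The following PowerShell script is an added example, not code from this thread or from One Identity Manager: it protects a constructed sample connect string with DPAPI in `CurrentUser` and `LocalMachine` scope and then tries to decrypt it as the current caller, reporting the same `CryptographicException` text the JobService log shows when a blob was created by a different account or on a different machine. Run `Test-ConfigValueDecrypts` against a saved blob as the JobService account on the other node to reproduce the failure mode; the sample value and file name are assumptions.

```powershell
Add-Type -AssemblyName System.Security

# Constructed sample value standing in for the ConnectString in the JobService config.
$SampleConnectString = 'Data Source=DB-CLUSTER;Initial Catalog=OneIM;User ID=svc_idm;Password=example-only'

function Protect-ConfigValue {
    # Encrypt a string with DPAPI in the given scope and return a base64 blob.
    param(
        [Parameter(Mandatory)][string]$PlainText,
        [System.Security.Cryptography.DataProtectionScope]$Scope = 'CurrentUser'
    )
    $bytes = [System.Text.Encoding]::UTF8.GetBytes($PlainText)
    $blob  = [System.Security.Cryptography.ProtectedData]::Protect($bytes, $null, $Scope)
    [Convert]::ToBase64String($blob)
}

function Test-ConfigValueDecrypts {
    # Try to decrypt a DPAPI blob as the current caller and report the outcome.
    # A CurrentUser blob opened by another account, or any blob moved to another
    # machine, fails with "Key not valid for use in specified state." - the same
    # CryptographicException as in the JobService log.
    param(
        [Parameter(Mandatory)][string]$Base64Blob,
        [System.Security.Cryptography.DataProtectionScope]$Scope = 'CurrentUser'
    )
    $caller = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    try {
        $blob  = [Convert]::FromBase64String($Base64Blob)
        $bytes = [System.Security.Cryptography.ProtectedData]::Unprotect($blob, $null, $Scope)
        [pscustomobject]@{
            Caller      = $caller
            Machine     = $env:COMPUTERNAME
            Decryptable = $true
            Detail      = "decrypted $($bytes.Length) bytes"
        }
    }
    catch [System.Security.Cryptography.CryptographicException] {
        [pscustomobject]@{
            Caller      = $caller
            Machine     = $env:COMPUTERNAME
            Decryptable = $false
            Detail      = $_.Exception.GetBaseException().Message
        }
    }
}

# 1. CurrentUser scope: only this account on this machine can open the blob.
$userBlob = Protect-ConfigValue -PlainText $SampleConnectString -Scope CurrentUser
Test-ConfigValueDecrypts -Base64Blob $userBlob

# 2. LocalMachine scope: any account on this machine can open it, no account on
#    the other cluster node can.
$machineBlob = Protect-ConfigValue -PlainText $SampleConnectString -Scope LocalMachine
Test-ConfigValueDecrypts -Base64Blob $machineBlob -Scope LocalMachine

# 3. To see the failure from the log, save a blob and run the check as the
#    JobService account (or on the other node). File name is an assumption.
Set-Content -Path '.\dpapi-blob.txt' -Value $userBlob
# as the other account / on the other node:
#   Test-ConfigValueDecrypts -Base64Blob (Get-Content '.\dpapi-blob.txt')
```

This is why a JobService configuration file copied from the other node, with its already-encrypted values, cannot be decrypted there: the blob is tied to the account and machine that wrote it, so the connection information has to be re-entered on each node (or, for a shared directory, the unprotected-configuration option in the reply above has to be weighed against the fact that the connect string then no longer enjoys this binding).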

  • A copy of the private.key file has to be placed into the installation directory of the JobService.
    Private key files are consumed (and deleted) by the JobService and stored bound to account and machine (using a Windows API) on startup.

    When changing account or machine, the private key file has to be copied into the installation directory of the JobService prior to its startup. Per combination of account and machine, this has to be done once.

    When using a shared installation directory the above is required once per cluster node or the option "Do not protect private keys" can be activated. This option has security implications!

  • The private.key file will be removed during startup if not configured otherwise. Are you trying to share the private.key between both instances?

  • What I've done:
    1. In the Designer, I made a Job server and checked the boxes for Server Cluster and One Identity Server installed.
    2. I installed the service through the Designer on the necessary servers; during installation I indicated the path to the distribution kit and the key.
    3. Saved the configuration file from the Designer, indicating the queue.
    4. I start the Windows service under a specially created account for each job server.
    5. Gave this account full rights to the folder C:\Program Files\One Identity.
    6. Copied the configuration file to each job server, applied it, saved it, and restarted the service.

    PS: The database is encrypted.
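The replies in this thread name three things that have to be true on every node before the JobService can read its own configuration: the service runs as the intended account, that account can write to the installation directory, and the private.key was in that directory the first time the service started (after which it is consumed and disappears). The PowerShell report below is an added example, not part of the thread or of the product, that checks those three points for one node; the service name and installation path are assumptions to be replaced with the real ones, and the ACL check only looks at explicit entries for the account, not rights it inherits through group membership.

```powershell
# Adjust these two values for the node being checked (assumed names, not product defaults).
$ServiceName = 'OneIdentityManagerService'                           # assumed service name
$InstallDir  = 'C:\Program Files\One Identity\One Identity Manager'  # assumed install directory

function Get-ServiceLogonAccount {
    # Return the account a Windows service logs on as, normalised to COMPUTER\user form.
    param([Parameter(Mandatory)][string]$Name)
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$Name'"
    if (-not $svc) { throw "Service '$Name' not found on $env:COMPUTERNAME" }
    $account = $svc.StartName
    if ($account -like '.\*') { $account = "$env:COMPUTERNAME\" + $account.Substring(2) }
    $account
}

function Test-DirectoryModifyAccess {
    # True when an explicit Allow ACE for $Account on $Path grants at least Modify
    # (the JobService warns when it cannot write to its own directory).
    # Group-based grants are not resolved; extend this if access is granted via a group.
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Account
    )
    $modify = [System.Security.AccessControl.FileSystemRights]::Modify
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ace.IdentityReference.Value -ne $Account) { continue }
        if (($ace.FileSystemRights -band $modify) -eq $modify) { return $true }
    }
    $false
}

function Get-JobServiceSetupReport {
    param([string]$Name = $ServiceName, [string]$Path = $InstallDir)
    $account = Get-ServiceLogonAccount -Name $Name
    $keyFile = Join-Path $Path 'private.key'
    $keyPresent = Test-Path -LiteralPath $keyFile
    $running = (Get-Service -Name $Name).Status -eq 'Running'
    # The key file is consumed on the first successful start, so "absent while the
    # service runs" is the normal state; "present while the service runs" means the
    # service never picked it up from this directory.
    $keyNote = if ($keyPresent -and $running) { 'private.key still present after start: not consumed from this directory' }
               elseif ($keyPresent)          { 'private.key staged; start the service once as this account' }
               else                          { 'private.key absent (expected after a successful first start)' }
    [pscustomobject]@{
        Node                = $env:COMPUTERNAME
        Service             = $Name
        ServiceRunning      = $running
        LogonAccount        = $account
        InstallDir          = $Path
        AccountCanModifyDir = Test-DirectoryModifyAccess -Path $Path -Account $account
        PrivateKeyPresent   = $keyPresent
        PrivateKeyNote      = $keyNote
    }
}

Get-JobServiceSetupReport | Format-List
```

Run it on each cluster node as an administrator. `AccountCanModifyDir` being `False` matches the "no write permissions for its own directory" warning in the log; a `LogonAccount` that differs between nodes, combined with a configuration file copied from the other node, is the DPAPI mismatch behind the `Key not valid for use in specified state` error.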


  • I copied the key to the program directory; it disappears. But the problem remained.