Scale out Workspace ONE Access for high availability in VMware Aria Suite Lifecycle

To increase high availability options in Workspace ONE Access, use VMware Aria Suite Lifecycle.
Note that the VMware Identity Manager and Workspace ONE Access terms are used interchangeably in VMware Aria Suite Lifecycle product documentation.
For a Workspace ONE Access cluster and replace certificate actions, take a snapshot of the Workspace ONE Access nodes before performing any scaling operations. For related information about replacing the VMware Identity Manager certificate, see Replace your Workspace ONE Access certificate by using VMware Aria Suite Lifecycle.
You should configure a load balancer and add its VIP to the certificate before performing the scale-out operation. For information about configuring a load balancer, see the VMware Aria Automation and VMware Aria Automation Orchestrator Load Balancing product documentation.
For additional information, refer to the Workspace ONE Access load-balancing documentation to configure a highly available identity provider for VMware Aria Automation.
Workspace ONE Access does not support SSL passthrough. You must manually import the certificate into the load balancer before performing this scale-out operation.
  • Take a snapshot of the Workspace ONE Access node and VMware Aria Suite Lifecycle before you perform the scale-out operation. Scale out allows you to go from one node to three nodes.
  • Verify that there is a certificate already added in the VMware Aria Suite Lifecycle Locker. This certificate should include the FQDNs of the three nodes and the load balancer in the SAN field. IPs are optional.
  • Verify that there is a single A and single PTR DNS record created for each of the two new nodes and the load balancer.
  • The Scale Out operation requires four additional IPs - two for the secondary nodes, one for the load balancer, and one for the delegate IP. The delegate IP does not require a DNS record.
  • Replace the certificate on the standalone Workspace ONE Access node. The certificate should also have SAN entries for all three nodes, or be a wildcard certificate. For information on replacing certificates, see Replace certificate for VMware Aria Suite Lifecycle products.
  • Scale-In is not supported when you deploy a Workspace ONE Access cluster through VMware Aria Suite Lifecycle.
    If you apply the KB 87185 patch on a single-node appliance and then perform a scale-out to cluster operation, follow KB 87185 to apply the patch on the scaled-out nodes.
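The certificate, DNS and IP prerequisites listed above can be checked before the scale-out request is submitted. The following Python sketch is an added example, not part of the VMware documentation: the function names, host names and addresses are constructed, the SAN text is assumed to come from `openssl x509 -noout -ext subjectAltName`, and requiring the PTR record to name the same FQDN is an assumption.

```python
import re

def san_dns_names(openssl_text):
    """DNS entries from `openssl x509 -noout -ext subjectAltName` output."""
    return {m.lower() for m in re.findall(r"DNS:([^,\s]+)", openssl_text)}

def covered(fqdn, sans):
    """True if an exact SAN or a one-label wildcard SAN covers fqdn."""
    fqdn = fqdn.lower()
    _, _, parent = fqdn.partition(".")
    return fqdn in sans or (bool(parent) and "*." + parent in sans)

def check_prereqs(san_text, nodes, lb, delegate_ip, a_records, ptr_records):
    """Return a list of problems; an empty list means every check passed.
    nodes: FQDN -> IP, primary first, then the two new secondary nodes.
    lb: (FQDN, IP). a_records (FQDN -> [IPs]) and ptr_records (IP -> [names])
    hold lookup results collected beforehand, e.g. with dig or nslookup.
    """
    problems = []
    sans = san_dns_names(san_text)
    for fqdn in [*nodes, lb[0]]:
        if not covered(fqdn, sans):
            problems.append(f"certificate SAN does not cover {fqdn}")
    # The two new nodes and the load balancer each need one A and one PTR.
    for fqdn, ip in [*list(nodes.items())[1:], lb]:
        if a_records.get(fqdn, []) != [ip]:
            problems.append(f"{fqdn}: expected a single A record for {ip}")
        ptrs = [n.rstrip(".").lower() for n in ptr_records.get(ip, [])]
        if ptrs != [fqdn.lower()]:  # assumption: the PTR names the same FQDN
            problems.append(f"{ip}: expected a single PTR record for {fqdn}")
    # The delegate IP must be free and distinct from the load-balancer IP.
    if delegate_ip in {*nodes.values(), lb[1]}:
        problems.append(f"delegate IP {delegate_ip} is already assigned")
    return problems

# Constructed sample data: example.test names and RFC 5737 addresses.
SAN_TEXT = """X509v3 Subject Alternative Name:
    DNS:wsa-01.example.test, DNS:wsa-02.example.test, DNS:wsa-lb.example.test"""
NODES = {"wsa-01.example.test": "192.0.2.11",
         "wsa-02.example.test": "192.0.2.12",
         "wsa-03.example.test": "192.0.2.13"}
LB = ("wsa-lb.example.test", "192.0.2.10")
NEW_HOSTS = [*list(NODES.items())[1:], LB]
A = {name: [ip] for name, ip in NEW_HOSTS}            # one A per new host
PTR = {ip: [name + "."] for name, ip in NEW_HOSTS}    # one PTR per new host

if __name__ == "__main__":
    for problem in check_prereqs(SAN_TEXT, NODES, LB, "192.0.2.14", A, PTR):
        print(problem)
```

With the sample data, the certificate is missing the third node from its SAN field, so the check reports that one problem.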
  1. Navigate to Environments and, on the environment page, click Add Component.
  2. Enter the Infrastructure details and click Next.
  3. Enter the Network details and click Next.
    Verify that the primary node and the additional components use the same default gateway and that they are connected with each other.
  4. On the Product Properties tab, the certificate details are auto-populated.
  5. On the Components tab, select Take product snapshot or Retain product snapshot taken. If Take product snapshot is set to true, a snapshot is taken before the scale out starts, and the product can be rolled back to its initial state if the scale out fails. The snapshot is taken with the prefix LCM_AUTOGENERATED. If Retain product snapshot taken is set to true, the snapshot can be retained.
    A snapshot rollback action is available for the failed scale-out request on the requests page.
  6. Enter the load balancer host name.
  7. Enter a delegate IP address.
    The delegate IP address is used internally as a proxy to the postgres master (primary). It should be a free or an available IP address. This is not the same as the IP address used to load-balance the application.
    You can add two components of type secondary and provide an FQDN and IP address. It is recommended that a Workspace ONE Access cluster consist of three nodes behind a load balancer.
  8. Click and run the pre-check.
  9. Click Submit.
    If you do not restart the appliance, the scale-out procedure fails with an "unable to find root certificate" error.