Shared Database setup

This page describes how you can:

  • Set up a shared database for 2 M-Pin SSO instances
  • Apply the same server secrets to both servers
  • Implement a load balancer in front of them.


  1. Install REDIS and PostgreSQL on the DB host:

    sudo apt-get update
    sudo apt-get install redis-server postgresql

  2. Create a new user and a new schema, and grant the user all privileges on the schema. The parameters used for the database are listed below:

    Field            Description
    <DB_USER>        postgresql username
    <DB_PASSWORD>    postgresql password
    <DB_NAME>        postgresql schema name
    <DB_HOST>        private IP of the DB node

    sudo su - postgres
    psql

    postgres=# CREATE USER <DB_USER> WITH PASSWORD '<DB_PASSWORD>';
    postgres=# CREATE DATABASE <DB_NAME>;
    postgres=# GRANT ALL PRIVILEGES ON DATABASE <DB_NAME> to <DB_USER>;
    postgres=# \q
    exit

  3. Configure PostgreSQL and REDIS listeners:

    • edit /etc/postgresql/9.3/main/pg_hba.conf and allow connections to postgresql from hosts on the private network by adding the following line:
      host all all 172.0.0.0/8 md5

    Alternatively, you can allow access only from the SSO hosts.

    • edit /etc/postgresql/9.3/main/postgresql.conf, find the listen_addresses line and change to:
      listen_addresses = '<private_IP_address>'

    • edit /etc/redis/redis.conf and change the bind config line to:
      bind <private_IP_address>

  4. Restart services:

    /etc/init.d/redis-server restart
    /etc/init.d/postgresql restart
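An added example (not part of the original M-Pin documentation): a Python check that reads pg_hba.conf text and flags `host` rules wider than the SSO nodes, following the note in step 3 that access can be limited to the SSO hosts. The sample file contents, the node addresses 172.31.10.11 and 172.31.10.12, and the names ssodb and sso are constructed placeholders.

```python
import ipaddress

# RFC 1918 private IPv4 ranges. Note 172.0.0.0/8 is not one of them; only 172.16.0.0/12 is.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample input: hypothetical SSO node IPs and pg_hba.conf contents.
SSO_NODES = ["172.31.10.11", "172.31.10.12"]
SAMPLE = """\
local   all    postgres                   peer
host    all    all     127.0.0.1/32       md5
host    all    all     172.0.0.0/8        md5
host    ssodb  sso     172.31.10.11/32    md5
host    ssodb  sso     172.31.10.12/32    md5
"""

def audit_pg_hba(text, sso_hosts):
    """Return [(line_no, [reasons])] for CIDR-form host rules that are too permissive."""
    sso = [ipaddress.ip_address(h) for h in sso_hosts]
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        f = raw.split("#", 1)[0].split()
        if len(f) < 5 or not f[0].startswith("host"):
            continue  # comments, blank lines and 'local' rules
        db, user, addr, method = f[1], f[2], f[3], f[4]
        if addr == "all":
            addr = "0.0.0.0/0"  # keyword that matches any client address
        if "/" not in addr:
            continue  # hostnames, samenet and the separate-netmask form are not handled
        try:
            net = ipaddress.ip_network(addr, strict=False)
        except ValueError:
            continue
        if net.is_loopback:
            continue
        reasons = []
        if not any(net.version == r.version and net.subnet_of(r) for r in RFC1918):
            reasons.append("range extends beyond RFC 1918 private space")
        if net.num_addresses > sum(1 for h in sso if h in net):
            reasons.append("admits hosts other than the SSO nodes")
        if db == "all" and user == "all":
            reasons.append("not scoped to the SSO database and user")
        if method == "trust":
            reasons.append("'trust' skips password authentication")
        if reasons:
            findings.append((no, reasons))
    return findings
```

Calling `audit_pg_hba(SAMPLE, SSO_NODES)` reports only the third line, the network-wide rule; the two per-node /32 rules pass.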


To start the installation process, install M-Pin SSO on both nodes by following the 'Direct Download' instructions in the 'Installation' menu section of these docs, making sure you:

  • Answer 'n' on the second node, when you are given the option to “Create a Credentials File for this installation? [y/n]”.
  • Copy /opt/mpin/credentials.json from node 1 into /opt/mpin in node 2.

Then execute sudo apt-get install libpq5 on both nodes.


  1. Stop MpinSSO:

    sudo /etc/init.d/mpinSSO stop

  2. Reconfigure DB settings in /opt/sso/authentic2/settings.py

    Find the DATABASES section and change it from:

    DATABASES = {
      'default': {
          'ENGINE': 'django.db.backends.sqlite3',
          'NAME': '/opt/sso/sso.db'
      }
    }

    to:

    DATABASES = {
      'default': {
          'ENGINE': 'django.db.backends.postgresql_psycopg2',
          'NAME': "<DB_NAME>",
          'HOST': "<DB_HOST>",
          'PORT': 5432,
          'PASSWORD': "<DB_PASSWORD>",
          'USER': "<DB_USER>",
          'OPTIONS': {
                      'autocommit': True,
                      }
      }
    }

  3. Remove stale Django cache:

    sudo rm -rf /var/cache/authentic2/*

  4. Run initial database migration scripts (First node only). Type the following commands:
    sudo su - mpin
    cd /opt/sso
    find authentic2/ |grep migrations |xargs rm -f 2>/dev/null
    ./schema_migrations.sh
    ./do_migrations.sh

  5. Recreate initial-setup user (First node only)
    export PYTHONPATH=/opt/sso/libs
    export LD_LIBRARY_PATH=/opt/sso/libs
    ./authentic2-ctl create_initial_setup 2>/dev/null

  6. Change redis configuration of MPIN core: edit /opt/mpin/config_rps_sso.py and change the line:
    redisHost = "127.0.0.1"
    to:
    redisHost = "<private_IP_address>"
    exit

  7. Restart MpinSSO and Mpin Core:

    sudo /etc/init.d/mpinSSO start
    sudo /etc/init.d/mpin stop && sudo /etc/init.d/mpin start

Log onto the AWS console. Create a load balancer, add both instances and a security group that permits HTTP traffic.

You may use /static/mpinsso/images/m-pin-sso.png as a healthcheck URL.
Because the AWS ELB load balancer does not currently support UDP, you cannot use it to load-balance RADIUS traffic. Instead, you can use Amazon's Route 53 to do DNS-based load-balancing.
Configuring Route 53 is outside the scope of this document.

To re-create an initial-setup user, enter the following command on ALL nodes:
    echo True | sudo tee /opt/sso/initial_setup >/dev/null