Active-Passive Shield API

The Workspace Control Shield API feature enhances reliability with an Active-Passive setup in Workspace Control console. The Primary Shield API is Active by default, while the Secondary API acts as a Passive backup, taking over if the Primary fails. Configuring the Secondary API is optional but recommended for better availability. To ensure robustness, install the Primary and Secondary APIs on separate servers.

The Workspace Control Console and Agent use registry keys to manage the configuration.

  • PrimaryShieldApiUrl: The URL of the Active Primary Shield API.

  • SecondaryShieldApiUrl: The URL of the Passive Secondary Shield API (optional).

  • PrimaryShieldAPIActive: A flag indicating the current active API. A value of "yes" signifies the Primary API is Active, any other value indicates the Secondary API is Active.

 

Primary and Secondary Shield API configuration

For configuration of Primary and Secondary Shield API, follow the below steps.

  1. Fresh Installation: Workspace Control Console and Workspace Control Agent

    During the fresh installation of the Ivanti Workspace Control Console and Workspace Control Agent, both Shield APIs can be configured through the datastore configuration wizard. The wizard allows you to enter the details for the Primary Shield API, and optionally, for the Secondary Shield API.

  2. Silent Installation: Workspace ControlConsole and Workspace Control Agent

    During the silent installation of the Workspace Control Console and Workspace Control Agent, you can configure both the Primary and Secondary Shield APIs. For detailed steps and parameters, refer to the Silent Installation Section.

  3. Configuring the Secondary Shield API (If Not Previously Configured)

    4. If the Secondary Shield API was not configured earlier, it can be set up using the following methods:

    • For Workspace Control Console: Navigate to the Database Configuration section and open the Create/Connect Database Wizard. Enter the details for the Secondary Shield API, then click Next to proceed with providing the database details.

    • For Workspace Control Agent: Use the command %respfdir%\svc\res.exe /configApi to configure the Secondary Shield API for the IWC Agent. For more information, see Reconfiguring the Shield API.

Reconfiguring the Shield API

The command %respfdir%\svc\res.exe /configApi can be used to reconfigure the Shield API in several scenarios, provided that the Workspace Control Console or Workspace Control Agent is already set up with a Shield API. The following situations may require reconfiguration:

  1. Switching to a Different Shield API. If you need to connect to a different Shield API.

  2. Updating the TLS Certificate. When the TLS certificate on the Shield API server has been updated or replaced, you must reconfigure the Workspace Control Console or Workspace Control Agent with the new Shield API details to download the latest TLS certificate.

  3. Adding a Secondary Shield API. If the Workspace Control Agent was initially configured with only the Primary Shield API and you wish to add a Secondary Shield API.