Skip to main content

The last thing you want is a hardware failure to knock your remote access services offline. Setting up your WiKID two-factor authentication servers for replication will allow quick recovery in the event of a failure.


  • 2 gigs of memory
  • Disable IPv6

First, validate that both machines have the same time otherwise you will have some issues. If they are too far apart, you can reset the time using the date command:

# date
will show the current date and time. It can be set by using ntpdate
# ntpdate
Second, be sure that IPv6 is disabled.  On Red Hat linux flavors, this is done by adding the following to /etc/
alias ipv6 off
alias net-pf-10 off
And then restarting the server.

If you are running a non-appliance version of WiKID, be sure that you have installed the compatibility library:
yum install compat-libstdc++-296

Now set up the Primary server as you normally would, without replication (that is, when prompted during the setup command, select No for replication). Once the Primary is configured with a certificate, any network clients, etc., stop the server. Currently, each time you add a new network client you will have to rerun the sync command, so it is best to set up all the network clients first.

Now install the Secondary server and run setup. When prompted about replication, select Y and set it as the Secondary. Enter the IP address of the Primary. Do not start the Secondary server yet.

Return to the Primary and re-run the setup command ('wikidctl setup' on the 3.x servers). Select No when asked if you want to change the networking and you will get to the replication prompt. Select Yes to configure replication. Choose Primary and enter the IP address of the Secondary server. Enter the passphrase for root on the Secondary when prompted. With the wikid server stopped, sync the Primary to the Secondary by running this command on the Primary:

wikidctl sync
This command will copy all the files and the database to the Secondary. It will over-write those files.

Start the servers, starting with the Secondary. Be sure to always start the Secondary server first! You should see a confirmation that replication started on both servers.

Testing replication and recovery

Create a new user in the Primary and check the logs. Now, stop the Primary and stop the Secondary and then on the Secondary server, type:

wikidctl promote
Choose Y to indicate that you want this server to be the Primary.  If you have a new Secondary server set up, use it's IP Address as the Secondary. If not, just use a fake IP such as (assuming that is not a working IP address on your network).  It is ok to enter the IP address of the old Primary as the new Secondary - it will not take affect if the Primary is not running. You will be prompted for the Primary's passphrase. Enter it and you will see the message "Replication role changed and configuration saved. You can now start this server". Before you do, run:
wikidctl setup
And change the IP address for this server to the IP address of the old Primary. For replication, select No, if you do not want to set up another Secondary at this time.

Start the server and browse to it's IP address. Check that the user added is in the database correctly. If so, replication is working.

To demote the Secondary server, simply run:

wikidctl demote
Before starting the servers, it is good practice to rerun sync from the Secondary to the Primary if you have made any changes.

N.B.:As of 3.0, the server can be started without a passphrase by creating /etc/WiKID/security and entering "WAUTH_PASSPHRASE=passphrase" on the first line. This allows a restart without manual intervention, required for automated failover.

NB:There is a known issue with replication. Syncing changes the owner of the postgresql config files to root. Correct this by running this command on the secondary server after running sync:

# chown -R postgres:postgres /var/lib/pgsql/

Also, if you have trouble connecting the two servers via ssh, edit /etc/ssh/sshd_config and make the following changes:

#UseDNS yes
UseDNS no
# GSSAPI options
GSSAPIAuthentication no
#GSSAPIAuthentication yes

To turn replication off on a master, run

wikidctl demote

And select none.


Copyright © WiKID Systems, Inc. 2017 | Two-factor Authentication