Configuring ACE 4710 for Load Balancing Speech servers

Hello, I'm configuring ACE 4710's for the first time and I want to load balance my Nuance speech servers on port 554. Here's my configuration on ACE01:
hostname ace471001
interface gigabitEthernet 1/1
  switchport access vlan 1000
  no shutdown
interface gigabitEthernet 1/2
  shutdown
interface gigabitEthernet 1/3
  shutdown
interface gigabitEthernet 1/4
  shutdown
access-list ALL line 8 extended permit ip any any
rserver host nss01
class-map type management match-any remote_access
  2 match protocol xml-https any
  3 match protocol icmp any
  4 match protocol telnet any
  5 match protocol ssh any
  6 match protocol http any
  7 match protocol https any
  8 match protocol snmp any
policy-map type management first-match remote_mgmt_allow_policy
  class remote_access
    permit
interface vlan 1000
  ip address 10.20.17.21 255.255.248.0
  access-group input ALL
  service-policy input remote_mgmt_allow_policy
  no shutdown
How would I configure my speech server to listen on 554?
Thanks in advance

Hello Reginald
Currently you have only basic network configuration; there is no load-balancing config.
I'm not sure what exactly you're asking about, but basically you need to have
- real servers configured on ACE (
http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/slb/guide/rsfarms.html#wp999495)
- serverfarm configured on ACE (
http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/slb/guide/rsfarms.html#wp1014522)
- L7 policy map (
http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/slb/guide/classlb.html#wp1171109 ,
http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/slb/guide/classlb.html#wp1027248 )
- L4 policy map , class-map (
http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/slb/guide/classlb.html#wp1027819)
And then apply it on necessary interface.
This is a general configuration, in your specific case you may need to configure some additional features (e.g. I think you will need to have stickiness enabled
http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/slb/guide/sticky.html but it depends on your application)
The links are for old config guides, but the basics are pretty much the same for all versions.
Please check them and try to narrow down your question a bit.
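
The management class-map in the configuration posted in the question matches Telnet, HTTP and SNMP from `any`, and the interface ACL is `permit ip any any`. As an added example (not part of the original thread), this Python script audits those lines and compares them with a constructed restricted variant; the 10.20.16.0 255.255.248.0 management source range is an assumption derived from the posted interface address.

```python
import re

# Management protocols that carry credentials and session data unencrypted.
CLEARTEXT = {"telnet", "http"}

# Management-related lines copied from the configuration in the question.
POSTED = """\
access-list ALL line 8 extended permit ip any any
class-map type management match-any remote_access
  2 match protocol xml-https any
  3 match protocol icmp any
  4 match protocol telnet any
  5 match protocol ssh any
  6 match protocol http any
  7 match protocol https any
  8 match protocol snmp any
policy-map type management first-match remote_mgmt_allow_policy
  class remote_access
    permit
interface vlan 1000
  ip address 10.20.17.21 255.255.248.0
  access-group input ALL
  service-policy input remote_mgmt_allow_policy
  no shutdown
"""

# Constructed variant: encrypted protocols only, limited to an assumed
# management range (the subnet of the posted interface address).
RESTRICTED = """\
class-map type management match-any remote_access
  2 match protocol ssh source-address 10.20.16.0 255.255.248.0
  3 match protocol https source-address 10.20.16.0 255.255.248.0
  4 match protocol icmp any
"""


def audit_management(config):
    """Return cleartext protocols, protocols open to any source, and open ACLs."""
    report = {"cleartext": [], "any_source": [], "open_acl": []}
    in_mgmt_class = False
    for raw in config.splitlines():
        line = " ".join(raw.split())  # tolerate flattened or re-indented pastes
        if line.startswith("class-map "):
            in_mgmt_class = line.startswith("class-map type management ")
        elif m := re.match(r"(?:\d+ )?match protocol (\S+) (any|source-address .+)$", line):
            if not in_mgmt_class:
                continue
            proto, source = m.groups()
            if proto in CLEARTEXT:
                report["cleartext"].append(proto)
            # ICMP echo from anywhere is left out of the report; everything
            # else reachable from "any" exposes a login or query surface.
            if source == "any" and proto != "icmp":
                report["any_source"].append(proto)
        elif m := re.match(r"access-list (\S+) line \d+ extended permit ip any any$", line):
            report["open_acl"].append(m.group(1))
    return report


if __name__ == "__main__":
    for label, text in (("posted", POSTED), ("restricted", RESTRICTED)):
        print(label, audit_management(text))
```

SNMP is reported only under `any_source`; whether it is also cleartext depends on the SNMP version in use, which the posted configuration does not show.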

Similar Messages

  • ACE 4710 and load balancing with sticky cookie

    Configuring load balancing with SSL termination and stickiness for a couple of citrix xenapp servers.  I'm doing a source-NAT as the ACE resides in the DMZ and these particular servers reside on the inside arm of the firewall.  The ACE is in bridged mode to load balance web servers that reside in the DMZ.  Everything seems to work just fine, but the cookie stickiness does not seem to be working.

    Hi David,
    As you may know, using Wireshark to look at an HTTPS capture is only useful if you've installed the server SSL key. This is why I find it easier to use something like LiveHTTPHeaders or HTTPWatch.
    When using cookie-insert, the ACE will not create any dynamic cookie entries.  It will simply create one static entry for each rserver with a cookie value, such as R3911631338, and any client that gets load balanced to that rserver will receive a cookie with that value.  So what you see there is what is expected.
    You are correct in that when using location cookies that the server supplies, the ACE will create a dynamic entry when it sees the server response with the cookie.   The cookie is included in the server's response, and the ACE will look for the value as configured.  The cookie will also be sent to the client.  If the cookie is not in the server's first response, you will need to enable persistence-rebalance so that it will look in subsequent server responses.  If the browser opens new connections with that cookie, then the ACE will stick to the same server.
    My suggestion would be to get sticky working with cookie-insert first.  Then if that meets your needs, go with that permanently.  If you need to use server cookies, then once cookie insert is working, migrate your sticky to cookie location.
    Sean

  • Configuring RFC connections for load balancing.

    Hi ,
    We have the following landscape for our systems.
    The database is installed on z/os , db2 (mainframe). The central services( SCS and ASCS) are also on the mainframe. So the message server is on mainframe.
    The CI is on AIX and The DI is on AIX.
    We have Logon groups configured and load balancing Configured and is RFC enabled.
    1) When we connect to SAP using the SAPGUI and  the portal connection is made to either CI or DI depending upon the best response times.  Now recently we are running the mercury load testing, all the users are connecting to DI. Why are the users connecting to DI even though we have load balancing?
    2) I have a system with SID BP0, with one CI and one DI. The logon group is BP0 and the message server name is cyrix. Now I have other another system EP0. I have created a RFC connection from EP0 to BP0. In SM59 I have selected the load balancing option, and provide the message server name, SID and logon group name. The connection does not work. If I connect directly to the CI or DI the connection works. Please tell me how can I configure load balancing for RFC connections.
    Thanks
    Manmath.

    Dear 917996,
    There are two types of load balancing:
    - Client-side load balancing (setting up the tnsnames.ora on client side). More information here (http://ggsig.blogspot.co.uk/2012/04/client-side-load-balancing-in-oracle.html). Very good video produced by my friend Igor Melnikov is here (http://www.dsvolk.ru/oracle/racdd4d/demos/video/loadbalance/client/clientloadbalance_viewlet_swf.html)
    - Server-side load balancing (remote_listener and setting service parameter clb_goal). Very good Igor Melnikov's video is here (http://www.dsvolk.ru/oracle/racdd4d/demos/video/loadbalance/server/serverloadbalance_viewlet_swf.html).
    I have read about client side and server side load balancing. By editing tnsnames.ora I have enabled client side load balancing which is supposed to select listeners at random. Then why does it only go to second node?
    Could you please show your tnsnames.ora on client?
    Please can anyone help me to configure server side load balancing with SCAN. I have read many many posts but couldn't find a clear answer.
    Based on your output (remote_listener string cmbtrnrac-scan:1521) you have already configured the server side load balancing.
    SQL> show parameter listener
    NAME TYPE VALUE
    listener_networks string
    local_listener string (DESCRIPTION=(ADDRESS_LIST=(AD
    DRESS=(PROTOCOL=TCP)(HOST=10.1
    7.67.214)(PORT=1521))))
    remote_listener string cmbtrnrac-scan:1521
    How many SCANs do you use? Do you use DNS?
    regards,
    Gennady

  • ACE 4710 HTTPS load balance configuration

    Have two ACE 4710 in HA setup. We would like to setup HTTPS loadbalance(actually just a primary and standby configuration in the serverfarm). Initially this would be for Exchange OWA connections but may expand to more HTTPS connections later.
    I know there are several ways to do SSL with the ACE( client, server, end-to-end). I am just wanting to know the easiest way to deploy this? Is a certificate always needed on the ACE for each connection? In HA mode would a certificate be needed for both or does it replicate in some way to the other ACE?
    Any configuration examples would be helpful.
    Thanks.

    If you terminate SSL on the ACE you need certificates and key on ACE in the context in which you are doing the termination. The certs and keys need to be installed on the active and standby (manually unless using ANM to manage).
    when speaking of SSL
    SSL termination refers to ace terminating SSL and sending to server as clear text
    end to end - ACE terminates SSL (to look into payload to make a loadbalance decision or sticky decision) and then re-encrypts to the server, so to the client ACE is an ssl server and to the server the ace is an ssl client.
    You can find some config examples at
    http://docwiki.cisco.com/wiki/Category:Data_Center_Application_Services_Configuration_Examples

  • Do i need to configure failover group for load balancing? srs3.1

    hello
    we are installing ssrs3.1 on two sunfire v210 for 20 sunrays
    do i have to configure a failover group in order to have load balancing?
    thx

    thx a lot..
    finally yes it needs the failover to work with load balancing

  • ACE 4710 server load balancing on ACE with routed model.

    Hi experts,
    Pls help me...I need server load balance on ACE4710 with routed model sample configuration or configuration guide....thanks in advance....

    Here you go

  • ACE to load balance Citrix servers

    Hello,
    Have anyone configured ACE Modules to load balance Citrix Servers (HTTP) ?
    Any special considerations needed?
    Many thanks,

    HI Javier,
    There is one complete design guide available on the Cisco site.
    Kindly go through the below mentioned URL for complete config for ACE to load balance CITRIX as follows:
    http://www.cisco.com/en/US/docs/solutions/Enterprise/Data_Center/App_Networking/citrixdg_final.html
    You will get other design guides also which can be very useful:
    http://www.cisco.com/en/US/netsol/ns751/networking_solutions_design_guidances_list.html
    Sachin Garg

  • Best practice for load balancing on SA540

    Are there any 'best practice' guides to configure out load balancing on SA540?
    I've got 2 ADSL lines and would like device to auto manage outgoing traffic .. Any idea ?
    Regards

    Hi,
    SA500 today implements flow based round robin load balancing scheme.
    In the case of two WAN link (over ADSL), by default, the traffic should be "roughly" equally distributed.
    So in general, users should have no need to configure anything further for load balancing.
    The SA500 also supports protocol binding (~PBR) over WAN links. This mechanism offers more control on how traffic can flow.
    For example, if you have 1 ADSL with higher throughput than the other ADSL link offers, you can consider binding the bandwidth-hungry app to the WAN link connecting to the higher ADSL link and the less bandwidth-hungry app to the other one. The other traffic can continue to do round robin.  This way you won't saturate the low bandwidth link and give users better application experiences.
    Regards,
    Richard

  • Recommended configuration for load balanced Portal with load balancer, multiple gateways and multiple servers.

    Does anyone have a recommended network, hardware and software configuration guide for a Portal installation running with multiple gateways load balanced (ie one URL) that talk to multiple servers?

    David,
    We've used Resonate (software) to load balance the gateways. It allows
    you to group all the gateways under 1 virtual URL and load balance the
    incoming connections over each gateway depending on the rules that you
    define in Resonate. Look in the SUN portal whitepapers there is one that
    talks about it specifically.
    As far as load balancing the calls to the portals, the gateways will
    automatically load balance across all the portals that they know about
    using a simple round-robin rotation. You may be able to use Resonate in
    front of the portals but you may need to activate persistence within
    Resonate to ensure that the user always ends up on the portal that he
    established his initial connection on (if you want that), check with Sun
    on this one.
    David Broeren wrote:
    Recommended configuration for load balanced Portal with load balancer,
    multiple gateways and multiple servers.
    Does anyone have a recommended network, hardware and software
    configuration guide for a Portal installation running with multiple
    gateways load balanced (ie one URL) that talk to multiple servers?

  • Load Balance HTTPS servers with redirection

    Hello,
    I have been tasked with ACE configuration at work as the prior go-to guy for load balancing is no longer available. Trouble is, I have little idea what I’m doing when it comes to the ACE. So, forgive me if the question I have is super basic. After doing some research I put together a LB config, but it's not working.
    I was trying to load balance 10 servers, split into groups of 2 using 5 VIPS (1 VIP for each group of 2 servers). The servers serve an ssl web app.
    Below is my configuration. What am I doing wrong? Does the config have any glaring errors? I've been staring at this thing on and off for a week  and searching these forums trying to figure it out.
    Any help provided will be greatly appreciated.
    probe tcp probe_443
      port 443
      interval 30
      passdetect interval 5
    probe https probe_https_test
      interval 30
      passdetect interval 5
      ssl version all
      request method get url /test.html
      expect status 200 200
    rserver host QA-1.1
    ip address 10.200.162.126
    inservice
    rserver host QA-1.2
    ip address 10.200.162.127
    inservice
    rserver redirect QA-group_1_redirect_rserver
    webhost-redirection https://10.37.5.73/ 302
      inservice
    rserver host QA-2.1
    ip address 10.200.162.22
    inservice
    rserver host QA-2.2
    ip address 10.200.162.240
    inservice
    rserver redirect QA-group_2_redirect_rserver
    webhost-redirection https://10.37.5.74/ 302
      inservice
    rserver host QA-3.1
    ip address 10.200.162.181
    inservice
    rserver host QA-3.2
    ip address 10.200.162.50
    inservice
    rserver redirect QA-group_3_redirect_rserver
    webhost-redirection https://10.37.5.75/ 302
      inservice
    rserver host QA-4.1
    ip address 10.200.162.23
    inservice
    rserver host QA-4.2
    ip address 10.200.162.241
    inservice
    rserver redirect QA-group_4_redirect_rserver
    webhost-redirection https://10.37.5.76/ 302
      inservice
    rserver host QA-5.1
    ip address 10.200.162.182
    inservice
    rserver host QA-5.2
    ip address 10.200.162.51
    inservice
    rserver redirect QA-group_5_redirect_rserver
    webhost-redirection https://10.37.5.77/ 302
      inservice
    serverfarm host SF_QA-group_1_HTTPS
    failaction reassign
    predictor leastconns
    probe probe_443
    probe probe_https_test
    rserver QA-1.1 443
    inservice
    rserver QA-1. 2 443
    inservice
    serverfarm host SF_QA-group_2_HTTPS
    failaction reassign
    predictor leastconns
    probe probe_443
    probe probe_https_test
    rserver QA-2.1 443
    inservice
    rserver QA-2. 2 443
    inservice
    serverfarm host SF_QA-group_3_HTTPS
    failaction reassign
    predictor leastconns
    probe probe_443
    probe probe_https_test
    rserver QA-3.1 443
    inservice
    rserver QA-3. 2 443
    inservice
    serverfarm host SF_QA-group_4_HTTPS
    failaction reassign
    predictor leastconns
    probe probe_443
    probe probe_https_test
    rserver QA-4.1 443
    inservice
    rserver QA-4. 2 443
    inservice
    serverfarm host SF_QA-group_5_HTTPS
    failaction reassign
    predictor leastconns
    probe probe_443
    probe probe_https_test
    rserver QA-5.1 443
    inservice
    rserver QA-5. 2 443
    inservice
    serverfarm redirect SF_ QA-group_1_REDIRECT
    rserver QA-group_1_redirect_rserver
    inservice
    serverfarm redirect SF_ QA-group_2_REDIRECT
    rserver QA-group_2_redirect_rserver
    inservice
    serverfarm redirect SF_ QA-group_3_REDIRECT
    rserver QA-group_3_redirect_rserver
    inservice
    serverfarm redirect SF_ QA-group_4_REDIRECT
    rserver QA-group_4_redirect_rserver
    inservice
    serverfarm redirect SF_ QA-group_5_REDIRECT
    rserver QA-group_5_redirect_rserver
    inservice
    sticky ip-netmask 255.255.255.255 address source SRC_ QA-group_1_STICKY
    serverfarm SF_ QA-group_1_HTTPS
    timeout 30
    replicate sticky
    sticky ip-netmask 255.255.255.255 address source SRC_ QA-group_2_STICKY
    serverfarm SF_ QA-group_2_HTTPS
    timeout 30
    replicate sticky
    sticky ip-netmask 255.255.255.255 address source SRC_ QA-group_3_STICKY
    serverfarm SF_ QA-group_3_HTTPS
    timeout 30
    replicate sticky
    sticky ip-netmask 255.255.255.255 address source SRC_ QA-group_4_STICKY
    serverfarm SF_ QA-group_4_HTTPS
    timeout 30
    replicate sticky
    sticky ip-netmask 255.255.255.255 address source SRC_ QA-group_5_STICKY
    serverfarm SF_ QA-group_5_HTTPS
    timeout 30
    replicate sticky
    class-map match-all QA-group_1_HTTP
    3 match virtual-address 10.37.5.73 tcp eq www
    class-map match-all QA-group_1_HTTPS
    3 match virtual-address 10.37.5.73 tcp eq https
    class-map match-all QA-group_2_HTTP
    3 match virtual-address 10.37.5.74 tcp eq www
    class-map match-all QA-group_2_HTTPS
    3 match virtual-address 10.37.5.74 tcp eq https
    class-map match-all QA-group_3_HTTP
    3 match virtual-address 10.37.5.75 tcp eq www
    class-map match-all QA-group_3_HTTPS
    3 match virtual-address 10.37.5.75 tcp eq https
    class-map match-all QA-group_4_HTTP
    3 match virtual-address 10.37.5.76 tcp eq www
    class-map match-all QA-group_4_HTTPS
    3 match virtual-address 10.37.5.76 tcp eq https
    class-map match-all QA-group_5_HTTPS
    3 match virtual-address 10.37.5.77 tcp eq www
    class-map match-all QA-group_5_HTTPS
    3 match virtual-address 10.37.5.77 tcp eq https
    class-map type management match-any remote-management
    2 match protocol http any
    3 match protocol https any
    4 match protocol icmp any
    5 match protocol snmp any
    6 match protocol ssh any
    policy-map type management first-match remote-access
    class remote-management
    permit
    policy-map type loadbalance first-match QA-group_1_REDIRECT
    class class-default
    serverfarm SF_ QA-group_1_REDIRECT
    policy-map type loadbalance first-match QA-group_2_REDIRECT
    class class-default
    serverfarm SF_ QA-group_2_REDIRECT
    policy-map type loadbalance first-match QA-group_3_REDIRECT
    class class-default
    serverfarm SF_ QA-group_3_REDIRECT
    policy-map type loadbalance first-match QA-group_4_REDIRECT
    class class-default
    serverfarm SF_ QA-group_4_REDIRECT
    policy-map type loadbalance first-match QA-group_5_REDIRECT
    class class-default
    serverfarm SF_ QA-group_5_REDIRECT
    policy-map multi-match SERVICE_VIPS
    class QA-group_1_HTTPS
        loadbalance vip inservice
        loadbalance policy HTTPS_ QA-group_1_HTTPS _L7_BALANCED
        loadbalance vip icmp-reply
        nat dynamic 1 vlan 25
      class QA-group_1_HTTP
        loadbalance vip inservice
        loadbalance policy QA-group_1_REDIRECT
    class QA-group_2_HTTPS
        loadbalance vip inservice
        loadbalance policy HTTPS_ QA-group_2_HTTPS _L7_BALANCED
        loadbalance vip icmp-reply
        nat dynamic 1 vlan 25
      class QA-group_2_HTTP
        loadbalance vip inservice
        loadbalance policy QA-group_2_REDIRECT
    class QA-group_3_HTTPS
        loadbalance vip inservice
        loadbalance policy HTTPS_ QA-group_3_HTTPS _L7_BALANCED
        loadbalance vip icmp-reply
        nat dynamic 1 vlan 25
      class QA-group_3_HTTP
        loadbalance vip inservice
        loadbalance policy QA-group_3_REDIRECT
    class QA-group_4_HTTPS
        loadbalance vip inservice
        loadbalance policy HTTPS_ QA-group_4_HTTPS _L7_BALANCED
        loadbalance vip icmp-reply
        nat dynamic 1 vlan 25
      class QA-group_4_HTTP
        loadbalance vip inservice
        loadbalance policy QA-group_4_REDIRECT
    class QA-group_5_HTTPS
        loadbalance vip inservice
        loadbalance policy HTTPS_ QA-group_4_HTTPS _L7_BALANCED
        loadbalance vip icmp-reply
        nat dynamic 1 vlan 25
      class QA-group_5_HTTP
        loadbalance vip inservice
        loadbalance policy QA-group_4_REDIRECT
    interface vlan 25
      ip address 10.37.5.72 255.255.255.0
        access-group input everyone
      service-policy input remote-access
      service-policy input SERVICE_VIPS
      no shutdown
    ip route 0.0.0.0 0.0.0.0 10.37.5.1
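
An added example, not part of the original post: a Python check for dangling references in an ACE load-balancing configuration, run on a constructed excerpt that reuses two patterns from this thread (a `loadbalance policy` name with no matching L7 policy-map, as in the configuration above, and an L7 `class class-default` with no serverfarm action, as in the running configuration posted later). The function name `lint_ace_lb` and the finding labels are hypothetical; the parser keys on keywords rather than indentation because the forum paste is flattened.

```python
import re

# Keywords that open a section other than the ones tracked below.
TOP_LEVEL = re.compile(
    r"(class-map|policy-map |sticky |interface |probe |access-list |ip route |"
    r"rserver (host|redirect) )"
)

# Constructed excerpt modelled on the configurations posted in this thread.
SAMPLE = """\
serverfarm host SF_QA-group_1_HTTPS
rserver QA-1.1 443
inservice
serverfarm redirect SF_QA-group_1_REDIRECT
rserver QA-group_1_redirect_rserver
inservice
serverfarm redirect SF_QA-group_2_REDIRECT
rserver QA-group_2_redirect_rserver
inservice
policy-map type loadbalance first-match QA-group_1_REDIRECT
class class-default
policy-map type loadbalance first-match QA-group_2_REDIRECT
class class-default
serverfarm SF_QA-group_2_REDIRECT
policy-map multi-match SERVICE_VIPS
class QA-group_1_HTTPS
loadbalance vip inservice
loadbalance policy HTTPS_ QA-group_1_HTTPS _L7_BALANCED
class QA-group_1_HTTP
loadbalance vip inservice
loadbalance policy QA-group_1_REDIRECT
class QA-group_2_HTTP
loadbalance vip inservice
loadbalance policy QA-group_2_REDIRECT
interface vlan 25
service-policy input SERVICE_VIPS
"""


def lint_ace_lb(config):
    """Return (kind, where, name) findings for broken policy/serverfarm links."""
    farms = set()   # names defined by "serverfarm host|redirect NAME"
    l7 = {}         # L7 policy name -> {class name: [serverfarm references]}
    l4_refs = []    # (VIP class, L7 policy name) from "loadbalance policy"
    ctx = policy = cls = None
    for raw in config.splitlines():
        line = " ".join(raw.split())
        if m := re.match(r"serverfarm (?:host|redirect) (.+)$", line):
            farms.add(m.group(1))
            ctx = None
        elif m := re.match(r"policy-map type loadbalance (?:\S+ )?first-match (.+)$", line):
            ctx, policy, cls = "l7", m.group(1), None
            l7[policy] = {}
        elif re.match(r"policy-map multi-match ", line):
            ctx, cls = "l4", None
        elif TOP_LEVEL.match(line):
            ctx = None
        elif ctx and (m := re.match(r"class (.+)$", line)):
            cls = m.group(1)
            if ctx == "l7":
                l7[policy][cls] = []
        elif ctx == "l7" and cls and (
            m := re.match(r"(?:sticky-)?serverfarm (.+?)(?: backup .+)?$", line)
        ):
            l7[policy][cls].append(m.group(1))
        elif ctx == "l4" and cls and (m := re.match(r"loadbalance policy (.+)$", line)):
            l4_refs.append((cls, m.group(1)))

    findings = []
    for vip_class, name in l4_refs:
        if " " in name:
            findings.append(("whitespace-in-name", vip_class, name))
        if name not in l7:
            findings.append(("undefined-l7-policy", vip_class, name))
    for name, classes in l7.items():
        for class_name, refs in classes.items():
            if not refs:
                findings.append(("class-without-serverfarm", name, class_name))
            findings += [("undefined-serverfarm", name, r) for r in refs if r not in farms]
    return findings


if __name__ == "__main__":
    for finding in lint_ace_lb(SAMPLE):
        print(finding)
```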

    Fnu,
    Thank you so much for your reply.
    At this point I can get to the real server IP's via ping and https in a browser from my PC. I can also ping the gateway and all the real server IP's from the ACE context i'm working on. However, the VIPS are not working. When I attempt to use one of the VIPS in the browser, the request times out. When I issue the command ":show service-policy"  I see a hit count (which increments every time I try and reach the VIP via the browser) but the dropped counter is equal to the hit counter. I will paste the running config from the context I’m working in along with the output from the show service-policy command.
    Any suggestions on how I can get this working would be greatly appreciated.
    csc#  show run
    Generating configuration....
    access-list Servers line 3 extended permit tcp any any eq https
    access-list Servers line 5 extended permit tcp any any eq www
    access-list everyone line 1 extended permit ip any any
    access-list everyone line 2 extended permit icmp any any
    probe tcp probe_443
      port 443
      interval 30
      passdetect interval 5
    rserver host QA-1.1
      ip address 10.37.5.111
      inservice
    rserver host QA-1.2
      ip address 10.37.5.88
      inservice
    rserver host QA-2.1
      ip address 10.37.5.84
      inservice
    rserver host QA-2.2
      ip address 10.37.5.89
      inservice
    rserver host QA-3.1
      ip address 10.37.5.85
      inservice
    rserver host QA-3.2
      ip address 10.37.5.90
      inservice
    rserver host QA-4.1
      ip address 10.37.5.86
      inservice
    rserver host QA-4.2
      ip address 10.37.5.81
      inservice
    rserver host QA-5.1
      ip address 10.37.5.87
      inservice
    rserver host QA-5.2
      ip address 10.37.5.92
      inservice
    rserver redirect QA-group_1_redirect_rserver
      webhost-redirection https://10.37.5.93/ 302
      inservice
    rserver redirect QA-group_2_redirect_rserver
      webhost-redirection https://10.37.5.94/ 302
      inservice
    rserver redirect QA-group_3_redirect_rserver
      webhost-redirection https://10.37.5.95/ 302
      inservice
    rserver redirect QA-group_4_redirect_rserver
      webhost-redirection https://10.37.5.96/ 302
      inservice
    rserver redirect QA-group_5_redirect_rserver
      webhost-redirection https://10.37.5.97/ 302
      inservice
    serverfarm host SF_QA-group_1_HTTPS
      failaction reassign
      predictor leastconns
      probe probe_443
      rserver QA-1.1 443
        inservice
      rserver QA-1.2 443
        inservice
    serverfarm redirect SF_QA-group_1_REDIRECT
      rserver QA-group_1_redirect_rserver
        inservice
    serverfarm host SF_QA-group_2_HTTPS
      failaction reassign
      predictor leastconns
      probe probe_443
      rserver QA-2.1 443
        inservice
      rserver QA-2.2 443
        inservice
    serverfarm redirect SF_QA-group_2_REDIRECT
      rserver QA-group_2_redirect_rserver
        inservice
    serverfarm host SF_QA-group_3_HTTPS
      failaction reassign
      predictor leastconns
      probe probe_443
      rserver QA-3.1 443
        inservice
      rserver QA-3.2 443
        inservice
    serverfarm redirect SF_QA-group_3_REDIRECT
      rserver QA-group_3_redirect_rserver
        inservice
    serverfarm host SF_QA-group_4_HTTPS
      failaction reassign
      predictor leastconns
      probe probe_443
      rserver QA-4.1 443
        inservice
      rserver QA-4.2 443
        inservice
    serverfarm redirect SF_QA-group_4_REDIRECT
      rserver QA-group_4_redirect_rserver
        inservice
    serverfarm host SF_QA-group_5_HTTPS
      failaction reassign
      predictor leastconns
      probe probe_443
      rserver QA-5.1 443
        inservice
      rserver QA-5.2 443
        inservice
    serverfarm redirect SF_QA-group_5_REDIRECT
      rserver QA-group_5_redirect_rserver
        inservice
    serverfarm host SF_QA-group_HTTPS
    serverfarm host SF_QA-group__HTTPS
    sticky ip-netmask 255.255.255.255 address source SRC_QA-group_1_STICKY
      serverfarm SF_QA-group_1_HTTPS
      timeout 30
      replicate sticky
    sticky ip-netmask 255.255.255.255 address source SRC_QA-group_2_STICKY
      serverfarm SF_QA-group_2_HTTPS
      timeout 30
      replicate sticky
    sticky ip-netmask 255.255.255.255 address source SRC_QA-group_3_STICKY
      serverfarm SF_QA-group_3_HTTPS
      timeout 30
      replicate sticky
    sticky ip-netmask 255.255.255.255 address source SRC_QA-group_4_STICKY
      serverfarm SF_QA-group_4_HTTPS
      timeout 30
      replicate sticky
    sticky ip-netmask 255.255.255.255 address source SRC_QA-group_5_STICKY
      serverfarm SF_QA-group_5_HTTPS
      timeout 30
      replicate sticky
    class-map match-all QA-group_1_HTTP
      3 match virtual-address 10.37.5.93 tcp eq www
    class-map match-all QA-group_1_HTTPS
      3 match virtual-address 10.37.5.93 tcp eq https
    class-map match-all QA-group_2_HTTP
      3 match virtual-address 10.37.5.94 tcp eq www
    class-map match-all QA-group_2_HTTPS
      3 match virtual-address 10.37.5.94 tcp eq https
    class-map match-all QA-group_3_HTTP
      3 match virtual-address 10.37.5.95 tcp eq www
    class-map match-all QA-group_3_HTTPS
      3 match virtual-address 10.37.5.95 tcp eq https
    class-map match-all QA-group_4_HTTP
      3 match virtual-address 10.37.5.96 tcp eq www
    class-map match-all QA-group_4_HTTPS
      3 match virtual-address 10.37.5.76 tcp eq https
    class-map match-all QA-group_5_HTTP
      3 match virtual-address 10.37.5.97 tcp eq www
    class-map match-all QA-group_5_HTTPS
      3 match virtual-address 10.37.5.97 tcp eq https
    class-map type management match-any remote-management
      2 match protocol http any
      3 match protocol https any
      4 match protocol icmp any
      5 match protocol snmp any
      6 match protocol ssh any
    policy-map type management first-match remote-access
      class remote-management
        permit
    policy-map type loadbalance first-match QA-group_1_REDIRECT
      class class-default
    policy-map type loadbalance first-match QA-group_2_REDIRECT
      class class-default
        serverfarm SF_QA-group_2_REDIRECT
    policy-map type loadbalance first-match QA-group_3_REDIRECT
      class class-default
        serverfarm SF_QA-group_3_REDIRECT
    policy-map type loadbalance first-match QA-group_4_REDIRECT
      class class-default
        serverfarm SF_QA-group_4_REDIRECT
    policy-map type loadbalance first-match QA-group_5_REDIRECT
      class class-default
        serverfarm SF_QA-group_5_REDIRECT
    policy-map multi-match SERVICE_VIPS
      class QA-group_1_HTTPS
        loadbalance vip inservice
        loadbalance policy QA-group_1_REDIRECT
        loadbalance vip icmp-reply
      class QA-group_1_HTTP
        loadbalance vip inservice
        loadbalance policy QA-group_1_REDIRECT
      class QA-group_2_HTTPS
        loadbalance vip inservice
        loadbalance policy QA-group_2_REDIRECT
        loadbalance vip icmp-reply
      class QA-group_2_HTTP
        loadbalance vip inservice
        loadbalance policy QA-group_2_REDIRECT
      class QA-group_3_HTTPS
        loadbalance vip inservice
        loadbalance policy QA-group_3_REDIRECT
        loadbalance vip icmp-reply
      class QA-group_3_HTTP
        loadbalance vip inservice
        loadbalance policy QA-group_3_REDIRECT
      class QA-group_4_HTTPS
        loadbalance vip inservice
        loadbalance policy QA-group_4_REDIRECT
        loadbalance vip icmp-reply
      class QA-group_4_HTTP
        loadbalance vip inservice
        loadbalance policy QA-group_4_REDIRECT
      class QA-group_5_HTTPS
        loadbalance vip inservice
        loadbalance policy QA-group_5_REDIRECT
        loadbalance vip icmp-reply
      class QA-group_5_HTTP
        loadbalance vip inservice
        loadbalance policy QA-group_5_REDIRECT
    interface vlan 25
      ip address 10.37.5.98 255.255.255.0
      access-group input everyone
      service-policy input remote-access
      service-policy input SERVICE_VIPS
      no shutdown
    ip route 0.0.0.0 0.0.0.0 10.37.5.1
    csc# show service-policy SERVICE_VIPS
    Status     : ACTIVE
    Interface: vlan 25
      service-policy: SERVICE_VIPS
        class: QA-group_1_HTTPS
          loadbalance:
            L7 loadbalance policy: QA-group_1_REDIRECT
            VIP Route Metric     : 77
            VIP Route Advertise  : DISABLED
            VIP ICMP Reply       : ENABLED
            VIP state: OUTOFSERVICE
            VIP DWS state: DWS_DISABLED
            Persistence Rebalance: DISABLED
            curr conns       : 0         , hit count        : 122      
            dropped conns    : 122      
            conns per second    : 0        
            client pkt count : 122       , client byte count: 6164               
            server pkt count : 0         , server byte count: 0                  
            conn-rate-limit      : 0         , drop-count : 0        
            bandwidth-rate-limit : 0         , drop-count : 0        
          compression:
            bytes_in  : 0                          bytes_out : 0                  
            Compression ratio : 0.00%
                    Gzip: 0               Deflate: 0        
          compression errors:
            User-Agent  : 0               Accept-Encoding    : 0        
            Content size: 0               Content type       : 0        
            Not HTTP 1.1: 0               HTTP response error: 0        
            Others      : 0        
        class: QA-group_1_HTTP
          loadbalance:
            L7 loadbalance policy: QA-group_1_REDIRECT
            VIP Route Metric     : 77
            VIP Route Advertise  : DISABLED
            VIP ICMP Reply       : DISABLED
            VIP state: OUTOFSERVICE
            VIP DWS state: DWS_DISABLED
            Persistence Rebalance: DISABLED
            curr conns       : 0         , hit count        : 58       
            dropped conns    : 58       
            conns per second    : 0        
            client pkt count : 58        , client byte count: 3628               
            server pkt count : 0         , server byte count: 0                  
            conn-rate-limit      : 0         , drop-count : 0        
            bandwidth-rate-limit : 0         , drop-count : 0        
          compression:
            bytes_in  : 0                          bytes_out : 0                  
            Compression ratio : 0.00%
                    Gzip: 0               Deflate: 0        
          compression errors:
            User-Agent  : 0               Accept-Encoding    : 0        
            Content size: 0               Content type       : 0        
            Not HTTP 1.1: 0               HTTP response error: 0        
            Others      : 0        
        class: QA-group_2_HTTPS
          loadbalance:
            L7 loadbalance policy: QA-group_2_REDIRECT
            VIP Route Metric     : 77
            VIP Route Advertise  : DISABLED
            VIP ICMP Reply       : ENABLED
            VIP State: INSERVICE
            VIP DWS state: DWS_DISABLED
            Persistence Rebalance: ENABLED
            curr conns       : 0         , hit count        : 13       
            dropped conns    : 0        
            conns per second    : 0        
            client pkt count : 74        , client byte count: 7648               
            server pkt count : 0         , server byte count: 0                  
            conn-rate-limit      : 0         , drop-count : 0        
            bandwidth-rate-limit : 0         , drop-count : 0        
          compression:
            bytes_in  : 0                          bytes_out : 0                  
            Compression ratio : 0.00%
                    Gzip: 0               Deflate: 0        
          compression errors:
            User-Agent  : 0               Accept-Encoding    : 0        
            Content size: 0               Content type       : 0        
            Not HTTP 1.1: 0               HTTP response error: 0        
            Others      : 0        
        class: QA-group_2_HTTP
          loadbalance:
            L7 loadbalance policy: QA-group_2_REDIRECT
            VIP Route Metric     : 77
            VIP Route Advertise  : DISABLED
            VIP ICMP Reply       : DISABLED
            VIP State: INSERVICE
            VIP DWS state: DWS_DISABLED
            Persistence Rebalance: ENABLED
            curr conns       : 0         , hit count        : 3        
            dropped conns    : 0        
            conns per second    : 0        
            client pkt count : 12        , client byte count: 1398               
            server pkt count : 0         , server byte count: 0                  
            conn-rate-limit      : 0         , drop-count : 0        
            bandwidth-rate-limit : 0         , drop-count : 0        
          compression:
            bytes_in  : 0                          bytes_out : 0                  
            Compression ratio : 0.00%
                    Gzip: 0               Deflate: 0        
          compression errors:
            User-Agent  : 0               Accept-Encoding    : 0        
            Content size: 0               Content type       : 0        
            Not HTTP 1.1: 0               HTTP response error: 0        
            Others      : 0        
        class: QA-group_3_HTTPS
          loadbalance:
            L7 loadbalance policy: QA-group_3_REDIRECT
            VIP Route Metric     : 77
            VIP Route Advertise  : DISABLED
            VIP ICMP Reply       : ENABLED
            VIP State: INSERVICE
            VIP DWS state: DWS_DISABLED
            Persistence Rebalance: ENABLED
            curr conns       : 0         , hit count        : 34       
            dropped conns    : 0        
            conns per second    : 0        
            client pkt count : 201       , client byte count: 23495              
            server pkt count : 0         , server byte count: 0                  
            conn-rate-limit      : 0         , drop-count : 0        
            bandwidth-rate-limit : 0         , drop-count : 0        
          compression:
            bytes_in  : 0                          bytes_out : 0                  
            Compression ratio : 0.00%
                    Gzip: 0               Deflate: 0        
          compression errors:
            User-Agent  : 0               Accept-Encoding    : 0        
            Content size: 0               Content type       : 0        
            Not HTTP 1.1: 0               HTTP response error: 0        
            Others      : 0        
        class: QA-group_3_HTTP
          loadbalance:
            L7 loadbalance policy: QA-group_3_REDIRECT
            VIP Route Metric     : 77
            VIP Route Advertise  : DISABLED
            VIP ICMP Reply       : DISABLED
            VIP State: INSERVICE
            VIP DWS state: DWS_DISABLED
            Persistence Rebalance: ENABLED
            curr conns       : 0         , hit count        : 5        
            dropped conns    : 0        
            conns per second    : 0        
            client pkt count : 20        , client byte count: 1907               
            server pkt count : 0         , server byte count: 0                  
            conn-rate-limit      : 0         , drop-count : 0        
            bandwidth-rate-limit : 0         , drop-count : 0        
          compression:
            bytes_in  : 0                          bytes_out : 0                  
            Compression ratio : 0.00%
                    Gzip: 0               Deflate: 0        
          compression errors:
            User-Agent  : 0               Accept-Encoding    : 0        
            Content size: 0               Content type       : 0        
            Not HTTP 1.1: 0               HTTP response error: 0        
            Others      : 0        
        class: QA-group_4_HTTPS
          loadbalance:
            L7 loadbalance policy: QA-group_4_REDIRECT
            VIP Route Metric     : 77
            VIP Route Advertise  : DISABLED
            VIP ICMP Reply       : ENABLED
            VIP State: INSERVICE
            VIP DWS state: DWS_DISABLED
            Persistence Rebalance: ENABLED
            curr conns       : 0         , hit count        : 0        
            dropped conns    : 0        
            conns per second    : 0        
            client pkt count : 0         , client byte count: 0                  
            server pkt count : 0         , server byte count: 0                  
            conn-rate-limit      : 0         , drop-count : 0        
            bandwidth-rate-limit : 0         , drop-count : 0        
          compression:
            bytes_in  : 0                          bytes_out : 0                  
            Compression ratio : 0.00%
                    Gzip: 0               Deflate: 0        
          compression errors:
            User-Agent  : 0               Accept-Encoding    : 0        
            Content size: 0               Content type       : 0        
            Not HTTP 1.1: 0               HTTP response error: 0        
            Others      : 0        
        class: QA-group_4_HTTP
          loadbalance:
            L7 loadbalance policy: QA-group_4_REDIRECT
            VIP Route Metric     : 77
            VIP Route Advertise  : DISABLED
            VIP ICMP Reply       : DISABLED
            VIP State: INSERVICE
            VIP DWS state: DWS_DISABLED
            Persistence Rebalance: ENABLED
            curr conns       : 0         , hit count        : 2        
            dropped conns    : 0        
            conns per second    : 0        
            client pkt count : 8         , client byte count: 697                
            server pkt count : 0         , server byte count: 0                  
            conn-rate-limit      : 0         , drop-count : 0        
            bandwidth-rate-limit : 0         , drop-count : 0        
          compression:
            bytes_in  : 0                          bytes_out : 0                  
            Compression ratio : 0.00%
                    Gzip: 0               Deflate: 0        
          compression errors:
            User-Agent  : 0               Accept-Encoding    : 0        
            Content size: 0               Content type       : 0        
            Not HTTP 1.1: 0               HTTP response error: 0        
            Others      : 0        
        class: QA-group_5_HTTPS
          loadbalance:
            L7 loadbalance policy: QA-group_5_REDIRECT
            VIP Route Metric     : 77
            VIP Route Advertise  : DISABLED
            VIP ICMP Reply       : ENABLED
            VIP State: INSERVICE
            VIP DWS state: DWS_DISABLED
            Persistence Rebalance: ENABLED
            curr conns       : 0         , hit count        : 0        
            dropped conns    : 0        
            conns per second    : 0        
            client pkt count : 0         , client byte count: 0                  
            server pkt count : 0         , server byte count: 0                  
            conn-rate-limit      : 0         , drop-count : 0        
            bandwidth-rate-limit : 0         , drop-count : 0        
          compression:
            bytes_in  : 0                          bytes_out : 0                  
            Compression ratio : 0.00%
                    Gzip: 0               Deflate: 0        
          compression errors:
            User-Agent  : 0               Accept-Encoding    : 0        
            Content size: 0               Content type       : 0        
            Not HTTP 1.1: 0               HTTP response error: 0        
            Others      : 0        
        class: QA-group_5_HTTP
          loadbalance:
            L7 loadbalance policy: QA-group_5_REDIRECT
            VIP Route Metric     : 77
            VIP Route Advertise  : DISABLED
            VIP ICMP Reply       : DISABLED
            VIP State: INSERVICE
            VIP DWS state: DWS_DISABLED
            Persistence Rebalance: ENABLED
            curr conns       : 0         , hit count        : 0        
            dropped conns    : 0        
            conns per second    : 0        
            client pkt count : 0         , client byte count: 0                  
            server pkt count : 0         , server byte count: 0                  
            conn-rate-limit      : 0         , drop-count : 0        
            bandwidth-rate-limit : 0         , drop-count : 0        
          compression:
            bytes_in  : 0                          bytes_out : 0                  
            Compression ratio : 0.00%
                    Gzip: 0               Deflate: 0        
          compression errors:
            User-Agent  : 0               Accept-Encoding    : 0        
            Content size: 0               Content type       : 0        
            Not HTTP 1.1: 0               HTTP response error: 0        
            Others      : 0        

  • Load Balancing Directory Servers with Access Manager - Simple questions

    Hi.
    We are in the process of configuring 2 Access Manager instances (servers) accessing the same logical LDAP repository (comprising physically of two Directory Servers working together with Multi-Master Replication configured and tested). For doing this, we are following guide number 819-6258.
    The guide uses BigIP load balancer for load balancing the directory servers. However, we intend to use Directory Proxy Server. Since we faced some (unresolved) issues last time that we used DPS, there are some simple questions that I would be very grateful to have answers to:
    1. The guide, in section 3.2.10 (To configure Access Manager 1 with the Directory Server load balancer), talks about making changes at 4 places, and replacing the existing entry (hostname and port) with the load balancer's hostname and port (assuming that the load balancer has already been configured). It says that changes need not be made on Access Manager 2 since the LDAPs are in replication, and hence changes will be replicated at all places. However, the guide also states that changes have to be made in two files, namely AMConfig.properties, and the serverconfig.xml file. But these changes will not be reflected on Access Manager 2, since these files are local on each machine.
    Question 1. Do changes have to be made in AMConfig.properties and serverconfig.xml files on the other machine hosting Access Manager 2?
    Question 2: What is the purpose of putting these values here? Specifically, what is achieved by specifying the Directory server host and port in AMConfig.properties, as well as in serverconfig.xml?
    Question 3. In the HTTP console, there is the option of specifying multiple primary LDAP servers, as well as multiple secondary LDAP servers. What is the purpose of these? Are secondary servers attempted when none of the list in the primary list are accessible? Also, if there are multiple entries in the primary server list, are they accessed in a round robin fashion (hereby providing rudimentary load balancing), or are other servers accessed only when the one mentioned first is not reachable etc.?
    2. Since I do not have a load balancer setup yet, I tried the following deviation to the above, which, according to me, should have worked. If viewed in the HTTP console, LDAP / Membership / MSISDN and Policy configuration all pointed to the DS on host 1. When I changed all these to point to the directory server on host 2 (and made AMConfig.properties and serverconfig.xml on host 1 point to DS of host 2 as well), things should have worked fine, but apparently Access manager 1 could not be started. Error from Webserver:
    [14/Aug/2006:04:30:36] info (13937): WEB0100: Loading web module in virtual server [https-machine_1_FQDN] at [search]
    [14/Aug/2006:04:31:48] warning (13937): CORE3283: stderr: Exception in thread "EventService" java.lang.ExceptionInInitializerError
    [14/Aug/2006:04:31:48] warning (13937): CORE3283: stderr: at com.iplanet.services.ldap.event.EventServicePolling.run(EventServicePolling.java:132)
    [14/Aug/2006:04:31:48] warning (13937): CORE3283: stderr: at java.lang.Thread.run(Thread.java:595)
    [14/Aug/2006:04:31:48] warning (13937): CORE3283: stderr: Caused by: java.lang.InterruptedException
    [14/Aug/2006:04:31:48] warning (13937): CORE3283: stderr: at com.sun.identity.sm.ServiceManager.<clinit>(ServiceManager.java:74)
    [14/Aug/2006:04:31:48] warning (13937): CORE3283: stderr: ... 2 more
    In effect, AM on 1 did not start. On rolling back the changes, things again worked like previously.
    Will be really grateful for any help / insight / experience on dealing with the above.
    Thanks!

    Update to the above, in case anyone is reading:
    We setup a similar setup in Windows, and it worked. Here is a detailed account of what was done:
    1. Host 1: Start installer, install automatically, chose Directory server, Directory Administration server, Directory Proxy server, Web server, Access Manager.
    All installed, and worked fine. (AMConfig.properties, serverconfig.xml, and the info in LDAP service, all pointed to HOST1:389)
    2. Host 2: Start installer, install automatically, chose Directory server, Directory Administration server, Directory Proxy server, Web server, Access Manager.
    All installed, and worked fine. (AMConfig.properties, serverconfig.xml, and the info in LDAP service, all pointed to HOST2:389)
    3. Host 1: Started replication. Set to Master
    4. Host 2: Started replication. Set to Master
    5. Host 1: Setup replication agreement to Host 2
    6. Host 2: Setup replication agreement to Host 1
    7. Initiated the remote replica from Host 1 ----> Host 2
    Note that since default installation uses abc.....xyz as the encryption key, setting this to same was not an issue.
    9. Started webserver for Host 1 and logged into AM as amadmin.
    10. Added Host 2 FQDN in DNS Aliases / Realms
    11. Added http://HOST2_FQDN:80 in the Platform server (instance) list.
    12. Started Host 2 webserver. Logged in AM on Host 2, things worked fine.
    At this stage, note the following:
    a) Host 1:
    AMConfig.properties file has
    com.iplanet.am.directory.host=host1_FQDN
    and
    com.iplanet.am.directory.port=389
    serverconfig.xml has:
    <Server name="Server1" host="host1_FQDN" port="389" type="SIMPLE" />
    b) Host 2:
    AMConfig.properties file has
    com.iplanet.am.directory.host=host2_FQDN
    and
    com.iplanet.am.directory.port=389
    serverconfig.xml has:
    <Server name="Server1" host="host2_FQDN" port="389" type="SIMPLE" />
    c) If one logs into AM, and checks LDAP servers for LDAP / Policy Configuration / Membership etc services, they all contain Host2_FQDN:389 (which makes sense, since replica 2 was initialized from 1)
    Returning back to the configurations:
    13. On Host 1, login into the Admin server console of the Directory server. Navigate to the DPS, and configure the following:
    a) Network Group
    b) LDAP servers
    c) Load Balancing
    d) Change Group
    e) Action on-bind
    f) Allow all actions (permit modification / deletion etc.).
    g) any other configurations required - Am willing to give detailed steps if someone needs them to help me / themselves! :)
    So now, we have DPS configured and running on Host1:489, and distributing load to DS1 and DS2 on a 50:50 basis.
    14. Now, log into AM on Host 1, and instead of Host1_fqdn:389 (for DS) in the following places, specify Host1_fqdn:489 (for the DPS)--
    LDAP Authentication
    MSISDN server
    Membership Service
    Policy configuration.
    Verified that this propagated to the Policy Configuration service and the LDAP authentication service that are already registered with the default organization.
    15. Log out of AM. Following the documentation, modify directory.host and directory.port in AMConfig.properties to point to Host 1_FQDN and 489 respectively. Make this change in AMConfig.properties of both Host 1 as well as 2.
    16. Edit serverconfig.xml on both hosts, and instead of them pointing to their local directory servers, point both to host1_FQDN:489
    17. When you start the webserver, it will refuse to start. Will spew errors such as:
    [https-host1_FQDN]: Sun ONE Web Server 6.1SP5 B06/23/2005 17:36
    [https-host1_FQDN]: info: CORE3016: daemon is running as super-user
    [https-host1_FQDN]: info: CORE5076: Using [Java HotSpot(TM) Server VM, Version 1.5.0_04] from [Sun Microsystems Inc.]
    [https-host1_FQDN]: info: WEB0100: Loading web module in virtual server [https-host1_FQDN] at [amserver]
    [https-host1_FQDN]: warning: WEB6100: locale-charset-info is deprecated, please use parameter-encoding
    [https-host1_FQDN]: info: WEB0100: Loading web module in virtual server [https-host1_FQDN] at [ampassword]
    [https-host1_FQDN]: warning: WEB6100: locale-charset-info is deprecated, please use parameter-encoding
    [https-host1_FQDN]: info: WEB0100: Loading web module in virtual server [https-host1_FQDN] at [amcommon]
    [https-host1_FQDN]: info: WEB0100: Loading web module in virtual server [https-host1_FQDN] at [amconsole]
    [https-host1_FQDN]: warning: WEB6100: locale-charset-info is deprecated, please use parameter-encoding
    [https-host1_FQDN]: info: WEB0100: Loading web module in virtual server [https-host1_FQDN] at [search]
    [https-host1_FQDN]: warning: CORE3283: stderr: netscape.ldap.LDAPException: error result (32); matchedDN = dc=sun,dc=com; No such object (DN changed)
    [https-host1_FQDN]: warning: CORE3283: stderr: Got LDAPServiceException code=-1
    [https-host1_FQDN]: warning: CORE3283: stderr: at com.iplanet.services.ldap.DSConfigMgr.getConnection(DSConfigMgr.java:357)
    [https-host1_FQDN]: warning: CORE3283: stderr: at com.iplanet.services.ldap.DSConfigMgr.getNewFailoverConnection(DSConfigMgr.java:314)
    [https-host1_FQDN]: warning: CORE3283: stderr: at com.iplanet.services.ldap.DSConfigMgr.getNewConnection(DSConfigMgr.java:253)
    [https-host1_FQDN]: warning: CORE3283: stderr: at com.iplanet.services.ldap.DSConfigMgr.getNewProxyConnection(DSConfigMgr.java:184)
    [https-host1_FQDN]: warning: CORE3283: stderr: at com.iplanet.services.ldap.DSConfigMgr.getNewProxyConnection(DSConfigMgr.java:194)
    [https-host1_FQDN]: warning: CORE3283: stderr: at com.iplanet.ums.DataLayer.initLdapPool(DataLayer.java:1248)
    [https-host1_FQDN]: warning: CORE3283: stderr: at com.iplanet.ums.DataLayer.(DataLayer.java:190)
    [https-host1_FQDN]: warning: CORE3283: stderr: at com.iplanet.ums.DataLayer.getInstance(DataLayer.java:215)
    [https-host1_FQDN]: warning: CORE3283: stderr: at com.iplanet.ums.DataLayer.getInstance(DataLayer.java:246)
    [https-host1_FQDN]: warning: CORE3283: stderr: at com.sun.identity.sm.ldap.SMSLdapObject.initialize(SMSLdapObject.java:156)
    [https-host1_FQDN]: warning: CORE3283: stderr: at com.sun.identity.sm.ldap.SMSLdapObject.(SMSLdapObject.java:124)
    [https-host1_FQDN]: warning: CORE3283: stderr: at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    [https-host1_FQDN]: warning: CORE3283: stderr: at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
    [https-host1_FQDN]: warning: CORE3283: stderr: at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
    [https-host1_FQDN]: warning: CORE3283: stderr: at java.lang.reflect.Constructor.newInstance(Constructor.java:494)
    [https-host1_FQDN]: warning: CORE3283: stderr: at java.lang.Class.newInstance0(Class.java:350)
    [https-host1_FQDN]: warning: CORE3283: stderr: at java.lang.Class.newInstance(Class.java:303)
    [https-host1_FQDN]: warning: CORE3283: stderr: at com.sun.identity.sm.SMSEntry.(SMSEntry.java:216)
    [https-host1_FQDN]: warning: CORE3283: stderr: at com.sun.identity.sm.ServiceSchemaManager.(ServiceSchemaManager.java:67)
    [https-host1_FQDN]: warning: CORE3283: stderr: at com.iplanet.am.util.AMClientDetector.getServiceSchemaManager(AMClientDetector.java:219)
    [https-host1_FQDN]: warning: CORE3283: stderr: at com.iplanet.am.util.AMClientDetector.(AMClientDetector.java:94)
    [https-host1_FQDN]: warning: CORE3283: stderr: at com.sun.mobile.filter.AMLController.init(AMLController.java:85)
    [https-host1_FQDN]: warning: CORE3283: stderr: at org.apache.catalina.core.ApplicationFilterConfig.getFilter(ApplicationFilterConfig.java:262)
    [https-host1_FQDN]: warning: CORE3283: stderr: at org.apache.catalina.core.ApplicationFilterConfig.setFilterDef(ApplicationFilterConfig.java:322)
    [https-host1_FQDN]: warning: CORE3283: stderr: at org.apache.catalina.core.ApplicationFilterConfig.(ApplicationFilterConfig.java:120)
    [https-host1_FQDN]: warning: CORE3283: stderr: at org.apache.catalina.core.StandardContext.filterStart(StandardContext.java:3271)
    [https-host1_FQDN]: warning: CORE3283: stderr: at org.apache.catalina.core.StandardContext.start(StandardContext.java:3747)
    [https-host1_FQDN]: warning: CORE3283: stderr: at com.iplanet.ias.web.WebModule.start(WebModule.java:251)
    [https-host1_FQDN]: warning: CORE3283: stderr: at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1133)
    [https-host1_FQDN]: warning: CORE3283: stderr: at org.apache.catalina.core.StandardHost.start(StandardHost.java:652)
    [https-host1_FQDN]: warning: CORE3283: stderr: at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1133)
    [https-host1_FQDN]: warning: CORE3283: stderr: at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:355)
    [https-host1_FQDN]: warning: CORE3283: stderr: at org.apache.catalina.startup.Embedded.start(Embedded.java:995)
    [https-host1_FQDN]: warning: CORE3283: stderr: at com.iplanet.ias.web.WebContainer.start(WebContainer.java:431)
    [https-host1_FQDN]: warning: CORE3283: stderr: at com.iplanet.ias.web.WebContainer.startInstance(WebContainer.java:500)
    [https-host1_FQDN]: warning: CORE3283: stderr: at com.iplanet.ias.server.J2EERunner.confPostInit(J2EERunner.java:161)
    [https-host1_FQDN]: failure: WebModule[amserver]: WEB2783: Servlet /amserver threw load() exception
    [https-host1_FQDN]: javax.servlet.ServletException: WEB2778: Servlet.init() for servlet LoginLogoutMapping threw exception
    [https-host1_FQDN]: at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:949)
    [https-host1_FQDN]: at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:813)
    [https-host1_FQDN]: at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:3478)
    [https-host1_FQDN]: at org.apache.catalina.core.StandardContext.start(StandardContext.java:3760)
    [https-host1_FQDN]: at com.iplanet.ias.web.WebModule.start(WebModule.java:251)
    [https-host1_FQDN]: at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1133)
    [https-host1_FQDN]: at org.apache.catalina.core.StandardHost.start(StandardHost.java:652)
    [https-host1_FQDN]: at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1133)
    [https-host1_FQDN]: at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:355)
    [https-host1_FQDN]: at org.apache.catalina.startup.Embedded.start(Embedded.java:995)
    [https-host1_FQDN]: at com.iplanet.ias.web.WebContainer.start(WebContainer.java:431)
    [https-host1_FQDN]: at com.iplanet.ias.web.WebContainer.startInstance(WebContainer.java:500)
    [https-host1_FQDN]: at com.iplanet.ias.server.J2EERunner.confPostInit(J2EERunner.java:161)
    [https-host1_FQDN]: ----- Root Cause -----
    [https-host1_FQDN]: java.lang.NullPointerException
    [https-host1_FQDN]: at com.sun.identity.authentication.UI.LoginLogoutMapping.init(LoginLogoutMapping.java:71)
    [https-host1_FQDN]: at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:921)
    [https-host1_FQDN]: at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:813)
    [https-host1_FQDN]: at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:3478)
    [https-host1_FQDN]: at org.apache.catalina.core.StandardContext.start(StandardContext.java:3760)
    [https-host1_FQDN]: at com.iplanet.ias.web.WebModule.start(WebModule.java:251)
    [https-host1_FQDN]: at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1133)
    [https-host1_FQDN]: at org.apache.catalina.core.StandardHost.start(StandardHost.java:652)
    [https-host1_FQDN]: at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1133)
    [https-host1_FQDN]: at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:355)
    [https-host1_FQDN]: at org.apache.catalina.startup.Embedded.start(Embedded.java:995)
    [https-host1_FQDN]: at com.iplanet.ias.web.WebContainer.start(WebContainer.java:431)
    [https-host1_FQDN]: at com.iplanet.ias.web.WebContainer.startInstance(WebContainer.java:500)
    [https-host1_FQDN]: at com.iplanet.ias.server.J2EERunner.confPostInit(J2EERunner.java:161)
    [https-host1_FQDN]:
    [https-host1_FQDN]: info: HTTP3072: [LS ls1] http://host1_FQDN:58080 ready to accept requests
    [https-host1_FQDN]: startup: server started successfully
    Success!
    The server https-host1_FQDN has started up.
    The server in fact didn't start up (nothing even listening on 58080).
    However, if AMConfig.properties is left as it originally was, and only serverconfig.xml files were changed as mentioned above, web servers started fine, and things worked all okay. (Alright, except for some glitches when viewed in /amconsole. If /amserver/console is accessed, all is good. Can this mean that all is still not well? I am not sure).
    So far so good. Now comes the sad part. When the same is done on Solaris 9, things don't work. You continue to get the above error, OR the following error, and the web server will refuse to start:
    Differences in Solaris and Windows are as follows:
    1. Windows hosts have 1 IP and hostname. Solaris hosts have 3 IPs and hostnames (for DS, DPS, and webserver).
    No other difference from an architectural perspective.
    Any help / insight on why the above is not working (and why the hell does the documentation seem so sketchy / insecure / incorrect).
    Thanks a bunch!
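
The post above leaves each Access Manager host with two local files (AMConfig.properties and serverconfig.xml) that can point at different LDAP endpoints. As an added example, not part of the original post or of Access Manager itself, this script reports every local reference that does not point at the Directory Proxy Server listener. The file contents are constructed from the lines quoted in the post; the function names and the XML wrapper elements are assumptions.

```python
"""Report which LDAP endpoint each Access Manager host's local files reference."""
import xml.etree.ElementTree as ET

HOST_KEY = "com.iplanet.am.directory.host"
PORT_KEY = "com.iplanet.am.directory.port"


def parse_amconfig(text):
    """Return (host, port) from AMConfig.properties text; missing values are None."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":      # blank line or properties comment
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    host = props.get(HOST_KEY)
    port = props.get(PORT_KEY)
    return (host.lower() if host else None,
            int(port) if port and port.isdigit() else None)


def parse_serverconfig(xml_text):
    """Return [(host, port), ...] for every <Server> element in serverconfig.xml."""
    endpoints = []
    for server in ET.fromstring(xml_text).iter("Server"):
        port = server.get("port", "")
        endpoints.append((server.get("host", "").lower(),
                          int(port) if port.isdigit() else None))
    return endpoints


def files_disagree(amconfig_text, serverconfig_text):
    """True when serverconfig.xml names an endpoint AMConfig.properties does not."""
    am = parse_amconfig(amconfig_text)
    return any(ep != am for ep in parse_serverconfig(serverconfig_text))


def audit(hosts, proxy):
    """List (host label, file, endpoint) for each local reference that bypasses the proxy.

    hosts: {label: (amconfig_text, serverconfig_text)}
    proxy: (hostname, port) of the DPS listener; hostnames compare case-insensitively.
    """
    proxy = (proxy[0].lower(), proxy[1])
    findings = []
    for label, (amconfig_text, serverconfig_text) in sorted(hosts.items()):
        am = parse_amconfig(amconfig_text)
        if am != proxy:
            findings.append((label, "AMConfig.properties", am))
        for ep in parse_serverconfig(serverconfig_text):
            if ep != proxy:
                findings.append((label, "serverconfig.xml", ep))
    return findings


# --- Constructed sample inputs (placeholder host names as used in the post) ---
def amconfig(host, port):
    return f"# constructed sample\n{HOST_KEY}={host}\n{PORT_KEY}={port}\n"


def serverconfig(host, port):
    # Wrapper elements are an assumption; only the <Server> line is quoted in the post.
    return ('<iPlanetDataAccessLayer><ServerGroup name="default">'
            f'<Server name="Server1" host="{host}" port="{port}" type="SIMPLE" />'
            '</ServerGroup></iPlanetDataAccessLayer>')


PROXY = ("Host1_fqdn", 489)   # DPS listener from step 13, spelled as in step 14

# State after step 12: every file points at the host's own Directory Server.
ORIGINAL = {
    "host1": (amconfig("host1_FQDN", 389), serverconfig("host1_FQDN", 389)),
    "host2": (amconfig("host2_FQDN", 389), serverconfig("host2_FQDN", 389)),
}
# Variant the post reports as starting: only serverconfig.xml moved to the proxy.
PARTIAL = {
    "host1": (amconfig("host1_FQDN", 389), serverconfig("host1_FQDN", 489)),
    "host2": (amconfig("host2_FQDN", 389), serverconfig("host1_FQDN", 489)),
}
# State after steps 15 and 16: both files on both hosts point at the proxy.
FULL = {
    "host1": (amconfig("host1_FQDN", 489), serverconfig("host1_FQDN", 489)),
    "host2": (amconfig("host1_FQDN", 489), serverconfig("host1_FQDN", 489)),
}

if __name__ == "__main__":
    for name, state in (("original", ORIGINAL), ("partial", PARTIAL), ("full", FULL)):
        print(name)
        for label, filename, endpoint in audit(state, PROXY):
            print(f"  {label}: {filename} -> {endpoint[0]}:{endpoint[1]}")
```

Run against the real files from both hosts, an empty result means every local reference goes through the proxy; any listed entry is a path that still binds to a Directory Server directly.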

  • Windows Event Collector - Built-in options for load balancing and high availability ?

    Hello,
    I have a working collector. config is source initiated, and pushed by GPO.
    I would like to deploy a second collector for high availability and load balancing. What are the available options ? I have not found any guidance on TechNet articles.
    As a low cost option, is it fine to simply start using DNS round-robin with a common alias for both servers pushed as a collector name through GPO ?
    In my GPO Policy, if I individually declare both servers, events are forwarded twice, once for each server. Indeed it does cover high availability, but not really optimized.
    Thanks for your help.

    Hi,
    >>As a low cost option, is it fine to simply start using DNS round-robin with a common alias for both servers pushed as a collector name through GPO ?
    Based on the description, we can utilize DNS round robin to distribute workloads and increase fault tolerance. By default, DNS uses round robin to rotate the order of RR data returned in query answers where multiple RRs of the same type exist for a queried DNS domain name. This feature provides a simple method for load balancing client use of Web servers and other frequently queried multihomed computers. Besides, by default, DNS will perform round-robin rotation for all RR types.
    Regarding DNS round robin, the following article can be referred to for more information.
    Configuring round robin
    http://technet.microsoft.com/en-us/library/cc787484(v=ws.10).aspx
    Best regards,
    Frank Shen

  • CF8/JRun4 Cluster for Load Balancing

    Does anyone have an example of how to set up a CF8/JRun4
    cluster for load balancing?
    I have three servers:
    x004 - Linux - Apache2 (10.0.0.54,10.1.0.54)
    x020 - Linux - JRun4/CF8 (10.0.0.70,10.1.0.70)
    x021 - Linux - JRun4/CF8 (10.0.0.71,10.1.0.71)
    Every server in our network has two network cards. One
    network card is attached to 10.0.x.x which has a gateway to the
    internet and runs at 100Mbps and is firewalled, and the other is
    attached to 10.1.x.x which runs at 1Gbps and is internal with no
    gateway. I'm trying to set it up so web traffic arrives on
    10.0.0.54 into Apache and mod_jrun20 bootstraps a cluster named
    STST using 10.1.0.54 which consists of STST_x020 coldfusion server
    running on x020 and STST_x021 running on x021. I want the
    communications between JRun4 on x020 and x021 to occur on the
    10.1.x.x network and even though JRun and ColdFusion will only use
    the 10.1.x.x network I still need the 10.0.x.x network card
    attached for other purposes which require a gateway. I have
    installed JRun4/CF8 about 10 times already and it seems I have no
    control over what network JRun4 clusters on... sometimes it will
    communicate on one, sometimes the other and without being able to
    set which network is being used there always seems to be "network
    error" on at least one of the two CF8 servers. I was able to get
    everything working fine by disabling the network cards on the
    10.0.x.x network and re-installing everything... but as soon as I
    added the network cards back the whole thing was broken again.
    How is this supposed to work? Most of the examples are either
    no clustering or clustering on the same machine with Apache running
    on the same box... I don't see any clustering across machines
    examples.
    How do I install a connector on a web server which doesn't
    have JRun on it and get wsconfig to connect to a multi-machine
    cluster when wsconfig only accepts a single IP address as a host
    and the cluster is not listed?
    How do I get JRun to bind to a specific network card?
    Does this work if I choose a J2EE server other than JRun?
    Any help anyone can provide is greatly appreciated. I'm
    getting close to giving up which means staying on the non-clustered
    environment and figuring out how we can deal with scalability by
    switching to something else.

    The article at
    http://www.adobe.com/go/1e8e9170
    is specific to configuring two or more cluster nodes that reside on
    separate networks, e.g. 10.0.1.0/24 and 10.0.2.0/24. (The article
    doesn't state it, but you can only use unicast peers if your
    cluster nodes host a single instance of JRun or multiple instances
    of JRun in the same cluster domain. When performing unicast
    discovery, JRun looks for all Jini groups and not just the cluster
    group.)
    Anyhow, that's not your problem. The simplest solution is you
    haven't enabled the jrun.servlet.jrpp.JRunProxyService service. I'm
    most familiar with the Windows version of JRun, but I'm assuming
    the directory structure is similar across platforms. In
    <jrun_root>/servers/<name>/SERVER-INF/jrun.xml, set the
    deactivated attribute of the jrun.servlet.jrpp.JRunProxyService
    service to false and restart JRun. You should now see JRun
    listening on the appropriate port. (The default for the first
    manually created instance is 51000.) You can limit the proxy
    service to a single interface using the interface attribute.
    If you have enabled the proxy service, verify your security
    settings in <jrun_root>/lib/security.properties. It's usually
    best to limit access to specific hosts. Comment out the
    jrun.subnet.restriction parameter and set the jrun.trusted.hosts to
    the IP address of your web server, e.g. 10.1.0.54.
    Forcing all JRun processes/services to listen on a single
    interface isn't difficult, but it does require modifying quite a
    few configuration files by hand. If you need assistance with that,
    I can elaborate.
    Configuring the JRun module under Apache is pretty
    straightforward. If you're not using virtual hosts, it's very
    simple. If you are using virtual hosts, it's still simple, but your
    JRun configuration can be virtual host-specific.
    On your Apache server, you'll want to create a directory
    structure for the JRun module. I'll assume
    /opt/jrun/lib/wsconfig/1, but you can use anything you want. Once
    the directory structure is created, extract the appropriate JRun
    module from wsconfig.jar to the new directory. You're most likely
    interested in the Apache 2.0 module,
    wsconfig.jar/connectors/apache/intel-linux/prebuilt/mod_jrun20.so.
    Let's assume you've extracted the module to
    /opt/jrun/lib/wsconfig/1/mod_jrun20.so. Your Apache service account
    should have read, write, and execute permissions on the
    /opt/jrun/lib/wsconfig/1 directory.
    The JRun module configuration is normally appended to your
    current httpd.conf file by wsconfig. Here's a sample configuration:
    LoadModule jrun_module "/opt/jrun/lib/wsconfig/1/mod_jrun20.so"
    <IfModule mod_jrun20.c>
    JRunConfig Verbose false
    JRunConfig Apialloc false
    JRunConfig Ssl false
    JRunConfig Ignoresuffixmap false
    JRunConfig Serverstore "/opt/jrun/lib/wsconfig/1/jrunserver.store"
    JRunConfig Bootstrap 10.1.0.70:51000
    #JRunConfig Errorurl <optionally redirect to this URL on errors>
    #JRunConfig ProxyRetryInterval 600
    #JRunConfig ConnectTimeout 30
    #JRunConfig RecvTimeout 30
    #JRunConfig SendTimeout 30
    AddHandler jrun-handler .jsp .jws .cfm .cfml .cfc .cfr .cfswf
    </IfModule>
    You may also want to update your DirectoryIndex directive
    with an appropriate index page, e.g. index.cfm.
    After the first request to a page handled by the JRun module
    is received, the module will query the bootstrap server,
    10.1.0.70:51000, for a list of cluster peers. If you've configured
    your cluster correctly, a line similar to the following will be written
    to /opt/jrun/lib/wsconfig/1/jrunserver.store:
    proxyservers=10.1.0.70:51000;10.1.0.71:51000
    You can create/edit this file manually as well.
    Unfortunately, the bootstrap option only accepts one server. If
    your bootstrap server is down, the JRun module will use the values
    in jrunserver.store directly, if the file exists.
    Here's a complete list of JRun module options:
    metrics *
    debugger *
    ssl *
    verbose
    traceflags
    serverstore
    bootstrap
    errorurl
    apialloc
    ignoresuffixmap
    proxyretryinterval
    connecttimeout
    recvtimeout
    sendtimeout
    sslcalist
    Options flagged with an asterisk can only be configured at
    the Apache server level. All other options can be configured at the
    server level and/or the virtual host level. The usage of these
    options is in the JRun documentation, and the JRun module source
    code is included in wsconfig.jar. Keep in mind that versions of the
    JRun module shipped prior to ColdFusion 8 were coded to assign the
    connecttimeout and sendtimeout options to the socket connection
    timeout. Whichever option appeared last in your configuration ended
    up as the final value. This has been fixed in ColdFusion 8 and
    presumably the next release of the JRun updater.
    I think that's a good start. If you need more information or
    can't find what you need in the JRun or ColdFusion documentation,
    let me know.
    If you're looking for resiliency, I highly recommend
    expanding your configuration to include a second web server and a
    hardware load-balancer (preferably one that supports redundancy via
    multiple paths and devices, e.g. devices from Cisco, F5, or Foundry
    Networks). Often, however, running Apache on the ColdFusion
    server(s) provides adequate performance, and round-robin DNS
    records coupled with the ability to update DNS quickly in the event
    of a failure may be all you need for load-balancing and
    failover.
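
The checks the reply above describes (proxy service enabled and bound to one interface, jrun.subnet.restriction commented out, jrun.trusted.hosts limited to the web server), written as an added Python example that is not part of the original post or of JRun. The jrun.xml element layout, the `*` wildcard and the comma-separated host list are assumptions, and both sample files are constructed.

```python
import xml.etree.ElementTree as ET
PROXY_CLASS = "jrun.servlet.jrpp.JRunProxyService"
# Constructed samples. Assumed: the <service>/<attribute> layout of jrun.xml,
# "*" meaning all interfaces, and a comma-separated jrun.trusted.hosts value.
SAMPLE_JRUN_XML = """<jrun-xml>
  <service class="jrun.servlet.jrpp.JRunProxyService" name="ProxyService">
    <attribute name="deactivated">false</attribute>
    <attribute name="interface">*</attribute>
  </service>
</jrun-xml>"""
SAMPLE_SECURITY_PROPERTIES = """\
jrun.subnet.restriction=255.255.255.0
jrun.trusted.hosts=10.1.0.54,10.0.0.9
"""

def active_properties(text):
    """Return key/value pairs from lines that are not blank or commented out."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "!")) and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def audit(jrun_xml, security_properties, web_servers):
    """List deviations from the proxy-service settings described in the reply."""
    findings = []
    services = ET.fromstring(jrun_xml).iter("service")
    svc = next((s for s in services if s.get("class") == PROXY_CLASS), None)
    if svc is None:
        return ["JRunProxyService is not defined in jrun.xml"]
    attrs = {a.get("name"): (a.text or "").strip() for a in svc.findall("attribute")}
    if attrs.get("deactivated", "").lower() != "false":
        findings.append("deactivated is not false: proxy service will not listen")
    if attrs.get("interface", "*") in ("", "*"):
        findings.append("interface is not limited to a single address")
    props = active_properties(security_properties)
    if "jrun.subnet.restriction" in props:
        findings.append("jrun.subnet.restriction is still active")
    trusted = {h.strip() for h in props.get("jrun.trusted.hosts", "").split(",") if h.strip()}
    for host in sorted(trusted - set(web_servers)):
        findings.append(f"unexpected trusted host: {host}")
    for host in sorted(set(web_servers) - trusted):
        findings.append(f"web server missing from jrun.trusted.hosts: {host}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_JRUN_XML, SAMPLE_SECURITY_PROPERTIES, ["10.1.0.54"])))
```

Run it against copies of the real files by reading them into strings and passing the web server addresses you expect to connect.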

  • Webdispatcher for Load balancing

    Hi All,
    We have implemented EP7. The portal is configured to redirect to https.
    Now we want to use sapwebdispatcher for load balancing.
    We are performing the following steps to configure the sapwebdispatcher
    1. uncar the icmadmin.SAR
    2. sapwebdisp -bootstrap
    The following screen appears:
    This bootstrap will perform the following steps:
    1. create profile file "sapwebdisp.pfl"for SAP Web Dispatcher (if not already existing)
    2. create user for web based administration in file "icmauth.txt"(if not already exisiting)
    3. start SAP Web Dispatcher with the created profile
    After the bootstrap you can use the web based administration
    Generating Profile "sapwebdisp.pfl"
    Hostname of Message Server (rdisp/mshost): <hostname>
    HTTP Port of Message Server (ms/http_port): 8101
    Checking connection to message server...OK
    Unique Instance Number for SAP Web Dispatcher (SAPSYSTEM): 38
    HTTP port number for SAP Web Dispatcher: 8101
    Create configuration for s(mall), m(edium), l(arge) system (default: medium): l
    WARNING: Maximum number of sockets supported on this system: 2045
    Please check the operating system configuration
    Profile "sapwebdisp.pfl" generated
    Authentication file "icmauth.txt" generated
    Web Administration user is "icmadm" with password "xxxxxxxxx"
    Restart sapwebdisp with profile: sapwebdisp.pfl
    sapwebdisp started with new pid 14014
    Web administration accessible with "http://<hostname>:8101/sap/wdisp/admin/default.html"
    SAP Web Dispatcher bootstrap ended (rc=0)
    <hostname>47> *** WARNING: Could not start service 8101 for protocol HTTP on host "<hostname>m"(on all adapters)
    SAP Web Dispatcher up and operational (pid: 14014) ***
    Now, if I use any port other than 8101 for HTTP port number for SAP Web Dispatcher the webdispatcher does not work.
    If I use port 8101 (which I am using currently) then the webdispatcher does the load balancing; however, I cannot access the http://<hostname>:8101/sap/wdisp/admin/default.html URL.
    Can anyone help me get both things: load balancing and the webdisp admin page as well?
    Thanks!!
    Regards,
    Rohit

    Hi Rohit,
    this is your Profile File
    Generating Profile "sapwebdisp.pfl"
    Hostname of Message Server (rdisp/mshost): <hostname>
    HTTP Port of Message Server (ms/http_port): 8101
    Checking connection to message server...OK
    Unique Instance Number for SAP Web Dispatcher (SAPSYSTEM): 38
    HTTP port number for SAP Web Dispatcher: 8101
    Create configuration for s(mall), m(edium), l(arge) system (default: medium): l
    WARNING: Maximum number of sockets supported on this system: 2045
    Please check the operating system configuration
    Profile "sapwebdisp.pfl" generated
    Authentication file "icmauth.txt" generated
    Web Administration user is "icmadm" with password "xxxxxxxxx"
    Restart sapwebdisp with profile: sapwebdisp.pfl
    sapwebdisp started with new pid 14014
    Web administration accessible with "http://<hostname>:8101/sap/wdisp/admin/default.html"
    You have wrongly configured your HTTP port number for SAP Web Dispatcher; make it 80 by default.
    Sample Profile File:
    # Profile generated by sapwebdisp bootstrap
    # unique instance number
    SAPSYSTEM = 1
    # add default directory settings
    DIR_EXECUTABLE = .
    DIR_INSTANCE = .
    # Accessibility of Message Servers
    rdisp/mshost = Hostname
    ms/http_port = 8101
    # SAP Web Dispatcher Parameter
    wdisp/auto_refresh = 120
    wdisp/max_servers = 100
    wdisp/shm_attach_mode = 6
    # configuration for small scenario
    icm/max_conn      = 100
    icm/max_sockets   = 1024
    icm/req_queue_len = 300
    icm/min_threads   = 5
    icm/max_threads   = 15
    mpi/total_size_MB = 20
    # maximum number of concurrent connections to one server
    wdisp/HTTP/max_pooled_con = 100
    wdisp/HTTPS/max_pooled_con = 100
    # SAP Web Dispatcher Ports
    icm/server_port_0 = PROT=HTTP,PORT=80
    icm/server_port_1 = PROT=ROUTER,PORT=443
    Swapnil

  • Clustering for load balancing only

    I wish to set up 2 WLS 8.1 machines to run an application independently to
    share load (no replication of sessions, beans etc).
    Can I create a cluster for the two servers and not turn on any session or
    bean replication, then configure the IIS or Apache plug-in to use the
    cluster and therefore create some load balancing?
    Chris

    Chris,
    Yes you can certainly use a Cluster simply for load balancing. There is no
    mandate that you have to take advantage of session state replication in the
    cluster.
    ~Ryan Upton
    "Chris Steains" <[email protected]> wrote in message
    news:[email protected]..
    > I wish to set up 2 WLS 8.1 machines to run an application independently to
    > share load (no replication of sessions, beans etc).
    >
    > Can I create a cluster for the two servers and not turn on any session or
    > bean replication, then configure the IIS or Apache plug-in to use the
    > cluster and therefore create some load balancing?
    >
    > Chris
