Load balancers with web servers & policy agents

I have a pair of host machines, hostA and hostB, running multiple web server instances, portalA, portalB, contentA, contentB, serviceA, serviceB, etc.
The two hosts, hostA and hostB, are sitting behind load balancers. ServiceA and serviceB must be protected by login and I have a policy agent installed on hostA and hostB for these two instances.
The load balancers respond to https://service/* and forward requests to http://serviceA:3456/* or http://serviceB:3456/* depending on the host selected by round-robin.
I've been told that serviceA and serviceB cannot be running on the default 443 port (although we could enable SSL if we wanted) in order to work nicely with the other web server instances that are behind the load balancers.
The problem is that the policy agent knows that it is running as http://serviceA:3456/.
The user makes a request to the load balancers for:
https://service/protected.html
The load balancer passes the request to:
http://serviceA:3456/protected.html
The agent sends a redirect to login which sends the user to:
http://service:3456/protected.html
This final URL is not available through the load balancers and it's obviously not the public URL.
I have fqdnDefault set to 'service.x.x' so the URL is rewritten to that extent. Is there a way to tell the agent that the port it's running on is not the public port (i.e. that it's behind a NAT device)? Is there a way to tell the agent that it should actually redirect to https and not http?

Hi,
CQ authoring does not leverage server-side sessions, therefore you'll never lose data because of this.
But: as the cluster has a small delay on synchronisation, it could be that on a write and subsequent read you'll get the old content if you don't have sticky sessions (because both requests are not processed by the same server). Therefore I advise you to use sticky sessions in front of a CQ authoring cluster.
Jörg
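
For the redirect problem described in the question at the top of this thread, the sketch below shows the URL rewriting involved. It is an added example, not the policy agent's code or configuration: the `PublicOrigin` type, the function names, the `goto` parameter name and the `login.example` login URL are assumptions made for illustration. The return URL is built from a configured public origin rather than from the backend listener, and a post-login target is accepted only if it matches that origin.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlencode, urlsplit, urlunsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


@dataclass(frozen=True)
class PublicOrigin:
    """Scheme, host and port clients use at the load balancer.

    Configured by the operator, never derived from the incoming request.
    """
    scheme: str
    host: str
    port: Optional[int] = None  # None means the default port for the scheme

    @property
    def netloc(self) -> str:
        if self.port is None or self.port == DEFAULT_PORTS[self.scheme]:
            return self.host
        return f"{self.host}:{self.port}"


# Public side of the load balancer as described in the question.
ORIGIN = PublicOrigin("https", "service")


def naive_return_url(backend_url: str, fqdn_default: str) -> str:
    """Behaviour reported in the question: only the host name is rewritten,
    the scheme and port still come from the backend listener."""
    p = urlsplit(backend_url)
    netloc = fqdn_default if p.port is None else f"{fqdn_default}:{p.port}"
    return urlunsplit((p.scheme, netloc, p.path, p.query, ""))


def public_return_url(backend_url: str, origin: PublicOrigin) -> str:
    """Rebuild the URL the user actually requested at the load balancer."""
    p = urlsplit(backend_url)
    return urlunsplit((origin.scheme, origin.netloc, p.path or "/", p.query, ""))


def login_redirect(login_url: str, backend_url: str, origin: PublicOrigin) -> str:
    """Login redirect carrying the public return URL (hypothetical 'goto' parameter)."""
    return f"{login_url}?{urlencode({'goto': public_return_url(backend_url, origin)})}"


def is_allowed_return_url(url: str, origin: PublicOrigin) -> bool:
    """Accept a post-login target only if it points at the public origin."""
    p = urlsplit(url)
    try:
        port = p.port
    except ValueError:  # malformed port in the URL
        return False
    if p.scheme != origin.scheme or p.hostname != origin.host:
        return False
    expected = origin.port or DEFAULT_PORTS[origin.scheme]
    return (port or DEFAULT_PORTS[p.scheme]) == expected


if __name__ == "__main__":
    backend = "http://serviceA:3456/protected.html"
    print(naive_return_url(backend, "service"))
    print(public_return_url(backend, ORIGIN))
    print(login_redirect("https://login.example/UI/Login", backend, ORIGIN))
```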

Similar Messages

  • Error - Web Server Policy Agents setup

    Hi
    I get the following error message when I try to set up a Web Server Policy Agent on a box
    [https-jakarta]: failure: CORE3170: Configuration initialization failed: Error running init function load-modules: dlopen of /opt/SUNWam/agents/es6/lib/libames6.so failed (ld.so.1: webservd: fatal: libamsdk.so.2: open failed: No such file or directory)
    [https-jakarta]: failure: server initialization failed
    The name of the web server instance is https-jakarta.
    And it is talking to the Access Manager instance on the same box (but set to a different web server instance).
    I set up the PA on the above web server instance and then when I try to start up the web server instance it throws up the above message.
    Any suggestions?
    Anand

  • Load Balancing multiple web servers

    Hi All:
    I need to load balance 2 different web servers using sticky connections on a LocalDirector 416.
    I need to use cookie-passive mode, which of course relies on a cookie set by the web server.
    Problem: The name of the session cookie is different on each web server (IIS) and I'm not sure that I can change it.
    Question: What do I pass to the sticky command as the name of the cookie?
    Any ideas?
    craig

    Fortunately the cookies are different on the 2 servers, otherwise this feature would not work.
    The value you enter after the keyword cookie-passive is a 'name' and can be whatever you want (you can also leave it blank/empty).
    The LD will learn the cookie directly from the server.
    See the documentation at :
    http://www.cisco.com/univercd/cc/td/doc/product/iaabu/localdir/ldv42/421guide/42ch05.htm#xtocid8565101
    I hope this answers your question.
    Gilles.

  • Load balancing of web servers in Siebel Analytics v 7.7.1?

    Hi Experts,
    Can we load balance the Webservers in Siebel Analytics 7.7.1 version? If Yes, can you please give me the steps how to setup this?
    Thanks,
    Madhukar

    Hello Mr. Tripathi ,
    Option 2 is the more typical way to increase capacity. Of course you can also increase capacity by simply adding additional server nodes to a single instance. If you are trying to avoid downtime due to loss of one of the application servers, option 2 will still work. Just because the primary application server goes down does not mean the secondary will become unavailable. There are some cases where the secondary server could be interrupted, such as if the jms provider was on the primary instance, but there is an automatic fail-over of jms provider and other functionality such as user sessions.
    I think option 2 is the easiest to implement for you. Having 2 separate systems access the same database could cause some complications with DB locking which are hard to troubleshoot.
    Regards,
    Nathan

  • OATS - Playback is not working in OpenScript for Load Testing with Web/Http

    Hi,
    I am able to record the script in Open Script successfully, but when I try to play back the same without making any changes, it fails with error: Failed to solve variable web.input.Submit using path .//input[@name='Submit']/@value
    I have already commented out the part where the password will be matched in the code, thus login/bad credentials related issues are ruled out as well.
    Please help me with some solution.
    Following is the recorded script:
    import oracle.oats.scripting.modules.basic.api.internal.*;
    import oracle.oats.scripting.modules.basic.api.*;
    import oracle.oats.scripting.modules.http.api.*;
    import oracle.oats.scripting.modules.http.api.HTTPService.*;
    import oracle.oats.scripting.modules.utilities.api.*;
    import oracle.oats.scripting.modules.utilities.api.sql.*;
    import oracle.oats.scripting.modules.utilities.api.xml.*;
    import oracle.oats.scripting.modules.utilities.api.file.*;

    public class script extends IteratingVUserScript {
        @ScriptService oracle.oats.scripting.modules.utilities.api.UtilitiesService utilities;
        @ScriptService oracle.oats.scripting.modules.http.api.HTTPService http;

        public void initialize() throws Exception {
            http.setUserAgent("Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; InfoPath.2)");
            http.setAcceptLanguage("en-US");
        }

        /**
         * Add code to be executed each iteration for this virtual user.
         */
        public void run() throws Exception {
            // Step 1: load the login page and capture the form fields it returns.
            beginStep("[1] FLEXCUBE - PRIVATE BANKING", 0);
            {
                http.window(2, "window[@index='0']").get(
                        "http://10.180.59.185:9500/wm", null, null, true, "UTF8",
                        "UTF8");
                {
                    http.solveXPath("web.input.Submit", "/window[@index='0']",
                            ".//input[@name='Submit']/@value", "Sign In", 0,
                            EncodeOptions.None);
                    http.solveXPath("web.input.strutstokenname",
                            "/window[@index='0']",
                            ".//input[@name='struts.token.name']/@value",
                            "struts.token", 0, EncodeOptions.None);
                    http.solveXPath("web.input.strutstoken", "/window[@index='0']",
                            ".//input[@name='struts.token']/@value",
                            "CFSZKA9Z6RSWJTW8TT35GXCNIOIGMJGA", 0,
                            EncodeOptions.None);
                }
            }
            endStep();

            // Step 2: submit the login form with the captured values.
            beginStep("[2] FLEXCUBE - PRIVATE BANKING - Home", 8538);
            {
                http.form(
                        14,
                        "window[@index='0']//form[((@id='formLogin' and @name='formLogin') or @action='http://10.180.59.185:9500/wm/j_spring_security_check;jsessionid=B8396BEC73D829538F5E55FEE125330D') and @index='0']")
                        .submit(null,
                                http.postdata(
                                        http.param("j_username", "HOHEAD1"),
                                        http.param("j_password",
                                                "a99fad1866af01d9375627d5d08d7f1c11ed4d3f6d5d2372d40908884a15b8e6"),
                                        http.param("Submit",
                                                "{{web.input.Submit,Sign In}}"),
                                        http.param("struts.token.name",
                                                "{{web.input.strutstokenname,struts.token}}"),
                                        http.param("struts.token",
                                                "{{web.input.strutstoken,CFSZKA9Z6RSWJTW8TT35GXCNIOIGMJGA}}")),
                                null, true, null, null, null, null, null);
            }
            endStep();

            // Step 3: log out.
            beginStep("[3] FLEXCUBE - PRIVATE BANKING", 9875);
            {
                http.link(
                        28,
                        "window[@index='0']//a[@text='Logout' and (@href='http://10.180.59.185:9500/wm/logout.jsp?logoutToken=0.1189281079747162' or @index='159')]")
                        .click();
            }
            endStep();
        }

        public void finish() throws Exception {
        }
    }

    Hi,
    I think your password is encrypted. Try replacing the password "a99fad1866af01d9375627d5d08d7f1c11ed4d3f6d5d2372d40908884a15b8e6" with your password.
    Or get the output of obfuscate("your password") and replace "a99fad1866af01d9375627d5d08d7f1c11ed4d3f6d5d2372d40908884a15b8e6" with {{@deobfuscate( output of obfuscate("your password") )}}
    Regards,
    Deepu M

  • File Load Frequency with Web Apps

    I have noticed the following behavior with WebLogic 6SP2 on windows:
    Reload files (such as jsp or html) if the file has been modified would not work
    for web applications except the default application.
    I tried both without specifying any in the web.xml and specifying explicitly (weblogic.jsp.pageCheckSeconds).
    Both have no effect on the web applications.
    Is this a known bug or something I am missing? Any suggestions are appreciated.
    Sam

    This is a known issue in 6.0.
    Already fixed in 6.1 (in beta now).
    Sam He wrote:
    > I have noticed the following behavior with WebLogic 6SP2 on windows:
    >
    > Reload files (such as jsp or html) if the file has been modified would not work
    > for web applications except the default application.
    >
    > I tried both without specifying any in the web.xml and specifying explicitly (weblogic.jsp.pageCheckSeconds).
    > Both have no effect on the web applications.
    >
    > Is this a known bug or something I am missing? Any suggestions are appreciated.
    >
    > Sam

  • CF Licensing on two front end web servers

    I'm currently running CF 9 Standard on a single server that runs as my web and db server. I use Rackspace Cloud btw.
    I've been thinking about changing my infrastructure around so it would look like this:
    - 1 Load Balancer
    - 2 Web Servers
    - 1 Database Server
    My question is about licensing on the 2 web servers.
    - Is it possible to use a single CF Standard license to cover both web servers (since they are just syncing each other, they are basically the same server but split into two separate virtual machines), or would I need to purchase 2 individual licenses to make this work?
    Any help or advice is appreciated. Thanks!

    Thanks vishu,
    I can read the license agreement, but it's the interpretation of legal wording that I'm having troubles with.  Basically, I'm looking for a real world YES or NO to my question.  I'm sure others have had this question, that's why I came to this forum.
    2.1 General Use. You may install and use one copy of the Software on up to the Permitted Number of your compatible Computers as long as, when required by the Software, you present a valid serial number for each copy; and
    2.2 Distribution from Server. You may copy an image of the Software onto file server(s) within your Internal Network for the purpose of downloading and installing the Software onto Computers within the same Internal Network for use as permitted by Section 2.1; and
    2.3 Server Use. You may install the Software on Computer file server(s) within your Internal Network only for use of the Software initiated by an individual from a Computer within the same Internal Network as permitted by Section 2.1. The total number of users (not the concurrent number of users) able to use the Software on such Computer file server(s) may not exceed the Permitted Numbe

  • Policy Agent doesn't reset Sun  Access Manager session time idle value

    Hi,
    We have the following setup in our environment:
    - apache web server/web and policy agent 2.2 for apache 2.0.54
    - webmethods portal server (jetty)
    - Sun Access Manager (with Sun Directory Server)
    We use policy agent for authentication purpose only (via Sun Access Manager/LDAP) when the users access the portal. We have custom code that creates session in Sun Access Manager for custom LDAP services. For testing purpose, we configure SAM session to have Max Session Timeout at 120mins and Time Idle at 15mins. I would assume that, after the initial login request, for all subsequent accesses to the portal the policy agent should intercept the request and reset the Time Idle value of SAM session. However, when I monitor time idle value using SAM console, session tab, the time idle value didn't change when the portal user accesses pages, submits actions, etc. I can see in the debug log of policy agent that requests are being intercepted/processed, but the time idle didn't get reset.
    Does anyone know if this is a bug in configuration or in policy agent itself or am I making the wrong assumption?
    Thanks a lot for the help.

    Thanks for the reply, Shivaram. The issue appears to occur at random times, not accurately at the 3 min interval as you mention. I tested changing this value to 1; theoretically, after 1 minute of idle time, accessing a link would make the agent reset the time idle value for the user session in SAM, but it didn't even after 3 minutes. This seems to be either a policy agent or system access manager bug.
    We performed a 'vanilla' test using the apache server manual pages (only plain HTML, no POST requests); the pages are protected by the policy agent. At the first login, we were prompted to enter credentials to be validated by SAM/LDAP, and then a user session is created in SAM session table. We browse around the manual pages; once in a while, certain pages cause the policy agent to reset the time idle. However, revisiting these links after a few minutes doesn't reset the idle value. Caching setting has been disabled as well. Could there be or lack of some settings in AMConfig.properties or AMAgent.properties that might have caused this behavior?
    Thanks for all your help,

  • Safari cannot load balance with https

    I am a developer for a web site which runs ASP.NET pages on Windows Server 2003, IIS 6.0. We use Basic Authentication and HTTPS.
    We are using a load balancing solution to distribute the load to 4 web servers.
    We have been using this setup for over 5 years with IE and Firefox/Mozilla/Netscape browsers.
    Recently I have been asked to make Safari browsers work with our site ... MAC, Windows and iPhone versions.
    On all 3 platforms I am seeing the same problem ...
    The load balancer uses the SSL 3.0 Session ID to determine if the requests to the site are coming from the same client (browser) and thus will ensure that all requests from that browser go to the same web server.
    This works fine with IE, Firefox ... it does not work with any version of Safari. When the load balancer gets a request from a single Safari browser session, it sends the requests to multiple servers, causing issues with the pages returned.
    If I run Safari with an HTTP debugger ... like Fiddler (where it uses a proxy server) ... Safari works fine.
    Some questions:
    1. Does Safari expose the SSL 3.0 session id in the same manner as the other browsers ... i.e. an un-encrypted version of the header?
    2. Does Safari send many concurrent requests? Firefox and IE limit concurrent requests to 2.
    3. Could Safari be timing out its SSL 3.0 session id frequently or quickly?
    4. Is there a reason Safari does not send the http Basic Authentication header with every request once it authenticates with a particular realm?
    5. Are there any other possible causes of this problem?
    What do you think?

    Thank you for your reply.
    The session server id is being maintained by Safari and when the connections are kept on a single server (like when I use Fiddler's proxy to connect) it works fine.
    The SSL 3.0 Session ID is part of the SSL handshake which is used to establish an https connection. It is established between the browser and the web server as part of encrypting the traffic.
    As I understand it ... part of the SSL 3.0 protocol is to include an un-encrypted header along with the encrypted data.
    Our load balancing software is using a portion of this header (as it is un-encrypted and thus it can read it) to establish when requests are coming from the same web browser. This is the SSL Session ID.
    If the Session ID is the same, it will send all traffic to the same web server ... as it knows it is the same web browser.
    The problem arises in that the load balancer is not able to identify requests from the same Safari browser as part of the same secure session.
    So I am trying to understand what Safari is doing within the SSL header ... as it is not normally visible to standard web debugging tools ... they only show the http headers.
    Unfortunately I cannot easily change out the load balancing software or change it to use session state ids. I am trying to understand how Safari handles this to determine strategies to resolve this issue ... and thus allow my client base to use their Safari browsers to access our service.
    What do you think?
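
The persistence scheme discussed in this thread keys on the session ID field of the SSL handshake. The following added example (not the load balancer's code and not part of the original posts) parses that field out of a ClientHello record and routes on it, showing that a connection offering a known ID is pinned while one offering no ID falls back to round-robin. The backend names, the `SessionIdBalancer` class and the ClientHello bytes are constructed for illustration.

```python
import struct
from itertools import cycle


def build_client_hello(session_id: bytes) -> bytes:
    """Constructed SSL 3.0 ClientHello record offering the given session_id."""
    hello = (b"\x03\x00"                          # client_version: SSL 3.0
             + bytes(32)                          # random (constructed: all zero)
             + bytes([len(session_id)]) + session_id
             + b"\x00\x02\x00\x0a"                # cipher_suites: one entry
             + b"\x01\x00")                       # compression_methods: null
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x00" + struct.pack("!H", len(handshake)) + handshake


def offered_session_id(record: bytes) -> bytes:
    """Return the session_id a client offers for resumption (b'' if none)."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not an SSL/TLS handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    body = record[5:5 + rec_len]
    if len(body) < rec_len or len(body) < 4 or body[0] != 0x01:
        raise ValueError("not a complete ClientHello")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    # client_version (2 bytes) and random (32 bytes) precede the length byte.
    if len(hello) < 35:
        raise ValueError("truncated ClientHello")
    sid_len = hello[34]
    if sid_len > 32 or len(hello) < 35 + sid_len:
        raise ValueError("bad session_id length")
    return hello[35:35 + sid_len]


class SessionIdBalancer:
    """Round-robin balancer with persistence keyed on the SSL session ID."""

    def __init__(self, backends):
        self._next = cycle(backends)
        self._table = {}

    def learn(self, session_id: bytes, backend: str) -> None:
        """Remember which backend issued this ID (seen in its ServerHello)."""
        self._table[session_id] = backend

    def route(self, record: bytes) -> str:
        sid = offered_session_id(record)
        if sid and sid in self._table:
            return self._table[sid]      # known ID: same server as before
        return next(self._next)          # no or unknown ID: plain round-robin


def demo():
    lb = SessionIdBalancer(["web1", "web2", "web3", "web4"])
    # Client A: full handshake first, then resumes with the issued ID.
    first = lb.route(build_client_hello(b""))
    issued = bytes(range(32))            # constructed session ID
    lb.learn(issued, first)
    resumed = [lb.route(build_client_hello(issued)) for _ in range(3)]
    # Client B: every connection is a full handshake with no ID offered.
    fresh = [lb.route(build_client_hello(b"")) for _ in range(3)]
    return first, resumed, fresh


if __name__ == "__main__":
    print(demo())
```

Session tickets and TLS 1.3 resume without a server-issued session ID, so persistence keyed on this field depends on client behaviour the server side does not control; cookie-based persistence does not have that dependency.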

  • Load balance with a reverse proxy in front

    I have a CSS11501 load balancing 2 web servers. We want to use an Aventail in front of it as a reverse proxy, to control access to these servers. How can I ensure that the two servers will be load balanced, and make sure that an end user always hits the same server during his session since the client will always be the Aventail? thanks in advance

    Is your proxy spoofing the client ip address?
    If yes, nothing special needs to be done.
    If not, the problem is to stick the client to the same server.
    We can't use sticky srcip because all traffic comes from a single ip.
    The only solution is to use cookies.
    You can use arrowpoint cookies.
    You can find a sample config at :
    http://www.cisco.com/en/US/products/hw/contnetw/ps789/products_tech_note09186a0080094398.shtml
    Regards,
    Gilles.

  • "Unable to load IAmWebPolicy" with Policy Agent 2.2 on Sun App Server 8.2

    I'm trying to install the Policy Agent for App Server 9.0/9.1 to App Server 8.2 (which claims to be supported). Identity Manager is the target resource. I get this when I try accessing the /idm root context:
    Exception caught in AmWebPolicyManager initializer: Unable to load IAmWebPolicy: com.sun.identity.agents.policy.AmWebPolicy
         at com.sun.identity.agents.policy.AmWebPolicyManager.<clinit>(AmWebPolicyManager.java:135)
    Thanks,
    Steve Maring

    You were absolutely correct
    I've resolved this issue - the problem was caused by two things:
    1. There is a new version of a library called libxml2.so that I had to get from Sun (they provided version 2.6.7)
    2. My web server with the agent on it is on a separate box from the identity server. These two servers were out of sync in terms of their system time (i.e., the solaris box with the agent / web server was about 8 minutes ahead of the solaris box with the identity server)
    Once both of these things were fixed (the time issue most importantly), the web server would not hang anymore.

  • Possible to deploy Dist Auth in the same web container with Policy Agent?

    I have a client who has limited hardware resources and wants to deploy the distributed authentication UI in the same web container as the policy agent. Has anyone successfully done this?

    I'm sure it's possible just make sure the DAUI context (e.g. /distAuth) in the agent's configuration for the web server is in the not enforced list properties for the agent.
    However, it's so easy just to put an Apache HTTP server/tomcat and run daui, then setup another web server (Sun, Apache, etc.) with an agent or vice versa and you don't have to worry about the agent clobbering DAUI.

  • Protecting a REST web service with Policy Agent

    I have deployed a REST web service in Glassfish using Jersey Annotations. A UI in the same Glassfish instance is protected by a policy agent that forces users through a login page. I would like to protect the REST web service with BASIC Authentication using the same policy agent. Is this possible? Is there supporting documentation?

    Hi Daniel,
    When you publish a message through Rest, hope your Restful service will receive/process the posted message?
    So
    YourBizTalk -->(Post Message to)-->RestFulService
    From the error message, "the published message could not be routed because no subscribers were found.", it seems like this Restful service is a wrapper (or service interface) for BizTalk at client end (where message has been posted thru Rest) and actual posted message is “processed” by BizTalk and the error "" is from BizTalk "after" Rest. This message says the message you posted through rest is not found subscription at their end.
    So
    YourBizTalk -->(Post Message to)-->RestFulService -->Clients'BizTalk.
    Here problem is at Clients'BizTalk as shown where the posted message to their BizTalk is not processed because no subscription has been found.
    If this answers your question please mark it accordingly. If this post is helpful, please vote as helpful by clicking the upward arrow mark next to my reply.

  • Has anyone got the IIS Policy Agent 3.0 working with an ASP web application

    Hi,
    Can anyone please confirm if they have managed to get the IIS Policy Agent 3.0 working for an asp/asp.net web site on IIS 7 running on Windows Server 2008 64 bit?
    I have installed the 32bit version of the agent as my web site must support 32 bit applications.
    I have created a simple web site which works fine with the policy agent configured if the page is html, If I rename the html page to be of type asp I get an Object Move error.
    I would much appreciate if someone could confirm if they have managed to get an asp web site working with the policy agent.
    Note: The Policy Agent 2.2 worked perfectly with asp on IIS 6.0.
    Thanks in advance,
    Tommy.

    I managed to make Agent 3 work with IIS 7 for a sample application based on aspx in Dev environment .... after modifying the sample application, I got the same errors as "Object removed" and others .... I have no idea what the hell. Fortunately, a super .Net star here spent a few minutes to do some tweaking on IIS, and made it work again .... don't ask me what he did, I am pretty dumb, and have no idea. :)
    Thanks

  • Web Policy Agent 2.1 for Apache 1.3.27 with Identity Server 6.1

    Web Policy Agent 2.1 for Apache 1.3.27 with Identity Server 6.1
    Does anybody have a working combination of the above? I get an ID login page and after that I always get an access denied page. I get this exception in the agent logs:
    2004-10-14 16:28:00.917 Warning 6347:c1818 PolicyAgent: in get_cookie: no cookie in ap_table
    2004-10-14 16:28:01.895 Warning 6359:c1818 PolicyAgent: Invalid URL for property (com.sun.am.policy.agents.accessDeniedURL) specified
    2004-10-14 16:28:56.742 Warning 6349:c1818 PolicyAgent: am_web_is_access_allowed(http://xx.xx.xx.net:8080/, GET) denying access: status = access denied (20)
    2004-10-14 16:28:56.743 128 6349:c1818 RemoteLog: User testuser1 was denied access to http://xx.xx.xx.net:8080/.
    2004-10-14 16:28:56.831 -1 6349:c1818 PolicyAgent: URL Access Agent: access denied to testuser1
    We can ignore Invalid URL property part because its just looking for a custom url in place there. I have cookies enabled in my browser. I even turned on the prompt option. No luck yet.
    Any suggestions would be of great help.
    Thanks,
    Sunil.

    From your description, since the agent installs file with a different JRE, I would suspect it has something to do with the availability of JCE provider in the first JRE. By default, WebSphere's JRE is equipped with IBM JCE provider which is what the agent uses to encrypt the necessary information. If this provider is not configured correctly it could result in the error that you are seeing. Please check the WebSphere installation and make sure that the JRE used by it has the necessary IBM JCE provider configured. The java.security file for this should contain something like:
    security.provider.1=sun.security.provider.Sun
    security.provider.2=com.ibm.crypto.provider.IBMJCE
    security.provider.3=com.ibm.jsse.IBMJSSEProvider
    security.provider.4=com.ibm.security.cert.IBMCertPath
    security.provider.5=com.ibm.crypto.pkcs11.provider.IBMPKCS11
    Also, make sure that when you are installing the agent you specify the Java Home as prompted by the agent to point to the location where this JRE is installed. Typically this is under WebSphere/AppServer/java directory. HTH, Jerry
