Load balancing SSO

Is SSO (OC4j, OSSO, and Apache) stateless? In other words, I am trying to see if I could install SSO on multiple machines and then use a load balancer in front of the servers. Each of the SSO servers would be registered with a single OID server.

http://download-east.oracle.com/docs/cd/B14099_11/idmanage.1012/b14078/advconfg.htm#i1015605
That document talks about this but it doesn't say if the load balancer should be set with sticky sessions or not for SSO.

Similar Messages

  • Load balancing multiple SSO mid-tier with single SSO database

    I want to load balance SSO middle tier servers and have them access a single SSO database. When you install infrastructure and select SSO only it creates a new infrastructure database. How can I install multiple SSO servers and point them to a single database? I am doing load balancing with F5 and read an Oracle WP where they mentioned an Oracle supported configuration where they load balanced SSO servers with F5.
    KB

    Two possible solutions:
    1.) Oracle 10gAS Enterprise Deployment Guide (B13998-03) follow the configuration for SSO configuration in Chapter 5.
    2.) I have not tried this but it should be logically possible with the SSO. 10gAS Administrators guide (B13995-05) Part III Advanced Administration. The success of this method assumes you have OID and SSO each installed in separate homes. You would be cloning the SSO home to another box as if it were a middle tier (it is still part of the infrastructure) then re-configuring it on the new box.
    Personally solution 1 is the best method. We are using F5 Big-IP with this configuration and it is working great.
    Hope this helps!

  • APEX SSO and Load balancing: Could not determine workspace for application

    We had a single HTTP Server serving APEX in a 10.2.0.2 database configured with SSO to be used by the developers. APEX has been registered as a partner application and the login url has been CA Siteminder protected so that the SM_USER details are forwarded in the header for the application to use for authorization. Everything is fine so far.
    Now we have added a HTTP Server on another host and have it all set up for APEX and its pointing to the same database. APEX_ADMIN access works as normal, but applications previously using SSO now get the following error after entering the URL.
    Expecting p_company or wwv_flow_company cookie to contain security group id of application owner.
    Error ERR-7620 Could not determine workspace for application ().
    Using HTTP Watch I find that the application is not even trying to redirect to the login page.
    What is wrong here?

    APEX has been registered as a partner application as described in
    http://www.oracle.com/technology/products/database/application_express/howtos/sso_partner_app.html
    In the meantime I found metalink document 368746.1 which describes the cause of this problem. Please read carefully what I wrote: it all works when the new APEX web server is turned off in the server farm on the load balancer and directed through the original web server. When running regapp.sql the hostname in the listener token was using the virtual hostname. This works fine if the request comes from the original APEX server, which proves that there is nothing wrong with the installation and set up of SSO. When directing the request to the new APEX web server the APEX_ADMIN page still works; only existing workspaces using SSO don't seem to work anymore, resulting in an error as described in the subject.
    As for metalink document 368746.1 naming the causes of this error:
    - there are no duplicate entries in WWSEC_ENABLER_CONFIG_INFO$
    - LISTENER_TOKEN clearly works for requests coming from the first web server
    - theoretically the web server listener port could be changed from 7777, but port 80 needs to be maintained here as production is mimicked as far down as possible.
    Is there some cache table which can be cleared? How is it that the flows schema (APEX engine) cannot find the workspace when the request comes from a new web server which can however access the APEX_ADMIN pages?
    anyone?

  • SSO with Webcache Load Balancing ???

    Hi,
    My system (in Win2K servers)
    +Infrastructure sever 9.0.2.3
    +Midtier1 using OC4J_BI_Forms 9.0.2.3
    +Midtier2 using OC4J_BI_Forms 9.0.2.3
    I have followed the Note:207668.1 to set up Webcache as load balancer for 2 Midtiers. I also completed the steps in the Note:241891.1 to re-register the two Midtiers against the SSO server.
    The system runs well if I start OHS only on the Midtier1 or Midtier2. If I start up both OHS in the two Midtiers, when I connect to our apps using SSO, the SSO login window opens to ask for the SSO userid and pass. When I key in the SSO userid and pass, there is an error in the Apache:
    apache.exe - Application error: The instruction at "..." could not be read.
    Please advise,
    Pham

    Advice: get the Apache trace dump to find out what stack it is in. I think you must open a TAR.
    The error possibly coming from mod_osso ?

  • WLC 5508 LOAD BALANCING APs to HA-SSO

    Does somebody know what's going to happen to the configuration when you migrate 2 WLC 5508s, giving wireless services correctly and using load balancing with the APs, to HA-SSO mode?
    At this time we have some AP groups in WLC1 and in WLC2 we don't have the AP groups. What's going to happen with the configuration of both WLCs, are both configurations going to be merged?
    REGARDS

    When you convert the pair into SSO, all the APs will go to the ACTIVE unit. No unit will "live" in the standby unit because this unit will "share" the AP-support license between the two.
    This is the first step you need to get sorted. Send an email to [email protected] and give them the exact details of what you want to do (i.e. AP SSO) and then provide the serial number of your nominated active WLC and the serial number of your nominated standby WLC.

  • SSO with SAP R/3 with load balancing as backend over the Web AS

    Hi,
    we have Netweaver 2004 at this time and we have to connect the portal to a BSP application in a load balancing environment.
    We set user mapping for the user and set the connection type from SAPLOGONTICKET to UIDPW. This is running for a test environment with only one R/3 system without load balancing.
    Does anyone know the setting parameters for a load balancing environment (ok, the message server and...?).
    Thank you.
    Best regards
    Patrizia

    Hi all,
    I ran into the same problem. Setting up a mapping with UIDPW in a non load balanced WEB-AS environment for BSP or Webdynpro for ABAP works fine. But if I go to set it up in a balanced system I can see the following behavior. The HTTP request is sent to the message server. This request encloses my mapped user and password. The message server responds with an HTTP 301 which contains one of my application servers, so far so good. The client sends a new request to the mentioned application server but this time without the UIDPW. So the user will not be logged in.
    I was wondering if my backend has to issue logon tickets too, because today it only accepts tickets from the portal.
    Is this a bug or a feature?
    Regards,
    Bernd

  • How to change the OraSSO login link in webcache/load balance

    Hi
    we have 10gAsR1 installed as a Portal instance. We have 6-server
    load balancer => webcache as loadbalancer (listening port 80)
    Wb ch1 and wb ch2 => webcache (listening port 7777)
    portal1 and portal2 => Portal listening 7778
    infra =>Infrastruture with repository Portal/Oracle SSO (listening 7777)
    This set up is working fine for our intranet setup; now we need to open this for a couple of external clients. Initially we need to open the load balancer server on port 80 for the external team to access; it works fine when we make it public access.
    Now when we need to make it SSO (siteminder) enabled, when users click on the login link it first goes to Oracle SSO, then it internally redirects the page to site minder SSO.
    Well, I have noted that the SSO server details are mentioned in the global setting SSO/OID details. Since we need to open this for external clients we have to add a DNS entry for this so that we can allow its access over the firewall.
    Now I have made the DNS name change at my infrserver level, and I need to update the change at the load balancer server (where web cache is running).
    Does anyone know how to change the URL at the load balancer?
    I am stuck at this point, please suggest how I should proceed.
    Thanks,

    Extract from Personalization Guide - Page Footer - Personalization Considerations
    * If you wish to personalize the URL that points to the Privacy Statement for a page that displays a standard Copyright and Privacy (that is, its Auto Footer property is set to true), set the Scope to OA Footer, in the Choose Personalization Context page of the Personalization UI.
    * If you wish to personalize the URL that points to the Privacy Statement for a page that displays a custom Copyright and Privacy (that is, its Auto Footer property is set to false), set the Scope to Page in the Choose Personalization Context page of the Personalization UI. In the following Page Hierarchy Personalization page , identify and personalize the Privacy page element.

  • High Availability and load balancing

    Hi,
    I have 6513 catalyst with redundant sup720 and msfc. All the servers are connected to this switch and there is no vlan configuration. Here is the hardware config of the box.
    Mod Slot Ports Module-Type Model Sub Stat
    1 1 48 10/100/1000BaseT Ethernet WS-X6148-GE-TX no ok
    2 2 48 10/100BaseTX Ethernet WS-X6148-RJ-45 no ok
    3 3 48 10/100BaseTX Ethernet WS-X6148-RJ-45 no ok
    4 4 48 10/100BaseTX Ethernet WS-X6148-RJ-45 no ok
    5 5 48 10/100BaseTX Ethernet WS-X6148-RJ-45 no ok
    6 6 48 10/100BaseTX Ethernet WS-X6148-RJ-45 no ok
    7 7 2 1000BaseX Supervisor WS-SUP720-BASE yes ok
    15 7 1 Multilayer Switch Feature WS-SUP720 no ok
    8 8 2 1000BaseX Supervisor WS-SUP720-BASE yes
    I want to introduce a new 6513 chassis with the same kind of configuration. Please help me out to configure these boxes to provide high availability as well as load balancing for the server farm. Do I need to do anything on the servers in terms of hardware / software requirements to achieve the objective?
    thanks & regards
    shalabh

    The config is the same for both switches:
    (this will enable port channel bundle, you can specify up to 16 ports; I would recommend 10)
    (config-if#)interface range gigabitethernet 1/1-2
    (config-if#)Description PORT-CHANNEL Interface
    (config-if#)switchport
    (config-if#)channel-group 1 mode on
    (config-if#)switchport trunk encapsulation dot1q
    (config-if#)switchport mode trunk
    (config-if#)speed 1000
    (config-if#)no shutdown
    (Enable SRM SSO)
    router(config)#redundancy
    router(config-red)#mode sso
    router(config-red)#end
    router#show redundancy states
    you should see my state = active
    peer state = standby hot
    Where do your users come into the 6500s? If they are sitting on the 6500s I would recommend putting them in a separate VLAN.

  • SSL Setup in a load balanced portal

    Hi,
    We are implementing a portal landscape and also we are using a hardware based (Cisco ACE) load balancer for load balancing purposes.
    So the configuration would be:
    Portal requests --> Load Balancer --> Portal --> Backend
    We are trying to implement SSL until the portal server and I have a question regarding the SSL certificate installation process.
    The URL on the load balancer would be for example https://portaltest.mycompany.com which would load balance the requests between the application servers of the portal (https://sapeptest1.mycompany.com:50001/irj/portal and https://sapeptest2.mycompany.com:50001/irj/portal).
    So, first thing we will have to do would be to install an SSL certificate (signed by a Trusted CA) on the load balancer with a CN=portaltest.mycompany.com.
    I understand that for https to function properly, the host name in the URL we are using to get to the server should match the CN of the SSL certificate installed on the server.
    Now, can we install the same certificate (that we put on the LB) on the portal as well?
    (This might not work because the server type will be different)
    (or)
    Do we need to buy 2 certificates with the same CN and install one each on the LB and portal ?
    Can some one please suggest on how to proceed with the SSL setup and certificate installation process ?
    Thank You ,
    Raj

    Raj Kumar wrote:
    My question is about how to go about installing the certificates on the LB and on the portal.
    If you aren't using web dispatcher, then the details of the installation on the LB will depend on your LB (Cisco? Radware? etc?). I suggest contacting your LB vendor for that.
    Sen's link is for SSO, you want the [SSL procedure|http://help.sap.com/saphelp_nw70/helpdata/en/f1/2de3be0382df45a398d3f9fb86a36a/frameset.htm].
    You probably don't need a signed cert on the portal server itself (depending on whether your LB validates the cert). You could just use the default self-signed cert, since users won't be connecting to it directly and so won't be troubled by warnings about untrusted certs: the traffic from the AS would still be encrypted, you would only lose out on the server authentication feature (which you don't need, since again users won't see it).
    On the other hand, do you really need SSL on portal server? That adds overhead at both the LB and portal. It's usually sufficient to use HTTP from the LB to the back-end, as long as the servers only allow connections from the LB. I realize you aren't using web dispatcher, but this looks like scenario #3 in [this diagram|http://help.sap.com/saphelp_nw70/helpdata/en/d8/a922d7f45f11d5996e00508b5d5211/frameset.htm]
    Regards,
    Sean

  • Question about Load Balancing Wireless connections using WLC- F5- ISE

    Hi all,
    Can anyone give me some orientation how the radius auth process/handshake between the WLC and ISE changes once the F5 is installed in the middle in order to perform load balancing?
    We can do some kind of load balancing by configuring different radius servers on each WLC for which, I must configure the same shared secret in the WLC and ISE so the radius request/accept could be processed.
    Now that we have the F5 in the middle, do I need to create/configure the same shared secret in the F5 so radius transactions can be processed by this device?. Based on the following link, I must configure the F5 in the ISE like another NAD device (similar to the WLC) but I do not know if this additional configuration in the ISE includes the Auth parameter to be added in the ISE NAD (F5) configuration.
    How to properly use a load balancer in Cisco's Identity Services Engine
    http://www.networkworld.com/community/blog/load-balancing-cisco-identity-services-engine
    Our scheme is shown next,

  • Load Balancing not load balancing!

    Hi,
    We have inherited a 6.3 2005 Q1 installation of Access Manager that has the following problem.
    All logons appear to be load balanced correctly however all Policy Agent requests are expressing a preference for one or other node at a time.
    For example, during the last 4 days all PA traffic has been hitting Srv01. This leads to an 80/20 balance. This morning on Srv01 an error in the amSession logs appeared on Srv01, "SessionRequestHandler NullPointerException" and from this point on Srv02 started to take the Policy Agent requests. So now the traffic is still 80/20 but with Srv02 handling the 'lion's share'.
    Can anyone point me to documentation that describes in detail how Load Balancing working in the products?
    Thanks,
    EddieT

    Hi,
    Sorry I should have been more specific. The error we are seeing has been reported before but no resolution posted.
    Thanks.
    29/05/2009 08:57:05:119 AM IST: Thread[service-j2ee,11,main]
    ERROR: SessionRequestHandler encounterd exception
    com.iplanet.sso.SSOException: Session was not obtained.
    at com.iplanet.sso.providers.dpro.SSOProviderImpl.createSSOToken(SSOProviderImpl.java:177)
    at com.iplanet.sso.SSOTokenManager.createSSOToken(SSOTokenManager.java:305)
    at com.sun.identity.session.util.RestrictedTokenContext.unmarshal(RestrictedTokenContext.java:125)
    at com.iplanet.dpro.session.service.SessionRequestHandler.processRequest(SessionRequestHandler.java:139)
    at com.iplanet.dpro.session.service.SessionRequestHandler.process(SessionRequestHandler.java:112)
    at com.iplanet.services.comm.server.PLLRequestServlet.handleRequest(PLLRequestServlet.java:195)
    at com.iplanet.services.comm.server.PLLRequestServlet.doPost(PLLRequestServlet.java:147)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:767)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:860)
    at sun.reflect.GeneratedMethodAccessor203.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:585)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:249)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAsPrivileged(Subject.java:517)
    at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:282)
    at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:165)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:257)
    at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55)
    at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:161)
    at java.security.AccessController.doPrivileged(Native Method)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:157)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:263)
    at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:551)
    at org.apache.catalina.core.StandardContextValve.invokeInternal(StandardContextValve.java:225)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:173)
    at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:551)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170)
    at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:551)
    at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:933)
    at com.sun.enterprise.web.connector.httpservice.HttpServiceProcessor.process(HttpServiceProcessor.java:234)
    at com.sun.enterprise.web.HttpServiceWebContainer.service(HttpServiceWebContainer.java:2124)

  • Load balancing OIF

    I have two servers running two different OIF instances (http://oif1.domain.com:7777, http://oif2.domain.com:7777)
    We have a F5 load balancing with url (https://f5oif.domain.com) balancing the above urls
    How do I load balance these oif instances. They run both as idp and sp mode.
    I tried changing the server name in each as F5 url but get error in oif restart. I changed the SP and IdP metadata but still the same error.
    Is it possible to load balance OIF instances ? What special steps I have to do ? Do I have to reinstall OIF for enabling load balancing.
    Can the SSL of F5 work with non SSL OIF instances ?
    Thanks for the help.

    There is no need to choose a virtual hostname, as it is required for Cold Failover Cluster in the advanced installation procedure.
    3. Choose the transient data store in the advanced installation procedure.
    4. Install all Oracle Identity Federation instances pointing to the same transient data store.
    5. In the F5 load balancer administration console, create a pool with all Oracle Identity Federation instances, and enable the application persistence property for this pool. Set the persistence type to Active HTTP Cookie, set the method to insert, and set the expiration to the desired value.
    6. Create a virtual server member mapped to the newly created pool.
    7. Enable HTTP monitoring on all member nodes in the pool.
    8. On all Oracle Identity Federation server instances, change the ServerName and Port parameters in the httpd.conf file to the Virtual Server name and port.
    9. For all Oracle Identity Federation servers that are both load-balanced and integrated with OracleAS Single Sign-On, register the load balancer URL (for example, http://lbr.us.oracle.com:80) to all load-balanced Oracle Identity Federation servers by running this command from the command prompt:
    <OIF_HOME>/sso/bin/ssoreg.bat -oracle_home_path %ORACLE_HOME% -site_name <Load_Balancer_Host_Name> -config_mod_osso TRUE -mod_osso_url <Load_Balancer_URL:Port>
    10. On all Oracle Identity Federation servers, update the configuration by running this command from the command prompt:
    dcmctl updateconfig
    11. Restart the HTTP server from the Oracle Enterprise Manager console on all the Oracle Identity Federation server instances.
    12. In the Oracle Identity Federation administration console, under Server Configuration -> Server Properties, change the server hostname and port number to the Virtual Server name and port number of the load balancer.
    13. Restart the Oracle Identity Federation instances from the Oracle Enterprise Manager console.
    14. Distribute the new metadata file to the peer providers.
    Edited by: user11129635 on May 31, 2009 2:15 PM

  • Cluster (Load balancing) implementation in obiee 10g

    Hi All,
    We need to implement clustering (Active-Active for Load balancing) in our project. We use both analytics and bi publisher. We also need to deploy analytics/bipublisher in to weblogic server for SSO purpose.
    Now we have two machines.
    As of now we did the installation of obiee10g (while installing we selected the "Complete" button) on both machines. Could anybody tell us how to implement clustering w.r.t. weblogic?
    To proceed further we need to know..
    +1. Does the normal clustering method in 10g with oc4j server differ when we deploy the application in weblogic server..?+
    +2. Can I use any of the two machines to create a shared folder and place the rpd to give the path in REPOSITORY_PUBLISHING_DIRECTORY or should I use a third machine other than these two machines..???+
    Any help is greatly appreciated.
    Thanks & Regards,

    Hi User,
    Did you configure clustering wrt OC4j or WLS..?
    A. Weblogic.
    2. Can you tell me how it differs wrt WLS..??
    A. We can't explain here, please refer to the following links.
    http://www.iwarelogic.com/2010/01/supply-chain-management-w-r-t-oracle-applications-312/
    http://docs.oracle.com/cd/E23943_01/upgrade.1111/e10126/wls_oc4j_comparisons.htm
    3. On top of these two machines we have a virtual IP?
    A. You can use virtual IPs.
    In your project Weblogic also clustering mode, am I right?
    What could be the process.. First we need to follow the clustering method as if there was no WLS and later deploy the application and need to do the changes wrt WLServer (or) first we need to deploy the application in WLServer and for clustering need to do changes in/wrt WLServer..??
    A. First we need to deploy the application in WLServer and for clustering need to do changes in/wrt WLServer.
    Note: As per my knowledge please implement this way.
    1. Deploy analytic.war in your weblogic.
    2. If it is possible please implement Weblogic clustering also.
    3. SSO implementation.
    4. Cluster implementation.
    This is the way I implemented it in my project.
    My project tool details.
    1. Weblogic
    2. OBIEE 10.1.3.4.1
    3. Oracle 11g
    4. OS - AIX
    If you have any concerns please post me.
    Award points if it is useful.
    Thanks,
    Satya
    Edited by: satya R on Apr 1, 2012 9:03 PM

  • OAM 11g integration with Kerberos on cluster with load-balanced virtualhost

    Hello!
    I need to make a Kerberos integration with OAM.
    I find following notes about OAM 11g: WNA Configuration for HA Clusters [ID 1365888.1] (https://support.oracle.com/epmos/faces/ui/km/SearchDocDisplay.jspx?_afrLoop=223640518878014&type=DOCUMENT&id=1365888.1&displayIndex=1&_afrWindowMode=0&_adf.ctrl-state=14ehvbh4z2_61).
    "In an OAM Clustered environment, the OAM Principal for WNA must be the same on all tiers i.e. the load-balanced virtualhost for the OAM cluster.
    Therefore each OAM managed server will reference the same keytab file, generated for Principal HTTP/<virtualhost.domain>, and the keytab file will be in the same location on all OAM managed servers.
    For example: ${DOMAIN_HOME}/domains/${DOMAIN_NAME}/config/fmwconfig/oam/<keytab filename>.
    After copying the keytab file to the same directory on all OAM managed server machines, complete the configuration of the Kerberos authentication module in OAM Administration Console (/oamconsole).
    The AdminServer will ensure that the oam-config.xml file on all OAM managed server tiers in the cluster is updated with this configuration."
    The question is: when I generate oam.keytab with the following command, what is the name of the server that I must put in the command? Virtualhost (load-balanced), Node1 or Node2?
    ktpass -princ HTTP/<servername>@DOMAIN -pass XXXXXXX -mapuser DOMAIN\user -out oam.keytab
    Thanks in advance and best regards!
    PS: Sorry if my English is not clear.

    David,
    Your principal name should be the SSO LB URL (i.e. sso.mycomany.com):
    ktpass -princ HTTP/sso.mycomany.com@DOMAIN -pass XXXXXXX -mapuser DOMAIN\user -out oam.keytab
    Also make sure sso.mycomany.com has a reverse DNS configured correctly.
    You can check using the dig command:
    ping sso.mycomany.com
    Whatever the IP address:
    dig -x <IP-ADDRESS>
    Check in the reverse DNS section; there should be 1 record.
    ;; ANSWER SECTION:
    1.1.1.1.in-addr.arpa. 3600 IN PTR sso.mycomany.com.
    Let me know if you have more questions.
    Thanks
    Saurabh
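
The check described in this answer, written out as an added example (it is not part of the original thread or of any Oracle tooling): the keytab principal must name the load-balanced host rather than a node, and each address of that host must reverse to exactly one PTR record naming it. The host names, realm, address and lookup tables are constructed; the resolvers are injectable so the logic runs offline.

```python
"""Pre-flight check for the keytab principal of a load-balanced SSO host."""
import socket


def normalise(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.rstrip(".").lower()


def parse_principal(principal):
    """Split 'HTTP/host@REALM' into (service, host, realm)."""
    name, at, realm = principal.rpartition("@")
    service, slash, host = name.partition("/")
    if not (at and slash and service and host and realm):
        raise ValueError(f"not a service principal: {principal!r}")
    return service, normalise(host), realm


def system_forward(host):
    """Address lookup through the system resolver."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})
    except OSError:
        return []


def system_reverse(ip):
    """Reverse lookup through the system resolver (approximates the PTR set)."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
    except OSError:
        return []
    return [name, *aliases]


def audit(principal, lb_host, node_hosts,
          forward=system_forward, reverse=system_reverse):
    """Return a list of findings; an empty list means the setup is consistent."""
    findings = []
    service, host, _realm = parse_principal(principal)
    lb = normalise(lb_host)
    if service != "HTTP":
        findings.append(f"service is {service}, expected HTTP")
    if host in {normalise(n) for n in node_hosts}:
        findings.append(f"principal names cluster node {host}, not {lb}")
    elif host != lb:
        findings.append(f"principal host {host} is not the load balancer {lb}")
    addresses = forward(lb)
    if not addresses:
        findings.append(f"{lb} does not resolve")
    for ip in addresses:
        # A client that canonicalises the host through a reverse lookup asks
        # for a ticket for the PTR name, so it has to be the same name.
        ptrs = sorted({normalise(p) for p in reverse(ip)})
        if len(ptrs) != 1:
            findings.append(f"{ip} has {len(ptrs)} PTR records, expected 1")
        elif ptrs[0] != lb:
            findings.append(f"{ip} reverses to {ptrs[0]}, not {lb}")
    return findings


def fake(table):
    """Build an offline resolver from a constructed lookup table."""
    return lambda key: list(table.get(key, []))


# Constructed sample data (documentation names and addresses).
NODES = ["node1.example.com", "node2.example.com"]
FORWARD = {"sso.example.com": ["192.0.2.10"]}
REVERSE_GOOD = {"192.0.2.10": ["sso.example.com."]}
REVERSE_NODE = {"192.0.2.10": ["node1.example.com."]}
REVERSE_TWO = {"192.0.2.10": ["sso.example.com.", "node1.example.com."]}

if __name__ == "__main__":
    for label, princ, rev in [
        ("virtual host", "HTTP/sso.example.com@EXAMPLE.COM", REVERSE_GOOD),
        ("node name", "HTTP/node1.example.com@EXAMPLE.COM", REVERSE_NODE),
    ]:
        result = audit(princ, "sso.example.com", NODES, fake(FORWARD), fake(rev))
        print(label, "->", result or "ok")
```

Calling `audit()` without the last two arguments uses the system resolver instead of the constructed tables.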

  • Portal Landscape - With 2 CSM (load balance) related question

    Hi,
      We currently have a portal landscape (Dev, QA - 2 app servers, PRD - 4 app servers). The load balancing happens on Production Portal using CSM (load balancer) and it does SSL offloading for security encryption and it lands onto one of the application servers. When we try to login to portal it authenticates using the LDAP (OID). And we have some links which take us to backend R/3, BW etc (we use SAP load balancing using SMLG logon group).
    Now due to another special project the following is what we are planning:
    1. Adding a couple more application servers for the production portal or having a separate second portal landscape itself
    2. Adding a couple more application servers for the R/3 production server (load balancing can be done with a special logon group for that)
    Questions are:
    1. When we land into current production portal page and click an iview link for the special project it should go only to those special portal app servers (planning to do through another CSM) and from there to backend R/3. In this scenario how does the authentication (or SSO ticket) happen when it goes from CSM to another CSM, will it ask for login again or will any issue happen with the SSO ticket?
    2. If we decide to go for a second portal landscape and in the same scenario when logged in to the current prod portal page and click an iview link for the special project it should go to that other production portal, in that case what will happen to the login authentication that happened through the first portal and the SSO ticket?
    3. Suppose we go to the second production portal directly through a website and the user tries to login using the same id to the first portal, how will the portal deal with it in terms of security (SSO) and also how will backend R/3 behave when the same id comes as part of SSO?
    Or if anyone thinks of any other issue apart from SSO or encryption related things which I need to be aware of, kindly let me know.
    Thanks,
    Murali.

    I am not sure what CSM is, but I would expect it only does ssl offloading and a sort of "reverse proxy" against the cluster.
    >1. When we land into current production portal page and click a iview link for the special project it should go only to those special portal app servers (planning to do through another CSM) and from their to backend R/3. In this scenario how the authentication (or sso ticket) happens when it goes from CSM to another CSM, will it ask for login again or any issue will happen with SSO ticket ?
    This depends on the host name you use for the two CSM clusters. If they have the same subdomain, there should be no problem as the SAP Logon Ticket (MYSAPSSO2) cookie is issued to the sub domain of the portal.
    If they do not have the same subdomain, the second CSM cluster will receive the request without the MYSAPSSO2 cookie, and will therefore trigger reauthentication.
    >2. If we decide to go for second portal landscape and in the same scenario when login to current prod portal page and click a iview link for the special project it should go to that another production portal,in that case what will happen to the login authentication happened through the first portal and SSO ticket ?
    It will fail, as the MYSAPSSO2 cookie from the first portal is not recognized in the second. However, you can easily setup so that the second portal trusts the first and does a logon based on its credentials
    >3. Suppose if we go to the second production portal directly through a website and if the user tries to login using the same id to first portal how portal will deal in terms of security (SSO) and also how backend R/3 will behave when same id comes as part of SSO.
    I assume both portal will be setup against the same LDAP/UME source. Therefore it will allow the logon. The backend systems should trust both the first and second portal (STRUSTSSO2 transaction)
    I think your architecture choice comes down to if the new project has special considerations with regards to versioning of portal. If it does, it would be sensible to separate it into a separate portal (and you can always integrate them with the first portal through portal federation if you have a relatively new version).
    Regards
    Dagfinn
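
The cookie-scope reasoning in this answer, as an added example that is not part of the original reply: it applies the RFC 6265 domain-match rule to decide which front-end host names receive the MYSAPSSO2 cookie. The host names are constructed, and the assumption that the cookie's Domain attribute is the issuing host minus its first label is an illustration, not SAP's documented behaviour for every configuration.

```python
"""Which load-balanced host names receive the portal's logon ticket cookie?"""
import ipaddress

TICKET_COOKIE = "MYSAPSSO2"


def is_ip(host):
    """True when the host is an IP literal (domain cookies never match those)."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def clean(host):
    """Lower-case a host name and drop the trailing root dot."""
    return host.lower().rstrip(".")


def parent_domain(issuer_host):
    """Assumed Domain attribute: the issuing host without its first label.

    Returns None (host-only cookie) for IP literals and for names too short
    to have a usable parent such as 'portal.com'.
    """
    labels = clean(issuer_host).split(".")
    if is_ip(issuer_host) or len(labels) < 3:
        return None
    return ".".join(labels[1:])


def domain_match(host, cookie_domain):
    """RFC 6265 section 5.1.3: identical, or a dot-separated suffix of a name."""
    host, domain = clean(host), clean(cookie_domain).lstrip(".")
    if host == domain:
        return True
    return host.endswith("." + domain) and not is_ip(host)


def ticket_reaches(issuer_host, target_host, host_only=False):
    """Will a browser send the ticket set by issuer_host to target_host?"""
    domain = None if host_only else parent_domain(issuer_host)
    if domain is None:
        # Host-only cookie: returned to the exact issuing host and nowhere else.
        return clean(target_host) == clean(issuer_host)
    return domain_match(target_host, domain)


def plan(issuer_host, targets, host_only=False):
    """Map each target host to the outcome the answer above describes."""
    return {
        t: f"{TICKET_COOKIE} sent" if ticket_reaches(issuer_host, t, host_only)
        else "re-authentication"
        for t in targets
    }


# Constructed host names for the first portal and the two candidate front ends.
FIRST_PORTAL = "portal.corp.example.com"
TARGETS = ["special.corp.example.com", "special.other.example.com"]

if __name__ == "__main__":
    for host, outcome in plan(FIRST_PORTAL, TARGETS).items():
        print(f"{host}: {outcome}")
```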
