SSO with Webcache Load Balancing ???

Similar Messages

• How to change the OraSSO login link in webcache/load balance

  Hi
  we have 10gAsR1 installed as a Portal instance. We have 6-server
  load balancer => webcache as loadbalancer (listening port 80)
  Wb ch1 and wb ch2 => webcache (listening port 7777)
  portal1 and portal2 => Portal listening 7778
  infra =>Infrastruture with repository Portal/Oracle SSO (listening 7777)
  This set up is working fine for our intranet setup, now we need to open this for couple of external clients. Well initially we need to open on the load balancer server on port 80 for external team to access, it works fine when we make it publc access.
  Now when we need to make it SSO (siteminder) enables, when users click on login link it first goes oracle sso then it internally redirects the page to site minder sso.
  Well, I have noted that the sso server details are mentioned in global setting sso/oid details. Since we need to open this for external client we have to add a DNS entry for this so that we can allow its access over firewall..
  Now I have made DNS name change at my infrserver level, now I need to update the change at the load balancer server (where wheb chache is running).
  Any one know how to chang the URL at load balancer.
  I am struck at this point please suggest how should i proceed..
  Thanks,

  Extract from Personalization Guide - Page Footer - Personalization Considerations
  * If you wish to personalize the URL that points to the Privacy Statement for a page that displays a standard Copyright and Privacy (that is, its Auto Footer property is set to true), set the Scope to OA Footer, in the Choose Personalization Context page of the Personalization UI.
  * If you wish to personalize the URL that points to the Privacy Statement for a page that displays a custom Copyright and Privacy (that is, its Auto Footer property is set to false), set the Scope to Page in the Choose Personalization Context page of the Personalization UI. In the following Page Hierarchy Personalization page , identify and personalize the Privacy page element.

• WebCache load balancing problem

  I am having a problem with Web Cache distributing load to 4 origin servers. It turns out that one Origin server received 24 times less requests than another, despite the fact that they configured the same way.
  here is my configuration of production site:
  Radware load balancer ( LB) with cyclic algoritm received requests from users.
  LB distrubuted request to 4 dedicated webcache servers running as a one clusted with the same number for capacity for each server.
  This cluster in turn forward missed requests to 4 application servers (Oracle HTTP and OC4j running J2EE apps). Those 4 servers connected in 2 clusters with 2 servers each. Session failover is disabled.
  The problem is that one server has 60 session and another only 1.
  Here is some statistics I collected from WebCache admin pages:
  Request served to origin servers:
       cache1     cache2     cache3     cache4     total
  serv5     1095     704     1102     8206     11107
  serv6     2190     9414     9829     3404     24837
  serv7     58     481     465     92     1096
  serv8     10113     1145     1102     934     13294
  as you may see serv7 does not get his share of requests.
  Does anybody experienced the same problem or have any idea where to look for answer?
  thanks

  Does your application require session binding?
  You may want to contact Oracle Support to review your configuration setttings.

• Cache refresh issue with PI Load Balanced HA setup.

  Dear Experts,
  Wei have installed a HA Load Balanced PI Production Server with the below specifications. Its a four node cluster. Two nodes for Application Cluster and another two nodes for Database Cluster.
  Node1
  Physical Hostname  : axsappci
  Virtual Hostname  : axsapp00
  Instances         : CI,SCS and ASCS.
  Node2
  Physical Hostname : axsappdi
  Virtual Hostname   : axsapp00
  Instances          : Dialog instance installed with physical hostname axsappdi
  Node3
  Physical Hostname : axsappd1
  Virtual Hostname   : axsappdb
  Instances  : DB Instance.
  Node4
  Physical Hostname : axsappd2
  Virtual Hostname   : axsappdb
  Instances  : Standby DB Instance (passive).
  Web Dispatcher Hostname : h2h
  Application Switchover : CI,SCS and ASCS to switchover to Node2 and dialog instance Node2 forcing to go down
  Database Switchover : DB Instance switchover to Node2 if Node1 fails.
  We have changed all the parameters according to note 951910 -> NW2004s High Availability Usage Type PI
  I am facing an issue with the cache Notifications in the Integration Repository and Directory. The cache notifications are not happening properly particularly with the ABAP Cache.
  I get the below error in my ID when i try to do the manual cache notification.
  Unable to notify integration runtime (ABAP) of data changes
  Unable to establish http connection "http://h2h:8002/sap/xi/cache?sap-
  client=001"
  Kindly assist.
  Thanks and Regards
  Raghu.

  Hi Srikanth,
  Thanks for the reply.
  I have configured my web disptacher to use default HTTP and HTTPS ports i.e 80 and 443. According to note 951910 i have changed parameters in exchange profile to use these ports.
  Regards
  Raghu.

• Testing Forms Services availability with Hardware Load Balancer

  I have posted a question about load balancing to a group of application services running Forms Services here on the Forms forum but have had no reply:
  Forms Services availability checking for BIGIP Load Balancer
  My basic questions are:
  a) What do people recommend for load balancing Forms ... least connection, round robin ... ?
  b) Do people use http://server:port/forms/frmservlet?ifcmd=status or have some of you used something else?
  My reason for the question is we had a Forms Services failure that was not detected by the ifcmd servlet as the HTTP side of things was still working. This meant that the BIGIP load balancer sent everything to the failed server as it had the least connections. So basically no-one could logon.
  I've raised an SR with Oracle but they recommend the standard URL above. Has anyone else had a problem like this and if so were you able to fix it?
  Regards,
  Philippe

  Well SR followed up and it looks like the only course of action is to use the standard HTTP check: http://server:port/forms/frmservlet?ifcmd=status ...
  ... unless that is you want to do some serious customisation. Oracle don't support any other form of checking.
  I'm guessing from the lack of responses to this thread that this hasn't been an issue for anybody else ... ???
  Any thoughts/suggestions really welcome as we go into production in 4 weeks.
  a) What do people recommend for load balancing Forms ... least connection, round robin ... ?
  b) Do people use http://server:port/forms/frmservlet?ifcmd=status or have some of you used something else?
  Thanks,
  Philippe

• Bug with Network Load Balancing Services and SkipAsSource always reverting to true

  Steps to reproduce:
  Add an IP address to the cluster (2 nodes running Windows Server 2012) using the Network Load Balancing Manager
  Using PowerShell set the SkipAsSource flag on the IP Address to true (Set-NetIpAddress -IpAddress 192.168.1.10 -SkipAsSource $true). The flag is correctly set.
  Try to reverse the setting (Set-NetIpAddress -IpAddress 192.168.1.10 -SkipAsSource $false). Flag stays as true.
  It appears as though Network Load Balancing Services is remembering the setting from someone.
  Things I've tried all without success (in no particular order):
  Removing the IP address from the cluster and adding it back in
  Using PowerShell to remove the IP address and add it back in manually (on each host).Flag stays set as true on the 1st node but takes a second before it reverts back to true on the 2nd node.
  Using netsh to remove the IP address and add it back in manually (on each host). Flag stays set as true on the 1st node but takes a second before it reverts back to true on the 2nd node.
  Deleting each host from the cluster (one at a time), removing the registry keys CurrentControlSet\Services\WLBS and
  Removing both hosts from the cluster
  Restarting the hosts
  Using processmon (sysinternals) to try and find a registry entry that might be set when SkipAsSource is set
  Does anyone know:
  How to resolve this issue? I'm guessing resetting the TCP/IP stack would work but that's a last resort as it requires an on sight visit to the datacentre.
  Where the SkipAsSource flag it stored?
  How to reset the master/global cluster config?
  Thank in advance,
  Antony

  Hi Antony,
  I am trying to involve someone familiar with this topic to further look at this issue.
  There might be some time delay. Appreciate your patience.
  Best Regards.
  Steven Lee
  TechNet Community Support

• HTTP Redirect with Global Load Balancing

  I've seen a lot of documentation about redirects and what I am trying to do seems simple enough yet I can't get it to work. Here is a summary:
  We have two CSSs in different data centers with load balancing in a roundrobin fashion.
  User types www.test.com:9086/test.html
  User hits one of the CSSes configured to respond to www.test.com, CSS1 and CSS2.
  If CSS1 gets the request, it should redirect request to server1:9086/test.html
  If CSS2 gets the request, it should redirect request to server2:9086/test.html
  Here is a sample of one of the CSSes:
  content vTEST
  dnsbalance roundrobin
  add dns www.test.com
  url "/*"
  protocol tcp
  port 9086
  vip address 192.168.3.135
  add service rTEST
  active
  service rTEST
  protocol tcp
  port 9086
  type redirect
  keepalive type none
  ip address 2.2.2.2
  redirect-string "server1:9086/test.html"
  active
  I've seen a lot of example of using HTTP Redirects, but none of them touch on using global load balancing as we are trying to accomplish.
  Now, if I type in a browser:
  http://www.test.com:9086/test.html
  it fails. Why? because the CSS returns back an IP of 2.2.2.2 for www.test.com, which isn't a real IP address (this is by design). If I type:
  http://192.168.3.135:9086/test.html
  it works because it successfully redirects to:
  http://server1:9086/test.html
  because it is going directly against the VIP and redirecting as it should.
  So the redirect function we know is working on the CSS as expected. However, the problem is this:
  When I ping www.test.com I should get back the VIP address of the content rule (192.168.3.135) and I do UNTIL I ADD THE REDIRECT TYPE to the service. Once I do that if I ping www.test.com I will get back 2.2.2.2. Somehow once the redirect is added the IP address of the service (2.2.2.2) is returned instead of the content VIP (192.168.3.135). That shouldn't happen.
  I hope this makes sense and any help would be greatly appreciated!!!

  I think what you want to do is explained at :
  http://www.cisco.com/en/US/products/hw/contnetw/ps789/products_configuration_example09186a0080094068.shtml
  For your information, you should also look at this solution :
  http://www.cisco.com/en/US/products/hw/contnetw/ps789/products_configuration_example09186a00801dcd75.shtml
  Regards,
  Gilles.

• LACP with Weighted Load Balancing

  Hi,
  I am trying to figure out how to use weighted load balancing (WLB) with LACP in Nexus 5K. Please can you give any duidance on this because the documentation I found so far is not helpful.
  Basically I have a port channel cosisting of two physical 1G ethernet ports and one backup server connecting with two remote SAN hosts over this port channel. Unfortunately the two remote SAN hosts have similar even mac and ip addresses. Thus ordinary source ip/mac load balancing puts them on the same link in the port channel. I want to apply a weight to try to distribute this load.
  Many thanks
  Sankung
  PS: Ultimately, I am getting a 10G NIC for the backup server but in the meantime want to explore this WLB possibility.

  advice : get the apache trace dump to find out what stack it is in. I think you must open a TAR .
  The error possibly coming from mod_osso ?

• SSL setup with a load balancer

  We are running EP 7.0 SP14 and have set it up to run through a Cisco ACE loadbalancer.  We have also setup SSL with the certificate on the ACE load balancer.  Everythign work fine, except we keep getting a Security Alert popup message in IE that states "You are about to be redirected to a connection that is not secure."
  Are there some additional configurations that I need to do in EP to make this go away?
  Maximum points to the first correct answer.

  You can change logoff URL to any value:
  http://help.sap.com/saphelp_nw04s/helpdata/en/44/aada5230be5e77e10000000a155369/frameset.htm
  Regarding VC apps.
  It is strange you cannot see HTTP in the IEWatch. IE should not be able to alert about something it does not see. I suggest you to use something more substantial to trace network calls: http://www.wireshark.org
  This is the best tool I know for network tracing.
  Regards,
  Slava

• Portal Drive not working with external load balancer

  Hi,
  We have a portal cluster and we are using external Load balancer from
  Juniper for load balancing the portal cluster. When given the direct
  portal URL (Central instance URL or Dialog instance URL), Portal Drive
  is able to connect to portal and shows the KM documents properly. But
  when given the Load balancer URL, it gives error saying "Can
  not connect to host using WebDAV protocol". Load balancer URL works
  fine from the browser without any problems. Any help is highly appreciated.
  Helpful points will be rewarded.
  Regards,
  Chandra

  Hi Steve,
  For Portal Drive, Windows integrated authentication, client certificates,basic authentication and Kerberos is supported.
  (in the default delivery of com.sap.km.cm.docs iview the authentication Scheme is set to basicauthentication - switching that to form based authenticationis not being supportedbywebdav clients).
  ALso now Integrated Windows Authentication (NTLM) has been made available with latest patch.
  Also read through SAP NOTE 1084683 for further clarifications.
  Regards,
  Shailesh

• 11gR2 SCAN config with F5 load balancer

  We are getting ready to set up our first RAC 2-node configuration. The hardware had already been purchased before deciding to go with 11gR2. Therefore, we have an F5 load balancer. The question is...can we use the IP address of the F5 in the /etc/hosts file as the SCAN IP address? Would this get us around the need to have a DNS configured SCAN host name?
  Has anyone done this before?
  Thanks,
  Mike

  Hi Mike,
  Welcome to the forum.
  I dont know works F5 Load Balancer.
  But i'll try...
  The question is...can we use the IP address of the F5 in the /etc/hosts file as the SCAN IP address?Oracle strongly recommends that you do not configure SCAN VIP addresses in the hosts file.
  But if you use the hosts file to resolve SCAN name, you can have only one SCAN IP address. You will not get full functionality of the SCAN.
  See this note on MOS:
  *11gR2 Grid Infrastructure Single Client Access Name (SCAN) Explained [ID 887522.1]*
  Would this get us around the need to have a DNS configured SCAN host name?If you want to use the SCAN feature, it is strongly recommended you use the DNS in your environment. This is my advice.
  Read the note above or link below to understand how SCAN works
  http://levipereira.wordpress.com/2010/12/18/single-client-access-name-scan-by-barb-lundhild/
  Regards,
  Levi Pereira
  <font size="1" color="black">Please close your thread when you get the solution to your problem.</font><br>
  <font size="1" color="black">Mark the replies answered "helpful" answer or "correct" answer that will help others with same problem.</font><br>
  <font size="1" color="black">Thanks for doing your part to make this community as valuable as possible for everyone!</font><br>

• FireWall ( with DMZ ) Load Balance

  Hi,
  I search CCO and find some Firewall load balance document ( http://www.cisco.com/warp/customer/117/fw_load_balancing.html ), but in this sample both firewall havn`t DMZ. Is there anyone can advise me how about the network diagram and hot to configure CSS if both firewall have DMZ?
  Best Regards,

  Hi,
  There are no issues with the firewalls having DMZ's. The firewall load balancing occours accross firewalls regardless of the firewall interface that the incomming packet is destined for.
  Regards Brett

• Having an issue with vpn load balancing certificate on the vip

                     Hi all,
  I am setting up vpn load balancing in a lab. I have two asa's running 8.6. I created a ucc cert from our internal CA  that has the vip as the CN in the cert and the two ASA's themselves as subject alternative names. I used open ssl to create the request. In each asa I am using encryption between the ASA's to encrypt the psk's. Since this is a lab and I do not have the DNS servers at my disposal I've added the hostnames and addresses of each ASA to the config in the ASA's. The problem I have is that when I connect to the vip I get a cert error saying the cert doesn't match the name on the site. See below:
  "The security certificate presented by this website was issued for a different website's address."
  I have a hostfile on my lab pc connected directly to the outside of the ASA that can resolve the name of the vip but when I browse to the vip I get the cert error. If I click proceed anyway the asa redirects me and the page opens without error on one of the two ASA's.
  Does any one know what the CN of the cert should be for vpn load balancing. I thought the CN would be the vip but sometinhg is not right.
  Any help is appreciated.
  Thanks.

  Issue resolved. Switched the order of the trustpoints on the outside and vpn load balance.

• Webcache load balancing - Login issue

  Hi,
  We have configured load balancing between two managed server using web cache. The load balancing is working fine. But the problem is, after login to our application deployed on both managed servers, if we stop the managed server currently processing the request and start second managed server then the current session is not applicable for second managed server. We are logged out of the application for any further request. Even if the second managed server is already running, we are logged out. The session binding has been configured to JSESSIONID and cookie based. Please let us know how we can make the same session applicable for another server as well so that users are not logged out if the server processing the request goes down. This sounds like configuring some failover settings but i am not able to find it out.
  Thanks

  Does your application require session binding?
  You may want to contact Oracle Support to review your configuration setttings.

• Certificate based authentication with SSL load balancer

  I've been asked to implement certificate-based authentication (CBA)
  on a weblogic cluster serving up web services. I've read through
  Chapter 10 (security) and understand the "Identity Assertion" concept.
  Environment:
  Weblogic 8.1 cluster fronted by a load-balancer that handles SSL and
  uses sticky-sessions.
  Question:
  If the load balancer is used to handle SSL, do I still need to turn
  on SSL on the weblogic cluster in order to use CBA? Is there another
  way to request the client's certificate?
  If the above is yes, what is the minnimal level of SSL? Does it have
  to be two-way?
  If SSL has to be turned on is there any reason to use the load
  balancer's SSL? Is there still a performance benefit?

  I think the simplest and most secure way is to have the servers configured for
  2-way ssl, since this would ensure that the certificate they receive and use for
  authentication has been validated during the ssl handshake. In this case the load
  balancer itself does not need to and cannot do the handshaking, and would need
  to pass the entire SSL connection through to the WLS server (ie: act similar to
  a router)
  Pavel.
  "George Coller" <[email protected]> wrote:
  >
  I've been asked to implement certificate-based authentication (CBA)
  on a weblogic cluster serving up web services. I've read through
  Chapter 10 (security) and understand the "Identity Assertion" concept.
  Environment:
  Weblogic 8.1 cluster fronted by a load-balancer that handles SSL and
  uses sticky-sessions.
  Question:
  If the load balancer is used to handle SSL, do I still need to turn
  on SSL on the weblogic cluster in order to use CBA? Is there another
  way to request the client's certificate?
  If the above is yes, what is the minnimal level of SSL? Does it have
  to be two-way?
  If SSL has to be turned on is there any reason to use the load
  balancer's SSL? Is there still a performance benefit?