Layer7 Access Management

CA SiteMinder and Session Store Failover


    Posted 06-21-2011 12:07 PM

    CA SiteMinder and Session Store Failover Tuesday Tip by Vijay Masurkar, Principal Support Engineer for 6-21-2011

    A typical use case is for Federation Security Services where two clusters may be required to be set up for high availability and failover. Let us look at the case where the session store is configured using SQL Server. SiteMinder will assume, in this case, that replication of SQL Server databases is happening instantaneously and successfully. If this doesn’t happen (within an expected time period), then the session may become invalid and the user for that session will be re-challenged for authentication.

    The clustering itself is configured via SQL Server administrative tools. Then define ODBC data sources, one for cluster one and the other for cluster two. Next, the clusters can be listed simply as nodes, comma-separated, via the Policy Server Management Console’s Data Tab. The Test button can be used to test for basic definition and connectivity. Note that if one of the nodes in the cluster fails and it fails over to another node in the same cluster, there is no way for SiteMinder to know. One can determine those details using the SQL Server Management Studio. However, the cluster failovers will be known to SiteMinder and logged in the policy server logs.

    Secondly, instead of cluster failovers, consider the case where failover is set up between nodes (i.e. just between single database servers, no clusters), with the datasources listed in the Data Tab as comma-separated nodes. When datasource one fails over to datasource two, SiteMinder will be able to see the details of the participation of those nodes in that failover in the policy server logs.