Hi Janos.
Good news, and obviously confirms, that additional unneccassary sessions might be related to a mis-configuration of the load balancer.
I don't think, that new sesssions when doing a refresh (F5) in the main window is an issue.
At least I can observe the same in this scenario: Single SDM server, no SSO. Doing a refresh forces me to do a new login.
Hence a new session is created. So, this obviously behaves the same as in your situation.
If your customer sees this as an issue, this would be a different topic ;)
Regarding different behaviour of the Edge browser, there might be a technical reason for it. To examine this further on, I would take a look at the http requests, this browser sends, and compare them to a working browser behaviour.
In regards the NX.env variable setup, I have the following thoughts:
One of the main reasons implementing advanced availability, is exactly that: advanced availability.
By using a specifc server for the sevlet urls, you have a single point of failure again.
Second, you don't have load balancing capabilities any more. So all servlet activities like upload,download,report would use only one server.
It's nothing wrong with this setup, but its more insufficient, in regards to the intent of advanced availability.
Hope this helps.
Best regards
...Michael
Original Message:
Sent: May 18, 2022 02:38 AM
From: Janos Mertz
Subject: CA SDM Login creates multiple sessions using Single Sign On.
Hi Michael,
Thanks a lot.
Customer has checked the load balancer settings and made small changes.
I haven't received any information about what exactly, but now it works correctly with Internet Explorer, only Refresh (F5) in main window creates unnecessary session.
Unfortunately we still have the problem with Edge, a simple login generates two sessions, and each detail window generates another new one.
I have checked the URLs in NX.env, and the following URLs are set in all servers:
@NX_WEB_CGI_URL=https://LOAD_BALANCER_NAME/CAisd/pdmweb.exe
@NX_SERVLET_SERVER_URL=https://HOSTNAME:8443
@NX_LOCAL_SERVLET_SERVER_URL=https://HOSTNAME:8443
@NX_WSP_CGI_URL=http://HOSTNAME/CAisd/pdmweb.exe
The following URLs are set in all servers?
Thanks and best regards
Janos
Original Message:
Sent: May 17, 2022 02:49 AM
From: Michael Mueller
Subject: CA SDM Login creates multiple sessions using Single Sign On.
Hi Janos.
I suggest the following , more general procedure (some of these might be checked by you already)
- First check your settings in NX.env in regards to url's.
I have the following vars in mind:
@NX_WEB_CGI_URL
@NX_SERVLET_SERVER_URL
@NX_LOCAL_SERVLET_SERVER_URL
@NX_CMDB_VISUALIZER
All of them should point to your load balancer, in my understanding, and should look the same on all app server. - Then I would do another test to reproduce the issue , mostly as the only user on the system, to reduce confusion.
Then check the webserver logs for incoming requests on all app server.
If reproduced, and different app server have received requests, it would definitively point to a loadbalancer issue. - The load balancer needs to be configured with so called sticky sessions. How this is done depends on the loadbalancer in use, and could usually be done in various ways: by cookies, by incoming ip, maybe others.
- In general the lb should also be configured to check the availability of app server's. The health servlet can be perfectly used to accomplish this. However, this kind of config is not related to this issue, but is part of a reliable loadbalancer setup
Hope this helps
Regards
...Michael
Original Message:
Sent: May 16, 2022 03:30 PM
From: Janos Mertz
Subject: CA SDM Login creates multiple sessions using Single Sign On.
Hi Michael,
Thanks a lot.
I couldn't reproduce it in a single server configuration.
The duplicate session is only created when you refresh the main form using F5.
Do you have any hints how to configure the load balancer correctly?
It was configured by the customer and I would like to have ideas in which direction we can look further.
Thanks and best regards
Janos
Original Message:
Sent: May 13, 2022 08:30 AM
From: Michael Mueller
Subject: CA SDM Login creates multiple sessions using Single Sign On.
Hi Janosh.
Yes, usualy you adopt the lb fqdn into NX.env web_url and other NX.env url vars.
That might lead to, that you are going through the LB later on, even though you started your session directly on the app server.
Sure, this depends on the setup.
Anyway, the lb access should work anyhow !
Best regards
...Michael
Original Message:
Sent: May 13, 2022 05:04 AM
From: Janos Mertz
Subject: CA SDM Login creates multiple sessions using Single Sign On.
Hi Michael,
Thanks a lot.
I also think we need to check towards LB and/or SSO.
Do you think that we have to take the LB into account if I specify the application server directly in the URL?
I've thought that in that way it is then purely dependent on the application server.
As I mentioned in this thread before I plan to check these properties in my single server development system.
If I can reproduce similar behavior using SSO, then I can disregard the load balancer temporarily.
It means that I am still looking for the causes and collecting the information.
Thanks and best regards
Janos
Original Message:
Sent: May 13, 2022 01:29 AM
From: Michael Mueller
Subject: CA SDM Login creates multiple sessions using Single Sign On.
Hi all.
Another potential reason for multiple backend sessions for the same single frontend (browser) could be a misconfiguration of your loadbalancer.
When SSO is configured you need to assure that on LB level the same SDM session will always be forwarded to the same app server (sticky session).
In fact this should be configured in a non SSO environment as well, otherwise the user gets prompted for login each time he hits a different app server/webengine. This is because web session as well as SOAP sessions are not shared accross webengines. Btw. REST sessions are .
Regards
...Michael
Original Message:
Sent: May 11, 2022 09:49 AM
From: Janos Mertz
Subject: CA SDM Login creates multiple sessions using Single Sign On.
Hi,
We have SDM 17.3.0.12 in Advanced Availability configured for https and SSO on Windows Servers.
When we open the URL https://<servername>/CAisd/pdmweb.exe the user is automatically logged in and two sessions are automatically opened instead of only one session.
Opening a contact detail creates another session.
Using refresh F5 in main window only closes one session and creates two new ones.
It's generally the same behaviour with Internet Explorer and Edge, just a small difference that the Refresh (F5) in Contact Detail causes an extra session in Edge, and no new session is generated in IE.
The main problem is that we get a multiple number of sessions than the actual logged-in users.
Have any of you seen this kind of behaviour?
How can we eliminate these multiple sessions from being created?
Thanks and best regards
Janos Mertz