Symantec Access Management


CA Siteminder : Does changing HCO value needs restart of service?

  • 1.  CA Siteminder : Does changing HCO value needs restart of service?

    Posted Feb 18, 2016 08:36 AM

    Hi,

     

    If I change the value of HCO in the SmHost.conf file,

     

    1) Will it need restart of service (to reflect immediately)?

     

    2) If yes, will the changes come into effect at least after some time without restart?

     

    3) If yes, then how to know/change the value of that time period (for changes to come into effect)?

     

    4) Also, please explain when web agent load/check HCO details? I mean will it load

      •      only once during web instance initialization or
      •      once for a certain period of time or
      •      during every request or
      •      will it compare with existing value every time or ....?

     

    Thanks for your feedback in advance

     

    Regards,

    Dhilip



  • 2.  Re: Does changing HCO value needs restart of service?

    Posted Feb 18, 2016 06:04 PM

    1) Will it need restart of service (to reflect immediately)?

     

    Thoughts> Yes.

     

     

    2) If yes, will the changes come into effect at least after some time without restart?

     

    Thoughts> I am not entirely sure on this piece since you have changed the HCO value within SmHost.conf - would it pick the new HCO name unless a restart. You could test this behavior. My gut feeling tells me, it needs a restart.

     

     

    3) If yes, then how to know/change the value of that time period (for changes to come into effect)?

     

    Thoughts> Once the HCO is loaded during initialization, the PSPollInterval in ACO plays the key role for polling for updates & key refreshes.

     

     

    4) Also, please explain when web agent load/check HCO details? I mean will it load

      •      only once during web instance initialization or
      •      once for a certain period of time or
      •      during every request or
      •      will it compare with existing value every time or ....?

     

    Thoughts> We have a feature called DynamicHCO which needs to be set in SmHost.conf. This allows WA to pick up changes within HCO dynamically without having to restart WA Services. Your use case, however, is entirely different: you are changing the HCO name itself within SmHost.conf. This DynamicHCO feature has not been tested under this scenario wherein the HCO name itself has been changed in SmHost.conf. My recommendation would be to look at adding / removing IP addresses within HCO & use the DynamicHCO feature, rather than changing the HCO name.

     

     

     

    Regards

     

    Hubert



  • 3.  Re: Does changing HCO value needs restart of service?

    Posted Feb 19, 2016 06:02 AM

    Hi Hubert,

     

    Thanks for your response.

     

    Kindly note that I need to change other HCO parameters too and this HCO is being used by many other applications so we cannot modify the same.

    Also, from the siteminder_ps_config_enu.pdf document, I come to know that modifying other HCO parameters needs reboot of the web server (even with Dynamic HCO).

     

    1) We have many instances in the server. So, I want to achieve this change without service disruption. Is it possible?

     

    2) If it is not possible, please let me know if restart of each instance is required?

     

    3) If I want only a few instances to use some other HCO, will following the below steps work or will I face some issue? I am aware that restart is required for this action but I am not sure about the significance of shared secret.

    • Copy the content of existing SmHost.conf file.
    • Create a new file and update the HCO value.
    • Modify the HostConfigFile parameter of WebAgent.conf of that corresponding instance with the new name.

     

    4) Kindly provide your feedback for my fourth point in the initial mail about when HCO details will be loaded.

     

    Thanks.

     

    Regards,

    Dhilip



  • 4.  Re: Does changing HCO value needs restart of service?

    Posted Feb 19, 2016 10:54 AM

    Hi Dhilip,

    Guess restart is required if you are changing anything in HCO except policy server IP with setting DynamicHCO in smhost.conf, as per Hubert's comment. What the smhost.conf file contains is a bootstrap loader with the policy server IP, which means once you hit the webserver URL the webagent will interrupt the request and contact the PS IP from sm.conf; from the PS it gets the HCO details, loads them in the webagent cache and discards the bootstrap PS details which it got from sm.conf.

     

    You need to run host registration (webagent config wizard) for the new webserver config; copying the entire content of sm.conf and replacing it in another instance won't help as the shared key secret won't match with the policy server. You can check this test case by changing the IP address of the webserver, as the shared secret contains physical server details like IP.

     

    Regarding to your last question is



  • 5.  Re: Does changing HCO value needs restart of service?

    Posted Feb 22, 2016 05:43 AM

    Hi,

     

    Thanks for your feedback. Somehow, I am not getting the clear answer which I am expecting.

     

    Regarding modification => Please note that I am not going to change anything in HCO. I just want to change the value/name of HCO in SmHost.conf file. So, I want to know when this HCO file will be loaded, where those details will be stored, what is the validity of that stored data etc.. I would feel great if I get the answer for my 4th question in initial mail (I have re-posted the same below)

    <<

    4) Also, please explain when web agent load/check HCO details? I mean will it load

      •      only once during web instance initialization or
      •      once for a certain period of time or
      •      during every request or
      •      will it compare with existing value every time or ....?

    >>

     

    Regarding host registration => Please note all the instances are on the same server and using the same server name (with different ports). Currently, all the instances are using only one SmHost.conf file. As I want two instances to use different HCO, I thought of  copying and modifying the existing data in different file (for instance SmHost1.conf) and source that file in the WebAgent.conf of that corresponding instance. Won't it work?

     

    Is there any document which clearly explain this behavior?

     

    Thanks in advance.

    Dhilip



  • 6.  Re: CA Siteminder : Does changing HCO value needs restart of service?

    Posted Feb 22, 2016 05:08 PM

    Dhilip

     

    To best of my knowledge the answer for [4] is WebAgent reads the HCO during initialization only.

     

    If we are using DynamicHCO, WebAgent would read Policy Server IP changes at runtime. However, in order to apply DynamicHCO, WebAgent needs to be restarted as it reads DynamicHCO enablement during initialization only.

     

    If you change the HCO name in SmHost.conf; I think there is no way other than to restart the WebAgent process to reload the new configuration.

     

    These are my findings over the years.

     

    I would encourage you to test these in a PoC environment. It is easy to test this and see the results.

     

    Alternatively, if it needs to be reassured, then a P3 or P4 (RFI) Support Case would be best to validate these comments.

     

     

    Regards

     

    Hubert



  • 7.  Re: CA Siteminder : Does changing HCO value needs restart of service?

    Posted Feb 23, 2016 02:07 AM

    Hi Hubert,

     

    Thanks for your continuous support.

     

    So, as per your feedback, I think the only way is to restart the services, and I didn't really understand your below point.

    << if it needs to be reassured, then a P3 or P4 (RFI) Support Case would be best to validate these comments. >>

     

    Could you please provide your feedback for the below points as well? Hope this thread won't continue further..

     

    1) Assume that I have 10 instances on the server and all the instances are using the same SmHost.conf file. If I modify the HCO value in that SmHost.conf file, then I have to restart each instance for the changes to come into effect for that corresponding instance. Please correct me if I am wrong.

     

    2) If I want only few instances to use some other HCO, following the below steps will work or will I face some issue? I am not sure about the significance/content of shared secret.  

      • Copy the content of existing SmHost.conf file.
      • Create a new file (for instance SmHost1.conf) and update the HCO value.
      • Modify the HostConfigFile parameter of WebAgent.conf of that corresponding instance with the new name.
      • Restart the service.

    Note : All the instances are using the same server name (but with different ports).

     

    Regards,

    Dhilip



  • 8.  Re: CA Siteminder : Does changing HCO value needs restart of service?

    Posted Feb 23, 2016 10:50 AM

    1) Assume that I have 10 instances on the server and all the instances are using the same SmHost.conf file. If I modify the HCO value in that SmHost.conf file, then I have to restart each instance for the changes to come into effect for that corresponding instance. Please correct me if I am wrong.

     

    [Hubert] Yes correct.

     

     

    2) If I want only few instances to use some other HCO, following the below steps will work or will I face some issue? I am not sure about the significance/content of shared secret. 

      • Copy the content of existing SmHost.conf file.
      • Create a new file (for instance SmHost1.conf) and update the HCO value.
      • Modify the HostConfigFile parameter of WebAgent.conf of that corresponding instance with the new name.
      • Restart the service.

    Note : All the instances are using the same server name (but with different ports).

     

    [Hubert] This should work. No issues in the steps defined in bullet points.

     

     

     

    Regards

     

    Hubert
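
The per-instance split discussed in posts 7 and 8, as an added example that is not part of the thread and not CA/Broadcom code. It runs on constructed file contents; the key names `hostconfigobject` and `sharedsecret`, the paths and the function names are assumptions, since the thread only names the two files and the `HostConfigFile` parameter. The copy is created owner-only because it carries the same shared secret as the original.

```python
import os
import re
import tempfile

# Constructed samples; key names other than HostConfigFile are assumed.
SMHOST = '''hostname="web01"
sharedsecret="{RC2}CONSTRUCTED-PLACEHOLDER"
policyserver="192.0.2.10,44441,44442,44443"
hostconfigobject="HCO_Shared"
'''
WEBAGENT = '''HostConfigFile="/opt/webagent/config/SmHost.conf"
AgentConfigObject="ACO_Instance2"
EnableWebAgent="YES"
'''

def get_param(text, key):
    """Return the quoted value of key, or None if the key is absent."""
    m = re.search(r'^\s*%s\s*=\s*"([^"]*)"' % re.escape(key), text, re.M | re.I)
    return m.group(1) if m else None

def set_param(text, key, value):
    """Replace the value of exactly one key="..." line; refuse anything else."""
    if '"' in value:
        raise ValueError("value must not contain a double quote")
    pattern = re.compile(r'^(\s*%s\s*=\s*)"[^"]*"' % re.escape(key), re.M | re.I)
    if len(pattern.findall(text)) != 1:
        raise ValueError("expected exactly one %s line" % key)
    # A function replacement keeps backslashes in Windows paths literal.
    return pattern.sub(lambda m: '%s"%s"' % (m.group(1), value), text)

def write_private(path, text):
    """Create the file owner-only and fail if it already exists."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(text)

def split_instance(smhost_text, webagent_text, new_hco, new_smhost_path):
    """Steps 1-3 of the procedure; the restart (step 4) is left to the operator."""
    new_smhost = set_param(smhost_text, "hostconfigobject", new_hco)
    # Only the HCO name may differ; the shared secret must be carried over intact.
    if get_param(new_smhost, "sharedsecret") != get_param(smhost_text, "sharedsecret"):
        raise RuntimeError("shared secret changed during copy")
    write_private(new_smhost_path, new_smhost)
    new_webagent = set_param(webagent_text, "HostConfigFile", new_smhost_path)
    return new_smhost, new_webagent

if __name__ == "__main__":
    target = os.path.join(tempfile.mkdtemp(), "SmHost1.conf")
    smhost1, webagent1 = split_instance(SMHOST, WEBAGENT, "HCO_Instance2", target)
    print(smhost1)
    print(webagent1)
```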



  • 9.  Re: CA Siteminder : Does changing HCO value needs restart of service?

    Posted Feb 24, 2016 03:38 AM

    Hi Hubert,

     

    Thanks for your response and continuous support.

    Have a nice day!

     

    Regards,

    Dhilip



  • 10.  Re: CA Siteminder : Does changing HCO value needs restart of service?

    Broadcom Employee
    Posted Feb 23, 2016 03:03 AM

    Hi,

     

    Search in documentation and release notes something about "Dynamic Host Configuration Object", I think this functionality might exist.

     

    Best Regards,

    Patrick



  • 11.  Re: CA Siteminder : Does changing HCO value needs restart of service?

    Posted Feb 26, 2016 05:21 AM

    With R12 SP3 Policy Server/WebAgent supports Dynamic HCO. There is no need to restart webservers.



  • 12.  Re: CA Siteminder : Does changing HCO value needs restart of service?

    Posted Feb 26, 2016 06:26 AM

    Hi,

     

    • I think Dynamic HCO feature is handy only for reflecting the changes in "Policy Server" parameter of HCO without restarting the services.
    • From the siteminder_ps_config_enu.pdf document, I come to know that modifying other HCO parameters needs reboot of the web server (even with Dynamic HCO).

     

    Also, in this case, I want to change the HCO name itself. So, I think as per Hubert's feedback, restart of service is required. Could you please share your thought?

     

    Regards,

    Dhilip



  • 13.  Re: CA Siteminder : Does changing HCO value needs restart of service?

    Posted Feb 26, 2016 06:35 AM

    Depending upon the type of webserver.

    Whenever a webserver creates a new child process, it reads the SmHost.conf file then downloads HCO then based on the policy servers in HCO it downloads ACO.

    Apache in prefork mode forks child process for every request, so if you have Apache in pre-fork mode you can simply change the HCO in SmHost.conf and all the new child processes will use the new HCO.

    Other webservers will use the new HCO when they create a new child process, depending upon the configuration, or else a restart is required. Dynamic HCO will not help here.

     

    If the webserver is Apache in pre-fork mode then you can simply change the HCO to a non-existent value and do the test. All the new requests being processed by the new child processes will start giving error.



  • 14.  Re: CA Siteminder : Does changing HCO value needs restart of service?

    Posted Feb 26, 2016 07:36 AM

    Hi,

     

    I thought SmHost.conf file will be loaded only once (during initialization) irrespective of the type.

    But, as per your above feedback. I think my understanding is wrong.

     

    Thanks for your valuable feedback!!

     

    • So, I assume that restart is not needed in case of Prefork.
    • Could you please also explain when a new child process will get created in worker mode? Is there any way to control that?

     

    Regards,

    Dhilip



  • 15.  Re: CA Siteminder : Does changing HCO value needs restart of service?

    Posted Feb 26, 2016 08:20 AM

    In case of prefork restart is not required. As pre-fork Apache is multi process but not multi threaded. You can test it in test env.

    If ACO or HCO name is changed in the WebAgent.conf/SmHost.conf file, existing processes will not give any error but all the new child processes will start giving error.

     

    For worker mode the following directives in the httpd.conf controls when the new processes will be created:

    For e.g.

    # worker MPM
    # StartServers: initial number of server processes to start
    # MaxClients: maximum number of simultaneous client connections
    # MinSpareThreads: minimum number of worker threads which are kept spare
    # MaxSpareThreads: maximum number of worker threads which are kept spare
    # ThreadsPerChild: constant number of worker threads in each server process
    # MaxRequestsPerChild: maximum number of requests a server process serves
    <IfModule worker.c>
    StartServers         4
    MaxClients         300
    MinSpareThreads     25
    MaxSpareThreads     75
    ThreadsPerChild     25
    MaxRequestsPerChild  0
    </IfModule>

     

    In the above example during restart Apache will create 4 processes and since MaxRequestsPerChild is 0 then most likely Apache is not going to create any new process during the run time.
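
An added example (not from the thread and not CA/Broadcom code) that reads a worker MPM block like the one posted above and classifies when new child processes can appear; per posts 13 and 15 those are the processes that read the edited SmHost.conf, while running children keep the HCO they loaded. The function names and verdict labels are invented here, and `ServerLimit` is taken at Apache's documented worker default of 16 when the block does not set it.

```python
import re

# Constructed sample: the worker MPM block quoted in the post above.
SAMPLE_HTTPD_CONF = """\
<IfModule worker.c>
StartServers         4
MaxClients         300
MinSpareThreads     25
MaxSpareThreads     75
ThreadsPerChild     25
MaxRequestsPerChild  0
</IfModule>
"""

WORKER_OPEN = re.compile(r"<IfModule\s+(worker\.c|mpm_worker_module)\s*>", re.I)
REQUIRED = ("startservers", "maxclients", "threadsperchild", "maxrequestsperchild")

def parse_worker_mpm(conf_text):
    """Return the integer directives found inside the worker MPM block."""
    values, inside = {}, False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if WORKER_OPEN.match(line):
            inside = True
        elif line.lower().startswith("</ifmodule"):
            inside = False
        elif inside:
            parts = line.split()
            if len(parts) == 2 and parts[1].isdigit():
                values[parts[0].lower()] = int(parts[1])
    return values

def child_turnover(values, default_server_limit=16):
    """Classify how running children get replaced by freshly started ones."""
    missing = [k for k in REQUIRED if k not in values]
    if missing:
        raise ValueError("missing directives: " + ", ".join(missing))
    limit = values.get("serverlimit", default_server_limit)
    # Each child owns ThreadsPerChild threads, so MaxClients caps the child count.
    max_procs = min(values["maxclients"] // values["threadsperchild"], limit)
    if values["maxrequestsperchild"] > 0:
        # Every child exits after N requests and is replaced.
        verdict = "rolling"
    elif max_procs > 1:
        # Children are only added or re-added as load moves the spare-thread
        # count, so old and new children can serve side by side.
        verdict = "load-dependent"
    else:
        # One long-lived child and no recycling: nothing re-reads the file.
        verdict = "restart-only"
    return {
        "initial_processes": values["startservers"],
        "max_processes": max_procs,
        "verdict": verdict,
    }

if __name__ == "__main__":
    print(child_turnover(parse_worker_mpm(SAMPLE_HTTPD_CONF)))
```

A "load-dependent" or "rolling" result means an edited SmHost.conf can be live in some children and not in others until a full restart.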



  • 16.  Re: CA Siteminder : Does changing HCO value needs restart of service?

    Posted Mar 01, 2016 08:13 AM

    Hi Rajesh,

     

    Thanks for your detailed explanation.

     

    If my understanding is correct,

    • In prefork mode, for every request new child process will be created. This process will reload the httpd.conf file.
    • By means of that, WebAgent.conf file and then SmHost.conf file will be loaded.

     

         1. But, will the new process reload the environment variable?

      • If no, is launching the script . ./path_of_ca_wa_env.sh sufficient?
      • If still no, is there any other way to load environment variables without restart? Because if it is possible then restart of service is not at all needed in Prefork mode (even for new web agent installation).

         2. Also, as the HCO will be downloaded for every request in Prefork mode, I hope restart is not needed even if I modify any HCO parameter in WAMUI. Please correct me if I am wrong.

     

    Thanks and awaiting your return!

     

    Regards,

    Dhilip



  • 17.  Re: CA Siteminder : Does changing HCO value needs restart of service?

    Posted Mar 04, 2016 04:33 AM

    Hi Dhilip,

     

    with regards to answer #1...there is no way to load the environment variable. Also, you need to restart webagent during upgrade because you need to recycle LLAWP process. LLAWP is only created when Apache is started. It is independent of the Apache child processes.

     

    #2...Which parameters are you modifying? If you modify the policy server names then it should be taken by the webagent dynamically. If you are changing the name of the HCO then also it should work (never tried this myself). Regarding other parameters like socket count, timeout etc, I am not sure whether those values will be applied dynamically.

     

    Also if you are using clusters then changes should be applied dynamically.

     

    regards,

    Rajesh



  • 18.  Re: CA Siteminder : Does changing HCO value needs restart of service?

    Posted Mar 08, 2016 12:51 AM

    Hi Rajesh,

     

    Thanks for your continuous responses. Sorry, but I have lot of questions again!

     

    1) In IIS server, I have noticed that the LLAWP process was getting started (on launching the URL) even before restarting the services, so I thought the same would be the case in Apache too. But, as per your above feedback, it seems I was wrong.

    • What is the significance of this LLAWP process? Because sometimes this process is running even when siteminder is disabled (but agent is working as expected).
    • When will it be started? Does it depend on where we are adding the environment variable?
    • I think the working of Apache Worker and IIS is nearly the same. But how is the LLAWP process getting started without restart in IIS (I hope it is also Multi process and Multi threaded) whereas not in case of Apache?

     

    2) I am not able to understand your point clearly. Could you please confirm if my below understanding is correct?

         "In prefork mode, for every request new child process will be created. This process will reload the httpd.conf file. By means of that, WebAgent.conf file and then SmHost.conf file will be loaded."

    • If my understanding is correct, then I think a change in any parameter of HCO should be applied dynamically. May I know why you are not sure? As I seem to have missed some point of view.
    • Also, how are you sure in case of clusters while not in the other case?

     

    Regards,

    Dhilip



  • 19.  Re: CA Siteminder : Does changing HCO value needs restart of service?

    Posted Mar 08, 2016 04:47 AM

    Hi Dhilip,

     

    When you start IIS LLAWP doesn't start automatically. LLAWP is only started when IIS receives an HTTP request. In Apache LLAWP starts whenever Apache is restarted.

    In the IIS Application pool there is a configuration which controls how often the application pool is recycled. In IIS6 by default the application pool is recycled every 23 hours (not sure if this is the same in IIS8). Also there is a setting to recycle the application pool after processing a certain number of requests, and there is an idletimeout for Application pools. When the application pool is recycled then IIS will create a new w3wp process.

     

    Depending on how you have disabled the webagent. If you have modified the webagent ACO parameter EnableWebAgent to NO then Apache will still load the webagent module and LLAWP will be running. If you want to completely disable the webagent then in the Apache conf file you should disable the 2 lines which load the SiteMinder webagent library.

    LLAWP process starts when Apache is started. In IIS it is started when IIS first receives an HTTP request. But if the IIS process w3wp is shut down due to idletimeout then LLAWP will also shut down and will start again when IIS receives an HTTP request.

    IIS is multi process multi threaded and so is Apache in worker mode.

    Reason I said I am not sure whether all the parameter changes will take effect or not is because this is what CA documentation states:

    Dynamic Host Configuration Object

    With dynamic Host Configuration Object (HCO) updates, you can add Policy Servers to and remove them from a Policy Server cluster without needing to reboot the Web Server for the changes to take effect. The Web agent picks up the Policy Server changes dynamically and the Host Configuration Object is updated without a reboot.

     

    It only talks about the Policy Server cluster. If you are not using clusters then you need to check with CA whether Dynamic HCO applies or not and whether all changes are applied or only policy server.

     

    thanks,
    Rajesh



  • 20.  Re: CA Siteminder : Does changing HCO value needs restart of service?

    Posted Mar 09, 2016 07:59 AM

    Hi Rajesh,

     

    Thanks for your explanation!! I think now I have understood but could you provide your feedback for below points just to confirm?

     

    Let us assume one application pool which has following values.

    • Idle time out = 15 minutes
    • Maximum worker process = 1

     

    1. In case I modify some siteminder agent configuration on the server side (like changing the name of HCO/ACO, enabling/disabling siteminder), then these changes will come into effect after 15 minutes max (assuming that the website which is using this app pool will not be used for the next 15 minutes).
    2. If I want my changes to reflect immediately, recycling the application pool itself is enough (don't need restart of services) as a new worker process will get created after recycling.

     

    If my understanding is correct, then I hope I am not going to ask any further questions.

     

    Thanks for your great support!

    Have a great day!!

     

    Regards,

    Dhilip



  • 21.  Re: CA Siteminder : Does changing HCO value needs restart of service?

    Posted Feb 26, 2016 10:14 AM

    Dhilip

     

    I would encourage you to test it and conclude (I would always test the suggestion & recommendation on communities before signing it for a customer implementation / design). Hence my initial comment was to also raise P4 or P3 support case and have it validated via CA Support / CA Engineering.

     

    I believe (Inclined to agree with Rajesh) it may work for Apache PreFork without restart. Because each child process opens an initial connection to Policy Server i.e. a High Priority Request (Read HCO, ACO, establish trust handshake) I'd assume; before a Normal Priority Request (IsProt / IsAuth / IsAz). 

     

    However for Apache Worker; You'd still need a restart, as the process opens threads and each thread handles requests. HCO and ACO would have been read during Agent Process initialization, when WebServer's single process booted.

     

    IIS would also follow a nearly similar pattern as Apache Worker.

     

     

    Regards

     

    Hubert



  • 22.  Re: CA Siteminder : Does changing HCO value needs restart of service?

    Posted Mar 01, 2016 07:48 AM

    Hi Hubert,

     

    Thanks for your support.

     

    Unfortunately, I cannot test this from my end. Could you please let me know the procedure for raising P4 or P3 support case so that I may try?

     

    Regards,

    Dhilip