Hi, I'd like to know if someone has exprience setting up the X509 Client Cert authentication scheme in an environment with 2 web servers and a load balancer in front:
As per Siteminder documentation they ask to set the web servers name (e.g. WebServer1) as Server Name in the Authentication Scheme configuration. This works but leads to the situation that if WebServer1 is down the users can not log in anymore. Using the LoadBalancer as Server Name results in a Bad Gateway error for the users.
Support refers to CA Services as this seems to be an exotic constellation so no ideas from there.
thanks for any input!
As you know, Load balancer will have the status of each server and it will be able to check the status each server underneath for every 5sec (Depends on the configuration). So if you are mentioning the Load Balancer URL in the Authentication scheme then the load balancer will be able to send the requests to the available servers.
As you said, You have two web servers Webserver1(web1.xyz.com) and Webserver2(web2.xyz.com) which are under the Load Balancer A (a.xyz.com). So when the you mention the load balancer as server name then the URL is http://a.xyz.com/siteminderagent/cert/smgetcred.scc. Suppose your Webserver1 is down then the load balancer will have the status of Webserver1 and it automatically mark the server as down and it wont send the request further to it and all the requests will be going to Webserver2. Kindly work with your Load Balancer team for more on this.
Shouldn't be a problem. We run multiple systems behind a few load balancer setups and doing certificate authentication; never had any issues with it.
If you're getting a "bad gateway" is that ONLY with the certificate auth? Does it happen when accessing any other pages or like HTML forms schemes?
One thing to keep in mind with cert auth, is that whatever load balancer you're using should not be doing SSL termination, that will completely dork up the cert auth. Needs to just pass through the request to appropriate active server.