Symantec Access Management

 View Only
  • 1.  CA Single Sign On 12.8 Health Check options

    Posted Oct 05, 2018 01:28 AM

    Hi All,

    We are building CA SSO 12.8 in AWS cloud and as part of the design, we have decided to use AWS ELB in between SPS and policy server.

    However, we are running out of options to enable CA Policy server health check from AWS ELB.

    user case 1:

    Since AWS platform has to be spin-in another instance of policy server or spin-out based on load/ due to uncertain situations and server failures, AWS platform has to spin-in new platform. 

     

    use case 2:

    ELB has to distribute the load across available policy servers, to do that it has to do a health check.

     

    Please suggest, how external load balancer can receive status of policy server ?

     

    please suggest.



  • 2.  Re: CA Single Sign On 12.8 Health Check options

    Broadcom Employee
    Posted Oct 05, 2018 09:30 AM

    Have you considered monitoring the health of the Policy Server using OneView monitor?

     

    https://docops.ca.com/ca-single-sign-on/12-52-sp1/en/installing/oneview-monitor



  • 3.  Re: CA Single Sign On 12.8 Health Check options

    Posted Oct 05, 2018 11:28 AM

    Another option would be the SNMP protocol support in the Policy Server if they have a third party Network Monitoring Tool.

     

    Install and Configure SNMP Support - CA Single Sign-On - 12.8 - CA Technologies Documentation 



  • 4.  Re: CA Single Sign On 12.8 Health Check options

    Broadcom Employee
    Posted Oct 05, 2018 11:30 AM

    Sasi,

     

    Below articles will give you details of setting up Load Balancer between Agent and Policy servers.

     

    Configure Agent to Policy Server Communication Using a Hardware Load Balancer - CA Single Sign-On - 12.8 - CA Technologi… 

     

    https://search.ca.com/assets/SiteAssets/TEC511443_External/TEC511443.pdf 

     

     

    Hope this helps !

     

    Regards

    Ashok



  • 5.  RE: Re: CA Single Sign On 12.8 Health Check options

    Posted Nov 02, 2022 11:03 AM
    Is that pdf still accessible https://search.ca.com/assets/SiteAssets/TEC511443_External/TEC511443.pdf ? I am not able to access it. 


  • 6.  Re: CA Single Sign On 12.8 Health Check options

    Posted Oct 05, 2018 12:25 PM

    Use Case 2 : ELB has to distribute the load across available policy servers, to do that it has to do a health check.

     

     

    This is my first recommendation always.

     

    However if we choose to go down the path of using a ELB, then here is what I recommend based on experience.

     

    • TCP OPEN, no way - because this will generate handshake errors on Policy Server. I would recommend that this be specifically mentioned in the documentation that not recommended.
    • TCP Half is recommended. But this does not tell you in any way is the Policy Server heavily loaded OR lighted loaded. It only tells you if the Policy Server is up and running.
    • ICMP - not recommended.
    • SNMP - Yes. 
    • The recommendations in TEC511443 (Ashok provided) is good, but the KEY element is you have to determine the Response Times based on results and also this does not tell you the Throughput. <SNIP> The ideal load balancer health check against a SiteMinder Policy Server exercises the Policy Server’s ability to service Agent API requests—isProtected, Authenticate and Authorize—and measures Policy Server response time. </SNIP>

     

     

    Regards

    Hubert



  • 7.  Re: CA Single Sign On 12.8 Health Check options

    Posted Oct 08, 2018 10:36 PM

    Thank you all for your input. we have decided to install webagent on policy server and make a request to protected resource from ELB.

     

    When we are doing this, we have realized two issues.

     

    1. calling protected resource from ELB enables the healthcheck on policy server status (available or not available). I suspect, how we can get the CPU status of each policy server.

     

    2. Installed apache & WA, however when I was running webagent from systemctl LLAWP process failed to start due to siteminder load module in httpd.conf file. do we have any handy on auto start-up script for webagent process ? 

     

    Thank you.



  • 8.  Re: CA Single Sign On 12.8 Health Check options

    Posted Oct 08, 2018 11:07 PM

    Regarding-1 : how we can get the CPU status of each policy server? 

    ELB cannot monitor the CPU of a backend server. ELB can monitor latency's based on Responses and take actions. It seems like ELB pretty much does Round Robin only for TCP listeners on Classic LB. You'll need an external tool to monitor backend servers.

    Amazon provides something called 'CloudWatch' which can monitor all the components E2E.

    Elastic Load Balancing Latency Troubleshooting  

    https://forums.aws.amazon.com/thread.jspa?threadID=58796  

    CloudWatch Metrics for Your Classic Load Balancer - Elastic Load Balancing  

    Elastic Load Balancing Capacity Troubleshooting  

    How Elastic Load Balancing Works - Elastic Load Balancing  

     

    Regarding-2 : when I was running webagent from systemctl LLAWP process failed to start due to siteminder load module in httpd.conf file.

    CA SSO WebAgent LoadModule in httpd.conf is correct. What was the error you received in apache error logs? I would recommend you spin a different discussion for this. Rather than adding too many discussions in one thread here.

     

     

    Regarding-3 : do we have any handy on auto start-up script for webagent process.

    Since CA SSO WebAgent LoadModule is added in httpd.conf, when Apache starts, during that time LLAWP would also start. In reality you need to configure AutoStart for the WebServer. The WebAgent is configured with WebServer.

     

    Regards

    Hubert