Symantec Access Management

  • 1.  Configure and handle High Availability in Siteminder: Best Practice

    Posted Sep 19, 2016 02:00 PM

    Hello.

     


    We have a lot of agents (1000) and 6 policy servers 12.52. For the moment all agents contact all policy servers and we haven't any cluster for the moment.
    I'd like to receive some tips, information and in general best practices about High Availability and clustering in a SSO (Siteminder) environment.

     

    Can you share your experience about how to handle HA in Siteminder? How did you configure your cluster, high availability of both policy servers and agents?
    Obviously I know how HCO, bootstrap and cluster work, but sharing experiences and configurations with other environments is important.
    The idea is to handle in a better/best way the resources of the infrastructure, the flow users-->agents-->policy servers, to avoid any fault in terms of availability of servers/resources and at the same time distribute the charge in a good way.

     

    Thanks.



  • 2.  Re: Configure and handle High Availability in Siteminder: Best Practice
    Best Answer

    Broadcom Employee
    Posted Sep 19, 2016 05:23 PM

    Hello,

     

    Most enterprise customers use clustered HCOs for the dynamic load balancing as well as high availability/failover.  

     

    In addition to setting up the clusters, it is important to assure that sufficient connections are configured on the policy servers.  For most web server types it is as simple as multiplying the number of web agent instances by the MaxSocketsPerPort setting in the HCO (for Apache servers still running in pre-fork mode, all HCO Port settings should be 1, and the max number of connections from these web agents will equal the MaxClients setting in Apache). On Unix policy server systems, assure that there are at least as many file descriptors available as configured policy server connections (each connection consumes a file descriptor).

     

    As you plan your environment, keep in mind that Siteminder is middleware, and thus depends on the various systems it ties together.  Things like the policy store and user stores can be points of failure and thus need to be as highly available as the Siteminder components themselves.

     

    -Pete 



  • 3.  Re: Configure and handle High Availability in Siteminder: Best Practice



  • 4.  Re: Configure and handle High Availability in Siteminder: Best Practice

    Broadcom Employee
    Posted Sep 23, 2016 02:41 PM

    Clustering on the agent side

    In the older style, each server listed is treated as its own cluster. If failover is checked, all requests go to the first server listed; if load balance is selected, requests are evenly distributed.

     

    [17731/57195376][Fri Sep 23 2016 14:45:39] policyserver='lodbl510vm039.ca.com,44441,44442,44443'.

    [17731/57195376][Fri Sep 23 2016 14:45:39] policyserver='10.130.158.146,44441,44442,44443'.

     

    In the new cluster configuration, all requests go to servers in the first cluster; requests are then load balanced within the cluster.  For failover, if the number of servers down in cluster 1 is over the failover threshold percent, failover occurs to cluster 2.

     

    [18106/81427312][Fri Sep 23 2016 14:49:51] cluster_1='2'.

    [18106/81427312][Fri Sep 23 2016 14:49:51] cluster_1='10.130.158.146,44443'.

    [18106/81427312][Fri Sep 23 2016 14:49:51] cluster_1='lodbl510vm039.ca.com,44443'.

    [18106/81427312][Fri Sep 23 2016 14:49:51] cluster_1='0'.

    [18106/81427312][Fri Sep 23 2016 14:49:51] cluster_2='2'.

    [18106/81427312][Fri Sep 23 2016 14:49:51] cluster_2='lodbl510vm039.ca.com,44443'.

    [18106/81427312][Fri Sep 23 2016 14:49:51] cluster_2='lodbl510vm039.ca.com,44443'.

    [18106/81427312][Fri Sep 23 2016 14:49:51] cluster_2='0'.
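
An added example, not part of the original posts and not CA/Broadcom code: a small Python audit that reads the `cluster_N` lines an agent logs at startup and flags entries that reduce real redundancy, such as a server listed twice in one cluster or a failover cluster that reuses a server from an earlier cluster. The function names are hypothetical, and it assumes that only `host,port` values are server entries.

```python
import re
from collections import defaultdict

# Cluster lines copied from the agent log in the post above.
SAMPLE_LOG = """\
[18106/81427312][Fri Sep 23 2016 14:49:51] cluster_1='2'.
[18106/81427312][Fri Sep 23 2016 14:49:51] cluster_1='10.130.158.146,44443'.
[18106/81427312][Fri Sep 23 2016 14:49:51] cluster_1='lodbl510vm039.ca.com,44443'.
[18106/81427312][Fri Sep 23 2016 14:49:51] cluster_1='0'.
[18106/81427312][Fri Sep 23 2016 14:49:51] cluster_2='2'.
[18106/81427312][Fri Sep 23 2016 14:49:51] cluster_2='lodbl510vm039.ca.com,44443'.
[18106/81427312][Fri Sep 23 2016 14:49:51] cluster_2='lodbl510vm039.ca.com,44443'.
[18106/81427312][Fri Sep 23 2016 14:49:51] cluster_2='0'.
"""

LINE_RE = re.compile(r"\]\s*cluster_(\d+)='([^']*)'\.\s*$")


def parse_clusters(log_text):
    """Map cluster number -> list of "host:port" entries, in logged order."""
    clusters = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        # Assumption: only host,port values are server entries; the bare numbers
        # ('2', '0') are other fields whose meaning the post does not state.
        if not m or "," not in m.group(2):
            continue
        host, port = m.group(2).rsplit(",", 1)
        clusters[int(m.group(1))].append(f"{host.strip().lower()}:{int(port)}")
    return dict(clusters)


def audit(clusters):
    """Return (cluster, issue, server) findings that reduce real redundancy."""
    findings, first_seen = [], {}
    for number in sorted(clusters):
        servers = clusters[number]
        for server in sorted(set(servers)):
            if servers.count(server) > 1:
                findings.append((number, "duplicate entry", server))
            if server in first_seen:
                findings.append((number, f"also in cluster_{first_seen[server]}", server))
            first_seen.setdefault(server, number)
        if len(set(servers)) == 1:
            findings.append((number, "only one distinct server", servers[0]))
    return findings


if __name__ == "__main__":
    for cluster, issue, server in audit(parse_clusters(SAMPLE_LOG)):
        print(f"cluster_{cluster}: {issue}: {server}")
```

The comparison is by the logged string only, so a host name and an IP address that resolve to the same machine are not detected as the same server.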