Chapter 4. Configuration and customization 151
3. Create a junction from WebSEAL server 2 to each back-end server and
specify the UUIDs identified in Step 2. Use create -s -u and add -u.
Handling an unavailable stateful server
You can use the use-new-stateful-on-error stanza entry in the [junction]
stanza of the WebSEAL configuration file to control how WebSEAL responds to a
stateful server that becomes unavailable.
• When use-new-stateful-on-error is set to yes and the original server becomes
unavailable during a session, WebSEAL directs the user's next request to a
new replica server on the same stateful junction. If a new replica server is
found on that stateful junction, and is responsive to the request, WebSEAL
sets a new stateful cookie on the user’s browser. Subsequent requests during
this same session are directed to this same new server.
• When use-new-stateful-on-error is set to no (the default, to keep compatibility
with previous versions) and the original server becomes unavailable during a
session, WebSEAL does not direct the user’s subsequent requests to a new
replica server on the same stateful junction. Instead, WebSEAL returns an
error and attempts to access the same server for subsequent requests by the
user during this session.
4.8.4 Junction throttling
High demand WebSEAL environments usually rely on server clusters made up of
multiple machines hosting replicated content and applications. A replica server
environment allows you to take individual servers offline to perform regular
maintenance. The network load is redistributed across the remaining replicas,
allowing the user experience to proceed without disruption.
Junction throttling allows you to gradually take a junctioned back-end Web server
offline without interrupting the transactions of users with existing sessions. The
throttling action on a junction is particularly useful for allowing stateful sessions,
such as shopping cart transactions, to continue until completed.
Junction throttling accomplishes the following actions:
• The throttled server continues to process current and subsequent requests
from users with sessions created before the throttle action was taken.
• The throttled server blocks all requests from unauthenticated users and new
authenticated users and directs these requests to other available replica
servers on the same junction.
• As the current users finish their sessions, the throttled server eventually
becomes idle and can be taken offline.
152 Certification Study Guide: IBM Tivoli Access Manager for e-business 6.0
• Junction throttling does not require you to stop WebSEAL and does not
interrupt user access to other junctioned Web servers.
The Access Manager provides commands to place junctioned servers in one of
three operational states:
Throttle: Server can only be used by users that logged in before throttle. It
shows as throttle and will show a "throttled at" timestamp. Only users that
have sessions that started before the throttle timestamp can access the server.
Offline: Server cannot be used at this time even if available. It shows as
offline.
Online: Server can be used, and shows as running if it is available.
Use of junction throttling with existing WebSEAL features
Junction throttling has an impact on the following WebSEAL functions:
• Failover authentication
Failover authentication transparently supports failed over sessions that
continue to use a throttled junction if the original session was created before
the junction was throttled. The session creation time is added as an attribute
to the failover cookie so it can be restored when a failover cookie is used to
authenticate. When the failover cookie is used for authentication, the session
creation time from the cookie is set for the newly created failover session.
• Session Management Server
Session Management Server makes the session creation time available to all
processes that are sharing the session. The session creation time is
important because only sessions created before a junction server is throttled
are allowed continued access to the throttled junction server.
• Re-authentication
Re-authenticated sessions are allowed continued access to a throttled
junction server if the sessions are initially created before the junction was
throttled. The additional effect of session lifetime extensions or resets can
make it difficult for you to determine when the throttled junction is truly idle.
• Switch user
When a switch user event occurs, a new session creation time is generated.
This new creation time is used to determine accessibility to a throttled junction
server. When the switch user logs out and returns to the original identity, the
original session creation time becomes effective again and is used to
determine accessibility to a throttled junction server.
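The routing rules described in this section, as an added example (a simplified Python model written for this page, not WebSEAL code or an IBM API). It shows how the session creation time, the throttle timestamp, and use-new-stateful-on-error together decide which replica serves a request. The names Server, can_use, route, and demo are hypothetical, and treating an offline server the same as an unavailable one is an assumption.

```python
from dataclasses import dataclass

@dataclass
class Server:
    uuid: str
    state: str = "online"        # "online", "throttle" or "offline"
    throttled_at: float = 0.0    # meaningful only when state == "throttle"
    available: bool = True       # does the back end answer requests?

def can_use(server, session_created):
    """Apply the three operational states to one request."""
    if server.state == "offline" or not server.available:
        return False
    if server.state == "throttle":
        # Refuse unauthenticated requests and sessions created after the throttle.
        return session_created is not None and session_created < server.throttled_at
    return True

def route(servers, session_created, cookie_uuid=None, use_new_stateful_on_error=False):
    """Return (serving_uuid, cookie_uuid); serving_uuid None models an error."""
    bound = next((s for s in servers if s.uuid == cookie_uuid), None)
    if bound is not None:
        if can_use(bound, session_created):
            return bound.uuid, cookie_uuid
        # Assumption: an offline server is handled like an unavailable one.
        down = bound.state == "offline" or not bound.available
        if down and not use_new_stateful_on_error:
            return None, cookie_uuid      # error; cookie still names the same server
    for s in servers:
        if s is not bound and can_use(s, session_created):
            return s.uuid, s.uuid         # new stateful cookie for the new replica
    return None, cookie_uuid

def demo():
    # Constructed sample: replica A throttled at t=100, replica B online.
    a, b = Server("uuid-A", state="throttle", throttled_at=100.0), Server("uuid-B")
    results = {
        "old_session": route([a, b], 50.0, "uuid-A"),
        "new_session": route([a, b], 150.0),
        "anonymous": route([a, b], None),
        "switch_user": route([a, b], 150.0, "uuid-A"),  # new creation time
    }
    a.available = False                   # A fails in the middle of a session
    results["fail_no"] = route([a, b], 50.0, "uuid-A")
    results["fail_yes"] = route([a, b], 50.0, "uuid-A", use_new_stateful_on_error=True)
    return results

if __name__ == "__main__":
    print(demo())
```

The fail_no case keeps returning an error for as long as replica A stays down, which matches the default behavior of use-new-stateful-on-error described earlier.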
