Autoscaling on Access Gateway Servers

Article ID: 194925

Products

CA Single Sign On Secure Proxy Server (SiteMinder), CA Single Sign On Agents (SiteMinder), CA Single Sign On Federation (SiteMinder), CA Single Sign On SOA Security Manager (SiteMinder), SITEMINDER

Issue/Introduction

We wanted to know if we can implement auto-scaling on the Access Gateway servers.

We are currently using the SPS servers with Microsoft Azure Cloud.

Environment

Release : 12.6

Component : SITEMINDER -WEB AGENT FOR APACHE

Resolution

We do not offer specific support for Azure and auto-scaling. Implementation is usually handled by services, not support. SiteMinder only cares about the operating system, not the hardware, appliance or cloud platform it is running on.

However, it should work. Depending on what you are doing, there may be some issues that need to be taken into consideration. When the agents start up, they connect to the policy server, have to download ACOs, and have yet to start caching, so transactions on a newly spun-up instance will always be slower than on already active agents for the first few seconds to minutes. This is heavily dependent on your implementation, and support cannot really provide proper implementation advice on this. Personally (this is not Broadcom policy), I would suggest, if possible, keeping one (or more) instances active beyond what you require for the anticipated load, which would give other instances more time to spin up, or somehow doing load balancing so that newly spun-up instances are not hit by a huge load immediately after spinning up.

In essence, SiteMinder is doing more than an Apache instance. It connects to the policy server, which then potentially has to read policy servers and user directories, read and write to session stores, etc. This takes time until caching starts having an effect.

You would need a way of scripting smreghost to register the host you are spinning up.

https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-52-01/administrating/register-a-trusted-host-using-the-smreghost-registration-tool.html
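One way to script the registration at instance boot, as an added example that is not Broadcom's code: the smreghost flags are the ones in the documentation linked above, while the function names, the `SMREGHOST` override, the `SM_*` variables and every path or address are assumptions of this example.

```shell
#!/bin/sh
# Added example, not Broadcom's code. All values passed in are placeholders.

# Trusted host names must be unique, so derive one per instance from its
# hostname, replacing characters outside a conservative set.
trusted_host_name() {
  printf '%s-%s' "$1" "$(printf '%s' "$2" | tr -c 'A-Za-z0-9._-' '_')"
}

# register_host PW_FILE POLICY_SERVER ADMIN HOST_NAME HCO SMHOST_CONF
# Returns 0 on success or if already registered, 2 on bad arguments,
# 3 if the password file is missing or accessible to group/other.
register_host() {
  [ "$#" -eq 6 ] || return 2
  for v in "$@"; do [ -n "$v" ] || return 2; done
  pw_file=$1 conf=$6
  # A non-empty SmHost.conf means this instance registered on an earlier boot.
  [ -s "$conf" ] && return 0
  case "$(ls -ld "$pw_file" 2>/dev/null)" in
    -???------*) ;;   # regular file with no group/other permission bits
    *) echo "register_host: $pw_file must exist with mode 0600 or stricter" >&2
       return 3 ;;
  esac
  # -p puts the password on the command line, where it can appear in the
  # process list while the tool runs: use a least-privileged administrator.
  # -o overwrites a trusted host of the same name (instance names get reused).
  # SMREGHOST is a hypothetical override for the binary path; the default
  # assumes smreghost is on PATH with the agent environment already loaded.
  "${SMREGHOST:-smreghost}" -i "$2" -u "$3" -p "$(cat "$pw_file")" \
    -hn "$4" -hc "$5" -f "$conf" -o
}

# Boot-time entry point: runs only when the (hypothetical) SM_* variables
# have been provided by the image or the scale-set configuration.
if [ -n "${SM_POLICY_SERVER:-}" ]; then
  register_host "${SM_PW_FILE:-/etc/sm/reg.pw}" "$SM_POLICY_SERVER" \
    "$SM_ADMIN" "$(trusted_host_name sps "$(hostname)")" \
    "$SM_HCO" "$SM_HOST_CONF"
fi
```

Trusted host entries of instances that were scaled in stay on the policy server until removed, so pair this with a cleanup step when instances are decommissioned.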

See the following for an explanation of how the shared secret is generated:

https://community.broadcom.com/communities/community-home/digestviewer/viewthread?MID=803540