Policy Server health checks supports from a load balancer
Article ID: 227672

Products

  - CA Single Sign On Federation (SiteMinder)
  - SITEMINDER
  - CA Single Sign On Agents (SiteMinder)

Issue/Introduction

 

When running a Web Agent behind a load balancer:

  - How does the SiteMinder Web Agent connect to Policy Servers?
  - What protocol does it use?
  - What kind of health-check monitoring can be performed from the
    load balancer?

 

Resolution

 

The communication protocol between the Web Agent and the Policy Server
is proprietary (1).

The encryption algorithms it uses depend on the FIPS mode selected at
the Policy Server level (2).

Load balancing at the Web Agent level is based on the response time
measured for each Policy Server.

To see that activity, enable the additional trace components on the
Web Agent (3).

Reading the documentation further, load balancing and failover are not
monitoring features but performance and availability ones.

Load balancing is based on "server response time", and failover on
"the number of available servers" (4).

Regarding TCP monitoring, the same page states:

  "Do not configure a TCP heartbeat or health-check directly against
   the Policy Server TCP ports. Heartbeats and health-checks that are
   applied directly against the TCP ports of the Policy Server can
   adversely affect its operation (4)."

As per the documentation, use OneView Monitor to monitor the Policy
Server cluster (5)(6).

So, to prevent a Web Agent or Web Agent Option Pack from connecting to
a Policy Server that is up and running with its ports open, but is
failing to send the expected responses, detect the errors on both
sides with OneView Monitor (described above) in conjunction with APM,
and then take the Policy Server that is experiencing problems
offline (7).
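As an added example (not from this article or the SiteMinder product), the following Python sketches the decision logic the Resolution describes: a Policy Server whose OneView Status is not Active is taken out of rotation, while rising Web Agent communication-error counters are flagged for correlation with APM. The dict layout is an assumption; only the metric names come from the OneView Monitor documentation cited below.

```python
# Added example, not from the Broadcom article or the SiteMinder product:
# decide which Policy Servers a load balancer should drop from rotation using
# OneView Monitor-style data instead of probing the Policy Server TCP ports.
# The dict layout is an assumption; only the metric names (Status,
# AuthorizeErrors, IsProtectedErrors, LoginErrors, AuthorizeFailures) come
# from the OneView Monitor documentation quoted in the article.

# Web Agent counters that indicate a Web Agent <-> Policy Server
# communication failure. AuthorizeFailures is excluded on purpose: it counts
# users lacking privileges, which says nothing about Policy Server health.
COMM_ERROR_COUNTERS = ("AuthorizeErrors", "IsProtectedErrors", "LoginErrors")


def comm_error_delta(prev: dict, cur: dict) -> int:
    """Increase of the cumulative communication-error counters between polls."""
    return sum(max(0, cur.get(k, 0) - prev.get(k, 0)) for k in COMM_ERROR_COUNTERS)


def evaluate(policy_servers: dict, agents_prev: dict, agents_cur: dict,
             error_threshold: int = 5) -> dict:
    """policy_servers: name -> OneView Status ("Active" or "Inactive").
    agents_prev/agents_cur: agent name -> counter dict from two successive polls.
    Returns Policy Servers to take offline and Web Agents whose rising error
    counters need correlation with APM to find the Policy Server at fault."""
    # Inactive means the Policy Server missed the monitor's heartbeat interval.
    offline = [ps for ps, status in sorted(policy_servers.items())
               if status != "Active"]
    investigate = []
    for agent in sorted(agents_cur):
        delta = comm_error_delta(agents_prev.get(agent, {}), agents_cur[agent])
        if delta >= error_threshold:
            investigate.append((agent, delta))
    return {"offline": offline, "investigate": investigate}


# Constructed sample data: two consecutive polls of a two-node cluster.
POLICY_SERVERS = {"ps01": "Active", "ps02": "Inactive"}
AGENTS_PREV = {
    "agent-web1": {"AuthorizeErrors": 2, "IsProtectedErrors": 0,
                   "LoginErrors": 1, "AuthorizeFailures": 40},
    "agent-web2": {"AuthorizeErrors": 0, "IsProtectedErrors": 0,
                   "LoginErrors": 0, "AuthorizeFailures": 10},
}
AGENTS_CUR = {
    "agent-web1": {"AuthorizeErrors": 6, "IsProtectedErrors": 3,
                   "LoginErrors": 1, "AuthorizeFailures": 90},
    "agent-web2": {"AuthorizeErrors": 1, "IsProtectedErrors": 0,
                   "LoginErrors": 0, "AuthorizeFailures": 60},
}
RESULT = evaluate(POLICY_SERVERS, AGENTS_PREV, AGENTS_CUR)
```

In the constructed data, agent-web2's large jump in AuthorizeFailures is ignored because it reflects denied users, not a broken Policy Server; only ps02 (Inactive) and agent-web1 (7 new communication errors) are reported.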

 

Additional Information

 

(1)

    Policy server and Web Agent communication protocol in use

      Siteminder Policy Server to Web Agent communication is secured using
      Siteminder proprietary key(Session Key).

    https://knowledge.broadcom.com/external/article?articleId=41714

(2)

    Encryption algorithm in traffic between Policy Servers and Web Agents

      The encryption for communication between the Web Agent and Policy
      Server is proprietary and depends on the FIPS mode you use (1).

    https://knowledge.broadcom.com/external/article?articleId=139417

(3)

    Web Agent traces configuration for connection and clustering information
    https://knowledge.broadcom.com/external/article?articleId=116285

(4)

    Clustering Policy Servers

      Load balancing and failover in a CA Single Sign-On deployment provide
      a high level of system availability and improve response time by
      distributing requests from CA Single Sign-On Agents to Policy Servers.

      Policy Server clusters provide the following benefits over a
      traditional load balancing/failover scheme:

      - Load is dynamically distributed between Policy Servers in a
        cluster based on server response time.

      - A cluster can be configured to failover to another cluster when
        the number of available servers in the cluster falls below a
        configurable threshold.

    https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/administrating/clustering-policy-servers.html

(5)

    Configure a Policy Server as a Centralized Monitor for a Cluster

      The OneViewMonitor can be configured to monitor a Policy Server
      cluster.

    https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/administrating/clustering-policy-servers.html

(6)

    Use OneView Monitor to Analyze Performance

      The CA Single Sign-On OneView Monitor identifies performance
      bottlenecks and provides information about resource usage in a CA
      Single Sign-On deployment. It also displays alerts when certain
      events, such as component failure, occur. It does this by collecting
      operational data from the following CA Single Sign-On components:

      - Policy Server
      - CA Single Sign-On Web Agent

      [...]

      OneView Monitor data can be accessed from a Web browser, or from a
      third-party SNMP monitoring application.

      Policy Server Data

      Status

      Status of the Policy Server. The status can be Active or Inactive.

      Inactive status indicates that there was no interaction between
      the Policy Server and the monitor for a specified period of
      time. The period of time is determined by the heartbeat interval.

      Web Agent Data

      AuthorizeErrors

      Number of errors that occurred during authorization attempts made
      by this Web Agent. An error indicates a communication failure
      between the Web Agent and Policy Server during an authorization
      call.

      AuthorizeFailures

      Number of failed authorization attempts. An authorization attempt
      fails when a user lacks sufficient privileges to access a
      resource.

      IsProtectedErrors

      Number of times an error has occurred when the Web Agent asks the
      Policy Server whether or not a resource is protected. An error
      indicates a communication failure between the Web Agent and the
      Policy Server.

      LoginErrors

      Number of errors that occurred during login attempts. An error
      indicates a communication failure between the Web Agent and the
      Policy Server.

    https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/administrating/use-oneview-monitor-to-analyze-performance.html

(7)

    CA APM SSO Features
    https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-identity-and-access-management/apm-for-ca-sso/13-0/getting-started/ca-apm-sso-features.html