We have a 4-node JBoss cluster in a production environment, with IDM 14.4 deployed on RHEL 8.x servers. We recently discovered that changes made on one node are not reflected when we log in to the other nodes. For example, when an admin role is enabled or disabled, the change is applied on the node we are currently connected to, but when we log in to the other nodes it does not show up. Only restarting all IDM nodes makes the change take effect.
Release: 14.4
Component: IdentityMinder (Identity Manager)
The issue started after applying some penetration test fixes recommended by Red Hat. We reverted the following penetration test fixes and cache replication is working fine now. For cache replication to work we needed to re-enable the non-SSL port 8080 and remove the JSESSIONID cookie security. We do, however, need to make it work over the SSL port and with JSESSIONID security enabled.
These are the two changes recommended by Red Hat that caused IM to stop updating its cache across the cluster:
1. Disable the plain HTTP listener: <http-listener name="default" socket-binding="http" enabled="false" max-parameters="5000" redirect-socket="https" enable-http2="true"/>
2. Mark the session cookie HttpOnly and Secure: <session-cookie http-only="true" secure="true"/>
Red Hat Support provided a configuration solution:
The issue was that SSL was not configured for the JMS transport. The process is documented in the link below.
All components need to be SSL-enabled once you block the HTTP port 8080 and secure the JSESSIONID cookie: the client-to-server connection, the JMS transport that carries the cache updates between nodes, management console access, etc. We were missing SSL on the JMS transport.
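To catch this mismatch in a standalone.xml before rolling the hardening out, here is an added audit script; it is not from this article, from Broadcom or from Red Hat Support. It assumes the JBoss EAP 7 / WildFly layout in which the messaging-activemq subsystem's `http-acceptor` rides on an Undertow listener and its `http-connector` references a socket-binding; the XML fragment, the namespace versions and the element names for IDM's own JMS wiring are constructed for illustration and may differ in a real deployment.

```python
"""Audit a JBoss EAP / WildFly standalone.xml for the mismatch in the article: web tier
forced to HTTPS while the JMS transport used for cache replication still rides on plain HTTP.
Assumption: CA IDM's JMS wiring uses the WildFly undertow / messaging-activemq elements."""
import xml.etree.ElementTree as ET
def _local(tag):  # '{urn:jboss:domain:undertow:12.0}http-listener' -> 'http-listener'
    return tag.rsplit('}', 1)[-1]

def audit_tls_consistency(xml_text):
    """Return a list of findings; an empty list means web and JMS transports are consistent."""
    root, listeners, secure_cookie = ET.fromstring(xml_text), {}, False
    for el in root.iter():
        tag = _local(el.tag)
        if tag in ('http-listener', 'https-listener'):  # name -> (is_tls, is_enabled, binding)
            listeners[el.get('name')] = (tag == 'https-listener',
                                         el.get('enabled', 'true') == 'true', el.get('socket-binding'))
        elif tag == 'session-cookie' and el.get('secure') == 'true':
            secure_cookie = True
    # The hardened state from the article: no enabled plain listener and/or Secure cookies.
    tls_only_web = secure_cookie or not any(on and not tls for tls, on, _ in listeners.values())
    plain_bindings = {sb for tls, _, sb in listeners.values() if not tls}
    findings = []
    for el in root.iter():
        tag, name = _local(el.tag), el.get('name')
        if tag == 'http-acceptor':  # JMS acceptor is attached to an Undertow listener by name
            ref = el.get('http-listener')
            tls, on, _ = listeners.get(ref, (False, False, None))
            if not on:
                findings.append(f"JMS acceptor '{name}' rides on listener '{ref}', which is disabled or missing")
            elif tls_only_web and not tls:
                findings.append(f"JMS acceptor '{name}' uses plain listener '{ref}' while the web tier is TLS-only")
        elif tag in ('http-connector', 'remote-connector') and tls_only_web:
            if el.get('socket-binding') in plain_bindings:
                findings.append(f"JMS connector '{name}' targets plain socket-binding '{el.get('socket-binding')}'")
    return findings
# Constructed fragment with the article's two hardening changes; JMS wiring is parameterised.
SAMPLE = """<server>
 <subsystem xmlns="urn:jboss:domain:undertow:12.0"><server name="default-server">
  <http-listener name="default" socket-binding="http" enabled="false" redirect-socket="https"/>
  <https-listener name="https" socket-binding="https" security-realm="ApplicationRealm"/>
 </server><servlet-container name="default"><session-cookie http-only="true" secure="true"/></servlet-container></subsystem>
 <subsystem xmlns="urn:jboss:domain:messaging-activemq:13.0"><server name="default">
  <http-connector name="http-connector" socket-binding="{binding}" endpoint="http-acceptor"/>
  <http-acceptor name="http-acceptor" http-listener="{listener}"/>
 </server></subsystem>
</server>"""
BROKEN = SAMPLE.format(listener='default', binding='http')  # the state the article ran into
FIXED = SAMPLE.format(listener='https', binding='https')    # JMS moved onto the TLS listener

if __name__ == '__main__':
    for label, cfg in (('broken', BROKEN), ('fixed', FIXED)):
        print(label, audit_tls_consistency(cfg) or ['consistent'])
```

Run it against the real standalone.xml of each cluster node; any finding means the JMS side will silently stop replicating once the plain listener goes away, which matches the symptom described above.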