Access Gateway (SPS) implementing health check for load balancer

book

Article ID: 51347

calendar_today

Updated On:

Products

CA Single Sign On Secure Proxy Server (SiteMinder) CA Single Sign On SOA Security Manager (SiteMinder) CA Single Sign-On

Issue/Introduction

 

Implementing a local keep alive ping for the load balancer to
determine if the SPS server is active and available.

The best solution for a keep alive ping is to have a request that goes
through the SPS server and also hits the backend application. If that
returns correctly then you have tested the complete path and not just
the availability of the SPS server itself.

Nevertheless you can implement pages that will be served locally from
the SPS server itself by using JkUnMount:

Edit httpd.conf file adding:

  JkUnMount /SPStest/forms/*.html ajp13

Will ensure files matching that pattern, are not passed onto the
servlet engine for processing but are handled locally by the Apache
httpd process.

 

Resolution

 

Disclaimer:
----------

  Siteminder doesn't support serving Local Content from the Access
  Gateway. Support will not troubleshoot issues involving local content
  served from the Access Gateway.

  Per the Documentation, the Access Gateway does not serve local
  content (1). Please refer to the "Limitations" section.

----------

The requirement was to have a local page on the SPS server than the
front end lod balancer can use to determine if the SPS server is
listening. This page is also used as a manual switch, by the client
renaming it to another name to quickly drop one SPS server out of the
cluster.

Originally the client was using alive.fcc page, which can se served
locally, but while that does work to determine if the machine is
alive, the alive.fcc page is cached on first access attempt in the
webagent portion of the SPS server, and renaming the alive.fcc page to
not-alive.fcc would not make the page unavailable since the server
would continue to reply with the cached version.

Nevertheless, you can implement resources to be served locally from
the Apache httpd portion of the SPS server, and this can be useful in
some circumstances to serve unprotected content such as images
directly from the SPS server.

The JkMount/JkUnMount commands in the httpd.conf file can be used to
determine which content is passed onto the secure-proxy/tomcat server
and which content is served locally via the Apache httpd server e.g.:

  JkUnMount /SPStest/forms/*.html ajp13

In this case, for this particular client:

Adding HTML page alive.html under

/netegrity/secure-proxy/httpd/htdocs/SPStest/forms/alive.html

     <html>      
     <head>    
     <title>SiteMinder Alive Page</title>    
     </head>    
     </html>
     


and added JkUnMount entry in httpd.conf file as:

  JkUnMount /SPStest/forms/*.html ajp13
  


The commands:

  wget http://localhost/SPStest/forms/alive.html
  wget http://www.sample.com/SPStest/forms/alive.html


  
Will now get the file alive.html locally from the SPS machine, and can
be used by the load balancer as a quick test to determine if the SPS
server is alive. But just to stress again, this is not a complete
solution, as to use this you would need to also be monitoring the
backend service with its own keep alive ping.

Note: Depending upon your circumstances, the best solution for a keep
alive ping is usually to have a request that goes through the SPS
server and also hits the backend application. If that returns
correctly then you have tested the complete access path and not just
the availability of the SPS server itself.

 

Additional Information

 

(1)

    Product Limitations

      - Access Gateway does not support local content. The ability to place
 content on Access Gateway is not exposed, and Access Gateway does
 not support proxy rules for providing access to local content.

    https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/implementing/implementing-access-gateway/access-gateway-architecture-introduced.html#concept.dita_f4090d50c168423afe767733be987fb7d882ec35_ProductLimitations