Understand and configure simple failover with static load balancing in SCSP

Article ID: 157179

Products

Critical System Protection

Issue/Introduction

You would like to know how to configure load balancing or failover in SCSP.

Resolution

Content:

■ About simple failover
■ How simple failover works
■ About the fail back interval
■ Specifying the management server list for an agent
■ Configuration
 
About simple failover
Symantec Critical System Protection includes simple failover. Should the primary management server fail, simple failover lets agents automatically switch to the next management server in an ordered list of alternate servers.
 
Simple failover enables you to deploy a set of front-end Tomcat servers without reconfiguring your IT infrastructure. The ordered list of management server host names or IP addresses is maintained by the Symantec Critical System Protection agent configuration.
 
Another use for simple failover is static load balancing. With static load balancing, you manually assign a set of agents to each Tomcat server. Each agent can fail over to a different Tomcat server if its primary server becomes inaccessible.
 
How simple failover works
 
Simple failover works as follows:
 
■ When the IPS Service starts up, it uses the first server in the ordered list of management servers. The first server in the ordered list is considered the primary management server; the remaining servers are alternate servers. The IPS Service uses server #1 as long as communication with the server is successful.
■ At startup, the IPS Service always uses the first server in the ordered list of management servers, regardless of which server was in use when the IPS Service was shut down.
■ When the ordered list of management servers changes, the IPS Service immediately attempts to connect to the first server in the new list.
■ When communication with a server fails, the IPS Service uses the next server in the ordered list of management servers. When communication with the last server fails, the IPS Service uses the first server in the list. The IPS Service loops through the ordered list of management servers indefinitely.
■ When the IPS Service switches to a new management server, it logs the action.
■ Once the IPS Service fails away from the first server in the ordered list, it periodically checks if server #1 is back, based on the fail back interval. See “About the fail back interval”.
■ When the fail back interval expires, the IPS Service checks if server #1 is available. If server #1 is available, the IPS Service starts using it immediately. If server #1 is not available, the IPS Service continues to use the current alternate server; the IPS Service does not traverse the entire ordered list of management servers.
 
 
Simple failover with static load balancing works as described in the following example:
 
1. Suppose you have two Tomcat servers pointing to a single database, and two agents.
2. You initially configure Agent1 with a management server list of Tomcat1, Tomcat2. You initially configure Agent2 with a management server list of Tomcat2, Tomcat1.
3. After installation completes, Agent1 should be talking to Tomcat1, and Agent2 should be talking to Tomcat2.
4. Take Tomcat1 off the network.
5. Agent1 should fail talking to Tomcat1 and switch to Tomcat2. Now both agents are talking to Tomcat2.
6. Put Tomcat1 back on the network.
7. Wait longer than the fail back interval.
8. Agent1 should fail back to Tomcat1. Agent2 continues to use Tomcat2. Everything is back to the initial state; both agents should be communicating successfully with their original Tomcat servers.
 
About the fail back interval
 
Once an agent fails away from the first server in an ordered list, the agent periodically checks if the first server is back. The agent uses a fail back interval to determine when to perform this server check. By default, the agent performs the server check every 60 minutes.
 
For example, suppose you configured three management servers. The primary server #1 and alternate server #2 have failed; alternate server #3 is working. When the fail back interval expires, the agent checks if server #1 is available. If server #1 is available, the agent immediately starts using server #1. If server #1 is not available, the agent continues to use server #3; it does not recheck the ordered list of servers. The agent resets the fail back interval, so it can perform future server checks.
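
The selection rules from "How simple failover works" and the fail back check described above, modelled as a small Python simulation. This is an added example, not Symantec code: the class and method names are hypothetical, time is counted in minutes, the agent is assumed to make one communication attempt per minute, and the fail back timer is assumed to start when the agent first leaves server #1.

```python
class FailoverAgent:
    """Toy model of the server-selection rules above; time is in minutes."""

    def __init__(self, servers, fail_back=60):
        self.fail_back = fail_back
        self.log = []                      # (minute, old server, new server, reason)
        self.set_servers(servers)

    def set_servers(self, servers):
        """Startup or list change: always begin with the first server."""
        if not servers:
            raise ValueError("management server list must not be empty")
        self.servers, self.index, self.next_check = list(servers), 0, None

    @property
    def current(self):
        return self.servers[self.index]

    def _switch(self, index, now, reason):
        self.log.append((now, self.current, self.servers[index], reason))
        self.index = index
        if index == 0:
            self.next_check = None         # back on server #1, no timer needed
        elif self.next_check is None:
            self.next_check = now + self.fail_back  # assumed: timer starts on leaving #1

    def poll(self, now, reachable):
        """One communication attempt; returns the server to use for the next one."""
        if self.index != 0 and now >= self.next_check:
            if self.servers[0] in reachable:            # probe server #1 only
                self._switch(0, now, "fail back")
            else:
                self.next_check = now + self.fail_back  # reset the interval
        if self.current not in reachable:               # failed: next server, wrapping
            self._switch((self.index + 1) % len(self.servers), now, "failover")
        return self.current


def static_lb_scenario():
    """Constructed timeline: Tomcat1 is off the network for minutes 10 to 19."""
    a1 = FailoverAgent(["Tomcat1", "Tomcat2"])
    a2 = FailoverAgent(["Tomcat2", "Tomcat1"])
    seen = []
    for now in range(130):
        up = {"Tomcat2"} if 10 <= now < 20 else {"Tomcat1", "Tomcat2"}
        seen.append((a1.poll(now, up), a2.poll(now, up)))
    return a1, a2, seen
```

In this constructed timeline Tomcat1 is reachable again at minute 20, yet Agent1 stays on Tomcat2 until the fail back check at minute 70, so both agents load a single Tomcat server for the whole interval.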
 
Specifying the management server list for an agent
 
To use simple failover for an agent, you must provide the list of primary and alternate management servers using one of the following methods:
■ If you are installing Symantec Critical System Protection for the first time, you can provide the list of primary and alternate management servers during agent installation.
■ If you are upgrading to Symantec Critical System Protection 5.1.1 or higher, you provide the list of primary and alternate management servers using the CSP_Agent_Diagnostics detection policy or the agent config tool.
 
To use simple failover, you must upgrade the management server, management console, and agent to version 5.1.1 or higher.
 
The primary and alternate management server host names or IP addresses configured for a single agent must be Tomcat servers that talk to a single Symantec Critical System Protection database. Using multiple databases can result in unexpected agent behavior.
The primary and alternate management servers must use the same server certificate and agent port.
 
Configuration
 
Once your first SCSP Management Server and database are running, install the second SCSP Management Server with the Tomcat component only. If the second SCSP Management Server has already been installed, you will most likely have to reinstall it to reach the installation option that lets you choose the Tomcat component only, as shown in the screenshot below:
Installing Tomcat component only
 
This production installation option installs only the Tomcat component. You can use this option to point multiple Tomcat servers to a single management server database on a dedicated system.
The Tomcat only option is useful if you want to create a set of identical Tomcat servers for load balancing or failover.
 
The Tomcat only option requires that you provide the file path to the following files from an installed management server:
 
■ server.xml file
■ server-cert.ssl
 
These files are located in the default management server installation directory:
 
C:\Program Files\Symantec\Critical System Protection\Server\server-cert.ssl
C:\Program Files\Symantec\Critical System Protection\Server\tomcat\conf\server.xml
 
******************************************************************************************************************************
Note: If the management server database is on a Tomcat system instead of a dedicated system, you must specify the real IP (not localhost) for the initial installation.
It means that you might have to edit the exported server.xml file and change the hostname/[email protected] of the database server.
******************************************************************************************************************************
 
To install Tomcat component only
 
1. Insert and display the installation CD, and then double-click server.exe.
2. In the Welcome panel, click Next.
3. In the License Agreement panel, select I accept the terms in the license agreement, and then click Next.
4. In the Installation Type panel, click Production Installation, and then click Install Tomcat component ONLY.
5. In the Installation Type panel, specify the file paths to server.xml and server-cert.ssl from an installed management server, and then click Next.
6. In the Destination Folder panel, change the folder if necessary, and then click Next.
   The directory name must contain printable ASCII characters only. Multibyte, double-byte, hi-ASCII and non-printable ASCII characters are not supported.
7. In the Service User Configuration panel, do one of the following:
   ■ Click Use Local System Account, and then click Next.
   ■ Click Use an alternate Account, type a user name in the Username box using <domain>\<username> format, type the same password in the Password boxes, and then click Next.
8. In the Ready to Install the Program panel, click Install.
9. When the InstallShield Wizard Completed panel appears, click Finish.