Enable distributed cache and session affinity when using Secure Conversation
WebSphere Application Server provides message-level protection in a cluster environment. We can use Web Services Secure Conversation (WS-SecureConversation) for message-level protection of Java API for XML Web Services 2.0 (JAX-WS) Web services in a cluster environment.
A web services request that is protected with a Security Context Token (SCT) is routed to one server in a cluster, but that SCT might have been issued or renewed by a different server in the cluster. If the WAS distributed cache is not configured to replicate or does not replicate quickly enough, the server processing the request might not have access to the SCT. The task steps described in this topic need to be performed only if the replication setting for cluster members is set to asynchronous update for the Web Services Security distributed cache.
For more information on cache update settings, read the topic Enabling the distributed cache using synchronous update and token recovery. We can also enable the Web Services Security distributed cache with the default setting, which enables synchronous update of cluster members.
Perform the following high-level steps to enable distributed cache and session affinity when using secure conversation for message-level protection in a cluster environment.
- Enable the distributed cache for the Security Context Token.
  - In the console for WebSphere Application Server, click Services > Security cache.
  - Select the Enable distributed caching check box.
  - Click the radio button to select Asynchronous update of cluster members.
  - Click Apply and then click Save to save the configuration.
- Create a replication domain. Perform the following steps:
  - In the Administrative Console, click Environment > Replication domains > New.
  - Enter a name. For example, ABCDomain.
  - Under Number of replicas, select the Entire Domain option.
  - Click OK and then click Save to save the configuration.
- Enable the dynamic cache. Perform the following steps for each server in the cluster:
  - In the Administrative Console, click Servers > Server Types > WebSphere application servers > server_name > Container Services > Dynamic Cache Service.
  - Select the Enable cache replication option.
  - Select the replication domain name created. For example, ABCDomain.
  - Select the replication type as Both push and pull.
  - Click OK and then click Save to save the configuration.
- Optional: Change the distributed cache batch update interval. By default, the distributed cache batch update interval is 1,000 milliseconds. However, we can set this interval to a value that is less than 1,000 milliseconds. To change the value...for each server in the cluster:
  - In the Administrative Console, click Servers > Server Types > WebSphere application servers > server_name > Java and Process Management > Process Definition > Java Virtual Machine > Custom Properties > New.
  - Enter the com.ibm.ws.cache.CacheConfig.batchUpdateInterval property name.
  - Enter the property value.
  - Click OK and then click Save to save the configuration.
- Install a web server or proxy server that supports session affinity. The IBM HTTP Server and WebSphere Application Server proxy server support session affinity. In the WAS Information Center, read the topic "Communicating with Web servers" for information on installing and configuring the IBM HTTP Server.
- Configure the client systems to send the web services requests to the host and port where the web server or proxy server is running. The web server or proxy server then routes the requests to the proper cluster member.
- On the services that are receiving the web services requests, which are protected by using Web Services Secure Conversation, select the HTTP transport Session enabled policy option. Complete the policy set configuration by following these steps:
  - Add the HTTP Transport policy to the policy set that is being used by the services.
  - In the configuration panel for the HTTP Transport policy, select Session enabled.
  - Click OK and then click Save to save the configuration.
- On the client systems that are sending the web services requests and are protected by Secure Conversation, enable the HTTP transport Maintain session property. Complete the policy set configuration or set the property programmatically. To configure the property with a policy set:
  - Add the HTTP Transport policy to the policy set that is being used by the clients.
  - At the HTTP Transport policy configuration panel, select the Session enabled option.
  - Click OK and then click Save to save the configuration.
Results
After the configurations are completed, the distributed cache and session affinity are enabled for secure conversation in a cluster environment. If the server processing the request does not have access to the SCT, it fails the request with the error "Either null SCT or invalid SCT".
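The following added example (written for this page, not IBM or WebSphere code) models in Python why a request can reach a cluster member that does not yet hold the SCT under asynchronous update, and how session affinity or a shorter batch update interval avoids the error. The Cluster class, the scenario function, and the server, session and token names are hypothetical, and replication is assumed to take one full batch update interval.

```python
# Simplified model of the cluster, constructed for illustration; not WebSphere code.
ERROR = "Either null SCT or invalid SCT"  # error text quoted on this page

class Cluster:
    def __init__(self, names, batch_update_interval_ms=1000):
        self.caches = {n: set() for n in names}  # member name -> SCT ids it holds
        self.names = list(names)
        self.interval = batch_update_interval_ms
        self.pending = []    # (due_ms, sct) waiting for the next batch push
        self.now = 0         # simulated clock in milliseconds
        self.affinity = {}   # session id -> member, as kept by the web/proxy server
        self.cursor = 0      # round-robin position for requests without a session

    def advance(self, ms):
        """Move the clock forward and replicate every batch that is now due."""
        self.now += ms
        for due, sct in [p for p in self.pending if p[0] <= self.now]:
            for cache in self.caches.values():
                cache.add(sct)
        self.pending = [p for p in self.pending if p[0] > self.now]

    def route(self, session):
        """With a session, stick to one member; without one, round-robin."""
        if session in self.affinity:
            return self.affinity[session]
        member = self.names[self.cursor % len(self.names)]
        self.cursor += 1
        if session is not None:
            self.affinity[session] = member
        return member

    def issue_sct(self, sct, session=None):
        member = self.route(session)
        self.caches[member].add(sct)
        # Assumption: peers receive the token one full interval later (worst case).
        self.pending.append((self.now + self.interval, sct))
        return member

    def request(self, sct, session=None):
        member = self.route(session)
        return member, ("OK" if sct in self.caches[member] else ERROR)

def scenario(use_affinity, delay_ms, interval_ms=1000):
    """Issue an SCT, wait delay_ms, then send one request protected by it."""
    cluster = Cluster(["server1", "server2"], interval_ms)
    session = "client-A" if use_affinity else None
    issuer = cluster.issue_sct("sct-1", session)
    cluster.advance(delay_ms)
    return (issuer,) + cluster.request("sct-1", session)
```

Each call to scenario returns the issuing member, the member that handled the follow-up request, and the outcome, so the effect of affinity and of the batch update interval can be compared directly.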
Example
The following code snippet demonstrates how to programmatically set the Maintain session property on the correct JAX-WS object:

    import java.util.Map;
    import javax.xml.ws.BindingProvider;
    ...
    // Maintain the HTTP session across requests so that session affinity can be applied.
    Map<String, Object> rc = ((BindingProvider) port).getRequestContext();
    ...
    rc.put(BindingProvider.SESSION_MAINTAIN_PROPERTY, Boolean.TRUE);
    ...
Related concepts
Web Services Secure Conversation
Related tasks
Enable the distributed cache using synchronous update and token recovery
Implement a web server plug-in