Configure the non-sticky failover solution
The following configuration steps enable WebSEAL to reuse a client's original session ID to improve failover authentication response and performance in a non-sticky load-balancing environment. WebSEAL reuses the original session ID by storing the ID as an extended attribute to the failover cookie.
To include the user's original session ID in the failover cookie, set the failover-include-session-id stanza entry in the [failover] stanza of the WebSEAL configuration file to "yes":
[failover]
failover-include-session-id = yes
When we enable the non-sticky failover solution (failover-include-session-id = yes), configure the following four stanza entries correctly. WebSEAL reports a startup error and fails to start if any of these settings are incorrect:
Steps
- The non-sticky failover solution requires the use of the WebSEAL session cookie, rather than the SSL session ID, to maintain session state over HTTPS. Verify the ssl-id-sessions stanza entry in the [session] stanza of the WebSEAL configuration file is set to "no" (default):
[session]
ssl-id-sessions = no
- To encode the user's original session ID as an extended attribute in the failover cookie, set the tagvalue_failover_amweb_session_id stanza entry in the [failover-add-attributes] stanza of the WebSEAL configuration file to "add":
[failover-add-attributes]
tagvalue_failover_amweb_session_id = add
- When the user session is switched to another replica for the first time, WebSEAL (on that replica) must build a credential and session cache entry for the user, using the information contained in the failover cookie. To ensure the session ID (encoded in the failover cookie) is added to the user credential, set the tagvalue_failover_amweb_session_id stanza entry in the [failover-restore-attributes] stanza of the WebSEAL configuration file to "preserve":
[failover-restore-attributes]
tagvalue_failover_amweb_session_id = preserve
- The credential refresh feature allows us to update the contents of a user credential on demand by issuing a pdadmin command (see Credential refresh). To preserve the session ID attribute used in the non-sticky failover performance solution during a credential refresh, we must set the tagvalue_failover_amweb_session_id stanza entry in the [credential-refresh-attributes] stanza of the WebSEAL configuration file to "preserve":
[credential-refresh-attributes]
tagvalue_failover_amweb_session_id = preserve
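A pre-start check for the four entries listed above, as an added example that is not part of the original documentation or of any IBM tooling: it parses the text of a WebSEAL configuration file and reports every entry that conflicts with failover-include-session-id = yes. The function names and the sample configuration are constructed for illustration, and the parser assumes that "#" starts a comment line, that the last occurrence of a repeated entry wins, and that an absent failover-include-session-id means the feature is off.

```python
# Values required by the steps above when failover-include-session-id = yes.
REQUIRED = {
    ("session", "ssl-id-sessions"): "no",
    ("failover-add-attributes", "tagvalue_failover_amweb_session_id"): "add",
    ("failover-restore-attributes", "tagvalue_failover_amweb_session_id"): "preserve",
    ("credential-refresh-attributes", "tagvalue_failover_amweb_session_id"): "preserve",
}
# The page states "no" is the default for ssl-id-sessions, so it may be absent.
DEFAULTS = {("session", "ssl-id-sessions"): "no"}

def parse_stanzas(text):
    """Map (stanza, entry) -> value. Assumes '#' comment lines; last duplicate wins."""
    entries, stanza = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1].strip()
        elif stanza and "=" in line:
            key, value = line.split("=", 1)
            entries[(stanza, key.strip())] = value.strip().lower()
    return entries

def check_non_sticky_failover(text):
    """Return a list of findings; empty means the four entries are consistent."""
    entries = parse_stanzas(text)
    # Assumption: an absent failover-include-session-id means the feature is off.
    if entries.get(("failover", "failover-include-session-id")) != "yes":
        return []
    findings = []
    for (stanza, key), want in REQUIRED.items():
        got = entries.get((stanza, key), DEFAULTS.get((stanza, key)))
        if got != want:
            findings.append(f"[{stanza}] {key} is {got or 'not set'}, expected {want}")
    return findings

# Constructed sample: the restore stanza lacks the entry, and SSL IDs are enabled.
SAMPLE = """
[failover]
failover-include-session-id = yes
[session]
ssl-id-sessions = yes
[failover-add-attributes]
tagvalue_failover_amweb_session_id = add
[credential-refresh-attributes]
tagvalue_failover_amweb_session_id = preserve
"""
```

Calling check_non_sticky_failover(SAMPLE) returns two findings, one for ssl-id-sessions and one for the missing [failover-restore-attributes] entry; running the check on each replica's configuration before a restart catches the mismatch before WebSEAL fails to start.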