Replicating front-end WebSEAL servers

In a heavy load environment, it is advantageous to replicate front-end WebSEAL servers to provide better load-balancing and fail-over capability. When replicating front-end WebSEAL servers, each server must contain an exact copy of the Web space, the junction database, and the dynurl database.

This version of ISAM supports a manual configuration procedure to replicate front-end WebSEAL servers. The pdadmin command is no longer used for this task. In the following example, "WS1" is the host name of the primary WebSEAL server machine. "WS2" is the host name for the replica WebSEAL server machine.

1. Install and configure WebSEAL on both WS1 and WS2 server machines.

2. Use the pdadmin command, create a new object to be the root of the authorization space for both WebSEAL servers. For example:
   pdadmin> object create /WebSEAL/newroot "Description" 5 ispolicyattachable yes

3. Stop WebSEAL on WS1.

4. On WS1, change the value of the server-name stanza entry in the WebSEAL configuration file from "WS1" to "newroot":
   [server]
   server-name = newroot

5. Restart WebSEAL on WS1.

6. Repeat Steps 3-5 for WS2.

The WS1 and WS2 servers now use the object /WebSEAL/newroot as the base for authorization evaluations. Either the WS1 or the WS2 server can respond to object list and object show commands for objects located below /WebSEAL/newroot.

Use the following procedure when unconfiguring either WS1 or WS2:

Steps

1. Stop the WebSEAL server.

2. Change the value of the server-name stanza entry back to its original value. For example, for WS1:
   [server]
   server-name = WS1

3. Proceed with normal unconfiguration procedures.

Conditions:

• Unified object space management: Although a single object hierarchy is visible to the administrator, all replicated WebSEAL servers are affected by administration commands applied to that object hierarchy and all servers are able to respond to these commands.

• Unified authorization evaluation: Both WS1 and WS2 use /WebSEAL/newroot as the base for authorization evaluations.

• Unified configuration: For front-end WebSEAL replication to function correctly, the Web space, junction database, and dynurl database configuration must be identical on each server.

The above information replaces the former pdadmin server modify baseurl command, used in previous versions of ISAM.

Parent topic: Load balancing environments