Specify back-end server UUIDs for stateful junctions

When a new junction is created to a back-end Web application server, WebSEAL normally generates a Unique Universal Identifier (UUID) to identify that back-end server. This UUID is used internally and also to maintain stateful junctions (create -s).

When the initial client request occurs, WebSEAL places a cookie on the client system containing the UUID of the designated back-end server. When the client makes future requests to the same resource, the cookie's UUID information ensures the requests are consistently routed to the same back-end server.

Figure 1. Stateful junctions use back-end server UUIDs
Stateful junctions use back-end server UUIDs

The handling of stateful junctions becomes more complex when there are multiple front-end WebSEAL servers junctioned to multiple back-end servers. Normally, each junction between a front-end WebSEAL server to a back-end server generates a unique UUID for the back-end server. This means that a single back-end server will have a different UUID on each front-end WebSEAL server.

Multiple front-end servers require a load balancing mechanism to distribute the load between the two servers. For example, an initial "state" could be established to a back-end server through WebSEAL server 1 using a specific UUID.

However, if a future request from the same client is routed through WebSEAL server 2 by the load balancing mechanism, the "state" will no longer exist, unless WebSEAL server 2 uses the same UUID to identity the same back-end server. Normally, this will not be the case.

The -u option allows us to supply the same UUID for a back-end server to each front-end WebSEAL server.

The -u option is also supported on virtual host junctions.

As an example, consider two replicated front-end WebSEAL servers, each with a stateful junction to two back-end servers. When we create the stateful junction between WebSEAL server 1 and back-end server 2, a unique UUID (UUID A) is generated to identify back-end server 2. However, when a stateful junction is created between WebSEAL server 2 and back-end server 2, a new and different UUID (UUID B) is generated to identify back-end server 2.

Figure 2. Dissimilar UUIDs
Dissimilar UUIDs

A "state" established between a client and back-end server 2, via WebSEAL server 1 will fail if a subsequent request from the client is routed through WebSEAL server 2.

In the following figure, back-end server 1 is known by both WebSEAL-1 and WebSEAL-2 as UUID 1. Back-end server 2 is known by both WebSEAL-1 and WebSEAL-2 as UUID 2.

Figure 3. Specifying back-end server UUIDs for stateful junctions
Specifying back-end server UUIDs for stateful junctions

Apply the following process for specifying a UUID during the creation of a junction:

Steps

  1. Create a junction from WebSEAL server 1 to each back-end server. Use create -s and add.
  2. List the UUID generated for each back-end server during step 1. Use show.

  3. Create a junction from WebSEAL server 2 to each back-end server and specify the UUIDs identified in Step 2. Use create -s -u and add -u.

Parent topic: Stateful junctions