Clustering Policy Servers

Load balancing and failover in a SiteMinder deployment provide a high level of system availability and improve response time by distributing requests from SiteMinder Agents to Policy Servers. Defining clusters in combination with load balancing and failover further enhances system availability and response time.
Traditional round robin load balancing without clusters distributes requests evenly over a set of servers. However, this method is not the most efficient in heterogeneous environments, where computing powers differ, because each server receives the same number of requests regardless of its computing power.
Another efficiency problem can occur when data centers are located in different geographical regions. Sending requests to servers outside a certain locale can lead to increased network communication overhead and, in some cases, to network congestion.
To address these issues and to improve system availability and response time, you can define a cluster of Policy Servers and associated SiteMinder Agents configured to perform (software-based) load balancing and failover.
Policy Server clusters provide the following benefits over a traditional load balancing/failover scheme:
  • Load is dynamically distributed between Policy Servers in a cluster based on server response time.
  • A cluster can be configured to failover to another cluster when the number of available servers in the cluster falls below a configurable threshold.
Policy Server clusters are not suitable or necessary for environments in which Policy Servers communicate with Agents through hardware load balancers.
The following figure illustrates a simple SiteMinder deployment using two clusters:
[Figure: Clustered Policy Servers - 12.8]
Consider Cluster A and Cluster B as distributed in two different geographical locations, separated by several time zones. By dividing the Web Agents and Policy Servers into distinct clusters, the network overhead involved with load balancing across geographically separate regions is only incurred if the Policy Servers in one of the clusters fail, requiring a failover to the other cluster.
Failover Thresholds
In any clustered SiteMinder environment, you must configure a failover threshold. When the number of available Policy Servers falls below the specified threshold, all requests that would otherwise be serviced by the failed Policy Server cluster are forwarded to another cluster.
The failover threshold is represented by a percentage of the Policy Servers in a cluster. For example, if a cluster consists of four Policy Servers, and the failover threshold for the cluster is set at 50%, when three of the four Policy Servers in the cluster fail, the cluster fails, and all requests fail over to the next cluster.
The default failover threshold is zero, which means that all servers in a cluster must fail before failover occurs.
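The threshold rule above, worked through as an added example (a model written for this page, not SiteMinder code). It assumes "falls below" is a strict comparison, as the four-server example implies, and that clusters are tried in list order; the class and function names are hypothetical, and the sample clusters are constructed.

```python
from dataclasses import dataclass

@dataclass
class Cluster:
    name: str
    servers: dict  # server label -> True if that Policy Server is available

def cluster_failed(cluster: Cluster, threshold_percent: int) -> bool:
    """True when the available share of servers is below the threshold."""
    if not 0 <= threshold_percent <= 100:
        raise ValueError("failover threshold must be 0-100 percent")
    total = len(cluster.servers)
    up = sum(1 for ok in cluster.servers.values() if ok)
    if up == 0:
        return True  # also covers the default threshold of 0
    # Integer comparison of up/total < threshold/100, avoiding float rounding.
    return up * 100 < threshold_percent * total

def select_cluster(clusters: list, threshold_percent: int):
    """Return the first cluster in list order that has not failed.

    Assumption: returns None if every cluster is below the threshold; the
    page does not describe that case.
    """
    for cluster in clusters:
        if not cluster_failed(cluster, threshold_percent):
            return cluster.name
    return None

def failures_to_trigger_failover(total: int, threshold_percent: int) -> int:
    """Smallest number of failed servers that makes a cluster fail over."""
    for down in range(1, total + 1):
        sample = make_cluster("sample", total, down)
        if cluster_failed(sample, threshold_percent):
            return down
    return total

def make_cluster(name: str, total: int, down: int) -> Cluster:
    """Constructed sample: `total` servers, the first `down` unavailable."""
    return Cluster(name, {f"{name}-ps{i}": i >= down for i in range(total)})

if __name__ == "__main__":
    for pct in (0, 50, 75, 100):
        print(pct, failures_to_trigger_failover(4, pct))
```

For a four-server cluster, this shows that a 50% threshold tolerates two failed servers, while the default of zero keeps all traffic on a single surviving server until it also fails.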
Hardware Load Balancing Considerations
If you are deploying a hardware load balancer between the SiteMinder Policy Server and Web Agents, consider the following:
  • Do not configure a TCP heartbeat or health-check directly against the Policy Server TCP ports. Heartbeats and health-checks applied directly against the TCP ports of the Policy Server can adversely affect its operation.
  • Design a comprehensive facility for the load balancer to test the operational health of the Policy Server.
  • Consider the impact of a single Policy Server configuration on the Web Agent failover algorithm as opposed to a multiple Policy Server configuration.
  • Consider performance and failure scenarios in Web Agent and Policy Server tuning and monitoring.
  • If the load balancer is configured to proxy Agent-to-Policy-Server connections, consider the timeouts and the socket states of the load balancer.
    For more information about deploying a hardware load balancer between Web Agents and Policy Servers, see the related Knowledge Base article (TEC511443) on the Support site.
Configure Policy Server Clusters
Policy Server clusters are defined as part of a Host Configuration Object. When a SiteMinder agent initializes, the settings from the Host Configuration Object are used to set up communication with Policy Servers.
Follow these steps:
  1. Click Infrastructure, Hosts, Host Configuration Objects.
  2. Click Create Host Configuration.
  3. In the Clusters section, click Add.
    The Cluster Setup section opens.
    Note: You can click Help for a description of fields, controls, and their respective requirements.
  4. Enter the IP address and the port number of the Policy Server in the Host and Port fields respectively.
  5. Click Add to Cluster.
    The Policy Server appears in the servers list in the Current Setup section.
  6. Repeat these steps to add other Policy Servers to the cluster.
  7. Click OK to save your changes.
    You return to the Host Configuration dialog. The Policy Server cluster is listed in a table.
  8. In the Failover Threshold Percent field, enter a percentage of the number of Policy Servers that must be active and click Apply.
    If the percentage of active servers in the cluster falls below the percentage you specify, the cluster fails over to the next available cluster in the list of clusters. This setting applies to all clusters that use the Host Configuration Object.
    The Policy Server specified in the Configuration Values section is overwritten by the Policy Servers specified in a cluster. This Policy Server is no longer used because a cluster is configured. For the value of the Policy Server parameter in the Configuration Values section to apply, do not specify any Policy Servers in a cluster. If clusters are configured, and you decide to remove the clusters in favor of a simple failover configuration, delete all Policy Server information from the cluster.
  9. Click Submit to save your changes.
Configure a Policy Server as a Centralized Monitor for a Cluster
The OneViewMonitor can be configured to monitor a Policy Server cluster. To enable this configuration, one Policy Server must be set up as a centralized monitor with the other clustered Policy Servers pointing to it.
Follow these steps:
  1. Start the Policy Server Management Console.
    On Windows Server, if User Account Control (UAC) is enabled, open the shortcut with Administrator permissions. Use Administrator permissions even if you are logged in to the system as an Administrator. For more information, see the release notes for your SiteMinder component.
  2. In the Settings tab, select Allow Incoming Remote Connections.
  3. Click OK to save your changes and close the Policy Server Management Console.
  4. Restart the OneView Monitor.
This setting allows the centralized Policy Server monitor to accept remote connections from the other clustered Policy Servers.
The network channel between a Policy Server and a Monitor process is non-secure.
After you configure a Policy Server as a centralized monitor, configure the Policy Server Management Console to point the other clustered Policy Servers to it.
Point Clustered Policy Servers to the Centralized Monitor
Follow these steps:
  1. For each Policy Server that will point to the monitoring service, open the Policy Server Management Console.
    On Windows Server, if User Account Control (UAC) is enabled, open the shortcut with Administrator permissions. Use Administrator permissions even if you are logged in to the system as an Administrator. For more information, see the release notes for your SiteMinder component.
  2. In the Settings tab, under OneView Monitor, select Connect to Remote Monitor.
  3. In the field below, enter the hostname and TCP port number of the system where the monitoring service is configured. For example, server.company.com:44449.
  4. Click OK to save your changes and close the Policy Server Management Console.
  5. Restart the Policy Server.