Clustered Policy Servers Introduced

Load balancing and failover in a
CA Single Sign-On
deployment provide a high level of system availability and improve response time by distributing requests from
CA Single Sign-On
Agents to Policy Servers. Defining clusters with load balancing and failover further enhance the level of system availability and system response time.
Traditional round robin load balancing without clusters distributes the requests evenly over a set of servers. However, this method is not the most efficient in heterogeneous environments. The computing powers differ, because each server receives the same number of requests regardless of its computing power.
Another problem with efficiency can occur when data centers are located in different geographical regions. Sending requests to servers outside a certain locale can lead to the increased network communication overhead, and sometimes to the network congestion.
To improve the system availability and response time, you can define a cluster of Policy Servers and associated
CA Single Sign-On
Agents that are configured to perform (software-based) load balancing and failover.
Policy Server clusters provide the following benefits over a traditional load balancing/failover scheme:
  • Load is dynamically distributed between Policy Servers in a cluster-based on server response time.
  • A cluster can be configured to failover to another cluster when the number of available servers in the cluster falls below a configurable threshold.
Policy Servers clusters are not suitable or necessary for environments in which Policy Servers communicate with Agents through hardware load balancers.
The following figure illustrates a simple
CA Single Sign-On
deployment using two clusters:
Diagram showing clustered policy servers.
Consider Cluster A and Cluster B as distributed in two different geographical locations, which are separated by several time zones. By dividing the Web Agents and Policy Servers into distinct clusters, the network overhead that is involved with load balancing is only incurred if the Policy Servers in one of the clusters fail, requiring a failover to the other cluster.
Failover Thresholds
In any clustered
CA Single Sign-On
environment, you must configure a failover threshold. When the number of available Policy Servers falls below the specified threshold, all requests that would otherwise be serviced by the failed Policy Server cluster are forwarded to another cluster.
The failover threshold is represented by a percentage of the Policy Servers in a cluster. For example, if a cluster consists of four Policy Servers, and the failover threshold for the cluster is set at 50 percent, when three of the four Policy Servers in the cluster fail, the cluster fails, and all requests failover to the next cluster.
The default failover threshold is zero, which means that all servers in a cluster must fail before failover occurs.
Hardware Load Balancing
If you are deploying a hardware load balancer between the
CA Single Sign-On
Policy Server and Web Agents, consider the following tips:
  • Do not configure a TCP heartbeat or health–check directly against the Policy Server TCP ports. Heartbeats and health–checks that are applied directly against the TCP ports of the Policy Server can adversely affect its operation.
  • Design a comprehensive facility for the load balancer to test the operational health of the Policy Server.
  • Consider the impact of a single Policy Server configuration on the Web Agent failover algorithm as opposed to multiple Policy Server configurations.
  • Consider performance and failure scenarios in Web Agent and Policy Server tuning and monitoring.
  • If the load balancer is configured to proxy Agent-to-Policy-Server connections, consider the timeouts and the socket states of the load balancer.
    To deploy a hardware load balancer between Web Agents and Policy Servers, see the related Knowledge Base article (TEC511443) on the Support site.