Configuring WebSEAL in a highly available environment

When you are working in an environment with multiple IBM Security Access Manager for Mobile servers, you can configure WebSEAL for failover and high availability.

About this task

You can configure the WebSEAL junction and Runtime Security Services External Authorization Service (RTSS EAS) to take advantage of the IBM Security Access Manager for Mobile high availability.

Figure 1 depicts an environment where WebSEAL is configured to use two IBM Security Access Manager for Mobile servers, MGA_1 and MGA_2. For high availability, you can configure a stateful junction to each available IBM Security Access Manager for Mobile appliance. You can also include each server in the RTSS EAS configuration.

Figure 1. WebSEAL client in an environment with multiple IBM® Security Access Manager for Mobile servers

The isamcfg tool is provided with IBM Security Access Manager for Mobile. You must run this configuration tool to configure each WebSEAL instance for use with the IBM Security Access Manager for Mobile appliance. This tool sets up a single junction server and configures the RTSS EAS to point to a single appliance.

If you have more than one IBM Security Access Manager for Mobile appliance, you need to manually configure the additional servers.

Procedure

  1. For each IBM Security Access Manager for Mobile appliance, include a server entry in the [rtss-cluster:<cluster>] stanza in the WebSEAL configuration file (for example, webseald-default.conf).
    [rtss-cluster:cluster1]
    server = 9,https://9.48.167.40:443/rtss/authz/services/AuthzService
    server = 9,https://9.48.167.117:443/rtss/authz/services/AuthzService
    Note:
    • The first parameter in each entry is the priority of the server in the cluster. Set the priority of your servers as appropriate to your environment. Using a priority of 9 for all servers evenly distributes the load and switches between the available appliances.
    • The second parameter is a well-formed Uniform Resource Locator (URL) for the runtime security services on the appliance. Use the IP address of the application interface on the IBM Security Access Manager for Mobile appliance.
  2. Use the pdadmin utility to add extra servers to the junction.
    pdadmin sec_master> server task default-webseald-test.ibm.com add -h 9.48.167.40 -p 443 /mga
    pdadmin sec_master> server task default-webseald-test.ibm.com add -h 9.48.167.117 -p 443 /mga
    Note:
    • You must replace all example values in these commands with values that are appropriate to your environment.
    • The first parameter in this server task command is the fully qualified name of the WebSEAL server. For example, default-webseald-test.ibm.com.
    • The -h option specifies the IBM Security Access Manager for Mobile appliance that you want to add to the junction. Use the IP address of the application interface on the target appliance.
    • The isamcfg tool creates an SSL junction by default. Therefore, when you are adding servers to this junction, use the SSL port number 443.
    • By default, the isamcfg tool creates a junction that is called /mga. This default value is used in the example commands.
  3. For secure communication between WebSEAL and the appliance, ensure that trusted certificates are used. WebSEAL must trust the certificates that are presented by IBM Security Access Manager for Mobile. To establish this trust, you can use a common certificate authority (CA) that is trusted in your environment or you can configure WebSEAL to trust each individual certificate.

    Similarly, for client certificate authentication, IBM Security Access Manager for Mobile must trust the certificates that are presented by WebSEAL.

  4. To configure failover between junctioned servers, set the use-new-stateful-on-error stanza entry to yes for the stateful junction to the appliance. That is, update the use-new-stateful-on-error entry in the [junction:/mga] stanza in the WebSEAL configuration file, where /mga is the name of the junction. The isamcfg tool creates a junction that is called /mga by default, but this name is configurable.

    If a stateful junction becomes unavailable when this value is set to yes, WebSEAL fails over to a different server. For example, if the stateful junction to MGA_1 in Figure 1 becomes unavailable, WebSEAL fails over to MGA_2.
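The following is an added example, not part of the IBM documentation or the isamcfg tool: a small Python check that reads a WebSEAL configuration fragment and verifies the high-availability settings from steps 1 and 4, namely that the [rtss-cluster:<cluster>] stanza lists at least two server entries, each in the form <priority>,<https-URL>, and that use-new-stateful-on-error is set to yes in the [junction:/mga] stanza. The sample configuration strings are constructed from the values in the procedure; the cluster name cluster1 and junction name /mga are the page's defaults and are parameters here.

```python
"""Check a WebSEAL configuration fragment for the RTSS EAS cluster and
stateful-junction failover settings described in the procedure.
Added example; the configuration text below is constructed, not captured
from a real appliance."""
from urllib.parse import urlparse

# Constructed sample matching the two appliances used in the procedure.
SAMPLE_CONF = """\
[rtss-cluster:cluster1]
server = 9,https://9.48.167.40:443/rtss/authz/services/AuthzService
server = 9,https://9.48.167.117:443/rtss/authz/services/AuthzService

[junction:/mga]
use-new-stateful-on-error = yes
"""

# Constructed weak configuration: one plaintext RTSS server, failover disabled.
WEAK_CONF = """\
[rtss-cluster:cluster1]
server = 9,http://9.48.167.40:80/rtss/authz/services/AuthzService

[junction:/mga]
use-new-stateful-on-error = no
"""


def parse_stanzas(text):
    """Parse a WebSEAL-style stanza file into {stanza: [(key, value), ...]}.
    Duplicate keys are kept in order, because `server` appears once per appliance
    (configparser would reject or collapse them)."""
    stanzas = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, [])
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        stanzas[current].append((key.strip(), value.strip()))
    return stanzas


def check_rtss_cluster(stanzas, cluster="cluster1"):
    """Return problems with the [rtss-cluster:<cluster>] server entries."""
    problems = []
    entries = [v for k, v in stanzas.get(f"rtss-cluster:{cluster}", []) if k == "server"]
    if len(entries) < 2:
        problems.append(
            f"rtss-cluster:{cluster} lists {len(entries)} server(s); need at least 2 for failover"
        )
    for entry in entries:
        priority, sep, url = entry.partition(",")
        # Expected shape: <priority>,<url>  e.g. 9,https://host:443/rtss/...
        if not sep or not priority.strip().isdigit():
            problems.append(f"malformed server entry (expected <priority>,<url>): {entry}")
            continue
        parsed = urlparse(url.strip())
        # The EAS sends authorization requests here; require TLS and a host.
        if parsed.scheme != "https" or not parsed.hostname:
            problems.append(f"server URL is not a well-formed https URL: {url.strip()}")
    return problems


def check_junction_failover(stanzas, junction="/mga"):
    """Return problems with failover settings in the [junction:<junction>] stanza."""
    values = dict(stanzas.get(f"junction:{junction}", []))
    if values.get("use-new-stateful-on-error", "").lower() != "yes":
        return [f"[junction:{junction}] use-new-stateful-on-error is not yes; WebSEAL will not fail over"]
    return []


def check_ha_config(text, cluster="cluster1", junction="/mga"):
    """Run both checks over a configuration fragment; empty list means OK."""
    stanzas = parse_stanzas(text)
    return check_rtss_cluster(stanzas, cluster) + check_junction_failover(stanzas, junction)


if __name__ == "__main__":
    for name, conf in (("sample", SAMPLE_CONF), ("weak", WEAK_CONF)):
        problems = check_ha_config(conf)
        print(f"{name}: {'OK' if not problems else 'PROBLEMS'}")
        for p in problems:
            print("  -", p)
```

To run it against a live file, pass the contents of webseald-default.conf (or the instance's own configuration file) to check_ha_config and adjust the cluster and junction names to match the ones isamcfg created in your environment.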