The agent supports basic failover. If the primary Access Manager instance for which the agent has been configured becomes unavailable, the agent switches to the next Access Manager instance specified in the J2EE agent AMAgent.properties configuration file. To set this up, perform the following steps.
1. Provide a list of Access Manager authentication service URLs that the agent can use to authenticate users who do not have sufficient credentials to access the protected resources.
Configure the following property to create the list:
com.sun.identity.agents.config.login.url
You may specify more than one login URL as follows:
com.sun.identity.agents.config.login.url[0] = primary-AM-server
com.sun.identity.agents.config.login.url[1] = failover-AM-server1
com.sun.identity.agents.config.login.url[2] = failover-AM-server2
primary-AM-server: Represents the URL of the primary Access Manager instance to which users are redirected for authentication.
failover-AM-server1: Represents the URL of the Access Manager instance to which users are redirected for authentication if the primary Access Manager instance fails.
failover-AM-server2: Represents the URL of the Access Manager instance to which users are redirected for authentication if the primary Access Manager instance fails and the first failover Access Manager instance fails.
If a URL list is provided to this property, com.sun.identity.agents.config.login.url, the agent first tries to establish a connection to the first server (primary-AM-server) specified in the URL list. If the agent is successful in establishing this connection, it redirects the user to the Access Manager instance for authentication.
2. (Optional) Turn prioritization on for the failover lists by setting the following property to true:
com.sun.identity.agents.config.login.url.prioritized
Setting this property to true turns prioritization on for the login URL list and the CDSSO URL list. The two cases shown in this step specifically mention the login URL list. However, this explanation of prioritization is exactly the same for the CDSSO URL list. The final step in this procedure describes how to create the CDSSO URL list in case such a scenario applies to your site's deployment.
The following cases describe the behavior of the agent in different situations: when you turn on prioritization and when you do not turn on prioritization for the login URL list.
Case 1: com.sun.identity.agents.config.login.url.prioritized = true
A value of true means that priority is established for the login URL list described in Step 1. The list was created by configuring the following property:
com.sun.identity.agents.config.login.url
Therefore, the first URL on the list, which is abbreviated here as .url[0], has a higher priority than .url[1], and .url[1] has a higher priority than .url[2], and so on. If the server (primary-AM-server) specified in this example as the value for .url[0] is running, the agent sends all requests to this server only. However, if primary-AM-server fails, from that point on, subsequent requests are sent to the server (failover-AM-server1) associated with .url[1]. Furthermore, if at some point primary-AM-server comes back, then the subsequent requests from that point on are sent to primary-AM-server, since it takes priority over failover-AM-server1. This mechanism always fails back to the highest priority Access Manager instance among the Access Manager instances that are running at the point in time the agent must redirect requests to an Access Manager instance.
Case 2: com.sun.identity.agents.config.login.url.prioritized = false
In this case, no server takes priority over another. Failover occurs in a round-robin fashion. If all the servers are running, the agent sends requests to the server (primary-AM-server) associated with .url[0]. If primary-AM-server goes down, then all subsequent requests are sent to the server (failover-AM-server1) associated with .url[1]. The agent keeps sending the requests to failover-AM-server1 unless that server goes down. If failover-AM-server1 does go down, then the agent routes all the subsequent requests to the server (failover-AM-server2) associated with .url[2] until it goes down. If it goes down, the agent tries to connect to primary-AM-server once again. Assuming that by then the primary-AM-server is running, all the subsequent requests from then on are sent to primary-AM-server. This is a simple round-robin mechanism without any priority involved.
3. Provide a list of Access Manager Naming Service URLs that the agent can use to obtain the various other service URLs that may be needed to serve the logged-on user.
This can be done by using the following property:
com.iplanet.am.naming.url
More than one naming service URL may be specified as a space-delimited list of URLs. The following example illustrates this idea:
com.iplanet.am.naming.url = primary-AM-server failover-AM-server1
4. (Conditional) If the deployment consists of an agent instance that is on a different domain than multiple Access Manager instances for which you want to enable failover, provide a URL list of the remote Access Manager instances.
Configure the following property to create the list:
com.sun.identity.agents.config.cdsso.cdcservlet.url
Specify more than one CDSSO URL in the following manner:
com.sun.identity.agents.config.cdsso.cdcservlet.url[0] = primary-remoteAM-server
com.sun.identity.agents.config.cdsso.cdcservlet.url[1] = failover-remoteAM-server1
com.sun.identity.agents.config.cdsso.cdcservlet.url[2] = failover-remoteAM-server2
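
The selection behavior described in Case 1 and Case 2 (which applies equally to the CDSSO URL list), modeled as an added Python example that is not part of the original documentation or the agent's own code. The `LoginUrlSelector` class, the `is_up` probe, and the outage timeline are hypothetical; only the server names come from the page.

```python
# Added illustration: models the redirect-target selection rules from
# Case 1 (prioritized = true) and Case 2 (prioritized = false).
# Server names are the page's placeholders; the timeline is constructed.
SERVERS = ["primary-AM-server", "failover-AM-server1", "failover-AM-server2"]


class LoginUrlSelector:
    """Hypothetical model of how the agent picks a login URL."""

    def __init__(self, urls, prioritized):
        self.urls = list(urls)
        self.prioritized = prioritized
        self.current = 0  # index of the server used for the last redirect

    def select(self, is_up):
        """Return the URL to redirect to, or None if every server is down.

        is_up is a hypothetical availability probe: callable(url) -> bool.
        """
        count = len(self.urls)
        # Prioritized: rescan from the top on every request, so the agent
        # fails back as soon as a higher-priority server is running again.
        # Not prioritized: stay on the current server and only move to the
        # next one (wrapping around) when the current server is down.
        start = 0 if self.prioritized else self.current
        for offset in range(count):
            index = (start + offset) % count
            if is_up(self.urls[index]):
                self.current = index
                return self.urls[index]
        return None


def replay(prioritized, timeline):
    """Replay a list of 'servers down at this request' sets."""
    selector = LoginUrlSelector(SERVERS, prioritized)
    return [selector.select(lambda url, down=down: url not in down)
            for down in timeline]


# Constructed outage timeline: the set of servers down at each request.
TIMELINE = [
    set(),                                           # all running
    {"primary-AM-server"},                           # primary fails
    set(),                                           # primary recovers
    {"failover-AM-server1"},                         # failover1 fails
    {"failover-AM-server1", "failover-AM-server2"},  # both failovers down
    set(),                                           # all running again
]

if __name__ == "__main__":
    for flag in (True, False):
        print("prioritized =", flag, "->", replay(flag, TIMELINE))
```

At the third request the two modes diverge: with prioritization the redirect returns to primary-AM-server as soon as it recovers, while without it the agent stays on failover-AM-server1 until that server itself goes down.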