Sun Java System Access Manager Policy Agent 2.2 Guide for IBM WebSphere Portal Server 6.0

Procedure: To Enable Failover in J2EE Agents

  1. Provide a list of Access Manager authentication services URLs that may be used by the agent to authenticate users who do not have sufficient credentials to access the protected resources.

    Configure the following property to create the list:

    com.sun.identity.agents.config.login.url

    You may specify more than one login URL as follows:

    com.sun.identity.agents.config.login.url[0] = primary-AM-server

    com.sun.identity.agents.config.login.url[1] = failover-AM-server1

    com.sun.identity.agents.config.login.url[2] = failover-AM-server2

    primary-AM-server

    Represents the URL of the primary Access Manager instance to which users are redirected for authentication.

    failover-AM-server1

    Represents the URL of the Access Manager instance to which users are redirected for authentication if the primary Access Manager instance fails.

    failover-AM-server2

    Represents the URL of the Access Manager instance to which users are redirected for authentication if the primary Access Manager instance fails and the first failover Access Manager instance fails.

    If a URL list is provided to this property, com.sun.identity.agents.config.login.url, the agent first tries to establish a connection to the first server (primary-AM-server) specified in the URL list. If the agent is successful in establishing this connection, it redirects the user to the Access Manager instance for authentication.

  2. (Optional) Turn prioritization on for the failover lists by setting the following property to true:

    com.sun.identity.agents.config.login.url.prioritized

    Note –

    Setting this property to true turns prioritization on for the login URL list and the CDSSO URL list. The two cases shown in this step specifically mention the login URL list. However, this explanation of prioritization is exactly the same for the CDSSO URL list. The final step in this procedure describes how to create the CDSSO URL list in case such a scenario applies to your site's deployment.


    The following cases describe the behavior of the agent in different situations: when you turn on prioritization and when you do not turn on prioritization for the login URL list.

    Case 1: com.sun.identity.agents.config.login.url.prioritized = true

    A value of true means that priority is established for the login URL list described in Step 1. The list was created by configuring the following property:

    com.sun.identity.agents.config.login.url

    Therefore, the first URL on the list, abbreviated here as .url[0], has a higher priority than .url[1], and .url[1] has a higher priority than .url[2], and so on. If the server (primary-AM-server) specified in this example as the value for .url[0] is running, the agent sends all requests to this server only. However, if primary-AM-server fails, subsequent requests are sent to the server (failover-AM-server1) associated with .url[1]. Furthermore, if at some point primary-AM-server comes back, subsequent requests from that point on are sent to primary-AM-server again, since it takes priority over failover-AM-server1. This mechanism always fails back to the highest-priority Access Manager instance among the instances that are running at the point in time the agent must redirect a request.

    Case 2: com.sun.identity.agents.config.login.url.prioritized = false

    In this case, no server takes priority over another. Failover occurs in a round-robin fashion. If all the servers are running, the agent sends requests to the server (primary-AM-server) associated with .url[0]. If primary-AM-server goes down, all subsequent requests are sent to the server (failover-AM-server1) associated with .url[1]. The agent keeps sending requests to failover-AM-server1 until that server goes down, even if primary-AM-server comes back in the meantime. If failover-AM-server1 does go down, the agent routes all subsequent requests to the server (failover-AM-server2) associated with .url[2] until it goes down. If it goes down, the agent tries to connect to primary-AM-server once again. Assuming that by then primary-AM-server is running, all subsequent requests are sent to primary-AM-server. This is a simple round-robin mechanism without any priority involved.

  3. Provide a list of Access Manager Naming Service URLs that the agent may use to obtain the various other service URLs needed to serve the logged-on user.

    This can be done by using the following property:

    com.iplanet.am.naming.url

    More than one naming service URL may be specified as a space delimited list of URLs. The following example illustrates this idea:

    com.iplanet.am.naming.url = primary-AM-server failover-AM-server1

  4. (Conditional) If the deployment consists of an agent instance that is on a different domain than multiple Access Manager instances for which you want to enable failover, provide a URL list of the remote Access Manager instances.

    Configure the following property to create the list:

    com.sun.identity.agents.config.cdsso.cdcservlet.url[]

    Specify more than one CDSSO URL in the following manner:

    com.sun.identity.agents.config.cdsso.cdcservlet.url[0] = primary-remoteAM-server

    com.sun.identity.agents.config.cdsso.cdcservlet.url[1] = failover-remoteAM-server1

    com.sun.identity.agents.config.cdsso.cdcservlet.url[2] = failover-remoteAM-server2
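The following added example (not code from the Sun documentation or from the agent itself) models the two behaviours described in Step 2 so the difference can be checked on a request sequence: with prioritization on, the agent fails back to the highest-priority running server; with it off, the agent stays on whichever server it is currently using until that server fails, then advances through the list and wraps around. The availability probe, the `simulate` helper and the outage sequences are constructed assumptions; the real agent decides reachability by attempting a connection.

```python
# Added example: a model of login URL selection for the
# com.sun.identity.agents.config.login.url list under both settings of
# com.sun.identity.agents.config.login.url.prioritized.
# The is_up probe is a constructed stand-in for the agent's connection attempt.

class LoginUrlSelector:
    """Chooses which Access Manager login URL the agent redirects a user to."""

    def __init__(self, urls, prioritized, is_up):
        self.urls = list(urls)          # .url[0], .url[1], ... in list order
        self.prioritized = prioritized  # value of ...login.url.prioritized
        self.is_up = is_up              # callable url -> bool (constructed probe)
        self.current = 0                # index used by the round-robin case only

    def select(self):
        if self.prioritized:
            # Case 1: walk the list from the top every time, so a recovered
            # higher-priority server is used again as soon as it is running.
            for url in self.urls:
                if self.is_up(url):
                    return url
            return None
        # Case 2: keep using the current server until it is down, then move
        # to the next entry; after the last entry, try .url[0] again.
        for _ in range(len(self.urls)):
            url = self.urls[self.current]
            if self.is_up(url):
                return url
            self.current = (self.current + 1) % len(self.urls)
        return None  # every server in the list is down


def simulate(prioritized, outages):
    """Process one request per entry of outages, where outages[i] is the set
    of servers that are down for request i. Returns the URL chosen each time."""
    urls = ["primary-AM-server", "failover-AM-server1", "failover-AM-server2"]
    state = {"down": set()}
    selector = LoginUrlSelector(urls, prioritized, lambda u: u not in state["down"])
    chosen = []
    for down in outages:
        state["down"] = set(down)
        chosen.append(selector.select())
    return chosen


if __name__ == "__main__":
    # Constructed scenario: primary fails for two requests, then recovers.
    outages = [set(), {"primary-AM-server"}, {"primary-AM-server"}, set()]
    print("prioritized=true :", simulate(True, outages))
    print("prioritized=false:", simulate(False, outages))
```

With the same outage sequence, the prioritized case returns to primary-AM-server on the last request while the round-robin case stays on failover-AM-server1.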