RSA ACE/Agent 5.0 for high ACE/Server availability
|Issue||How to control Agent Host load balancing manually|
How RSA ACE/Agents 5.0 for high availability perform load balancing
Creating sdopts.rec file
|Resolution||Automatic and Manual load balancing|
Using version 5.0 of the RSA ACE/Agent Authentication API, an RSA ACE/Agent can balance the load of authentication requests among Servers in the Local RSA ACE/Server realm either automatically (the default) or manually. As an Agent sends authentication requests to its Servers, it will send time requests at timed intervals to the Servers to determine their response times. The Server with the fastest response will receive authentication requests from the Agent more frequently than other Servers until the Agent polls the Servers again. This activity happens automatically, and allows the Agent to balance the load of authentication requests it handles by using the fastest responding Servers to service requests.
Now with RSA ACE/Agent 5.0, you can opt to specify which Servers the Agent uses to process requests, giving you greater control over the load balancing performed by the Agent API. You can prioritize Servers so some receive authentication requests from the Agent more frequently than other Servers do. You can also indicate additional firewall IP addresses to be used to contact Servers. Finally, you can specify an overriding IP address for the Agent Host if that host is a multi-homed server. These depend on settings that you specify in an optional, flat text file named sdopts.rec.
CREATING AND CONFIGURING AN SDOPTS.REC FILE
Use any text editor to create or modify an sdopts.rec file. After you set up the sdopts.rec file, save the file into the correct directory for your Agent Host platform. On Windows NT, store the file in %SYSTEMROOT%\system32. On UNIX, store the file in the /var/ace directory (or in the directory pointed to by the $VAR_ACE system variable).
To protect the file from unintended changes, change the permission settings on your sdopts.rec file so only administrators can modify it. Share the sdopts.rec file information for your Agent with the Server administrators, as they will want to know about increased demand made on the Servers because of Agent sdopts.rec settings. Each time you modify the sdopts.rec file, you must restart the Agent to acknowledge your changes.
NOTE: No more than 11 actual Server IP addresses should be specified concurrently by the sdconf.rec and sdopts.rec files. Make certain you specify IP addresses correctly in the sdopts.rec file.
You can place comments in the file if you begin each comment line with a semicolon. The file can contain the following keywords and values:
CLIENT_IP=ip_address: Specifies an overriding IP address for the Agent Host. The CLIENT_IP keyword can appear only once in the file.
USESERVER=ip_address, priority: Specifies a Server that can or will receive authentication requests from the Agent, depending on the specified value. Use one setting for each Server that the Agent will use, but list no more than 11 Servers in the file. Each USESERVER keyword value must contain the actual IP address of the Server. Do not specify an alias IP address in a USESERVER keyword value. In the USESERVER value, the actual Server IP address is separated by a comma from the assigned Server priority, which specifies whether or how often a Server will receive authentication requests. The priority value must be one of the following:
SERVER PRIORITY MEANINGS
Priority 2-10: Send authentication requests to this Server. The Agent sends requests to the specified Server using a randomized selection that is weighted according to the assigned priority of the Server. The range is from 2 to 10 (inclusive); the higher the priority value, the more requests are sent to the Server. A Priority 10 Server will receive about 24 times as many requests as a Priority 2 Server.
Priority 1: For emergency use only. Priority 1 Servers are used only if Servers of higher priority are unavailable.
Priority 0: A Priority 0 Server can only be used if the Server is one of the four Servers specified in the sdconf.rec file, and either the Priority 0 Server is used merely for the initial authentication of the Agent, or all Servers with priorities of 1-10 listed in the sdopts.rec file are known to the Agent to be unusable.
NOTE: Assigning a Priority of 0 doesn't prevent the agent from trying that server - it just makes it unlikely that the Agent will choose that server for an authentication. The server is still part of the load balancing logic and will be contacted occasionally to build the sdstatus.12 file.
To PREVENT an agent from trying to contact an authentication server in any way, use the following entry:
The AVOID option was incorporated in 5.0.3 build 1099. Any earlier kit or source code would not have this feature. AVOID and USESERVER cannot be used together in an sdopts.rec file.
You must assign a priority to each Server you specify using the USESERVER keyword or the Server entries in the file will be considered invalid. The IP addresses in the file are checked against the list of valid Servers the Agent receives as part of its initial authentication with RSA ACE/Server.
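The rules above can be checked before the Agent is restarted. The following lint is an added example, not RSA code: the function names and the sample addresses are constructed, and it assumes an AVOID entry is a line beginning with the keyword AVOID, since the entry itself is not shown here. It checks only the sdopts.rec text (not the combined sdconf.rec count) and leaves any other keyword alone.

```python
import ipaddress

def _is_ip(value):
    try:
        ipaddress.IPv4Address(value)
        return True
    except ValueError:
        return False

def lint_sdopts(text):
    """Return sorted (line_number, message) problems found in sdopts.rec text."""
    problems, client_ip, servers, avoid = [], [], [], []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(";"):        # blank line or comment
            continue
        key, _, value = (p.strip() for p in line.partition("="))
        if line.startswith("AVOID"):                # assumed spelling of the entry
            avoid.append(n)
        elif key == "CLIENT_IP":
            client_ip.append(n)
            if not _is_ip(value):
                problems.append((n, "CLIENT_IP is not a valid IP address"))
        elif key == "USESERVER":
            servers.append(n)
            ip, comma, prio = (p.strip() for p in value.partition(","))
            if not _is_ip(ip):
                problems.append((n, "USESERVER needs an actual Server IP address"))
            if not comma or not prio.isdecimal() or not 0 <= int(prio) <= 10:
                problems.append((n, "priority must be an integer from 0 to 10"))
    if len(client_ip) > 1:
        problems.append((client_ip[1], "CLIENT_IP can appear only once"))
    if len(servers) > 11:                           # limit stated in the article
        problems.append((servers[11], "more than 11 Servers listed"))
    if avoid and servers:
        problems.append((avoid[0], "AVOID and USESERVER cannot be used together"))
    return sorted(problems)

SAMPLE = """\
; constructed sample for this example, not from the article
CLIENT_IP=192.0.2.10
USESERVER=192.0.2.21, 10
USESERVER=192.0.2.24
USESERVER=192.0.2.300, 5
CLIENT_IP=192.0.2.11
"""

if __name__ == "__main__":
    print(*lint_sdopts(SAMPLE), sep="\n")
```

On the sample it reports the USESERVER entry with no priority, the malformed Server address, and the second CLIENT_IP line.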
|Legacy Article ID||a2751|