000022877 - How to control Agent Host load balancing manually

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 3

Article Number: 000022877
Applies To: sdopts.rec
RSA ACE/Server
RSA ACE/Agent 5.0 for high ACE/Server availability
Issue: How to control Agent Host load balancing manually
How RSA ACE/Agents 5.0 for high availability perform load balancing
Creating sdopts.rec file
Resolution: Automatic and Manual load balancing
Using version 5.0 of the RSA ACE/Agent Authentication API, an RSA ACE/Agent can balance the load of authentication requests among Servers in the Local RSA ACE/Server realm either automatically (the default) or manually. As an Agent sends authentication requests to its Servers, it will send time requests at timed intervals to the Servers to determine their response times. The Server with the fastest response will receive authentication requests from the Agent more frequently than other Servers until the Agent polls the Servers again. This activity happens automatically, and allows the Agent to balance the load of authentication requests it handles by using the fastest responding Servers to service requests.
With RSA ACE/Agent 5.0, you can also specify which Servers the Agent uses to process requests, giving you greater control over the load balancing performed by the Agent API. You can prioritize Servers so that some receive authentication requests from the Agent more frequently than others. You can also indicate additional firewall IP addresses to be used to contact Servers. Finally, you can specify an overriding IP address for the Agent Host if that host is a multi-homed server. These options depend on settings that you specify in an optional flat text file named sdopts.rec.
Use any text editor to create or modify an sdopts.rec file. After you set up the sdopts.rec file, save it into the correct directory for your Agent Host platform. On Windows NT, store the file in %SYSTEMROOT%\system32. On UNIX, store the file in the /var/ace directory (or in the directory pointed to by the $VAR_ACE environment variable).
To protect the file from unintended changes, change the permission settings on your sdopts.rec file so that only administrators can modify it. Share the sdopts.rec file information for your Agent with the Server administrators, as they will want to know about the increased demand placed on the Servers by the Agent's sdopts.rec settings. Each time you modify the sdopts.rec file, you must restart the Agent for the changes to take effect.
NOTE: No more than 11 actual Server IP addresses should be specified concurrently by the sdconf.rec and sdopts.rec files. Make certain you specify IP addresses correctly in the sdopts.rec file.
You can place comments in the file if you begin each comment line with a semicolon. The file can contain the following keywords and values:

CLIENT_IP=ip_address
Specifies an overriding IP address for the Agent Host. The CLIENT_IP keyword can appear only once in the file.

USESERVER=ip_address,priority
Specifies a Server that can or will receive authentication requests from the Agent, depending on the specified priority value. Use one setting for each Server that the Agent will use, but list no more than 11 Servers in the file. Each USESERVER keyword value must contain the actual IP address of the Server; do not specify an alias IP address in a USESERVER keyword value. In the USESERVER value, the actual Server IP address is separated by a comma from the assigned Server priority, which specifies whether or how often a Server will receive authentication requests. The priority value must be one of the following:

Priority 2-10: Send authentication requests to this Server. The Agent sends requests to the specified Server using a randomized selection that is weighted according to the assigned priority of the Server. The range is 2-10 (inclusive); the higher the priority value, the more requests are sent to the Server. A Priority 10 Server will receive about 24 times as many requests as a Priority 2 Server.
Priority 1: For emergency use only. Priority 1 Servers are used only if Servers of higher priority are unavailable.
Priority 0: A Priority 0 Server can only be used if the Server is one of the four Servers specified in the sdconf.rec file, and either the Priority 0 Server is used merely for the initial authentication of the Agent, or all Servers with priorities of 1-10 listed in the sdopts.rec file are known to the Agent to be unusable.
NOTE: Assigning a Priority of 0 doesn't prevent the agent from trying that server - it just makes it unlikely that the Agent will choose that server for an authentication. The server is still part of the load balancing logic and will be contacted occasionally to build the sdstatus.12 file.
To PREVENT an agent from trying to contact an authentication server in any way, use the following entry:

The AVOID option was incorporated in 5.0.3 build 1099. Any earlier kit or source code does not have this feature. AVOID and USESERVER cannot be used together in an sdopts.rec file.

You must assign a priority to each Server you specify using the USESERVER keyword or the Server entries in the file will be considered invalid. The IP addresses in the file are checked against the list of valid Servers the Agent receives as part of its initial authentication with RSA ACE/Server.
NOTE: If you use USESERVER keywords to specify which Servers are used by the Agent, only those that you specify in this way will be used. The Agent will not use any other Servers unless those specified with USESERVER keywords fail to respond to Agent authentication requests.
        ;Any line of text preceded by a semicolon is ignored (it is considered a comment).
        ;Do not put a blank space between a keyword and its equal sign, after the IP address,
        ;or after the comma that separates an IP address from a priority value.
The Server identified by the actual IP address 999.999.999.999 will receive many more authentication requests than Server 999.999.999.998. Server 999.999.999.997 will only be used if the Servers of higher priority are unavailable, and Server 999.999.999.996 will be ignored except in rare circumstances.
NOTE: You can use the USESERVER and ALIAS keywords together in the sdopts.rec file, just as you can combine any of the keywords defined for use in the file. However, USESERVER keywords do not affect the alias addresses used to connect to Servers, and ALIAS keywords have no effect on which Servers are selected for use.
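The rules above (comment lines, a single CLIENT_IP, the USESERVER ip,priority form with priorities 0-10, the combined 11-address limit with sdconf.rec, the Priority 0 restriction to Servers listed in sdconf.rec, the AVOID/USESERVER exclusion, and the priority tiers the Agent falls back through) are easy to get wrong by hand, and a broken file is only noticed after the Agent restart. The following Python script is an added example, not RSA's code and not part of the original article: it validates a constructed sdopts.rec text against those rules and shows which Servers remain eligible as higher-priority Servers become unavailable. All function names, the 192.0.2.x documentation addresses and the sdconf.rec Server list are constructed for illustration; ALIAS lines are accepted but not validated because their syntax is covered in a separate article.

```python
"""Validate an RSA ACE/Agent sdopts.rec file against the documented rules.

Added example (not RSA's own code). Function names, sample addresses and the
sdconf.rec Server list are constructed for illustration.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field

# sdconf.rec and sdopts.rec together must not name more than 11 actual Server IPs.
MAX_SERVERS = 11


@dataclass
class SdoptsConfig:
    client_ip: str | None = None
    servers: dict[str, int] = field(default_factory=dict)  # actual Server IP -> priority
    avoid: list[str] = field(default_factory=list)
    errors: list[str] = field(default_factory=list)


def _valid_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def parse_sdopts(text: str, sdconf_servers: tuple[str, ...] = ()) -> SdoptsConfig:
    """Parse sdopts.rec text and collect every rule violation instead of stopping at the first.

    sdconf_servers: the Server IPs from sdconf.rec (constructed here), needed for the
    combined 11-address limit and the Priority 0 rule.
    """
    cfg = SdoptsConfig()
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith(";"):
            continue  # blank line or semicolon comment
        if "=" not in line:
            cfg.errors.append(f"line {lineno}: missing '='")
            continue
        keyword, value = line.split("=", 1)
        # No blanks around '=' or after the comma; report it, then normalise so later checks still run.
        if keyword != keyword.strip() or value != value.strip() or ", " in value or " ," in value:
            cfg.errors.append(f"line {lineno}: stray whitespace around '=' or ','")
            keyword, value = keyword.strip(), value.replace(" ", "")
        if keyword == "CLIENT_IP":
            if cfg.client_ip is not None:
                cfg.errors.append(f"line {lineno}: CLIENT_IP may appear only once")
            elif _valid_ip(value):
                cfg.client_ip = value
            else:
                cfg.errors.append(f"line {lineno}: CLIENT_IP is not a valid IP address")
        elif keyword == "USESERVER":
            ip, sep, prio = value.partition(",")
            if not sep or not prio.isdigit() or not 0 <= int(prio) <= 10:
                cfg.errors.append(f"line {lineno}: USESERVER needs 'ip,priority' with priority 0-10")
                continue
            if not _valid_ip(ip):
                cfg.errors.append(f"line {lineno}: USESERVER IP is not a valid address")
                continue
            if int(prio) == 0 and ip not in sdconf_servers:
                cfg.errors.append(f"line {lineno}: Priority 0 Server {ip} is not listed in sdconf.rec")
            cfg.servers[ip] = int(prio)
        elif keyword == "AVOID":
            if _valid_ip(value):
                cfg.avoid.append(value)
            else:
                cfg.errors.append(f"line {lineno}: AVOID is not a valid IP address")
        # ALIAS and any other keyword: accepted, documented in a separate article, not validated here.
    if cfg.avoid and cfg.servers:
        cfg.errors.append("AVOID and USESERVER cannot be used together")
    total = len(set(cfg.servers) | set(sdconf_servers))
    if total > MAX_SERVERS:
        cfg.errors.append(f"{total} Server addresses across sdconf.rec and sdopts.rec exceed {MAX_SERVERS}")
    return cfg


def eligible_servers(cfg: SdoptsConfig, unavailable: frozenset[str] = frozenset()) -> dict[str, int]:
    """Servers the Agent may choose from, following the tiers in the article:
    priorities 2-10 normally, Priority 1 only when none of those is usable, Priority 0 last."""
    for tier in (range(2, 11), (1,), (0,)):
        pool = {ip: p for ip, p in cfg.servers.items() if p in tier and ip not in unavailable}
        if pool:
            return pool
    return {}


# Constructed sample files (RFC 5737 documentation addresses, not real Servers).
SDCONF_SERVERS = ("192.0.2.10", "192.0.2.11", "192.0.2.13")
SAMPLE_SDOPTS = """;constructed sdopts.rec for illustration
CLIENT_IP=192.0.2.50
USESERVER=192.0.2.10,10
USESERVER=192.0.2.11,5
USESERVER=192.0.2.12,1
USESERVER=192.0.2.13,0
"""
BAD_SDOPTS = """USESERVER=192.0.2.10, 10
AVOID=192.0.2.11
CLIENT_IP=192.0.2.1
CLIENT_IP=192.0.2.2
USESERVER=192.0.2.14,0
"""

if __name__ == "__main__":
    good = parse_sdopts(SAMPLE_SDOPTS, SDCONF_SERVERS)
    print("errors:", good.errors or "none")
    print("normal pool:", eligible_servers(good))
    print("fallback pool:", eligible_servers(good, frozenset({"192.0.2.10", "192.0.2.11"})))
    for err in parse_sdopts(BAD_SDOPTS).errors:
        print("bad file:", err)
```

Run the script before restarting the Agent: the first file passes and shows the Priority 10 and 5 Servers as the normal pool, the Priority 1 Server only when both are unavailable, and the Priority 0 Server last; the second file reports the stray blank after the comma, the duplicate CLIENT_IP, the Priority 0 Server missing from sdconf.rec, and the AVOID/USESERVER conflict in one pass. The weighted random selection itself is not reproduced because the article gives only the 24:1 ratio between Priority 10 and Priority 2, not the weighting formula.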
How to configure RSA ACE/Agent and Authentication Agent through firewalls using Network Address Translation (NAT) and ALIAS
File information of sdconf.rec, sdopts.rec and sdstatus.12 files in RSA ACE/Server and RSA Authentication Manager
How to set an IP address override for an RSA ACE/Agent and RSA Authentication Agent

Legacy Article ID: a2751