000021707 - How to automatically apply RSA ClearTrust Agent webagent.conf file changes to Web server operation at regular intervals

Document created by RSA Customer Support Employee on Jun 16, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000021707
Applies To: RSA ClearTrust Agent 4.0 for Sun ONE Web Server 6.0
RSA ClearTrust Agent 4.5 for Microsoft IIS
Microsoft Internet Information Server (IIS) 6.0
Issue: How to automatically apply RSA ClearTrust Agent webagent.conf file changes to Web server operation at regular intervals
After configuration values in the webagent.conf file are modified, the Web server normally has to be recycled before they take effect; on a production system, interrupting service in this way may not be convenient.
Cause: The ClearTrust.agent.configuration_poller_frequency parameter was introduced in RSA ClearTrust Agent 4.0 for Sun ONE Web Server 6.0 and was removed when the reconfig utility was introduced with RSA ClearTrust Agent 4.5 for Microsoft IIS. This parameter sets a time interval; at each interval, the Web server dynamically applies the current webagent.conf configuration parameter values to its operation.
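To make the polling mechanism concrete, here is an added example in Python (not RSA's agent code) of an interval-based configuration poller: it re-reads a webagent.conf-style key=value file when the file has changed, checks the file at most once per configured interval, and keeps the last good settings if the new file is malformed. Only the parameter name comes from the article; the key=value file format, the `example.key` setting, the fixed mtimes and the treatment of the frequency value as seconds are assumptions made for this example.

```python
"""Interval-based configuration polling, the mechanism behind the removed
ClearTrust.agent.configuration_poller_frequency parameter.

Added example; not RSA's agent code. It assumes webagent.conf is a plain
key=value file with '#' comment lines and treats the poll frequency as a
number of seconds (an assumption; the article does not state the unit).
"""
import os
import tempfile
import time

POLL_KEY = "ClearTrust.agent.configuration_poller_frequency"
DEFAULT_POLL_SECONDS = 60.0


def parse_conf(text):
    """Parse key=value lines; blank lines and '#' comments are ignored."""
    settings = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected key=value, got {raw!r}")
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


class ConfigPoller:
    """Re-reads the conf file when its mtime changes, checking at most once
    per poll interval so the server keeps serving requests in between.
    A malformed or unreadable file leaves the last good settings in place."""

    def __init__(self, path, now=time.monotonic):
        self.path = path
        self._now = now            # injectable clock, so the demo is deterministic
        self._mtime = None
        self.settings = {}
        self.reloads = 0
        self._load()               # the initial load is unconditional
        self._schedule()

    def _load(self):
        with open(self.path, encoding="utf-8") as fh:
            parsed = parse_conf(fh.read())   # raises before settings change
        self.settings = parsed
        self._mtime = os.stat(self.path).st_mtime
        self.reloads += 1

    def _schedule(self):
        try:
            interval = float(self.settings.get(POLL_KEY, DEFAULT_POLL_SECONDS))
        except ValueError:
            interval = DEFAULT_POLL_SECONDS
        self._next_check = self._now() + interval

    def tick(self):
        """Call from the request loop; returns True when a reload happened."""
        if self._now() < self._next_check:
            return False
        reloaded = False
        try:
            if os.stat(self.path).st_mtime != self._mtime:
                self._load()
                reloaded = True
        except (OSError, ValueError):
            pass                   # keep the last good configuration
        self._schedule()
        return reloaded


def demo():
    """Drive the poller with a fake clock over a constructed conf file;
    returns the observed (label, tick result / value, value) sequence."""
    clock = [0.0]
    path = os.path.join(tempfile.mkdtemp(), "webagent.conf")
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(f"# constructed sample\n{POLL_KEY}=30\nexample.key=old\n")
    os.utime(path, (1000, 1000))           # fixed mtime so the change is visible
    poller = ConfigPoller(path, now=lambda: clock[0])
    events = [("start", poller.settings["example.key"], poller.reloads)]

    with open(path, "w", encoding="utf-8") as fh:
        fh.write(f"{POLL_KEY}=30\nexample.key=new\n")
    os.utime(path, (2000, 2000))
    clock[0] = 10.0                        # inside the interval: no check yet
    events.append(("t=10", poller.tick(), poller.settings["example.key"]))
    clock[0] = 31.0                        # interval elapsed: change applied
    events.append(("t=31", poller.tick(), poller.settings["example.key"]))

    with open(path, "w", encoding="utf-8") as fh:
        fh.write("this line has no equals sign\n")
    os.utime(path, (3000, 3000))
    clock[0] = 70.0                        # malformed file: old settings kept
    events.append(("t=70", poller.tick(), poller.settings["example.key"]))
    return events


if __name__ == "__main__":
    for event in demo():
        print(event)
```

The poller leaves its recorded mtime untouched when a reload fails, so a corrected file is picked up on the next interval without a restart, which is the behaviour an operator wants from a production hot-reload.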
Resolution

Microsoft Internet Information Services (IIS) 6.0 can be configured to reload its application pool and therefore reload the agent. Worker Process Recycling (WPR) in IIS 6.0 should do this. However, there is currently an important caveat with the IIS agents: WPR in overlapping mode (the default) causes the server to hang and the log to fill up because of contention for port 5628.
 
Worker Process Recycling is a feature of IIS 6 in which Web applications can be partitioned into application pools that share a common, partitioned memory space. The process running within that application can be configured to be 'recycled' periodically (e.g. after x hours, or every day at x time) or in response to certain events (e.g. application memory usage reaches x, CPU usage reaches x, or x hits have been received). The purpose of worker process recycling is to make IIS more robust by making it self-repairing in the event that web applications have bugs. For example, a Web application with a memory leak can be configured to recycle the process when memory usage hits a certain level. While this is not intended to replace correct coding of applications, it gives system administrators more options for dealing with problematic applications in production environments. Overall, the effect is to increase the availability of even buggy web applications.
 
Recycling the process means stopping one process and replacing it with another. By default, recycling is overlapped; the second replacement process is started and initialized while the first process (to be recycled) continues handling requests. When the second process is ready, the first is killed and the second seamlessly handles requests for the application. Overlapping of process recycling is governed by the setting DisallowOverlappingRotation in the IIS MetaBase (C:\Windows\System32\inetsrv\MetaBase.xml); the default is false.
 
When the second process is initialized, a new instance of the agent is created. Since the agent binds to port 5628 as a listener, the second instance of the agent 'steals' the port from the first instance in the first process. The first instance of the agent goes into distress, logging its inability to connect and listen to port 5628.
 
If no requests come in during the overlap period, the first process is killed and the second takes over with no evidence of error except in the agent logs. However, if a new request comes in after the second process has been started (and the agent grabs port 5628 from the first agent), but before the first process is killed, the first agent in the first process handles the request. Prior to hot fix 4.5.7 for RSA ClearTrust Agent 4.5 for IIS, this would cause a crash of the worker process. Now, the agent hangs the process, preventing IIS from killing the first process and replacing it with the second process, effectively hanging the entire application.
 
Option 1 (recommended): Disable overlapping recycling in favor of sequential recycling. The first process is killed before the second process starts, preventing the theft of port 5628 and the subsequent risk of hanging the worker process to be recycled. This is accomplished (after shutting down the web service) by opening C:\Windows\System32\inetsrv\MetaBase.xml and changing the application pool's DisallowOverlappingRotation setting to TRUE.

Option 2: When the worker process hangs, killing the process by PID will cause the replacement process to take over, clearing the problem. The server does not need to be restarted.
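Option 1 is a single attribute change, but on a server with several application pools it is worth checking every pool rather than only the one that was noticed. The following added example in Python (not RSA's or Microsoft's code) audits a MetaBase.xml-style document for pools that still recycle in overlapped mode and produces a corrected copy with DisallowOverlappingRotation set to TRUE. The element and attribute names (IIsApplicationPool, MBProperty, Location) and the namespace URI are assumptions about the MetaBase.xml layout; the pool names and property values in the sample are constructed.

```python
"""Audit and correct DisallowOverlappingRotation on IIS 6.0 application pools.

Added example; not RSA's or Microsoft's code. It assumes MetaBase.xml keeps
each application pool as an <IIsApplicationPool> element under <MBProperty>,
identified by its Location attribute, and that DisallowOverlappingRotation,
when present, is the string "TRUE" or "FALSE". A pool without the attribute
inherits the IIS default, FALSE (overlapped recycling), which is the case the
article warns about.
"""
import xml.etree.ElementTree as ET

# Namespace assumed to be the one IIS 6.0 writes at the top of MetaBase.xml.
NS_URI = "urn:microsoft-catalog:XML_Metabase_V64_0"
POOL_TAG = f"{{{NS_URI}}}IIsApplicationPool"
SETTING = "DisallowOverlappingRotation"
ET.register_namespace("", NS_URI)   # keep the default namespace on output

# Constructed sample in the shape of MetaBase.xml: pool names and property
# values are made up for this example.
SAMPLE_METABASE = """<configuration xmlns="urn:microsoft-catalog:XML_Metabase_V64_0">
<MBProperty>
<IIsApplicationPool Location="/LM/W3SVC/AppPools/DefaultAppPool"
    PeriodicRestartTime="1740" DisallowOverlappingRotation="FALSE" />
<IIsApplicationPool Location="/LM/W3SVC/AppPools/ClearTrustPool"
    PeriodicRestartTime="1740" />
<IIsApplicationPool Location="/LM/W3SVC/AppPools/HardenedPool"
    DisallowOverlappingRotation="TRUE" />
</MBProperty>
</configuration>
"""


def _overlap_disabled(pool):
    """True when the pool recycles sequentially (safe for the agent)."""
    return pool.get(SETTING, "FALSE").strip().upper() == "TRUE"


def audit_pools(xml_text):
    """Map each pool Location to whether overlapped recycling is disabled."""
    root = ET.fromstring(xml_text)
    return {pool.get("Location"): _overlap_disabled(pool)
            for pool in root.iter(POOL_TAG)}


def pools_at_risk(xml_text):
    """Pools still recycling in overlapped mode, i.e. where a second agent
    instance could take port 5628 from the one still serving requests."""
    return sorted(loc for loc, safe in audit_pools(xml_text).items() if not safe)


def harden(xml_text, pool_locations=None):
    """Return (new_xml, changed_pools) with DisallowOverlappingRotation="TRUE"
    set on the selected pools (all pools when pool_locations is None).

    The result is a full re-serialisation of the document; on a real server
    stop the web service first, as the article directs, and diff the output
    against the original before putting it in place.
    """
    root = ET.fromstring(xml_text)
    changed = []
    for pool in root.iter(POOL_TAG):
        loc = pool.get("Location")
        if pool_locations is not None and loc not in pool_locations:
            continue
        if not _overlap_disabled(pool):
            pool.set(SETTING, "TRUE")
            changed.append(loc)
    return ET.tostring(root, encoding="unicode"), changed


if __name__ == "__main__":
    print("at risk:", pools_at_risk(SAMPLE_METABASE))
    fixed, changed = harden(SAMPLE_METABASE)
    print("changed:", changed)
    print("at risk after:", pools_at_risk(fixed))
```

Run the audit against a copy of C:\Windows\System32\inetsrv\MetaBase.xml. Because ElementTree re-serialises the whole file (comments are dropped and attribute order may change), the safer workflow is to use the audit output to identify the pools and then make the one-attribute edit by hand with the web service stopped, exactly as Option 1 describes.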


Aside from the ctagent_reconfig utility, IIS 6.0 can be configured to reload its application pool and therefore reload the agent.

 
Here are a couple of links of interest regarding IIS:

Restarting IIS
http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/wsa_restartingiis.asp
 
Recycling Worker Processes
http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/ca_recycwrkrprocess.asp
 
Legacy Article ID: a24420
