000022273 - Choosing between using RSA ClearTrust Dispatcher or direct connection to Authorization server (AServer)

Document created by RSA Customer Support Employee on Jun 16, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000022273
Applies ToRSA ClearTrust Agent 3.5.2 for BEA WebLogic
RSA ClearTrust 5.5.3
Red Hat Linux Advanced Server 3.x
RSA ClearTrust Dispatcher
RSA ClearTrust Authorization Server (AServer)
IssueChoosing between using RSA ClearTrust Dispatcher or direct connection to Authorization server (AServer)
CauseIn a BEA WebLogic cluster, it's necessary to balance between creating custom cleartrust_realm.properties files for each managed server, tuning for performance, and minimizing network traffic handling authentication and authorization requests
ResolutionThere are 2 ways that an RSA ClearTrust Agent can pick which Authorization Server (AServer) to connect to. First, a query can be sent to a dispatcher and a dynamic list of AServers returned to the Agent. Secondly, a preset list of AServers can be specified in the Agent configuration file (cleartrust_realm.properties file for RSA ClearTrust Agent 3.5.2 for BEA WebLogic).

There are a variety of configuration parameters which can be used to affect this choice shown below, for any of the parameters more details information can be found in the comments in cleartrust_realm.properties

This parameter is a yes/no option, and dictates whether a Dispatcher will be contacted. How this option is set indicates which of the two subsequent parameters is used.

This is a list of AServers that are contacted directly by the RSA ClearTrust Agent without having obtained the dynamic list from the Dispatcher. This parameter is used when the cleartrust.agent.rtapi.direct parameter is set to yes.

When the cleartrust.agent.rtapi.direct parameter is set to no, this parameter is used to identify where Dispatchers may be found. Once contacted, a dynamic list of available AServer will be downloaded to the RSA ClearTrust Agent.

Regardless of which of the mechanisms outlined above are used, there are still other parameters that will affect how the derived AServer list is used. The full parameter file should be reviewed for details, but two significant parameters which relate to this are as follows:

If you wish to tailor performance to try to select (for example) a local AServer, then the location class functionality can be used. Note that this also requires that if the cleartrust.agent.rtapi.direct parameter is set to yes, the location class will have been defined in the cleartrust.agent.auth_server_list; when the cleartrust.agent.rtapi.direct parameter is set to no, the location class for a specific AServer is defined in the aserver.conf; when the AServer starts, it registers this value in the Dispatcher, and will be downloaded as part of the dynamic information.

Once the RSA ClearTrust Agent has its list of AServers subsequent usage may also be dictated, this parameter should also be reviewed when defining a custom prioritization.

NOTE: In some cases it might prove practical to have an AServer defined as localhost (of course this only occurs when the AServer is on the same machine) especially where a series of managed servers in a WebLogic cluster might have a single version of the cleartrust_realm.properties file but each managed server needs to talk to its own local AServer.
Legacy Article IDa27840