Environment
Novell Access Manager 3 Linux Novell Identity Server
Novell Access Manager 3 Support Pack 4 IR2 applied
Situation
When the Identity (IDP) Server needs to authenticate users or evaluate policies, a significant amount of interaction with the user stores is needed. This interaction is done using LDAP requests. If LDAP problems occur at the IDP server's LDAP interface, the IDP server continues to accept incoming HTTP(S) requests but is unable to generate the LDAP traffic required to service them.
If a cluster of IDP servers exists behind a load balancer, there is currently no way of detecting that one of the IDP servers has an LDAP issue so that the load balancer can take it out of rotation. The end result is that users have their services disrupted.
Resolution
Apply Support Pack 4 Interim Release 3, where a URL Ping Health Check for the LDAP
service has been added.
The additional health check may be enabled by adding a servlet config parameter
to the /opt/novell/nids/lib/webapp/WEB-INF/web.xml file. This additional health check pings
any URL and checks for a valid return code. The configuration syntax allows
the admin to specify the URL, the success return codes, and the time interval
between pings. The following is an example of the web.xml configuration:
<context-param>
<param-name>healthPing</param-name>
<param-value>https://www.novell.com[f]200,302[f]60000[e]https://151.155.45.45:8443/nidp/services/LDAPService[f]200[f]10000</param-value>
</context-param>
The "[e]" is an entry separator.
The "[f]" is a field separator within an entry.
The "," is a success return code separator.
The last field in an entry is the time interval in milliseconds (i.e. seconds * 1000).
This configuration says:
Ping https://www.novell.com and mark it as successful if either a 200 or a 302 is returned. Perform the ping once every 60 seconds.
Ping https://45.45.45.45:8443/nidp/services/LDAPService and mark it as successful if a 200 is returned. Perform the ping once every 10 seconds.
If this configuration is not present in the web.xml file, then no health check
pings will be performed.
WARNING: Be very careful not to cause an endless failure loop! For example, if
a URL placed in this list pings through an L4 AND that L4's health is dependent
on getting a success from the same IDP's heartbeat URL, then an endless loop
can result. What happens is the L4 issues a heartbeat, the URL ping executes
and goes through the L4, the ping is denied because the L4 is not yet allowing
traffic (it has not yet received a valid heartbeat success), so the
health check fails because the ping fails... and on and on and on. The best
solution is not to use domain names that map through L4s. Instead use the specific
IP addresses of the boxes.
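The following is an added example, not part of the KB article or of Novell's code: a small parser that applies the "[e]", "[f]" and "," separator rules described above to a healthPing param-value, rejects malformed entries, and flags the L4 loop risk from the warning by reporting entries that use a DNS name rather than an IP address. It assumes each entry has exactly three fields (URL, success codes, interval), as in the example configuration.

```python
from dataclasses import dataclass
from urllib.parse import urlparse
import ipaddress

ENTRY_SEP, FIELD_SEP, CODE_SEP = "[e]", "[f]", ","  # separators as defined in the article

@dataclass(frozen=True)
class HealthPing:
    url: str
    success_codes: frozenset
    interval_ms: int

def parse_health_ping(value: str) -> list:
    """Split one healthPing param-value into entries; reject anything the IDP could not act on."""
    entries = []
    for raw in value.split(ENTRY_SEP):
        fields = raw.split(FIELD_SEP)
        if len(fields) != 3:
            raise ValueError(f"entry must be url[f]codes[f]interval: {raw!r}")
        url, codes, interval = fields
        parsed = urlparse(url)
        if parsed.scheme not in ("http", "https") or not parsed.hostname:
            raise ValueError(f"unusable URL: {url!r}")
        code_set = frozenset(int(c) for c in codes.split(CODE_SEP))
        if not all(100 <= c <= 599 for c in code_set):
            raise ValueError(f"HTTP status out of range: {codes!r}")
        interval_ms = int(interval)  # last field is milliseconds (seconds * 1000)
        if interval_ms <= 0:
            raise ValueError(f"interval must be a positive number of ms: {interval!r}")
        entries.append(HealthPing(url, code_set, interval_ms))
    return entries

def loop_risk_warnings(entries) -> list:
    """Flag entries addressed by DNS name: such a name may route through an L4 and
    set up the endless heartbeat/ping failure loop the article warns about."""
    warnings = []
    for e in entries:
        host = urlparse(e.url).hostname
        try:
            ipaddress.ip_address(host)  # a literal IP address is what the article recommends
        except ValueError:
            warnings.append(f"{e.url}: {host!r} is a DNS name; use the box's IP address instead")
    return warnings

# Sample input: the param-value from the article's own web.xml example.
EXAMPLE = ("https://www.novell.com[f]200,302[f]60000[e]"
           "https://151.155.45.45:8443/nidp/services/LDAPService[f]200[f]10000")
```

Running parse_health_ping(EXAMPLE) yields two entries, and loop_risk_warnings on them reports only the www.novell.com entry.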
Additional Information
https://support.microfocus.com/kb/doc.php?id=7001148&sliceId=1&docTypeID=DT_TID_1_1&dialogID=37956808&stateId=1%200%2037952937 includes information about additional health
checks available with the Identity Server.