jburns80

Load Balancing the User application without clustering.

Here's the scenario.
UA server 1, engine id server1, application version 4.6.2
UA server 2, engine id server2, application version 4.6.2

Load balancer url dev.ua.com

OSP Version 6.1.6

I followed some documentation that is out there, but here's what we have going on currently. UA server 1 works with the load balancer and OSP, and we can log in. Server 2 gets a connection failed error and I can't seem to determine why. Server 2 is running otherwise and I can log in just fine directly, but when put in the load balancer I get a secured connection failed error, which leads me to believe something with OSP isn't right. Here's what I've already tried. All OSP certs from Server 1 are in the tomcat keystore, the cacerts keystore and the osp keystore on all servers, and that process is repeated for server 2 and the OSP server. The OSP server also has SSPR installed. OSP is not installed on server 1 or server 2 for the UA. Any feedback would be great. For reference, the article that helped me most was: https://www.netiq.com/communities/cool-solutions/troubleshooting-osp-sspr-part-3/ but so far the answer to this issue has eluded me. Thanks IDM guys for any feedback.
Knowledge Partner

Re: Load Balancing the User application without clustering.

On 5/17/2018 11:16 AM, jburns80 wrote:
>
> Here's the scenario.
> UA server 1, engine id server1, application version 4.6.2
> UA server 2, engine id server2, application version 4.6.2
>
> Load balancer url dev.ua.com


I expect the key is this URL above.
>
> OSP Version 6.1.6


In ism-configuration.properties, what is the URL OSP is using as its
base? I forget the name of the property, but there are three in a row,
very similar.

I hate this about OSP, SteveW says this is what the standard says, so
OSP is just following rules properly, ergo by the transitive power of
hatred, I hate the standard.

You CANNOT work with OSP if your URL differs from the one OSP is
configured to use. Now as it happens, OSP is a full featured NAM
competitor. (Think of it as NAM Lite with a bunch of good stuff removed,
but a lot of good stuff added. NAM vs OSP arguments off to the side
please). What frustrates me about this, is you can see during deploy
that OSP registers a series of URL's it will work with. We only feed in
a single value, but that gets translated to the IP address (Or it did, I
am thinking that might have been an earlier OSP now). You can even see
inside the OSP war file, when it expands into Tomcat the script this
comes from if you look long enough

So it is clear it can work with more than one URL. I think support for
that, enabled in the locked down OSP we use, would make cases like
this much simpler. But it didn't right now.

So short answer is the Bob Newhart one. "Stop It". 🙂

You kind of have no choice, if using a load balancer, except to
configure it to use the LB URL. A clever LB, that could rewrite the
URL's, might get around that.



> on server1 or server 2 for the UA. Any feedback would be great. For
> reference the article that helped me most was :
> https://www.netiq.com/communities/cool-solutions/troubleshooting-osp-sspr-part-3/
> but so far the answer to this issue has eluded me. Thanks IDM guys for
> any feedback.


Glad to know my article helped. Collect your errors and thoughts and
write your own please, to help others.

jburns80

Re: Load Balancing the User application without clustering.

For the ism config I actually copied the ism config properties file as recommended in the documentation for clustering. At this point I'm just kind of stumped. Node 1 works just fine, Node 2 just won't connect through the load balancer but will connect directly. I'm going through systematically checking the certs again; I followed your documentation on OSP/SSPR that I referenced before. I just feel like I'm missing something simple. The logs don't really have any useful information pertaining to the issue; I can copy those if it will help anyone checking this issue. In the past I've never had to use clustering mode as they want you to do now.

Knowledge Partner

Re: Load Balancing the User application without clustering.

On 5/17/2018 2:04 PM, jburns80 wrote:
>
> For the ism config I actually copied the ism config properties file as
> recommended in the documentation for clustering, At this point I'm just


So I am confused. What value is in the ism-configuration.properties file?

Your URL is dev.ua.com (in your example, clearly fake for the public).
In relation to that, how is each node configured?

Do your certs on both boxes, in all cases, use that as the Subject Name?

I.e. if it were

ua1.ua.com
ua2.ua.com

and load balancer is
dev.ua.com

Then in ism-config it should say: dev.ua.com and there should NEVER be a
URL pointing at ua1 or ua2 direct.

All your certs referencing the box itself (OSP, Tomcat) should have
Subject Names of dev.ua.com (MAYBE a Subject Alternate Name of
ua1.ua.com and ua2.ua.com could help).



> kind of stumped. Node1 works just fine, Node2 just won't connect through
> the load balancer but will connect directly. I'm going through
> systematically checking the certs again, I followed your documentation
> on OSP/SSPR that I referenced before. I just feel like I'm missing
> something simple. The logs don't really have any useful information
> pertaining to the issue, I can copy those if it will help anyone
> checking this issue. In the past I've never had to use clustering mode
> as they want you to do now.
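The rule geoffc states above (every OSP endpoint URL in ism-configuration.properties names the load-balanced host, never a node directly, and the certificate's CN/SAN must cover that host) can be checked mechanically before a deploy. The script below is an added example, not code from the thread or from the product; it uses the thread's property keys and example hostnames (dev.ua.com, ua1.ua.com, ua2.ua.com), and the properties fragment and certificate name list are constructed sample data.

```python
"""Consistency check for an OSP behind a load balancer (added example, not product code).

Checks: the three com.netiq.client.authserver.url.* properties agree on one host,
that host is not a node-direct name, and the certificate's CN/SAN names cover it."""
from urllib.parse import urlsplit

# Constructed ism-configuration.properties fragment: the logout URL deliberately
# points at node ua2 directly, which is the misconfiguration the thread warns about.
SAMPLE_PROPERTIES = """
# OSP endpoints used by the User Application
com.netiq.client.authserver.url.authorize = https://dev.ua.com:8443/osp/a/idm/auth/oauth2/grant
com.netiq.client.authserver.url.token = https://dev.ua.com:8443/osp/a/idm/auth/oauth2/getattributes
com.netiq.client.authserver.url.logout = https://ua2.ua.com:8443/osp/a/idm/auth/app/logout
"""

AUTHSERVER_KEYS = ("com.netiq.client.authserver.url.authorize",
                   "com.netiq.client.authserver.url.token",
                   "com.netiq.client.authserver.url.logout")


def parse_properties(text):
    """Minimal Java .properties reader: 'key = value' lines, '#'/'!' comments skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def authserver_hosts(props):
    """Map each OSP endpoint property to the hostname in its URL (lower-cased by urlsplit)."""
    return {k: urlsplit(props[k]).hostname for k in AUTHSERVER_KEYS if k in props}


def cert_name_matches(name, host):
    """Hostname match as a TLS client does it: exact, or a single left-most wildcard label."""
    name, host = name.lower(), host.lower()
    if name == host:
        return True
    if name.startswith("*."):
        return host.count(".") == name.count(".") and host.endswith(name[1:])
    return False


def check_setup(props, lb_host, node_hosts, cert_names):
    """Return a list of findings; an empty list means the config follows the thread's advice."""
    findings = []
    hosts = authserver_hosts(props)
    for key in AUTHSERVER_KEYS:
        if key not in hosts:
            findings.append(f"{key} is not set")
    distinct = set(hosts.values())
    if len(distinct) > 1:
        findings.append(f"authserver URLs disagree on host: {sorted(distinct)}")
    for key, host in hosts.items():
        if host in node_hosts:  # node-direct URL: OSP only answers for its configured name
            findings.append(f"{key} points at node {host} directly; use {lb_host}")
    for host in distinct:  # the TLS name check the browser will perform against the LB
        if not any(cert_name_matches(n, host) for n in cert_names):
            findings.append(f"certificate names {cert_names} do not cover {host}")
    return findings


if __name__ == "__main__":
    props = parse_properties(SAMPLE_PROPERTIES)
    for f in check_setup(props, "dev.ua.com", {"ua1.ua.com", "ua2.ua.com"},
                         ["dev.ua.com", "ua1.ua.com", "ua2.ua.com"]):
        print("FINDING:", f)
```

Feed it the real properties file and the names printed by `openssl x509 -noout -subject -ext subjectAltName` on the OSP/Tomcat certificate to compare both nodes the same way.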
jburns80

Re: Load Balancing the User application without clustering.

The cert created for OSP is aliased osp. Each OSP keystore has that cert. I've also imported the vault certificates, just to be sure, into the OSP keystore on each server. I've also imported the SSPR certs, as there is a reference to the SSPR in the ism properties file. I assume in the config you're referring to these values:
com.netiq.client.authserver.url.authorize = https://dev.sspr.com:8443/osp/a/idm/auth/oauth2/grant
com.netiq.client.authserver.url.token = https://dev.sspr.com:8443/osp/a/idm/auth/oauth2/getattributes
com.netiq.client.authserver.url.logout = https://dev.sspr.com:8443/osp/a/idm/auth/app/logout

I'm wondering then why the OSP cert for dev.ua.com would work for node 1 but node 2 just doesn't seem to get connected. I feel like it's something simple that I've overlooked, but I've compared the keystores, I've compared the configurations, I just feel like I'm missing something.
Knowledge Partner

Re: Load Balancing the User application without clustering.

On 5/17/2018 3:16 PM, jburns80 wrote:
>
>
>
> The Cert created for osp is aliased osp. Each osp keystore has that
> cert. I've also imported in the vault certificates just to be sure. so
> in the osp keystore on each server. I've also imported the sspr certs,
> as there is a reference to the sspr in the ism properties file. I
> assume in the config you're referring to these values:
> com.netiq.client.authserver.url.authorize =
> https://dev.sspr.com:8443/osp/a/idm/auth/oauth2/grant
> com.netiq.client.authserver.url.token =
> https://dev.sspr.com:8443/osp/a/idm/auth/oauth2/getattributes
> com.netiq.client.authserver.url.logout =
> https://dev.sspr.com:8443/osp/a/idm/auth/app/logout



So OSP is only on the dev.sspr.com node? Not on the UA boxes?

As for cert aliases, I would do main name as the load balanced version
and the Subject Alternate Name (Alias) as the other names.


> I'm wondering then why would the osp cert for dev.ua.com work for node 1
> but node 2 just doesn't seem to get connected. I feel like it's
> something simple that I've over looked but I've compared the keystores,
> I've compared.the configurations, I just feel like I'm missing
> something.
>
>


jburns80

Re: Load Balancing the User application without clustering.

Correct, OSP is only installed on the SSPR box. I was told this configuration should work by MicroFocus.
Knowledge Partner

Re: Load Balancing the User application without clustering.

On 5/17/2018 5:44 PM, jburns80 wrote:
>
> Correct OSP is only installed on the SSPR box. I was told this
> configuration should work by MicroFocus


Agreed. So the OSP side configuration in terms of where OAuth is running
is consistent.

So my initial concern is lessened.

What I would do next is get a tool like SAML Tracer (I like it better
than Fiddler, tomato/potato) and connect to the working node. Look at
the steps, save maybe (not sure if you can 'reload') but at least
snapshot the steps (forwards/302's/etc) that happen.

Then do the same against the bad node.

Look for differences.

