To support secure conversation in a cluster environment,
the distributed cache stores the shared state information. Version
7.0 of WebSphere® Application Server uses
MBeans to improve synchronous update of the cache across the cluster.
In addition, persistent token support is provided by storing the token
data in a database.
About this task
Synchronous update of shared information in the distributed
cache is implemented in version 7.0 of
WebSphere Application Server using an MBean
solution. When update of the shared state information across cluster
members is required, a synchronous blocking call is issued to replicate
the token state changes to all the servers in the cluster. This solution
removes the limitations of using session affinity for secure conversation
in a cluster environment.
Perform the following high-level steps
to enable distributed cache when using secure conversation for message-level
protection in a cluster environment.
Procedure
- In the administrative console for WebSphere Application Server, click .
- Click the check box to select the Enable distributed
cache setting.
- The distributed cache setting has three options:
  - The first option is Synchronous update of cluster members. This option is selected by default, enabling the runtime to update all the cluster members with token information synchronously. If this option is selected, session affinity does not have to be enabled.
  - The second option is Asynchronous update of cluster members, which you can select by clicking the corresponding radio button. For this option to work successfully, session affinity must be enabled. For information on enabling session affinity, read the topic Enable distributed cache and session affinity when using Secure Conversation. If Asynchronous update of cluster members is selected, skip steps 4 and 5.
  - The third option is Token recovery support. To enable this option, click the corresponding radio button, then select a data source (database) from the Cell level data sources menu list. To create a data source, click the Manage data sources link. If Token recovery support is selected, skip steps 4 and 5.
- This step is needed only if Synchronous update of cluster members is selected. Create a replication domain, as follows:
  - In the administrative console, click Environment > Replication domains > New.
  - Enter a name for the domain. For example, ABCDomain.
  - In the Number of replicas section, click the radio button to select the Entire Domain option.
  - Click OK, then Save, to save the modified configuration.
- This step is needed only if Synchronous update of cluster members is selected. Enable the dynamic cache by performing the following steps for each server in the cluster:
  - In the administrative console, click .
  - Select the Enable cache replication option.
  - Select the replication domain name that you created in the previous step. For example, ABCDomain.
  - Under Replication type, select Both push and pull from the menu list.
  - Click OK, then click Save to save the modified configuration.
Different clusters should use different replication domains.
Likewise, cluster members from the same cluster should use the same
replication domain. This ensures that synchronous update of cluster
members performed by the Web services security runtime, and dynamic
replication service updates of cluster members performed by the WebSphere Application Server dynamic cache
runtime, are in sync.
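As an added example (not from this page and not WebSphere's own administrative API), the following Python checker encodes the constraints the procedure above states, so that a cluster configuration can be reviewed before it is relied on for secure conversation: asynchronous update requires session affinity, token recovery requires a cell-level data source, and synchronous update requires cache replication on every member with Both push and pull, one replication domain per cluster, and no replication domain shared between clusters. The ServerConfig and SecureConversationConfig classes, the check_config helper, and the sample topology (ClusterA, ClusterB, ABCDomain, XYZDomain) are constructed assumptions for illustration; the option names are the ones the page uses.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Option labels as they appear in the administrative console (from the page).
SYNCHRONOUS = "Synchronous update of cluster members"
ASYNCHRONOUS = "Asynchronous update of cluster members"
TOKEN_RECOVERY = "Token recovery support"
PUSH_AND_PULL = "Both push and pull"


@dataclass
class ServerConfig:
    """Constructed model of one cluster member's dynamic cache settings (assumption)."""
    name: str
    cluster: str
    cache_replication_enabled: bool = False
    replication_domain: Optional[str] = None
    replication_type: Optional[str] = None


@dataclass
class SecureConversationConfig:
    """Constructed model of the cell-level secure conversation settings (assumption)."""
    distributed_cache_enabled: bool
    update_option: str
    session_affinity_enabled: bool = False
    token_recovery_data_source: Optional[str] = None


def check_config(sc: SecureConversationConfig, servers: List[ServerConfig]) -> List[str]:
    """Return a list of configuration problems; an empty list means the constraints hold."""
    problems: List[str] = []
    if not sc.distributed_cache_enabled:
        problems.append("Enable distributed cache is not selected")
        return problems

    # Asynchronous update only works when session affinity routes a client to one member.
    if sc.update_option == ASYNCHRONOUS and not sc.session_affinity_enabled:
        problems.append("Asynchronous update requires session affinity")

    # Token recovery persists token state in a database chosen from the cell-level data sources.
    if sc.update_option == TOKEN_RECOVERY and not sc.token_recovery_data_source:
        problems.append("Token recovery support requires a cell-level data source")

    if sc.update_option == SYNCHRONOUS:
        cluster_domains: Dict[str, Set[Optional[str]]] = {}
        for s in servers:
            # Steps 4 and 5: every member needs cache replication on, a domain, and push+pull.
            if not s.cache_replication_enabled:
                problems.append(f"{s.name}: Enable cache replication not selected")
            if s.replication_domain is None:
                problems.append(f"{s.name}: no replication domain selected")
            elif s.replication_type != PUSH_AND_PULL:
                problems.append(f"{s.name}: replication type should be '{PUSH_AND_PULL}'")
            cluster_domains.setdefault(s.cluster, set()).add(s.replication_domain)

        # Members of the same cluster must share one replication domain.
        for cluster, domains in cluster_domains.items():
            if len(domains) > 1:
                names = sorted(d or "<none>" for d in domains)
                problems.append(f"cluster {cluster}: members use different replication domains {names}")

        # Different clusters must not share a replication domain.
        domain_clusters: Dict[str, Set[str]] = {}
        for cluster, domains in cluster_domains.items():
            for d in domains:
                if d is not None:
                    domain_clusters.setdefault(d, set()).add(cluster)
        for d, clusters in domain_clusters.items():
            if len(clusters) > 1:
                problems.append(f"replication domain {d} is shared by clusters {sorted(clusters)}")

    return problems


# Constructed sample topology: two clusters, each with its own replication domain.
SAMPLE_SERVERS = [
    ServerConfig("server1", "ClusterA", True, "ABCDomain", PUSH_AND_PULL),
    ServerConfig("server2", "ClusterA", True, "ABCDomain", PUSH_AND_PULL),
    ServerConfig("server3", "ClusterB", True, "XYZDomain", PUSH_AND_PULL),
]

if __name__ == "__main__":
    for msg in check_config(SecureConversationConfig(True, SYNCHRONOUS), SAMPLE_SERVERS) or ["OK"]:
        print(msg)
```

Run it against an export of your own cluster layout; any non-empty result points at the step in the procedure that was skipped or applied inconsistently across members.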
Results
When the configuration steps are complete, you have enabled the distributed cache with one of three options: the default option, synchronous update of cluster members; asynchronous update of cluster members; or token recovery support. The token recovery support option uses a JDBC database to store the token state, which provides failover support for high availability of the token. If the server processing the request does not have access to the secure conversation token, the request fails, producing an error such as "null secure conversation token" or "invalid secure conversation token."