Thank you for your inputs and suggestions.
It worked for me after I configured the correct port under [dsess-cluster].
Also, I configured the domain in the configuration file and am accessing it via LB.
Original Message:
Sent: Tue December 29, 2020 04:25 AM
From: André Leruitte
Subject: ISAM - Session is not being shared with DSC
Hi Prashant,
By default the cookie will be placed on the full domain name (server1.mydomain.com).
So when accessing server2.mydomain.com, the cookie will not be sent.
For sharing the cookie between both ISAMs, one solution would be to place the cookie on ".mydomain.com".
This can be done with the following stanza:
##################################
# SESSION COOKIE DOMAINS
##################################
[session-cookie-domains]
# Normally WebSEAL session cookies are 'host' cookies which browsers
# only return to the host that originally set them. This stanza
# can be used to configure 'domain' session cookies that may be sent
# to any host in a particular DNS domain. Review the WebSEAL
# documentation and understand the security implications of domain
# session cookies before enabling any entries in this stanza.
# Format is:
# domain = example.com
# domain = otherdomain.com
# ...
domain = mydomain.com
As explained in the documentation, please be aware of the potential security implications of sharing a session cookie (the cookie will be sent with any request to *.mydomain.com domains).
Regards
------------------------------
André Leruitte
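The host-cookie versus domain-cookie behaviour described in the message above, as an added example that is not part of the original thread or of WebSEAL: it models the RFC 6265 storage and domain-match rules a browser applies. The cookie name "session" and the host other-app.mydomain.com are constructed for illustration; IP-address and public-suffix checks are left out.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Cookie:
    name: str
    domain: str      # canonical form: lower case, no leading dot
    host_only: bool  # True when Set-Cookie carried no Domain attribute


def domain_match(host: str, domain: str) -> bool:
    """RFC 6265 section 5.1.3: identical, or host ends with '.' + domain."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def set_cookie(name: str, origin_host: str,
               domain_attr: Optional[str] = None) -> Optional[Cookie]:
    """Model how a browser stores a cookie set by origin_host."""
    origin = origin_host.lower().rstrip(".")
    if not domain_attr:
        # No Domain attribute: a 'host' cookie, returned to this host only.
        return Cookie(name, origin, host_only=True)
    domain = domain_attr.lower().lstrip(".")
    if not domain_match(origin, domain):
        return None  # a host cannot set a cookie for a domain it is not in
    return Cookie(name, domain, host_only=False)


def is_sent(cookie: Cookie, request_host: str) -> bool:
    """Would the browser attach this cookie to a request for request_host?"""
    host = request_host.lower().rstrip(".")
    if cookie.host_only:
        return host == cookie.domain
    return domain_match(host, cookie.domain)


def exposure(cookie: Cookie, hosts: List[str]) -> List[str]:
    """Hosts from the list that would receive the cookie."""
    return [h for h in hosts if is_sent(cookie, h)]


# Constructed host list: the two WebSEAL names from the thread, one unrelated
# application in the same DNS domain, and a look-alike name outside it.
HOSTS = ["server1.mydomain.com", "server2.mydomain.com",
         "other-app.mydomain.com", "mydomain.com.example.net"]

if __name__ == "__main__":
    for attr in (None, ".mydomain.com"):
        c = set_cookie("session", "server1.mydomain.com", attr)
        print(attr, "->", exposure(c, HOSTS))
```

The second result is the list to review before enabling the stanza: every host under the configured domain receives the session cookie, not only the two reverse proxies.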
Original Message:
Sent: Mon December 28, 2020 12:46 PM
From: Prashant Narkhede
Subject: ISAM - Session is not being shared with DSC
Hi Jon,
Thank you for your inputs.
Both the WebSEAL appliances are configured in the cluster and configured with the same DSC cluster.
Yes, I am dealing with standard junctions only.
Can you please point me to the documentation link which will help to configure the shared session cookie for DSC?
We are yet to configure LB in front. Is it possible to test in the way that I mentioned in my original post?
Thanks and Regards,
Prashant
------------------------------
Prashant Narkhede
Original Message:
Sent: Mon December 28, 2020 12:18 PM
From: Jon Harry
Subject: ISAM - Session is not being shared with DSC
Prashant,
Two main things must be true for DSC to work:
1. Both WebSEAL servers must be configured for DSC and both registered with the same DSC cluster.
2. The two connections must share a session cookie. This will be true if connections are via a common DNS name (two replicas behind a load balancer for example) but may not be true if the connections are to two different DNS names. In the case of different DNS names, they must share a common domain and domain cookies must be enabled on both WebSEALs.
There's a third requirement around replica set names when using virtual host junctions but you didn't mention that so assuming standard junctions.
Jon
------------------------------
Jon Harry
Consulting IT Security Specialist
IBM
Original Message:
Sent: Mon December 28, 2020 11:17 AM
From: Prashant Narkhede
Subject: ISAM - Session is not being shared with DSC
Hi All,
I have two WebSEAL appliances in the cluster in DMZ. The policy server cluster is a separate one.
For the first WebSEAL instance, "Cluster is Master" is checked and for the second, "Master Instance Name" is specified.
I have configured DSC on a reverse proxy instance and can see both WebSEAL instances added to the replica server list.
But the issue is that the session is not being shared.
I tested it by accessing the first reverse proxy and logged in.
In the same tab, I am changing the URL to the second reverse proxy.
I expect it should not give me the login page.
Is there any configuration that I am missing here?
Regards,
Prashant
------------------------------
Prashant Narkhede
------------------------------