IBM Verify

Join this online user group to communicate across Security product users and IBM experts by sharing advice and best practices with peers and staying up to date regarding product enhancements.

View Only

Back to discussions

Expand all | Collapse all

ISVA 10.0.8 Policy Server priority setting in /mga junction

1. ISVA 10.0.8 Policy Server priority setting in /mga junction

Like
Gomathy Sethusankar
Posted Tue January 07, 2025 02:40 AM

Reply
Hi Team ,

We have enabled MFA with Email OTP using ISVA 10.0.8 for our web portal application .

We have 2 Policy Servers , one set up as Primary master and the other as Secondary master .

When i enable the AAC --> Authentication and context-based configuration on my Reverse proxy instance , the /mga junction is created . Here when we have the 2 Policy servers set with a priority of "9" , the OTP Validations are not happening correctly .

It is working correctly , when i set one of the Policy Server priority to "8"

Could you please clarify if this is the desired behaviour ?

Thanks and Regards,

Gomathy Sethusankar
Security Consultant

Managed Security Services
Mobile: +91-9901508141
gsethusa@in.ibm.com
IBM Security
2. RE: ISVA 10.0.8 Policy Server priority setting in /mga junction

Like
Scott Exton
Posted Tue January 07, 2025 04:13 PM

Reply
Gomathy,

I assume that when you are talking about a primary and secondary policy server you are really referring to a clustered appliance environment with a primary and secondary master configured?

I am not entirely sure why the policy server setting would impact your OTP validations, but the policy servers do not run in an active-active configuration, but instead run in an active-passive configuration (in other words, only one policy server is active at any one time).

Scott A. Exton
Senior Software Engineer
Chief Programmer - IBM Security Verify Access
IBM Master Inventor

image002.png@01D85F83.85516C50">

Original Message
3. RE: ISVA 10.0.8 Policy Server priority setting in /mga junction

Like
Gomathy Sethusankar
Posted Wed January 08, 2025 02:08 AM

Reply
Hi Scott,

Yes, you are correct. I am referring to a clustered appliance with primary and secondary master configured.

So can we set these 2 policy servers with priority 9 in the /mga junction?

Original Message
4. RE: ISVA 10.0.8 Policy Server priority setting in /mga junction

Like
Philipp Klueter
Posted Wed January 08, 2025 02:36 AM

Reply
Hi Gomathy,

are you sure, you are talking about policy server settings and not the backend servers? Maybe your federation / AAC module is running on the same server as the policy server.

It's also not fully clear what you mean with "the OTP Validations are not happening correctly". Can you provide a more detailed error description?

If you are talking about the backend servers, the junctions created by the AAC wizard are not stateful. Thus when adding a second server, the reverse proxy will use the least connection approach to determine the backend server. This could cause a swap of the backend server in subsequent requests which might cause issues. Best to activate the stateful setting on the junction.

Regards,

Philipp

------------------------------
Philipp Klueter
IT Specialist for Access Management (ISAM)
IBM Deutschland GmbH
------------------------------

Original Message
5. RE: ISVA 10.0.8 Policy Server priority setting in /mga junction

Like
Gomathy Sethusankar
Posted Wed January 08, 2025 03:17 AM

Reply
Hi Philipp,

Sorry for not posting the screenshots . Please find below . I am referring to the backend servers added to the /mga junction

Both the backend server has the priority set to 9 .

If you are talking about the backend servers, the junctions created by the AAC wizard are not stateful. Thus when adding a second server, the reverse proxy will use the least connection approach to determine the backend server. This could cause a swap of the backend server in subsequent requests which might cause issues. Best to activate the stateful setting on the junction.

This rings a bell , let me check by setting the junction to Stateful and give a retry .

Thanks a lot for your help!

Thanks and Regards,

Gomathy Sethusankar
Security Consultant

Managed Security Services
Mobile: +91-9901508141
gsethusa@in.ibm.com
IBM Security

Original Message

IBM Verify

IBM Verify

ISVA 10.0.8 Policy Server priority setting in /mga junction

Gomathy SethusankarTue January 07, 2025 02:40 AM

Scott ExtonTue January 07, 2025 04:13 PM

Gomathy SethusankarWed January 08, 2025 02:08 AM

Philipp KlueterWed January 08, 2025 02:36 AM

Gomathy SethusankarWed January 08, 2025 03:17 AM

1. ISVA 10.0.8 Policy Server priority setting in /mga junction

2. RE: ISVA 10.0.8 Policy Server priority setting in /mga junction

3. RE: ISVA 10.0.8 Policy Server priority setting in /mga junction

4. RE: ISVA 10.0.8 Policy Server priority setting in /mga junction

5. RE: ISVA 10.0.8 Policy Server priority setting in /mga junction

Additional
Resources

Office

Quick Links

IBM Verify

IBM Verify

ISVA 10.0.8 Policy Server priority setting in /mga junction

Gomathy SethusankarTue January 07, 2025 02:40 AM

Scott ExtonTue January 07, 2025 04:13 PM

Gomathy SethusankarWed January 08, 2025 02:08 AM

Philipp KlueterWed January 08, 2025 02:36 AM

Gomathy SethusankarWed January 08, 2025 03:17 AM

1. ISVA 10.0.8 Policy Server priority setting in /mga junction

2. RE: ISVA 10.0.8 Policy Server priority setting in /mga junction

3. RE: ISVA 10.0.8 Policy Server priority setting in /mga junction

4. RE: ISVA 10.0.8 Policy Server priority setting in /mga junction

5. RE: ISVA 10.0.8 Policy Server priority setting in /mga junction

Related Content

ISVA Appliance 10.0.4 - How to configure AAC for a Webseal junction and configure MFA

ISVA 10.0.8 The Access control policy is triggering only for the first time

AAC Junction over Virtual Junction

ISVA 10.0.4 Customize Email OTP Template query

Policy parameters for OTP mechanisms

Additional Resources

Office

Quick Links

Additional
Resources