IBM Security Verify

Expand all | Collapse all

Best way to save information in AAC session

Jump to Best Answer
  • 1.  Best way to save information in AAC session

    Posted Thu October 21, 2021 08:32 AM
    Hi,

    As long as I know, since ISAM 9.0.6 it is possible to share session between AAC in a cluster via HVDB by setting stateMgmt.store to HVDB. With this setting no exception is raised if the initial AAC for some reason becomes unavailable and clustered AAC can handle the session futher. But here is a problem: if the first AAC has saved some information using IDMappingExtUtils.setSPSSessionData(key,value) then this information is not available for the clustered AAC, since this method works with memory and not with HVDB:

    It will be faster and more efficient as it is in memory (not the HVDB)
    https://community.ibm.com/community/user/security/blogs/shane-weeden1/2018/08/24/branching-authentication-policy-in-isam-advanced-a

    The method IDMappingExtUtils.getIDMappingExtCache().put(key,value,timeout) uses a "global" table in HVDB and therefore needs a manual session handling.

    I wondering if there is a way to make information saved with setSPSSessionData make available to the clustered AAC so the session could be correctly taken by the clustered AAC in case of a switch.

    Best Regards,
    Ivan

    ------------------------------
    Ivan Yartsev
    ------------------------------


  • 2.  RE: Best way to save information in AAC session
    Best Answer

    Posted Fri October 22, 2021 06:27 AM
    Hi Ivan,

    In 10.0.2.0 there are "Session Persistence" options to set the "User session storage" for the Liberty Server session.  You can set it to Memory, DSC, or DMAP.
    In older versions I think you can achieve the same by setting advanced config "session.store" parameter.

    I'm not 100% sure but perhaps this configuration affects the storage location for the data set with setSPSSessionData.

    Of course, if you save this data to DMAP (or DSC) you will incur the same performance overhead as using DMAP directly but at least it would take care of the session handle for you.

    If this doesn't work the way I think it does, using the DMAP directly and using the session index (from user credential) as the handle will have similar affect.

    One last thing... in 10.0.2.0 (and maybe 10.0.1.0) I think it's possible to have the DMAP use Redis instead of HVDB.  This might give you a good compromise between performance and session persistence.

    Tagging @Jasmine Smith to check my thinking.

    Jon.​​​

    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------