Hi Scott,
Yes, as per the product documentation we should not load balance the policy server, but the customer is sending REST API calls to modify a user account to valid and import a new user from LDAP, from the Webservice web server via REST API calls that connect to the policy server. So they asked us to load balance.
As far as high availability is concerned, the high availability configuration has been configured with the remote IP address and the rest of the configuration. As per the cluster configuration, if the primary policy server is restarting, for those 5 minutes it is considered as policy server down, so the secondary policy server cannot actively take traffic for REST API calls for PDadmin. Is it so that until we promote the secondary policy server to primary it will not accept the traffic?
But when the primary policy server is running and I send REST API calls only to the secondary policy server management IP by disabling the backend node of the primary policy server, then it works (the secondary policy server is actually serving traffic). When the primary policy server is restarting, if I send traffic to the secondary policy server at that time, it fails and gives an error like
runtime environment must be available to perform this operation.
------------------------------
Vasanthakumar Chandrasekaran
------------------------------
Original Message:
Sent: Wed February 10, 2021 04:07 PM
From: Scott Exton
Subject: Policy Server High Availability
The first thing which I will ask is why are you trying to achieve policy server HA using a load balancer? The policy server does not support automatic failover - the policy server on the primary master is the only active policy server in an environment and if something happens to the primary master a manual step is required to promote another machine in the cluster to the primary master role and thus become the policy server. It appears to be pointless to have a front-end load balancer in this environment when there can only ever be one policy server active.
As far as the automatic failover between multiple front-end load balancers - have you configured this using the 'High Availability' tab on the 'Front End Load Balancer' panel of the LMI? If so, the issue sounds like it might be a configuration or networking issue.
I hope that this helps.
Scott A. Exton
Senior Software Engineer
Chief Programmer - IBM Security Verify Access
IBM Master Inventor
Phone: 61-7-5552-4008 | E-mail: scotte@au1.ibm.com | 1 Corporate Court Bundall, QLD 4217 Australia
Original Message:
Sent: 2/10/2021 1:29:00 PM
From: Vasanthakumar Chandrasekaran
Subject: Policy Server High Availability
Hi,
I have 2 policy servers in a clustered environment as master and secondary master. I have 2 FELBs, one on each policy server, and I have a VIP (192.168.1.1) which is taking traffic for the policy server and load balancing the traffic to the 2 policy servers as mentioned in the figure below.
I want to achieve high availability of the FELB. If I reboot the primary policy server, the same VIP present in the secondary FELB on the secondary policy server is not taking the traffic as expected and I am getting the following error,
But if I manually disable the load balancer on the primary policy server, then the same VIP 192.168.1.1 present in the secondary FELB takes traffic without any issues. But when I restart the primary policy server and it is not available for 5 minutes during the restart, in the meantime the secondary FELB does not take the traffic to serve the request. (But if I hit the direct management IP of the secondary policy server, it serves the traffic during the restart of the primary.)
Why is the FELB high availability VIP not accepting requests during the primary policy server restart, while the same VIP (present on the secondary server) takes traffic if I manually disable the front end load balancer on the primary server?
------------------------------
Vasanthakumar Chandrasekaran
------------------------------