IBM Security Verify

  • 1.  High availability for Redis as session service

    Posted Tue August 16, 2022 08:49 AM
    I noticed that Redis is supported as an alternative for the DSC, and I am considering using it, as it is a more widely used technology.
    The ISVA 10.0.4 documentation states that the most common HA solution for Redis is the use of Redis Sentinel. The Redis documentation that the link refers to states that a Redis client should be 'Sentinel aware'. Is this the case for ISVA, and how should it be configured? Is there any guidance or document describing how to use Redis in a HA setup in combination with ISVA?

    It is also stated that Redis clustering is not supported, but is support for Redis clustering on the roadmap?

    ------------------------------
    Gerardus Bastiaansen
    ------------------------------


  • 2.  RE: High availability for Redis as session service

    Posted Tue August 16, 2022 04:51 PM

    Gerardus,

    WebSEAL is not Sentinel-aware. This essentially means that it does not rely on Redis itself to tell WebSEAL who the writable server is; WebSEAL uses its own logic to determine this.

    Redis clustering is not currently on the roadmap. I imagine, however, that it will be placed on the roadmap when it becomes more popular and is requested by customers.

    Thanks.

    Scott A. Exton
    Senior Software Engineer
    Chief Programmer - IBM Security Verify Access

    IBM Master Inventor


  • 3.  RE: High availability for Redis as session service

    Posted Wed August 17, 2022 03:06 AM
    Hi Scott, thanks for your answer.

    So if I understand this correctly, the way to set it up is the following:
    - create a redis cluster, with sentinels, following the Redis documentation, so that Redis can always elect a new master when needed
    - reference the Redis servers in WebSEAL as documented, which will then automatically determine which server is the master

    ------------------------------
    Gerardus Bastiaansen
    ------------------------------



  • 4.  RE: High availability for Redis as session service

    Posted Wed August 17, 2022 03:26 AM

    Gerardus,

    Your understanding is correct, except that you won't be creating a 'redis cluster', but will instead be creating a 'sentinel environment' (the 'cluster' term is overloaded and I just wanted to ensure that there is no confusion).

    Thanks.

    Scott A. Exton
    Senior Software Engineer
    Chief Programmer - IBM Security Verify Access

    IBM Master Inventor


  • 5.  RE: High availability for Redis as session service

    Posted Wed August 17, 2022 04:07 AM
    Scott, my bad, I meant creating a HA redis environment by making use of sentinels, just as you pointed out.
    It's clear to me now how to set things up, thanks again for the quick answers

    ------------------------------
    Gerardus Bastiaansen
    ------------------------------



  • 6.  RE: High availability for Redis as session service

    Posted Wed August 17, 2022 06:33 AM
    Hi Gerardus,

    I've written this blog to describe in a bit more detail what to do:
    https://www.gwbasics.be/2022/04/redis-sentinel-for-isva-webseal.html

    Tom Bosmans

    ------------------------------
    Tom Bosmans
    ------------------------------



  • 7.  RE: High availability for Redis as session service

    Posted Wed August 17, 2022 09:39 AM
    Hi Tom, thanks, this will definitely help when we start implementing this

    ------------------------------
    Gerardus Bastiaansen
    ------------------------------



  • 8.  RE: High availability for Redis as session service

    Posted Thu August 18, 2022 04:16 AM
    Edited by Jasper Teuben Thu August 18, 2022 04:16 AM

    Hi Tom,

    As you know I want to start with this soon and we have discussed a 3 and 5 server configuration.
    The thing is I cannot remember the difference between a 3 and 5 server setup.

    When do you want to scale up the number of servers, any recommendations?

    Jasper



    ------------------------------
    Jasper
    ------------------------------



  • 9.  RE: High availability for Redis as session service

    Posted Thu August 18, 2022 06:04 AM
    Edited by HANS VANDEWEGHE Thu August 18, 2022 06:05 AM
    We're also doing this Redis exercise here (combined with Postgres as HVDB), and we're going for the 5 server setup. (3 VMs in datacentre1, 2 VMs in datacentre2).
    My understanding of the 5 sentinels vs 3 sentinels is that with 5 sentinels you can 'survive' 2 nodes (machines/VMs running the sentinel) being unavailable, and the remaining 3 (still the majority of 5) will be able to automate failover to a new master Redis.

    This would be useful in cases such as:
    - planned maintenance (patching/reboot/...) on 1 VM + unexpected issue on a 2nd VM.
    - DC2 blackout/outage (2 VMs down)
    - What I suspect won't survive in our case, is a DC1 outage (3 VMs down)

    I believe ideally there would be a 3rd datacentre I suppose (where the 3rd VM from dc1 would reside in dc3), however regarding DC outages there are likely additional technologies that can help spin up the VMs automatically in other regions.

    ------------------------------
    HANS VANDEWEGHE
    ------------------------------
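
The Sentinel majority arithmetic discussed in this thread, as an added example that is not part of any post or of ISVA or Redis code. It assumes one Sentinel per VM, a quorum of 3 for five Sentinels and 2 for three, and hypothetical site names; it models only which Sentinels are still reachable, not where the Redis master and replicas run, and it goes one step beyond the thread by also checking a three-site layout.

```python
# Added example: can Redis Sentinel still authorize a failover after an outage?
# Site names, layouts and quorum values are constructed for illustration.

def can_failover(reachable, total, quorum):
    """Sentinel needs `quorum` Sentinels to agree the master is down and a
    majority of all known Sentinels to authorize the failover itself."""
    majority = total // 2 + 1
    return reachable >= quorum and reachable >= majority


def survives_site_outage(layout, quorum):
    """Map each site to whether failover still works with that whole site down."""
    total = sum(layout.values())
    return {site: can_failover(total - count, total, quorum)
            for site, count in layout.items()}


def max_node_failures(total, quorum):
    """Largest number of Sentinel VMs that can be down with failover still possible."""
    return max(k for k in range(total + 1)
               if can_failover(total - k, total, quorum))


# The 3 + 2 placement described in the post above.
TWO_SITES = {"dc1": 3, "dc2": 2}
# Hypothetical variant with the fifth Sentinel moved to a third site.
THREE_SITES = {"dc1": 2, "dc2": 2, "dc3": 1}

if __name__ == "__main__":
    print("5 Sentinels tolerate", max_node_failures(5, 3), "VM failures")
    print("3 Sentinels tolerate", max_node_failures(3, 2), "VM failure")
    for name, layout in (("two sites", TWO_SITES), ("three sites", THREE_SITES)):
        for site, ok in survives_site_outage(layout, quorum=3).items():
            print(f"{name}: {site} down -> failover {'possible' if ok else 'blocked'}")
```
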



  • 10.  RE: High availability for Redis as session service

    Posted Fri August 19, 2022 03:54 AM
    Hi Hans,

    Thanks for the info, that was it :)

    ------------------------------
    JasperTeuben
    ------------------------------