WebSphere Application Server provides message-level protection
in a cluster environment. You can use Web Services Secure Conversation (WS-SecureConversation)
for message-level protection of Java API for XML Web Services 2.0 (JAX-WS)
Web services in a cluster environment.
Before you begin
A Web services request that is protected with a Security Context
Token (SCT) is routed to one server in a cluster, but that SCT might have
been issued or renewed by a different server in the cluster. If the WebSphere
Application Server distributed cache is not configured to replicate or does
not replicate quickly enough, the server processing the request might not
have access to the SCT.
About this task
Perform the following high-level steps to enable distributed cache
and session affinity when using secure conversation for message-level protection
in a cluster environment.
Procedure
- Enable the distributed cache for the Security Context Token. Perform the following steps:
  - In the Administrative Console for IBM WebSphere Application Server, click Services > Trust service > Trust Providers > Security Context Token.
  - Select the Distributed cache check box.
  - Click OK and then click Save to save the configuration.
- Create a replication domain. Perform the following steps:
  - In the Administrative Console, click Environment > Replication domains > New.
  - Enter a name. For example, ABCDomain.
  - Under Number of replicas, select the Entire Domain option.
  - Click OK and then click Save to save the configuration.
- Enable the dynamic cache. Perform the following steps for each server in the cluster:
  - In the Administrative Console, click Servers > Application Servers > server_name > Container Services > Dynamic Cache Service.
  - Select the Enable service at server startup option.
  - Select the Enable cache replication option.
  - Select the replication domain name that you created. For example, ABCDomain.
  - Select Both push and pull as the replication type.
  - Click OK and then click Save to save the configuration.
- Specify the distributed cache batch update interval as 100 milliseconds. Perform the following steps for each server in the cluster:
  - In the Administrative Console, click Servers > Application servers > server_name > Java and Process Management > Process Definition > Java Virtual Machine > Custom Properties > New.
  - Enter com.ibm.ws.cache.CacheConfig.batchUpdateInterval as the property name.
  - Enter 100 as the property value.
  - Click OK and then click Save to save the configuration.
- Install and configure a Web server or proxy server that supports session affinity. The IBM HTTP Server and the WebSphere Application Server proxy server both support session affinity. For information on installing and configuring the IBM HTTP Server, see Communicating with Web servers in the WebSphere Application Server Information Center.
- Configure the client systems to send the Web services requests to the host and port where the Web server or proxy server is running. The Web server or proxy server then routes each request to the proper cluster member.
- On the services that receive the Web services requests protected by Web Services Secure Conversation, select the HTTP transport Session enabled policy option. Complete the policy set configuration by following these steps:
  - Add the HTTP Transport policy to the policy set that is used by the services.
  - In the configuration panel for the HTTP Transport policy, select Session enabled.
  - Click OK and then click Save to save the configuration.
- On the client systems that send the Web services requests protected by Secure Conversation, enable the HTTP transport Maintain session property. Complete the policy set configuration, or set the property programmatically. If you are using a policy set with your configuration, follow these steps:
  - Add the HTTP Transport policy to the policy set that is used by the clients.
  - In the HTTP Transport policy configuration panel, select the Session enabled option.
  - Click OK and then click Save to save the configuration.
Results
After you complete these configurations, the distributed cache and session affinity are enabled for secure conversation in a cluster environment. If the server processing a request does not have access to the SCT, it fails the request with the error "Either null SCT or invalid SCT".
Example
The following example, which is a code snippet, demonstrates how
to programmatically set the Maintain session property on the correct JAX-WS
object:
import java.util.Map;
import javax.xml.ws.BindingProvider;

// Obtain the request context of the JAX-WS port proxy (port is the SEI proxy returned by Service.getPort)
Map<String, Object> rc = ((BindingProvider) port).getRequestContext();
...
// Ask the JAX-WS runtime to keep the HTTP session (affinity cookie) across calls on this proxy
rc.put(BindingProvider.SESSION_MAINTAIN_PROPERTY, Boolean.TRUE);
...
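The following is an added, complete client example that is not part of the original topic or of the WebSphere product code. It combines the client-side steps of the procedure (sending requests to the session-affinity Web server or proxy server, and maintaining the HTTP session) in one JAX-WS client. The service endpoint interface InventoryService, its namespace, the service and port names, the endpoint path and the host name webserver.example.com are all assumptions made for the example; in a real project the interface is generated from the service WSDL.

```java
import java.net.URL;
import java.util.Map;
import javax.jws.WebMethod;
import javax.jws.WebService;
import javax.xml.namespace.QName;
import javax.xml.ws.BindingProvider;
import javax.xml.ws.Service;

// Hypothetical service endpoint interface (SEI). In a real project this is
// generated from the service WSDL with wsimport; it is written inline here so
// that the example is self-contained.
@WebService(name = "InventoryService", targetNamespace = "http://example.com/inventory")
interface InventoryService {
    @WebMethod
    int getStockLevel(String sku);
}

public class SecureConversationClient {

    // Assumed names for the hypothetical service (not taken from the page).
    private static final String NAMESPACE = "http://example.com/inventory";
    private static final QName SERVICE_NAME = new QName(NAMESPACE, "InventoryServiceService");
    private static final QName PORT_NAME = new QName(NAMESPACE, "InventoryServicePort");

    /**
     * Builds a port proxy that (1) targets the session-affinity Web server or
     * proxy server instead of an individual cluster member and (2) keeps the
     * HTTP session across calls so the affinity cookie is sent on every
     * request. Both settings are needed so that the SCT issued or renewed on
     * one cluster member is available on the member that processes later
     * requests of the same conversation.
     */
    public static InventoryService createPort(URL wsdlLocation, String webServerHost, int webServerPort) {
        Service service = Service.create(wsdlLocation, SERVICE_NAME);
        InventoryService port = service.getPort(PORT_NAME, InventoryService.class);

        Map<String, Object> rc = ((BindingProvider) port).getRequestContext();

        // Route every request through the Web server or proxy server that
        // provides session affinity, not directly to a cluster member.
        // The context root and endpoint path are assumptions for this example.
        String endpoint = "http://" + webServerHost + ":" + webServerPort + "/inventory/InventoryService";
        rc.put(BindingProvider.ENDPOINT_ADDRESS_PROPERTY, endpoint);

        // Maintain session: the JAX-WS runtime stores the session cookie from
        // the response (for example JSESSIONID) and returns it on later requests,
        // so the Web server keeps routing this client to the same cluster member.
        rc.put(BindingProvider.SESSION_MAINTAIN_PROPERTY, Boolean.TRUE);

        return port;
    }

    public static void main(String[] args) throws Exception {
        // Assumed values: the WSDL location and the host and port of the
        // IBM HTTP Server or WebSphere proxy server in front of the cluster.
        URL wsdl = new URL("http://webserver.example.com:80/inventory/InventoryService?wsdl");
        InventoryService port = createPort(wsdl, "webserver.example.com", 80);

        // Repeated calls on the same proxy reuse the HTTP session, so all of
        // them reach the cluster member that holds this conversation's SCT.
        for (String sku : new String[] {"SKU-1001", "SKU-1002"}) {
            System.out.println(sku + " stock level: " + port.getStockLevel(sku));
        }
    }
}
```

Create one port proxy per conversation and reuse it for all calls: the session cookie lives in that proxy's request context, so a new proxy per call would start a new HTTP session and lose the affinity that keeps the requests on the member holding the SCT. The WS-SecureConversation policy set itself is still attached to the client through the policy set configuration described in the procedure; only the Maintain session property is set here.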