WebSphere® Application Server provides message-level
protection in a cluster environment. You can use Web Services Secure
Conversation (WS-SecureConversation) for message-level protection
of Java™ API for XML Web Services 2.0 (JAX-WS) Web
services in a cluster environment.
Before you begin
A Web services request that is protected with a Security
Context Token (SCT) is routed to one server in a cluster, but that
SCT might have been issued or renewed by a different server in the
cluster. If the WebSphere Application Server distributed
cache is not configured to replicate or does not replicate quickly
enough, the server processing the request might not have access to
the SCT. The task steps described in this topic need to be performed
only if the replication setting for cluster members is set to asynchronous
update for the Web services security distributed cache.
For more information on cache update settings, read the topic Enabling the distributed cache using synchronous update and token recovery.
You can also enable the Web services security distributed cache with
the default setting, which enables synchronous update of cluster members.
This option was introduced in WebSphere Application Server version 7.0.
About this task
Perform the following high-level steps to enable distributed
cache and session affinity when using secure conversation for message-level
protection in a cluster environment.
Procedure
- Enable the distributed cache for the Security Context Token. Perform the following steps:
  - In the administrative console for WebSphere Application Server, click Services > Security cache.
  - Select the Enable distributed caching check box.
  - Click the radio button to select Asynchronous update of cluster members.
  - Click Apply and then click Save to save the configuration.
- Create a replication domain. Perform the following steps:
  - In the Administrative Console, click Environment > Replication domains > New.
  - Enter a name. For example, ABCDomain.
  - Under Number of replicas, select the Entire Domain option.
  - Click OK and then click Save to save the configuration.
- Enable the dynamic cache. Perform the following steps for each server in the cluster:
  - In the Administrative Console, click .
  - Select the Enable cache replication option.
  - Select the replication domain name that you created. For example, ABCDomain.
  - Select the replication type as Both push and pull.
  - Click OK and then click Save to save the configuration.
- Optional: Change the distributed cache batch update interval. By default, the distributed cache batch update interval is 1,000 milliseconds. However, you can set this interval to a value that is less than 1,000 milliseconds. To change the value, complete the following steps for each server in the cluster:
  - In the Administrative Console, click .
  - Enter com.ibm.ws.cache.CacheConfig.batchUpdateInterval as the property name.
  - Enter the property value.
  - Click OK and then click Save to save the configuration.
- Install and configure a Web server or proxy server that supports session affinity. The IBM® HTTP Server and the WebSphere Application Server proxy server both support session affinity. For information on installing and configuring the IBM HTTP Server, read the topic "Communicating with Web servers" in the WebSphere Application Server Information Center.
- Configure the client systems to send the Web services requests to the host and port where the Web server or proxy server is running. The Web server or proxy server then routes the requests to the proper cluster member.
- On the services that receive the Web services requests protected by Web Services Secure Conversation, select the HTTP transport Session enabled policy option. Complete the policy set configuration by following these steps:
  - Add the HTTP Transport policy to the policy set that is being used by the services.
  - In the configuration panel for the HTTP Transport policy, select Session enabled.
  - Click OK and then click Save to save the configuration.
- On the client systems that send the Web services requests protected by Secure Conversation, enable the HTTP transport Maintain session property. Either complete the policy set configuration or set the property programmatically. If you are using a policy set with your configuration, follow these steps:
  - Add the HTTP Transport policy to the policy set that is being used by the clients.
  - In the configuration panel for the HTTP Transport policy, select the Session enabled option.
  - Click OK and then click Save to save the configuration.
Results
After the configurations are completed, you have enabled the distributed cache and session affinity when using secure conversation in a cluster environment. If the server processing a request does not have access to the SCT, it fails the request with the error "Either null SCT or invalid SCT".
Example
The following code snippet shows how to set the Maintain session property programmatically on the JAX-WS BindingProvider object, which every JAX-WS port proxy implements:
import java.util.Map;
import javax.xml.ws.BindingProvider;
Map<String, Object> rc = ((BindingProvider) port).getRequestContext();
...
// Ask the JAX-WS runtime to keep the HTTP session (cookie) across calls on this port
rc.put(BindingProvider.SESSION_MAINTAIN_PROPERTY, Boolean.TRUE);
...
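The following added example (not part of the original topic) combines the two client-side steps above, routing requests to the session-affinity front end and maintaining the HTTP session, and then checks the response context for the affinity cookie so that a misconfiguration surfaces on the first call rather than as a later "Either null SCT or invalid SCT" failure. The proxy URL and the JSESSIONID cookie name are assumptions; the port proxy is passed as the BindingProvider that every JAX-WS port implements.

```java
import java.util.List;
import java.util.Map;
import javax.xml.ws.BindingProvider;
import javax.xml.ws.handler.MessageContext;

public class AffinityClientConfig {
    // Assumed value: host and port of the IBM HTTP Server or proxy server in front of the cluster.
    static final String PROXY_ENDPOINT = "https://proxy.example.com:443/MyService/MyPort";

    // Points the JAX-WS proxy at the affinity front end and turns on session maintenance,
    // so every message of the secure conversation follows the SCT to the same cluster member.
    static void configure(BindingProvider port) {
        Map<String, Object> rc = port.getRequestContext();
        // Send requests to the Web server or proxy server, never directly to one cluster member.
        rc.put(BindingProvider.ENDPOINT_ADDRESS_PROPERTY, PROXY_ENDPOINT);
        // Equivalent of the HTTP transport "Maintain session" property set in the policy set.
        rc.put(BindingProvider.SESSION_MAINTAIN_PROPERTY, Boolean.TRUE);
    }

    // Call after the first invocation on the port. Returns true when the server answered with
    // an HTTP session cookie (assumed name JSESSIONID); if it did not, the server side is
    // probably missing the "Session enabled" HTTP Transport policy and affinity cannot work.
    @SuppressWarnings("unchecked")
    static boolean sessionCookieReturned(BindingProvider port) {
        Map<String, Object> resp = port.getResponseContext();
        Map<String, List<String>> headers =
            (Map<String, List<String>>) resp.get(MessageContext.HTTP_RESPONSE_HEADERS);
        if (headers == null) {
            return false;
        }
        for (Map.Entry<String, List<String>> h : headers.entrySet()) {
            // Header names are case-insensitive; the status line may appear under a null key.
            if (!"Set-Cookie".equalsIgnoreCase(h.getKey())) {
                continue;
            }
            for (String cookie : h.getValue()) {
                if (cookie != null && cookie.startsWith("JSESSIONID=")) {
                    return true;
                }
            }
        }
        return false;
    }
}
```

Log or alert on a false result from sessionCookieReturned during rollout: it means later messages of the conversation may be routed to a member that never received the SCT.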