
Authentication Session Broker

The Session Broker feature is useful when you have more than one iChain server running at your site. Session Broker allows "sessions" (user authentication data) to be shared between multiple iChain servers, which, in turn, allows a user to authenticate only once when browsing across all of them.

For example, if a user browses to a page on your site protected by iChain Server A, iChain will ask the user to authenticate before granting access to the page. Suppose that during the course of browsing, the user is directed to a page protected by iChain Server B. Without Session Broker, the user would be required to authenticate again because iChain Server B has no way of knowing that the user was authenticated on Server A.

When Session Broker is running, iChain servers relay all their authenticated users to the Session Broker. When a user who isn't authenticated attempts to access a protected page, iChain asks the Session Broker whether this user is already authenticated to a different iChain server. If so, the user is granted access without the need to authenticate again.

NOTE:  Only Authentication Profiles with the same name on each iChain server are shared. If the second iChain server doesn't have an Authentication Profile with the same name as the Authentication Profile the user authenticated to on the first server, the user will be required to authenticate again.
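
As an added illustration (not code from the iChain documentation or product), this Python model shows the lookup described above: servers relay (profile name, user) sessions to a broker, a lookup succeeds only when the profile name matches, and a message protected with a different shared secret is rejected. The class names, the HMAC tag and the sample values are constructed; iChain's actual wire format is not modeled.

```python
import hmac, hashlib, json

# Constructed model of the Session Broker exchange, not Novell's code. `key`
# stands in for the createsessionbrokerkey secret; b"" models the null key.
def seal(key: bytes, body: dict) -> dict:
    """Proxy -> broker message; integrity tag only when a key is installed."""
    payload = json.dumps(body, sort_keys=True)
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest() if key else ""
    return {"payload": payload, "tag": tag}

def unseal(key: bytes, msg: dict):
    """Return the body, or None when the tag was not made with this key."""
    if key:
        expect = hmac.new(key, msg["payload"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expect, msg["tag"]):
            return None
    return json.loads(msg["payload"])

class SessionBroker:
    def __init__(self, key: bytes):
        self.key, self.sessions = key, set()   # (profile name, user) pairs
    def relay(self, msg: dict) -> bool:
        body = unseal(self.key, msg)
        if body is not None:
            self.sessions.add((body["profile"], body["user"]))
        return body is not None
    def query(self, msg: dict) -> bool:
        body = unseal(self.key, msg)
        return body is not None and (body["profile"], body["user"]) in self.sessions

class IChainServer:
    def __init__(self, profile: str, key: bytes, broker: SessionBroker):
        self.profile, self.key, self.broker = profile, key, broker
    def _msg(self, user: str) -> dict:
        return seal(self.key, {"profile": self.profile, "user": user})
    def authenticate(self, user: str) -> None:
        self.broker.relay(self._msg(user))         # local login done; share it
    def is_authenticated(self, user: str) -> bool:
        return self.broker.query(self._msg(user))  # ask before prompting again

def demo() -> dict:
    key = b"shared-secret-from-floppy"             # constructed value
    broker = SessionBroker(key)
    a = IChainServer("Corporate", key, broker)
    b = IChainServer("Corporate", key, broker)
    c = IChainServer("Partners", key, broker)      # profile name differs
    d = IChainServer("Corporate", b"wrong", broker)  # key never installed here
    a.authenticate("alice")
    return {"same_profile": b.is_authenticated("alice"),
            "other_profile": c.is_authenticated("alice"),
            "wrong_key": d.is_authenticated("alice")}
```

With the null key (b"") the broker accepts any well-formed message, which is the trade-off the note under Step 5 below describes.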


Session Broker Configuration

Use the iChain Web Accelerator Wizard in ConsoleOne to configure Session Broker on an iChain server:

  1. In ConsoleOne, select Wizards > iChain Web Server Accelerator.

  2. Select an iChain Service object (or create one).

  3. Enter the two requested IP addresses: the Primary Session Broker IP Address and the Secondary Session Broker IP Address.

    The Secondary Session Broker IP Address is optional and only becomes active if the Primary Session Broker is down; otherwise it remains idle.

  4. Enter the IP addresses of the iChain servers you have designated to run the Session Broker.

    For performance reasons, you may want to put the primary Session Broker on an iChain server that has no other responsibilities. The secondary Session Broker can be configured on an iChain server with other duties since it will only be used for short periods of time.

  5. Establish a shared secret between your iChain servers and the Session Brokers that can be used to encrypt data passed between them. To do this, enter the following command at any iChain console:

    createsessionbrokerkey

    This command writes the encryption key to a floppy disk and also installs the key on the server that generated it.

    NOTE:  It is possible to disable encryption of data passed between iChain and Session Broker. Do this only if you are certain that the messages passed between them are secure. To disable encryption of data, instead of the command createsessionbrokerkey, enter the command createnullsessionbrokerkey. This creates a null key, telling iChain and Session Broker that no encryption is desired.

  6. When prompted, insert a floppy disk into the floppy drive and enter a password to encrypt the shared secret with. The password you type must be at least 6 characters in length.

  7. When prompted, confirm the password.

  8. Insert the floppy disk with the encryption key on it into the floppy drives of each of your iChain servers, including those designated to run Session Broker. At the console of each server, enter the following command:

    installsessionbrokerkey

  9. When prompted for the password, enter the password you gave when you created the encryption key (see Step 6).

  10. After creating or installing the encryption key, you must restart your proxy server in order for the server to read in the key and begin encrypting the session broker data.

  11. At the iChain console of the server(s) you have designated to run Session Broker, enter the following command:

    set authentication sessionbrokerenable = yes

    Session Broker should now be running.
