10.2 Configuring Session Broker

Before setting up Session Broker in your iChain configuration, you must install iChain on a standalone server that is dedicated as the primary Session Broker server. The primary Session Broker server should not be an iChain accelerator server. A typical setup would include two iChain accelerator servers and a third iChain server as a dedicated primary Session Broker server. One of the iChain servers could be designated as the secondary server. When users authenticate to either of the iChain servers, the session information would be updated to the primary Session Broker server. If either of the iChain servers were to go down in this setup, the user would not be prompted to re-authenticate.

IMPORTANT: Only authentication profiles with the same name on each iChain server are shared. If the second iChain server doesn't have an authentication profile with the same name as the authentication profile the user authenticated to on the first server, the user will be required to authenticate again.

Only the primary Session Broker server maintains a database of all authenticated sessions. The secondary server does not contain a duplicated/synchronized copy of the database. The secondary server is initialized only if the primary server fails. Only then does the secondary server begin building a new Session Broker database. For more information, see the following Technical Information Documents, “iChain Session Broker FAQ”, and “iChain Session Broker Operation Work Flow”.
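The two sharing rules above (only same-named authentication profiles are shared, and the secondary Session Broker starts with an empty database only after the primary fails) decide whether a user is prompted again during a failover. The following is an added Python model written to illustrate them; it is not iChain code. The class names, the (profile name, session token) schema and the server, user and token names are constructed for the example.

```python
"""Model of iChain Session Broker session sharing as the section describes it.
Added illustration, not Novell code: captures (1) sessions are shared only
between same-named authentication profiles and (2) only the primary broker
holds a database; the secondary is initialised empty after the primary fails.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


@dataclass
class SessionBroker:
    """One Session Broker server; only the active one holds a database."""
    name: str
    active: bool = False
    # (authentication profile name, session token) -> user; assumed schema
    sessions: Dict[Tuple[str, str], str] = field(default_factory=dict)


class SessionBrokerPair:
    """Primary/secondary pair: no replication, the secondary is initialised
    with an empty database only after the primary has failed."""

    def __init__(self, primary: SessionBroker, secondary: Optional[SessionBroker] = None):
        self.primary = primary
        self.secondary = secondary
        self.primary.active = True

    def _active(self) -> SessionBroker:
        if self.primary.active:
            return self.primary
        if self.secondary is None:
            raise RuntimeError("primary Session Broker is down and no secondary is configured")
        if not self.secondary.active:
            self.secondary.active = True   # initialised only now ...
            self.secondary.sessions = {}   # ... and starts from scratch
        return self.secondary

    def register(self, profile: str, token: str, user: str) -> None:
        self._active().sessions[(profile, token)] = user

    def lookup(self, profile: str, token: str) -> Optional[str]:
        return self._active().sessions.get((profile, token))

    def fail_primary(self) -> None:
        self.primary.active = False


@dataclass
class IChainServer:
    """An iChain accelerator with its locally configured authentication profiles."""
    name: str
    profiles: Set[str]
    broker: SessionBrokerPair

    def authenticate(self, profile: str, user: str, token: str) -> None:
        if profile not in self.profiles:
            raise ValueError(f"{self.name} has no authentication profile {profile!r}")
        self.broker.register(profile, token, user)

    def needs_reauth(self, profile: str, token: str) -> bool:
        """True if a user arriving with this session must log in again here."""
        if profile not in self.profiles:
            return True   # no same-named profile on this server: not shared
        return self.broker.lookup(profile, token) is None


def demo() -> Dict[str, bool]:
    """Walk through the three outcomes with constructed names and tokens."""
    pair = SessionBrokerPair(SessionBroker("sb-primary"), SessionBroker("sb-secondary"))
    ichain_a = IChainServer("ichain-a", {"ldap_users", "radius_users"}, pair)
    ichain_b = IChainServer("ichain-b", {"ldap_users"}, pair)

    ichain_a.authenticate("ldap_users", "alice", "tok-alice-1")
    ichain_a.authenticate("radius_users", "bob", "tok-bob-1")

    outcome = {
        # ichain-a goes down; alice lands on ichain-b, which has the same-named profile
        "alice_reauth_on_b": ichain_b.needs_reauth("ldap_users", "tok-alice-1"),
        # bob's profile exists only on ichain-a, so his session is never shared
        "bob_reauth_on_b": ichain_b.needs_reauth("radius_users", "tok-bob-1"),
    }
    pair.fail_primary()
    # the secondary starts with an empty database: even alice must log in again
    outcome["alice_reauth_after_broker_failover"] = ichain_b.needs_reauth("ldap_users", "tok-alice-1")
    return outcome


if __name__ == "__main__":
    print(demo())
```

The third outcome is the one to plan for: losing an accelerator is transparent to users with a same-named profile on the surviving server, but losing the primary Session Broker costs every active session, because nothing was replicated to the secondary.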

You use ConsoleOne to configure Session Broker on an iChain server:

  1. In ConsoleOne®, right-click the ISO object and select Properties.

  2. Select the Session Broker tab.

  3. Specify the two requested IP addresses: the Primary session broker server IP address and the Secondary session broker server IP address.

    The Secondary session broker server IP address is optional and only becomes active if the Primary session broker server IP address is down; otherwise, it remains idle.

    Place the primary Session Broker on an iChain server that has no other responsibilities. The secondary Session Broker can be configured on an iChain server with other duties since it is used only for short periods of time.

  4. Do the following steps on the primary Session Broker:

    1. Establish a shared secret between your iChain servers and the Session Broker(s) that can be used to encrypt data passed between them. To do this, enter the following command at any iChain console:

      createsessionbrokerkey

      This creates the Session Broker key on the primary Session Broker server and also copies the key to a floppy disk. This floppy disk is used to install the Session Broker keys on all iChain servers within the Session Broker setup, including the primary and secondary Session Broker servers.

      It is possible to disable encryption of data passed between iChain and Session Broker. Do this only if you are certain that the messages passed between them are secure. To disable encryption, instead of entering the command above, enter createnullsessionbrokerkey. This creates a null key, telling iChain and Session Broker that no encryption is desired.

    2. When prompted, insert a floppy disk into the floppy drive and enter a password to encrypt the shared secret. The password you enter must be at least 6 characters in length.

    3. When prompted, confirm the password.

  5. Do the following on all machines participating in the Session Brokerage:

    1. Insert the floppy disk containing the encryption key into the floppy drives of each of your iChain servers, including the primary and secondary Session Broker servers.

    2. At the console of each Session Broker server, enter the following command:

      installsessionbrokerkey

    3. When prompted for the password, enter the password you gave when you created the encryption key (see Step 4.b).

  6. After creating or installing the encryption key, restart your proxy server in order for the server to read in the key and begin encrypting the Session Broker data.

  7. At the iChain console of the servers you have designated to be the primary and secondary Session Broker servers, enter the following command:

    set authentication sessionbrokerenable = yes

    Set this parameter only on the designated primary and secondary iChain servers. All other iChain servers know they participate by reading the configuration information from the ISO object.

    Session Broker should now be running. To confirm that it is running and is initialized on the primary Session Broker server, load tcpcon > protocol information > TCP > TCP listeners, then confirm that 5001 exists in the list.
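To make the key lifecycle in Steps 4 through 7 concrete, the following is an added Python model; it is not iChain's code or its key-file format. It stands in for createsessionbrokerkey (generate a shared secret and write it to the "floppy" wrapped under a password), createnullsessionbrokerkey (a null key, meaning no encryption), installsessionbrokerkey (recover the secret with the same password on every server) and what a server would then do with the installed key. The wrapping scheme (PBKDF2 password key, HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag), the salt, nonce and tag layout, and the iteration count are assumptions made for the example; only the 6-character minimum password length comes from the text.

```python
"""Model of the Session Broker shared-secret lifecycle from this section.
Added illustration, not iChain code: the key-file layout and the cipher are
assumptions chosen so the example runs on the standard library alone.
"""
import hashlib
import hmac
import os
from typing import Optional

KEY_LEN = 32
SALT_LEN = 16
NONCE_LEN = 16
TAG_LEN = 32
MIN_PASSWORD_LEN = 6          # the section's stated minimum
PBKDF2_ITERATIONS = 200_000   # assumption for this example


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a standard-library stand-in for a real cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; output is nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def _open(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting: a wrong key is rejected, never garbage-decrypted."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("truncated data")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong password or corrupted data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def _password_key(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS, KEY_LEN)


def create_session_broker_key(password: str) -> bytes:
    """Stand-in for createsessionbrokerkey: a fresh shared secret wrapped under the
    password, returned as the bytes that would go on the floppy (salt || sealed secret)."""
    if len(password) < MIN_PASSWORD_LEN:
        raise ValueError(f"password must be at least {MIN_PASSWORD_LEN} characters")
    secret = os.urandom(KEY_LEN)
    salt = os.urandom(SALT_LEN)
    return salt + _seal(_password_key(password, salt), secret)


def create_null_session_broker_key() -> bytes:
    """Stand-in for createnullsessionbrokerkey: an empty file, meaning 'no encryption'."""
    return b""


def install_session_broker_key(floppy: bytes, password: str) -> Optional[bytes]:
    """Stand-in for installsessionbrokerkey on each server. Returns the shared secret,
    or None for the null key. Every server that installs the same floppy with the
    same password recovers the same secret; a wrong password is rejected here."""
    if floppy == b"":
        return None
    salt, sealed = floppy[:SALT_LEN], floppy[SALT_LEN:]
    return _open(_password_key(password, salt), sealed)


def protect_session_message(secret: Optional[bytes], message: bytes) -> bytes:
    """What an iChain server would put on the wire to the broker. With the null key
    the session data travels in the clear, which is the trade-off the text warns about."""
    return message if secret is None else _seal(secret, message)


def read_session_message(secret: Optional[bytes], wire: bytes) -> bytes:
    return wire if secret is None else _open(secret, wire)
```

Two properties are worth checking in any such scheme: every server that installs the floppy with the correct password derives an identical secret (otherwise the broker and the accelerators silently disagree), and a wrong password fails at install time rather than yielding a different, unusable key that only shows up as failed session lookups later.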