A trusted host is a client computer where one or more CA SiteMinder® Web Agents can be installed. The term trusted host refers to the physical system.
You register a trusted host from the system where you install a Web Agent; the host registration process is part of the Agent installation and configuration process. After registration is complete, the registration tool creates the SmHost.conf file. After this file is created successfully, the client computer becomes a trusted host. A trusted host must be registered to communicate with the Policy Server.
Note: You cannot create a trusted host using the Administrative UI; you can only view a trusted host once it is registered or delete a trusted host.
Upon initialization, the Web Agent uses the trusted host’s configuration settings in the Host Configuration File (SmHost.conf). The Web Agent attempts to connect to the first Policy Server listed under the PolicyServer parameter of the Host Configuration File. If the trusted host fails to connect to the first Policy Server, the trusted host attempts to connect to the next Policy Server listed, if any.
Once the Web Agent connects to its bootstrap Policy Server, the trusted host looks for the Host Configuration Object, named in the hostconfigobject parameter of the Smhost.conf file. You specify this value when you register the trusted host. The trusted host then retrieves its configuration.
Important! You only register the host once, not each time you install and configure a Web Agent.
Most of the trusted host configuration settings are set in a Host Configuration Object. The only exceptions are the Policy Server and RequestTimeout parameters, which are set in the Host Configuration file, SmHost.conf.
Settings in the Host Configuration File apply only when the trusted host initializes. Once the trusted host initializes, the settings in the Host Configuration Object take effect.
Use the RequestTimeout parameter to specify the number of seconds that the trusted host should wait before deciding that a Policy Server is unavailable. This setting allows you to optimize the response time of the Web server.
The default value is 60 seconds.
Note: If the Policy Server is busy due to heavy traffic or a slow network connection, you may want to increase the RequestTimeout value.
The operation mode determines how the trusted host works with multiple Policy Servers. The following are the two available operation modes:
Failover is a redundancy mode. If the primary Policy Server fails, there is a backup Policy Server to take over policy operations. Failover is the default operation mode. When the trusted host initializes, it operates in Failover mode.
In this mode, every trusted host request is delivered to the first Policy Server in the list. If that Policy Server does not respond, the trusted host marks it unavailable and redirects the request to the next Policy Server in the list. If a previously failed Policy Server recovers, it is returned to its original place in the list.
Round robin mode is a dynamic load balancing mode in which Agents balance their requests among all the Policy Servers listed in the Host Configuration Object in a round-robin fashion.
In road robin mode, the trusted host delivers a request to the first Policy Server in the list. The next request is delivered to the second Policy Server in the list, and so on, until the trusted host has sent requests to all the available Policy Servers. After sending requests to all of the Policy Servers, the next request returns to the first Policy Server in the list and the cycle begins again.
If a Policy Server fails, the request is redirected to the next Server in the list. The trusted host marks the failed Server as unavailable and redirects all of the requests to other servers. After the failed server recovers, it is automatically restored to its original place in the list.
We recommend this setting because dynamic load balancing produces better throughput when using multiple Policy Servers, resulting in more efficient user authentication and authorization. Dynamic load balancing also prevents a single Policy Server from becoming overloaded with requests. Failover still occurs if one of the load balancing Policy Servers is not available.
The operation mode determines how the trusted host works with multiple Policy Servers. There are two operation modes: failover and round robin.
To implement an operation mode
The value for the EnableFailover parameter applies to all Policy Servers specified in the Host Configuration Object.
The trusted host and Policy Server communicate across TCP/IP connections. The number of available TCP/IP connections between the trusted host and Policy Server is determined by the available sockets for the Policy Server’s authorization, authentication, and accounting ports.
The number of sockets per port controls the number of simultaneous threads accessing the Policy Server from the Web server. Each user access request is handled by a separate Web server thread, which requires its own socket. The Web server maintains a pool of threads for requests and only creates a new one when there are no more available threads. As traffic increases, the number of sockets per port needs to increase.
There are several settings that affect the TCP/IP connections between the trusted host and the Policy Server.
Defines the maximum number of TCP/IP connections used by the trusted host to communicate with the Policy Server. By default, this value is set to 20, which is generally sufficient for low- and medium-traffic Web sites. If you are managing a high-traffic Web site or if you have defined agent identities for virtual servers, you may want to increase this number.
Determines the number of TCP/IP connections open for the Policy Server at start up. The default value is 2. If you are managing a high-traffic Web site, you may want to increase this number.
Specifies the number of TCP/IP connections that the Agent opens when new connections are required. The default value is 2. Modify the number of sockets that should be added at each required increment if you require more sockets.
Note: More information about these values and how you may have to adjust the values as your CA SiteMinder® environment grows exists in the Policy Server Administration Guide.
You delete a trusted host when you are reregistering it. You reregister a host using the smreghost registration tool. This tool is installed with the Web Agent.
Note: You can run the Web Agent Configuration Wizard to reregister a trusted host, but delete or rename the SmHost.conf file or the Wizard does not prompt you to register a trusted host. We recommend that you use the smreghost tool. For more information about registering and reregistering trusted hosts, see the Web Agent Installation Guide.
To delete a trusted host
The Trusted Hosts page appears.
A list of trusted hosts that match the search criteria opens.
Note: You can select more than one trusted host at a time.
You are prompted to confirm the deletion of the host.
The Trusted Host is deleted.
Copyright © 2013 CA.
All rights reserved.
|
|