This solution has two components namely, Auth agent and Proxy Agent. Auth agent collects information from multiple Proxy Agents and distributes the same to all Proxy Agents.This will ensure sharing of authentication information amongst all proxies that are configured to use the Auth Agent, even if the user is authenticated to only one proxy. Proxy Agents run on each NBM box and share the information with Auth Agent. This need to be configured for each NBM Proxy.
User password is never exchanged between Proxy Agent and Auth agent. Run Auth agent on a separate box.
The Auth agent, a java application, is the central repository of authenticated user information,for all the proxies in the setup. The Auth agent can run on NetWare, Windows or a Linux Server, with a Java Virtual Machine (version 1.4). For better reliability, the Auth Agent should run on a separate machine.
NOTE: The Auth agent failover will be supported in the next release.
Proxy agent is the new authchk.nlm, running in each of the proxy servers configured for Session failover. The Proxy agent part of authchk talks to the Auth agent and keeps the central repository in sync with the local proxies. The activities that could trigger a communication between the Proxy agent and the Auth agent would be - new user logs in, logs out, inactivity timeout, etc.
The trust between the Proxy agent and the Auth agent is established by the configuration file.
(copy sample auth.cfg file from SYS:/ETC folder).
Proxy agents section contains the list of Proxy agents (proxy servers) wanting to share authenticated session information. Format is:<unique_proxyID>=<ProxyAgent_IP_Address>
To ensure that the ProxyID and IPaddress mapping is unique across all your Proxies, it is recommended to edit one auth.cfg with all the relevant information and copy it to the Auth agent and Proxy agent boxes.
A sample auth.cfg file (in auth agent box) is:
[proxy agents]
1=10.10.10.1
2=10.10.10.2
[auth]
ipport1=10.10.10.3:9023
[debug]
Level=1
File=auth.log
In the sample, 1 and 2 are unique Proxy Ids. The Auth agent is listening at 10.10.10.3 port 9023.The debug section is for debugging and logging purposes. Recommended Level is 1.Level 1 gives details on the information exchanged between the proxies and the auth agent,in the log file. The log file name is configurable via the 'File' entry under debug section. The log is available with the Auth agent in /etc/proxy directory.
To start auth agent:
Run the following command in the Auth Agent server .
java -classpath <full path of bmauth.jar> com.novell.bordermanager.proxy.auth.AuthDB<location of config file>
Location of config file is optional and you can use this if auth.cfg file is stored in a different location other than /etc/proxy. eg.java -classpath sys:\public\bmauth.jar com.novell.bordermanager.proxy.auth.AuthDB
Ensure that the Auth Agent is configured (as described above) and running.
Copy sample auth.cfg file to sys:/etc/proxy folder from SYS/ETC folder of the NBM Server.
In the Proxy Agents section, edit the entry for this proxy server, by changing the IP address to 'localhost' (without quotes).
This is similar to the config file for Auth Agent except that <ProxyID>=<Proxy Agent IP Address>. Entry for the local server should be localhost instead of IP address.
The auth secion should mention the IP address and port of the Auth agent, as shown below.
See a sample auth.cfg file, for Proxy Agent configuration on 10.10.10.1 machine:
[proxy agents]
1=localhost
2=10.10.10.2
[auth]
ipport1=10.10.10.3:9023
[debug]
Level=1
File=auth.log
Run stopbrd and startbrd to restart NBM Services.
Proxy Agent supports the following command to initiate a sync request to Auth Agent:
authchk_send_sync_to_agent
This is useful when the Proxy Agent and Auth Agent go out of sync due to network failures. Run the above command in the proxy box, once the connection with auth agent is established.
NOTE: Make sure that Proxy Agents and Auth Agents are able to commuicate with each other [reachable]through the configured interfaces / IP addresses.