In this scenario, we are configuring hardware load balancing (Cisco CSS) for the webMethods Integration Server.
Problem: When accessing the instance via the Virtual Internet Protocol (VIP) address, the user is continuously prompted for credentials.
Facts: This is caused by the TCP three-way handshake and cookie in the webMethods Integration Server.
- The user browses to the VIP
- The CSS forwards the request to Node 1
- Node 1 sends an authentication request to the user with a random hex number ssnid=29c4f640596011de9579da14127f22f1 in the HTTP header
- The user enters his/her credentials and submits
- The browser sends the response to the CSS
- The CSS forwards the response to Node 2
- Node 2 rejects the response because it does not recognise the SSNID
- Node 2 sends an authentication request to the user with a random hex number ssnid=b9066b60559411de9034cfa576455f64 in the HTTP header
- The user enters his/her credentials and submits
- This goes around in an infinite loop.
The customer has configured the CSS to look for a cookie called ‘ssnid=’:

    owner WMQA-VIP
      content WMQA-HTTP-N
        vip address 146.195.84.125
        add service WMQA-1-HTTP-N
        port 8080
        protocol tcp
        add service WMQA-2-HTTP-N
        string range 208 to 528
        string prefix "ssnid="
        advanced-balance cookies

and then told the service to look for the following string:

    service WMQA-1-HTTP-N
      string WMQA-1

This will not work because the string doesn’t exist in the cookie.
Resolution: The only workaround is to configure the arrowpoint-cookie. This is a cookie generated by the CSS itself and inserted into the TCP stream.
For example, the owner and content should look something like this (remove all redundant commands):

    service WMQA-1-HTTP-N
      no string

    owner STICKY-VIP
      content STICKY-WMQA-HTTP-N
        vip address 146.195.84.125
        add service WMQA-1-HTTP-N
        add service WMQA-2-HTTP-N
        advanced-balance arrowpoint-cookie
        sticky-mask 255.255.240.0
        protocol tcp
        port 8080
        url "/*"
        active
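
The credential loop and the effect of each balancing setup described above can be reproduced with a small model. This is an added example, not part of the original article and not Cisco or webMethods code; the `Node` and `Balancer` classes, the mode names and the `lb` cookie name are assumptions for illustration, and the matching logic is a simplification of what the CSS does.

```python
import itertools
import secrets

class Node:
    """Stand-in for one Integration Server: it accepts only ssnid values it issued."""
    def __init__(self, name):
        self.name, self.issued, self.sessions = name, set(), set()

    def handle(self, cookies, has_credentials):
        ssnid = cookies.get("ssnid")
        if ssnid in self.sessions:
            return 200, {}
        if has_credentials and ssnid in self.issued:
            self.sessions.add(ssnid)
            return 200, {}
        ssnid = secrets.token_hex(16)          # fresh random hex, as in the trace above
        self.issued.add(ssnid)
        return 401, {"ssnid": ssnid}

class Balancer:
    """Simplified model of the three balancing setups discussed on this page."""
    def __init__(self, nodes, mode):
        self.nodes, self.mode, self.rr = nodes, mode, itertools.cycle(nodes)

    def pick(self, cookies):
        if self.mode == "ssnid-string":        # service string searched for in the ssnid value
            for node in self.nodes:
                if node.name in cookies.get("ssnid", ""):
                    return node
        if self.mode == "lb-cookie":           # cookie set by the balancer itself
            for node in self.nodes:
                if cookies.get("lb") == node.name:
                    return node
        return next(self.rr)                   # no match: plain round robin

    def forward(self, cookies, has_credentials):
        node = self.pick(cookies)
        status, set_cookies = node.handle(cookies, has_credentials)
        if self.mode == "lb-cookie":
            set_cookies["lb"] = node.name      # pin the client to this node
        return status, set_cookies

def prompts_until_login(mode, limit=10):
    """Return how many credential prompts the user sees, or None if it never ends."""
    lb = Balancer([Node("WMQA-1"), Node("WMQA-2")], mode)
    cookies, prompts = {}, 0
    while prompts < limit:
        status, set_cookies = lb.forward(cookies, has_credentials=prompts > 0)
        cookies.update(set_cookies)
        if status == 200:
            return prompts
        prompts += 1
    return None
```

Matching on the application's `ssnid` behaves exactly like having no stickiness, because a random hex value can never contain the configured service string; only the cookie the balancer sets itself sends the credentials back to the node that issued the challenge.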