Configuring Replication in Reflection for the Web or Reflection Security Gateway
Technical Note 2174
Last Reviewed 14-Nov-2013
Applies To
Reflection for the Web 2014 (All Editions)
Reflection for the Web 2011 (All Editions)
Reflection for the Web 2008 (All Editions)
Reflection Security Gateway 2014
Summary

In Reflection for the Web and Reflection Security Gateway, you can use the replication feature to synchronize the management data across Reflection servers, a necessary step in setting up a load-balancing environment. This technical note describes how to configure the Master and Slave servers for replication, and provides the steps for managing the servers' certificates.

Note: For general information about how Reflection for the Web or Reflection Security Gateway works in a load-balanced environment, see Technical Note 1510.

Overview

Replication enables you to synchronize multiple Reflection management servers by propagating configuration and session changes made on one server to all of the servers in a replication group. Internally, Replication uses a Master and one or more Slave servers. Externally, the replication group appears as a group of synchronized peers.

When configuring replication, you may choose to use HTTP or HTTPS as your server-to-server communication transport. If you choose HTTPS, you must manage the servers' certificates as described in Managing Certificates. If you choose HTTP, you may skip the following section and proceed to Configuring Replication.

Note: In a replication environment, the only security settings that are replicated are those configured on the Administrative WebStation > Security Setup > Security tab. Settings configured on the Secure Shell, Certificates, Credential Store, and Security Proxy tabs are not replicated.

Managing Certificates

If you select HTTPS as your transport option, Replication requires that the Master server have each Slave web server's certificates installed to the Master's Management Server trusted certificate store, and that each Slave server has the Master web server's certificate installed to the Slave's Management Server trusted certificate store.

To install the appropriate certificates to the appropriate trusted certificate store, choose one of these steps:

  • Import the certificate of the signing authority who issued the individual signed certificates.
  • Import the individual server's signed certificates.

Using CA-signed Certificates

If the web servers are using CA-signed certificates (such as from VeriSign or Thawte), the certificates would already be installed in the Reflection Management Server's Trusted Certificate Store. To check if the certificates are installed, launch the Administrative WebStation on one of your web servers.

  1. Go to Security Setup > Certificates tab.
  2. Scroll down to "Administer Reflection Management Server Trusted Certificate List."
  3. Click "View or modify certificates trusted by the Reflection management server."
  4. Review the certificates listed under Trusted Root Certificate Authorities. Carefully inspect the expiration date and the Issued To and Issued By fields to verify that your certificates are listed.

If the CA-signed certificates are in this list, you can skip the rest of this section and proceed to Configuring Replication.

Importing Server Certificates

If the web server's certificates are not CA-signed, you will need to import them using the following steps as a guide.

If the web servers' certificates are available in file(s), copy the file(s) to the \ReflectionData\certificates folder and then proceed to Step III. Importing into Reflection.

If the web servers' certificates are not already in file(s), follow this three-step process:

    1. Locate the server certificate and import it to your browser's certificate store.
    2. Export the certificate from your browser store to a file.
    3. Import the Reflection Master (or Slave) web server certificate into the Reflection Management Server Trusted Certificate Store.

Note: The following steps describe importing a Slave web server certificate to a Master server using Internet Explorer. You may use another browser to perform the steps, but the dialog boxes and steps may differ slightly.

To import a Master web server certificate to a Slave server, simply reverse the Master/Slave references.

Step I. Importing Slave Server Certificates

  1. Launch Internet Explorer on the Master server.
  2. Connect to the Slave web server using HTTPS, for example:
     https://slaveServer1.mycompany.com:443
  3. To open the Certificate dialog box, either
    • Click the View Certificate button if a Security Alert dialog box opens.
    • Or, double-click the lock in the status bar.

     Note the certificate information so that you can easily identify the certificate once you have installed the Slave server's certificate to the Master's browser certificate store.

  4. Click Install Certificate and follow the prompts to install the Slave web server's certificate to the Master server's browser's certificate store.

Step II. Exporting the Master Server's Certificate

  1. On the Master server's browser, click Tools > Internet Options > Content tab and click Certificates.
  2. Locate and select the certificate you just installed and click Export. The Certificate Export Wizard opens. Click Next to continue.
  3. Select No, do not export the private key, and click Next.
  4. On the Export File Format page, select the DER encoded binary X.509 option. (Note that Base64 format is also acceptable.) Click Next.
  5. Browse to the certificate folder under ReflectionData\ and enter a file name. (Note the file name for future use.)
  6. Click Save and Next. Review your settings and click Finish.

  7. Repeat this process for each slave server.

Step III. Importing into Reflection

  1. In the Reflection Administrative WebStation, go to Security Setup > Certificates tab.
  2. Scroll down to "Administer Reflection Management Server Trusted Certificate List." Select "View or modify certificates trusted by the Reflection management server."
  3. Click the Import button.
  4. Enter the file name you used in Step II #5, above.
  5. Enter a password if your certificate has one; otherwise leave it blank.
  6. Enter a friendly name (a name that will help you identify which server this certificate represents).
  7. Click Submit.

Repeat this process for each Slave server.
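
A check that can be run on each exported file before it is imported in Step III, shown as an added example (not part of the original technical note or of Reflection). It computes the fingerprint of a file exported in either DER or Base64 format and compares it with a thumbprint noted from the browser's Certificate dialog in Step I; the function names and the sample bytes are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import re
import ssl

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def cert_der_bytes(raw: bytes) -> bytes:
    """Return the DER bytes of a certificate file exported as DER or Base64."""
    match = PEM_RE.search(raw)
    if match:  # Base64 export: strip the armor and line breaks, then decode
        return base64.b64decode(b"".join(match.group(1).split()), validate=True)
    if raw[:1] != b"\x30":  # a DER certificate starts with an ASN.1 SEQUENCE tag
        raise ValueError("not a DER or Base64 encoded X.509 certificate file")
    return raw

def fingerprint(raw: bytes, algo: str = "sha256") -> str:
    """Colon-separated fingerprint, always computed over the DER bytes."""
    digest = hashlib.new(algo, cert_der_bytes(raw)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def matches_noted(raw: bytes, noted: str) -> bool:
    """Compare a file with a thumbprint noted earlier (SHA-1 or SHA-256 hex)."""
    wanted = re.sub(r"[^0-9A-Fa-f]", "", noted).upper()
    algo = {40: "sha1", 64: "sha256"}.get(len(wanted))
    if algo is None:
        raise ValueError("thumbprint must be 40 (SHA-1) or 64 (SHA-256) hex digits")
    return hmac.compare_digest(fingerprint(raw, algo).replace(":", ""), wanted)

# Constructed stand-in bytes (not a real certificate) so the example runs offline.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(range(256))
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER).encode()

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PEM
    print("SHA-256:", fingerprint(data))
    print("SHA-1:  ", fingerprint(data, "sha1"))
```

Run it with the path of the exported file as the only argument; a DER export and a Base64 export of the same certificate produce the same fingerprint.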

Importing Master Server Certificates

Follow the same process you used to import Slave server certificates to a Master server, but reverse the Master and Slave designations. For example, launch a browser on the Slave server and connect to the Master server using HTTPS.

Configuring Replication

You must configure the servers for their specific role: Master or Slave.

Warning: Be aware that Master server settings (including sessions, access control setup, and security settings, but excluding certificate stores) overwrite the settings on the server that you configure to be a Slave server.

Configuring replication is a multi-step process during which you must alternate between configuring Master server options and Slave server options. Follow the steps below.

Configuring the Master server

On the Master server:

  1. In Administrative WebStation, click Settings > Replication tab.
  2. For Server Role, select the Master option. Scroll (if necessary) and click Save Settings.
  3. Configure the Concurrency Lock Timeout; 180 seconds is the default value.
  4. To use HTTPS for Transport Configuration, accept the default, "Use HTTPS for server to server communication."

     To use HTTP instead, clear the check box.

     Note: If HTTPS is selected as the Management server access protocol on the Security Setup > Security tab, then you must use HTTPS for the Replication Transport Configuration.

  5. Accept the default passphrase (which appears blank), or enter your own passphrase. Note: The Master and all Slave servers must have identical passphrases.
  6. Click Save Settings.

Configuring the Slave server

On the Slave server:

  1. In Administrative WebStation, click Settings > Replication tab.
  2. For Server Role, select the Slave option. Scroll (if necessary), and click Save Settings.
  3. To use HTTPS for Transport Configuration, accept the default, "Use HTTPS for server to server communication."

     To use HTTP instead, clear the check box.

     Note the following:

    • The transports for the Master and all the Slaves must be the same.
    • If HTTPS is selected as the Management server access protocol on the Security Setup > Security tab, then you must use HTTPS for the Replication Transport configuration.
  4. Accept the default passphrase (which appears blank), or enter your own passphrase. Note: The Master and all Slave servers must have identical passphrases. If you entered your own passphrase while configuring the Master server, you must enter the same passphrase for all of the Slave servers.
  5. Click Save Settings.
  6. In the Add Replication Master Server section, enter the Master server host name, host port (80 by default for HTTP; 443 by default for HTTPS) and servlet context (rweb is the default value).
  7. Click Add.

     If the Slave server cannot communicate with the Master server, an error message will display at the top of the page.

  8. Click Test to verify that the Slave server can contact the Master server. Check the Test Result column for a Pass value.

Completing the Master server configuration

On the Master server:

  1. In the Add Replication Slave Server section, enter the Slave server host name, host port, and servlet context (rweb is the default value).
  2. Click Add to Table.

     If the Master server cannot communicate with the Slave server, an error message will display at the top of the page.

  3. Select the check box for the Slave server you just added.
  4. Click Test to verify the connection between the Master and Slave. Check the Test Result column for a Pass value.

Repeat the above four steps to complete the Master server configuration for each Slave server.

For detailed information about what to do if your master server goes down, see Technical Note 2373.

Copying Package Data

If you are replicating a server that contains packages for Windows-based sessions, the mappings and settings are replicated automatically; however, the package data must be manually copied to each Slave server.

Package data needs to be manually copied from the Master server to each Slave server when:

  • new packages are uploaded to the Master server.
  • existing packages are updated or deleted from the Master server.

Follow these steps to copy the package data:

  1. Upload, update, or delete packages on the Master server.
  2. Delete all .zip files from the /ReflectionData/deploy/packages/ directory on each Slave server.
  3. Manually copy all of the .zip files from the /ReflectionData/deploy/packages/ directory on the Master server to the analogous location on each Slave server.
  4. To confirm success, log in to Reflection for the Web or Reflection Security Gateway on a Slave server as a user who is authorized to receive the package. Verify the package is downloaded and installed successfully.

Note: If your client already has the package, first uninstall it from the client and delete it from C:\Users\<username>\AppData\Local\Temp\AttachmatePkgs before performing this verification.
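
Because the copy is manual, a Slave can be left with a missing, stale, or partially copied package. The following added example (not part of the original technical note or of Reflection) compares the .zip files in the Master's packages directory with those in a Slave's by SHA-256 digest; it assumes both directories are reachable from the machine running it, for instance through a mounted share, and the function names are the example's own.

```python
import hashlib
from pathlib import Path

def zip_manifest(packages_dir):
    """Map each .zip file name in a packages directory to its SHA-256 digest."""
    manifest = {}
    for path in sorted(Path(packages_dir).glob("*.zip")):
        digest = hashlib.sha256()
        with path.open("rb") as handle:
            for chunk in iter(lambda: handle.read(1 << 20), b""):
                digest.update(chunk)
        manifest[path.name] = digest.hexdigest()
    return manifest

def compare_packages(master_dir, slave_dir):
    """Report how a Slave's package set differs from the Master's."""
    master, slave = zip_manifest(master_dir), zip_manifest(slave_dir)
    shared = master.keys() & slave.keys()
    return {
        # uploaded to the Master but never copied
        "missing_on_slave": sorted(master.keys() - slave.keys()),
        # deleted on the Master but still present on the Slave
        "stale_on_slave": sorted(slave.keys() - master.keys()),
        # same name, different bytes: an old version or a truncated copy
        "content_differs": sorted(n for n in shared if master[n] != slave[n]),
    }

def in_sync(report):
    """True when the Slave holds exactly the Master's packages."""
    return not any(report.values())

if __name__ == "__main__":
    import sys
    if len(sys.argv) != 3:
        sys.exit("usage: compare_packages.py MASTER_PACKAGES_DIR SLAVE_PACKAGES_DIR")
    result = compare_packages(sys.argv[1], sys.argv[2])
    for category, names in result.items():
        print(f"{category}: {', '.join(names) or 'none'}")
    sys.exit(0 if in_sync(result) else 1)
```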

Concurrent Administration

Concurrent administration can be used with a standalone server and in a replication environment. See Technical Note 2371 for more information.

Upgrading Replication Servers

If you have replication enabled, you should disable it on every server with replication before you upgrade. Follow these steps:

  1. In the Administrative WebStation, click Settings > Replication tab. Select the Standalone Server Role option. Scroll if necessary, and click Save Settings.
  2. Repeat step 1 for the Master server and all of the Slave servers.
  3. Upgrade all of the servers.
  4. Configure the Master server from Standalone back to the Master role and define the Slave servers. Review the Configuring Replication steps, above.
  5. Configure the Slave servers from Standalone back to the Slave role and point them to the Master server.
Related Technical Notes
1510 Overview of Load Balancing and Reflection for the Web or Reflection Security Gateway
2330 Configuring BEA WebLogic to Work with Reflection for the Web Server Replication
2371 Concurrent Administration and Reflection for the Web or Reflection Security Gateway
2373 Solutions If Your Master Server Goes Down
9988 Reflection for the Web Technical Notes
