Wednesday, May 15, 2013

SFO is not supported across sites

"SFO is not supported across sites" - What does this statement mean? (Read here)

I got to experience it personally this week while configuring AM Session Failover (on 2 different sites) for a customer of mine.






Theoretically, each site that participates in SFO needs its own Message Queue Broker Cluster with a minimum of 2 message queue servers installed.




However, I was plain lazy and was trying my luck. In "Secondary Configuration Instance", I configured the same configuration for both InternetSSO and IntranetSSO instances.









In addition, we have quota constraints enabled and the session quota exhaustion behavior is set to DESTROY_OLD_SESSIONS.




Lastly, the Active User Sessions count is set to 1.





So, what happens when a user who has already logged in to the Intranet site attempts to log in to the Internet site?





1. The quota constraint kicks into effect (1 active user allowed at any single point of time).
2. However, the session quota exhaustion behavior will not kick into effect (OpenAM is not able to destroy the old session).


Why?


amSession:05/15/2013 03:24:13:315 PM ICT: Thread[ajp-172.19.176.115-8109-3,5,jboss]
Failed to destroy the next expiring session.
com.iplanet.dpro.session.SessionException: java.lang.NullPointerException
at com.iplanet.dpro.session.Session.refresh(Session.java:1437)
at com.iplanet.dpro.session.Session.getSession(Session.java:1097)
at org.forgerock.openam.session.service.DestroyAllAction.action(DestroyAllAction.java:57)
at com.iplanet.dpro.session.service.SessionConstraint.checkQuotaAndPerformAction(SessionConstraint.java:183)
at com.iplanet.dpro.session.service.InternalSession.activate(InternalSession.java:1053)
at com.sun.identity.authentication.service.LoginState.activateSession(LoginState.java:1193)
at com.sun.identity.authentication.service.AMLoginContext.runLogin(AMLoginContext.java:611)
:
:

Caused by: java.lang.NullPointerException
at com.iplanet.dpro.session.service.ClusterStateService.checkServerUp(ClusterStateService.java:321)
at com.iplanet.dpro.session.service.ClusterStateService.checkServerUp(ClusterStateService.java:220)
at com.iplanet.dpro.session.service.SessionService.checkServerUp(SessionService.java:2081)
at com.iplanet.dpro.session.Session.getSessionResponse(Session.java:1688)
at com.iplanet.dpro.session.Session.doRefresh(Session.java:1454)
at com.iplanet.dpro.session.Session.access$300(Session.java:113)
at com.iplanet.dpro.session.Session$3.run(Session.java:1426)
at com.sun.identity.session.util.RestrictedTokenContext.doUsing(RestrictedTokenContext.java:86)
at com.iplanet.dpro.session.Session.refresh(Session.java:1423)
:
:

Caused by: com.iplanet.dpro.session.SessionException: Session state is invalid. AQIC5wM2LY4Sfcx9Tij6-6PzKZBBdJNzYNJpZPkutzgpdMk.*AAJTSQACMTAAAlNLAAstMjA3NzY4NTU4OAACUzEAAjA5*
at com.iplanet.dpro.session.service.SessionService.checkSession(SessionService.java:1267)
at com.iplanet.dpro.session.service.SessionService.getSessionInfo(SessionService.java:1226)
at com.iplanet.dpro.session.Session.doRefresh(Session.java:1450)
at com.iplanet.dpro.session.Session.access$300(Session.java:113)
at com.iplanet.dpro.session.Session$3.run(Session.java:1426)
at com.sun.identity.session.util.RestrictedTokenContext.doUsing(RestrictedTokenContext.java:86)
at com.iplanet.dpro.session.Session.refresh(Session.java:1423)



Simply put: the session object belongs to the Intranet site. When the DESTROY_OLD_SESSIONS action is executed, OpenAM is not able to destroy it in the Internet site.
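Because a failed destroy leaves the older session alive, it is worth alerting on this log record. The following is an added example, not code from this post or from OpenAM: a small parser that finds the "Failed to destroy the next expiring session." records in an amSession debug log and extracts their cause chain with session IDs masked. It assumes the record header layout and the AQIC session ID prefix seen in the trace above; the function name and the sample lines (abbreviated from the trace, with a placeholder ID) are constructed.

```python
import re

# Record header as seen in the trace on this page (layout is an assumption), e.g.
# amSession:05/15/2013 03:24:13:315 PM ICT: Thread[ajp-...,5,jboss]
HEADER = re.compile(r"^\w+:(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}:\d{3} [AP]M \w+): "
                    r"Thread\[(?P<thread>.*)\]$")
CAUSE = re.compile(r"^Caused by: (?P<exc>[\w.$]+)(?:: (?P<msg>.*))?$")
MARKER = "Failed to destroy the next expiring session."
# Session IDs are bearer credentials while valid, so mask them before reporting.
# The AQIC prefix is taken from the trace above (assumption for other deployments).
TOKEN = re.compile(r"AQIC[\w.*@=+/-]{8,}")

def failed_quota_destroys(lines):
    """Return one dict per log record that reports a failed quota destroy."""
    events, cur = [], None
    for raw in lines:
        line = raw.strip()
        m = HEADER.match(line)
        if m:  # a new record starts; the previous one is complete
            cur = {"ts": m["ts"], "thread": m["thread"], "hit": False, "causes": []}
            events.append(cur)
        elif cur is None:
            continue  # text before the first header
        elif line == MARKER:
            cur["hit"] = True
        elif cur["hit"]:
            c = CAUSE.match(line)
            if c:  # keep exception class and masked message, skip stack frames
                msg = TOKEN.sub("<session-id>", c["msg"] or "")
                cur["causes"].append((c["exc"], msg))
    return [e for e in events if e["hit"]]

# Constructed sample: abbreviated from the trace above, placeholder session ID,
# plus one unrelated constructed record that must not be reported.
SAMPLE = """\
amSession:05/15/2013 03:24:13:315 PM ICT: Thread[ajp-172.19.176.115-8109-3,5,jboss]
Failed to destroy the next expiring session.
com.iplanet.dpro.session.SessionException: java.lang.NullPointerException
at com.iplanet.dpro.session.Session.refresh(Session.java:1437)
Caused by: java.lang.NullPointerException
at com.iplanet.dpro.session.service.ClusterStateService.checkServerUp(ClusterStateService.java:321)
Caused by: com.iplanet.dpro.session.SessionException: Session state is invalid. AQIC-CONSTRUCTED-ID.*PLACEHOLDER*
amSession:05/15/2013 03:24:14:002 PM ICT: Thread[ajp-172.19.176.115-8109-4,5,jboss]
Unrelated constructed message.
""".splitlines()

if __name__ == "__main__":
    for event in failed_quota_destroys(SAMPLE):
        print(event["ts"], event["thread"], event["causes"][-1])
```

The last entry in `causes` is the root cause; in the cross-site case described here it is the "Session state is invalid" SessionException.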
