Question

In our deployment, we have 3 OpenAM instances behind a load balancer. The stickiness is based on IP addresses, so that the users always land on the same server.

My problem is that our max concurrent sessions is reached on each server after just one day of workload.

When I analysed the amSSO audit log, I found out that my Web Agent (amService-UrlAccessAgent) opens sessions frequently (more than 20 sessions per minute) and those sessions never get destroyed (they all live loong :)).

Can you please help me to interpret this behavior? Isn't amService-UrlAccessAgent supposed to log in once?

Thank you in advance.


Solution 2

I think that I got the solution. When I started to dig a little in the OpenAM code and in the agent code, I found the following:

    if ((isApplicationModule(authMethName) &&
            (ad.isSuperUser(userDN) || ad.isSpecialUser(userDN)))
            || isAgent(amIdentityUser)) {
        if (isAgent(amIdentityUser) && agentSessionIdleTime > 0) {
            // ....
            // Agent session with an idle timeout configured
            session.setMaxSessionTime(Long.MAX_VALUE / 60);
            session.setMaxIdleTime(agentSessionIdleTime);
            session.setMaxCachingTime(agentSessionIdleTime);
        } else {
            // Otherwise (including agentSessionIdleTime == 0) the session never expires
            session.setExpire(false);
        }
    }

And when you look just a little earlier, you find that the value of agentSessionIdleTime is 0 if the property com.iplanet.am.session.agentSessionIdleTime isn't set.

For the interpretation of the meaning of this property, follow this link: policy agent sessions to time out

Thanks, Peter, for your help. I will tell you soon if that works well on our production system.
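One way to check from a session audit log whether agent sessions are still piling up after the property is set, as an added example that is not part of the original answer or of OpenAM. The four-field tab-separated record layout, the `CREATED`/`DESTROYED` event names and the sample lines are constructed assumptions, not the real amSSO format; map your own log fields onto them.

```python
from collections import Counter, defaultdict
from datetime import datetime

AGENT = "amService-UrlAccessAgent"

def build_sample():
    """Constructed sample log: 25 agent sessions opened in one minute and
    never destroyed, plus a normal user whose sessions are all destroyed."""
    lines = [f"2000-01-01T09:00:{i:02d}\tCREATED\tagent-{i}\t{AGENT}" for i in range(25)]
    lines += [
        "2000-01-01T09:00:10\tCREATED\tu1\talice",
        "2000-01-01T09:02:00\tCREATED\tu2\talice",
        "2000-01-01T09:05:00\tDESTROYED\tu1\talice",
        "2000-01-01T09:06:00\tDESTROYED\tu2\talice",
        "garbage line without the expected fields",
    ]
    return "\n".join(lines)

def parse(log_text):
    """Yield (timestamp, event, session_id, login_id); skip malformed lines."""
    for line in log_text.splitlines():
        parts = line.split("\t")
        if len(parts) != 4:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        yield ts, parts[1], parts[2], parts[3]

def session_leaks(log_text, rate_threshold=20):
    """Per login id: sessions created but never destroyed, and the peak
    creation rate per minute (threshold of 20 taken from the question)."""
    open_sessions = defaultdict(set)
    per_minute = defaultdict(Counter)
    for ts, event, sid, login in parse(log_text):
        if event == "CREATED":
            open_sessions[login].add(sid)
            per_minute[login][ts.replace(second=0)] += 1
        elif event == "DESTROYED":
            open_sessions[login].discard(sid)
    return {
        login: {"open": len(open_sessions[login]),
                "peak_per_minute": max(counts.values()),
                "over_rate": max(counts.values()) > rate_threshold}
        for login, counts in per_minute.items()
    }

if __name__ == "__main__":
    for login, stats in session_leaks(build_sample()).items():
        print(login, stats)
```

A login id whose `open` count keeps growing between runs while `over_rate` stays true matches the behaviour described in the question.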

Other tips

There are a couple of interesting things in your description:

  • If you are using a web agent, then why are you using it with amService-UrlAccessAgent? You should create a Web agent profile for your agent and use that account instead.
  • It's not clear what web server you are using, so I'm assuming it's Apache. In that case make sure that you are NOT using prefork mode; the recommended MPM is worker, because it will require far fewer agent logins in general. Nevertheless, as far as I know, the agent always logs itself out once the child process dies.
  • You may also want to try to use a newer version of the web agent, or even a nightly if this problem keeps reoccurring.
Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow