Web Container Failover and High Availability

  <ServerGroup Name="portalApplication Server Group">   <Server CloneID="uk396h0g" Name="portalApp">   <Transport Hostname="serverA.mydomain.com"      Port="10000" Protocol="http" />   </Server>   </ServerGroup>  

  <ServerCluster Name="portalApplication Server Group">   <Server Name="portalApp">   <Transport Hostname="serverA.mydomain.com"      Port="10000" Protocol="http" />   </Server>   </ServerCluster>  

WebSphere 5 Weighted Load Distribution

WebSphere version 5 introduced a sophisticated load distribution model that favors session affinity. Remember that by not having session affinity (in which your subsequent requests aren't sent to the server or clone that initially set up the session), you'll incur additional load overhead while your Web containers retrieve persisted session data from the session database or from in-memory replication.

Suppose, for instance, that you have an environment with only one Web server but two backend WebSphere application servers. With the LoadBalanceWeight setting, as each request that isn't sessionized (i.e., it isn't a user request that contains an active or valid session cookie) is sent to a server, the plug-in decrements the LoadBalanceWeight ratio by 1. This occurs until the value reaches 0. After all servers have had their ratio decremented to 0, the plug-in resets all weighted ratios to their original value and starts the process again. Let's look at an example.

Say you have a plug-in file on the Web server that is configured in a way that has the following directives set as follows :

• The LoadBalance directive is set to RoundRobin

• For server A, LoadBalanceWeight is 5

• For server B, LoadBalanceWeight is 2

As a user request initially comes into the Web server, the plug-in randomly picks the first server to send the request to (regardless of the RoundRobin setting). Here's the process:

1. If the plug-in selects server A for the first request, the LoadBalanceWeight value for server A is decremented by 1 to 4.

2. Another request comes in, and this request is sent to server B, which has its ratio decremented by 2 to 1.

3. The next request comes in and this request has a session cookie tagged to server A. This request is therefore sent to server A, but server A's LoadBalanceWeight value doesn't get decremented on this request.

4. The next new request comes in and is sent to server B, whose LoadBalanceWeight value is decremented by 1 to 0.

5. The next request comes in and has a valid session cookie tagged to server B. Server B handles the request and its LoadBalanceWeight value isn't decremented.

6. The next request is new and is sent to server A. The LoadBalanceWeight value for server A is decremented by 1 to 3.

7. The next request is new and is sent to server B. The LoadBalanceWeight value for server B is unchanged; it stays at 0.

8. The next request is new and is sent to server A. The LoadBalanceWeight value for server A is decremented by 1 to 2.

9. The next request comes in and has a valid session cookie tagged to server A. Server A handles the request and its LoadBalanceWeight value isn't decremented.

10. The next request is new and is sent to server B. The LoadBalanceWeight value for server B is unchanged; it stays at 0.

11. The next request is new and is sent to server A. The LoadBalanceWeight value for server A is decremented by 1 to 1.

12. The next request is new and is sent to server B. The LoadBalanceWeight value for server B is unchanged; it stays at 0.

13. The next request is new and is sent to server A. The LoadBalanceWeight value for server A is decremented by 1 to 0.

14. The next request arrives and triggers all values to be reset back to their original settings. The request is deemed new and is sent to server B.

15. And on the process goes.

As you can see, this method of weighting your requests can provide a powerful mechanism for distributing your load. As you add in additional HTTP servers, this distributing mechanism becomes even more powerful.

An important point is that WebSphere 5.0.1 was released with changes to the operation of this weighting. Effectively, the change is that valid session cookie-based requests also decrement the value, but, as the value passes 0 and goes negative, this doesn't trigger a reset or any other state. Each time a request is sent to a server that has a negative value, the server will check to see if the other server had reached 0. If so, then the plug-in checks to see if by adding the original value of LoadBalanceWeight to the negative number it will increase beyond 0. If it does, the plug-in performs the operation and increments the LoadBalanceWeight of the once negatively valued server to the negative_value + original starting value of LoadBalanceWeight .

For example, if server A has its value at -3 and server B is at 0, the plug-in will attempt to take server A's value and add into the initial LoadBalanceWeight , which is 5. Because this takes the value back over 0, the process continues until both servers are at 0 (or the value of one of the servers is at negative something, and the negative_value + original value check is performed again).

If the value of server A is in fact -7, for example, then adding the initial value of a LoadBalanceWeight of 5 won't increase the value above 0. In this case, both servers will have their result of current_value + initial_value multiplied by another HTTP plug-in directive, maxWeight . By default, this is set to 2, so both servers will be reset to the following:

• Server A: (-7 + 5 — 2) = 3

• Server B: (0 + 2 — 2) = 4

Let's take a look at another key WebSphere version 5 HTTP plug-in directive that you can use to support external software or hardware-based load-balancing gear.

WebSphere 5 and External Load Balancers

On occasions, there may be a valid reason why you may not want to use the load-balancing capabilities supported within the HTTP plug-in. There's another plug-in directive, ClusterAddress , that allows you to force non-session affinity requests to an external load balancer.

The ClusterAddress directive is located at the top of the ServerCluster group directive as follows:

 <ServerCluster Name="portalApplication Server Group" RetryInterval="15" LoadBalance="RoundRobin">  <ClusterAddress Name="myCiscoLoadBalancer">   <Transport Hostname="myLoadBalancer.myDomain.com"      Port="80" Protocol="http" />   </ClusterAddress>  <Server Name="portalApp" LoadBalanceWeight="5">              <Transport Hostname="serverA.mydomain.com" Port="10000"    Protocol="http" />          </Server>          <Server Name="portalAppCloned" LoadBalanceWeight="5">              <Transport Hostname="serverB.mydomain.com" Port="10000"    Protocol="http" />           </Server>     <PrimaryServers>          <Server Name="portalApp"/>     </PrimaryServers>    <SecondaryServers>          <Server Name="portalAppCloned"/>   </SecondaryServers> </ServerCluster> 

This directive works as follows: For all new requests that don't have an active session cookie, the plug-in will route the request to the ClusterAddress device ” myLoadBalancer.mydomain.com in this example ”for the external load balancer to handle which server the request should be sent to. Subsequent requests or requests that do have active session cookies will be sent to their affinity server.

Why use this directive? Consider for a moment all the discussion about load balancing and availability around the HTTP plug-in to date. In all cases, you've only been able to route requests to backend servers based on a rule (e.g., a defined route group) or an already established link via a session cookie.

This form of "soft" request distribution can fall down, however, in the case in which the next selected server, based on LoadBalanceWeight , is heavily loaded. This may be due to one large request that's consuming a lot of system resources or there could be a DoS attack or something else that is slowing the environment down (e.g., a bad network). Although it's possible to tweak the RetryInterval to lower values (under 5 seconds), which may provide a "quasi-server load litmus test," this doesn't provide an accurate test of server load.

Many of the high-end load balancers, and even many of the feature-rich software load balancers, allow you to configure them to do one of two things. First, you can configure them to probe the remote WebSphere application servers with a basic HTTP GET call and time the response, distributing the load accordingly . Second, you can install the load balancer's software on your WebSphere application server host and configure it so that the load balancer will continuously interrogate to determine the true load on the server. The load balancer will then route the initial request in a session to the least truly loaded server.

WebSphere 5 ConnectTimeout Setting

In Chapter 6, you explored various tuning options and settings associated with various operating systems' TCP/IP stack configurations. One key point that I discussed related to decreasing the TCP/IP time-out values within the operating system of your choice. I also discussed the risks associated with this, especially because your server that is hosting your WebSphere application server instance may be supporting other TCP/IP-based services. In this case, the setting changes would affect all TCP/IP-based services on the physical node.

To get around this, WebSphere version 5 supports a setting called ConnectTimeout that is accessible and tunable within the HTTP plug-in file used by your chosen HTTP server.

Within the Server directive of the HTTP plug-in configuration file, you can declare the ConnectTimeout setting and value as shown in Listing 7-7.

Listing 7-7: WebSphere Version 5 Example HTTP Plug-in File: ConnectTimeout Value

 <Server CloneID="uk396h0g" Name="portalApp" LoadBalanceWeight="5"  ConnectTimeout=10>  <Transport Hostname="serverA.mydomain.com" Port="10000" Protocol="http" />          </Server> 

 

As you can see from Listing 7-7, the ConnectTimeout value is set to 10, which refers to 10 seconds. This setting sets the plug-in manager to use a nonblocking TCP connect sequence with a timeout of 10 seconds. There isn't a rule of thumb for this setting. The best way to determine its value, if required at all, is to perform testing. Of course, the setting should be lower than that of the TCP/IP time-out value to be of any use.

If the server defined in the Server directive (to which the ConnectTimeout directive is associated) doesn't respond with a TCP connect within the defined value period (e.g., 10 seconds), the plug-in will mark that server as down for the retry period. The setting needs to be set based on your network bandwidth (i.e., speed, capacity, and latency) and the load of the remote server. If you're happy with 15 seconds of lag between client transactions because of a heavily loaded WebSphere application server, this ConnectTimeout directive should be set accordingly.

Finally, this setting can be very useful if you have frontend HTTP servers distributing user requests to backend WebSphere application servers that are located both locally and via WAN (e.g., such as servers located in another city for disaster recovery purposes). For remote servers, you may want to increase the value of this time-out directive, whereas as for local servers, you may want the setting to be lower (e.g., 10 to 20 seconds). For this reason, it's possible to set a different ConnectTimeout value on each server.

Session Failover and Persistence

Session persistence is an integral part of most Web-based applications. Because the primary protocol that Web transactions are conducted over, HTTP, is essentially stateless, there is no default mechanism for storing state. This is different from thick client environments, which may have a Java GUI operating on end user desktops. In this case, the application, or Java GUI that operates on the desktop, stores state in its memory space, like the majority of other client/server-based applications.

The way to get around the stateless environment situation is to employ a mechanism that binds itself to the user's session. There are several ways to implement this "stickiness," but the crux of the solution works by creating a token or identifier that is maintained by the Web client through each URL transaction and having that identifier associate itself with an object on the backend server.

In a Web-based Java world, this works by having a value, known as the session ID, tagged for each active end-user session. That session ID is then maintained by the Web container operating the WebSphere application server. The Web container builds up a session object that incorporates all the session attributes required for the user to use the Web-based application.

You'll need to take into account a number of performance and operational considerations with implementing failover and high availability when session objects are used. Here are a few of them:

• The J2EE Servlet specification requires that all requests for any one particular session is routed back to the originating Web container.

• Session objects can become large. Failing them over and maintaining them in memory can present a performance issue.

• If session persistence is used, consideration needs to be given to the database impact.

Within WebSphere, there are three forms of session affinity and persistence:

• No sessions ”no affinity and no persistence required

• Session affinity with no persistence

• Session affinity with session persistence

The important point to remember is that once a session has been created, all subsequent requests made by that particular session will go back to the originating WebSphere application server (Web container). This is important to remember when modeling and designing your topological architecture. Consider it from an application perspective.

Let's say the application that you're serving on a WebSphere platform is some form of online payment system. You may have three pages to get through in order to make your payment. That is, page 1 is where you enter in your invoice or bill number, page 2 would be your personal details such as delivery address and so forth, and page 3 may be where you enter in your credit card details. Each page click will most likely store the preceding built-up information into a session object. Going from page 1 to page 2 will store the tax and invoice details into the user session, going from page 2 to page 3 will add in the personal details of the user, and so on.

Consider what will happen if between page 2 and page 3 the application server crashed. If you had no session persistence, your user would have to start all over again. This is only an annoyance, but it's something that users don't like (a studied, proven fact). If your application is more critical than for producing payments, then the consequences of a lost session could be higher.

Session persistence is therefore the key to surviving Web container failovers within WebSphere. The version of WebSphere you're running will determine your options for session persistence. With WebSphere version 4, the only option available is a database as data store. For version 5, you have the option of either using a database or using the WebSphere memory-to-memory replication or Dynamic Replication Service (DRS).

Before moving on, let's look at how a session failover would take place, as shown in Figure 7-11.

Figure 7-11: An example of session management with WebSphere

Figure 7-11 shows a user, user 1, logging into a WebSphere-based application. The heavier thick lines show the path user 1's requests would take after establishing a session with server A. You'll also note the session lists for both server A and server B, which depict what sessions are active on each server, on the right side of the image.

If server A failed, for whatever reason, the way in which persistent sessions work is that the subsequent request will be redirected by the plug-in to the next available server in the ServerGroup or ServerCluster list.

Figure 7-12 shows how the plug-in redirects all user requests away from the dead server to one of the remaining active servers, which in turn retrieves the session objects from the database.

Figure 7-12: An example of session management with WebSphere in a failover scenario

As you can see, the session failover is transparent to the user with the caveat that there may be a slight delay (a couple of seconds) while the session is retrieved.

It goes without saying that persisting user sessions to a database introduces extra load onto the database tier . Be sure that you account for this type of load, as well as peak load periods when failover events are taking place. It's worthwhile assuming that during a peak period such as a failover situation, your load on specific components of your environment may increase threefold during initial transaction cutover.

You'll need to factor in a few other considerations into your design when you implement sessions or, more specifically , persistent sessions. That is, how do you ensure that your developers or the applications you're deploying into WebSphere support your chosen method of gluing sessions to requests?

Failover Process

In the event the HTTP plug-in identifies that a Web container has stopped listening, the HTTP plug-in will perform one of many functions. Referring back to Table 7-1, the third column suggests approximate times for how long it will take a HTTP plug-in to acknowledge that a Web container is unavailable, mark that server as dead, and move on to the next available server. This is important because all the backend application servers in the world won't help you out if you're banking up connections waiting for response times on your user requests.

The "lengthy" time interval items, being "Physical server unavailable" and "Network infrastructure problem," are probably the worst offenders to user transaction delays. The reason for this is that the plug-in will continue to try to connect to the host system until the local host system's TCP connection time-out threshold has been reached. This is different from the "Application JVM crash" scenario. In this case, the operating system of the WebSphere application server, while functional, doesn't have an active listening port on the specific port that the HTTP plug-in is attempting to connect to. In this scenario, the operating system responds back immediately with a connection refused message (no different from a connection refused message if you try to telnet into a server in which the telnet daemon has been shut down or deactivated).

As you saw in Chapter 6, you need to undertake changing these types of settings with great care. If you're running WebSphere version 5, there is a HTTP plug-in feature to get around this problem, which I discuss shortly. If you're running WebSphere version 4, you may want to consider reducing the TCP connection time-out setting on your operating system if you have stand-alone Web servers.

There are several settings configured in the WebSphere version 5 HTTP plugin on the Web servers that can help you eliminate delays between when servers are made unavailable. Unfortunately, these options are only available in WebSphere version 5. The settings that you can change to help eliminate delays in recognizing dead or unresponsive clones are as follows:

• RetryInterval

• ConnectTime

In the next sections you'll examine these settings in more detail.