Session cache reference

Use the Cluster Configuration management page to administer cluster support for the appliance.

You can view and update the current cluster session cache configuration:
Worker threads
The number of worker threads that handle the server requests. At a minimum, use a number that is greater than the maximum number of clients.
Maximum session lifetime
The maximum lifetime in seconds for each session. Use a value greater than the maximum lifetime of all clients. That is, use a value greater than the maximum [session] timeout value that the WebSEAL clients use.

For more information about the [session] timeout configuration entry, see the Web Reverse Proxy stanza reference topics in the Knowledge Center.

Maximum session list
The maximum number of sessions returned by the dscadmin utility. The default limit for a session query is 1024 results. Increasing this limit can have a performance impact on the session cache.
Client grace period
The grace period in seconds that a client has available to restart and register an interest in the session again before the session is removed from the session cache. This period gives the client a chance to restart without losing the session from the server.

Use a similar value to the idle timeout value for the session on the client. That is, use a value similar to the [session] inactive-timeout value that is set in the client Web Reverse Proxy configuration.

For more information about the [session] inactive-timeout configuration entry, see the Web Reverse Proxy stanza reference topics in the Knowledge Center.

Connection idle timeout
The maximum length of time that a connection from a client can remain idle before the server closes it. A value of 0 indicates that connections are not reused. The default value is 0.
Support internal clients only
Indicates that only internal clients can use the distributed session cache.
Notes:
  • If this option is selected, the remaining fields are disabled.
  • Clients can be turned off. For more information about failover events, search for the Options for handling session failover events topic in the Administering topics in the Knowledge Center. For more information about configuration properties, see Advanced configuration properties in "Advanced Access Control Configuration topics".

Support internal and external clients
Indicates that both internal and external clients can use the distributed session cache.
Note: To share the key files across the cluster, navigate to the SSL Certificates page and select the Replicate with Cluster check box.

The session cache supports mutual TLS. Ensure that the client's certificate is added to the Distributed Session Cache (DSC) server's trust store and that the server's certificate is added to the client's trust store.

By default, the DSC supports internal clients only and runs on ports 2026 and 2027. If external client support is required, use a different port.

Port
The port on which external clients can communicate with the session cache. This field is mandatory if you enable support for internal and external clients.
Enable SSL
If selected, the distributed session cache uses secure communication with its clients.
Note: If you enable SSL, you must also configure the Keyfile.
Keyfile
Lists the existing keyfiles on the appliance. These keyfiles are managed from the SSL certificates page. You can click the SSL Certificates link on the right to go to that page.
Note: If you want to share the key files across the cluster, you must go to the SSL Certificates page and select the Replicate with Cluster check box.
Label
Lists the certificate labels in the selected keyfile. This field is disabled if a keyfile is not selected.
SSL key agreement

Specifies the key agreement mode for TLS 1.2 and TLS 1.3. It defines the key agreements that the distributed session cache accepts from the clients. This field is enabled only when Enable SSL is selected.

SSL supported groups

Specifies a comma-separated list of supported groups to accept the TLS 1.2 and TLS 1.3 key agreements. This field is enabled only when SSL Key Agreement is set to Custom.

Allow RSA key exchange

Specifies whether the RSA algorithm should be accepted for key exchange. The RSA algorithm does not provide forward secrecy. This configuration does not affect the use of the ECDHE-RSA algorithm. This field is enabled only when Enable SSL is selected.

Permitted SSL signature algorithms

The public key signature algorithms that are permitted for establishing TLS connections with the DSC server. The valid values are "RSA_WITH_SHA224", "RSA_WITH_SHA256", "RSA_WITH_SHA384", "RSA_WITH_SHA512", "ECDSA_WITH_SHA224", "ECDSA_WITH_SHA256", "ECDSA_WITH_SHA384", and "ECDSA_WITH_SHA512".

Permitted TLS 1.2 encryption algorithms

The TLS 1.2 CipherSpecs that are permitted for establishing TLS connections to the DSC server. The valid values are "TLS_RSA_WITH_NULL_NULL", "TLS_DHE_R_RSA_WITH_AES_256_CBC_SHA", "TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8", "TLS_RSA_WITH_NULL_SHA256", "TLS_RSA_WITH_NULL_SHA", "TLS_ECDHE_RSA_WITH_NULL_SHA", "TLS_ECDHE_ECDSA_WITH_NULL_SHA", "TLS_RSA_WITH_AES_128_CCM", "TLS_RSA_WITH_AES_256_CCM", "TLS_DHE_RSA_WITH_AES_128_CCM", "TLS_DHE_RSA_WITH_AES_256_CCM", "TLS_RSA_WITH_AES_128_CCM_8", "TLS_RSA_WITH_AES_256_CCM_8", "TLS_DHE_RSA_WITH_AES_128_CCM_8", "TLS_DHE_RSA_WITH_AES_256_CCM_8", "TLS_PSK_WITH_AES_128_CCM", "TLS_PSK_WITH_AES_256_CCM", "TLS_DHE_PSK_WITH_AES_128_CCM", "TLS_DHE_PSK_WITH_AES_256_CCM", "TLS_PSK_WITH_AES_128_CCM_8", "TLS_PSK_WITH_AES_256_CCM_8", "TLS_DHE_PSK_WITH_AES_128_CCM_8", "TLS_DHE_PSK_WITH_AES_256_CCM_8", "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256", "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_DHE_PSK_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256", "TLS_RSA_WITH_AES_128_GCM_SHA256", "TLS_RSA_WITH_AES_256_GCM_SHA384", "TLS_RSA_WITH_AES_128_CBC_SHA256", "TLS_RSA_WITH_AES_256_CBC_SHA256", "TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_256_CBC_SHA", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", and "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384".

Permitted TLS 1.3 encryption algorithms

The TLS 1.3 CipherSpecs that are permitted for establishing connections to the DSC. The valid values are "TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256", "TLS_AES_128_CCM_SHA256", and "ECDSA_WITH_SHA512".
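The permitted CipherSpec lists above mix suites with very different properties: static RSA key exchange (no forward secrecy, which is what the Allow RSA key exchange toggle governs), ECDHE-RSA and ECDHE-ECDSA suites (forward secret, unaffected by that toggle), PSK suites, and several NULL-encryption suites that provide no confidentiality at all. The following is an added example, not appliance code: it classifies CipherSpec names by their key-exchange component so a reviewer can derive a policy-conformant subset before pasting it into the field. The classification rests on the standard `TLS_<kex>_WITH_<cipher>_<mac>` naming convention; the function names and the constructed sample list are this example's own.

```python
"""Classify TLS CipherSpec names by key exchange and filter them to a policy.

Added example; not part of the appliance. Relies only on the standard
IANA-style naming convention TLS_<kex>_WITH_<cipher>_<mac> for TLS 1.2
and TLS_<aead>_<hash> (no _WITH_) for TLS 1.3.
"""


def key_exchange(spec: str) -> str:
    """Return the key-exchange component of a CipherSpec name.

    TLS 1.3 suites carry no key-exchange component in the name because
    the protocol always uses (EC)DHE; they are reported as 'TLS1.3'.
    """
    if not spec.startswith("TLS_"):
        raise ValueError(f"not a CipherSpec name: {spec!r}")
    if "_WITH_" not in spec:
        return "TLS1.3"
    return spec[len("TLS_"):spec.index("_WITH_")]


def provides_forward_secrecy(spec: str) -> bool:
    """True for ephemeral (EC)DHE suites and all TLS 1.3 suites."""
    kex = key_exchange(spec)
    return kex == "TLS1.3" or kex.startswith(("ECDHE", "DHE"))


def is_null_encryption(spec: str) -> bool:
    """True for suites whose bulk cipher is NULL (no confidentiality)."""
    return "_WITH_NULL_" in spec


def filter_permitted(specs: list[str], *, allow_rsa_key_exchange: bool = False,
                     require_forward_secrecy: bool = False,
                     allow_null: bool = False) -> list[str]:
    """Return the subset of `specs` that matches the chosen policy.

    allow_rsa_key_exchange=False mirrors leaving "Allow RSA key exchange"
    unselected: static TLS_RSA_* suites are dropped, while ECDHE-RSA and
    DHE-RSA suites (which only *sign* with RSA) are kept.
    """
    kept = []
    for spec in specs:
        if not allow_null and is_null_encryption(spec):
            continue
        if not allow_rsa_key_exchange and key_exchange(spec) == "RSA":
            continue
        if require_forward_secrecy and not provides_forward_secrecy(spec):
            continue
        kept.append(spec)
    return kept


# Constructed sample drawn from the kinds of names in the permitted lists.
SAMPLE_TLS12 = [
    "TLS_RSA_WITH_NULL_NULL",
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_NULL_SHA",
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_DHE_RSA_WITH_AES_128_CCM",
    "TLS_PSK_WITH_AES_256_CCM",
]

if __name__ == "__main__":
    for spec in SAMPLE_TLS12:
        print(f"{spec:48} kex={key_exchange(spec):12} "
              f"fs={provides_forward_secrecy(spec)} null={is_null_encryption(spec)}")
    print("policy (no static RSA, no NULL, forward secrecy required):")
    print(", ".join(filter_permitted(SAMPLE_TLS12, require_forward_secrecy=True)))
```

With the defaults the filter keeps the ECDHE-RSA, ECDHE-ECDSA, DHE-RSA and PSK suites and drops the static-RSA and NULL ones; adding `require_forward_secrecy=True` also removes the plain PSK suite, which is the subset to prefer when the Allow RSA key exchange field is left unselected.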

Trace level

Specifies the trace level for the DSC as an integer from 0 to 9. A value of 0 disables tracing; 9 is the maximum trace level.

Note: The trace level setting is not part of the cluster policy. As a result, this setting is not replicated across the cluster and does not persist across firmware updates. The trace messages are written to the log file for the DSC.