Managing Distributed Session Cache in Containers

Use this page to view and update the Distributed Session Cache (DSC) configuration data in a container environment.

About this task

This page is available only when Verify Identity Access is running in a container environment.

Procedure

  1. From the top menu, select System > Network Settings > DSC Configuration.
  2. Specify the general settings.
    Worker threads
    The number of worker threads that are allocated to processing requests.
    Maximum session lifetime
    The maximum lifetime (in seconds) of any session that is stored by the DSC.
    Maximum session list
    The maximum number of sessions returned from a dscadmin session list query. Default limit is 1024 sessions. Increasing this limit can impact the performance of the session cache.
    Client grace period
    The length of time (in seconds) that a client (aka Web Reverse Proxy) has to reconnect before sessions that are owned by that client are discarded.
    Connection idle timeout
    The maximum length of time that a connection from a client can remain idle before it is closed by the server. A value of 0 indicates that connections will not be reused. The default value is 0.
    Service port
    The port number on which the DSC will listen for requests.
    Replication port
    The port number on which the DSC will listen for requests from replicated DSC servers.
  3. Specify the external connection settings. This data is used when configuring the DSC clients (aka Web Reverse Proxy and administration client). It corresponds to the host identifier and port used to connect to the replication and session services of the various DSC servers. For failover purposes, up to 4 DSC servers can be configured (primary, secondary, tertiary, and quaternary).
    Address
    The IP address or resolvable host name over which clients can connect to the DSC.
    Service port
    The port that can be used by clients to connect to the DSC for session requests. This port can be different to the configured Service Port under general settings due to the port mapping capability of containers.
    Replication port
    The port that a DSC server should use when connecting to a replicated DSC server. This port can be different to the configured Replication Port under general settings due to the port mapping capability of containers.
    SSL key agreement
    Specifies the key agreement mode for TLS 1.2 and TLS 1.3. It defines the key agreements that the distributed session cache accepts from clients.
    SSL supported groups
    Specifies a comma-separated list of supported groups to accept the TLS 1.2 and TLS 1.3 key agreements. This field is enabled only when SSL Key Agreement is set to Custom.
    Allow RSA key exchange
    Specifies whether the RSA algorithm should be accepted for key exchange. The RSA algorithm does not provide forward secrecy. This configuration does not affect use of the ECDHE-RSA algorithm.
    Permitted SSL signature algorithms
    The public key algorithms that are permitted for establishing TLS connections with the DSC. The valid values are "RSA_WITH_SHA224", "RSA_WITH_SHA256", "RSA_WITH_SHA384", "RSA_WITH_SHA512", "ECDSA_WITH_SHA224", "ECDSA_WITH_SHA256", "ECDSA_WITH_SHA384", and "ECDSA_WITH_SHA512".
    Permitted TLS1.2 encryption algorithms
    The TLS 1.2 CipherSpecs that are permitted for establishing TLS connections to the DSC server. The valid values are "TLS_RSA_WITH_NULL_NULL", "TLS_DHE_R_RSA_WITH_AES_256_CBC_SHA", "TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8", "TLS_RSA_WITH_NULL_SHA256", "TLS_RSA_WITH_NULL_SHA", "TLS_ECDHE_RSA_WITH_NULL_SHA", "TLS_ECDHE_ECDSA_WITH_NULL_SHA", "TLS_RSA_WITH_AES_128_CCM", "TLS_RSA_WITH_AES_256_CCM", "TLS_DHE_RSA_WITH_AES_128_CCM", "TLS_DHE_RSA_WITH_AES_256_CCM", "TLS_RSA_WITH_AES_128_CCM_8", "TLS_RSA_WITH_AES_256_CCM_8", "TLS_DHE_RSA_WITH_AES_128_CCM_8", "TLS_DHE_RSA_WITH_AES_256_CCM_8", "TLS_PSK_WITH_AES_128_CCM", "TLS_PSK_WITH_AES_256_CCM", "TLS_DHE_PSK_WITH_AES_128_CCM", "TLS_DHE_PSK_WITH_AES_256_CCM", "TLS_PSK_WITH_AES_128_CCM_8", "TLS_PSK_WITH_AES_256_CCM_8", "TLS_DHE_PSK_WITH_AES_128_CCM_8", "TLS_DHE_PSK_WITH_AES_256_CCM_8", "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256", "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_DHE_PSK_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256", "TLS_RSA_WITH_AES_128_GCM_SHA256", "TLS_RSA_WITH_AES_256_GCM_SHA384", "TLS_RSA_WITH_AES_128_CBC_SHA256", "TLS_RSA_WITH_AES_256_CBC_SHA256", "TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_256_CBC_SHA", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", and "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384".
    Permitted TLS1.3 encryption algorithms
    The TLS 1.3 CipherSpecs that are permitted for establishing connections to the DSC. The valid values are "TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256", "TLS_AES_128_CCM_SHA256", and "TLS_AES_128_CCM_8_SHA256".
  4. Click Save.
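
The valid CipherSpec values in step 3 include entries with no encryption and entries whose key exchange gives no forward secrecy, so it helps to review a selection before saving it. The following is an added example, not part of the product or its documentation: it classifies CipherSpec names purely from what the name encodes. The function names, the finding labels, and the sample selection are assumptions made for illustration.

```python
# Added example: classify CipherSpec names from this page by what the name encodes.
# Function names, finding labels and SAMPLE are constructed for illustration.

FORWARD_SECRET_KEX = {"DHE_RSA", "DHE_PSK", "ECDHE_RSA", "ECDHE_ECDSA", "ECDHE_PSK"}
STATIC_KEX = {"RSA", "PSK"}  # no ephemeral (EC)DH share, so no forward secrecy


def audit_cipherspec(name):
    """Return the list of finding labels for one CipherSpec name."""
    name = name.strip().strip('"')
    if not name.startswith("TLS_"):
        return ["unrecognized-name"]
    body, findings = name[len("TLS_"):], []
    if "_WITH_" in body:
        # TLS 1.2 form: TLS_<key exchange>_WITH_<cipher>_<hash>
        kex, cipher = body.split("_WITH_", 1)
        if kex in STATIC_KEX:
            findings.append("no-forward-secrecy")
        elif kex not in FORWARD_SECRET_KEX:
            findings.append("unknown-key-exchange")
    else:
        # TLS 1.3 form: TLS_<cipher>_<hash>; key agreement is always ephemeral
        cipher = body
    parts = cipher.split("_")
    if "NULL" in parts:
        findings.append("null-encryption")   # traffic is not encrypted
    if "CBC" in parts:
        findings.append("cbc-mode")          # MAC-then-encrypt, not AEAD
    if "CCM" in parts and "8" in parts:
        findings.append("short-auth-tag")    # 8-octet authentication tag
    return findings


def audit(names):
    """Map each normalized name that has findings to them; clean names are omitted."""
    results = {n.strip().strip('"'): audit_cipherspec(n) for n in names}
    return {n: f for n, f in results.items() if f}


# Constructed sample selection using values listed on this page.
SAMPLE = ["TLS_RSA_WITH_NULL_NULL", "TLS_RSA_WITH_AES_128_CBC_SHA",
          "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_AES_128_CCM_8_SHA256",
          "TLS_AES_256_GCM_SHA384"]

if __name__ == "__main__":
    for spec, found in audit(SAMPLE).items():
        print(f"{spec}: {', '.join(found)}")
```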