Creating a monitoring page on a server protected by the Web agent lets you remove the agent from the load balancer's health check, or at least from its policy evaluation.
This monitoring page should be an unprotected resource and exist on the Not Enforced URL list. Even though the URL is on the Not Enforced URL list, the agent is still invoked each time the load balancer checks the monitoring page to determine whether the resource needs protecting or not; this means you can use this configuration to check if the agent is responding without the need for policy evaluation.
If you want to remove the reliance on the agent from your load balancer checks entirely, that is, prevent the agent from being invoked at all, you can use fallback mode. Once you have configured your monitoring page and added it to the Not Enforced URL list, you can configure fallback mode as described in Not-Enforced URL and IP. There is a known issue with this in some versions: AMAGENTS-3303 (Fallback mode does not work reliably). This is fixed in Web agents 5.6.3.
You can create a monitoring page as follows:
1. Create a monitor.html file on one of the servers being protected by the Web agent. This file can simply contain the opening and closing HTML tags; for example, you can use the printf command to create it as follows:
   $ printf '<HTML>\n</HTML>' > monitor.html
2. Add the URL for this monitoring page to the Not Enforced URL list for this server:
   - Console: navigate to: Realms > [Realm Name] > Applications > Agents > Web > [Agent Name] > Application > Not Enforced URLs and add the URL for the monitoring page, for example: http://www.host1.example.com:8080/monitor.html
   - ssoadm: enter the following command:
     $ ./ssoadm update-agent -e [realmname] -b [agentname] -u [adminID] -f [passwordfile] -a com.sun.identity.agents.config.notenforced.url=[URL]
     replacing [realmname], [agentname], [adminID], [passwordfile] and [URL] with appropriate values.
3. Repeat steps 1 and 2 on each server being protected by the Web agent.
The load balancer will now check the monitoring page URL, for example, http://www.host1.example.com:8080/monitor.html on each server to check if the server is up.
You can check this by navigating to the monitoring page URL and observing that you do not need to log in; if you check the agent debug log (when the debug level is set to All) you will see that the agent has been invoked to determine if the resource needs protecting and matches the URL on the Not Enforced URL list. For example:

    2016-08-16 20:33:53.504 Debug 65819:7f22ec000950 all: in_not_enforced_list(http://host1.example.com:8080/monitor.html): matched 'http://host1.example.com:8080/monitor.html' entry in not-enforced list
    2016-08-16 20:33:53.504 Debug 65819:7f22ec000950 all: in_not_enforced_list: Allowing access to http://host1.example.com:8080/monitor.html
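The following script is an added example and is not part of the original article or of the Web agent product. It covers step 1 of the procedure (writing the monitoring page) and the debug log check described above: it creates monitor.html in a given document root, then reads an agent debug log and reports how many times the agent allowed access to the monitoring page via the Not Enforced URL list and which list entry it matched. The monitoring URL, the document root path and the log excerpt are assumptions; the log lines are constructed from the format shown in the article (two health-check hits at debug level All).

```shell
#!/bin/sh
# Added example, not from the original article or the Web agent product.
# Assumptions: MONITOR_URL, the document root path and SAMPLE_LOG are constructed
# here from the format the article shows.

MONITOR_URL="http://host1.example.com:8080/monitor.html"

# Step 1 of the procedure: write the minimal monitoring page into the given
# document root. Succeeds only if the file was created and is non-empty.
create_monitor_page() {
  docroot="$1"
  printf '<HTML>\n</HTML>' > "$docroot/monitor.html" || return 1
  [ -s "$docroot/monitor.html" ]
}

# Count the "Allowing access to <url>" lines for exactly this URL in a debug log
# read from stdin. Comparing the last field, rather than grepping for a prefix,
# keeps e.g. /monitor.html.bak from being counted as /monitor.html.
count_not_enforced_allows() {
  awk -v u="$1" '
    /in_not_enforced_list: Allowing access to / && $NF == u { n++ }
    END { print n + 0 }'
}

# Print the Not Enforced URL list entry that the agent matched for this URL,
# taken from the first "matched '<entry>' entry in not-enforced list" line.
matched_entry_for() {
  grep -F "in_not_enforced_list($1): matched '" \
    | sed -n "s/.*matched '\([^']*\)' entry.*/\1/p" \
    | head -n 1
}

# Constructed debug log excerpt (debug level All): two load balancer hits on
# the monitoring page, each producing a "matched" line and an "Allowing" line.
SAMPLE_LOG=$(cat <<'EOF'
2016-08-16 20:33:53.504 Debug 65819:7f22ec000950 all: in_not_enforced_list(http://host1.example.com:8080/monitor.html): matched 'http://host1.example.com:8080/monitor.html' entry in not-enforced list
2016-08-16 20:33:53.504 Debug 65819:7f22ec000950 all: in_not_enforced_list: Allowing access to http://host1.example.com:8080/monitor.html
2016-08-16 20:34:23.511 Debug 65819:7f22ec000950 all: in_not_enforced_list(http://host1.example.com:8080/monitor.html): matched 'http://host1.example.com:8080/monitor.html' entry in not-enforced list
2016-08-16 20:34:23.511 Debug 65819:7f22ec000950 all: in_not_enforced_list: Allowing access to http://host1.example.com:8080/monitor.html
EOF
)

# Stand-alone run: create the page in a temporary directory and inspect the
# constructed log. On a real server, replace the directory with the document
# root and pipe the agent debug log into the two functions instead.
tmpdir=$(mktemp -d)
create_monitor_page "$tmpdir" && echo "created $tmpdir/monitor.html"
printf 'health-check hits allowed for %s: ' "$MONITOR_URL"
printf '%s\n' "$SAMPLE_LOG" | count_not_enforced_allows "$MONITOR_URL"
printf 'matched not-enforced entry: '
printf '%s\n' "$SAMPLE_LOG" | matched_entry_for "$MONITOR_URL"
rm -rf "$tmpdir"
```

A count that stays at zero while the load balancer is polling means the request never reached the agent's not-enforced evaluation (for example, the URL in the list does not match the URL the load balancer actually requests, including scheme, host and port), which is the first thing to verify before enabling fallback mode.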