Layer7 API Management

  • 1.  How to disable /ssg/ping on only first GW out of cluster of so many?

    Posted Jun 23, 2017 04:50 PM

    We know that Load balancer can yous /ssg/ping to health check GW.  Is there a way to return  Not OK or disable /ssg/ping for only the first node of a 9.2.3 GW cluster?



  • 2.  Re: How to disable /ssg/ping on only first GW out of cluster of so many?

    Broadcom Employee
    Posted Jun 26, 2017 09:20 AM

    Hello,

     

    You can disable the ping service by following the below steps:

     

    - Log into Policy Manager with admin

    - Tasks > Transports  > Manage Listen Ports

    - Select the port you're going over (8443 for example) > Properties

    - Under enabled features, expand 'Built-in services'

    - Uncheck Ping service

     

    ***if you plan on making changes on a specific port, you must log into Policy Manager with a different port other than the one you are changing ***

     

    -Alec Daniello

    APIM Support



  • 3.  Re: How to disable /ssg/ping on only first GW out of cluster of so many?

    Posted Jun 26, 2017 09:39 AM

    Alec,

    I believe the steps you provided will disable ping on entire cluster of gateways.

    I just want to disable /ssg/ping on one of the server within a cluster.

    Makes sense?



  • 4.  Re: How to disable /ssg/ping on only first GW out of cluster of so many?
    Best Answer

    Posted Jun 26, 2017 10:52 AM

    Hello Rakesh Ray

     

    You can only control the ssg/ping service on a particular listen port, so you would have to ahve a seperate interface defined for each node with a separate listen port configured which (if even possible) would be difficult to maintain. 

     

    I know of another customer that created there own ping service over the cluster and used that to enable or disable specific nodes.  You can use ${ssgnode.hostname} to determine the current node and then return a response via retrun template to sender assertion. 

     

    Regards

    Christopher Clark

    CA Support



  • 5.  Re: How to disable /ssg/ping on only first GW out of cluster of so many?

    Posted Jun 26, 2017 12:22 PM

    Christopher,

    Very useful suggestion.  I am considering this for an existing deployment already in production. Both of above suggestion will need  Load balancer  KA URL change. 

    I just want the first node in the cluster to not take any request, can we just shutdown or disable ssg on first node of a cluster somehow? ( First and second node runs MySQL and cluster size is 8 to 10 nodes). Would it cause any trouble considering mysql  runs on first and second node?



  • 6.  Re: How to disable /ssg/ping on only first GW out of cluster of so many?

    Posted Jun 27, 2017 10:11 AM

    Hi

     

    You can have a database only node without ssg running.  A lot of customers with large clusters use this setup. 

     

    Regards

    Christopher Clark

    CA Support



  • 7.  Re: How to disable /ssg/ping on only first GW out of cluster of so many?

    Posted Jul 14, 2017 12:08 PM

    Chris,

    Are these database only nodes are part of the cluster of a separate cluster?  if it is part of same cluster how do they disable ssg?  As per my observation when ssg process goes down, it tries to restart by itself.



  • 8.  Re: How to disable /ssg/ping on only first GW out of cluster of so many?

    Posted Jul 17, 2017 04:39 AM

    Hello Rajesh

     

    The ssg process is managed by a controller process 'kill' it then it will be restarted.  In the short term you can stop ssg either via the command 'service ssg stop' or via the ssgconfig console menu (Choose option 2, followed by 7).  If you want to stop the ssg process starting at boot time then at the ssgconfig console menu choose option 2, then 3  followed by 4 Node Configuration.  At the Enabled prompt choose 'No'.

     

    Hope this is useful.

    Christopher Clark
    CA Support



  • 9.  Re: How to disable /ssg/ping on only first GW out of cluster of so many?

    Posted Jun 29, 2017 12:50 PM

    Additional important reasons not to use /ssg/ping for your load balancer health check:

    This service runs in the apache layer, which means it can be up with the ssg service is not, giving the load balancer a false impression that the gateway is ready to accept traffic.

    Typically you want the health check on the same port as services, which means the /ssg/ping service would be exposed to clients, and therefore they can identify (by it's existance) that you are running a CA API Gateway (anonymity and obfuscation are your first line of defense).

    The /ssg/ping service is useful for diagnostics and troubleshooting, which requires that password mode be enabled, however load balancers usually require that it be in ananymous mode (and if not in anonymous then the account used by the load balancers might lock resulting in the services being unavailable).

    (And of course, it can't do what you are trying to, which Chris outlined how.)