CA Service Management

Hello Community,

I have completed the installation of the Service Desk 17 and Looking for inputs to add the network domain name and network loadbalancer.

Currently I am able to access the application on tomcat port 8080.

do I need to configure the secure SSL on port 443 and 8443, please advise.

Thank you,

Venkat

Hi Venkat,

I think there is some confusion here as you are talking about two different things.  You mention that you want to use a load balancer, which is fine and can be done - I can explain a bit about that.  But then you mention configuring SSL which is a separate thing all together.  Regarding SSL, we recommend that if you choose to implement SSL, that you implement it for ALL tomcat and IIS instances being used for SDM (Service Desk Tomcat, Xflow, Visualizer, Support Automation, PAM etc...) so that inter-application communication all occurs via SSL.  To do that, you would need to create a java keystore, then generate a cert request for each keystore on each server in the environment, and then send those cert requests to a certificate vendor to get a certificate for each server, then finally import the appropriate certificates into the keystore on each server.  There are a few sections in the documentation along with several tec docs available for setting up SSL.  I wont put the specific links here as they may or may not be relevant to your environment, but if you search for SSL in the main documentation page, you should find what you need - the main site is here: CA Service Management Home - CA Service Management - 17.0 - CA Technologies Documentation 

Now, as for the load balancer.  I am not sure of your environment architecture here, so first I would need to understand if you are using Advanced Availability or Conventional setup and how many servers you have there.   The basics are that YES, you can use a load balancer such as an "F5" to balance the load between Secodnary servers (Conventional) or APP Servers (Advanced Availability).  The only requirement is that "Session Persistence" (sometimes called "Sticky Sessions") must be turned on in the load balancer so that web sessions stay on the server which they are originated, otherwise the end users will get errors.    If you can give us an idea of what you are looking to do specifically, then we can make some recommendations based on the needs.   Here are the questions that we would ask:

1. what type of architecture (AA or Conventional)

2. how many secondary or app servers

3. do you use any custom web services applications to open or update tickets or other data in service desk from outside the application?

4. do you have any integrations with SDM such as CA PAM, USS, or any other CA or non-CA applications?

5. 

Sorry - last reply got cut of - here it is again...

Hi Venkat,

I think there is some confusion here as you are talking about two different things.  You mention that you want to use a load balancer, which is fine and can be done - I can explain a bit about that.  But then you mention configuring SSL which is a separate thing all together.  Regarding SSL, we recommend that if you choose to implement SSL, that you implement it for ALL tomcat and IIS instances being used for SDM (Service Desk Tomcat, Xflow, Visualizer, Support Automation, PAM etc...) so that inter-application communication all occurs via SSL.  To do that, you would need to create a java keystore, then generate a cert request for each keystore on each server in the environment, and then send those cert requests to a certificate vendor to get a certificate for each server, then finally import the appropriate certificates into the keystore on each server.  There are a few sections in the documentation along with several tec docs available for setting up SSL.  I wont put the specific links here as they may or may not be relevant to your environment, but if you search for SSL in the main documentation page, you should find what you need - the main site is here: CA Service Management Home - CA Service Management - 17.0 - CA Technologies Documentation 

Now, as for the load balancer.  I am not sure of your environment architecture here, so first I would need to understand if you are using Advanced Availability or Conventional setup and how many servers you have there.   The basics are that YES, you can use a load balancer such as an "F5" to balance the load between Secodnary servers (Conventional) or APP Servers (Advanced Availability).  The only requirement is that "Session Persistence" (sometimes called "Sticky Sessions") must be turned on in the load balancer so that web sessions stay on the server which they are originated, otherwise the end users will get errors.    If you can give us an idea of what you are looking to do specifically, then we can make some recommendations based on the needs.   Here are the questions that we would ask:

1. what type of architecture (AA or Conventional)

2. how many secondary or app servers

3. do you use any custom web services applications to open or update tickets or other data in service desk from outside the application?

4. do you have any integrations with SDM such as CA PAM, USS, or any other CA or non-CA applications?

5.how many users will be logged into SDM at any given time?  How many of those are analysts and how many are employees/customers?

6. are you using Xflow/Elastic Search?

Let us know,

Thanks,
Jon I.

Thank you Jon, for clarifying. This question is more about for the loadbalancer than  enabling the SSL communication.

Please find the below my response

1. what type of architecture (AA or Conventional)

Advance availability

2. how many secondary or app servers

2 Application Servers ( planning to extend to 4)

3. do you use any custom web services applications to open or update tickets or other data in service desk from outside the application?

Yeah we have In built application which creates and updates the tickets.

4. do you have any integrations with SDM such as CA PAM, USS, or any other CA or non-CA applications?

We have PAM and SC and Vendor Automation tools.

5.how many users will be logged into SDM at any given time?  How many of those are analysts and how many are employees/customers?

Approximately 100 Analysts, 200 Users

6. are you using Xflow/Elastic Search?

As of now we are not using

and where can I enable stickysession is it in Loadbalancer configuration.

Thank you,

Venkat

Hi Venkat,

So I am not sure how many web services transactions take place per day in your environment, but if its a high amount, then I would recommend creating a separate set of app servers just for web services, and then creating 2 app servers for the users to use.  Then you would have two load balancer entries - one pointing to the set of app servers for the users, and another pointing to the other set of app servers for web services.  This separates the web services from the users and thus if web services goes rogue or gets overloaded, the users are not affected at all.  You can also point PAM, SC and other tools to the set of web services app servers - also protecting the users from those other applications going rogue as well.

I think that type of setup would serve you the best and make the system strong enough to handle the current load and a bit of growth as needed.

Hope this helps,

Jon I.

In my organisation we A10 load balancer. Right Know I just have SD 17 installation and communction on port 8080, is there any other pre requisites needs to accomplish in Service Desk configuration before going to load balancer configuration. Please advise.

Thank you 

Venkat

any advise.

Hi Venkat - No you dont have to configure anything specific.  I am not sure what you are asking for specifically - did you have any specific questions?  

Jon I.

Thank you Jon, I got to know that I have to enable the SSL communication and then have to ask the Network team to configure the loadbalancer.

If you are going to be using SSL, then YES you will want to configure SSL across ALL tomcat instances (and IIS if you are using that as well), and across all applications that you are integrating with SDM so that everything is communicating via SSL.  Then you can point your load balancer to the SSL addresses.  Just make sure that you have SSL on the load balancer VIP/alias URL as well, and remember to turn on "session persistence" on the load balancer.

Thanks,

Jon I.