HP e-Commerce XML Director SA8250 Users Manual Senior Technical Writer

2015-01-05


Page Count: 394

KSHFRPPHUFH
[POGLUHFWRUVHUYHU
DSSOLDQFHVD
XVHUJXLGH
© Copyright 2001 Hewlett-Packard Company. All rights reserved.
Hewlett-Packard Company
3000 Hanover Street
Palo Alto, CA 94304-1185
Publication Number
5971-3003
March 2001
Disclaimer
The information contained in this document is subject to change without notice.
HEWLETT-PACKARD COMPANY MAKES NO WARRANTY OF ANY
KIND WITH REGARD TO THIS MATERIAL, INCLUDING, BUT NOT
LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
AND FITNESS FOR A PARTICULAR PURPOSE. Hewlett-Packard shall not
be liable for errors contained herein or for incidental or consequential damages
in connection with the furnishing, performance, or use of this material.
Hewlett-Packard assumes no responsibility for the use or reliability of its
software on equipment that is not furnished by Hewlett-Packard.
Warranty
A copy of the specific warranty terms applicable to your Hewlett-Packard
products and replacement parts can be obtained from
http://www.hp.com/serverappliances/support/.
*Other brands and names are the property of their respective owners.
Contents
Chapter 1: Introduction
Introduction to the SA8250
Assumptions
Benefits of the SA8250
Specifications
Typographic Conventions
Chapter 2: Theory of Operations
General Operating Principles
XML Operations
XML Expression Syntax
XML Data Model
Commands and Operators
Boolean Operators
Function Calls
Values
XML Pattern Creation
XML Pattern Matching
C O N T E N T S HP e-Commerce/XML Director Server Appliance SA8250 User Guide
MIME Content Type Support
URL Encoded MIME Processing
Multipart MIME Processing
Document Number Specification
Content Transfer Encoding Support
Signed-Only S/MIME Support
XML “Well formed” errors
XML default special case
Services
Layer 4 (HOT) Services
Layer 7 (RICH) Services
Out-of-Path Return (OPR)
FTP Limitations
Sticky Options
Sticky Persistence
Sticky-timeout
SSL and Sticky
Server-timeout
Grouping Services
SSL Acceleration
SSL Fundamentals
Application Message Traffic Management
HTTPS Redirect
Client Authentication
HTTP Header Option Fields
Load Balancing Across Multiple Servers
Balancing Algorithms
Response-time Metrics
Primary and Backup Servers
Server Configuration Options
Source Address Preservation
Multi-hop Source Address Preservation
RICH expressions in XML patterns
Order of RICH expressions
Routing with Dual Interfaces
Prioritization and Policy Groups
Routing Method for VIP Addresses
Error Detection
Server Status Detection
HTTP Error Detection
Serial Cable Failover
Serial Cable Failover Configuration
Replicating the Configuration
Status Information
Chapter 3: Boot Monitor
Using the Boot Monitor
System Requirements
Accessing the Boot Monitor
Interrupting the Bootup Sequence
Using the Run Time CLI
Boot Monitor Commands
Chapter 4: Graphical User Interface
Before You Begin
Logon Screen
Logging on to the GUI
Topology Screen
Using the Topology Screen
Purposes of the Topology Screen
Topology Screen Toolbar
Online Help
Topology Screen Elements
Window Controls
Policy Manager Screen
Policy Manager Controls and Displays
Policy Manager Toolbar
Policy Manager’s Pop-up Menu
Policy Groups
Creating Policy Groups
Throttling
Deleting Policy Groups
Services
Creating Services
Additional Service Tab Controls and Displays
Balance Strategy
XML Service Tab
Deleting Services
Servers
XML Server Tab
Deleting Servers
Administration Screen
Settings Tab
Software Tab
System Software
Agent Software
Users Tab
Routing Tab
System Role
Active Routing Protocol
RIP Protocol
OSPF Protocol
Security Tab
Source IP Filtering
Access Options
GUI Tab
CLI Tab
SNMP Tab
SNMP Agent
Multi-Site Tab
Logging Tab
Specifying System Log Parameters
Viewing the Log File
Configuration Screen
Saving Configuration Files
Restoring Configuration Files
Deleting Configuration Files
Copying Configuration Files
Viewing Configuration Files
Resetting the Factory Configuration
Sending and Retrieving Configuration Files
Tools Screen
ARP
Ether
Ping
Netstat
Nslookup
Reboot
Trace
Traceroute
Statistics Screen
Statistics Screen Controls
Statistics Box
Graph Options
Selection List
Window Options
Graphing Statistics
Chapter 5: Command Line Interface
CLI Introduction
Secure Shell Support
Online Help
Pipes
Syntax
Categorical List of CLI Commands
Global System Commands
Admin Commands
File Management Commands
CLI Commands
IRV Commands
GUI Commands
Routing Commands
Policy Group Commands
Service Commands
Server Commands
System Commands
Security Commands
SNMP Commands
SSL Commands
Logging Commands
Show Commands
Run-Time CLI Command Reference
Global System Commands
Admin Commands
File Management Commands
CLI Commands
IRV Commands
GUI Commands
Routing Commands
Policy Group Commands
System Commands
Security Commands
SNMP Commands
SSL Commands
Logging Commands
Show Commands
Chapter 6: Scenarios
SA8250 Scenarios
Scenario 1: Load Balancing a Web Site with Two Servers and the SA8250 in Inline Mode
Prerequisites for Scenario 1
Procedure for Scenario 1
Scenario 2: Load Balancing Servers with Source Address Preservation
Prerequisites for Scenario 2
Procedure for Scenario 2
Scenario 3: Routing Outbound Data Away from the SA8250 for OPR
Prerequisites for Scenario 3
Procedure for Scenario 3
Scenario 4: Content Routing using RICH only
Prerequisites for Scenario 4
Procedure for Scenario 4
Scenario 5: Using SSL Acceleration
Procedure for Scenario 5
Scenario 6: Content Routing using RICH and XML expressions
Using the default special case
Scenario 7: Using CRLs
Prerequisites for Scenario 7
Procedure for Scenario 7
Chapter 7: SNMP Support
Using SNMP
Standards Compliance
MIB Tree
Supported MIBs
Where to find MIB Files
Trap Summary
Standard SNMP Traps
Displaying SNMP Parameters
Configuring Community Authentication and Security Parameters
Configuring Trap Parameters
Configuring Other SNMP Parameters
Chapter 8: Software Updates
Updating Your System Software
Multiple Software Images
Software Image Media
Saving Your Current Configuration
Downloading and Installing the Software
Rebooting with the New Image and Verifying Installation
Upgrading Under Serial Cable Failover Configuration
Appendix A: Security Configuration
Recommended Security Configuration
Appendix B: SSL Configuration
Obtaining Keys and Certificates
Copying and Pasting Keys and Certificates
Obtaining a Certificate from Verisign or another CA
Procedure
Importing Keys into the SA8250
Importing Certificates into the SA8250
Creating a new Key/Certificate on the SA8250
Procedure
Using Global Site Certificates
Overview
Using the CLI
Generating a Client CA
Generating a CRL
Revoking a Certificate
Using Ciphers with the SA8250
HTTP Header Information
Procedure
Appendix C: Failover Method Dependencies
Failover Modes
Appendix D: Configuring Out-of-Path Return
Configure OPR for Windows* 2000
Set the Loopback
Configure OPR for Windows* NT*
Set the Loopback
Run a Web Service on the Loopback Interface Using IIS 3.0
Run a Web Service on the Loopback Interface Using IIS 4.0
Configuring OPR for a UNIX-based Apache Web Server
Appendix E: Diagnostics & Troubleshooting
Running Diagnostics on the SA8250
Diagnostic LEDs
Power Indication
Boot-time LED Diagnostics
Run time LED Diagnostics
Run time Errors
Troubleshooting
Appendix F: Cleaning the Dust Filter
Background
Cleaning Procedure
Regulatory Information
Taiwan Class A EMI Statement
VCCI Class A (Japan)
VCCI Statement
Australia
FCC Part 15 Compliance Statement
Canada Compliance Statement (Industry Canada)
CE Compliance Statement
CISPR 22 Statement
WARNING
AVERTISSEMENT
WARNUNG
AVVERTENZA
ADVERTENCIAS
Wichtige Sicherheitshinweise
Software License Agreement
Mozilla* and expat* License Information
MOZILLA PUBLIC LICENSE, Version 1.1
Glossary
Support Services
Support for your SA8250
U.S. and Canada
Europe
Asia
Latin America
Other Countries
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 375
C O N T E N T S HP e-Commerce/XML Director Server Appliance SA8250 User Guide
x
Notes
Introduction
Introduction to the SA8250
The HP e-Commerce/XML Director Server Appliance SA8250
provides the flexibility to classify and load balance Extensible
Markup Language (XML) traffic according to content and distribute
it according to user-defined parameters. The SA8250 makes it easy
to use the most appropriate resources at the datacenter to handle
incoming requests.
The SA8250 is positioned in the network in front of the web,
application, or business-to-business (B2B) XML servers, where it
senses and parses XML messages or transaction data. It routes client
data to the most appropriate server, based on rules that have been
pre-configured for each web server. The most common application is a
B2B environment where the client will often be another server or
application.
The SA8250 also provides reliable URL- and port-based load
balancing, failover, and policy-based management to your
e-Commerce site, web site, or Intranet. The SA8250 adds the ability to
look into the data beyond the URL, and is the best load balancing
solution available for the reasons shown in this table.

SA8250 Features
Feature: Description
Reliability: The SA8250 provides 7 x 24 uptime through failover
  systems and the inherent robustness of leading network protocols.
Fault Resistance: The SA8250-managed configurations offer many
  features and capabilities that improve the availability and
  reliability of server-based services.
Policy-based Management: The SA8250 allows system administrators to
  implement classes of service, assign priority levels, and set target
  response times.
Intelligent Content Routing: The SA8250 takes application-aware
  routing to a new level with the ability to segment Internet content
  according to the requested URL and embedded XML data.
Error Recovery: Application intelligence allows the SA8250 to
  understand and correct transport-related application errors
  transparently to the end user.
Secure Sockets Layer Acceleration: The SA8250 can offload encrypted
  web traffic (HTTPS) providing a significant performance improvement
  over web server based Secure Sockets Layer (SSL) processing.

Assumptions
This document assumes that you are a network administrator and that
you have at least a basic understanding of the following:
• XML usage and syntax
• Networking concepts and terminology
• Network topologies
• Networks and IP routing
Benefits of the SA8250
This table lists the benefits of the SA8250.

Benefits
Benefit: Description
Distribute XML traffic among multiple servers according to content:
  The SA8250 analyzes and intelligently distributes XML traffic.
  The SA8250 categorizes XML traffic by content according to
  user-crafted rules, and then distributes it among multiple servers,
  thus allowing network resources to be used in a manner consistent
  with your corporate goals.
Substantial performance boost and reliability for e-Commerce:
  The SA8250 increases the speed, scalability, and reliability of
  multi-server e-Business sites. It regains the speed lost by servers
  processing secure transactions by delivering faster SSL
  processing. It integrates SSL processing with XML traffic
  management technology, eliminating errors and improving Quality
  of Service (QoS). This unique capability ensures that customers
  working with sensitive information or business-to-business
  transactions online receive timely responses, do not see error
  messages, and are confident that delivery of their information is
  kept private.
SSL acceleration:
  Some e-Commerce sites suffer dramatic performance degradation
  as secure transactions increase. Using patent-pending technology
  to perform cryptographic processing offloaded from the server, the
  SA8250 can support up to 1200 SSL connections per second.
  The SA8250 enables e-Commerce sites to transact secure business
  and deliver sensitive information quickly and confidentially. It
  performs all key management and encryption. The result is a
  tremendous performance boost for heavily trafficked e-Commerce
  sites.
Substantial economic benefits:
  The SA8250 improves customer satisfaction by improving the
  response time for secure transactions. This means that
  e-Commerce sites can now enjoy the benefits provided by having
  secure transactions participate in layer 7 intelligent traffic
  management. This creates substantial economic savings for
  e-Commerce sites through improved customer satisfaction, lower
  cost of ownership, and reduced server provisioning requirements.
SSL acceleration and intelligent traffic management benefits:
  Performance degrades dramatically as more customers access a
  site in SSL mode, frustrating the very customers who are
  attempting to make a purchase. The SA8250 is essential to
  providing high performance and superior levels of service when
  building reliable, scalable, and secure e-Commerce sites.
  • Off-loading SSL handling from e-Commerce servers improves
    overall site performance and customer response time
  • Accelerated SSL processing eliminates over-provisioning capacity
  • Lower processing demands on the server create greater capacity
    for your e-Commerce site
  • Drop-in installation avoids impacting your mission critical
    e-Commerce servers
  • Response-time based prioritized service for secure transactions
  • Improved responsiveness, reliability, and QoS for secure
    transactions means delivering the highest levels of support for
    paying customers
  • Ensures that e-Commerce merchants are always open for business
    by preventing "Server Too Busy" and "File Not Found" errors,
    even for secure transactions
Patent pending intelligent XML content routing for secure transactions:
  The SA8250 implements intelligent traffic management for secure
  transactions, dramatically improving an e-Commerce site's
  responsiveness, reliability, and QoS. While typical traffic
  management devices make decisions based only on information at
  Layer 4 in the network stack, the SA8250 is the only XML
  appliance that combines Layer 4 through 7 (application/content)
  awareness to speed up response times and eliminate error
  messages for secure transactions. It keeps e-Commerce sites open
  for business, even during back-end transaction problems or content
  glitches.
Intelligent session recovery for secure transactions:
  The SA8250 provides Intelligent Session Recovery technology for
  secure transactions. By monitoring content within the response
  sent back by the server, Intelligent Session Recovery detects
  HTTP 400, 500, or 600 series errors, transparently rolls back the
  session, and redirects the transaction to another server until the
  request is fulfilled.
Response-time based prioritized service for secure transactions:
  The SA8250 enables system administrators to implement varying
  classes of service, assign priority levels, and set target response
  times for secure transactions. The SA8250 continually measures
  the response times of each class of service group and assigns
  incoming requests to the server that can fulfill those requests
  within the predefined response time. If the response time exceeds
  the predefined threshold, requests designated as high priority
  receive preference over those of lower priority. The SA8250
  offers predictable performance for high-priority secure requests.

Specifications
This table lists the specifications for the SA8250.

Specifications
Specification: Description
Servers supported:
  • Any Web server (Apache, Microsoft, Netscape, etc.)
  • Most operating systems, including UNIX*, Solaris*, Windows
    NT*, BSD*/BSDI*, AIX*, etc.
  • Any server hardware (SUN, HP, IBM, Compaq, SGI, etc.)
  • No practical limit on number of servers
System administration:
  • Command line interface (CLI)
  • Web-based graphical user interface (GUI)
  • SNMP monitoring (MIB II and Private MIB)
  • Dynamic configuration through password-protected serial console,
    telnet, SSH v1, and SSH v2
Performance:
  • Rated up to 1200 HTTPS connections/sec, 2500 RICH (Layer 7)
    HTTP connections/sec, 6600 HOT (Layer 4) connections/sec,
    95 Mb/sec
  • Layer 7 traffic management
  • Patent-pending technology offloads all cryptographic processing
    from server
Dimensions:
  • Mounting: Standard 19-inch rack mount
  • Height: 3.5 inches (8.9 cm)
  • Width: 17 inches (43.2 cm)
  • Depth: 20.16 inches (51.21 cm)
Weight: 24 pounds (10.89 kg)
Interface connections:
  • Dual 10/100 Ethernet
  • TTY Serial - console
  • Failover port
Transparent operation: Supports single or multiple Virtual IP (VIP)
  addresses per domain
Priority classes: Application/protocol types supported: HTTP, HTTPS,
  FTP, NNTP, or any TCP port
Patent pending XML and intelligent content routing:
  • Content: URL, file types such as *.GIF, file paths such as
    \ads\, and file names such as index.html
  • Transactions: Transaction types such as *.CGI
  • XML patterns: Defined by RICH (Layer 7) and XML expressions,
    in the form: */order.asp & //From[id="acme"]
Intelligent session recovery:
  • Automatically resubmits requests
  • Traps 400, 500, and 600 series errors for HTTP and HTTPS
Response-time based priority for secure and non-secure transactions:
  • Sets and enacts target response times
  • Directs data based on class priority and target response times
  • Real-time performance monitoring
  • Automatic server weighting and tuning
  • Server-state aware (sticky) based on source IP, SSL session ID,
    or HTTP cookie
System fault tolerance and failover:
  • Single site, single or multiple connections
  • Automatic detection of status change and health of servers
  • Intelligent Resource Verification (IRV)
Security features supported:
  • RSA, RC2, RC4, DES, Triple DES, IDEA, Blowfish, MD5, SHA
  • SSL v2 and v3 for transaction security
  • SSH for secure Command Line Interface (up to 168 bit)
  • IP filtering
  • Serial port logon

Typographic Conventions
The following typographic conventions are used throughout this
manual.
NOTES clarify a point, emphasize vital information, or describe
options, alternatives, or shortcuts. Except for tables, notes are always
found in the left margin.
NOTE: This is an example of a note.
CAUTIONS are designed to prevent possible mistakes that could
result in injury or equipment damage. Except for tables, cautions are
always found in the left margin.
CAUTION: This is an example of a caution.
NUMBERED LISTS indicate step-by-step procedures that you must
follow in numeric order, even if only one step is listed:
1. This is the first step.
2. This is the second step.
3. This is the third step, etc.
BULLETED LISTS indicate options or features available to you:
• A feature or option
• Another feature or option, etc.
ITALICS are used for emphasis or to indicate onscreen controls:
4. To edit the configuration settings, press the Configure tab.
COMMANDS are shown in the following ways:
• Any command or command response text that appears on the
  terminal is presented in the courier font.
• Any text that you need to type at the command line appears in
  bold courier, for example:
  HP SA8250/config/policygroup#create gold
• Angled brackets (< >) designate where you enter variable
  parameters
• Straight brackets ([ ]) show parameter choices, separated by
  vertical bars
• Braces ({ }) show optional commands and parameters
• Vertical Bars ( | ) separate the choices of input parameters within
  straight brackets. You can choose only one of the set of choices
  separated by vertical bars. Do not include the vertical bar in the
  command.
Theory of Operations
General Operating Principles
This chapter discusses the general operating principles of the HP
e-Commerce/XML Director Server Appliance SA8250. For details
about the complete SA8250 command set, see Chapter 5. For
information about completing specific tasks, see Chapter 6.
XML Operations
The SA8250 provides a powerful means of using eXtensible Markup
Language (XML) technology to facilitate B2B transactions. In
addition to its XML capability, the SA8250 provides Layer 4 (HOT)
services, Layer 7 (RICH) services, and Secure Sockets Layer (SSL)
acceleration.
The SA8250 accepts user-created rules regarding the content of
information transmitted in XML documents, and uses the rules to
route the information to the appropriate data center resources.
Before you can configure the SA8250, you must first obtain the
following information:
• Which of the several common formats or varieties of XML will
  be used in the client application
• Which elements, attributes, or data in the anticipated XML traffic
  represent the significant markers by which value is determined
You control the XML functionality using the XML Server Tab of
Policy Manager screen in the Graphical User Interface (GUI, Chapter
4), or the Command Line Interface (CLI, Chapter 5), as demonstrated
in this chapter. The SA8250 manages XML traffic using the XML
expression, a definition of one or more patterns that describe
specific conditions to be compared with incoming XML data.
Patterns are assigned only to servers identified by their IP address and
port. When a match between a pattern and the incoming data occurs,
the SA8250 routes that data to the desired server for fulfillment.
XML Expression Syntax
This table lists the valid XML expression syntax for the SA8250.
These are described in more detail on the following pages.

XML Expression Syntax
Expression            Syntax
XML Expression        PathExpression
PathExpression        Path | PathExpression BooleanOperator PathExpression |
                      ( PathExpression )
Path                  ( / | // ) Element + Filter ?
Filter                [ FilterExpression ]
FilterExpression      (Element | Attribute | FunctionCall) (ComparisonOperator
                      Value )? | ( FilterExpression ) | FilterExpression
                      BooleanOperator FilterExpression
Value                 Literal | Number
Number                Integer | Decimal
ComparisonOperator    > | < | = | != | >= | <=
BooleanOperator       and | or
FunctionCall          FunctionName ( ( Argument ( , Argument )* )? )
FunctionName          starts-with | contains | translate
Attribute             @ ( AttributeName | * )
Element               ElementName | *

XML Data Model
For standard SA8250 operations, XML data consists of three
hierarchical components or nodes:
• Elements (data types)
• Attributes (subcategories of a data type or element)
• Text (specific data such as names, addresses, and quantities)
The relevant content of an XML document is defined within these
three components. This example shows a block of incoming XML
text as received by the SA8250:
<employee>
  <name lastName="Smith" firstName="John" initial="K"/>
  <id eid="12345678" jobClass="System Engineer"/>
  <benefits status="active">
    <medicalCarrier>MedCo</medicalCarrier>
  </benefits>
  <grade title="manager">5</grade>
  <address>
    <street>13280 Evening Creek Dr</street>
    <city>San Diego</city>
    <state>California</state>
    <zip>92128</zip>
  </address>
</employee>
NOTE: We indented XML commands for ease of reading in this
document. However, the leading spaces or tabs are not significant.
Where:
• employee, name, id, benefits, grade, address,
  street, city, state, and zip are elements of the XML
  document.
• lastName, firstName, and initial are attributes of the
  name element.
• eid and jobClass are attributes of the id element.
• "13280 Evening Creek Dr", "San Diego", "California",
  and "92128" are text components of the street, city,
  state, and zip elements, respectively.
XML expressions configured in the SA8250 are matched against
items as shown above and routed for fulfillment according to server
assignments.
Commands and Operators
The SA8250 uses an XML Path Language (XPath) subset.
NOTE: For a detailed description of XML commands, see Chapter 5.
XML patterns are created in the CLI or GUI using a set of commands,
operators, and comparison operators with XML elements, attributes,
and text components. Patterns take the form of a "path," similar to
the expressions used in configuring the SA8250 for HTTP parsing
as described later in this chapter.
A path consists of a sequence of one or more XML elements
separated by single or double slashes (/ or //). The first element is also
preceded by single or double slashes. These slashes are "step"
operators and are used to select elements relative to the context node,
as described in this table.

XML Step Operators
Operator (Name): Description
/ (child operator): Selects all immediate children of the context node
// (descendant operator): Selects elements anywhere under the context node

The comparison operators are described in this table.

XML Comparison Operators
Operator (Name): Description
= (Equal): Returns true if any value of the nodes specified in the
  pattern equals a given value
!= (Not equal): Returns true if at least one value of the nodes
  specified in the pattern does not equal a given value
< (Less than): Returns true if at least one value of the nodes
  specified in the pattern is less than the specified value
<= (Less than or equal to): Returns true if at least one value of the
  nodes specified in the pattern is less than or equal to the
  specified value
> (Greater than): Returns true if at least one value of the nodes
  specified in the pattern is greater than the specified value
>= (Greater than or equal to): Returns true if at least one value of
  the nodes specified in the pattern is greater than or equal to the
  specified value

Each element together with the operator selects a set of nodes in the
XML data tree relative to a context node. This set of nodes must
match the name of the element specified in a step. Every path starts
with the root node as the first context node. Nodes selected in a step
form the set of context nodes for the following step.
You can specify an element as *, which selects any element relative
to the context node. You can also specify an optional filter at the end
of a path to further refine XML data stream parsing.
Using the employee from the earlier XML data example, an XML
pattern on the SA8250 might look like this:
* & //address[zip > 90000]
where:
• * is a Layer 7 (RICH) wildcard expression
• //address[zip > 90000] is an XML expression
For more information on XML patterns, see "XML Pattern Creation"
later in this chapter.
Because the server is configured for any zip codes greater than 90000,
and John K. Smith's zip code is 92128, the SA8250 directs his
employee data to that server.
You can specify an attribute as @AttributeName, or @* to select any
attribute relative to the context node.
Filters are identified by a FilterExpression enclosed within square
brackets, [ ]. They define a pattern within a pattern following this
general structure:
( (/ | //) Element )? [ FilterExpression ]
Filter expressions are applied to every element returned by the
preceding path pattern. They return a Boolean TRUE if the server is
a valid choice, or FALSE if that server will not be used.
An element or attribute by itself inside a filter expression specifies an
existence test. For example:
//a[b or @c]
The operative component of a FilterExpression is a comparison
expression or any FunctionCall expression that returns a string value,
which compares either an element or an attribute against a specified
value. An element in a FilterExpression refers to the child element of
the context node, while an attribute refers to the attribute of the
context node.
Comparison expression syntax:
(Element | Attribute | FunctionCall) ComparisonOperator Value
FunctionCall expression syntax:
FunctionName ( (Argument (, Argument)*)? )
For more information on Function Calls, see "Function Calls" later in
this chapter.
You can combine comparison expressions and the FunctionCall
expression with Boolean operators and parentheses to create complex
filter expressions, as shown in this table.

Comparison Expression Samples
Sample Pattern
  Description
//employee[grade=5]
  Matches if there is an employee element with a child element grade
  whose value equals 5
//name[@lastName="Smith"]
  Matches if there is a name element with an attribute lastName="Smith"
//employee[grade=5] and //grade[@title="manager"]
  Matches if there is an employee element with a child element grade
  whose value equals 5, and a grade element with an attribute
  title="manager"

Boolean Operators
Boolean operators are logical operators between expressions. These
operators are used in the PathExpression and the FilterExpression:
<PathExpression> BooleanOperator <PathExpression>
<FilterExpression> BooleanOperator <FilterExpression>
This table shows two Boolean operators.

Boolean Operators
Operator (Name): Description
and (Logical AND operator): Performs a logical AND operation
or (Logical OR operator): Performs a logical OR operation

This table shows examples of Boolean operators.

Boolean Expression Samples
Sample Pattern
  Description
//benefits[@status and medicalCarrier]
  Matches if there is a benefits element, a status attribute, and a
  medicalCarrier child element. status and medicalCarrier are
  associated with the benefits element.
//benefits[@status or medicalCarrier]
  Matches if there is a benefits element, a status attribute, or a
  medicalCarrier child element. status and medicalCarrier are
  associated with the benefits element.
//benefits or //grade
  Matches if there is a benefits or grade element

Function Calls
A FunctionCall expression is evaluated by using the FunctionName
to identify a supported function, evaluating each of the arguments if
needed, and calling the function passing the required arguments. It is
an error if the number of arguments is wrong or if an argument is not
of the required type. The result of the FunctionCall expression is the
result returned by the function. A FunctionCall can only be specified
within a FilterExpression.
This table describes the three supported string functions.

Function Calls
Function
  Description
starts-with(value, substring)
  The starts-with function tests whether the string value of value
  starts with the specified substring. value can be either an element,
  attribute, or function call that returns a string value. substring
  must be a literal value enclosed in single or double quotes. A
  Boolean value of TRUE or FALSE is returned.
contains(value, substring)
  The contains function tests whether value contains the specified
  substring. value can be either an element, attribute, or function
  call that returns a string value. substring must be a literal value
  enclosed in single or double quotes. A Boolean value of TRUE or
  FALSE is returned.
translate(value, fromString, toString)
  The translate function replaces characters in the value string if they
  appear in the fromString with the corresponding characters in the
  toString. If a character appears in fromString but not in the
  corresponding position in toString, the character will be dropped from
  the value string. The result string is returned. value can be either an
  element, attribute, or function call that returns a string value. Both
  fromString and toString have to be literal values enclosed in single or
  double quotes.

This table shows function call samples.

Function Call Samples
Sample Pattern
  Description
//employee/name[starts-with(@lastName,"S")]
  Matches if there is an employee element with a name child element
  that has a lastName attribute value starting with "S"
//id[contains(@eid,"456")]
  Matches if there is an id element with the value of an eid attribute
  containing "456"
//id[contains(translate(@jobClass,"abcdefghijklmnopqrstuvwxyz","ABCDEFGHIJKLMNOPQRSTUVWXYZ"),"SYSTEM ENGINEER")]
  Matches if there is an id element with the value of a jobClass
  attribute containing "System Engineer". All characters in the
  jobClass attribute are converted to uppercase before being passed
  to the contains function.

Values
Values are used to specify the right operand of a comparison
expression, and can be either a literal (such as a string) or a number.
A literal has to be enclosed either in single or double quotes. If the
literal string contains a single quote, double quotes should be used to
enclose the string. If the literal string contains double quotes, single
quotes should be used to enclose the string. Character references
(both decimal and hexadecimal format) and predefined entities as
described in the XML specification can be used within the literal
string.
The string value of the left operand is obtained for literal equality
comparisons. If an element is specified for the left operand, only
elements without a child element should be used. Although the upper
level elements are not supported, this generally is not a problem,
since in most cases only the lowest level element contains text values.
A number can be either a decimal number or an integer. Numbers
should not be enclosed in quotes. If a number is enclosed in quotes,
it is treated as a literal. A number can be signed by preceding it with
a "+" or "-" sign. A decimal number must contain only one decimal
point with at least one digit.
A numeric comparison is either an equality comparison with a
numeric right operand or a non-equality comparison. Both the value
of the left and right operands, if needed, are converted to numeric
values before a numeric comparison is made. If the value cannot be
converted to a number, the comparison returns false.
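The literal and numeric comparison rules above, together with translate() from the Function Calls table, modelled in Python and run against the employee document. This is an added example, not HP code or the appliance's implementation; the helper names are hypothetical, = and != are assumed to be the "equality" comparisons, and translate() is assumed to follow XPath 1.0 when a character repeats in fromString.

```python
# Added illustration, not HP code: models the comparison rules of the
# "Values" and "Function Calls" sections. All helper names are hypothetical.
import operator
import re
import xml.etree.ElementTree as ET

# Constructed sample: the manual's employee document, attribute values quoted.
EMPLOYEE = """<employee>
  <name lastName="Smith" firstName="John" initial="K"/>
  <id eid="12345678" jobClass="System Engineer"/>
  <benefits status="active"><medicalCarrier>MedCo</medicalCarrier></benefits>
  <grade title="manager">5</grade>
  <address>
    <street>13280 Evening Creek Dr</street><city>San Diego</city>
    <state>California</state><zip>92128</zip>
  </address>
</employee>"""
LOWER = "abcdefghijklmnopqrstuvwxyz"
UPPER = LOWER.upper()
# Assumption: optional sign, digits, at most one decimal point.
NUMBER = re.compile(r"[+-]?(\d+(\.\d*)?|\.\d+)")
OPS = {"=": operator.eq, "!=": operator.ne, "<": operator.lt,
       "<=": operator.le, ">": operator.gt, ">=": operator.ge}

def to_number(text):
    """Convert text to float, or return None when it is not a number."""
    text = text.strip()
    return float(text) if NUMBER.fullmatch(text) else None

def parse_value(token):
    """Classify the right operand: quoted means literal, unquoted means number."""
    if len(token) >= 2 and token[0] == token[-1] and token[0] in "'\"":
        return "literal", token[1:-1]
    number = to_number(token)
    if number is None:
        raise ValueError("value must be a quoted literal or a number: %r" % token)
    return "number", number

def compare(left_values, op, token):
    """True if at least one left value satisfies op against the right operand."""
    kind, right = parse_value(token)
    test = OPS[op]
    if kind == "literal" and op in ("=", "!="):
        # Literal equality: plain, case-sensitive string comparison.
        return any(test(value, right) for value in left_values)
    # Numeric comparison: both sides are converted; a failed conversion is false.
    if kind == "literal":
        right = to_number(right)
    if right is None:
        return False
    numbers = (to_number(value) for value in left_values)
    return any(test(n, right) for n in numbers if n is not None)

def translate(value, from_string, to_string):
    """Map characters of from_string to to_string; unmatched positions are dropped."""
    mapping = {}
    for index, char in enumerate(from_string):
        # Assumption (XPath 1.0 behaviour): the first occurrence wins.
        mapping.setdefault(char, to_string[index] if index < len(to_string) else "")
    return "".join(mapping.get(char, char) for char in value)

def values(doc, element, child=None, attribute=None):
    """String values of a child element or an attribute of every //element node."""
    found = []
    for node in ET.fromstring(doc).iter(element):
        if attribute is not None:
            if attribute in node.attrib:
                found.append(node.attrib[attribute])
        else:
            found.extend(c.text or "" for c in node.findall(child))
    return found

def demo():
    """Evaluate a few filters against the employee document."""
    zips = values(EMPLOYEE, "address", child="zip")
    grades = values(EMPLOYEE, "employee", child="grade")
    cities = values(EMPLOYEE, "address", child="city")
    names = values(EMPLOYEE, "name", attribute="lastName")
    jobs = values(EMPLOYEE, "id", attribute="jobClass")
    return {
        "zip > 90000": compare(zips, ">", "90000"),
        "grade = 5.0": compare(grades, "=", "5.0"),          # numeric equality
        'grade = "5.0"': compare(grades, "=", '"5.0"'),      # literal equality
        "city > 90000": compare(cities, ">", "90000"),       # left is not a number
        '@lastName = "smith"': compare(names, "=", '"smith"'),
        'translate(@lastName) = "SMITH"': compare(
            [translate(n, LOWER, UPPER) for n in names], "=", '"SMITH"'),
        "contains(@jobClass)": any("SYSTEM ENGINEER" in j for j in jobs),
        "contains(translate(@jobClass))": any(
            "SYSTEM ENGINEER" in translate(j, LOWER, UPPER) for j in jobs),
    }

if __name__ == "__main__":
    for rule, matched in demo().items():
        print("%-34s %s" % (rule, matched))
```

The quoted and unquoted forms of the same value give different answers (grade = 5.0 against grade = "5.0"), so a routing rule should be checked with the exact quoting it will be entered with.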
XML Pattern Creation
XML-related commands are issued at the /xmlpattern level of the
CLI, below the server port level. For example:
/server/10.1.1.1/port/80/xmlpattern#create */order.asp & doc=3 & //From[id="Acme"]
where:
• */order.asp is the Layer 7 (RICH) expression
• doc=3 is the third document in a multipart or URL encoded
  message. For more information, see "Document Number
  Specification" later in this chapter.
• //From[id="Acme"] is the XML expression.
NOTE: Case is significant for text elements like "Acme." Incoming
text using "acme" (all lowercase) does not match, unless you use the
translate() function to convert text case.
It is imperative that XML commands be written as shown above, with
spaces on either side of all ampersands (&) used to separate the RICH
expression, document number (if used), and XML expression (if
used). Failure to do so results in an error.
Once created, XML patterns receive index numbers and are stored in
a list. You can display this list by typing the info command:
/server/10.1.1.1/port/80/xmlpattern#info
This results in a list of expressions by their index number.
XML commands can also be entered and managed using the Policy
Manager screen of the Graphical User Interface. For more
information, see Chapter 4.
For more information on XML commands, see Chapter 5.
XML Pattern Matching
Please refer to this example XML command throughout this
discussion:
create */order.asp & doc=3 & //From[id="Acme"]
The SA8250 attempts to find XML pattern matches in the following
sequence:
1. RICH expression matches. If the RICH expression
   (*/order.asp) does not match, the document number and
   XML expression are ignored.
2. Optional document number matches. doc=3 instructs the
   SA8250 to use the third document for matching against the XML
   expression. If the third document is missing, or is not an XML
   document, the data is treated as a non-XML document and
   directed to the first matching RICH expression server.
   For more information on the document number, see "Document
   Number Specification" later in this chapter.
3. Optional XML expression matches. If both the RICH and XML
   expressions match, the SA8250 directs the client data to the
   server matching the XML expression (//From[id="Acme"]).
4. If only the RICH expression matches, or the XML expression is
   missing, the SA8250 either directs the client data to a default
   server, or returns an HTTP error 503, "No Servers Available"
   message to the client. This depends upon the SA8250's
   configuration.
   For information on how to configure a default server, see Chapter
   4.
   For more information on RICH expressions, see "RICH
   expressions in XML patterns" later in this chapter.
NOTE: We recommend using the same document number in all XML
patterns with the same RICH expression for a service. If you specify
different document numbers for each XML pattern of the same RICH
expression, it could cause degraded performance, because a different
XML document has to be parsed for each XML pattern to be matched.
If any server in a service has undefined XML expressions, that server
will be used for any XML data sent to that service, regardless of
content. To prevent this, ensure that you define XML expressions on
all servers within a service.
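The pattern format from "XML Pattern Creation" and the four-step sequence above, as an added Python model with a lint check for the two configuration problems the text warns about. This is not HP code and not how the appliance is implemented; function names are hypothetical. Assumptions: the RICH expression is treated as a shell-style wildcard, the document number defaults to 1 when omitted, and ElementTree's XPath subset stands in for the XML expression engine, so only equality filters are evaluated.

```python
# Added illustration, not HP code: a model of the pattern format and the
# four-step matching sequence above. All function names are hypothetical.
import re
import xml.etree.ElementTree as ET  # constructed input only; use defusedxml for untrusted data
from collections import namedtuple
from fnmatch import fnmatchcase

Pattern = namedtuple("Pattern", "rich doc xml")
NO_SERVER = "503 No Servers Available"

def split_pattern(text):
    """Split on '&' outside quotes; every separator needs a space on both sides."""
    parts, start, quote = [], 0, None
    for i, char in enumerate(text):
        if quote:
            quote = None if char == quote else quote
        elif char in "'\"":
            quote = char
        elif char == "&":
            if text[i - 1:i] != " " or text[i + 1:i + 2] != " ":
                raise ValueError("'&' at offset %d needs a space on both sides" % i)
            parts.append(text[start:i - 1])
            start = i + 2
    return parts + [text[start:]]

def parse_pattern(text):
    """Return Pattern(rich, doc, xml); doc and xml are None when omitted."""
    rich, *rest = split_pattern(text)
    doc = None
    if rest and re.fullmatch(r"doc=\d+", rest[0]):
        doc = int(rest.pop(0)[4:])
    if len(rest) > 1:
        raise ValueError("expected: RICH [& doc=N] [& XML expression]")
    return Pattern(rich, doc, rest[0] if rest else None)

def load_document(documents, number):
    """Return the parsed Nth document (1-based), or None if missing or not XML."""
    if not 1 <= number <= len(documents):
        return None
    try:
        return ET.fromstring(documents[number - 1])
    except ET.ParseError:
        return None

def xml_matches(root, expression):
    """Evaluate an equality-only XML expression with ElementTree's XPath subset."""
    holder = ET.Element("holder")       # lets //Name match the root element too
    holder.append(root)
    return bool(holder.findall("." + expression))

def route(path, documents, servers, default_server=None):
    """servers: list of (address, Pattern) in configured order."""
    hits = [(addr, p) for addr, p in servers if fnmatchcase(path, p.rich)]  # step 1
    if not hits:
        return None                     # no RICH match: outside this model
    for address, pattern in hits:
        if pattern.xml is None:
            raise ValueError("pattern without XML expression: run lint() first")
        root = load_document(documents, pattern.doc or 1)  # assumption: default is 1
        if root is None:
            return hits[0][0]           # step 2: treated as non-XML
        if xml_matches(root, pattern.xml):
            return address              # step 3
    return default_server or NO_SERVER  # step 4

def lint(servers):
    """Report servers lacking an XML expression and RICH expressions with mixed doc numbers."""
    findings, docs_by_rich = [], {}
    for address, pattern in servers:
        if pattern.xml is None:
            findings.append(("no-xml-expression", address))
        else:
            docs_by_rich.setdefault(pattern.rich, set()).add(pattern.doc)
    for rich, docs in sorted(docs_by_rich.items()):
        if len(docs) > 1:
            findings.append(("mixed-document-numbers", rich))
    return findings

# Constructed sample data; only 10.1.1.1 and the Acme pattern come from the manual.
ACME = "<Order><From><id>Acme</id></From></Order>"
ACME_LOWERCASE = "<Order><From><id>acme</id></From></Order>"
SERVERS = [
    ("10.1.1.1:80", parse_pattern('*/order.asp & doc=3 & //From[id="Acme"]')),
    ("10.1.1.2:80", parse_pattern('*/order.asp & doc=3 & //From[id="Globex"]')),
]
RISKY = SERVERS + [
    ("10.1.1.3:80", parse_pattern("*/order.asp")),
    ("10.1.1.4:80", parse_pattern('*/order.asp & doc=1 & //From[id="Initech"]')),
]

if __name__ == "__main__":
    print(route("/b2b/order.asp", ["<a/>", "<b/>", ACME], SERVERS))
    print(lint(RISKY))
```

Running lint() over an exported pattern list before deployment catches a server that would accept any XML data for the service, which route() deliberately refuses to model.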
MIME Content Type Support
Multipurpose Internet Mail Extension (MIME) values in the
Content-Type HTTP header are recognized by the SA8250 and
handled accordingly. This is primarily to support multipart and URL
encoded messages which can contain multiple documents in the
message body. The Content-Type header has the following format:
Content-Type: <media type>/<media subtype> [ ; <parameter> ] *
The media type and subtype, the charset parameter, and the
boundary parameter are recognized. The boundary parameter is
only used for multipart messages.
The charset Parameter
The optional charset parameter in the Content-Type header is used
to identify the character set used for the XML document. If encoding
is also specified in the prolog of the XML document, the charset
parameter in the Content-Type header is used instead. Any
unrecognizable charset or encoding causes the SA8250 to treat the
document as non-XML. Valid character sets include:
UTF-8
UTF-16
US-ASCII
ISO-8859-1
Media Type and Subtype
This table lists the recognized media types and subtypes. The media
types listed are the currently defined types registered with the IANA
(Internet Assigned Numbers Authority). The SA8250 cannot
recognize all possible media subtypes, because many of them are
proprietary.
Media type recognition allows the XML engine to determine the
format of the message and the type of content being embedded. If a
media subtype is xml, the document is treated as an XML
document without further examination. If a media type indicates
explicitly non-XML, such as audio, video, or image, the document is
treated as non-XML.
Media Type             Media Subtype              How it is processed by the SA8250
text                   xml                        Treated as XML
text                   other subtypes             Check if XML
multipart              voice-message              Treated as non-XML
multipart              encrypted                  Treated as non-XML
multipart              other subtypes             Extract individual part and classify
application            xml                        Treated as XML
application            x-www-form-urlencoded      Extract individual field value, check if XML
application            pkcs7-mime/x-pkcs7-mime    Treated as non-XML
application            other subtypes             Check if XML
message                rfc822                     Parse initial rfc822 header and classify
message                partial                    Treated as non-XML
message                other subtypes             Check if XML
any other media type   any subtypes               Treated as non-XML
Media Types and Subtypes
URL Encoded MIME Processing
Messages with an application/x-www-form-urlencoded media type
are URL encoded messages in a special format that contains a set of
field names and values, with the values encoded. This shows how the
body of a URL encoded message is formatted:
<field name>=<encoded value>[ & <field name>=<encoded value>] *
Each encoded value is potentially an XML document, and is referred
to as a document in the context of document selection. Each encoded
value is extracted from the message body and decoded before being
checked for XML data and matched against the XML expressions.
There can be multiple fields, and thus multiple potential XML
documents, in a URL encoded message. The first XML document is
used for pattern matching, unless a document number is specified, as
described in Document Number Specification later in this chapter.
Multipart MIME Processing
Multipart messages contain multiple body parts. Each body part is
preceded with a boundary string specified in the boundary parameter
in the Content-Type header. The body of each body part can be
optionally preceded with its own MIME headers. Each body part
contains a separate document and is extracted individually before any
XML parsing is done. If the boundary parameter is missing for a
multipart message, the message will be treated as non-XML,
because there is no way to interpret the body of the message. This is
an example of a simple 2-part multipart message:

POST /Order.asp HTTP/1.0
Content-Type: multipart/mixed;
    boundary = Body Part Boundary
Content-Length: 2048

--Body Part Boundary
Content-Type: text/xml

Content of Document 1
--Body Part Boundary
Content-Type: image/jpeg

Content of Document 2
--Body Part Boundary--

Multipart messages can also be nested:

POST /Order.asp HTTP/1.0
Content-Type: multipart/mixed;
    boundary = Body Part Boundary
Content-Length: 2048

--Body Part Boundary
Content-Type: multipart/related;
    boundary = Nested Body Part Boundary

--Nested Body Part Boundary
Content-Type: text/xml

Content of Document A
--Nested Body Part Boundary
Content-Type: text/xml

Content of Document B
--Nested Body Part Boundary--
--Body Part Boundary
Content-Type: text/xml

Content of Document C
--Body Part Boundary--

The first body part that contains an XML document is used for pattern
matching, unless a specific document number is specified.
Document Number Specification
NOTE: To maximize performance, the document number of all XML patterns with the same RICH expression should be consistent on all servers.
Since both URL encoded and multipart messages can contain
multiple XML documents, the document number specifies which
document is used for matching against a specific XML expression.
An incorrect match results if the wrong XML document is specified.
An example is shown in XML Pattern Matching earlier in this
chapter.
Documents are counted as they are encountered sequentially in the
message body. If they are nested in a multipart message body, as
shown above, the innermost document is counted first. The
document number is used only for multipart and URL encoded
messages, and is ignored otherwise. If the document number is not
specified, the first XML document will be used for the pattern
matching.
Valid document numbers are integers from 1 to 99.
Content Transfer Encoding Support
NOTE: The Content-Transfer-Encoding header is not an HTTP header, and can only be specified in a MIME header (in the header of an embedded body part).
Message bodies can be encoded so that they do not cause any problem
for some of the protocol transfer gateways, especially when sending
binary data. Even though HTTP is able to handle binary data, many
applications still encode certain types of the messages. This is
especially true if the encoding is being done at an application layer
that is unaware of the transport protocol being used.
There are basically two common transfer encoding schemes: quoted-
printable, and base64. Quoted-printable encodes non-printable
ASCII and non-ASCII characters into the corresponding hexadecimal
representation, while base64 uses a 64-character set to encode the
data.
Both the quoted-printable and base64 values in the Content-Transfer-
Encoding header are recognized. The encoded document is decoded
according to the encoding scheme before any XML document test and
pattern matching are made. The original message is not modified
with respect to content-transfer-encoding.
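The media-type table, the document counting order, the doc=N rule and the transfer decoding described above can be modelled to check which document a given XML pattern will actually be matched against. This is an added example, not HP code: the function names, the looks_like_xml heuristic (the manual does not define its "Check if XML" step), the choice to count an encrypted multipart as one non-XML document, and the constructed sample messages are all assumptions.

```python
import base64
from email import message_from_bytes
from urllib.parse import parse_qsl

XML, NON_XML = "xml", "non-xml"
FORM = "application/x-www-form-urlencoded"
CHARSETS = {"utf-8", "utf-16", "us-ascii", "iso-8859-1"}  # charsets the manual lists
OPAQUE = {("application", "pkcs7-mime"), ("application", "x-pkcs7-mime"),
          ("message", "partial")}


def looks_like_xml(data):
    # Assumption: stand-in for the "Check if XML" step, which the manual does not define.
    return data.lstrip().startswith(b"<")


def documents(part):
    """Yield (kind, data) for each document in the order it is met in the body."""
    main, sub = part.get_content_maintype(), part.get_content_subtype()
    if main == "multipart":
        # A missing boundary leaves the body unsplit, so is_multipart() is False.
        if sub in ("voice-message", "encrypted") or not part.is_multipart():
            yield NON_XML, b""  # assumption: counted as one non-XML document
            return
        for child in part.get_payload():
            yield from documents(child)  # nested parts come before later siblings
        return
    if (main, sub) == ("message", "rfc822") and part.is_multipart():
        yield from documents(part.get_payload(0))  # classify the embedded message
        return
    # get_payload(decode=True) undoes base64 / quoted-printable before the XML test.
    data = (part.get_payload(decode=True) or b"").strip()
    charset = part.get_content_charset()
    if charset is not None and charset not in CHARSETS:
        yield NON_XML, data
    elif part.get_content_type() == FORM:
        for _name, value in parse_qsl(data.decode("latin-1"), keep_blank_values=True):
            raw = value.encode("utf-8")
            yield (XML if looks_like_xml(raw) else NON_XML), raw
    elif sub == "xml" and main in ("text", "application"):
        yield XML, data  # declared XML: no further examination
    elif (main, sub) in OPAQUE:
        yield NON_XML, data
    elif main in ("text", "application", "message"):
        yield (XML if looks_like_xml(data) else NON_XML), data
    else:  # audio, video, image and any other media type
        yield NON_XML, data


def select_document(raw, doc=None):
    """Return the bytes an XML expression would be matched against, or None (non-XML)."""
    if doc is not None and not 1 <= doc <= 99:
        raise ValueError("document numbers are integers from 1 to 99")
    msg = message_from_bytes(raw)
    if msg.get_content_maintype() != "multipart" and msg.get_content_type() != FORM:
        doc = None  # doc= applies only to multipart and URL encoded bodies
    docs = list(documents(msg))
    if doc is None:
        return next((data for kind, data in docs if kind == XML), None)
    if doc > len(docs) or docs[doc - 1][0] != XML:
        return None  # missing or non-XML: routed on the RICH expression alone
    return docs[doc - 1][1]


# Constructed sample: headers and body of a nested multipart POST (request line omitted).
DOC_A = b"<Order><From><id>Acme</id></From></Order>"
DOC_C = b"<Order><From><id>Other</id></From></Order>"
SAMPLE = b"\r\n".join([
    b'Content-Type: multipart/mixed; boundary="outer"', b"",
    b"--outer",
    b'Content-Type: multipart/related; boundary="inner"', b"",
    b"--inner", b"Content-Type: text/xml", b"", DOC_A,
    b"--inner", b"Content-Type: image/jpeg", b"", b"(constructed image bytes)",
    b"--inner--",
    b"--outer", b"Content-Type: text/plain", b"Content-Transfer-Encoding: base64", b"",
    base64.b64encode(DOC_C),
    b"--outer--", b"",
])
FORM_SAMPLE = (b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
               b"name=acme&order=%3COrder%2F%3E")
NO_BOUNDARY = b"Content-Type: multipart/mixed\r\n\r\n<Order/>"

if __name__ == "__main__":
    for n in (None, 1, 2, 3, 4):
        print("doc =", n, "->", select_document(SAMPLE, n))
```

Running the same message with different doc values shows why inconsistent document numbers across servers produce incorrect matches: doc=1 and doc=3 select different orders, and doc=2 falls back to RICH-only routing.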
Signed-Only S/MIME Support
S/MIME messages can be either encrypted or signed-only messages.
For encrypted messages, the format can be either
multipart/encrypted, or application/pkcs7-mime with enveloped-data
or encrypted-data. Encrypted messages are not supported, and are
treated as non-XML.
For signed-only messages, 2 formats can be used:
multipart/signed or application/pkcs7-mime with signed-data. The
multipart/signed format is supported, because the signed data
content looks like a normal Multipart MIME body part. The
application/pkcs7-mime format is not supported, and messages
in this format are treated as non-XML.
XML Well formed errors
If the SA8250 detects punctuation or syntax errors in an incoming
XML data stream, it can be configured to send an error message to the
sending client (the default setting), or to direct the client data to
servers matching the RICH expression, effectively ignoring the
incoming XML data.
XML default special case
If a server is configured as the default in the SA8250, and none of the
XML expressions match the incoming data stream, the SA8250
directs the client to the default server, provided the RICH expression
matches. This feature specifies which server handles the transactions
if there are no matches for the XML expressions.
If the SA8250 is not programmed with a default server, and if none
of the XML expressions match the incoming data, the SA8250
returns HTTP error 503, No Servers Available to the client.
If the RICH expression does not match, the XML expression is
ignored and the SA8250 returns HTTP error 503, No Servers
Available to the client.
To set the default server using the Graphical User Interface (GUI),
see Chapter 4.
To set the default server using the Command Line Interface (CLI),
see Chapter 5.
Services
Services are the virtual resources that the SA8250 provides to
network clients. Services are defined by their Virtual Internet
Protocol (VIP) address and virtual port number. The SA8250 load
balances network client requests for a service by receiving requests
from the user and directing them for fulfillment to the most
appropriate resource in the provider's server farm. Services are
defined and created within Policy Groups (see Prioritization and
Policy Groups later in this chapter) and are managed using the
following commands:
NOTE: The sample commands used in this chapter are meant as examples only.
config policygroup <name> service create <name>
    vip <ipaddr> port <number> {type [TCP | UDP |
    RICH_HTTP]} {sticky [disable| src-ip |
    cookie]} {sticky-timeout <seconds>} {backups
    [enable | disable]} {response <milli-sec>}
    {priority <level>} {balancing [load | robin]}
    {server-timeout <seconds>}
config policygroup <name> service delete [<name>
    | -all ]
config policygroup <name> service <name>
    {enable} | {disable} | {balancing [robin |
    load]} | {sticky [disable | src-ip | cookie]}
    | {sticky-timeout <seconds>} {backups [enable
    | disable]} | {response <milli-sec>} |
    {dup-syn <micro-sec>} | {priority <level>} |
    {server-timeout <seconds>}
Layer 4 (HOT) Services
HOT services provide the fastest brokered performance and are
available on the SA8250. HOT services are defined in full by their
Virtual IP address (VIP) and port number.
In HOT or Brokered mode, the SA8250 performs Network Address
Translation (NAT) on all packets passing through the connection.
NAT changes the destination IP address and port of incoming packets
to those of the selected fulfillment server. The source IP address is
modified to be that of the SA8250.
Fulfillment servers can be addressable by IP address, and thus can be
on either local or wide area networks.
By default, in HOT mode the fulfillment server sees all connections
as coming from the SA8250 rather than from the client's address. In
some environments, it may be preferable to have the fulfillment
server see the requests as if they were coming directly from the client.
Source Address Preservation (SAP) on the SA8250 allows this to
happen. For more details, see Source Address Preservation later in
this chapter.
Layer 7 (RICH) Services
The SA8250 allows more flexible service fulfillment for RICH (Real-
time Intelligent Content Handling) services. The service type
RICH_HTTP is available on the SA8250 and enables it to make
fulfillment decisions based on the URL content of each client HTTP
request. RICH services also include advanced error detection, and
automatic resubmission of HTTP requests under most error
conditions.
As with HOT services above, fulfillment servers can be addressable
by IP address, and thus can be on either local or wide area networks.
XML services are configured as RICH services.
Out-of-Path Return (OPR)
NOTE: OPR is not applicable to Layer 7 services.
Ordinarily, the SA8250 processes all traffic in both directions
between clients and the server farm. Viewing the server return traffic
helps the SA8250 accurately determine server response times and
handle HTTP errors. Often, the volume of data sent from the server
to the client is much larger than the traffic from client to server. In
such situations, you can use OPR mode to increase performance.
You enable OPR by typing this command:
config policygroup <name> service <name> server
    <name> port <port> mode opr
Each server for which OPR is enabled must have its loopback
interface configured to identify itself as the VIP of the brokered
service. This allows the server to respond directly to the client. The
server's loopback interface, or an equivalent interface that will not
respond to Address Resolution Protocol (ARP) requests, must be
configured before setting up the SA8250 for OPR. For more
information, see Appendix D.
FTP Limitations
This table lists the limitations of FTP on the SA8250.
Mode            Active FTP    Passive FTP
HOT             No            Yes
HOT with SAP    Yes           Yes (see below)
OPR             No            No
FTP Limitations
HOT with SAP does not change the server's IP address during Passive
FTP because the server is making the connection directly to the client,
using its real IP address. If the server's IP address is not a "real" IP
address, this mode will not work.
Sticky Options
Some services operate best if all requests from a specific client during
a single session are directed to the same fulfillment server. For
example, if the server maintains a local database of client activity or
context (shopping cart, registration info, navigation history, etc.), it is
important that subsequent client requests go to the server with these
database records. The SA8250's sticky options allow this to occur.
Sticky is available in the two modes shown in this table.
Sticky source IP for SSL uses the SSL session ID for stickiness
instead of the source IP of the client.
Both HTTP and HTTPS services can be RICH. However, incoming
RICH SSL connections will always be decrypted and sent on to the
fulfillment servers in clear text. Sticky cookie must be used when the
clients need to remain stuck to the same server between HTTPS and
HTTP.
There is no sticky cookie requirement for HTTPS traffic.
Each brokered service can be configured with sticky cookie, sticky
IP, or no sticky option enabled. When a sticky option is configured,
all client requests (identified according to the enabled sticky mode)
during a session are routed to the same fulfillment server. When the
sticky option is disabled, the SA8250 determines the best fulfillment
server for each client request and directs them accordingly.
Mode                          Description
Source IP address (src-ip)    Requests from a given IP address are directed to a single server.
Cookie                        The requesting browser is given a cookie, which subsequently
                              identifies it as a unique requestor to be directed to a single
                              server. This method uniquely identifies the client even if the
                              request passes through a proxy server. RICH service is required.
Sticky Modes
Sticky Persistence
For source-ip based sticky, the relationship between the client IP
address and the fulfillment server remains in effect for the entire time
the SA8250 is online or until the sticky timeout value expires. In the
event of failover, the sticky relationship is lost. Cookie sticky remains
in effect while the browser is running or until the sticky timeout value
expires. Since the browser maintains the cookie, cookie sticky is
maintained in the event of failover. The system clocks on both
SA8250s must be synchronized for failover handling to work. You do
this by enabling Network Time Protocol (NTP) using the Boot
Monitor. The administrator can control the length of time a server is
forced to handle serial requests from a single client using the sticky
timeout value.
Sticky-timeout
NOTE: All cookie sticky RICH services will be stuck to the same server for the duration of the sticky timeout value.
The SA8250 treats the timeout differently for cookie versus source-
ip sticky. With source-ip sticky, the timeout is reset with every
connection from the client (so that the timeout is effectively an "idle
time"). With cookie sticky, the timeout starts with the first
connection from the client to the server, and never gets reset. When
the cookie expires, even if actively being used, the next connection
will be load balanced to a new server.
We recommend that you set the cookie sticky timeout value to at least
1.5 times the maximum amount of time a user will expect to be stuck
to a server. If you are uncertain of the exact setting, we recommend
using 43200 seconds (12 hours) as the default.
SSL and Sticky
SSL (Secure Sockets Layer, or HTTPS) enabled services can also be
made sticky by specifying sticky cookie or sticky src-ip on the
CLI. For SSL services, sticky cookie behaves exactly as it does for
ordinary HTTP services. Source IP sticky uses the SSL session ID to
maintain server context. The server relationship will not survive
failover. As with sticky cookie, use of the session ID uniquely
identifies the client even if the request passes through a proxy server.
Server-timeout
A server timeout, which causes a change in servers, can appear as a
cookie sticky state change. The recommended value for server
timeout is at least 1.5 times the maximum server response time.
We recommend that you use 120 seconds as the default.
Grouping Services
NOTE: RICH is required for sticky service grouping.
The SA8250's sticky capabilities can ensure that all service requests
from the same user are routed to the same server. Enabling sticky
cookie on multiple services ensures that requests from the same client
will be routed to the same fulfillment server for the duration of the
sticky relationship. Of course the server must be able to fulfill all
service requests to have a true one-to-one client-server relationship.
SSL Acceleration
The SA8250 is a powerful addition to any web site desiring high
security levels. It was specifically created to manage secure traffic
going to and from critical applications. It handles SSL traffic into and
out of the customer's environment, as well as providing load
balancing, fault management, and error recovery.
The SA8250 includes cryptographic software features and hardware-
based acceleration. It provides up to 1200 SSL (HTTPS) connections
per second, far exceeding the performance of even the most powerful
web servers on the market today.
The SA8250 allows users to offload SSL processing from their back
end servers, and at the same time achieve full-featured traffic
management. In an SA8250 environment, all encrypted traffic
required by e-Commerce applications is handled at the SA8250.
The interaction between the SA8250 and the servers is done in the
clear, allowing load balancing and session management.
SSL processing is enabled by assigning an RSA private key (a public
encryption key algorithm invented in 1977) and an X.509 certificate
to a Layer 7 service. The SA8250 Command Line Interface (CLI)
creates or imports keys and certificates when you define a service.
Once the key and certificate are in place, secure HTTP (HTTPS)
requests are decrypted and passed on to the web server. The SA8250's
dual NIC and packet filtering capabilities can be used to isolate the
web servers from the Internet, further preventing unauthorized
access.
SSL Fundamentals
SSL involves an interchange of keys used both to authenticate the
parties and to provide information to securely encrypt confidential
data. The keys distributed in this medium are one way, or
asymmetric. That is, they can only be used to encrypt confidential
data, and only the owner of the public key can decrypt the data once
it is encrypted using the public key information. SSL assures the three
benefits shown in this table.
To establish a secure session with a server, the client sends a hello
message to which the server responds with its certificate and an
encryption methodology. The client then responds with an encrypted
random challenge, which is used to establish the session keys. This
method allows two parties to quickly establish each other's identities
and establish a secure connection.
Several encryption methods are employed. Common ones are DES,
3DES, RC2, and RC4. Key size can be varied to determine the level
of security desired. A longer key is more secure.
The SA8250 supports all common keys and ciphers, as well as the
following encryption methods: DES, DES3, and RC2 & RC4. The
SA8250 includes a licensed version of the RSA code embedded in the
security module as well. The device's session management software
has been certified by prominent security agencies and meets all
standards for SSL traffic.
The SA8250 handles all the handshaking, key establishment, and
bulk encryption for SSL transactions. Essentially, the SA8250 is a
full-featured, SSL-enabled web server. Traditionally, these functions
are performed either at the server level, by web servers generally
providing SSL functionality by way of standalone software
components, or by embedded encryption software.
Benefit         Description
Authenticity    Verifies the identities of the two parties
Privacy         None other than the transacting parties can access the information
                being exchanged.
Integrity       The message cannot be altered in transit between the two parties by a
                third party without the alteration being detected.
SSL Benefits
The SA8250 places encryption processing on the network side, thus
eliminating the need for processing on the servers. The servers never
see any of the SSL connection dialogue or the encrypted data. This
removes a substantial processing load from the servers allowing
improved response times and greater availability of system resources.
Basic SSL Operations
SA8250
1. Client connects to SA8250 with ClientHello (includes ciphers supported)
2. SA8250 responds with SSL ServerHello (includes selected cipher & session ID)
3. SA8250 sends certificate for server
4. Client sends ClientKeyExchange message; includes PK (session key)
5. SA8250 and client send ChangeCipherSpec message to indicate readiness
6. SA8250 and client send "finished" messages; includes hash of whole conversation
7. Encrypted data sent to SA8250, decrypted and forwarded to least busy server
8. Clear response sent to SA8250, encrypted and sent to client.

1. Client connects to server
2. Server responds with certificate
3. Client encrypts random key
4. Server generates working key
5. Session established

[Figure labels: Encrypted Traffic, Client, Server]
Application Message Traffic Management
The SA8250 was developed to perform load balancing in SSL
environments. The SA8250 allows users to load balance based on
application content (Layer 7, or RICH mode), as well as server
address and port (Layer 4, or HOT mode). SSL management is
handled independently of RICH mode processing. That is, once a
session is established and the message is decrypted, it is passed to the
SA8250's RICH processing component. This allows even SSL traffic
to take full advantage of the features of the device, including error
recovery and session rollback.
The SA8250 allows non-encrypted traffic to be processed
independently of SSL traffic. The advantage of this is that it permits
load balancing (in either HOT or RICH mode) configuration on a per
virtual IP address, thus allowing you to isolate the impact of the SSL
processing. Many users tune their sites for maximum performance by
assigning HOT load balancing to all traffic except SSL.
One of the other advantages of the SA8250 is its ability to recognize SSL
session IDs. This permits sticky (or persistent) sessions to be
established on a given server.
HTTPS Redirect
If desired, you can specify a page to return to the client if a successful
session cannot be negotiated because the client does not support the
required cipher suite. The SA8250 accomplishes this by sending an
HTTP 302 redirect message back to the client in the case of a cipher
negotiation failure. For example: The server supports 128-bit
encryption, but the client's software is only capable of 40-bit
encryption.
The CLI parameter redirectpage=<URL> sets which page the
client is redirected to, where <URL> is the fully qualified location
of the page. For example:
redirectpage=http://www.companyname.com/error.html
The default configuration file setting is: redirectpage=none.
Fulfillment of each virtual service is load balanced across a number
of real servers depending on the load balancing algorithm chosen.
Servers capable of fulfilling requests for a service are identified and
managed with the following commands:
config policygroup <name> service <name> server
    create <name> port <port>
config policygroup <name> service <name> server
    delete <name> port <port>
If you make an error while creating the policygroup, you must delete
it and create a new policygroup.
Client Authentication
By default, the SA8250 does not authenticate client identities;
however you can configure services to request client certificates for
the purpose of verifying identities. When you enable this feature, the
SA8250 verifies that client certificates are signed by a known
Certificate Authority (CA).
Issued client certificates are expected to be in use for their entire
validity period. The CA periodically issues a signed data structure,
called a Certificate Revocation List (CRL), containing the serial
numbers of all expired certificates. You can configure the SA8250 to
obtain and use a CRL using LDAP, HTTP, or FTP protocols. The
SA8250 first verifies a client certificate against the installed CA
certificate, and then looks up its serial number in the installed CRL.
If the serial number exists in the CRL, the SA8250 returns a message
to the client indicating that the client's certificate was revoked, and
the client connection is terminated.
HTTP Header Option Fields
The SA8250 can make the IP address of a requesting client available
to a fulfillment server by constructing a custom HTTP header option,
with the client's IP as the value:
HP_SOURCE_IP:<client-IP>
SSL-related HTTP header option fields are only used by the SA8250
with any SSL service. The HP_CIPHER_USED header option is
used whenever HP_SOURCE_IP is used, to provide the name of the
SSL-cipher negotiated between the SA8250 and the client:
HP_CIPHER_USED:<ssl-cipher>
These two header fields are used only by the SA8250 when client
authentication is in use:
HP_CLIENT_CERTIFICATE:<client-certificate>
HP_SESSION_ID: <SSL-session-ID>
Because a client certificate contains information useful for client/user
authorization, the SA8250 inserts the client certificate in the request
header before sending the request to the server. The server can then
extract the certificate from the request header and use it for
authorization or other purposes.
The client certificate is inserted in the request header only once per
session. Requests following the initial request will be sent to the
server with only the SSL-session-id in the header. The SSL-session-
id is unique for each session and allows the server to work with
multiple sessions. The client certificate is inserted in the request
header with a new SSL-session-id only when the client certificate has
been re-negotiated between the SA8250 and the client:
New Session/Initial Request: The SA8250 sends both the
HP_CLIENT_CERTIFICATE and HP_SESSION_ID header
options.
Existing Session/Subsequent Requests: The SA8250 sends
only the HP_SESSION_ID header option.
The use of header option fields is an efficient way of supplying
information to the server about the client. To ease the use of this
important feature, the SA8250 allows customization of all the above
header option field names. For more information, see Chapter 5.
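A fulfillment server that authorizes users from these header options has to handle the once-per-session certificate delivery and should accept the fields only on connections that arrive from the SA8250. The following sketch is an added example, not HP code: the class and function names, the appliance address, and the sample values are assumptions, and the header names are the defaults listed above (they can be customized).

```python
APPLIANCE_IPS = {"192.0.2.10"}  # assumption: constructed address the SA8250 connects from
HP_HEADERS = {"hp_source_ip", "hp_cipher_used", "hp_client_certificate", "hp_session_id"}


class HeaderTrustError(Exception):
    """The HP_* header options on a request cannot be relied on."""


class ClientIdentityCache:
    """Tracks which client certificate belongs to which SSL session ID.

    Entries are kept for the life of the process here; a real server would
    expire them together with its own session state.
    """

    def __init__(self, appliance_ips=APPLIANCE_IPS):
        self.appliance_ips = set(appliance_ips)
        self._cert_by_session = {}

    def identify(self, peer_ip, headers):
        """Return the client certificate for this request, or None without client auth."""
        hp = {k.lower(): v.strip() for k, v in headers.items() if k.lower() in HP_HEADERS}
        if peer_ip not in self.appliance_ips:
            # The request did not come through the appliance, so nothing vouches
            # for these fields.
            if hp:
                raise HeaderTrustError("HP_* headers from a peer that is not the SA8250")
            return None
        session_id = hp.get("hp_session_id")
        cert = hp.get("hp_client_certificate")
        if cert is not None:
            # New session or re-negotiated certificate: both fields arrive together.
            if not session_id:
                raise HeaderTrustError("certificate header without a session ID")
            self._cert_by_session[session_id] = cert
            return cert
        if session_id is None:
            return None  # client authentication is not in use for this service
        if session_id not in self._cert_by_session:
            # Subsequent requests carry only the session ID, so a server that never
            # saw the initial request (for example after a restart) cannot map it.
            raise HeaderTrustError("session ID seen before its certificate")
        return self._cert_by_session[session_id]


if __name__ == "__main__":
    cache = ClientIdentityCache()
    first = {"HP_SOURCE_IP": "198.51.100.7", "HP_SESSION_ID": "s1",
             "HP_CLIENT_CERTIFICATE": "CERT-A (constructed)"}
    print(cache.identify("192.0.2.10", first))
    print(cache.identify("192.0.2.10", {"HP_SESSION_ID": "s1"}))
```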
Load Balancing Across Multiple Servers
Balancing Algorithms
The SA8250 provides a choice of load balancing algorithms.
Services can be separately configured to load balance using a round-
robin or a response time algorithm. In most networks, the best
performance results from use of the response time algorithm. Under
this algorithm, the SA8250 measures the response time of each
request to each server in the server farm. It then balances requests to
the service among the servers, sending more requests to the fastest
servers and fewer to the slower ones, thus optimizing the average
response time.
In cases where OPR is used in unpredictable WAN environments,
response time metrics may be obscured by WAN latency variance. In
these situations, round-robin load balancing can provide equal
distribution of client requests to each fulfillment server.
The balancing algorithm is specified with this command:
config policygroup <name> service <name>
    balancing [robin | load]
Response-time Metrics
For both balancing algorithms, servers can be assigned target
response times. These values indicate the desired average response
time for requests for specified services to be fulfilled, and instruct
the SA8250 to use alternate resources for fulfillment if the average
response time exceeds the target response time. Target response time is
controlled with this command:
config policygroup <name> service <name>
    response <mil-seconds>
If the servers do not meet the specified response time threshold,
backup servers, if available and enabled, are activated. In addition,
the servers providing lower priority services are throttled if the
response time is still not being met (if throttle is enabled in the
policygroup). Both mechanisms are available for both of the load-
balancing algorithms.
Primary and Backup Servers
Each server is identified as either a Primary or Backup for a given
service. Primary servers are always considered first for request
fulfillment. By default, Backup servers are considered for use only if
a primary server goes down, though they can optionally be
configured for use to maintain target response times. A server's type
is established with this command:
config policygroup <name> service <name> server
    <name> port <port> type [primary | backup]
Backup servers are enabled to maintain target response times with
this command:
config policygroup <name> service <name> backups
    [enable | disable]
Server Configuration Options
Source Address Preservation
By default, brokered service requests arriving at a fulfillment server
appear to the server as requests originating from the SA8250.
Consequently, server log files record the SA8250 as the source of
these requests. When Source Address Preservation (SAP) is enabled
however, the SA8250 preserves the original source addresses of
requests delivered to the server farm. If you use the log files from
your server farm to gather information based on client source
addresses, use Source Address Preservation. SAP is controlled with
this command:
config policygroup <name> service <name> server
    <name> port <port> mode sap
NOTE: For the SA8250 to operate in SAP mode, the default gateway for each SAP-enabled server must be set to the SA8250’s physical IP address, not the VIP.
SAP cannot be used in WAN or multiple router LAN environments.
To use SAP, each server must be configured so that its default
gateway is set to the physical IP address of the SA8250, thus there can
be no routers between the SA8250 and the fulfillment servers.
Limitations of SAP mode operation:
The client machine cannot be on the same subnet as the SA8250.
The SA8250 and server must be on the same subnet.
When SAP is enabled, serial cable failover is the only failover option;
routing failover is not available.
Multi-hop Source Address Preservation
It is possible in sophisticated network topologies to require requests
to pass through two SA8250s. In such configurations, the SA8250
topologically closest to the clients must be configured with the Multi-
hop Source Address Preservation (MSAP) feature enabled.
MSAP allows requests to pass through two cascaded SA8250s in
different geographical areas. Enabling MSAP ensures that the actual
IP addresses of requesting clients, rather than the virtual IP address of
the SA8250 that delivered the request, are recorded in the server logs.
This is similar to SAP (described in the preceding section); however,
this feature allows SA8250s to be geographically dispersed:
MSAP on a Geographically-Dispersed Network
NOTE: MSAP must be disabled (the default).
In the figure above, a client in San Diego sends a request to a
fulfillment server in Boston. MSAP is enabled on SA8250 Broker 1,
and Server 1's default route is set to SA8250 Broker 2. The SA8250
Broker 2 doesn't need SAP enabled for this service, since SAP is
automatically used on MSAP requests from SA8250 Broker 1. In this
configuration, the San Diego client's IP address will be preserved in
the Boston fulfillment servers' logs. To enable MSAP, type this
command:
config policygroup <name> service <name> server <name> port <port> msap enable
%RVWRQ6DQ'LHJR
6$
ZLWK06$3
(QDEOHG
6$
ZLWK06$3
'LVDEOHG
&OLHQW 6HUYHU
%RVWRQ6DQ'LHJR
6$
ZLWK06$3
(QDEOHG
6$
ZLWK06$3
(QDEOHG
6$
ZLWK06$3
'LVDEOHG
6$
ZLWK06$3
'LVDEOHG
&OLHQW&OLHQW 6HUYHU6HUYHU
C H A P T E R 2 HP e-Commerce/XML Director Server Appliance SA8250 User Guide
44
RICH expressions in XML patterns
Layer 7 RICH_HTTP service configurations use rich expressions to
assign particular classes of URLs to particular servers for fulfillment.
RICH expressions are used, for example, to distinguish content
requested by clients performing online transactions, from content
typically requested by casual browsers. In this way, users performing
online transactions are given higher priority access to server
resources (and better response times) than other users.
Each server listed for fulfillment of a RICH_HTTP service can be
configured to serve any number of specific rich expressions. This is a
list of applicable expressions:
File type expressions, such as *.gif, or */index.html
Path expressions, such as /home/*, or /home/images/*, or
/home/images/a*.
Unique file expressions, such as /index.html
Wildcard expression, such as *.
Negation expressions, such as !*.gif or !*/index.html
RICH and XML expressions are managed with these commands:
config policygroup <name> service <name> server <name> port <port> xmlpattern create <xmlpattern>
config policygroup <name> service <name> server <name> port <port> xmlpattern delete <xmlpattern>
config policygroup <name> service <name> server <name> port <port> xmlpattern info
For more details on these commands, see Chapter 5.
Order of RICH expressions
When using expressions in Layer 7 (RICH) operations, the order of
expressions is significant only when the not (!) operator is used.
Expressions are described in this table.
Three rules for expressions:
The * and ! are allowed in RICH expressions, but they can
only exist at the beginning or end of the expression.
A positive RICH expression is required after a negative RICH
expression, otherwise the negative expression has no effect.
Negative RICH expressions can be used alone, but not in XML
patterns.
Expression    Yields
!*.gif        All non-GIF files
*.jpg         All JPG files
!/home/*      No matches
Order of Expressions
Routing with Dual Interfaces
Because the SA8250 has two network interfaces, it can act as a router
in some contexts. This means that it can route between two subnets.
To do this, you must designate the SA8250 as the default gateway for
your fulfillment servers. Routes to the inside subnet are not
advertised to the outside router, but host routes are advertised to the
VIPs. Packets destined for defined VIPs are always routed through
the SA8250 to the server-side subnet. Other packets are forwarded
through the SA8250 only when the security mode is set to OPEN or
when set to CUSTOM and IP Forwarding is turned on. The SA8250's
routing capabilities vary depending on which routing and failover
methods are used. For more details about these variations and their
relationships to routing and failover configurations, see Appendix C.
NOTE: The SA8250 cannot route multiple subnets on one interface.
This table lists terms that are pertinent to SA8250 routing.
Term                Description
Brokered subnet     The SA8250 interface attached to the side of the physical network on which client requests arrive.
Server-side subnet  The SA8250 interface attached to the side of the physical network that includes the fulfillment servers.
Outside device      The router or switch one hop from the SA8250 on the brokered subnet
Inside device       The router or switch one hop from the SA8250 on the server-side subnet
Routing Terms
This figure shows an example of the SA8250 routing topology.
SA8250 Routing Topology
Prioritization and Policy Groups
Policy groups are containers used to organize services. Service
prioritization uses policy group information to make decisions about
which services should get more or less server resources. Although
the assignment of services to policy groups can be arbitrarily
determined by the operator, effective use requires that each policy
group contain services related by their shared use of server resources.
Services and servers are assigned to Policy Groups at their time of
creation. This is a list of policy group management commands:
config policygroup create <name>
config policygroup delete <name>
config policygroup <name> throttle [enable | disable]
The policy group framework allows the prioritization of categories of
client requests. Each service defined in a policy group is assigned a
priority within that group and a target response time. When the
average response time of a service exceeds its target response time,
that service is allocated, on the basis of its priority, a greater share of
common server resources to attempt to bring response time back
within the target range (this assumes that the throttling option is
enabled for the policy group).
Target Response Time Satisfied
For example, the services HTTP and HTTPS are both assigned to a
single policy group. HTTPS is designated the highest priority service,
and HTTP the second priority. The SA8250 monitors the response
time of each service, and if necessary re-prioritizes server resources
of subordinate services to keep the response time for the highest
priority service within the specified range. The figure above shows a
policy group with services sharing a defined VIP, two services, and
their associated target response times. When the average response
time of HTTPS is less than or equal to 10 ms, Server 1 fulfills HTTP
requests, Server 2 fulfills HTTPS requests, and Server 3 fulfills both
HTTP and HTTPS requests. The figure on the next page illustrates
server utilization after HTTPS response time exceeds 10 ms.
[Figure labels: SA8250, VIP: 10.2.2.4; HTTPS: 10 ms; HTTP: 10 ms; Server 1: HTTP; Server 2: HTTPS; Server 3: HTTP/HTTPS]
Target Response Time Exceeded
Upon noticing a break in the target response time threshold, the
SA8250 scans the policy group's active service and server pools for
shared resources. In this example, both the HTTP and HTTPS
services use Server 3. To provide the greatest server resources for the
highest priority service, shared resources are eliminated from
subordinate service pools (although each service will always have at
least one point of fulfillment). For example, in the figure above, new
HTTP connections are no longer sent to Server 3 in an effort to
guarantee the target response time for HTTPS. Server 3 will again
serve HTTP when target response times are met.
[Figure labels: SA8250, VIP: 10.2.2.4; HTTPS: 12 ms; HTTP: 10 ms; Server 1: HTTP; Server 2: HTTPS; Server 3: HTTP]
Routing Method for VIP Addresses
After setting up a service, you must configure the SA8250 to route the
VIP address to the Internet. There are two possibilities:
In single SA8250 installations, Standalone mode is preferred
as it allows the VIP to be ARP-accessible from the router.
If there are multiple address spaces (such as an SA8250 on the
10.x.x.x network and a VIP on the 209.x.x.x), then a routing
protocol might be the best method to advertise the VIP. When
configuring routing on the SA8250, always match the router's
configuration. The SA8250 can be programmed to use RIP v1,
RIP v2, or OSPF.
For example (standalone mode):
HP SA8250#config route
HP SA8250/config/route#info
Route configuration:
----------------------------
Broker role: standalone
RIP Info:
Active:no
Version:2
OSPF Info:
Active: no
Area: backbone
Hello interval: 10
Router dead interval: 40
Authentication type: simple
Authentication key: <your key>
Error Detection
The SA8250 is capable of recognizing and reacting to server error
conditions, detecting non-responsive (comatose) servers, and
directing traffic to alternate resources until the server is back in
operation. The SA8250 can also capture many HTTP errors before
they reach the client, and redirect the request to an alternate server.
Server Status Detection
The SA8250 uses multiple means to monitor the status of the
fulfillment servers. The Intelligent Resource Verification (IRV)
module periodically pings the servers to verify that they are alive. The
SA8250 also monitors a dup-syn interval to calculate packet loss
rate.
Intelligent Resource Verification
When the IRV module pings a server and receives no response, it tries
to connect to each port on which the suspect server is configured to
listen. If the SA8250 itself does not receive a response from a given
port, then that server/port combination is declared dead. If the server
maintains network connectivity and responds positively to IRV
pings, but its ports stop responding, then the dup-syn interval
threshold (described below) is used to decide if the server is declared
dead.
Dup-syn Interval
The SA8250 dynamically calculates the threshold for the acceptable
number of dropped packets within a given interval. If at any time in
this interval the number of dropped packets exceeds this threshold,
the server is considered dead. After the specified time value has
expired, the lost packet (or dup-syn) count is divided by two and the
time interval starts again. In this way, some history information is
kept between time intervals.
The dup-syn interval for this threshold is established with the dup-
syn CLI command, and ranges in value from 1000 to 2,147,483,647
microseconds. The default time interval value is 500,000
microseconds (one half second), which is appropriate for most
environments. By lowering or raising this value, you render the
SA8250 respectively less or more sensitive to dropped packets, and
less or more likely to declare a server dead. The volume of network
traffic must be taken into account when setting the dup-syn interval.
Higher volumes of traffic require a shorter dup-syn interval to avoid
mistakenly declaring a server dead due to network congestion.
The dup-syn command uses the following syntax:
config policygroup <name> service <name> dup-syn <micro-seconds>
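The effect of the interval on sensitivity is easiest to see by replaying one loss pattern against several interval values. The following Python model is an added example, not SA8250 code: the appliance calculates its threshold dynamically, so the fixed `threshold` here, the integer halving and the constructed drop trace are all assumptions made for illustration.

```python
MIN_INTERVAL_US = 1_000
MAX_INTERVAL_US = 2_147_483_647
DEFAULT_INTERVAL_US = 500_000


def declared_dead_at(drop_times_us, interval_us=DEFAULT_INTERVAL_US, threshold=6):
    """Return the time (in microseconds) at which the server is declared
    dead, or None if the dropped-packet count never exceeds the threshold.

    drop_times_us: timestamps of dropped packets (dup-syns) for one server.
    threshold: fixed stand-in for the limit the SA8250 computes dynamically.
    """
    if not MIN_INTERVAL_US <= interval_us <= MAX_INTERVAL_US:
        raise ValueError("dup-syn interval out of range")
    count = 0
    interval_end = interval_us
    for t in sorted(drop_times_us):
        # Each expired interval halves the count instead of clearing it,
        # so some history carries over into the next interval.
        while t >= interval_end:
            count //= 2          # assumption: integer halving
            interval_end += interval_us
        count += 1
        if count > threshold:
            return t
    return None


def sweep(drop_times_us, intervals_us, threshold=6):
    """Replay the same drop trace against several dup-syn intervals."""
    return {i: declared_dead_at(drop_times_us, i, threshold) for i in intervals_us}


# Constructed trace: one dropped packet every 100 ms for 3 seconds.
STEADY_LOSS = [50_000 + 100_000 * n for n in range(30)]

if __name__ == "__main__":
    for interval, dead in sweep(STEADY_LOSS, [100_000, 500_000, 2_000_000]).items():
        print(f"{interval:>9} us -> declared dead at {dead}")
```

With this trace the shortest interval never declares the server dead, the default does so after about one second, and the longest does so soonest, which matches the manual's statement that lowering the value makes the SA8250 less sensitive to dropped packets.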
HTTP Error Detection
The SA8250 offers HTTP error detection for RICH services. When
HTTP error detection is enabled, the SA8250 scans the headers of
server responses for errors. If an HTTP error is found, the original
request is rerouted to another server for fulfillment, transparently to
the client. This process continues until a server responds without an
error, or all applicable servers have been tried. Conversely, if HTTP
error detection is disabled, the error is returned directly to the client.
HTTP error detection for errors 401-405 and 500-503 (as defined in
the HTTP specification) is configured with this command:
config policygroup <name> service <name> server <name> port <port> http [enable | disable]
The SA8250 extends standard HTTP error handling by allowing the
server to return a special 606 error code. Detection and handling of
606 errors is configured separately. In this way, standard errors may
be passed to the client while 606 errors are handled transparently by
the system. If 606 error handling is enabled, the SA8250 scans for an
HTTP 606 response code. If the response code is found and another
server is available to handle the request, it is sent automatically. This
process continues until a server responds without an error, or until all
applicable servers have been tried.
The HTTP header for 606 handling is of the form: HTTP/1.0 606
Error. Users can generate this response through a variety of methods
including CGI and nph scripts. Consult your web server
documentation for information about generating custom error
messages.
config policygroup <name> service <name> server <name> port <port> 606 [enable | disable]
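Because standard error detection and 606 handling are switched separately, the same server responses can produce different client-visible results. The following Python model of the rerouting decision is an added example, not SA8250 code; the function names and the constructed responses are assumptions, as is returning the last error once every applicable server has been tried (the manual does not say which response the client receives in that case).

```python
import re

STANDARD_ERRORS = frozenset(range(401, 406)) | frozenset(range(500, 504))
CUSTOM_ERROR = 606
STATUS_LINE = re.compile(rb"HTTP/\d+\.\d+ (\d{3})\b")


def status_code(response_head: bytes) -> int:
    """Extract the status code from a response head such as b'HTTP/1.0 606 Error'."""
    first_line = response_head.split(b"\r\n", 1)[0]
    match = STATUS_LINE.match(first_line)
    if match is None:
        raise ValueError(f"malformed status line: {first_line!r}")
    return int(match.group(1))


def fulfil(server_responses, http_detect=False, detect_606=False):
    """Model one brokered request.

    server_responses: ordered (server, response_head) pairs for the servers
    able to fulfil the request. Returns (server, code, attempts); attempts
    lists every (server, code) tried, which is what the server logs hold.
    """
    attempts = []
    for server, head in server_responses:
        code = status_code(head)
        attempts.append((server, code))
        reroute = (http_detect and code in STANDARD_ERRORS) or (
            detect_606 and code == CUSTOM_ERROR
        )
        if not reroute:
            return server, code, attempts
    if not attempts:
        raise ValueError("no applicable servers")
    # Assumption: with every server tried, the last error goes to the client.
    server, code = attempts[-1]
    return server, code, attempts


# Constructed responses for three servers fulfilling the same request.
POOL = [
    ("server1", b"HTTP/1.0 503 Service Unavailable\r\n\r\n"),
    ("server2", b"HTTP/1.0 606 Error\r\n\r\n"),
    ("server3", b"HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n"),
]
ALL_FORBIDDEN = [
    ("server1", b"HTTP/1.0 403 Forbidden\r\n\r\n"),
    ("server2", b"HTTP/1.0 403 Forbidden\r\n\r\n"),
]

if __name__ == "__main__":
    for flags in ((False, False), (True, False), (False, True), (True, True)):
        print(flags, fulfil(POOL, *flags))
```

The `attempts` list is worth keeping in mind when reviewing server logs: with detection enabled, an error logged on one server can belong to a request that the client saw succeed on another.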
Serial Cable Failover
The SA8250 offers two failover methods:
Router Failover (including OSPF, RIPv1 and RIPv2), and
Serial Cable Failover
NOTE: DHCP is not available when serial cable failover is enabled.
When serial cable failover is configured, the Primary and Backup
SA8250s communicate heartbeat, configuration, and status
information using the included null modem serial cable. The Backup
SA8250 assumes control from the Primary when any of the following
occur:
The Backup SA8250 does not detect the Primary SA8250's
heartbeat within the timeout period (the default is 3 seconds).
The Primary SA8250's Ethernet interface becomes inactive. For
example, if the Ethernet cable is disconnected.
The Primary SA8250 experiences an internal software error.
NOTE: You can log on to the Backup SA8250, but the full command set is not available.
Both the Primary and Backup SA8250s need to know their own
identity and the Online Identity by address and name to satisfy
internal communication parameters. The SA8250s' own names and
the shared online identity are automatically entered into their host
files during failover configuration. If Dual NIC is enabled, the
identities for both the Outside (network-side) and Inside (server-side)
NICs are shared.
For information on failover method dependencies, see Appendix C.
Serial Cable Failover Configuration
NOTE: Before configuring serial cable failover, both the primary and backup SA8250s must be configured with the setup command. For more information, see Chapter 3.
The following procedures are used to configure the Primary and
Secondary SA8250s for serial cable failover operation.
Configure the Primary SA8250
1. Connect the two SA8250s through their failover ports using the
provided null modem serial cable.
2. Reboot the SA8250 that will be the Primary and press a key at
the prompt to enter the Boot Monitor.
3. At the prompt, type this command:
monitor>failover
NOTE: The Online IP Address is the address used by the SA8250 that is currently accepting connections; this can be either the Primary or the Backup SA8250 (though it is typically the Primary). The Online IP Address is the address by which you can access the Online SA8250 using telnet for administration.
4. For single NIC operation, follow the prompts as shown:
Set failover method (None, Serial, Route)
[ ] ---> serial
Checking for failover unit...
Failover unit not detected or may not be
configured.
Is this machine Primary or Backup? [Primary]--->
Enter the Networks Online IP Address
--->10.6.3.200
Enter Networks Online Hostname ---> netonline
Serial failover successfully configured
If Dual NIC operation is enabled, failover configuration looks
like this example:
monitor>failover
Set failover method (disabled, serial, route)
[disabled] --->serial
Disabling DHCP to allow serial failover.
Checking for failover unit...
Failover unit not detected or may not be
configured.
Is this machine Primary or Backup? [Primary]--->
Enter the Network side Online IP Address
[10.6.3.200] --->
Enter the Server side Online IP Address
[10.6.4.200] --->
Enter the Network side Online hostname
[netonline] --->
Enter the Server side Online hostname --->
servonline
Serial failover successfully configured
5. Save the Primary configuration.
monitor>save
List of currently saved configuration files(s).
You may save over an existing configuration file
or enter a new name.
File name
----------
active.cfg
backup.cfg
cris.cfg
active.cfg is the last booted configuration.
Enter configuration file name (- to cancel):
[active.cfg] --->
Configuration has been saved.
6. Boot the SA8250.
monitor>boot
Do you really want to continue boot? [y]
---> <Enter>
Boot which configuration? [active.cfg]
---> <Enter>
Please stand by, the system is being booted.
.... Done
Login>
Configure the Backup SA8250
1. Reboot the SA8250 that will be the Secondary and press a key at
the prompt to enter the Boot Monitor.
2. At the prompt, type this command:
monitor>failover
3. Follow these prompts:
NOTE: Use the same Online IP Address and name for the Backup SA8250 as the Primary (these appear by default).
Specify failover method (disabled, serial,
route) [ ] --->s
Checking for failover unit...
Failover unit detected
--------------------------
Version : 2.3
Type : PRIMARY
State : ONLINE
Name : online13
IP : 13.1.1.20
Mac : 0:1:c9:ed:a6:fb
Is this machine Primary or Backup? [Backup]
---> <Enter>
Enter Online IP Address [13.1.1.20] ---> <Enter>
Enter Online Name [online13] ---> <Enter>
Serial failover successfully configured
monitor>
4. Save the Backup configuration.
monitor>save
List of currently saved configuration file(s).
You may save over an existing configuration file
or enter a new name.
File name
----------
active.cfg
backup.cfg
cris.cfg
active.cfg is the last booted configuration.
Enter configuration file name (- to cancel):
[active.cfg] --->
Configuration has been saved.
5. Boot the SA8250.
monitor>boot
... current configuration ...
... list of saved configuration files ...
Boot configuration file name? [active.cfg]
---> <Enter>
Do you really want to boot active.cfg? [y]
---> <Enter>
Please stand by, the system is being booted.
Replicating the Configuration
When the active configuration changes, it is replicated from the
Primary to the Backup SA8250. For most configurations, faults are
detected within 3 seconds, and the Backup is fully online within 25
seconds. The latter interval increases as the number of services
increases.
Status Information
You can display information about the SA8250's function and
failover status either via the Command Line Interface or the GUI.
Below are the commands to display status information followed by a
list of status messages and their explanations.
1. Log in to the SA8250.
2. At the CLI prompt, type this command:
HP SA8250>info
The status appears on the last line of the info command's output.
A description of the status message is shown in this table.
Failover Status Message
    Description
The broker is ONLINE, and serial failover is NONE (disabled).
    One of the SA8250s is configured for either none or route failover.
The broker is PRIMARY and ONLINE, the remote's serial failover is NONE (disabled).
    One of the SA8250s is configured for either none or route failover.
The broker is PRIMARY and ONLINE, the remote's state is READY.
    Normal Serial Failover Operation
The broker is BACKUP and READY, and the remote's state is ONLINE.
The broker is PRIMARY and NIC_FAILED, and the remote's state is ONLINE.
    Ethernet cable disconnected, or cable, NIC, or HUB port failure
The broker is BACKUP and ONLINE, and the remote's state is NIC_FAILED.
The broker is PRIMARY and ONLINE, the connection to the remote has TIMED OUT.
    The serial cable connecting the SA8250s is disconnected
The broker is BACKUP and IP_IN_USE_ERROR, the connection to the remote has TIMED OUT.
Status Message Descriptions
NOTE: The notation, PRIMARY/BACKUP indicates that either PRIMARY or BACKUP will be displayed.
The Failover Status messages in this table are not specific to the
Primary or Backup SA8250s.
Failover Status Message
    Description
The broker is PRIMARY/BACKUP and WAITING_FOR_SYNC
    One of the SA8250s has been restarted. This status persists while the configuration files are loaded from the online SA8250. The time this state persists depends on the number of VIPs and services configured.
The broker is PRIMARY/BACKUP and CONFIGURATION_ERROR
    Both SA8250s are configured as Primary or as Backup. Neither SA8250 will come online until this condition is corrected
The broker is PRIMARY/BACKUP and DNS_FAILED
    The online IP address is missing from both the local host file and the DNS server.
The broker is PRIMARY/BACKUP and CORE_APP_FAILED.
    Indeterminate error. Use an earlier working configuration. If the condition persists, contact Customer Support for assistance.
The broker is PRIMARY/BACKUP and RICH_APP_FAILED.
Additional Status Message Descriptions
Boot Monitor
Using the Boot Monitor
CAUTION: After configuring the SA8250 with the Boot Monitor, you must enable Autoboot with the autoboot command or the SA8250 will not operate.
The HP e-Commerce/XML Director Server Appliance SA8250's
Boot Monitor configures boot options and manages boot configuration
files. Typically, you will use the Boot Monitor only during the initial
configuration or after major reconfigurations, if the latter becomes
necessary. You can manage day-to-day operations using the
Graphical User Interface (GUI, Chapter 4) or the Command Line
Interface (CLI, Chapter 5).
General categories of tasks performed by the Boot Monitor:
Configure and display boot options, including the configuration
file
Manage the boot configuration file system
Configure and change IP parameters
System Requirements
You can use any terminal or workstation with a terminal emulator to
run Boot Monitor, provided the terminal has the following features:
9600 bits per second, 8 data bits, 1 stop bit, no parity, no flow
control (9600-8-N-1)
A terminal emulation program, such as HyperTerminal*
Cable and connector to match the male DTE connector (DB-9)
Accessing the Boot Monitor
You can access the Boot Monitor in either of the two ways described
below.
Interrupting the Bootup Sequence
1. Interrupt the SA8250's bootup sequence by pressing a key at the
following prompt:
Press any key to stop autoboot.
In a few seconds the following prompt displays, confirming that
the Boot Monitor is running:
monitor>
Using the Run Time CLI
1. Type this command at the prompt:
HP SA8250#config sys autoboot disable
2. Type this command at the prompt:
HP SA8250#reboot
The monitor> prompt displays, confirming that the Boot
Monitor is running.
Boot Monitor Commands
This section lists and describes all Boot Monitor commands available
on the SA8250.
autoboot Enables or disables the Autoboot function. If Autoboot is enabled
(the default), the SA8250 prompts you to press a key during restart to
enter the Boot Monitor command line interface. If you ignore the
prompt, restart finishes with the SA8250 in normal operating mode.
If Autoboot is disabled, the restart sequence ends by displaying the
Boot Monitor interface.
Example:
monitor>autoboot
Enable Autoboot? (yes,no) [yes] --->
boot Boots the device with a specific configuration. Variations on the use
of the reboot command are shown in this section.
Reboot with No Configuration Changes
NOTE: The first boot after a factory_reset command or a new installation will prompt you for the root password.
1. Type the boot command.
The Boot Monitor displays the current configuration and prompts
you for confirmation:
Current active configuration
----------------------------
Product: HP SA8250
Version: 2.7
Patch Level: 0.0
Build: 12
Current time: Tue Sep 12 17:02:05 2000
Hostname: CSLab7k
-------------
Network side NIC:
IP Address: 10.6.3.21
Netmask: 255.255.255.0
MAC address: 0:a0:c9:ed:6c:cc
-------------
Service side NIC:
IP Address 10.6.5.21
Netmask: 255.255.255.0
MAC address: 0:d0:b7:6:c1:85
-------------
Default Gateway: 10.6.3.1
Domain: None
Primary name server: None
DHCP: Disabled
Failover mode: Disabled
Network NIC setup: Auto
Server NIC setup: Auto
NTP: Disabled
Autoboot: Disabled
Static Routes: None
RICH_Biased: Enabled
Do you really want to boot active.cfg? [y] --->
2. To boot to the normal operational prompt, type y.
3. To return to the monitor> prompt, type n.
Reboot with Configuration Changes
When you use the boot command after changing the SA8250's
configuration, you are presented with a number of options. With
these you can use the changed configuration, revert to the last saved
configuration, or choose among a list of previously saved
configurations. Procedures for choosing among these options are
organized within three groups described in this section.
1. Type the boot command.
2. The Boot Monitor displays the changed configuration
information and prompts you to save the new configuration:
Current active configuration
----------------------------
Product: HP SA8250
Version: 2.7
Patch Level: 0.0
Build: 12
Current time: Tue Sep 12 17:02:05 2000
Hostname: CSLab7k
-------------
Network side NIC:
IP Address: 10.6.3.21
Netmask: 255.255.255.0
MAC address: 0:a0:c9:ed:6c:cc
-------------
Service side NIC:
IP Address 10.6.5.21
Netmask: 255.255.255.0
MAC address: 0:d0:b7:6:c1:85
-------------
Default Gateway: 10.6.3.1
Domain: None
Primary name server: None
DHCP: Disabled
Failover mode: Disabled
Network NIC setup: Auto
Server NIC setup: Auto
NTP: Disabled
Autoboot: Disabled
Static Routes: None
RICH_Biased: Enabled
The configuration has changed, save it? [y] --->
First Options:
1. If you accept the default, y, the system saves the configuration as
either active.cfg or the last loaded filename.
Configuration file name? [active.cfg] --->
NOTE: This list includes backup.cfg, a backup of the most recently booted configuration. This file is automatically created when you change the configuration and save.
2. You can either accept the default, active.cfg, or enter a new
filename. The system then saves the file and presents a list of all
saved files.
Select a boot configuration from the following
files.
active.cfg
backup.cfg
Boot configuration file name? [active.cfg] --->
3. You can accept the default, active.cfg, or select another
previously saved configuration. No matter which file you select,
the configuration file you are about to boot is displayed to ensure
that the last file displayed is the configuration that is booted.
4. If you accept the default, y, the system boots to the normal
operational prompt. If you type n, it returns to the monitor>
prompt.
Second Options:
1. If you choose not to save the modified file, the system displays a
warning that it is reverting to the previously booted
configuration:
Warning: The current configuration has NOT been
saved and will not be booted. Reverting to last
saved active.cfg.
2. If there are no additional saved configurations, the system
prompts you to confirm that you want to boot the last saved
configuration, which will always be active.cfg.
Do you really want to boot active.cfg? [y] --->
3. If you accept the default, y, the system boots to the normal
operational prompt. If you type n, it returns to the monitor>
prompt.
Third Options:
1. If there are any previously saved configurations on the system,
you are offered a choice of configuration files to boot from.
Select a boot configuration from the following
files.
active.cfg
backup.cfg
Boot configuration file name? [active.cfg] --->
2. You can accept the default, active.cfg, or select another
previously saved configuration. If you select active.cfg, the
configuration is not redisplayed. If you select a file other than
active.cfg, the file's contents are displayed to ensure that the
last file displayed is the configuration that is booted.
3. If you accept the default, y, the system boots to the normal
operational prompt. If you type n, it returns to the monitor>
prompt.
delete Deletes the specified configuration file.
Example:
monitor>delete
Select a configuration to delete from the
following files.
Note: You cannot delete the active
configuration file active.cfg.
File name
--------------
active.cfg
backup.cfg
cris.cfg
active.cfg is the last booted configuration.
Enter the configuration filename to delete:
--->broker1.cfg
broker1.cfg successfully deleted.
dhcp Enables or disables the SA8250's use of DHCP. When DHCP is
enabled, the SA8250 receives its configuration parameters from the
DHCP server at startup. When DHCP is disabled (the default setting),
the SA8250 ignores the DHCP server, and so it must be manually
configured at restart. Respond to the prompt with y to enable, or n to
disable.
Example:
monitor> dhcp
Enable DHCP (yes, no)? [no] --->
dir Displays the list of saved boot configuration files.
dns Sets the domain and (optionally) nameserver(s). The system prompts
you for the required information.
Example:
monitor> dns
Would you like to configure DNS (yes, no)?
[no] --->
monitor>dns
Would you like to configure DNS (yes, no)?
[no] --->yes
Enter Domain name (- to cancel)
--->mydomain.com
Enter the IP Address of the Primary name server
(- to cancel) --->10.6.3.5
Specify additional name server
( <return> to end ) --->10.6.3.10
Specify additional name server
( <return> to end ) --->
dual Sets single or dual NIC operation.
Example:
monitor>dual
Enable dual NIC operation (yes, no) [no] --->
factory_reset Resets the SA8250 to its factory defaults, as listed in this table.
NOTE: The first boot after a factory_reset command or a new installation will prompt you for the root password. Also, the factory_reset command does not delete saved configuration files.
Parameter                             Setting
All added user accounts               Deleted
Policy groups, services, and servers  Deleted
Route parameters                      Deleted
CLI parameters                        Deleted
IP address                            Deleted
Default route                         Deleted
Hostname                              Deleted
Domain                                Deleted
Name servers                          Deleted
DHCP                                  Disabled
Dual NIC                              Disabled
Failover mode                         Disabled
Autoboot                              Disabled
Autoboot timeout                      5 seconds
Added hosts in the host file          Deleted
New root password on next boot        Forced
Rich bias                             Enabled
Static routes                         Deleted
Factory Defaults
failover Sets the SA8250's failover method. Three failover options are
available:
disabled: no failover method will be used
serial: serial cable failover will be used
route: router failover will be used
Example:
monitor>failover
Specify failover method (disabled, serial,
route): [disabled] --->serial
Checking for failover unit...
Failover unit not detected or may not be
configured.
Is this machine Primary or Backup?
[Primary] --->
Enter the Network side Online IP Address
--->10.6.3.200
Enter the Server side Online Address
--->10.6.5.200
Enter the Network side Online hostname
--->net-onlinehost
Enter the Server side Online hostname
--->serv-onlinehost
Serial failover successfully configured
gateway Specifies the default gateway.
Example:
monitor>gateway
Enter default gateway: --->10.6.3.1
help Lists all Boot Monitor commands, or optionally displays syntax for a
specified command.
Example:
gateway Set default gateway
interface Configure network interface card
host Sets the SA8250's host name.
Example:
monitor>host
Enter the hostname you would like to assign to
the Network NIC: --->CSLab7k
info Displays the current boot configuration.
interface Configures Ethernet port parameters (replaces the nic command).
Compatibility with some older switches, hubs, or routers, may
require that you manually specify the Ethernet speed and duplex
mode of the SA8250's network interface card.
Single NIC configuration example:
monitor>interface
Auto configure the network NIC speed and duplex
(yes,no)? [yes] --->no
1 - 100BaseTx
2 - 10BaseTx
Select Media Type (1 or 2): [1] --->2
Use Full Duplex? [n] --->n
Dual NIC configuration example:
monitor>interface
Auto configure the Network side NIC speed and
duplex (yes,no)? [yes] --->
Auto configure the Server side NIC speed and
duplex (yes,no)? [yes] --->
ip Sets the SA8250's IP address.
Example:
monitor>ip
Enter the IP address for the Network side NIC
[10.6.3.21] --->
Enter the IP address for the Server side NIC
[10.6.5.21] --->
load Loads a previously saved configuration file into memory.
Example:
monitor>load
Select a configuration file to load from the
following files.
File name
--------------
active.cfg
backup.cfg
cris.cfg
active.cfg is the last booted configuration.
Enter the configuration filename to load
(- to cancel): [active.cfg] --->
Configuration loaded: active.cfg
netmask Sets the netmask.
Example:
monitor>netmask
Enter Netmask for Network side NIC
[255.255.255.0] --->
Enter Netmask for Service side NIC
[255.255.255.0] --->
rich_bias Optimizes RICH_HTTP service performance. If your RICH_HTTP
service responses consist mostly of files greater than 8K, the enabled
(default) setting of rich_bias will optimize performance. If your
site is experiencing performance problems and the RICH_HTTP
service responses are less than 8K, you should disable rich_bias.
This command has no effect on SSL terminated connections.
Example:
monitor>rich_bias
Unit is currently RICH_Biased, change it
(yes, no) [no] --->yes
RICH_Biased (enable, disable) [enable]
--->disable
save Saves the current configuration. Changes made during the current
Boot Monitor session are lost unless you use the save command.
Example:
monitor>save
List of currently saved configuration file(s).
You may save over an existing configuration file
or enter a new name.
File name
-------------
active.cfg
bckup.cfg
cris.cfg
active.cfg is the last booted configuration.
Enter configuration file name (- to cancel):
[active.cfg] --->-
Configuration save canceled!
settime Sets the SA8250's system date and time. If you select NTP, you will
be prompted for the IP address of the NTP server(s) you want to use.
If you set the date manually, you will be prompted for the date in
24-hour format.
Example, with NTP:
monitor>settime
Use NTP? [enable] --->
Enter IP address of NTP server or <return> to
end: --->209.218.240.1
Enter IP address of NTP server or <return> to
end: --->209.218.240.238
Enter IP address of NTP server or <return> to
end: --->
Example 1, without NTP (manual setting)
NOTE: Example 1 is for setting the time using Greenwich Mean Time
(GMT). For example, the GMT-14 timezone is GMT minus 14 hours.
monitor>settime
Use NTP? [disable] --->
Select TIMEZONEs to list (GMT, US, Other or q to
quit: [GMT] --->GMT
Select a TIMEZONE from the GMT list.
1) GMT-14 2) GMT-13 3) GMT-12
4) GMT-11 5) GMT-10 6) GMT-9
7) GMT-8 8) GMT-7 9) GMT-6
10)GMT-5 11)GMT-4 12)GMT-3
13)GMT-2 14)GMT-1 15)GMT
16)GMT+1 17)GMT+2 18)GMT+3
19)GMT+4 20)GMT+5 21)GMT+6
22)GMT+7 23)GMT+8 24)GMT+9
25)GMT+10 26)GMT+11 27)GMT+12
Select a number between 1 and 27
(q to quit)--->2
Selected TIMEZONE GMT-13
The current time is now: Fri Sep 29 05:38:38
GMT-13 2000
Enter the year (YYYY): [2000] --->
Enter the month (MM): [09] --->
Enter the day (DD): [29] --->
Enter the hour (HH): [05] --->
Enter the minute (MM): [38] --->
Enter the seconds (SS): [38] --->
Fri Sep 29 05:38:38 GMT-13 2000
Example 2, without NTP (manual setting):
NOTE: Example 2 is for setting the time using United States time (US).
monitor>settime
Use NTP? [disable] --->
Select TIMEZONEs to list (GMT, US, Other or q to
quit: [GMT] --->US
Select a TIMEZONE from the US list.
1) Alaska 2) Aleutian 3) Arizona
4) Central 5) Eastern 6) Hawaii
7) Indiana-East 8) Indiana-Starke 9) Michigan
10)Mountain 11)Pacific 12)Somoa
Select a number between 1 and 12
(q to quit): [11}--->5
Selected TIMEZONE Eastern
The current time is now: Sat Oct 28 23:59:42
2000
Enter the year (YYYY): [2000]--->
Enter the month(MM): [10]--->
Enter the day (DD): [28]--->29
Enter the hour (HH): [23]--->01
Enter the minute (MM): [59]-->57
Enter the seconds (SS): [39]--->
Sun Oct 29 01:57:39 EDT 2000
Example 3, without NTP (manual setting):
NOTE: Example 3 is for setting the time using any timezone OTHER THAN
GMT or US.
monitor>settime
Use NTP? [disable] --->
Select TIMEZONEs to list (GMT, US, Other or q to
quit: [GMT] --->O
Select a TIMEZONE from the Other list.
1) Bangkok 2) Belfast 3) Belgrade
4) Berlin 5) Brussels 6) Copenhagen
7) Hongkong 8) Israel 9) Japan
10)London 11)Madrid 12)Manila
13)Paris 14)Poland 15)Portugal
16)Prague 17)Rome 18)Singapore
19)Stockholm 20)Turkey 21)Warsaw
22)Zulu 23)Zurich
Select a number between 1 and 23 (q to quit):
[10]--->22
Selected TIMEZONE Zulu
The current time is now: Wed Jan 10 10:32:22 UTC
2001
Enter the year (YYYY): [2001]--->
Enter the month(MM): [01]--->
Enter the day (DD): [10]--->
Enter the hour (HH): [10]--->
Enter the minute (MM): [32]-->
Enter the seconds (SS): [22]--->
Wed Jan 10 10:32:22 UTC 2001
setup Starts the SA8250's setup procedure. The system displays prompts
for all inputs necessary to initialize it.
Example:
monitor>setup
Enable dual NIC operation(yes,no)? [no] ---> yes
Autoconfigure the Network side NIC speed and
duplex? (yes,no)? [yes] --->
Autoconfigure the Server side NIC speed and
duplex? (yes,no)? [yes] --->
DHCP is disabled for dual NIC operation.
Enter the hostname you would like to assign to
the Network NIC: --->CSLab7k
Enter the IP address for the Network side NIC
--->10.6.3.21
Enter the IP address for the Server side NIC
--->10.6.5.21
Enter the Netmask for the Network side NIC
--->255.255.255.0
Enter the Netmask for the Server side NIC
--->[255.255.255.0] --->255.255.255.0
Enter default gateway: --->10.6.3.1
Would you like to configure DNS (yes, no)? [no]
--->
DNS not configured.
Specify failover method (disabled, serial,
route): [disabled] --->
Set Autoboot? (yes,no) [no] --->
static_routes Deletes and adds any number of static IP routes. Shows the current
static IP routes (if any) when the function is entered. You are
prompted for the destination and gateway IP addresses. The info
command will show any static IP routes that are known to the Boot
Monitor, and factory_reset will remove all static IP routes as
part of its cleanup.
Example:
monitor>static_routes
Static Route information.
Enter Static route (1) dest IP(- to del, q to
quit): --->10.7.16.5
Enter Static route (1) gate IP(- to del, q to
quit): --->10.8.15.40
Enter Static route (2) dest IP(- to del, q to
quit): --->10.7.18.50
Enter Static route (2) gate IP(- to del, q to
quit): --->10.8.15.40
Enter Static route (3) dest IP(- to del, q to
quit): --->q
{2} Static Route(s).
version Displays the software version information.
Example:
monitor>version
Product: HP SA8250
Version: 2.8
Patch Level: 0.1
Build: 8
Graphical User Interface
Before You Begin
NOTE: Some functions and features, such as expressions, are not
available in the GUI.
The HP e-Commerce/XML Director Server Appliance SA8250 has
features and functions that are controlled through either the browser-
based Graphical User Interface (GUI), as discussed in this chapter, or
the Command Line Interface (CLI), as discussed in chapter 5.
In order to use the inside IP or inside online IP for administration, the
client must be on the same subnet as the inside interface, or must have
an alternate path back through the outside interface.
To type all XML commands and configurations, see the Policy
Manager screen, later in this chapter.
C H A P T E R 4 HP e-Commerce/XML Director Server Appliance SA8250 User Guide
Logon Screen
To access the various GUI services available to you on the SA8250,
you must first log on to the system as described in this section.
Logging on to the GUI
1. Launch your browser.
2. In your browser's Address or Location field, type the SA8250's
address and specify port 1095. For example:
http://system_name:1095/
where system_name is the actual name or IP address of your
SA8250.
NOTE: If Internet Explorer* 5.01 is your browser, you must add a
trailing slash (/) to the URL, as shown in step (2). Also, the default
GUI port (1095) can be changed. For details, see GUI Tab later in this
chapter.
3. Press Enter.
The Logon screen displays.
Logon Screen
NOTE: The factory default for both the user name and password is
admin (lowercase required). To change them, see Users Tab later in
this chapter.
4. In the space provided, type your User name.
5. In the space provided, type your Password.
6. Click Logon.
The Topology screen displays, as shown on the next page. The
number of server icons varies, depending upon your network
configuration.
Topology Screen
Topology Screen
Using the Topology Screen
Purposes of the Topology Screen
Displays a graphical representation of the current topological
relationships between the SA8250 and network servers. The
SA8250's status and Serial Cable failover, if configured, are also
reflected here.
Serves as a gateway to the Administration and Policy Manager
screens, and the Configuration and Tools screens.
Topology Screen Toolbar
Located at the top left of the window, the toolbar's buttons are
described below.
Topology Screen Toolbar
Back returns you to the previous screen. From the Topology
screen, this will log you off the system and return you to the
logon screen.
Configuration displays the Configuration Screen
Administration displays the Administration Screen
Tools displays the Tools Screen
Policy Manager displays the Policy Manager Screen
Statistics displays the Statistics Screen
Log File displays the SA8250's log file.
Online Help
Located at the top right of the window, the Help button is shown
below. Click Help to display the online help file.
Online Help Button
Topology Screen Elements
This figure shows how the SA8250 is represented onscreen by a
horizontal "rack unit" icon.
SA8250 Icon
Right-clicking on the SA8250 icon displays a popup menu that
can take you to other screens.
Double-clicking the SA8250 icon takes you to the Policy
Management screen by default, but this can be changed in the
Administration screen later in this chapter.
This figure shows how servers are represented onscreen by vertical
"tower case" icons.
Server Icon
Right-clicking on a server icon displays a popup menu that can
take you to other screens.
Double-clicking the server icon takes you to the Statistics screen
by default, but this can be changed in the Administration screen
later in this chapter.
Window Controls
To resize the Topology screen elements, click and drag the slider
control located in the upper right hand corner of the screen.
Slider Control
Moving the slider control to the far right, as shown in the figure
above, results in the largest display.
Moving the slider control to the far left results in the smallest
display.
You can also resize the Topology screen elements by right-
clicking on the background of the screen and making your
selection from the popup menu.
Background Zoom and Refresh Control
Zoom In enlarges the display and is the equivalent of moving the
slider control to the right.
Zoom Out reduces the display and is the equivalent of moving the
slider control to the left.
Refresh Display updates the Topology screen.
Policy Manager Screen
When you double-click an SA8250 icon in the Topology screen (or
right-click and select Policy Management), the Policy Manager
screen displays.
Policy Manager Screen
The Policy Manager consists of a series of screens with multiple tabs
that include the controls used in the implementation of Policies. The
discrete items created, altered, and deleted in the course of Policy
management are listed below:
Policy Groups
Services
Servers
Policy Manager Controls and Displays
The Policy Manager screen contains two main regions:
Policies, on the left side of the Policy Manager screen
Details, on the right side of the Policy Manager screen
You can adjust the relative sizes of the Policies and Details displays
by clicking and dragging the vertical line between the panels. The
Policies display includes existing Policy Groups, Services, and
Servers, reflecting the previously mentioned hierarchy. The Details
display includes controls and status displays relating to the item
selected in the Policies display, and changes according to the type
(Policy Group, Service, or Server) of the item selected. If a Service or
Server is selected, then the Details screen contains two tabs, each
containing related controls.
The three types of items form a hierarchy: policy groups contain
Services. Services in turn contain Servers. A lower hierarchy item
cannot be created unless its immediately superior type exists, that is,
a policy group must exist before you can create a Service, and a
Service must exist before you can create a Server.
Policy Manager Toolbar
The Policy Manager toolbar contains three buttons for creating Policy
Groups, Services and Servers, and one button to delete the currently
selected item, regardless of its type. The toolbar's buttons are enabled
or disabled (dimmed) according to the type of item selected in the
Policies display.
Policy Manager Toolbar
Toolbar buttons labeled in the figure: New Policy Group, New Service,
New Server, Delete Selected Item.
Policy Manager's Pop-up Menu
You can display the Policy Manager's pop-up menu by right-clicking
in the Policies display.
Policy Manager's Pop-up Menu
Policy Groups
Services are virtual resources provided to a client. However, Services
can exist only in the context of Policy Groups. Policy Groups are
regarded as containers used to organize Services. Therefore, before
Services can be defined, Policy Groups must be created to contain
them.
The Policy Manager's Policy Group Details screen provides two
functions:
Naming of newly created Policy Groups
Enabling or disabling of the selected Policy Group's throttling
function
Command groups labeled in the Pop-up Menu figure: Display Commands,
Sort Commands, Create/Delete Commands.
Creating Policy Groups
You can create Policy Groups in either of two ways:
1. In the left of the Policy Manager toolbar, click New Policy
Group, or
2. Right-click to display the menu, then select the New Policy
Group command.
A new Policy Group icon displays in the Policies display, and the
Detail screen displays.
Adding a New Policy Group
3. In the Policy Group Name field, type a name for the new Policy
Group. Policy Group names must adhere to the following
conventions:
From 1 to 25 characters in length
Any alphanumeric character
Other eligible characters include hyphens ("-"), periods ("."), and
underscores ("_")
Spaces must not be used.
NOTE: The names of existing Policy Groups cannot be changed.
Within these restrictions, the naming of Policy Groups is at your
discretion, though convenient naming schemes might include
serial names ("Group1," "Group2," etc.), or names that reflect a
Policy Group's content, such as "e-CommerceGrp" or
"HTTP_Group."
4. To accept the specified name, click Apply. The new Policy
Group's new name displays in the Policies display.
When the new Policy Group name displays, New Service
becomes available. This reflects the fact that Services cannot be
created unless at least one Policy Group already exists.
Throttling
When throttling is enabled, requests to eligible servers in lower-
priority services are stopped until response times of higher priority
services are met, or all eligible servers have been throttled. An
eligible server is one that is shared by both higher and lower priority
services. Throttling affects all services within a Policy Group.
To enable or disable throttling for the selected Policy Group, follow
these steps:
1. Select the Enable Server Throttling check box.
2. Click Apply.
Deleting Policy Groups
To delete a Policy Group, follow these steps:
1. In the Policies display, click to select the name of the Policy
Group to be deleted.
2. In the Policy Manager toolbar, click Delete (X), or right-click to
display the menu and click the Delete Selected Item command.
Services
Once a Policy Group exists, you can create Services.
Creating Services
To create a Service, follow these steps:
1. In the Policies display, click to select a Policy Group.
2. In the Policy Manager toolbar, click New Service, or right-click
in the Policies display and select New Service from the pop-up
menu.
The Service Details tab for the service displays in the Details display.
Service Details Tab
NOTE: All fields in steps (3) through (6) become read-only after the
service is created.
3. In the Service Name field, type a name for the service.
4. From the Service Type pull-down menu, click the desired Service
type. The choices are HOT TCP (the default), or RICH_HTTP.
5. From the Virtual IP pull-down menu, click the desired Virtual IP
(VIP) address. If there are no VIPs in the menu, or if the desired
one is absent, type it in.
NOTE: The VIP/port combination must be unique.
6. In the Port field, type a port number. This is the listening port for
incoming connections, and you can select port numbers between
1 and 65535.
7. When you have finished filling in the fields in the Service Details
tab, click Apply.
The Policies display now reflects the name of the new Service
below the name of the Policy Group from which it was created.
Additional Service Tab Controls and Displays
This table lists items that can be changed after the Service has been
created.
Control or Display: Description
Enabled: Select this check box to activate the selected Service. Clear
the check box to disable the Service.
Priority: Services within a single Policy Group can be prioritized. The
SA8250 assures more server resources to Services with high priority
numbers than to those with lower numbers. The Priority setting is an
integer from 1 (highest priority) to 5 (lowest priority), and the
default is 1.
Duplicate SYN Timeout: This value is the time interval (in
microseconds) after which the fulfillment server is declared dead if
the dynamically calculated number of duplicate SYNs (lost packets) to
that server is detected. You can specify a value from 1000 to
2,147,483,647, and the default is 500,000.
Server Timeout (RICH Only): This value is the time interval (in
seconds) during which a server must respond before it is declared
dead. If the server fails to respond before the end of timeout
interval, the outstanding request is passed to another server. This
value is only available for RICH_HTTP services.
Enable Backup Servers: This check box enables or disables servers
designated as type "Backup" to come on line if necessary to assure
target response times. For more details about servers, see Servers
later in this chapter.
Insert Source IP in HTTP Header (RICH only): This check box specifies
whether or not the Source IP address is embedded within the HTTP
header information.
Additional Service Tab Controls and Displays
Sticky Mode: The SA8250 is configured to maintain a session's state so
that serial requests from a single client are allocated to the same
server. This is called a "sticky" port. This setting may be disabled,
based on Source IP, or based on a Cookie:
Source IP: Source IP sticky mode uses the client's source IP address
to identify a series of requests to be directed to a single server.
Note: If using SSL services, the SSL session ID maintains a sticky
relationship when Source IP sticky is selected.
Cookie: In cases where requests come through a proxy server, all
requests appear to originate from that server's IP address, thus IP
address is of no use in identifying individual requestors. Cookie sticky
mode provides an active method of identifying requestors in such
situations. When Cookie sticky mode is enabled, a cookie is given to
requesting browsers. Subsequent requests from clients who have
received cookies contain identifying information allowing the SA8250
to direct them to a single server. Cookie mode is available only for
RICH_HTTP.
Sticky Timeout: The current software version for the SA8250 treats the
timeout differently for cookie versus Source IP sticky. With Source IP
sticky, the timeout is reset with every connection from the client (so
that the timeout is effectively an "idle time"). With cookie sticky, the
timeout starts with the first connection from the client to the server,
and never gets reset. When the cookie expires, even if actively being
used, the next connection will be load balanced to a new server.
Workaround: We recommend that you set the cookie sticky timeout
value to at least 1.5 times the maximum amount of time a user will
expect to be stuck to a server. The default is 90 seconds.
Protocol: This read-only field displays the protocol of the Service (TCP).
Status: This read-only field displays the status of the selected Service
("Active" or "Inactive").
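The two timeout clocks described in the Sticky Timeout entry above can be modeled as follows. This is an added example, not HP code: the class, the server and client names, and the request timings are assumptions, and a simple rotation stands in for the real balance algorithm.

```python
"""Model of the two sticky-timeout clocks described in the Sticky Timeout entry.

Constructed illustration: class, server and client names are assumptions,
not SA8250 internals.
"""
import math
from itertools import cycle


class StickyBalancer:
    def __init__(self, servers, timeout, mode):
        if mode not in ("source_ip", "cookie"):
            raise ValueError("mode must be 'source_ip' or 'cookie'")
        self.mode = mode
        self.timeout = timeout
        # Stand-in for the real balance algorithm: hand out servers in turn.
        self._pick = cycle(servers)
        # client key -> (server, time at which the binding expires)
        self._bindings = {}

    def route(self, client, now):
        """Return the server that handles a connection from client at time now."""
        binding = self._bindings.get(client)
        if binding is not None and now < binding[1]:
            server = binding[0]
            if self.mode == "source_ip":
                # Source IP sticky: each connection restarts the clock,
                # so the timeout behaves as an idle time.
                self._bindings[client] = (server, now + self.timeout)
            # Cookie sticky: the expiry fixed at the first connection stands.
            return server
        # No binding, or it expired: balance again and start a new clock.
        server = next(self._pick)
        self._bindings[client] = (server, now + self.timeout)
        return server


def servers_seen(mode, timeout, request_times, servers=("srv-a", "srv-b")):
    """Route one client's connections (times in seconds) and list the servers used."""
    balancer = StickyBalancer(servers, timeout, mode)
    return [balancer.route("client-1", t) for t in request_times]


def recommended_cookie_timeout(max_stuck_seconds):
    """Smallest whole-second value meeting the manual's 1.5x workaround."""
    return math.ceil(1.5 * max_stuck_seconds)


# Constructed session: one connection every 30 s over 150 s.
SESSION = [0, 30, 60, 90, 120, 150]

if __name__ == "__main__":
    for mode in ("source_ip", "cookie"):
        print(mode, servers_seen(mode, 90, SESSION))
    fixed = recommended_cookie_timeout(150)
    print("cookie with timeout", fixed, servers_seen("cookie", fixed, SESSION))
```

With the default 90-second timeout, the Source IP client stays on one server for the whole session, while the cookie client is rebalanced at the 90-second mark even though it never went idle.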
Balance Strategy
HOT Services are assigned server resources according to either of
two Balance Algorithms.
1. Click the Balance Strategy tab of the Service Details screen to
display the Balance Algorithm controls.
Service Balance Strategy Tab
Two Balance Algorithms are available:
Response Time: Requests for a Service using the Response
Time algorithm are forwarded to the server that can fulfill them
within the shortest time.
Round Robin: Requests for a Service using the Round Robin
algorithm are distributed evenly among the available servers.
2. From the pull-down menu, click to select the desired Balance
Algorithm for the Service selected in the Policies display. If you
select Response Time, type a value (in milliseconds) in the Max
response time (ms) field.
XML Service Tab
This screen controls how the SA8250 reacts to incorrect syntax or
punctuation errors it detects in the incoming client data.
1. Click the XML tab of the Service Details screen.
XML Services Tab
2. To enable the client error messages (HTTP 403, POST data was
not well formed), check the Return Well Formed Errors to
User checkbox. This is the default setting.
3. To disable this feature, uncheck the Return Well Formed
Errors to User checkbox. When disabled, no HTTP error
messages are sent, but the SA8250 directs the data to servers that
match the RICH expression, effectively ignoring the XML
expression.
4. Click Apply.
Deleting Services
To delete a Service:
1. In the Tree, click to select the name of the Service to delete.
2. In the Policy Manager toolbar, click Delete, or right-click to
display the menu and click the Delete Selected Item command.
Servers
After you create Services, you must designate, or "create" Servers to
fulfill client requests for Services. As Services must exist within
Policy Groups, a Server (for example, a fulfillment host) must be
mapped to a Service.
To create Servers, follow these steps:
1. In the Policies tree, click an existing Service.
2. In the Policy Manager toolbar, click Create Server, or right-click
in the Policies display and click New Server from the pop-up
menu.
The Server Details tab displays in the Details screen:
The Policy Manager's Server Detail Screen
3. In the Server Name field, type an IP address or server name
known to the SA8250 via DNS or static host table. This value
cannot be changed after the server is created.
4. If appropriate, edit the Port field. The default value is the port
number of the Service under which this Server displays in the
Tree. This value cannot be changed after the server is created.
5. From the drop down menu, click to select the desired Type:
Primary: Primary servers are immediately available to
accept client requests forwarded from the SA8250.
Backup: Backup servers are sent requests under only two
circumstances: First, when the primary servers are unable to
meet the configured target response times a backup server
may be used if and only if "backups" is enabled for this
service. Second, backup servers are given requests when a
primary server is unavailable. As primary servers become
inactive, backup servers are brought into service to handle
requests.
Disabled: Renders the server unavailable to accept client
requests.
NOTE: OPR cannot be used in conjunction with Services of type
RICH_HTTP.
6. From the drop down menu, click to select the desired Mode. This
command enables or disables Source Address Preservation
(SAP) on the named server. When Out-of-Path Return (OPR) is
enabled, the user-designated server port is ignored and the
configured service server port is used. By default, SAP is enabled
(and cannot be disabled) when OPR is in effect.
For more details about SAP and OPR, see Chapter 2.
7. Check the appropriate RICH control checkboxes:
Multi-hop Source Address Preservation: It is possible in
sophisticated network topologies to require that requests pass
through two cascaded SA8250s. In such configurations, the
SA8250 topologically closest to the clients must be configured
with the MSAP feature enabled. In most configurations, the
default setting (MSAP disabled) must be used.
606 Error Detection: "606" is a user-defined error code, that is,
you can specify an application level error as a "606 error" so it is
detectable by the SA8250. When 606 Error Detection is enabled,
requests that generate a 606 error are rerouted, transparently to
the client, to the next available server. When disabled, the error is
sent back to the requesting client.
HTTP Error Detection: When HTTP Error Detection is
enabled, requests that generate HTTP errors 401-405 and 500-
503 are rerouted, transparently to the client, to the next available
server. When disabled, these errors are sent back to the
requesting client.
XML Server Tab
This screen defines the RICH and XML expressions that the SA8250
will look for in the incoming client data.
For more details on XML expressions, see Chapter 2.
Programming RICH and XML expressions
To program the RICH and XML expressions, follow these steps:
1. From the Server Details screen, click the XML tab.
This figure shows the XML Server Tab display.
XML Server Tab
Figure callouts: 1. Type the Layer 7 (RICH) expression here. 2. Type
the optional document number here. 3. Type the XML expression here.
4. Click the checkbox to add the RICH and XML expressions to the list.
5. Click Apply to add your expressions to the configuration. Other
labeled areas: RICH and XML expression list; RICH and XML expression
list controls (Edit, Copy, Paste, Delete).
NOTE: If the RICH Expression field is blank, XML expressions will be
ignored. If desired, you can type an asterisk (*) as a wildcard in the
RICH Expression field to accept all RICH expressions. Also, you cannot
use the vertical bar ( | ) or the caret (^) in XML expressions.
2. In the RICH Expression field, type a valid RICH expression.
3. (Optional) In the Doc # field, type a valid document number if
using multipart or URL-encoded messages. The entry must be
an integer, and the valid range is from 1 to 99. If a document is
not specified, the SA8250 starts with the first XML document in
the message.
4. In the XML Expression field, type a valid XML expression.
5. To the right of the XML Expression field, click the checkbox.
Your RICH and XML expressions are added to the list.
6. Repeat steps (2) through (5) above as needed.
7. When you have finished adding expressions to the list, add the
expressions to the SA8250's configuration by clicking Apply.
For more XML expression examples, see Chapter 6.
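Several Policy Manager fields become read-only once created, so it helps to check a planned configuration against this chapter's limits before typing it in: the Policy Group naming conventions, the Service Details ranges and VIP/port uniqueness, and the expression rules above. The following is an added example, not part of the original manual or HP software; the dictionary layout, key names, and function names are assumptions, and the expression strings are placeholders rather than real SA8250 expression syntax.

```python
"""Offline pre-check of a planned Policy Manager configuration.

Constructed illustration: the dictionary layout, key names and function
names are assumptions; only the limits come from this chapter.
"""
import re

# 1 to 25 characters: alphanumerics, hyphen, period, underscore; no spaces.
# Assumption: "alphanumeric" is read as ASCII letters and digits.
GROUP_NAME = re.compile(r"[A-Za-z0-9._-]{1,25}")


def _in_range(value, low, high):
    return isinstance(value, int) and not isinstance(value, bool) and low <= value <= high


def check_expression(expr):
    """Check one RICH/XML expression entry: keys 'rich', 'doc' (optional), 'xml'."""
    problems = []
    rich, xml, doc = expr.get("rich", ""), expr.get("xml", ""), expr.get("doc")
    if xml and not rich.strip():
        problems.append("RICH expression is blank, so the XML expression is ignored")
    if doc is not None and not _in_range(doc, 1, 99):
        problems.append(f"Doc # {doc!r} is not an integer from 1 to 99")
    forbidden = sorted(set(xml) & {"|", "^"})
    if forbidden:
        problems.append("XML expression contains " + " ".join(forbidden))
    return problems


def check_config(groups):
    """Return a list of findings for a list of policy-group dictionaries."""
    findings = []
    listeners = {}  # (vip, port) -> first service that claimed it
    for group in groups:
        gname = group["name"]
        if not GROUP_NAME.fullmatch(gname):
            findings.append(f"group {gname!r}: name breaks the 1-25 character rule set")
        for svc in group.get("services", []):
            where = f"{gname}/{svc['name']}"
            is_rich = svc["type"] == "RICH_HTTP"
            if not _in_range(svc["port"], 1, 65535):
                findings.append(f"{where}: port must be between 1 and 65535")
            key = (svc["vip"], svc["port"])
            if key in listeners:
                findings.append(f"{where}: VIP/port already used by {listeners[key]}")
            else:
                listeners[key] = where
            if not _in_range(svc.get("priority", 1), 1, 5):
                findings.append(f"{where}: priority must be 1 (highest) to 5 (lowest)")
            if not _in_range(svc.get("dup_syn_timeout", 500000), 1000, 2147483647):
                findings.append(f"{where}: duplicate SYN timeout out of range")
            if svc.get("sticky") == "cookie" and not is_rich:
                findings.append(f"{where}: cookie sticky mode needs RICH_HTTP")
            for srv in svc.get("servers", []):
                swhere = f"{where}/{srv['name']}"
                if srv.get("opr") and is_rich:
                    findings.append(f"{swhere}: OPR cannot be used with RICH_HTTP")
                for expr in srv.get("expressions", []):
                    findings += [f"{swhere}: {p}" for p in check_expression(expr)]
    return findings


# Constructed plan with deliberate mistakes. The expression strings are
# placeholders, not real SA8250 expression syntax.
SAMPLE = [
    {"name": "e-CommerceGrp", "services": [
        {"name": "orders", "type": "RICH_HTTP", "vip": "10.6.3.100", "port": 80,
         "sticky": "cookie", "servers": [
             {"name": "10.6.5.31", "opr": True, "expressions": [
                 {"rich": "*", "doc": 1, "xml": "placeholder-expr"},
                 {"rich": "", "doc": 100, "xml": "placeholder|expr"}]}]},
        {"name": "mail", "type": "HOT TCP", "vip": "10.6.3.100", "port": 80,
         "priority": 6, "sticky": "cookie"}]},
    {"name": "HTTP Group", "services": []},
]

if __name__ == "__main__":
    for finding in check_config(SAMPLE):
        print(finding)
```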
XML Default Special Case
We recommend programming the SA8250 with one of your servers
set to the default special case.
Typing the XML Default Special Case
The advantage of this is that if no XML expressions match, the client
is directed to the server you chose as the default server.
If no default servers exist, and no RICH or XML expressions match,
the client will receive a Server not found error from the SA8250.
XML Syntax Checking
The SA8250 includes a syntax checker to ensure that XML
expressions you type are understood by the system. If your syntax is
incorrect, as in the case of a missing double quote (") or an incorrect
document number, an error message is displayed.
GUI XML Syntax Error Window
The error message will tell you the location of the first error. In the
figure above, a closing double quote was missing in the second
character position of an XML expression.
Deleting Servers
To delete a Server:
1. In the Tree, click the name of the Server to delete.
2. In the Policy Manager toolbar, click Delete, or right-click to
display the menu and click Delete Selected Item.
Administration Screen
The Administration Screen is a set of ten tabs containing the
functions used to manage the SA8250. Each tab includes controls
and displays related to a specific category of administration tasks.
Administration Screen Settings Tab
Settings Tab
The Settings tab includes controls used to set the following:
System ID: Edit this field to set the unit identifier. The SA8250s
are shipped with the unit serial number in this field. You can use
this control to change the identifier if your site requires alternate
asset tracking information. The new ID can be an alphanumeric
value from 1 to 64 characters. To change this value, type the
desired identifier, and then click Apply.
Server Verification Interval: Edit this field to change the
interval in seconds at which servers are "pinged" to verify they
are available and able to handle traffic requests. For more
details, see Chapter 5. The valid range for this field is 0 to 99999.
A value of 0 disables IRV.
In addition to the above controls, the Settings tab also contains
the following read-only displays:
System Name: Displays the name given the SA8250 in its initial
configuration.
MAC Address: Displays the SA8250's Media Access Control
address.
Status: The Status field displays information about the
SA8250's function and failover status. For more details about
status messages, see Chapter 2.
Software Tab
The Software tab contains controls and displays allowing you to
perform the following tasks:
Specify image category as either System software or Agent
Software. Agent software lists software components other than
the SA8250 system image that may be installed on the unit, such
as the HP Multi-Site Traffic Director Server Appliance SA9200
agent.
View the list of currently installed system software images (the
SA8250 can have up to five system images installed).
View the list of currently installed agent software images (the
SA8250 can have up to four agents installed in addition to those
accompanying each system software image).
Specify which of the installed software images is to be active.
Install or update software images.
Delete software images.
Enable or disable Passive FTP.
FTP or TFTP new Multi-Site Agents to the SA8250.
Administration Screen Software Tab (System Software View)
System Software
The SA8250 provides sufficient local storage for five software
images (though at any time, only one image is active and executing).
The "System Software" area of the Software tab displays the list of
currently installed system images, including the following details for
each:
Image index number
"Active" status (yes/no)
Product name
Product version number
Patch number
Build number
Agent Software
The SA8250 can interface with other HP Server Appliances by using
Agent Software images. The SA8250 provides sufficient local
storage for at least five Agent software images (though at any time,
only one image is enabled). To display the "Agent Software" area of
the Software tab, click Agent Software, which displays the list of
currently installed Multi-Site Director Agent images:
Software Tab in Agent Software View
Details displayed for each Agent include:
Image index number
"Active" status (yes/no)
Product version number
Patch number
Build number
Compatible Multi-Site Traffic Director version number
Specifying the Active System Software Image
To change the active system image:
1. Click System Software.
2. In the System Software box, click the image you want to activate.
3. Click Boot.
The SA8250 warns you that it will reboot.
Boot Warning Window
NOTE: You can also perform a soft reboot of the SA8250 by selecting the currently active software image and clicking Boot.
4. Click Yes.
As the SA8250 reboots, it prompts you to close your browser
window.
Reboot Screen
5. You must close all browser windows to ensure your browser uses
the newly activated Administration Application.
6. Wait three to five minutes for the SA8250 to finish rebooting,
and then run the administration application.
7. Go to the Software tab of the Administration screen and verify
that the "Active" column of the selected image displays yes.
Installing Software Images
You can download and install new system and agent software images
for the SA8250 using the controls in the Update Software box at the
bottom of the Software tab.
Downloading a System Software Update
NOTE: A key is not required to obtain Agent Software.
1. To download the new image, contact HP Customer Support or
your System Administrator to obtain the URL, Key, User, and
Password information.
For more details about software installation and updates, see
Chapter 8.
Deleting Software Images
To delete a software image from the list of installed images:
1. In the Software View box, click the software type to be deleted.
2. In the Installed Software box, click the image to be deleted.
3. Click Delete. The SA8250 prompts you to confirm that you want
to delete the selected image.
Delete Image Confirmation (System View)
4. Click Yes.
If you selected Agent Software, you are prompted to confirm the
deletion.
Delete Image Confirmation (Agent View)
5. Click Yes.
Users Tab
The Users tab contains controls and displays allowing you to perform
the following tasks:
Add users
Modify user permissions and passwords
Delete users
View the user names and permissions of all authorized users
View the user names and permissions of all users currently
logged on
Promote your permissions level
Log off all other users currently logged on
Administration Screen Users Tab
List of All Users
The Add/Delete Users box contains a list of all users allowed to log
on to the SA8250.
Adding Users
To add a user:
1. In the User Name field, type the new user's User Name.
2. In the Password field, type the new user's password.
3. In the Confirm Password field, re-enter the password.
4. In the User Permissions box, select the appropriate permission
level: Read-only, Read-write, Read-write-all. Users with Read-
write-all permissions can add, modify, and delete other user
logon entries.
5. Click Add.
6. Verify that the new user's name and permission level display in
the "All User" list.
Editing User Profiles
To modify an existing user's permissions and passwords:
1. In the All Users List at the upper right sector of the tab, click the
user you want to modify.
2. If you are changing the password, type the new password in the
Password field, and then retype it in the Confirm Password field.
3. Click Change.
4. If you are changing the user's permissions, click the appropriate
button in the User Permissions box.
5. Click Change.
Deleting Users
To delete a user:
1. In the User List, click the user you want to delete.
2. Below the list, click Delete.
3. Verify that the deleted user's name no longer displays in the list.
Current Users Information
The left-hand side of the "Current Logon" box at the bottom of the
Users tab displays the name and permissions of the user currently
logged on to this session. The log on time and date also display in this
area of the tab.
Demotion and Promotion of Your Permissions
NOTE: Use Promote with care. If you promote your permissions, be aware that conflicts may arise among multiple users who have Read-Write-All permission. For example, administrative changes you make may be overwritten by another user.
If a user with Read-Write or Read-Write-All permission logs on
while another user with Read-Write or Read-Write-All permission is
logged on, the SA8250 "demotes" the later user's permissions to
Read-only. The system informs the demoted user of their status.
Demoted Notification
The demoted Read-Write-All user can restore his or her original
permission level by clicking Promote in the Users tab. This button is
located in the Current Logon box at the tab's lower left.
List of Logged-On Users
The right-hand side of the "Current Logon" box at the bottom of the
Users tab displays a list of all currently logged on users, their log on
times, their permissions, and their log on method (either the
Command Line Interface or the GUI).
Logoff All Other Users
NOTE: Use Logoff All Users with care, as it can leave the system in an ambiguous state. For example, if a user is in the process of performing a Restore operation, and another user logs them off before the Restore completes, the system is left in an unknown state.
Users with Read-Write-All permission can click Logoff All Users at
the Users tab's lower right to end the sessions of all other users
currently logged on. This logs off all other administrative users from
the SA8250. Users logged on using the GUI who are logged off in this
manner will see this message in their browser window.
Logoff by Another User
Routing Tab
The Administration screen's Routing tab manages the following:
System Role
Active Routing Protocol
OSPF Protocol
RIP Protocol
The Administration Screen's Routing Tab
System Role
The choice of System Role (or simply "role") depends in part on your
network's topology and on the number of SA8250s installed. A single
SA8250's role must be "Standalone." If two SA8250s are employed,
and you intend to use serial cable failover, you must designate both
SA8250s as "standalone." If two SA8250s are employed, and you
intend to use Router Failover, one must be designated as the
"Primary" and the other as the "Backup." In such cases, the primary
SA8250 accepts all client requests and routes them according to its
configuration while the backup SA8250 monitors the primary and
comes online if the primary fails.
The system roles are defined in the System Roles table.
To select the SA8250's System Role:
1. In the System Role box, click the appropriate button.
Active Routing Protocol
The SA8250 needs to know what your network's active routing
protocol is (either OSPF or RIP).
1. In the Active Routing Protocol box, click the appropriate radio
button.
RIP Protocol
If your network's active routing protocol is RIP, click the appropriate
button in the RIP Protocol box to specify the applicable RIP version.
Failover Method                     System Role for SA8250 #1   System Role for SA8250 #2
----------------------------------  --------------------------  --------------------------
N/A (Single-SA8250 Installation)    Standalone                  N/A
Router Failover                     Primary                     Backup
Serial Cable Failover               Standalone                  Standalone
Disabled                            Standalone                  Standalone
System Roles
OSPF Protocol
NOTE: Unless the config route protocol command is set to ospf, OSPF protocol is not active. For more information, see Chapter 5.
The Router tab's OSPF Protocol box specifies the following values:
OSPF Area: This value must be set to the same OSPF area as the
ingress router to which the SA8250 is talking. This can be the
keywords "backbone" or Default, an integer, or dotted decimal
format (xxx.xxx.xxx.xxx). The integer range is from 0 to
2,147,483,647, and the default is Default.
Hello Interval: The number of seconds between hello packets
sent on this interface. This value must match the hello interval of
the ingress router. The valid range is from 1 to 65,535, and the
default is 10.
NOTE: The Router Dead value must be at least four times the Hello interval.
Router Dead Interval: The number of seconds the SA8250's
OSPF neighbors should wait before assuming this OSPF SA8250
is down. This value must match the router dead interval of the
ingress router. The valid range is from 1 to 2,147,483,647, and
the default is 40.
Authentication type and key are security mechanisms to
guarantee that routing information is exchanged only with trusted
routers. The type and key together comprise the "authentication
scheme." An OSPF Area can have only one OSPF
Authentication scheme.
NOTE: Both sides of the OSPF connection must use the same authentication type and key, and key ID if applicable.
Authentication Type: Specifies the type of OSPF authentication.
To disable OSPF authentication, click None. To enable Simple
password authentication, click Simple and then proceed to the
Authentication Key field. To enable MD5 authentication, click
MD5, then enter an authentication key and key id.
Authentication Key: A user-specified string (excluding double
quotes and spaces) used as an authentication password. The
authentication key is from 1 to 8 characters for Simple
authentication, and 1 to 16 characters for MD5 authentication.
Confirm Authentication Key: Re-enter the Authentication Key to
verify it to the SA8250.
Key ID: MD5 key id, an integer from 1 to 255. MD5
authentication provides a stronger level of security for OSPF
users.
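The rules in the OSPF Protocol box can be checked before the values are typed in. The following is an added example, not part of the HP manual or the appliance software; the dictionary layout, function names and sample values are assumptions made for illustration.

```python
import ipaddress

# Limits below are the ones stated in the OSPF Protocol box description.
AREA_KEYWORDS = {"backbone", "default"}
KEY_MAX = {"simple": 8, "md5": 16}
MATCH_FIELDS = ["area", "hello", "dead", "auth", "key"]


def check_area(area):
    """True if area is a keyword, an integer 0..2147483647, or dotted decimal."""
    text = str(area).strip()
    if text.lower() in AREA_KEYWORDS:
        return True
    if text.isdigit():
        return 0 <= int(text) <= 2_147_483_647
    try:
        ipaddress.IPv4Address(text)
        return True
    except ValueError:
        return False


def validate_ospf(cfg):
    """Return a list of problems in one settings dict (hypothetical layout)."""
    problems = []
    if not check_area(cfg.get("area", "Default")):
        problems.append("area: not a keyword, integer 0..2147483647, or dotted decimal")
    hello, dead = cfg.get("hello", 10), cfg.get("dead", 40)
    if not 1 <= hello <= 65_535:
        problems.append("hello: outside 1..65535")
    if not 1 <= dead <= 2_147_483_647:
        problems.append("dead: outside 1..2147483647")
    if dead < 4 * hello:
        problems.append("dead: less than four times the hello interval")
    auth = str(cfg.get("auth", "none")).lower()
    key = cfg.get("key", "")
    if auth not in ("none", "simple", "md5"):
        problems.append("auth: must be None, Simple or MD5")
    elif auth != "none":
        if not 1 <= len(key) <= KEY_MAX[auth]:
            problems.append(f"key: must be 1..{KEY_MAX[auth]} characters for {auth}")
        if '"' in key or " " in key:
            problems.append("key: double quotes and spaces are not allowed")
        if auth == "md5" and not 1 <= cfg.get("key_id", 0) <= 255:
            problems.append("key_id: must be 1..255 for MD5")
    return problems


def compare_with_router(local, router):
    """Return the settings that must match the ingress router but differ.

    Values are compared literally; equivalent spellings of an area are not
    normalised here.
    """
    fields = list(MATCH_FIELDS)
    if str(local.get("auth", "none")).lower() == "md5":
        fields.append("key_id")
    return [f for f in fields if local.get(f) != router.get(f)]


if __name__ == "__main__":
    # Constructed sample values, not taken from a real device.
    local = {"area": "Default", "hello": 10, "dead": 30,
             "auth": "simple", "key": "a long secret"}
    router = dict(local, dead=40)
    print(validate_ospf(local))
    print(compare_with_router(local, router))
```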
Security Tab
The security screen implements IP Packet Forwarding (IPFW)
security policies. Three modes are available:
Closed mode disables all remote administration capabilities.
Open mode enables all remote administration capabilities,
SA9200 agent traffic, and IP Forwarding.
Custom mode specifies filtering of traffic based on traffic port
and source IP address.
The Administration Screen's Security Tab
Source IP Filtering
The Security Tab's Source IP dialog box filters administration access
by source IP address. This dialog box contains a pair of buttons and
a combo box. To allow any IP address to perform administrative tasks,
click Allow Any. To filter by source IP, click Allow List and type the
IP addresses and/or subnets allowed administrative access into the IP
Addresses/Subnets list. Subnets are specified in "slash" notation
(such as 209.218.0.0/16). Click the check icon to add the contents of
the text field into the list. You can delete an item from the list by
clicking the item to delete and clicking the "X" icon.
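A review-side check for an Allow List like the one described above, given as an added example (not part of the HP manual or the appliance software). The entries, the management station addresses and the /24 breadth threshold are constructed assumptions; how the SA8250 itself treats a malformed entry is not stated here.

```python
import ipaddress


def parse_allow_list(entries):
    """Parse Allow List entries (single addresses or slash-notation subnets).

    Returns (networks, rejected); rejected holds (entry, reason) pairs.
    """
    networks, rejected = [], []
    for entry in entries:
        try:
            # strict=True rejects entries with host bits set past the mask,
            # e.g. 10.1.2.3/24, which usually means a single host was intended.
            networks.append(ipaddress.ip_network(entry.strip(), strict=True))
        except ValueError as exc:
            rejected.append((entry, str(exc)))
    return networks, rejected


def is_allowed(source_ip, networks):
    """True if source_ip falls inside at least one parsed entry."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in net for net in networks)


def review(entries, admin_stations, min_prefix=24):
    """Report rejected entries, broad subnets and admin stations left out.

    min_prefix is an assumed review threshold, not an appliance setting.
    """
    networks, rejected = parse_allow_list(entries)
    return {
        "rejected": [entry for entry, _ in rejected],
        "broad": [(str(n), n.num_addresses) for n in networks
                  if n.prefixlen < min_prefix],
        "locked_out": [ip for ip in admin_stations
                       if not is_allowed(ip, networks)],
    }


if __name__ == "__main__":
    # Constructed sample list and management stations.
    entries = ["209.218.0.0/16", "209.218.240.5", "10.1.2.3/24"]
    stations = ["209.218.240.5", "192.0.2.10"]
    print(review(entries, stations))
```

The "broad" result shows how many addresses each wide subnet admits to the administration interfaces, and "locked_out" lists stations that would lose access once Allow List is selected.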
Access Options
When the Custom security mode is enabled, you can choose among
the access options in the Access security box. To enable an option,
select the corresponding check box and verify that a check mark
displays. To disable, click again to clear the check mark. Available
options are listed below:
CLI (SSH): Enable "Secure Shell," that is, secure access to the
unit's Command Line Interface. Secure Shell operates like an
ordinary telnet session, but adds encryption.
CLI (telnet): Enable standard unencrypted telnet access to the
unit's Command Line Interface.
GUI: Enable administration using the unit's Graphical User
Interface.
SNMP: Enable administration of the unit using SNMP (Simple
Network Management Protocol).
Multi-Site Traffic Director Server Appliance SA9200 Agent:
Permit or deny traffic to the SA9200 port.
IP Forwarding: Permit or deny traffic to specific servers. IP
forwarding allows administrative access to servers at their real IP
addresses via the SA8250. For more details, see Chapter 2.
GUI Tab
The GUI tab configures the following aspects of the SA8250's
Graphical User Interface (GUI):
Server port on which the GUI is accessible from the browser
Response Timeout Value
Choice of result from double-clicking the SA8250 icon in the
Topology Screen
Choice of result from double-clicking the Server icon in the
Topology Screen
The Administration Screen's GUI Tab
NOTE: After changing this setting, your browser disconnects. You must restart your browser and connect it to the new port to resume using the administration application.
Admin HTTP Server Port: Edit this field to designate the port on
which the SA8250's GUI application listens. To change this
value, type the desired port number and click Apply. Valid ports
are any unused ports between 1 and 65535. The default is port
1095.
The Broker Response timeout (sec): This field specifies, in
seconds, the time the GUI will wait for a response from the
SA8250 before timing out. This value must be an integer
between 0 and 120. A value of 0 disables timeout. The default
value is 30.
The Double-click Broker topology icon displays: The drop-down
menu specifies the destination within the GUI after double-clicking
an SA8250 icon in the topology screen.
The Double-click Server topology icon displays: The drop-down
menu specifies the destination within the GUI after double-clicking
a Server icon in the topology screen.
CLI Tab
The CLI tab configures the following aspects of the SA8250's
Command Line Interface:
SSH Port
Telnet Port
Telnet Sessions
Timeout
Prompt
Login Attempts
Enable "more" for screen paging
Lines per screen
The Administration Screen's CLI Tab
The CLI (SSH) Port field specifies the secure telnet port on
which the CLI runs. Valid ports are port 22 (the default) or any
unused port between 1024 and 65535.
The CLI (telnet) Port field specifies the standard (unencrypted)
telnet port on which the CLI runs. Valid ports are port 23 (the
default) or any port between 1024 and 65535.
The Telnet Sessions field specifies the maximum number of
concurrent inbound remote CLI logon sessions allowed. This
value must be an integer between 1 and 8. The default is 3.
Use the Timeout field to set or change the idle timeout period
before automatic logoff for CLI sessions. This feature is disabled
by setting the timeout value to "0." This timeout period is
expressed in seconds (0, or 30 to 65535). The default is 900
seconds (15 minutes).
Use the Prompt field to set or change the root level prompt. The
default prompt is an abbreviation of the product's name, for
example: "HP SA8250."
The Login Attempts field specifies the maximum allowable
number of failed login attempts before closing the connection.
The valid range is from 1 to 30.
Use 'more' for screen paging. When this box is not checked, the
CLI outputs a continuous scrolling display. When the box is
checked, the CLI scrolls one page at a time.
When more is selected, the Lines per screen field becomes
available. Use this field to specify the number of lines more
displays at a time.
1. Click Apply.
SNMP Tab
The SNMP tab includes controls for the SA8250's Simple Network
Management Protocol (SNMP) agent.
Administration Screen's SNMP Tab
SNMP Agent
The SNMP agent allows network management applications to
monitor and retrieve the SA8250's status and statistics via SNMP.
NOTE: Ensure that the SA8250's IP Filtering security mechanism allows IP access to SNMP, otherwise SNMP requests will not pass through the filter.
The SNMP Agent Start check box enables or disables the SA8250's
SNMP agent. The default is Enabled.
Use the SNMP Port: field to specify the port on which the
SA8250 receives SNMP requests. Allowable port numbers are
161 (the default) or any unused port from 5020 through 65535.
Use the Trap Port: field to specify the port on which the SA8250
sends SNMP traps. Allowable port numbers are 162 (the default)
or any unused port from 5020 through 65535.
System Location: corresponds to the MIB variable sysLocation
in MIB-II. System Location (sysLocation) is the physical
location of this SA8250. By default, sysLocation is NULL.
System Contact: corresponds to the MIB variable sysContact in
MIB-II. System Contact (sysContact) is the name of the
administrator of this SA8250. By default, sysContact is NULL.
System Name: corresponds to the MIB variable sysName in
MIB-II. System Name (sysName) is the name of this SA8250.
By default, sysName is the hostname of the SA8250.
The Community Strings box contains community strings accepted by
the SA8250 on incoming SNMP requests. Up to ten community
strings can be configured for use by the SA8250. Each community
string can have read-only (ro) or read-write (rw) privilege, and can be
configured for use by a specific IP address or all IP addresses. When
the value "any" is used for <ip address>, the community string can be
used by all IP addresses.
For example, the string:
community=test ip=209.218.240.5 rights=ro
creates the community string test with read-only privilege. SNMP
read-only requests using community string test are accepted only
from IP address 209.218.240.5.
By default, the following community strings are defined:
public ro "any"
private rw "any"
The Trap Receivers box contains the IP addresses to which the
SA8250 will send traps. The SA8250 SNMP can send trap
notifications to up to ten configured trap receivers. Each IP address
configured as a trap receiver is associated with a community string,
which is included in traps sent to that IP address.
For example, the string:
ip=209.218.240.5 community=NOC1
causes traps to be sent to IP address 209.218.240.5, and causes the
SA8250 SNMP agent to put the community string NOC1 in the trap
sent to that address.
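An audit of the Community Strings box in the key=value form shown above, given as an added example (not part of the HP manual or the appliance software). The default entries are rewritten here into that form, and the function names, the acceptance model and the sample lines are assumptions for illustration.

```python
import ipaddress

MAX_COMMUNITIES = 10                     # limit stated in the text above
DEFAULT_NAMES = {"public", "private"}    # the shipped defaults listed above


def parse_community(line):
    """Parse 'community=<name> ip=<address|any> rights=<ro|rw>' into a dict."""
    fields = dict(part.split("=", 1) for part in line.split())
    missing = {"community", "ip", "rights"} - fields.keys()
    if missing:
        raise ValueError(f"missing field(s): {sorted(missing)}")
    if fields["rights"] not in ("ro", "rw"):
        raise ValueError(f"rights must be ro or rw, got {fields['rights']!r}")
    if fields["ip"] != "any":
        ipaddress.ip_address(fields["ip"])   # raises ValueError if malformed
    return fields


def accepts(entries, community, source_ip, write=False):
    """Model of the rule described above: would this request be accepted?

    Assumption: a read-write string also permits read requests.
    """
    src = ipaddress.ip_address(source_ip)
    for e in entries:
        if e["community"] != community:
            continue
        if e["ip"] != "any" and ipaddress.ip_address(e["ip"]) != src:
            continue
        if write and e["rights"] != "rw":
            continue
        return True
    return False


def audit(lines):
    """Return findings for a list of community string lines."""
    entries = [parse_community(line) for line in lines]
    findings = []
    if len(entries) > MAX_COMMUNITIES:
        findings.append(f"{len(entries)} strings configured; the limit is {MAX_COMMUNITIES}")
    for e in entries:
        name = e["community"]
        if name in DEFAULT_NAMES:
            findings.append(f"{name}: factory-default community string still defined")
        if e["ip"] == "any":
            access = "read-write" if e["rights"] == "rw" else "readable"
            findings.append(f"{name}: {access} from any IP address")
    return findings


# Constructed sample: the two defaults plus the manual's "test" entry.
SAMPLE = [
    "community=public ip=any rights=ro",
    "community=private ip=any rights=rw",
    "community=test ip=209.218.240.5 rights=ro",
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```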
Multi-Site Tab
This tab contains controls for setting the port that communicates with
the HP Multi-Site Traffic Director Server Appliance SA9200.
Administration Screen Multi-Site Tab
To specify the Multi-Site Agent's port:
1. In the Agent Port field, type that port number. Valid range is
from 1 to 65535, and 1999 is the default. We recommend using
ports 1024 and higher.
2. Click Apply.
Logging Tab
The Logging tab specifies (or filters) the kinds of information written
to the SA8250's log file. This file records operational events for
troubleshooting. You can enable or disable the logging
of specific types of information, and specify the log file size.
Administration Screen's Logging Tab
Specifying System Log Parameters
1. In the System Log Levels box, select the check boxes for those
types of system information you want the log file to reflect. To
record all available information types, click Select All.
2. In the System Log File box, type the size of the log file. Valid
range is from 1,024 to 600,000 bytes, and 600,000 is the default.
3. Click Apply.
Viewing the Log File
1. To view the log file, click View Log.
The System Log File displays.
The Logging Tab's File Contents Window
The File Contents window's Actions menu contains two items:
Filter
Mail To...
The Log File Filter dialog box filters the view of the log displayed in
the File Contents window.
Log File Filter Window
1. Select or clear the appropriate check boxes to specify the types or
categories of messages you want to display.
2. Click Apply, or Cancel to abort.
Use the Mail Log File dialog box to email the contents of the log file.
Log Mail To Window
1. In the Enter Email Address field, type the email address to which
you want to send the log file.
2. In the Enter Mail Host field, type the name or IP address of your
network's outgoing mail (SMTP) server.
3. Click OK, or Cancel to abort.
Configuration Screen
The Configuration screen saves, restores, sends, and receives
SA8250 configuration information in individual ASCII files. You can
save configuration files on the SA8250 and send them to a remote
TFTP server or retrieve them. The Configuration screen also has a
provision for restoring the factory default configuration.
Configuration Screen
Saving Configuration Files
To save the SA8250's current configuration to a file:
1. In the Configuration Name field, type a filename.
Valid characters include letters, digits, (-), (_), and (.). File
names cannot begin with the (.) character.
2. Click Save.
3. Verify that the new file's name displays in the Saved
Configurations list.
Restoring Configuration Files
To restore a configuration file:
1. In the Saved Configurations list, click the name of the file you
wish to restore.
2. Click Restore.
The system prompts you to confirm the operation.
NOTE: Username commands are not valid in configuration files. The save config and restore config operations do not include username data. Use the Administration Screen's Users Tab to specify users.
Restore Confirmation Window
3. To finish the restore operation, click Yes, or No to abort.
Deleting Configuration Files
To delete a configuration file:
1. In the Saved Configurations list, click the name of the file you
want to delete.
2. Click Delete.
The system prompts you to confirm the operation.
Delete Confirmation Window
3. To delete the file, click Yes, or No to abort.