@Shammi, yes, as Nuwan mentioned, it's not mandatory, but it will be an added
advantage to the deployment.
And according to your use case you may have 5 users and then they will have
10 tokens max. If they invoke 5 APIs (which have 5 resources per API) from a
single application, then the total number of calls will be 10 x 5 x 5 = 250.
Then from that point onward everything will be cached at the API gateway, and
there is no load on the key manager. So if a few users access the same node with
high concurrency, gateway to key manager will not be a big issue. If the load
balancer properly distributes load across gateways, that would be enough.

@Prabath,
Some time back I did try to use mutual auth for key validation and it was
successful. I have listed the steps I followed here [1].
This needs a small change to the key validation client implementation.

[1]
http://sanjeewamalalgoda.blogspot.com/2014/11/how-to-enable-mutual-ssl-connection.html

Thanks,
sanjeewa.

On Wed, Sep 7, 2016 at 10:04 AM, Prabath Siriwardana <[email protected]>
wrote:

> [resending]
>
>
> On Tue, Sep 6, 2016 at 9:26 PM, Prabath Siriwardana <[email protected]>
> wrote:
>
>> We would need to get rid of username/password based validation for system
>> to system admin service calls. As you said, it's costly and also we need to
>> share the credentials.
>>
>> Can we use mutual auth for that instead...?
>>
>> Thanks & regards,
>> -Prabath
>>
>> On Tue, Sep 6, 2016 at 9:22 PM, Nuwan Dias <[email protected]> wrote:
>>
>>> Having sticky sessions between Gateway and Key Manager is not mandatory.
>>> Having sticky sessions will only provide you a gain in performance and will
>>> not have any functional impact otherwise without it.
>>>
>>> *Why?*
>>>
>>> How this works is the Gateway logs into a Key Manager and obtains a
>>> cookie. This cookie is used in all subsequent calls from the Gateway to Key
>>> Manager. The basic auth (admin) credentials are also passed in each
>>> request. The Key Manager will first try to validate the cookie and if that
>>> fails it will fall back and authenticate the user based on the basic auth
>>> credentials and issue a new cookie. Having sticky sessions will ensure that
>>> the cookie validation will only fail when the session times out. If sticky
>>> sessions aren't set up there will be cases where the cookie validation will fail
>>> and hence the Key Manager will have to perform the additional step of
>>> authenticating the credentials in the basic auth header.
>>>
>>> Thanks,
>>> NuwanD.
>>>
>>> On Wed, Sep 7, 2016 at 2:34 AM, Shammi Jayasinghe <[email protected]>
>>> wrote:
>>>
>>>> Hi,
>>>>
>>>> WSO2 always asks to enable sticky sessions in a distributed setup which
>>>> has multiple key manager nodes. According to my understanding, we need to
>>>> have this since there are multiple calls going back and forth between the
>>>> Gateway and the Key Manager node when it comes to doing key generation and
>>>> other token related stuff.
>>>>
>>>> Having sticky sessions always enabled introduces
>>>> another problem when balancing the load, as in the following example.
>>>>
>>>> E.g.: We have 5 GW servers in a cluster. There are 1000 users using this
>>>> system. We declare 1 GW server can handle 1000 TPS as max. So we say the
>>>> total max capacity of the system is 5000 TPS.
>>>>
>>>> At a particular time, there are 5 users generating traffic like 800 TPS
>>>> and the other 995 users generate only 1 TPS. So, in total, it is under the
>>>> max capacity,
>>>>
>>>> 800 x 5 + 995 = 4995
>>>>
>>>> But, with sticky sessions, if these 5 top users made the initial
>>>> session with a single GW node, the load on that server will be 4000 TPS,
>>>> which exhausts the resources.
>>>>
>>>> So, Having Sticky sessions is introducing a problem with
>>>> load balancing.
>>>>
>>>> Is there any possibility to avoid this sticky session requirement by
>>>> introducing a way to do token related operations in a single call from GW
>>>> to KM ?
>>>>
>>>>
>>>> Thanks
>>>> shammi
>>>>
>>>> --
>>>> Best Regards,
>>>>
>>>> *  Shammi Jayasinghe*
>>>>
>>>>
>>>> *Technical Lead*
>>>> *WSO2, Inc.*
>>>> *+1-812-391-7730*
>>>> *+1-812-327-3505*
>>>>
>>>> *http://shammijayasinghe.blogspot.com*
>>>>
>>>>
>>>
>>>
>>> --
>>> Nuwan Dias
>>>
>>> Software Architect - WSO2, Inc. http://wso2.com
>>> email : [email protected]
>>> Phone : +94 777 775 729
>>>
>>
>>
>>
>> --
>> Thanks & Regards,
>> Prabath
>>
>> Twitter : @prabath
>> LinkedIn : http://www.linkedin.com/in/prabathsiriwardena
>>
>> Mobile : +1 650 625 7950
>>
>> http://facilelogin.com
>>
>
>
>
> --
> Thanks & Regards,
> Prabath
>
> Twitter : @prabath
> LinkedIn : http://www.linkedin.com/in/prabathsiriwardena
>
> Mobile : +1 650 625 7950
>
> http://facilelogin.com
>
> _______________________________________________
> Architecture mailing list
> [email protected]
> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>
>


-- 

*Sanjeewa Malalgoda*
WSO2 Inc.
Mobile : +94713068779

blog: http://sanjeewamalalgoda.blogspot.com/
_______________________________________________
Architecture mailing list
[email protected]
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
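
The cookie-then-basic-auth fallback described in the thread, as an added example that is not part of the original messages and is not WSO2 code. It assumes each Key Manager node keeps its own session store, that the gateway holds only the most recent cookie, and that the load balancer is plain round robin; `KeyManagerNode` and `run` are hypothetical names, the credentials are constructed, and session timeout is not modelled.

```python
import hmac
import itertools
import secrets


class KeyManagerNode:
    """One Key Manager node with a node-local session store (assumption)."""

    def __init__(self, admin_user, admin_password):
        self._creds = (admin_user, admin_password)
        self._sessions = set()
        self.credential_checks = 0  # times the costly fallback path ran

    def validate(self, cookie, user, password):
        """Return the cookie to send on the next call, or None if rejected."""
        # Step 1: cheap path, the cookie is known to this node.
        if cookie in self._sessions:
            return cookie
        # Step 2: fallback, authenticate the basic auth credentials.
        self.credential_checks += 1
        ok_user = hmac.compare_digest(user, self._creds[0])
        ok_pass = hmac.compare_digest(password, self._creds[1])
        if not (ok_user and ok_pass):
            return None
        # Step 3: issue a fresh cookie bound to this node only.
        new_cookie = secrets.token_hex(16)
        self._sessions.add(new_cookie)
        return new_cookie


def run(calls, nodes, sticky):
    """Count credential authentications for one gateway making `calls` calls."""
    user, password = "admin", "constructed-password"  # constructed sample values
    kms = [KeyManagerNode(user, password) for _ in range(nodes)]
    round_robin = itertools.cycle(kms)
    cookie = None
    for _ in range(calls):
        node = kms[0] if sticky else next(round_robin)
        cookie = node.validate(cookie, user, password)
        if cookie is None:
            raise RuntimeError("gateway credentials rejected")
    return sum(n.credential_checks for n in kms)


if __name__ == "__main__":
    print("sticky     :", run(250, 3, sticky=True), "credential checks")
    print("round robin:", run(250, 3, sticky=False), "credential checks")
```

Both runs succeed functionally; the difference is only how often the shared admin credentials have to be verified, which is the cost that mutual auth is proposed to remove.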
