cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Showing results for 
Search instead for 
Did you mean: 

We are happy to announce the new Windchill Customization board! Learn more.

Dedicating users to a Particular MS or Cluster Node

ssingh-2
3-Visitor

Dedicating users to a Particular MS or Cluster Node

Dear All,

We need to assign one particular user ( which is used for importing data from other system) into a dedicated MS or to a dedicated Cluster node.

is their any way to configure this?

Also would like to know is their a way to block one particular user from using one dedicated cluster Node?

Thanks & Regards,

Shekhr Singh

1 ACCEPTED SOLUTION

Accepted Solutions

Unless you are offloading the authentication portion to load balancer leveraging the SSO capabilities, I don't think there is a way to achieve this using username. The best option available would be using client/source IP address.There are several ways of doing it using the source IP( this is under the assumption that you are importing the data to Windchill system through HTTP access/not API)

  • At a very basic if your user uses a specific client machine  to connect to Windchill servers, you can modify the hosts file in that machine to direct the traffic to a dedicated member, provided the client machine should have direct access to slaves. Map the cluster alias to the desired cluster member's IP in your hosts file
  • If you are using F5 load balancer, you can create an iRule is such a way that  when a 'CLIENT_ACCEPTED' event occurs, the load balancer will validate the source IP address/address range and direct to a specific member in the cluster.

If  you want to block a particular user from access a node in the cluster, you can achieve this by using Apache directives - allow from, deny from orders. You can also ldap auth filters to filter out this specific user.

Hope it helps and Have a great New Year!

Thank you

Binesh Kumar

View solution in original post

4 REPLIES 4

Unless you are offloading the authentication portion to load balancer leveraging the SSO capabilities, I don't think there is a way to achieve this using username. The best option available would be using client/source IP address.There are several ways of doing it using the source IP( this is under the assumption that you are importing the data to Windchill system through HTTP access/not API)

  • At a very basic if your user uses a specific client machine  to connect to Windchill servers, you can modify the hosts file in that machine to direct the traffic to a dedicated member, provided the client machine should have direct access to slaves. Map the cluster alias to the desired cluster member's IP in your hosts file
  • If you are using F5 load balancer, you can create an iRule is such a way that  when a 'CLIENT_ACCEPTED' event occurs, the load balancer will validate the source IP address/address range and direct to a specific member in the cluster.

If  you want to block a particular user from access a node in the cluster, you can achieve this by using Apache directives - allow from, deny from orders. You can also ldap auth filters to filter out this specific user.

Hope it helps and Have a great New Year!

Thank you

Binesh Kumar

habat
4-Participant
(To:BineshKumar1)

Shekhr - I am completely aligned with the approach presented by Binesh.

If you are on a Windchill cluster I would not advise any programmatic portion under the form of any frontend processing using Java or any other language, purely on an Authentication perspective within the Windchill cluster.

Instead I would recommend to configure the Load Balancer (F5) with a specific way to balance users through their specific IPs across the various front nodes in the cluster. You can also use Advanced Apache configuration so that to apply a filtering on username. However, I do not think it is really required if you take an overall look of the network topology (of course this depends on how your infrastructure is established with Physical or Virtual components, or even over the cloud).

When discussing with "classic" virtualization topics in mind when it comes to Windchill Clustering, we are more enclined to consider specific VLAN with specific LUNs associated to dedicated ESX Farms. Using this categorization over the network, we can completely load balance according to the network characteristics and best possible performances.

Presented hereafter is a typical infrastructure based on F5-BIG-IP (for Load Balancing) and F5 ARX (for Intelligent Virtual Storage Management)

WNC_Cluster_Load_Balancing_F5_VLANs_ESX_Farms_ARX_NFS.jpg

Ideally ESX Servers are allocated to specific VLANs and from within each VLAN, we can also distinguish specific network segments where regular loads can be higher than with others and with a specific configuration on the F5, we can micro-load balance over those segments within the same VLANs.

Please keep in mind that I have provideda limited example of configuration which may allow to understand how to consider F5 Hardware components within a Virtualized Network where Windchill Clusters are hosted on ESX Servers and connected to Virtual NFS through ARX or even using NetApp.

HTH!&VBR/H

Hi Binesh/ Herve,

Thanks for quick response as always and have a great New Year ahead to you.

Currently we are in Cluster Testing Phase and so we are using Apache as Load Balancer.

However it looks like it will work fine with above suggested method ( Host File and Apache Deny config). I will test this and update this post.

Regards,

Shekhr

On the foreground method server (FGMS), a user is always bound to the same server once they login. Possible to confirm this via Info*Engine examples and cookie session metadata in the browser.  Ideally, it does not hurt to customize the JESSIONID for Tomcat to match the related FGMS.

Top Tags