Database connection handling

It is possible to make more than one database available to OneSpan Authentication Server by creating additional databases and corresponding ODBC data sources. The additional database(s) can be used for redundancy and/or load sharing.

If this is done, it is critical that the second and any subsequent databases are synchronized with the first database. To achieve this, use the methods available to your database type, according to the database vendor's instructions. Typical methods include mirroring, shadow databases, and instantaneous replication.

After configuring a second data source, OneSpan Authentication Server will open connections to the second data source if all connections to the main data source fail and cannot be reopened. Similarly, a third data source can be used when the first and second ones are both unavailable.

You can configure the maximum number of ODBC connections to the data source that OneSpan Authentication Server can have open at one time. This prevents too many connections being opened to the database in case of peak load. However, each request uses a connection for its duration, so the number of connections effectively limits the number of requests that can be concurrently executed. It may improve performance to increase this setting, when there are a lot of concurrent requests – provided that the database is able to handle the increased load.

The effect of this setting depends on the characteristics of your ODBC driver and database. Some ODBC drivers may not open a separate connection to the database for each connection that is made to it. They may rather set up a pool of connections to the database or they may even just maintain a single connection.

When the maximum number of database connections are already open and a new request arrives, OneSpan Authentication Server will wait for a database connection to become available (unless the Enable Load Sharing option is set). The Connection Wait Time value specifies this waiting period.

If the database does not respond within the Connection Wait Time period, OneSpan Authentication Server reports a timeout on that database. OneSpan Authentication Server will then attempt to connect to the next available database (if any). If OneSpan Authentication Server reports a timeout on all available databases, then OneSpan Authentication Server will report a timeout on the authentication request.

However, if the database rejects the connection before the Connection Wait Time period expires, OneSpan Authentication Server will wait for the Connection Wait Time period to pass before retrying a connection to the same database.

If Enable Load Sharing is set, OneSpan Authentication Server will immediately attempt to connect to the next available database if its connection attempt was refused or if Connection Wait Time expires.

A load sharing mechanism can be implemented if you make a second database available to OneSpan Authentication Server. You can add any number of databases to the list of data sources and share the load across all of them.

If you have more than one database available and the Enable Load Sharing option is set, OneSpan Authentication Server will open connections to the second database when it would exceed the maximum number of connections allowed to the first database. Similarly, it will open connections to the third database when it has reached the maximum for the second one, and so on. In general, connections to the first database will be used whenever available, in preference to connections to any other database.

After the first data source has become unavailable, OneSpan Authentication Server will attempt at intervals to reconnect, even if it has successfully failed over to a second data source. It will always use the first data source in preference to the others.

The Min. Reconnect Interval and Max. Reconnect Interval settings control the minimum and maximum intervals between the retries, respectively. The interval will start at the minimum and increase in steps until the maximum is reached. After that, the interval will stay at the maximum.

The Network Timeout specifies the general timeout for database operations, that is the time to wait for any database request to complete before OneSpan Authentication Server continues or tries to fail over to another database. The value is specified in milliseconds.

For some databases, such as Microsoft SQL Server, the value can be changed to 5000 or 10000 milliseconds to enable a timeout to occur within the 20-second authentication window.

You need to set this value in the OneSpan Authentication Server configuration file, i.e. identikeyconfig.xml.

XPath: //VASCO/Storage/ODBC/Network-Timeout/@data

Possible values: 0, 1000–600000

The default value is 0, which means there is no timeout.