CA SSO: CA Directory Startup Behavior with multiwrite enabled

Document ID : KB000113060
Last Modified Date : 05/09/2018
Issue:
We use CA Directory as the policy store, and it has multiwrite enabled so that updates are replicated to the other 5 multiwrite nodes.

When CA Directory starts, it tries to reach the other multiwrite nodes.

For example, it reaches out to node A; if it cannot contact node A within 15 seconds, it tries node B, and so on.

During this period the Policy Server cannot connect to its policy store, and the DSA's warn.log shows:

"WARN : Bind: Only accepting binds from peer DSAs" 

Only after it has attempted to connect to every multiwrite node does the DSA accept binds from the Policy Server.

This raises a concern whenever the server is restarted. If CA Directory has not finished starting and begun accepting connections from the SiteMinder Policy Server in time, the Policy Server fails to start, and smps.log shows:

"Opening policy store connection to LDAP server  SmObjLdap failed to bind to LDAP server as uid=xx. LDAP error 52-DSA is unavailable. Failed to initialize policy store Policy store failed operation 'ProviderInit' for object type 'Policy store provider'. Failed to connect to the LDAP Policy Store." 
Resolution:
Remove the no-service-while-recovering flag from the settings of the DSA that serves as the SiteMinder policy store.

See the "Asynchronous Replication" section of:

https://docops.ca.com/ca-single-sign-on/12-52-sp2/en/installing/install-a-policy-server/configure-ldap-directory-server-policy-session-and-key-stores/configure-ca-directory-as-a-session-store

The no-service-while-recovering setting is only needed for the session store.
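The following is an added example, not part of this knowledge document or of any CA product code. It shows two checks an administrator might script around the behaviour described above: a settings-file check that flags a policy-store DSA still carrying the no-service-while-recovering flag, and a startup gate that waits for the DSA to accept binds, retrying only on LDAP result code 52 (DSA is unavailable, the "only accepting binds from peer DSAs" window) and stopping immediately on any other failure such as bad credentials. The settings-file syntax "set no-service-while-recovering = true;" and the file path are assumptions about a typical dxserver deployment; the sample settings text, warn.log lines and the simulated bind probe are constructed for the example.

```python
import re
import time

# LDAP result codes (RFC 4511). 52 is the code quoted in the smps.log message above.
LDAP_SUCCESS = 0
LDAP_INVALID_CREDENTIALS = 49
LDAP_UNAVAILABLE = 52

# Assumed dxserver settings syntax: "set no-service-while-recovering = true;"
_FLAG_RE = re.compile(
    r"^\s*set\s+no-service-while-recovering\s*=\s*true\s*;",
    re.IGNORECASE | re.MULTILINE,
)

# Constructed settings fragments (file path such as config/settings/<dsa>.dxc is an assumption).
SESSION_STORE_SETTINGS = """\
# session store DSA: keep the flag so stale sessions are not served during recovery
set no-service-while-recovering = true;
"""
POLICY_STORE_SETTINGS = """\
# policy store DSA: flag removed so the Policy Server can bind while peers are contacted
# set no-service-while-recovering = true;
"""

# Constructed warn.log lines in the shape quoted in the Issue section.
SAMPLE_WARN_LOG = [
    "20180509.101501 WARN : Bind: Only accepting binds from peer DSAs",
    "20180509.101516 WARN : Bind: Only accepting binds from peer DSAs",
    "20180509.101532 INFO : DSA accepting binds",
]
PEER_ONLY_MSG = "Only accepting binds from peer DSAs"


def policy_store_dsa_blocks_binds_while_recovering(settings_text: str) -> bool:
    """True if the DSA settings still set no-service-while-recovering = true.
    Lines starting with '#' are treated as comments and ignored."""
    active = "\n".join(
        line for line in settings_text.splitlines()
        if not line.lstrip().startswith("#")
    )
    return _FLAG_RE.search(active) is not None


def wait_for_policy_store_bind(probe, max_attempts=12, delay_seconds=5.0, sleep=time.sleep):
    """Poll probe() until the policy-store DSA accepts a bind.

    probe() returns an LDAP result code. Code 52 (unavailable) is the transient
    state while the DSA is still contacting its multiwrite peers, so it is retried.
    Any other non-success code (for example 49, invalid credentials) is not a startup
    race and is returned at once rather than retried.
    Returns (ok, attempts_made, last_code).
    """
    last = None
    for attempt in range(1, max_attempts + 1):
        last = probe()
        if last == LDAP_SUCCESS:
            return True, attempt, last
        if last != LDAP_UNAVAILABLE:
            return False, attempt, last
        if attempt < max_attempts:
            sleep(delay_seconds)
    return False, max_attempts, last


def peer_only_warnings(warn_log_lines) -> int:
    """Count warn.log lines showing the DSA is still refusing non-peer binds."""
    return sum(1 for line in warn_log_lines if PEER_ONLY_MSG in line)


if __name__ == "__main__":
    # Simulated probe: two 'unavailable' answers while peers are contacted, then success.
    # In a real deployment the probe would perform an LDAP bind as the policy store
    # user and return the server's result code (assumption about the deployment).
    answers = iter([LDAP_UNAVAILABLE, LDAP_UNAVAILABLE, LDAP_SUCCESS])
    print("policy store still blocks binds:",
          policy_store_dsa_blocks_binds_while_recovering(POLICY_STORE_SETTINGS))
    print("session store keeps the flag:",
          policy_store_dsa_blocks_binds_while_recovering(SESSION_STORE_SETTINGS))
    print("bind gate:", wait_for_policy_store_bind(lambda: next(answers), sleep=lambda s: None))
    print("peer-only warnings seen:", peer_only_warnings(SAMPLE_WARN_LOG))
```

Run the settings check against the policy-store DSA's settings file before restarting, and put the bind gate in front of the Policy Server start step so a slow peer sweep delays startup instead of failing it; a non-52 result ends the wait immediately so a credential problem is surfaced rather than retried.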