ConnectionURL and FailoverServers on ra.xml

Document ID : KB000051614
Last Modified Date : 14/02/2018

Description:

We understand the rules for configuring the Siteminder connection from IM in the \IdentityMinder.ear\policyserver.rar\META-INF\ra.xml file, and understand how it is to be configured for SM clusters, etc. We want to know how the values for "ConnectionURL" and "FailoverServers" are used.

Specifically:

  1. Why there needs to be two separate properties

  2. Why ConnectionURL can only use one SMPS server

  3. Why FailoverServers must have all SMPS servers in the same SMPS cookie domain

  4. Is the order of the SMPS servers important for the FailoverServers property?

Solution:

  1. The two properties serve different roles. ConnectionURL specifies the primary policy server that IDM must contact to establish a connection with SM, and by design it accepts only 1 IP address. FailoverServers is the list of servers to fail over to. When Failover is set to true, the entire FailoverServers list is tried in failover fashion, and the ConnectionURL server is treated as the primary one. When Failover is set to false, the entire FailoverServers list is used in load-balanced fashion. The two properties therefore distinguish the primary server, which is always contacted first, from the servers used for failover or load balancing.

  2. IDM must know at all times which policy server is the primary one to contact; it always tries this one first.

  3. The SM servers have to be in the same cookie domain so that IDM can easily maintain its session with SM during transactions.

  4. Yes, in the sense that you list the policy servers in the order in which you would like them to be contacted. If IDM needs to fail over, it tries the servers in that order. If the order does not matter in your scenario, you can list them in any order.
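
A configuration review can check these points before deployment. The script below is an added example, not code from the product or from this article: it reads the properties from an ra.xml descriptor, confirms that ConnectionURL names a single server, and reports the FailoverServers order and the mode implied by the Failover flag. The sample descriptor is constructed, and the value syntax (entries separated by ";", fields by ",") and the exact property name "Failover" are assumptions to adjust to your file.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptor, not taken from a real deployment. The value
# syntax ("host,port;host,port") and the property name "Failover" are
# assumptions of this example; adjust them to match your ra.xml.
SAMPLE_RA_XML = """<connector><resourceadapter>
  <config-property>
    <config-property-name>ConnectionURL</config-property-name>
    <config-property-value>ps1.example.test</config-property-value>
  </config-property>
  <config-property>
    <config-property-name>FailoverServers</config-property-name>
    <config-property-value>ps1.example.test,44441;ps2.example.test,44441;ps2.example.test,44441</config-property-value>
  </config-property>
  <config-property>
    <config-property-name>Failover</config-property-name>
    <config-property-value>true</config-property-value>
  </config-property>
</resourceadapter></connector>"""

def local(tag):
    """Drop an XML namespace prefix such as '{http://...}name'."""
    return tag.rsplit("}", 1)[-1]

def read_properties(xml_text):
    """Return {name: value} for every <config-property> in the descriptor."""
    props = {}
    for el in ET.fromstring(xml_text).iter():
        if local(el.tag) == "config-property":
            fields = {local(c.tag): (c.text or "").strip() for c in el}
            props[fields.get("config-property-name", "")] = fields.get("config-property-value", "")
    return props

def review(xml_text, entry_sep=";", field_sep=","):
    """Summarise the connection settings and list findings worth a second look."""
    props = read_properties(xml_text)
    primary = [e.strip() for e in props.get("ConnectionURL", "").split(entry_sep) if e.strip()]
    order = [e.split(field_sep)[0].strip()
             for e in props.get("FailoverServers", "").split(entry_sep) if e.strip()]
    flag = props.get("Failover", "").lower()
    mode = {"true": "failover", "false": "load-balanced"}.get(flag, "unknown")
    findings = []
    if len(primary) != 1:
        findings.append("ConnectionURL must name exactly one policy server")
    if mode == "unknown":
        findings.append("Failover is not set to true or false")
    dupes = sorted({s for s in order if order.count(s) > 1})
    if dupes:
        findings.append("FailoverServers lists a server twice: " + ", ".join(dupes))
    return {"primary": primary, "order": order, "mode": mode, "findings": findings}
```

Calling `review()` on the text of your own ra.xml returns the primary server, the order in which the FailoverServers entries are listed, and any findings.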