EIAM replication

Document ID : KB000055352
Last Modified Date : 14/02/2018

One Way Failover

Failover is the ability to keep data flowing and the system operable even when a server or its data store becomes unavailable.

You can configure eTrust IAM Toolkit to support two types of failover scenarios:

  • Data store failover

  • Server failover

Note: In this scenario, we assume the host names are Server1 and Server2. Updates made on Server1 are propagated to Server2; updates made on Server2 are not propagated back to Server1.

Data Store Failover

The eTrust IAM Toolkit Server uses eTrust Directory as its data store. The directory provides built-in support for failover and recovery.

How You Configure eTrust Directory Server

To configure eTrust Directory to support multi-write, with Server1 as the preferred master:

  1. Install eTrust IAM Toolkit Server on the server hosts (Server1 and Server2) and ensure their system time is synchronized. This is accomplished as part of the UWCC component install.

  2. Configure Knowledge Files

  3. Enable Failover

Configure the Knowledge Files
The knowledge files provide reference to servers for data store failover configuration. You must configure the following knowledge files:

  • Data knowledge file (iTechPoz-Server1.dxc, iTechPoz-Server2.dxc) to add the host name

  • Router knowledge file (iTechPoz-Server1-Router.dxc, iTechPoz-Server2-Router.dxc) to add the host information in the router

  • Group knowledge file (iTechPoz.dxg) to provide group knowledge that all DSAs (Directory System Agents) in the domain can access

To configure knowledge files

  1. Open the knowledge directory

    Windows: use the Run command in start menu and enter %DXHOME%\config\knowledge

    Linux and UNIX: ~dsa/config/knowledge

  2. Edit the Server1 router knowledge file (iTechPoz-Server1-Router.dxc) as follows:

    Modify the following entry:
    dsa-name  = <cn iTechPozRouter><cn PozDsa>
    To read:
    dsa-name  = <cn iTechPozRouter><cn PozDsaServer1>
  3. Edit the Server2 router knowledge file (iTechPoz-Server2-Router.dxc) as follows:

    Modify the following entry:
    dsa-name  = <cn iTechPozRouter><cn PozDsa>
    To read:
    dsa-name  = <cn iTechPozRouter><cn PozDsaServer2>
  4. Edit the Server1 knowledge file (iTechPoz-Server1.dxc) and set the following preferences:

    Modify the following entries:

    tcp localhost port 509
    dsa-name = <cn iTechPoz><cn PozDsa>

    To read:

    tcp "Server1" port 509, tcp localhost port 509
    dsa-name = <cn iTechPoz><cn PozDsaServer1>

    Add the following entry after the auth-levels line and before the link-flags line.

    dsa-flags = multi-write

  5. Edit the Server2 knowledge file (iTechPoz-Server2.dxc) and set the following preferences:

    Modify the following entries:

    tcp localhost port 509
    dsa-name = <cn iTechPoz><cn PozDsa>

    To read:

    tcp "Server2" port 509, tcp localhost port 509
    dsa-name = <cn iTechPoz><cn PozDsaServer2>

    Add the following entry after the auth-levels line and before the link-flags line.

    dsa-flags = multi-write, shadow

    Note: If the knowledge files do not exist on Server2, you must create them by copying from the config/Knowledge folder of Server1.

  6. Edit the group knowledge file (iTechPoz.dxg) and set the preferences to the new data and router knowledge files on Server1 and Server2.

    Example:
    #
    # iTechPoz - iTechnology rePOZitory
    #
    # Source the knowledge files of the iTechPozRouter and iTechPoz DSAs.
    source "iTechPoz-Server1-Router.dxc";
    source "iTechPoz-Server2-Router.dxc";
    source "iTechPoz-Server1.dxc";
    source "iTechPoz-Server2.dxc";

Enable One Way Failover
You must enable failover to successfully configure the data store failover.
To enable failover

  1. Copy the following knowledge files from Server1 to the knowledge directory of Server2:
    iTechPoz-Server1-Router.dxc
    iTechPoz-Server2-Router.dxc
    iTechPoz-Server1.dxc
    iTechPoz-Server2.dxc
    iTechPoz.dxg
  2. Edit the Server1 knowledge file (iTechPoz-Server1.dxc) on Server2 and modify the following preferences:

    Modify the following entry:
    dsa-flags = multi-write
    To read:
    dsa-flags = multi-write, read-only
    Note: This makes sure that changes made on Server2 do not get propagated to Server1.

    After modification the iTechPoz files would look like the following:

    ON SERVER1
    iTechPoz-SERVER1.dxc
    #
    # iTechPoz - iTechnology rePOZitory
    #
    set dsa "iTechPoz-SERVER1" =
    {
    prefix = <cn iTechPoz>
    dsa-name = <cn iTechPoz><cn PozDsaSERVER1>
    dsa-password = "4season5"
    address = tcp "SERVER1" port 509, tcp localhost port 509
    snmp-port = 509
    console-port = 10510
    ssld-port = 21847
    auth-levels = anonymous
    dsa-flags = multi-write
    link-flags = ssl-encryption
    };
    iTechPoz-SERVER2.dxc
    #
    # iTechPoz - iTechnology rePOZitory
    #
    set dsa "iTechPoz-SERVER2" =
    {
    prefix = <cn iTechPoz>
    dsa-name = <cn iTechPoz><cn PozDsaSERVER2>
    dsa-password = "4season5"
    address = tcp "SERVER2" port 509, tcp localhost port 509
    snmp-port = 509
    console-port = 10510
    ssld-port = 21847
    auth-levels = anonymous
    dsa-flags = multi-write, shadow
    link-flags = ssl-encryption
    };

    ON SERVER1
    iTechPoz-SERVER1-Router.dxc
    #
    # iTechPozRouter - iTechnology rePOZitory
    #
    set dsa "iTechPoz-SERVER1-Router" =
    {
    prefix = <cn iTechPozRouter>
    dsa-name = <cn iTechPozRouter><cn PozDsaSERVER1>
    dsa-password = "4season5"
    address = tcp localhost port 1684
    snmp-port = 1684
    console-port = 11684
    ssld-port = 21847
    auth-levels = anonymous
    link-flags = ssl-encryption
    };
    iTechPoz-SERVER2-Router.dxc
    #
    # iTechPozRouter - iTechnology rePOZitory
    #
    set dsa "iTechPoz-SERVER2-Router" =
    {
    prefix = <cn iTechPozRouter>
    dsa-name = <cn iTechPozRouter><cn PozDsaSERVER2>
    dsa-password = "4season5"
    address = tcp localhost port 1684
    snmp-port = 1684
    console-port = 11684
    ssld-port = 21847
    auth-levels = anonymous
    link-flags = ssl-encryption
    };
    iTechPoz.dxg
    #
    # iTechPoz - iTechnology rePOZitory
    #

    #
    # Source the knowledge file of the iTechPozRouter and iTechPoz DSAs.
    #
    source "iTechPoz-SERVER1.dxc";
    source "iTechPoz-SERVER1-Router.dxc";
    source "iTechPoz-SERVER2.dxc";
    source "iTechPoz-SERVER2-Router.dxc";

    ON SERVER2
    iTechPoz-SERVER1.dxc
    #
    # iTechPoz - iTechnology rePOZitory
    #
    set dsa "iTechPoz-SERVER1" =
    {
    prefix = <cn iTechPoz>
    dsa-name = <cn iTechPoz><cn PozDsaSERVER1>
    dsa-password = "4season5"
    address = tcp "SERVER1" port 509, tcp localhost port 509
    snmp-port = 509
    console-port = 10510
    ssld-port = 21847
    auth-levels = anonymous
    dsa-flags = multi-write, read-only
    link-flags = ssl-encryption
    };
    iTechPoz-SERVER2.dxc
    #
    # iTechPoz - iTechnology rePOZitory
    #
    set dsa "iTechPoz-SERVER2" =
    {
    prefix = <cn iTechPoz>
    dsa-name = <cn iTechPoz><cn PozDsaSERVER2>
    dsa-password = "4season5"
    address = tcp "SERVER2" port 509, tcp localhost port 509
    snmp-port = 509
    console-port = 10510
    ssld-port = 21847
    auth-levels = anonymous
    dsa-flags = multi-write, shadow
    link-flags = ssl-encryption
    };

    ON SERVER2
    iTechPoz-SERVER1-Router.dxc
    #
    # iTechPozRouter - iTechnology rePOZitory
    #
    set dsa "iTechPoz-SERVER1-Router" =
    {
    prefix = <cn iTechPozRouter>
    dsa-name = <cn iTechPozRouter><cn PozDsaSERVER1>
    dsa-password = "4season5"
    address = tcp localhost port 1684
    snmp-port = 1684
    console-port = 11684
    ssld-port = 21847
    auth-levels = anonymous
    link-flags = ssl-encryption
    };
    iTechPoz-SERVER2-Router.dxc
    #
    # iTechPozRouter - iTechnology rePOZitory
    #
    set dsa "iTechPoz-SERVER2-Router" =
    {
    prefix = <cn iTechPozRouter>
    dsa-name = <cn iTechPozRouter><cn PozDsaSERVER2>
    dsa-password = "4season5"
    address = tcp localhost port 1684
    snmp-port = 1684
    console-port = 11684
    ssld-port = 21847
    auth-levels = anonymous
    link-flags = ssl-encryption
    };
    iTechPoz.dxg
    #
    # iTechPoz - iTechnology rePOZitory
    #

    #
    # Source the knowledge file of the iTechPozRouter and iTechPoz DSAs.
    #
    source "iTechPoz-SERVER2.dxc";
    source "iTechPoz-SERVER2-Router.dxc";
    source "iTechPoz-SERVER1.dxc";
    source "iTechPoz-SERVER1-Router.dxc";
  3. Copy the certificate files of Server1 to Server2 and from Server2 to Server1 as follows:

    Note: Certificate files are found in the %DXHOME%\config\ssld\personalities directory

    Copy the files itechpoz-server1.pem and itechpoz-server1-router.pem from Server1 to Server2

    Copy the files itechpoz-server2.pem and itechpoz-server2-router.pem from Server2 to Server1

  4. Create a new iTechPoz-trusted.pem file by concatenating the contents of iTechPoz-trusted.pem of Server1 and iTechPoz-trusted.pem of Server2.

    Note: iTechPoz-trusted.pem file can be found in %DXHOME%\config\ssld directory.

  5. Copy the new iTechPoz-trusted.pem to both Server1 and Server2 to overwrite the existing files.

  6. Enter the following commands to stop and start all services and check their status:

    Windows
    dxserver stop all
    ssld stop
    dxserver start all
    ssld start
    dxserver status
    ssld status
    Linux and UNIX
    su - dsa -c "dxserver stop all"
    su - dsa -c "ssld stop"
    su - dsa -c "dxserver start all"
    su - dsa -c "ssld start"
  7. On the primary server, get the database name with the command "dxlistdb", which outputs the database name. If it does not list any database, use mdb as the database name. This happens because of the security features of Ingres, and because eTrust Directory did not install the mdb database.

  8. Dump the database content into a file using the command
    dxdumpdb -p "cn=iTechPoz" -S iTechPoz-<hostname> <database name> > <dumpfilename>
  9. Sort the dump file contents using the command
    ldifsort <dumpfilename> <sorted filename>
    This creates the file <sorted filename>.

  10. Start the services on the primary machine
    Check the dxserver build version
    dxserver version

    If the dxserver build version is less than 1000, upgrade to the latest build on BOTH machines using the EIAM installer.
    Location: ftp://ftp.ca.com/pub/iTech/eiam8.1/buildJan1119/eIAMServerMDB_8.1_070111_win32.exe
  11. Check whether all services are started after upgrade if not start those

  12. After upgrade stop all dxserver services on the primary machine

  13. Copy the sorted file to the secondary machine and load its contents on the secondary machine using the command
    dxloaddb -p "cn=iTechPoz" -S iTechPoz-<hostname> <sorted filename> <database name>
    <hostname> is the name of the host onto which you are loading the LDIF file. <database name> is the name obtained with dxlistdb in the step above.

    Note: The dxserver services must be stopped beforehand.

  14. Start the eTrust Directory DSAs using the command, on both the servers
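Added example, not part of the CA article: a small Python checker that parses the `set dsa "..." = { ... };` blocks of the .dxc knowledge files described above and verifies the one-way flag layout (Server1's DSA writable on Server1, multi-write, read-only in the copy held on Server2, and Server2's DSA a multi-write shadow). The DSA names follow the listing above; the sample files are constructed inline with the password lines left out.

```python
import re

# Added example (not from the CA article): a checker for the one-way failover
# flag layout the article describes. It parses the `set dsa "..." = { ... };`
# blocks of eTrust Directory .dxc knowledge files and verifies that Server1's
# DSA is writable on Server1, read-only in the copy held on Server2, and that
# Server2's DSA is a multi-write shadow.
DSA_BLOCK = re.compile(r'set dsa\s+"([^"]+)"\s*=\s*\{(.*?)\};', re.S)
SETTING = re.compile(r'^\s*([a-z-]+)\s*=\s*(.+?)\s*$', re.M)

def parse_dxc(text):
    """Return {dsa name: {setting: value}} for every DSA block in the text."""
    return {name: dict(SETTING.findall(body)) for name, body in DSA_BLOCK.findall(text)}

def flags(settings):
    """dsa-flags split into a set of tokens; a missing line means no flags."""
    return {t.strip() for t in settings.get("dsa-flags", "").split(",") if t.strip()}

def check_one_way(on_server1, on_server2, primary, secondary):
    """Return the list of problems found (empty means the pair matches the article).
    on_server1/on_server2 are the parsed files as held on each host; primary/secondary are DSA names."""
    problems = []
    p1, p2, s2 = flags(on_server1[primary]), flags(on_server2[primary]), flags(on_server2[secondary])
    if "multi-write" not in p1 or "read-only" in p1:
        problems.append(f"{primary} on Server1 must be multi-write and writable")
    if not {"multi-write", "read-only"} <= p2:
        problems.append(f"{primary} on Server2 must be multi-write, read-only")
    if not {"multi-write", "shadow"} <= s2:
        problems.append(f"{secondary} on Server2 must be multi-write, shadow")
    return problems

# Constructed sample files mirroring the article's listing (password lines left out).
ON_SERVER1 = '''
set dsa "iTechPoz-SERVER1" =
{
dsa-name = <cn iTechPoz><cn PozDsaSERVER1>
address = tcp "SERVER1" port 509, tcp localhost port 509
dsa-flags = multi-write
};
set dsa "iTechPoz-SERVER2" =
{
dsa-flags = multi-write, shadow
};
'''
# Server2's copy differs only in the read-only edit from step 2 of "Enable One Way Failover".
ON_SERVER2 = ON_SERVER1.replace("dsa-flags = multi-write\n", "dsa-flags = multi-write, read-only\n")
```

Running `check_one_way(parse_dxc(ON_SERVER1), parse_dxc(ON_SERVER2), "iTechPoz-SERVER1", "iTechPoz-SERVER2")` returns an empty list; passing Server1's own file as the Server2 copy (the read-only edit forgotten) reports the missing read-only flag.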

Server Failover

Note: Install eTrust IAM Toolkit Server on the server hosts (Server1 and Server2) and ensure their system time is synchronized.

You can configure Server1 to trust the sessions and certificates of Server2.

To configure server1 for failover

  1. Enter the URL https://server1:5250/spin.

  2. Select iTech Administrator.

  3. Log in as root or administrator by selecting Host or as eiamadmin by selecting iAuthority.

  4. Click the Configure tab, add Server2 as Hostname in the Trusted iAuthority Hosts pane and click Trust. An entry is added to the iControl.conf file and Server1 starts trusting sessions from Server2.

  5. Click the iAuthority tab, enter Label as Server2, browse to the location of PEM Certificate file in the Add Trusted Root pane and click Add Trusted Root.

Note: The PEM certificate file (rootcert.pem) is located in the iTechnology directory of Server2.

An entry is added in iAuthority.conf and Server1 starts trusting certificates from Server2.

You must also configure Server2 to trust the sessions and certificates of Server1.
To configure server2 for failover

  1. Enter the URL https://server2:5250/spin.

  2. Select iTech Administrator.

  3. Log in as root or administrator by selecting Host or as eiamadmin by selecting iAuthority.

  4. Click the Configure tab, add Server1 as Hostname in the Trusted iAuthority Hosts pane and click Trust. An entry is added to the iControl.conf file and Server2 starts trusting sessions from Server1.

  5. Click the iAuthority tab, enter Label as Server1, browse to the location of PEM Certificate file in the Add Trusted Root pane and click Add Trusted Root.
    Note: The PEM certificate file (rootcert.pem) is located in the iTechnology directory of Server1. An entry is added in iAuthority.conf and Server2 starts trusting certificates from Server1.

Configure eTrust IAM Toolkit Files
You must configure eTrust IAM Toolkit Server1 with the list of available replicated servers it can fall back on.
To configure eTrust IAM Toolkit Server1

  1. Open the iTechnology directory of Server1.

    Windows: %IGW_LOC%

    Linux and UNIX: /opt/CA/SharedComponents/iTechnology (Default)

  2. Open the iPoz.conf file and add the following tag:
    <BackboneMember>Server2</BackboneMember>
  3. Stop and start iGateway.

    Windows
    net stop igateway
    net start igateway
    Linux and UNIX
    /opt/CA/SharedComponents/iTechnology/S99igateway stop
    /opt/CA/SharedComponents/iTechnology/S99igateway start

You must also configure eTrust IAM Toolkit Server2 with the list of available replicated servers it can fall back on.
To configure eTrust IAM Toolkit Server2

  1. Open the iTechnology directory of Server2.

    Windows: %IGW_LOC%

    Linux and UNIX: /opt/CA/SharedComponents/iTechnology (Default)

  2. Open the iPoz.conf file and add the following tag:
    <BackboneMember>Server1</BackboneMember>
  3. Stop and start iGateway.

    Windows
    net stop igateway
    net start igateway
    Linux and UNIX
    /opt/CA/SharedComponents/iTechnology/S99igateway stop
    /opt/CA/SharedComponents/iTechnology/S99igateway start