How to set up a dbrouter on your admin server when using external directory servers. (tier 2 failover, db_router)

Document ID : KB000055467
Last Modified Date : 14/02/2018

DESCRIPTION:

The documentation recommends deploying the admin server and the directory server on different machines.

The examples in the High Availability guide describe only how to set up a DB router on the eTrust Directory machines. This means that the admin server process will point to an eTrust Directory server for finding the DB router. If this eTrust Directory server is down, there will effectively be no failover.

This document describes how to move the DB Router over to the Admin server instead, so that the Admin server will not depend on one eTrust directory server to do failover.

SOLUTION:

For the scenario below the following assumptions are made:

  • Two eTrust Admin servers
  • Two eTrust Directory servers
  • They have been configured following the eTrust Admin High Availability Guide using the samples included at installation.
  • The samples use the hostnames root01 and root02. These names will be used for the eTrust Directory servers.
  • The above configuration is working.
  • For the eTrust Admin servers, the names admin01 and admin02 will be used.

The default installation of eTrust Admin server should have installed eTrust Directory on admin01 and admin02. If not, please install it now.

For 8.1 sp2, use CD2 and the command below (please change the paths as needed):

    D:\install\eTrustDirectory\dxserver\windows\dxsetup.exe ADDLOCAL=DXServer,IngresDBMS,IngresNet,JXplorer ETRDIRBASEPATH="c:\Program Files\CA\eTrust Directory" INGRES_DESTINATION="c:\Program Files\CA\Ingres [EI]" REBOOT=ReallySuppress ETRDIR_DXSERVER_SAMPLES=0 ETRDIR_DXSERVER_README=0 ETRDIR_SILENT_INSTALL=1 INGRES_CKPDIR="c:\Program Files\CA\Ingres [EI]\ingres\ckp" INGRES_DATADIR="c:\Program Files\CA\Ingres [EI]\ingres\data" INGRES_DMPDIR="c:\Program Files\CA\Ingres [EI]\ingres\dmp" INGRES_JNLDIR="c:\Program Files\CA\Ingres [EI]\ingres\jnl" INGRES_PRIMLOGDIR="c:\Program Files\CA\Ingres [EI]\ingres\log" INGRES_WORKDIR="c:\Program Files\CA\Ingres [EI]\ingres\work" ETRDIR_DXSERVER_EMBEDDED=1 CALLER_ID=IAM


For 8.1 sp1, use the command:

    D:\install\eTrustDirectory\dxserver\windows\dxsetup.exe ADDLOCAL=DXServer,IngresDBMS,IngresNet,JXplorer,TeraTerm ETRDIR_DXSERVER_EMBEDDED=1 CALLER_ID=ETADMIN ETRDIR_DXSERVER_SAMPLES=0 ETRDIR_DXSERVER_README=0 ETRDIR_BASIC_UI_INSTALL=1

Both these commands are described in the implementation guide.

How to reconfigure

We will use root01 for the reconfiguration. It is best to create all needed files on this machine, and then create the certificates there before copying/moving the files to the other machines.

Configure the DSA

  1. Copy admin_dbrouter_root01.dxc to admin_dbrouter_admin01.dxc and admin_dbrouter_admin02.dxc

  2. Edit admin_dbrouter_admin01.dxc and change the following lines:
    • set dsa admin_dbrouter_root01 =
      to
      set dsa admin_dbrouter_admin01 =

    • dsa-name = <dc etadb><cn admin_dbrouter_root01>
      to
      dsa-name = <dc etadb><cn admin_dbrouter_admin01>

    • address = tcp "root01" port 21399
      to
      address = tcp "admin01" port 21399

  3. Repeat the changes outlined in step 2 for admin_dbrouter_admin02.dxc but replace admin01 with admin02.

  4. Edit admin_dbrouter.dxg and insert the following lines at the end of the file:

    source "admin_dbrouter_admin01.dxc";
    source "admin_dbrouter_admin02.dxc";

You should now have all the needed DSAs.
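
The edits described above for the .dxc and .dxg files can be scripted so that a missed setting is caught before the DSA is started. The following is an added example, not part of the original document or the product: the sample file contents are constructed and contain only the settings named above, and the function names derive_dxc and add_sources are hypothetical.

```python
import re

# Constructed sample input: only the three settings the article names are
# shown; a real admin_dbrouter_root01.dxc carries more settings than this.
SAMPLE_DXC = '''set dsa admin_dbrouter_root01 =
{
    dsa-name = <dc etadb><cn admin_dbrouter_root01>
    address  = tcp "root01" port 21399
};
'''
# Constructed sample of admin_dbrouter.dxg before the edit (assumed layout).
SAMPLE_DXG = ('source "admin_dbrouter_root01.dxc";\n'
              'source "admin_dbrouter_root02.dxc";\n')

# The three host-specific settings; {h} stands for the host name.
FIELDS = [
    r'^(\s*set\s+dsa\s+admin_dbrouter_){h}(\s*=)',
    r'^(\s*dsa-name\s*=\s*<dc etadb><cn admin_dbrouter_){h}(>)',
    r'^(\s*address\s*=\s*tcp\s+"){h}("\s+port\s+21399)',
]

def derive_dxc(template, src, dst):
    """Rewrite the three src-host settings for dst; fail if any is missing."""
    out = template
    for field in FIELDS:
        pattern = re.compile(field.format(h=re.escape(src)), re.M)
        out, n = pattern.subn(lambda m: m.group(1) + dst + m.group(2), out)
        if n != 1:
            raise ValueError(f"{field!r}: expected 1 match for {src}, got {n}")
    return out

def add_sources(dxg, hosts):
    """Append one source line per host to the .dxg text, skipping duplicates."""
    lines = dxg.rstrip("\n").split("\n")
    for host in hosts:
        line = f'source "admin_dbrouter_{host}.dxc";'
        if line not in [l.strip() for l in lines]:
            lines.append(line)
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    for host in ("admin01", "admin02"):
        print(f"--- admin_dbrouter_{host}.dxc ---")
        print(derive_dxc(SAMPLE_DXC, "root01", host))
    print(add_sources(SAMPLE_DXG, ["admin01", "admin02"]))
```

Only the three named settings are rewritten, rather than every occurrence of the host name, so any other reference to root01 in a real file is left for manual review.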

Create and configure the certificate

  5. The next steps effectively create/recreate the certificates. This is done using dxcertgen.exe (full usage is described in the High Availability guide). A sample command is:

    dxcertgen -d 365 -i "dc=etadb" certs

  6. Locate the security certificate with the issuer dc=etadb in the generated root Certificate Authority (CA) certificate, stored in the %DXHOME%\config\ssld\trusted.pem file, and copy and append this certificate to etrustadmin_trusted.pem
Copy master configuration and modify host specifics for root02 and admin01 and admin02

  7. Shut down the admin services on both admin01 and admin02

  8. Shut down all directory services on all servers (dxserver stop all)

  9. Create a backup of the file %DXHOME%\config\ssld\trusted.pem on the hosts: root02, admin01 and admin02

  10. Copy the following files to the directory %DXHOME%\config\knowledge on root02:
    • admin_dbrouter.dxg
    • admin_dbrouter_admin01.dxc
    • admin_dbrouter_admin02.dxc

  11. Copy the directory %DXHOME%\config\ssl to the directory %DXHOME%\config\ssld on root02

  12. Copy back the backup of file trusted.pem for root02 taken in step 9

  13. Copy the directory %DXHOME%\config to the directory %DXHOME%\config on both admin01 and admin02

  14. Restore the backup version of file trusted.pem taken in step 9, for both admin01 and admin02

  15. Start up the directory services on root01 and root02
Modify host specifics for admin01 and admin02

  16. Go over to admin server admin01 (all subsequent operations need to be performed on admin02 as well, replacing admin01 with admin02)

  17. Go to %DXHOME%\config\servers and delete all files apart from *.help and admin_dbrouter_root01.dxi

  18. Rename the file %DXHOME%\config\servers\admin_dbrouter_root01.dxi to %DXHOME%\config\servers\admin_dbrouter_admin01.dxi

  19. Edit the file %DXHOME%\config\knowledge\admin_dbrouter.dxg and move the following two lines

    source "admin_dbrouter_admin01.dxc";
    source "admin_dbrouter_admin02.dxc";

    to the beginning of the file (for admin02, change the order of the lines)

  20. From a command prompt, execute the following command to install the dbrouter as a service:

    dxserver install admin_dbrouter_admin01

  21. To change the dependencies of the Admin services, run the following two commands:

    slapd remove eta_slapd
    slapd install eta_slapd "eTrust Admin Provisioning" auto "DXServer_admin_dbrouter_admin01;eta_connector" .\etaslapd password_"description"

  22. Go to %ETAHOME%\data and edit eta_be.conf. It should read as follows (only the relevant lines are shown; lines not shown should not be changed):

    # ETA Parameters to connect to the database
    DbHost admin01
    DbPort 21399
    DbTlsPort 21399

  23. Change over to host admin02 and repeat steps 16 to 22 for that host (using admin02 instead of admin01)
Starting all services and verification

  24. Start up directory services on admin01 and admin02

  25. Start up the admin services on admin01 and admin02

  26. Verify that all services are up and running

  27. Test with admin manager (etadmin.exe) to see if it works
Troubleshooting

If it does not work, please check the log files. The relevant files are the directory log files in %DXHOME%\logs (check the DSA logs and the SSLD log, eTrust Admin.log) and the admin logs in %ETAHOME%\logs.

If the DSA is not starting at all, a good trick is to start it with the -d flag: dxserver -d start <DSA name>, for example dxserver -d start admin_dbrouter_admin01. This will show you any syntax errors.