SiteMinder with CA Directory as policy store and key store high availability

Document ID : KB000021215
Last Modified Date : 04/10/2018
Introduction:

Problem:

Customers require high availability (failover) for the policy store and key store.

Replication is the mechanism used to keep multiple copies of directory data synchronized and available to all LDAP applications.

Resolution:

CA Directory has the following replication schemes available:

  • Multiwrite-DISP-Recovery (preferred)
  • Multiwrite
  • DISP

Replication can be configured in one of two ways: with configuration files or with DXManager (DXManager is beyond the scope of this training). This document uses configuration files:

  • Configuration files
    • Peer DSAs carry the multi-write flag
    • DSAs have knowledge of one another

Instructions:

Follow the steps below to create the CA Directory DSAs for the Policy Store and Session Store on each server in the replication agreement.

ServerA with DSA name 'ServerA_smpolicystore' as a Policy Store datastore.

ServerB with DSA name 'ServerB_smpolicystore' as a Policy Store datastore.

On ServerA:

  1. From ServerB, copy DXHOME\config\knowledge\ServerB_smpolicystore.dxc into the same folder on ServerA.
  2. Edit both .DXC files under the DXHOME\config\knowledge folder to add the 'dsa-flags' parameter below the 'auth-levels' parameter, e.g.

    auth-levels = anonymous, clear-password
    dsa-flags = multi-write
     
  3. Create a knowledge group file (e.g. smpolicystore.dxg) under the DXHOME\config\knowledge folder and source both .dxc configuration files in it, e.g.

    source "ServerA_smpolicystore.dxc";
    source "ServerB_smpolicystore.dxc";
     
  4. Edit the '# knowledge' reference in DXHOME\config\servers\ServerA_smpolicystore.dxi by changing 'ServerA_smpolicystore.dxc' to 'smpolicystore.dxg'.

On ServerB:

  1. From ServerA, copy DXHOME\config\knowledge\ServerA_smpolicystore.dxc and 'smpolicystore.dxg' into the same folder on ServerB.
  2. Add the same 'dsa-flags' parameter (as in step 2 above) to ServerB_smpolicystore.dxc.
  3. Reverse the 'source' order in the .DXG file. Common practice is to list the local DSA(s) at the top, e.g.

    source "ServerB_smpolicystore.dxc";
    source "ServerA_smpolicystore.dxc";
     
  4. Edit the '# knowledge' reference in DXHOME\config\servers\ServerB_smpolicystore.dxi by changing 'ServerB_smpolicystore.dxc' to 'smpolicystore.dxg'.

Now is a good time to restart the DSAs on BOTH servers. Once done, test your multi-write replication setup to confirm it is working; see the example below.
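As an added example (not from this technote or from CA Directory itself), a small Python lint that reads the knowledge files produced by the steps above and reports which steps are not reflected in them: the .dxi must source the .dxg group, the local DSA should be listed first, and every member .dxc must carry dsa-flags = multi-write. The .dxc contents are a constructed approximation of CA Directory's set dsa syntax, and the hostnames and ports are assumed.

```python
import re

# Constructed sample of the knowledge files on ServerA (hostnames and ports are
# made up). Two of the steps above were skipped on purpose: ServerB's .dxc has
# no dsa-flags line, and the .dxi still sources the single .dxc, not the .dxg.
FILES = {
    "knowledge/ServerA_smpolicystore.dxc": 'set dsa ServerA_smpolicystore = {\n'
        '  address = tcp "servera.example.test" port 20389\n'
        '  auth-levels = anonymous, clear-password\n  dsa-flags = multi-write\n};',
    "knowledge/ServerB_smpolicystore.dxc": 'set dsa ServerB_smpolicystore = {\n'
        '  address = tcp "serverb.example.test" port 20389\n'
        '  auth-levels = anonymous, clear-password\n};',
    "knowledge/smpolicystore.dxg": 'source "ServerA_smpolicystore.dxc";\n'
        'source "ServerB_smpolicystore.dxc";',
    "servers/ServerA_smpolicystore.dxi": '# knowledge\n'
        'source "../knowledge/ServerA_smpolicystore.dxc";',
}

SOURCE_RE = re.compile(r'^\s*source\s+"([^"]+)"\s*;', re.M)
PARAM_RE = re.compile(r'^\s*([a-z-]+)\s*=\s*(.+?)\s*$', re.M)


def sources(text):
    """Base names of files pulled in by 'source "...";' lines, in file order."""
    return [path.split("/")[-1] for path in SOURCE_RE.findall(text)]


def dsa_params(text):
    """'name = value' parameters of a set dsa block; values split on commas."""
    return {k: [v.strip() for v in val.split(",")] for k, val in PARAM_RE.findall(text)}


def check_replication(files, local_dsa, group="smpolicystore.dxg"):
    """Return the steps from the procedure above that are not reflected in files."""
    findings = []
    if group not in sources(files[f"servers/{local_dsa}.dxi"]):
        findings.append(f"{local_dsa}.dxi does not source knowledge group {group}")
    members = sources(files[f"knowledge/{group}"])
    if len(members) < 2:
        findings.append(f"{group} lists fewer than two DSAs, so there is no peer")
    elif members[0] != f"{local_dsa}.dxc":
        findings.append(f"{local_dsa}.dxc is not listed first in {group}")
    for member in members:  # every peer must carry the multi-write flag
        flags = dsa_params(files[f"knowledge/{member}"]).get("dsa-flags", [])
        if "multi-write" not in flags:
            findings.append(f"{member} lacks dsa-flags = multi-write")
    return findings
```

Run check_replication(FILES, "ServerA_smpolicystore") on the sample to see both skipped steps reported; a clean configuration returns an empty list.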

Example:

  1. Using JXplorer LDAP browser connect to 'ServerA_smpolicystore' DSA.
  2. Create a test entry (or you can make modification in an existing entry).
  3. Disconnect from JXplorer and connect to the 'ServerB_smpolicystore' DSA.
  4. Confirm that the change made on the 'ServerA_smpolicystore' DSA is visible there.
  5. While still connected to 'ServerB_smpolicystore' DSA, revert the change and disconnect.
  6. Re-connect to 'ServerA_smpolicystore' DSA and confirm the change got replicated.

Configure Failover from SMCONSOLE

Access SMCONSOLE. On the Data tab, enter the LDAP server IP addresses and port numbers in the LDAP Server field as a space-delimited list of LDAP server addresses.

You can specify a unique port for each server. If your LDAP servers are running on a non-standard port (the standard ports are 389 for non-SSL and 636 for SSL), append the port number to the server IP address using ':' as a delimiter. For example, if your servers are running on ports 511 and 512, you can enter the following:

123.123.12.11:511 123.123.12.22:512

For this technote example, the SMCONSOLE Data tab configuration is as follows (NOTE: no port was added, so the default LDAP port of 389 is used):

LDAP IP Address:
ServerA ServerB
