SiteMinder with CA Directory as policy store: high availability

Document ID : KB000021215
Last Modified Date : 14/02/2018


Customers require high availability (failover) for the policy store and key store.

Replication is the mechanism used to keep multiple copies of directory data synchronized and available to all LDAP applications.


CA Directory has the following replication schemes available:

  • Multiwrite-DISP-Recovery (preferred)
  • Multiwrite
  • DISP

Replication can be configured in one of two ways, configuration files or DXManager (DXManager is beyond the scope of this document). With configuration files:

  • Peer DSAs carry the 'dsa-flags' setting that enables multi-write
  • DSAs have knowledge of one another


Follow the steps below to create the CA Directory DSAs for the Policy Store and Session Store on each server in the replication agreement.

ServerA with DSA name 'ServerA_smpolicystore' as a Policy Store datastore.

ServerB with DSA name 'ServerB_smpolicystore' as a Policy Store datastore.

On ServerA:

  1. From ServerB, copy DXHOME\config\knowledge\ServerB_smpolicystore.dxc into the same folder on ServerA.
  2. Edit both .DXC files under the DXHOME\config\knowledge folder to ADD the 'dsa-flags' parameter under the 'auth-levels' parameter, e.g.

    auth-levels = anonymous, clear-password
    dsa-flags = multi-write

  3. Create a knowledge group file (e.g. smpolicystore.dxg) under the DXHOME\config\knowledge folder and source both .dxc configuration files in it, e.g.

    source "ServerA_smpolicystore.dxc";
    source "ServerB_smpolicystore.dxc";

  4. Edit the '# knowledge' reference in DXHOME\config\servers\ServerA_smpolicystore.dxi by changing 'ServerA_smpolicystore.dxc' to 'smpolicystore.dxg'.

On ServerB:

  1. From ServerA, copy DXHOME\config\knowledge\ServerA_smpolicystore.dxc as well as 'smpolicystore.dxg' into the same folder on ServerB.
  2. Add the same 'dsa-flags' parameter (as in step 2 above) to ServerB_smpolicystore.dxc.
  3. Reverse the 'source' order in the .DXG file. Common practice: the local DSA(s) are listed at the top, e.g.

    source "ServerB_smpolicystore.dxc";
    source "ServerA_smpolicystore.dxc";

  4. Edit the '# knowledge' reference in DXHOME\config\servers\ServerB_smpolicystore.dxi by changing 'ServerB_smpolicystore.dxc' to 'smpolicystore.dxg'.
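As an added example (not part of this technote or of CA Directory), a small Python checker for the knowledge files produced by the steps above, to run before restarting the DSAs: it confirms that the .dxi sources the .dxg group rather than a single .dxc, that the local DSA is listed first in the group, and that every sourced .dxc carries 'dsa-flags = multi-write'. The embedded file contents are constructed and simplified; the 'set dsa' wrapper and the relative paths are assumptions.

```python
import re
from typing import Dict, List

# Constructed, simplified copies of the ServerA files (paths relative to DXHOME\config).
FILES: Dict[str, str] = {
    "knowledge/ServerA_smpolicystore.dxc": 'set dsa "ServerA_smpolicystore" = {\n'
        '    auth-levels = anonymous, clear-password\n    dsa-flags = multi-write\n};\n',
    "knowledge/ServerB_smpolicystore.dxc": 'set dsa "ServerB_smpolicystore" = {\n'
        '    auth-levels = anonymous, clear-password\n    dsa-flags = multi-write\n};\n',
    "knowledge/smpolicystore.dxg": 'source "ServerA_smpolicystore.dxc";\n'
                                   'source "ServerB_smpolicystore.dxc";\n',
    "servers/ServerA_smpolicystore.dxi": '# knowledge\nsource "../knowledge/smpolicystore.dxg";\n',
}

SOURCE_RE = re.compile(r'^\s*source\s+"([^"]+)"\s*;', re.M)
FLAGS_RE = re.compile(r'^\s*dsa-flags\s*=\s*([^\n;]+)', re.M)

def sourced_files(text: str) -> List[str]:
    """Return the file names named by `source "...";` lines, in order."""
    return SOURCE_RE.findall(text)

def dsa_flags(dxc_text: str) -> List[str]:
    """Return the comma-separated values of the dsa-flags parameter ([] if absent)."""
    m = FLAGS_RE.search(dxc_text)
    return [f.strip() for f in m.group(1).split(",")] if m else []

def check_multiwrite(files: Dict[str, str], local_dsa: str, group: str) -> List[str]:
    """Lint one server's knowledge files; an empty list means every check passed."""
    findings: List[str] = []
    dxi = files.get(f"servers/{local_dsa}.dxi", "")
    dxi_refs = [re.split(r"[\\/]", ref)[-1] for ref in sourced_files(dxi)]  # strip any path
    if group not in dxi_refs:
        findings.append(f"{local_dsa}.dxi does not source {group} (still points at a single .dxc?)")
    members = sourced_files(files.get(f"knowledge/{group}", ""))
    if len(members) < 2:
        findings.append(f"{group} must source at least two .dxc files, found {len(members)}")
    elif members[0] != f"{local_dsa}.dxc":
        findings.append(f"{group} should list the local DSA {local_dsa}.dxc first")
    for member in members:
        dxc = files.get(f"knowledge/{member}")
        if dxc is None:
            findings.append(f"{member} is sourced by {group} but missing from the knowledge folder")
        elif "multi-write" not in dsa_flags(dxc):
            findings.append(f"{member} lacks 'dsa-flags = multi-write'")
    return findings

if __name__ == "__main__":
    for line in check_multiwrite(FILES, "ServerA_smpolicystore", "smpolicystore.dxg") or ["OK"]:
        print(line)
```

Run the same function against ServerB's files with local_dsa set to 'ServerB_smpolicystore' to verify the reversed source order on the second server.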

Now is a good time to restart the DSAs on BOTH servers. Once done, test your multi-write replication setup to confirm it is working, as in the example below.


  1. Using the JXplorer LDAP browser, connect to the 'ServerA_smpolicystore' DSA.
  2. Create a test entry (or modify an existing entry).
  3. Disconnect from JXplorer and connect to the 'ServerB_smpolicystore' DSA.
  4. Confirm that the change made on the 'ServerA_smpolicystore' DSA is visible here.
  5. While still connected to the 'ServerB_smpolicystore' DSA, revert the change and disconnect.
  6. Re-connect to the 'ServerA_smpolicystore' DSA and confirm that the change was replicated.

Configure Failover from SMCONSOLE

On the Data tab, enter the LDAP server IP addresses and port numbers in the LDAP Server field as a space-delimited list of LDAP server addresses.

You can specify a unique port for each server. If your LDAP servers are running on a non-standard port (the standard ports are 389 for non-SSL and 636 for SSL), append the port number to the last server IP address using ':' as a delimiter. For example, if your servers are running on ports 511 and 512, you can enter the following:

SMCONSOLE Data tab configuration for this technote's example (NOTE: no port was added, so the default LDAP port of 389 is used):

LDAP IP Address:
ServerA ServerB