SM setup


Article ID: 211132

Products

SITEMINDER CA Single Sign On Federation (SiteMinder)

Issue/Introduction

 

When configuring and running a Policy Server with CA Directory as
the Policy Store and Session Store, one might like to know:

  1. How to configure CA SiteMinder in high availability mode or
     clustering mode?

  2. How to point CA SiteMinder to two backend CA Directory servers
     (policy store & session store)?

Resolution

 

At first glance, according to the documentation, high availability
for the Policy Store and the Session Store is limited to failover
(1)(2). This applies to both ODBC and LDAP stores. A cluster usually
implies load balancing, so there is no clustering configuration for
either the Policy Store or the Session Store.

Because there is no clustering for the Policy Store or the Session
Store, configure each of them to point to one server first; if that
first server cannot be reached (it is down), the Policy Server uses
the next one.
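
The ordered failover described above is only useful if the next store is actually reachable when the first one goes down. The following is an added example, not code from this article or from SiteMinder: it models "use the first store that answers" with a TCP connect probe and reports whether redundancy is still in place. The host names and the port are placeholders.

```python
import socket


def is_reachable(host, port, timeout=2.0):
    """TCP connect probe: True if the directory port accepts a connection."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def failover_report(stores, probe=is_reachable):
    """Model ordered failover over `stores`, a list of (host, port), primary first.

    Returns which store would be used (the first reachable one, never a
    load-balanced choice), which stores are down, and whether at least
    two stores are reachable so that a further failure can be absorbed.
    """
    status = [(host, port, probe(host, port)) for host, port in stores]
    active = next(((h, p) for h, p, up in status if up), None)
    down = [(h, p) for h, p, up in status if not up]
    reachable = sum(1 for _, _, up in status if up)
    return {
        "active": active,             # None means no store answers at all
        "on_primary": bool(stores) and active == stores[0],
        "down": down,
        "redundant": reachable >= 2,  # False: running without a fallback
    }


if __name__ == "__main__":
    # Placeholder endpoints (assumption): replace with the real directory
    # hosts and ports, in the same order as configured on the Policy Server.
    policy_stores = [("dsa1.example.com", 389), ("dsa2.example.com", 389)]
    report = failover_report(policy_stores)
    print(report)
    if not report["redundant"]:
        print("WARNING: fewer than two stores reachable; failover is not available")
```

Run it from the Policy Server host so the probe follows the same network path, and alert on `redundant` being false rather than only on `active` being empty.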

 

Additional Information

 

(1)

  Primary Policy Store

    Deploying a primary policy store with replicated versions is a way to
    achieve policy store redundancy. A single primary policy store lets
    each Policy Server communicate with the closest replicated
    version. This method of communication:

    Improves the performance of geographically separated Policy
    Servers. Sending Policy Server requests to policy stores outside a
    certain locale can result in increased network communication overhead
    and network congestion.

    Allows for failover. If a primary policy store fails, Policy Servers
    failover to a secondary store.

  https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/implementing/implementing-ca-single-sign-on/architectural-use-cases.html

(2)

  Policy Server to Session Store Communication

    If you deploy a session store, all Policy Servers in the environment
    must use the same session store database.

    Deploying a primary session store is a way to achieve session store
    redundancy. A primary session store lets each Policy Server
    communicate with the closest replicated version. This method of
    communication:

    Improves the performance of geographically separated Policy
    Servers. Sending Policy Server requests to a centralized session store
    outside a certain locale can result in increased network communication
    overhead and network congestion.

    Allows for failover. If a primary session store fails, Policy Servers
    failover to a secondary session store.

  https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/implementing/implementing-ca-single-sign-on/architectural-use-cases.html