Problem:

Customers have requirements to have high availability for policy store and key store - failover

Replication is the mechanism that is used to maintain multiple copies of directory data synchronized and available for all LDAP applications

Resolution:

CA Directory has the following replication schemes available:

• Multiwrite-DISP-Recovery (preferred while not recommended for SiteMinder Session Store DSAs)
• Multiwrite
• DISP

Replication can be configured in one of two ways Configuration files or DXManager (beyond this training):

• Configuration files
   
  • Peer DSA's have flag
  • DSAs have knowledge of one another

Instructions:

Followed the steps below to create the CA Directory DSAs for Policy Store and Session Store for each server in the replication agreement

ServerA with DSA name 'ServerA_smpolicystore' as a Policy Store datastore.

ServerB with DSA name 'ServerB_smpolicystore' as a Policy Store datastore.

On ServerA:

1. From ServerB copy the DXHOME\config\knowledge\ServerB_smpolicystore.dxc in the same folder on ServerA.
2. Edit both .DXC files under DXHOME\config\knowledge folder to ADD 'dsa-flags' parameter under 'auth-levels' parameter. e.g.
   
   auth-levels = anonymous, clear-password
   dsa-flags = multi-write
    
3. Create a knowledge group file (e.g. smpolicystore.dxg) under DXHOME\config\knowledge folder and source in both configuration .dxc file. e.g.
   
   source "ServerA_smpolicystore.dxc";
   source "ServerB_smpolicystore.dxc";
    
4. Edit the '# knowledge' reference in DXHOME\config\servers\ServerA_smpolicystore.dxi by changing 'ServerA_smpolicystore.dxc' to 'smpolicystore.dxg'.

5. Within the same DXHOME\config\servers\ServerA_smpolicystore.dxi file, edit the following line setting it to 'true' to enable MW-DISP recovery replication.

   set multi-write-disp-recovery = true;

   By default (when a DSA gets created), this is set to 'false'.

On ServerB:

1. From ServerA copy the DXHOME\config\knowledge\ServerA_smpolicystore.dxc as well as 'smpolicystore.dxg' in the same folder on ServerB.
2. Add the same 'dsa-flags' parameter (as mentioned in #2 above) in ServerB_smpolicystore.dxc.
3. Reverse the 'source' order in .DXG file. Common practice: Local DSA(s) listed at the top. e.g.
   
   source "ServerB_smpolicystore.dxc";
   source "ServerA_smpolicystore.dxc";
    
4. Edit the '# knowledge' reference in DXHOME\config\servers\ServerB_smpolicystore.dxi by changing 'ServerB_smpolicystore.dxc' to 'smpolicystore.dxg'.

5. Within the same DXHOME\config\servers\ServerB_smpolicystore.dxi file, edit the following line setting it to 'true' to enable MW-DISP recovery replication.

   set multi-write-disp-recovery = true;

   By default (when a DSA gets created), this is set to 'false'.

Now will a good time to restart the DSAs on BOTH servers. Once done, test your multi-write replication setup to confirm it is working. See example below.

Example:

1. Using JXplorer LDAP browser connect to 'ServerA_smpolicystore' DSA.
2. Create a test entry (or you can make modification in an existing entry).
3. Disconnect from JXplorer and connect to 'ServerB_smpolicystore' DSA
4. Check to confirm the change made on 'ServerA_smpolicystore' DSA is visible over here.
5. While still connected to 'ServerB_smpolicystore' DSA, revert the change and disconnect.
6. Re-connect to 'ServerA_smpolicystore' DSA and confirm the change got replicated.

Configure Failover from SMCONSOLE

Access SMCONSOLE
Data TAB enter LDAP server IP addresses and port numbers in the LDAP Server field as a space-delimited list of LDAP server addresses.

You can specify a unique port for each server. If your LDAP servers are running on a non-standard port (389 for non SSL/ 636 for SSL), append the port number to the last server IP address using a ':' as a delimiter. For example, if your servers are running on ports 511 and 512, you can enter the following:

123.123.12.11:511 123.123.12.22:512

For this technote example SMCONSOLE data tab configuration: (NOTE no port was added using the default LDAP port of 389)

LDAP IP Address:
ServerA ServerB