EEM failover setup using response file


Article ID: 30769


Issue/Introduction

This document describes the procedure for setting up EEM servers in failover mode using a response file.

Environment

Embedded Entitlements Manager (EEM)

Release: 12.5

All Supported Windows and Linux Operating Systems

EEM version 12.51 CR02 and above, installed on Windows or Linux platforms, supports this type of setup. This setup does not replicate the external LDAP configuration; that has to be configured manually.

Cause

EEM servers can be installed and set up as individual standalone servers, or EEM can be configured in failover mode. This document covers the process of setting up EEM in failover mode using a response file.

Resolution

Before executing the failover tool by providing the response file as an input file, perform the following steps:

Step #1: Synchronize the system time of all servers in the failover setup

Step #2: Verify that all CA EEM Servers are configured in the same security mode, non-FIPS or FIPS-only

Step #3: Verify that DNS lookup resolves hostnames of all the servers in the failover setup

Step #4: Set the following environment variable(s) if not already done:

Set EIAM_HOME, JAVA_HOME, DXHOME

Windows

set EIAM_HOME=<installation_path_of_EIAM>
set JAVA_HOME=%EIAM_HOME%\jre
set DXHOME=<path_to_dxserver_location>
set PATH=%EIAM_HOME%\jre\bin;%DXHOME%\bin;%PATH%

UNIX

export EIAM_HOME=<installation_path_of_EIAM>
export JAVA_HOME=$EIAM_HOME/jre
export DXHOME=<path_to_dxserver_location>
export PATH=$EIAM_HOME/jre/bin:$DXHOME/bin:$PATH

Step #5: Navigate to the EIAM_HOME/samples/failovertool folder, which contains the sample response file. Edit this file to suit your requirements.

Note: A sample response file is provided towards the end of this document. Its parameters require modification based upon the EEM server where the file is available or copied to. The parameters are explained after the end of the sample response file.

Step #6: For setting up the EEM servers in failover using the response file, use the following command:

EIAM_HOME\bin>java -jar eiam-clustersetup.jar -r "<Location of the response file>/<response file name>"

Below is the sample response file and the explanation.

## Failover tool response file

IS_PRIMARY=true
PRIMARY_HOSTNAME=primary.ca.com
LOCAL_HOSTNAME=primary.ca.com
ADMIN_PASSWD={MUNGE2}CRAZGVQ=

RESET_PRIMARY=false
## possible values for HA_MODE are [INTERNAL/EXTERNAL]
HA_MODE=INTERNAL
DATA_DSA_PORT=509

## possible values for SYNC [NEW/DELTA]
SYNC=NEW

## Multiple comma separated nodes can be provided to ADD
#ADD=server1.ca.com:509,server2.ca.com:509

## Multiple comma separated nodes can be provided to REMOVE
#REMOVE=server1.ca.com,server2.ca.com

MODIFY_CERTS=false
## possible values for KEY_LENGTH [1024/2048/4096]
KEY_LENGTH=1024
## possible values for DIGEST_ALGORITHM [SHA1/SHA256/SHA384/SHA512]
DIGEST_ALGORITHM=SHA1

The response file can be modified to suit your requirements.

Usage and Explanation of the parameters.

Note: Do not delete any of the variables provided in the sample response file.

IS_PRIMARY=true

The IS_PRIMARY variable needs to be set to 'true' only on the EEM server that will be designated as the primary EEM server. On all the other EEM servers that will be part of the failover configuration, it needs to be set to 'false'.

PRIMARY_HOSTNAME=hostname.ca.com

This variable contains the name of the primary EEM server.  This has to be the fully qualified domain name of the server. Here hostname.ca.com is the FQDN for the primary EEM server. This variable needs to be enabled on all the EEM servers that are part of the failover configuration.

LOCAL_HOSTNAME=hostname.ca.com

This is the name of the host which is being configured to be part of the failover EEM configuration. On the primary EEM server, this is the FQDN of the primary EEM server. When this file is being modified on the secondary EEM server, this variable holds the FQDN of the secondary EEM server.

ADMIN_PASSWD={MUNGE2}CRAZGVQ=

This is the EiamAdmin user password of the primary EEM server. Even in the response file on the secondary EEM server, this variable holds the primary EEM server's EiamAdmin password. This password can be either in encrypted format or in plain text format.
The command to generate the encrypted password (java -jar eiam-clustersetup.jar -m <plain-text-password>) needs to be executed from the 'bin' directory of EIAM_HOME.

RESET_PRIMARY=false

This needs to be 'true' on the Primary EEM server only. In the response file on the secondary server, this can be set to 'false'.

## possible values for HA_MODE are [INTERNAL/EXTERNAL]

HA_MODE=INTERNAL

DATA_DSA_PORT=509

This is the port number defined during installation of EEM.  Modify this only in case the DSA port is different from the default value of 509 and provide the same port number that was specified during the EEM installation.

## possible values for SYNC [NEW/DELTA]

SYNC=NEW

Set this variable to NEW for a newly configured failover node.

Important! When you reconfigure the servers for failover, specify DELTA as the synchronization mode to sync the secondary servers with the primary server. With DELTA, the secondary node is synced to update configurations.

The section below is for adding / removing secondary EEM nodes to the primary

## Multiple comma separated nodes can be provided to ADD
ADD=server1.ca.com:509,server2.ca.com:509

The hostnames provided here must be in FQDN format, followed by the DSA port number on that host. This variable is only valid on the primary EEM server; on the rest of the servers this variable needs to be commented out.

## Multiple comma-separated nodes can be provided to REMOVE
REMOVE=server1.ca.com,server2.ca.com

The hostnames provided here must be in FQDN format. This variable is only valid on the primary EEM server; on the rest of the servers this variable needs to be commented out.

MODIFY_CERTS=false

If this is set to 'true', then modify the variables below appropriately. The variables that are affected when this is set to 'true' are 'KEY_LENGTH' and 'DIGEST_ALGORITHM'.

MODIFY_CERTS generates the server certificates with the specified key length and digest algorithm and replaces the existing certificates with the new certificates in the CA iTechnology iGateway folder. This option is available only when you run the tool on the EEM primary server.

## possible values for KEY_LENGTH [1024/2048/4096]
KEY_LENGTH=1024

## possible values for DIGEST_ALGORITHM [SHA1/SHA256/SHA384/SHA512]
DIGEST_ALGORITHM=SHA1

This needs to be the same across all the EEM servers which are in a failover configuration.
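
The following Python linter is an added example, not part of the original article or of the EEM product: it checks a response file against the parameter rules explained above before the file is passed to eiam-clustersetup.jar. It assumes encrypted passwords carry the {MUNGE2} prefix shown in the sample; the warnings about KEY_LENGTH=1024 and DIGEST_ALGORITHM=SHA1 are this example's hardening suggestion, not a rule stated by the article.

```python
import re

REQUIRED = ("IS_PRIMARY PRIMARY_HOSTNAME LOCAL_HOSTNAME ADMIN_PASSWD RESET_PRIMARY "
            "HA_MODE DATA_DSA_PORT SYNC MODIFY_CERTS KEY_LENGTH DIGEST_ALGORITHM").split()
ALLOWED = {"HA_MODE": "INTERNAL EXTERNAL", "SYNC": "NEW DELTA",
           "KEY_LENGTH": "1024 2048 4096", "DIGEST_ALGORITHM": "SHA1 SHA256 SHA384 SHA512"}
FQDN = re.compile(r"^(?=.{1,253}$)([A-Za-z0-9-]{1,63}\.)+[A-Za-z]{2,63}$")
# The article's sample file for the primary server, abridged, used as sample input.
PAGE_SAMPLE = ("IS_PRIMARY=true\nPRIMARY_HOSTNAME=primary.ca.com\nLOCAL_HOSTNAME=primary.ca.com\n"
               "ADMIN_PASSWD={MUNGE2}CRAZGVQ=\nRESET_PRIMARY=false\nHA_MODE=INTERNAL\nDATA_DSA_PORT=509\n"
               "SYNC=NEW\n#ADD=server1.ca.com:509\nMODIFY_CERTS=false\nKEY_LENGTH=1024\nDIGEST_ALGORITHM=SHA1\n")

def parse(text):
    """Return {KEY: value} for active lines; lines starting with '#' are comments."""
    lines = (l.strip() for l in text.splitlines())
    pairs = (l.split("=", 1) for l in lines if "=" in l and not l.startswith("#"))
    return {k.strip(): v.strip() for k, v in pairs}  # split once: ADMIN_PASSWD ends in '='

def lint(text):
    """Check one response file; return (errors, warnings) as lists of strings."""
    cfg, errors, warnings = parse(text), [], []
    errors += [f"{k} is missing (do not delete sample variables)" for k in REQUIRED if k not in cfg]
    for key, allowed in ALLOWED.items():
        if key in cfg and cfg[key] not in allowed.split():
            errors.append(f"{key}={cfg[key]} is not one of: {allowed}")
    for key in ("PRIMARY_HOSTNAME", "LOCAL_HOSTNAME"):
        if key in cfg and not FQDN.match(cfg[key]):
            errors.append(f"{key} is not an FQDN")
    primary = cfg.get("IS_PRIMARY", "").lower() == "true"
    if primary != (cfg.get("LOCAL_HOSTNAME") == cfg.get("PRIMARY_HOSTNAME")):
        errors.append("IS_PRIMARY disagrees with LOCAL_HOSTNAME/PRIMARY_HOSTNAME")
    for key in (k for k in ("ADD", "REMOVE") if k in cfg):
        if not primary:
            errors.append(f"{key} must be commented out on a secondary server")
        for node in map(str.strip, cfg[key].split(",")):
            host, _, port = node.partition(":")
            if not FQDN.match(host) or (key == "ADD" and not port.isdigit()):
                errors.append(f"{key} entry {node!r} is malformed")
    certs = cfg.get("MODIFY_CERTS", "").lower() == "true"
    if certs and not primary:
        errors.append("MODIFY_CERTS=true is only available on the primary server")
    for key, weak in (("KEY_LENGTH", "1024"), ("DIGEST_ALGORITHM", "SHA1")):
        if certs and cfg.get(key) == weak:  # hardening suggestion added by this example
            warnings.append(f"{key}={weak} is weak for new certificates; pick a stronger value")
    if not cfg.get("ADMIN_PASSWD", "{MUNGE2}").startswith("{MUNGE2}"):  # assumed marker
        warnings.append("ADMIN_PASSWD is plain text; generate the encrypted form with -m")
    return errors, warnings

if __name__ == "__main__":
    print(lint(PAGE_SAMPLE))
```

Run it against each server's response file; a file with errors should be corrected before it is given to the failover tool.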