Does the Identity Suite support a Silo deployment style?

Article ID: 396532

Products

CA Identity Manager

Issue/Introduction


Do the Identity Management Suite products support deployment in a "silo" architecture rather than a true J2EE cluster, that is, where each node of the product runs in its own separate, non-clustered application server deployment?

Cause

Virtual Appliance
Identity Manager

Identity Governance
Identity Portal


Release Versions: 14.5

Resolution

The Identity Suite products do not support deployment in a silo architecture. The Identity Suite products are J2EE applications that rely on the Java Message Service (JMS) queue to keep the clustered nodes in sync.

This requirement is stated in the product documentation, for example in the Identity Manager documentation.

Additional Information

The following illustrates a potential security risk with a siloed deployment.

Example of a Problem with Silo Architecture

In a silo architecture with two non-clustered instances of Identity Manager, the "System Manager" role has been
configured such that User1 and User2 are explicitly defined members.

User1 logs into Identity Manager (handled by Node 1) and is authorized as a System Manager. App Server
Node 1 now caches the membership of the System Manager role. User1 logs out. App Server Node 1 retains the
cached membership.

User2 logs into Identity Manager (handled by Node 2) and is authorized as a System Manager. App Server Node 2
now caches the membership of the System Manager role. User2 removes User1 as a member of System Manager
(handled by Node 2). App Server Node 2 updates its cached role membership.

App Server Node 1 is unaware of the change and its cache is not updated. User1 logs into Identity Manager (handled by Node 1)
and is found to be a member of System Manager, since Node 1 still holds the cached membership of the "System Manager" role.

The final step erroneously granted User1 the System Manager privilege, which is a security breach.
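To make the sequence above concrete, the following is an added simulation of the stale role-cache problem; it is not Identity Manager product code. The `Directory`, `MessageBus` and `AppServerNode` classes are constructed stand-ins for the user store, the JMS queue and the two application server nodes. Running the same steps in silo mode (no shared queue) and in clustered mode (cache invalidation published over the queue) shows why the product requires a real cluster.

```python
"""Stale role-membership cache across non-clustered nodes (added example).

Constructed stand-ins: Directory = authoritative user store,
MessageBus = JMS queue shared by clustered nodes,
AppServerNode = one Identity Manager application server with a local cache.
"""


class Directory:
    """Authoritative role-membership store (constructed stand-in)."""

    def __init__(self):
        self._members = {"System Manager": {"User1", "User2"}}

    def members(self, role):
        return set(self._members.get(role, set()))

    def remove_member(self, role, user):
        self._members[role].discard(user)


class MessageBus:
    """Constructed stand-in for the JMS queue: fan out invalidations to all nodes."""

    def __init__(self):
        self._subscribers = []

    def subscribe(self, node):
        self._subscribers.append(node)

    def publish(self, role):
        for node in self._subscribers:
            node.invalidate(role)


class AppServerNode:
    """One application server node with a per-node role-membership cache."""

    def __init__(self, name, directory, bus=None):
        self.name = name
        self.directory = directory
        self.bus = bus  # None in silo mode, shared MessageBus in cluster mode
        self.cache = {}
        if bus is not None:
            bus.subscribe(self)

    def is_member(self, user, role):
        # On a cache miss, load membership from the directory and keep it;
        # later checks on this node are answered from the cache.
        if role not in self.cache:
            self.cache[role] = self.directory.members(role)
        return user in self.cache[role]

    def remove_member(self, user, role):
        self.directory.remove_member(role, user)
        self.cache[role] = self.directory.members(role)  # this node's cache is refreshed
        if self.bus is not None:
            self.bus.publish(role)  # clustered: tell every other node to drop its copy

    def invalidate(self, role):
        self.cache.pop(role, None)


def run_scenario(clustered):
    """Replay the article's steps. Returns True if User1 was still granted
    System Manager after User2 removed them (the stale-cache breach)."""
    directory = Directory()
    bus = MessageBus() if clustered else None
    node1 = AppServerNode("Node 1", directory, bus)
    node2 = AppServerNode("Node 2", directory, bus)
    role = "System Manager"

    # Step 1: User1 logs in on Node 1; Node 1 caches the role membership.
    assert node1.is_member("User1", role)
    # Step 2: User2 logs in on Node 2 and removes User1 from the role there.
    assert node2.is_member("User2", role)
    node2.remove_member("User1", role)
    assert not node2.is_member("User1", role)
    # Step 3: User1 logs in again on Node 1. Silo: stale cache says yes.
    return node1.is_member("User1", role)


if __name__ == "__main__":
    print("silo, stale grant:", run_scenario(clustered=False))    # True
    print("cluster, stale grant:", run_scenario(clustered=True))   # False
```

In silo mode Node 1 never learns of the removal and keeps authorizing User1 from its cache; in cluster mode the invalidation published on the shared queue forces Node 1 to re-read the directory on the next check, so the removal takes effect on every node.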