How to get SiteMinder web agent to fail over between Policy Servers?


Article ID: 51035







Use the SmHost.conf file for initial failover at bootstrap time. Use the Host Configuration Object for on-going agent failover.


A web agent is deployed into a web server and runs as part of that web server. To establish an initial connection to any Policy Server, the agent needs a local mechanism that tells it which Policy Server to contact. Once it is connected to any Policy Server, trust is established between the web agent and the SiteMinder Policy Server, and a more trusted, centrally managed mechanism takes over to maintain the connection from that point onwards.

The agent's bootstrap mechanism is a local file, SmHost.conf, located in the \CA\WebAgent\Config folder. This file tells the web agent which SiteMinder Policy Server to connect to. Once the agent is connected and trusted, a Host Configuration Object handles the connection between the agent and the SiteMinder Policy Server going forward.

We can think of failover in two ways:

FailOver at bootstrap time: the agent is starting, is not yet connected to any Policy Server, and cannot reach its primary Policy Server. A mechanism is needed to allow failover at this point.

FailOver on an on-going basis: the agent is already connected to a SiteMinder Policy Server and needs a failover mechanism so that its protected applications see no interruption when that Policy Server becomes unavailable.

BootStrap Time:

As noted, the SmHost.conf file controls the agent's initial Policy Server connection. Use the 'Policy Server' parameter to specify a semicolon-separated list of Policy Servers, each entry giving the host name followed by its accounting (44441), authentication (44442) and authorization (44443) ports. The first entry is the primary and is tried first. If that attempt fails, the agent tries each of the remaining Policy Servers in the order they appear in the list. For example: Policy Server = "PS1,44441,44442,44443;PS2,44441,44442,44443;PS3,44441,44442,44443".

In this example the web agent connects to PS1 first. If that fails, it tries PS2, then PS3.

On-Going Time:

Once a connection is established, a Host Configuration Object is retrieved from the policy store and continues to serve the trusted agent's requests. The Host Configuration Object provides on-going failover for the web agent. You should:

Edit the EnableFailOver parameter and set it to 'YES'. With failover disabled, a list of several Policy Servers is used for round-robin load balancing rather than failover, so this setting must be YES for the ordered behaviour described below.

Edit the Policy Server parameter and set it to a semicolon-separated list of Policy Servers (for example: PS1,44441,44442,44443;PS2,44441,44442,44443;PS3,44441,44442,44443). When the current Policy Server is detected as unavailable, the next one in the list is used to maintain the agent's active connection.
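The following is an added example, not code from the CA article or from the SiteMinder product. It covers both the bootstrap list in SmHost.conf and the Host Configuration Object settings above: it parses a 'Policy Server' list in the host,acct,auth,az format the article shows, walks the list in order to find the first reachable server (the bootstrap behaviour), and checks an HCO-style configuration for the two mistakes that silently defeat failover (a single server, or EnableFailOver left off YES). The sample configuration text is constructed for the example, the probe callback stands in for the agent's real connection attempt, and the function names are the example's own, not SiteMinder APIs.

```python
"""Added example: parse and sanity-check a SiteMinder-style Policy Server
failover list. Not part of the CA article; function names are hypothetical."""
from dataclasses import dataclass
from typing import Callable, List, Optional

# Constructed sample, modeled on the article's SmHost.conf example.
# Assumes a key=value file with the value in double quotes.
SAMPLE_SMHOST_CONF = """\
# constructed sample, not a real SmHost.conf
hostname="webagent01"
policyserver="PS1,44441,44442,44443;PS2,44441,44442,44443;PS3,44441,44442,44443"
"""


@dataclass(frozen=True)
class PolicyServer:
    host: str
    accounting_port: int      # 44441 in the article's example
    authentication_port: int  # 44442
    authorization_port: int   # 44443


def parse_policy_servers(text: str) -> List[PolicyServer]:
    """Extract the ordered Policy Server list from config text.

    Entries are separated by semicolons and each is host,acct,auth,az,
    as in the article. Order is preserved because it is the failover order.
    """
    servers: List[PolicyServer] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep or key.strip().lower() != "policyserver":
            continue
        for entry in value.strip().strip('"').split(";"):
            entry = entry.strip()
            if not entry:
                continue
            parts = [p.strip() for p in entry.split(",")]
            if len(parts) != 4:
                raise ValueError(f"malformed policyserver entry: {entry!r}")
            host, acct, auth, az = parts
            servers.append(PolicyServer(host, int(acct), int(auth), int(az)))
    if not servers:
        raise ValueError("no policyserver entries found")
    return servers


def select_policy_server(
    servers: List[PolicyServer],
    probe: Callable[[PolicyServer], bool],
) -> Optional[PolicyServer]:
    """Bootstrap behaviour: try the primary first, then each remaining
    server in list order; return the first one the probe can reach, or
    None if every server is down."""
    for ps in servers:
        if probe(ps):
            return ps
    return None


def check_failover_config(servers: List[PolicyServer], enable_failover: str) -> List[str]:
    """Findings for an HCO-style setup. Both conditions leave the agent
    with no ordered failover even though the config looks complete."""
    findings: List[str] = []
    if len(servers) < 2:
        findings.append("only one Policy Server listed: no failover target")
    if enable_failover.strip().upper() != "YES":
        findings.append("EnableFailOver is not YES: list is load balanced, not failed over")
    return findings


if __name__ == "__main__":
    servers = parse_policy_servers(SAMPLE_SMHOST_CONF)
    # Simulate PS1 being down at bootstrap: the agent should land on PS2.
    chosen = select_policy_server(servers, lambda ps: ps.host != "PS1")
    print("bootstrap selected:", chosen.host if chosen else None)
    for finding in check_failover_config(servers, "NO"):
        print("finding:", finding)
```

To use it against a real agent host, read the actual SmHost.conf into parse_policy_servers and replace the lambda with a TCP connect to the authentication port; the ordering logic and the configuration checks stay the same.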


Component: IDMGR