ConnectionURL and FailoverServers on ra.xml


Article ID: 51614


Products

DIRECTORY, CA Identity Manager, CA Identity Governance, CA Identity Portal, CA Risk Analytics, CA Secure Cloud SaaS - Arcot A-OK (WebFort), CLOUDMINDER ADVANCED AUTHENTICATION, CA Secure Cloud SaaS - Advanced Authentication, CA Secure Cloud SaaS - Identity Management, CA Secure Cloud SaaS - Single Sign On, SINGLE SIGN ON - LEGACY, CA Data Protection (DataMinder), CA User Activity Reporting

Issue/Introduction

Description:

We understand the rules for configuring the SiteMinder connection from IM in the \IdentityMinder.ear\policyserver.rar\META-INF\ra.xml file, and understand how it is to be configured for SM clusters, etc. We want to know how the values for "ConnectionURL" and "FailoverServers" are used.

Specifically:

  1. Why there need to be two separate properties

  2. Why ConnectionURL can only use one SMPS server

  3. Why FailoverServers must have all SMPS servers in the same SMPS cookie domain

  4. Whether the order of the SMPS servers is important for the FailoverServers property

Solution:

  1. The two properties serve different purposes. ConnectionURL specifies the primary policy server that IDM must contact in order to establish a connection with SM, and by design it accepts only one IP address. FailoverServers is the list of servers to fail over to. When Failover is set to true, the ConnectionURL server is treated as the primary and the entire FailoverServers list is tried, in order, in failover fashion. When Failover is set to false, the entire FailoverServers list is used in load-balanced fashion. The two properties therefore distinguish the primary server, which is always contacted first, from the servers used for failover or load balancing.

  2. IDM must always know which policy server is the primary one to contact, and it will always try that server first.

  3. The SM servers have to be in the same cookie domain so that IDM can maintain its session with SM across transactions, including after a failover.

  4. Yes, in the sense that the list specifies the order in which you would like the policy servers to be contacted. When IDM needs to fail over, it tries the servers in that order. If the order does not matter in your scenario, you do not need to worry about the order in which you write the list.
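To make the behaviour described above concrete, the following added example (not from the CA article or the product) reads the three properties from a constructed ra.xml fragment in standard JCA config-property form and derives how the servers would be contacted. The property names ConnectionURL and FailoverServers come from the article; the boolean property name "Failover", the comma-separated value format and the host addresses are assumptions.

```python
"""Derive the policy-server contact plan from ra.xml config properties.

Added example; the property name "Failover", the comma-separated list
format and the addresses below are assumptions, not product facts.
"""
import xml.etree.ElementTree as ET

# Constructed ra.xml fragment (standard JCA config-property layout).
RA_XML = """<connector>
  <resourceadapter>
    <config-property>
      <config-property-name>ConnectionURL</config-property-name>
      <config-property-type>java.lang.String</config-property-type>
      <config-property-value>10.0.0.11</config-property-value>
    </config-property>
    <config-property>
      <config-property-name>FailoverServers</config-property-name>
      <config-property-type>java.lang.String</config-property-type>
      <config-property-value>10.0.0.12, 10.0.0.13</config-property-value>
    </config-property>
    <config-property>
      <config-property-name>Failover</config-property-name>
      <config-property-type>java.lang.Boolean</config-property-type>
      <config-property-value>true</config-property-value>
    </config-property>
  </resourceadapter>
</connector>"""


def read_config_properties(xml_text):
    """Return {property-name: property-value} for every config-property."""
    root = ET.fromstring(xml_text)
    props = {}
    for cp in root.iter("config-property"):
        name = (cp.findtext("config-property-name") or "").strip()
        props[name] = (cp.findtext("config-property-value") or "").strip()
    return props


def contact_plan(props):
    """Primary server plus how the FailoverServers list is used."""
    primary = props["ConnectionURL"]
    if "," in primary or " " in primary:
        # The article: ConnectionURL accepts exactly one policy server.
        raise ValueError("ConnectionURL must name a single policy server")
    pool = [s.strip() for s in props.get("FailoverServers", "").split(",") if s.strip()]
    # Failover=true: primary first, then the pool in the order written.
    # Failover=false: primary first, pool used in load-balanced fashion.
    mode = "failover" if props.get("Failover", "true").lower() == "true" else "loadbalance"
    return {"primary": primary, "mode": mode, "pool": pool}
```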

Environment

Release: CAPUEL99000-12.5-Identity Manager-Blended upgrade to Identity &-Access Mgmt Ente
Component: