One Way Failover

Failover is the ability to ensure uninterrupted data flow and operability even when the data becomes unavailable.

You can configure eTrust IAM Toolkit to support two types of failover scenarios:

• Data store failover
  
  
• Server failover

Note: In this scenario, we assume the host names are Server1 and Server2. Updates made from Server1 will be propagating to Server2 whereas vice-versa will not be allowed.

Data Store Failover

The eTrust IAM Toolkit Server uses eTrust Directory as its data store. The directory provides built-in support for failover and recovery.

How You Configure eTrust Directory Server

To configure eTrust Directory to support multi-write, with Server1 as the preferred master:

1. Install eTrust IAM Toolkit Server on the server hosts (Server1 and Server2) and ensure their system time is synchronized. This is accomplished as part of the UWCC component install.
   
   
2. Configure Knowledge Files
   
   
3. Enable Failover

Configure the Knowledge Files
The knowledge files provide reference to servers for data store failover configuration. You must configure the following knowledge files:

• Data knowledge file (iTechPoz-Server1.dxc, iTechPoz-Server2.dxc) to add the host name
  
  
• Router knowledge file (iTechPoz-Server1-Router.dxc, iTechPoz-Server2-Router.dxc) to add the host information in the router
  
  
• Group knowledge file (iTechPoz.dxg) to achieve group knowledge that all (Directory System Agent) DSAs in the domain can access

To configure knowledge files

1. Open the knowledge directory
   
   Windows: use the Run command in start menu and enter %DXHOME%\config\knowledge
   
   Linux and UNIX: ~dsa/config/knowledge
   
   
2. Edit the Server1 router knowledge file (iTechPoz-Server1-Router.dxc) as follows:
   
   Modify the following entry:

   dsa-name  = <cn iTechPozRouter><cn PozDsa>

   To read:

   dsa-name  = <cn iTechPozRouter><cn PozDsaServer1>

3. Edit the Server2 router knowledge file (iTechPoz-Server2-Router.dxc) as follows:
   
   Modify the following entry:

   dsa-name  = <cn iTechPozRouter><cn PozDsa>

   To read:

   dsa-name  = <cn iTechPozRouter><cn PozDsaServer2>

4. Edit the Server1 knowledge file (iTechPoz-Server1.dxc) and set the following preferences:
   
   Modify the following entries:

   tcp  localhost port 509dsa-name  = <cn iTechPoz><cn PozDsa>

   To read:

   tcp  "Server1" port 509, tcp localhost port 509dsa-name  = <cn iTechPoz><cn PozDsaServer1>

   Add the following entry after the auth-levels line and before the link-flags line.

   dsa-flags  = multi-write

   
   
5. Edit the Server2 knowledge file (iTechPoz-Server2.dxc) and set the following preferences:
   
   Modify the following entries:
   
   tcp localhost port 509
   dsa-name = <cn iTechPoz><cn PozDsa>
   
   To read:
   
   tcp "Server2" port 509, tcp localhost port 509
   dsa-name = <cn iTechPoz><cn PozDsaServer2>
   
   Add the following entry after the auth-levels line and before the link-flags line.
   
   dsa-flags = multi-write, shadow
   
   Note: If the knowledge files do not exist on Server2, you must create them by copying from the config/Knowledge folder of Server1.
   
   
6. Edit the group knowledge file (iTechPoz.dxg) and set the preferences to the new data and router knowledge files on Server1 and Server2.
   
   Example:
   

   # iTechPoz - iTechnology rePOZitory # Source the knowledge files of the iTechPozRouter and iTechPoz DSAs. source "iTechPoz-Server1-Router.dxc";source "iTechPoz-Server2-Router.dxc";source "iTechPoz-Server1.dxc";source "iTechPoz-Server2.dxc";

Enable One Way Failover
You must enable failover to successfully configure the data store failover.
To enable failover

1. Copy the following knowledge files from Server1 to knowledge directory of Server2:

   iTechPoz-Server1-Router.dxc iTechPoz-Server2-Rotuer.dxc iTechPoz-Server1.dxc iTechPoz-Server2.dxc iTechPoz.dxg

2. Edit the Server1 knowledge file (iTechPoz-Server2.dxc) on the Server2 and modify the following preferences:
   
   Modify the following entries:

   dsa-flags =  multi-write

   To read:

   dsa-flags =  multi-write, read-only

   Note: This makes sure that changes from the Server2 don?t get propagated to Server1
   
   After modification the ItechPoz files would look like the following:
   
   

   ON SERVER1

   iTechPoz-SERVER1.dxc

   # iTechPoz - iTechnology rePOZitory # set dsa "iTechPoz-SERVER1" = { prefix = <cn iTechPoz> dsa-name = <cn iTechPoz><cn PozDsaSERVER1> dsa-password = "4season5" address = tcp "SERVER1" port 509, tcp localhost port 509 snmp-port = 509 console-port = 10510 ssld-port = 21847 auth-levels = anonymous dsa-flags = multi-write link-flags = ssl-encryption };

   iTechPoz-SERVER2.dxc

   # # iTechPoz - iTechnology rePOZitory # set dsa "iTechPoz-SERVER2" = { prefix = <cn iTechPoz> dsa-name = <cn iTechPoz><cn PozDsa SERVER2> dsa-password = "4season5" address = tcp " SERVER2" port 509, tcp localhost port 509 snmp-port = 509 console-port = 10510 ssld-port = 21847 auth-levels = anonymous dsa-flags = multi-write, shadow link-flags = ssl-encryption };

   
   

   ON SERVER1

   iTechPoz-SERVER1.Router.dxc

   # # iTechPozRouter - iTechnology rePOZitory # set dsa "iTechPoz- SERVER1-Router" = { prefix = <cn iTechPozRouter> dsa-name = <cn iTechPozRouter><cn PozDsa SERVER1> dsa-password = "4season5" address = tcp localhost port 1684 snmp-port = 1684 console-port = 11684 ssld-port = 21847 auth-levels = anonymous link-flags = ssl-encryption };

   iTechPoz-SERVER2.Router.dxc

   # # iTechPozRouter - iTechnology rePOZitory # set dsa "iTechPoz- SERVER2-Router" = { prefix = <cn iTechPozRouter> dsa-name = <cn iTechPozRouter><cn PozDsa SERVER2> dsa-password = "4season5" address = tcp localhost port 1684 snmp-port = 1684 console-port = 11684 ssld-port = 21847 auth-levels = anonymous link-flags = ssl-encryption };

   iTechPoz.dxg

   # # iTechPoz - iTechnology rePOZitory # # # Source the knowledge file of the iTechPozRouter and iTechPoz DSAs. # source "iTechPoz- SERVER1.dxc"; source "iTechPoz- SERVER1-Router.dxc"; source "iTechPoz- SERVER2.dxc"; source "iTechPoz- SERVER2-Router.dxc";

   
   

   ON SERVER2

   iTechPoz.SERVER1.dxc

   # # iTechPoz - iTechnology rePOZitory # set dsa "iTechPoz- SERVER1" = { prefix = <cn iTechPoz> dsa-name = <cn iTechPoz><cn PozDsa SERVER1> dsa-password = "4season5" address = tcp " SERVER1" port 509, tcp localhost port 509 snmp-port = 509 console-port = 10510 ssld-port = 21847 auth-levels = anonymous dsa-flags = multi-write, read-only link-flags = ssl-encryption };

   iTechPoz.SERVER2.dxc

   # # iTechPoz - iTechnology rePOZitory # set dsa "iTechPoz- SERVER2" = { prefix = <cn iTechPoz> dsa-name = <cn iTechPoz><cn PozDsa SERVER2> dsa-password = "4season5" address = tcp " SERVER2" port 509, tcp localhost port 509 snmp-port = 509 console-port = 10510 ssld-port = 21847 auth-levels = anonymous dsa-flags = multi-write, shadow link-flags = ssl-encryption };

   
   

   ON SERVER2

   iTechPoz-SERVER1-Router.dxc

   # # iTechPozRouter - iTechnology rePOZitory # set dsa "iTechPoz- SERVER1-Router" = { prefix = <cn iTechPozRouter> dsa-name = <cn iTechPozRouter><cn PozDsa SERVER1> dsa-password = "4season5" address = tcp localhost port 1684 snmp-port = 1684 console-port = 11684 ssld-port = 21847 auth-levels = anonymous link-flags = ssl-encryption };

   iTechPoz-SERVER2-Router.dxc

   # # iTechPozRouter - iTechnology rePOZitory # set dsa "iTechPoz- SERVER2-Router" = { prefix = <cn iTechPozRouter> dsa-name = <cn iTechPozRouter><cn PozDsa SERVER2> dsa-password = "4season5" address = tcp localhost port 1684 snmp-port = 1684 console-port = 11684 ssld-port = 21847 auth-levels = anonymous link-flags = ssl-encryption };

   iTechPoz.dxg

   # # iTechPoz - iTechnology rePOZitory # # # Source the knowledge file of the iTechPozRouter and iTechPoz DSAs. # source "iTechPoz- SERVER2.dxc"; source "iTechPoz- SERVER2-Router.dxc"; source "iTechPoz- SERVER1.dxc"; source "iTechPoz- SERVER1-Router.dxc";

   
   
3. Copy the certificate files of Server1 to Server2 and from Server2 to Server1 as follows:
   
   Note: Certificate files are found in the %DXHOME%\config\ssld\personalities directory
   
   Copy the files itechpoz-server1.pem and itechpoz-server1-router.pem from Server1 to Server2
   
   Copy the files itechpoz-server2.pem and itechpoz-server2-router.pem from Server2 to Server1
   
   
4. Create a new iTechPoz-trusted.pem file by concatenating the contents of iTechPoz-trusted.pem of Server1 and iTechPoz-trusted.pem of Server2.
   
   Note: iTechPoz-trusted.pem file can be found in %DXHOME%\config\ssld directory.
   
   
5. Copy the new iTechPoz-trusted.pem to both Server1 and Server2 to overwrite the existing files.
   
   
6. Enter the following commands to get status, stop and start all services:
   
   Windows

   dxserver stop all ssld stop dxserver start all ssld startdxserver statusssld status

   Linux and UNIX

   su - dsa -c "dxserver stop all" su - dsa -c "ssld stop" su - dsa -c "dxserver start all" su - dsa -c "ssld start"

7. On the primary server get database name using the command "dxlistdb", which will output the database name. If it doesn?t list any database you can use mdb as the database. This is because of the security features of Ingres, because eTrust Directory didn?t install the database mdb.
   
   
8. Now dump the database content into a file using the command

   dxdumpdb -p "cn=iTechPoz" -S iTechPoz-<hostname> databasename >  dumpfilename

9. Sort the dump file contents using the command

   ldifsort dumpfilename <sorted  filename>

   Which creates the a file name <sorted filename>
   
   
10. Start the services on the primary machine
    Check the dxserver build version
    dxserver version
    
    If dxserver build version less than 1000, do an upgrade using EIAM installer to the latest build on BOTH the machines

    Location: https://ftp.broadcom.com/user/downloads/pub/iTech/eiam8.1/buildJan1119/ eIAMServerMDB_8.1_070111_win32.exe

11. Check whether all services are started after upgrade if not start those
    
    
12. After upgrade stop all dxserver services on the primary machine
    
    
13. Copy the sorted file to the secondary machine and then load the contents in the secondary machine using the command

    dxloaddb -p "cn=iTechPoz" -S iTechPoz-<hostname> <sorted  filename> <database name>

    <hostname> is the name of the host onto which you are loading the ldif file. <database name> check step 4.
    
    Note: dxserver services should be stopped before hand
    
    
14. Start the eTrust Directory DSAs using the command, on both the servers

1. Enter the URL https://server1:5250/spin.
   
   
2. Select iTech Administrator.
   
   
3. Log in as root or administrator by selecting Host or as eiamadmin by selecting iAuthority.
   
   
4. Click the Configure tab, add Server2 as Hostname in the Trusted iAuthority Hosts pane and click Trust. An entry in added in iControl.conf file and Server1 starts trusting sessions from Server2.
   
   
5. Click the iAuthority tab, enter Label as Server2, browse to the location of PEM Certificate file in the Add Trusted Root pane and click Add Trusted Root.

Note: The PEM certificate file (rootcert.pem) is located in the iTechnology directory of Server2.

An entry is added in iAuthority.conf and Server1 starts trusting certificates from Server2.

You must also configure Server2 to trust the sessions and certificates of Server1.
To configure server2 for failover

1. Enter the URL https://server2:5250/spin.
   
   
2. Select iTech Administrator.
   
   
3. Log in as root or administrator by selecting Host or as eiamadmin by selecting iAuthority.
   
   
4. Click the Configure tab, add Server1 as Hostname in the Trusted iAuthority Hosts pane and click Trust. An entry is added in iControl.conf file and Server2 starts trusting sessions from Server1.
   
   
5. Click the iAuthority tab, enter Label as Server1, browse to the location of PEM Certificate file in the Add Trusted Root pane and click Add Trusted Root.
   Note: The PEM certificate file (rootcert.pem) is located in the iTechnology directory of Server1. An entry is added in iAuthority.conf and Server2 starts trusting certificates from Server1.

Configure eTrust IAM Toolkit Files
You must configure eTrust IAM Toolkit Server1 to receive the list of available servers to fall back on, which are replicated versions.
To configure eTrust IAM Toolkit Server1

1. Open the iTechnology directory of Server1.
   
   Windows: %IGW_LOC%
   
   Linux and UNIX: /opt/CA/SharedComponents/iTechnology (Default)
   
   
2. Open the iPoz.conf file and add the following tag:

   <BackboneMember>Server2</BackboneMember>

3. Stop and start iGateway.
   
   Windows

   net stop igateway net start igateway

   Linux and UNIX

   /opt/CA/SharedComponents/iTechnology/S99igateway stop /opt/CA/SharedComponents/iTechnology/S99igateway start

You must also configure eTrust IAM Toolkit Server2 to receive the list of available servers to fall back on, which are replicated versions.
To configure eTrust IAM Toolkit Server2

1. Open the iTechnology directory of Server2.
   
   Windows: %IGW_LOC%
   
   Linux and UNIX: /opt/CA/SharedComponents/iTechnology (Default)
   
   
2. Open the iPoz.conf file and add the following tag:

   <BackboneMember>Server1</BackboneMember>

3. Stop and start iGateway.
   
   Windows

   net stop igateway net start igateway

   Linux and UNIX

   /opt/CA/SharedComponents/iTechnology/S99igateway stop /opt/CA/SharedComponents/iTechnology/S99igateway start