SiteMinder with CA Directory as policy store and key store high availability

Article ID: 21215

Products

CA Single Sign On Secure Proxy Server (SiteMinder) CA Single Sign On SOA Security Manager (SiteMinder) CA Single Sign-On

Issue/Introduction

This document describes a simple setup that meets the requirement for high availability (failover) of the SiteMinder policy store and key store, using CA Directory replication.

Replication is the mechanism used to keep multiple copies of directory data synchronized and available to all LDAP applications.

Environment

CA SiteMinder, all versions up to the current one (12.8.8)

Resolution

CA Directory has the following replication schemes available:

  • Multiwrite-DISP-Recovery (preferred, although not recommended for SiteMinder Session Store DSAs)
  • Multiwrite
  • DISP

Replication can be configured in one of two ways: through the configuration files, or through DXManager (not covered in this document). With configuration files:

  • Peer DSAs carry the multi-write flag ('dsa-flags = multi-write').
  • Each DSA has knowledge of the others (every member sources the other members' .dxc knowledge files).

Instructions:

Follow the steps below to create the CA Directory DSAs for the Policy Store and Session Store on each server in the replication agreement. Assuming that:

  • ServerA uses a DSA named 'ServerA_smpolicystore' as the Policy Store datastore.
  • ServerB uses a DSA named 'ServerB_smpolicystore' as the Policy Store datastore.

the procedure is as follows.

On ServerA:

  1. From ServerB, copy <DXHOME>\config\knowledge\ServerB_smpolicystore.dxc into the same folder on ServerA.
  2. Edit both .DXC files under the <DXHOME>\config\knowledge folder to ADD the 'dsa-flags' parameter directly under the 'auth-levels' parameter, e.g.

    auth-levels = anonymous, clear-password
    dsa-flags = multi-write
     
  3. Create a knowledge group file (e.g. smpolicystore.dxg) under the <DXHOME>\config\knowledge folder and source both .dxc configuration files in it, e.g.

    source "ServerA_smpolicystore.dxc";
    source "ServerB_smpolicystore.dxc";
     
  4. Edit the '# knowledge' reference in <DXHOME>\config\servers\ServerA_smpolicystore.dxi, changing 'ServerA_smpolicystore.dxc' to 'smpolicystore.dxg'.
  5. In the same <DXHOME>\config\servers\ServerA_smpolicystore.dxi file, set the following line to 'true' to enable MW-DISP recovery replication.

    set multi-write-disp-recovery = true;

    By default (when a DSA gets created), this is set to 'false'.

On ServerB:

  1. From ServerA, copy <DXHOME>\config\knowledge\ServerA_smpolicystore.dxc and 'smpolicystore.dxg' into the same folder on ServerB.
  2. Add the same 'dsa-flags' parameter (as in step 2 above) to ServerB_smpolicystore.dxc.
  3. Reverse the 'source' order in the .DXG file. Common practice is to list the local DSA(s) at the top, e.g.

    source "ServerB_smpolicystore.dxc";
    source "ServerA_smpolicystore.dxc";
     
  4. Edit the '# knowledge' reference in <DXHOME>\config\servers\ServerB_smpolicystore.dxi, changing 'ServerB_smpolicystore.dxc' to 'smpolicystore.dxg'.
  5. In the same <DXHOME>\config\servers\ServerB_smpolicystore.dxi file, set the following line to 'true' to enable MW-DISP recovery replication.

    set multi-write-disp-recovery = true;

    By default (when a DSA gets created), this is set to 'false'.
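
The following script is an added example for this technote (not CA Directory tooling) that applies steps 2 to 5 of the procedure above to file contents held in memory: it adds 'dsa-flags = multi-write' under 'auth-levels' in each .dxc, builds the .dxg knowledge group with the local DSA listed first, rewrites the '# knowledge' source in the .dxi to point at the .dxg, and forces 'multi-write-disp-recovery' to true. The sample .dxc and .dxi texts inside it are constructed for illustration and are not from the article; the 'prefix', 'dsa-name', 'address' and 'dsa-password' values are placeholders.

```python
"""Prepare one member of a CA Directory multi-write replication pair.

Added example for this technote, not CA's own tooling. It automates steps 2-5
on in-memory file contents: add 'dsa-flags = multi-write' below 'auth-levels'
in each .dxc, build the .dxg knowledge group (local DSA first), and point the
.dxi '# knowledge' source at the .dxg while enabling MW-DISP recovery.
The sample .dxc/.dxi texts below are constructed and not from the article.
"""
import re


def add_multiwrite_flag(dxc_text: str) -> str:
    """Insert 'dsa-flags = multi-write' right after the 'auth-levels' line.

    Idempotent: a .dxc that already carries a dsa-flags line is returned as-is.
    """
    if re.search(r"^\s*dsa-flags\s*=", dxc_text, re.M):
        return dxc_text
    out, inserted = [], False
    for line in dxc_text.splitlines(keepends=True):
        out.append(line if line.endswith("\n") else line + "\n")
        if not inserted and re.match(r"^\s*auth-levels\s*=", line):
            indent = re.match(r"^\s*", line).group(0)
            out.append(f"{indent}dsa-flags = multi-write\n")
            inserted = True
    if not inserted:
        raise ValueError("no auth-levels line found; cannot place dsa-flags")
    return "".join(out)


def knowledge_group(local_dsa: str, peer_dsas: list[str]) -> str:
    """Build the .dxg that sources every member's .dxc, local DSA listed first."""
    names = [local_dsa] + [p for p in peer_dsas if p != local_dsa]
    return "".join(f'source "{n}.dxc";\n' for n in names)


def point_dxi_at_group(dxi_text: str, local_dsa: str, group_file: str) -> str:
    """Replace the '<local_dsa>.dxc' knowledge source with the .dxg (keeping any
    path prefix such as ../knowledge/) and force multi-write-disp-recovery on."""
    src = re.compile(rf'(source\s+")((?:[^"]*/)?){re.escape(local_dsa)}\.dxc("\s*;)')
    text, n = src.subn(lambda m: f"{m.group(1)}{m.group(2)}{group_file}{m.group(3)}",
                       dxi_text)
    if n != 1:
        raise ValueError(f"expected one knowledge source for {local_dsa}, found {n}")
    text, m = re.subn(r"set\s+multi-write-disp-recovery\s*=\s*\w+\s*;",
                      "set multi-write-disp-recovery = true;", text)
    if m == 0:  # a newly created DSA has it set to false; append only if missing
        text = text.rstrip("\n") + "\nset multi-write-disp-recovery = true;\n"
    return text


def prepare_member(local_dsa, peer_dsas, dxc_files, dxi_text,
                   group_file="smpolicystore.dxg"):
    """Return the edited file set for one server as {'dxc': {...}, 'dxg': str, 'dxi': str}."""
    return {
        "dxc": {name: add_multiwrite_flag(txt) for name, txt in dxc_files.items()},
        "dxg": knowledge_group(local_dsa, peer_dsas),
        "dxi": point_dxi_at_group(dxi_text, local_dsa, group_file),
    }


# Constructed sample inputs (not from the article); the real files live under
# <DXHOME>\config\knowledge and <DXHOME>\config\servers.
SAMPLE_DXC_A = """set dsa ServerA_smpolicystore =
{
    prefix        = <o "smpolicystore">
    dsa-name      = <cn ServerA_smpolicystore>
    dsa-password  = "CHANGE_ME"
    address       = tcp "servera.example.test" port 2389
    auth-levels   = anonymous, clear-password
};
"""
SAMPLE_DXC_B = SAMPLE_DXC_A.replace("ServerA", "ServerB").replace("servera", "serverb")
SAMPLE_DXI_A = """# knowledge
source "../knowledge/ServerA_smpolicystore.dxc";

# multi-write DISP recovery
set multi-write-disp-recovery = false;
"""

if __name__ == "__main__":
    files = {"ServerA_smpolicystore": SAMPLE_DXC_A, "ServerB_smpolicystore": SAMPLE_DXC_B}
    for local, peer in (("ServerA_smpolicystore", "ServerB_smpolicystore"),
                        ("ServerB_smpolicystore", "ServerA_smpolicystore")):
        dxi = SAMPLE_DXI_A.replace("ServerA_smpolicystore", local)
        result = prepare_member(local, [peer], files, dxi)
        print(f"--- {local}: smpolicystore.dxg ---\n{result['dxg']}")
        print(f"--- {local}.dxi ---\n{result['dxi']}")
```

Run it once per server, passing that server's DSA name as local_dsa; the .dxg it emits for ServerB is the reversed copy of ServerA's, which is what step 3 on ServerB asks for. Write the results back to the real files only after checking the diff, and restart the DSAs on both servers afterwards as the note below says.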

Now would be a good time to restart the DSAs on BOTH servers. Once done, test your multi-write replication setup to confirm it is working; see the example below.

Example:

  1. Using JXplorer LDAP browser connect to 'ServerA_smpolicystore' DSA.
  2. Create a test entry (or modify an existing entry).
  3. Disconnect from JXplorer and connect to the 'ServerB_smpolicystore' DSA.
  4. Check to confirm the change made on 'ServerA_smpolicystore' DSA is visible over here.
  5. While still connected to 'ServerB_smpolicystore' DSA, revert the change and disconnect.
  6. Re-connect to 'ServerA_smpolicystore' DSA and confirm the change got replicated.

Configure Failover from SMCONSOLE

Access SMCONSOLE.
On the Data tab, enter the LDAP server IP addresses and port numbers in the LDAP Server field as a space-delimited list of LDAP server addresses.

You can specify a unique port for each server. If your LDAP servers are running on a non-standard port (the defaults are 389 for non-SSL and 636 for SSL), append the port number to the last server IP address using ':' as the delimiter. For example, if your servers are running on ports <Port_ServerA> and <Port_ServerB>, you can enter the following:

<IP_Address_ServerA>:<Port_ServerA> <IP_Address_ServerB>:<Port_ServerB>

For this technote's example, the SMCONSOLE Data tab configuration is as follows (NOTE: no port was added, so the default LDAP port of 389 is used):

LDAP IP Address:
ServerA ServerB
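
The script below is an added example (not SiteMinder code) showing how the LDAP Server field described above is parsed: a space-delimited list in failover order, each entry optionally carrying ':port', with 389 (non-SSL) or 636 (SSL) applied when no port is given, exactly as the 'ServerA ServerB' configuration relies on. It goes slightly beyond the text by accepting a port on every entry, which is the form of the '<IP>:<Port> <IP>:<Port>' example above. The warning heuristics in failover_warnings (duplicate hosts, a single server, mixed explicit and default ports) and the sample field values are this example's own.

```python
"""Parse the SMCONSOLE Data tab 'LDAP Server' field: a space-delimited list of
LDAP servers, each optionally suffixed with ':port'.

Added example, not SiteMinder's own parser. Port defaulting (389 non-SSL,
636 SSL) follows the technote; the failover_warnings heuristics are this
example's own. IPv6 literals are out of scope here.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class LdapServer:
    host: str
    port: int
    explicit_port: bool  # True when ':port' was written in the field


def parse_ldap_servers(field: str, ssl: bool = False) -> list[LdapServer]:
    """Split the field into servers in failover order (first entry is primary)."""
    default_port = 636 if ssl else 389
    servers = []
    for token in field.split():
        host, sep, port_text = token.rpartition(":")
        if sep == "":                       # no ':' -> default port applies
            servers.append(LdapServer(token, default_port, False))
            continue
        if not host:
            raise ValueError(f"missing host in {token!r}")
        if not port_text.isdigit() or not 1 <= int(port_text) <= 65535:
            raise ValueError(f"invalid port in {token!r}")
        servers.append(LdapServer(host, int(port_text), True))
    if not servers:
        raise ValueError("LDAP Server field is empty")
    return servers


def format_field(servers: list[LdapServer]) -> str:
    """Render servers back into the space-delimited form SMCONSOLE expects."""
    return " ".join(f"{s.host}:{s.port}" if s.explicit_port else s.host
                    for s in servers)


def failover_warnings(servers: list[LdapServer]) -> list[str]:
    """Heuristic checks on a replica list (this example's own, not SiteMinder's).

    A host listed twice is no failover target for itself, a single host gives
    no failover at all, and a mix of explicit and default ports usually means
    one replica's non-standard port was forgotten.
    """
    warnings = []
    hosts = [s.host for s in servers]
    for h in sorted({h for h in hosts if hosts.count(h) > 1}):
        warnings.append(f"host {h} listed more than once; it is not a failover target for itself")
    if len(servers) == 1:
        warnings.append("only one server: no failover")
    explicit = [s.explicit_port for s in servers]
    if any(explicit) and not all(explicit):
        warnings.append("some entries have an explicit port and some use the default; "
                        "confirm every replica's port")
    return warnings


if __name__ == "__main__":
    # Constructed sample field values, not from the technote.
    for text, ssl in (("ServerA ServerB", False),
                      ("10.0.0.11:2389 10.0.0.12:2389", True),
                      ("10.0.0.11:2389 10.0.0.12", False)):
        servers = parse_ldap_servers(text, ssl=ssl)
        print(text, "->", [(s.host, s.port) for s in servers], failover_warnings(servers))
```

Used as a pre-check before pasting a value into SMCONSOLE, it catches the two mistakes that silently break failover: a replica listed on the wrong port, and a list that only names one replica.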