Manual Active/Passive Cloud Bridge Agent


The purpose of this document is to guide you on how to deploy this cool-solution/tip/how-to to get your Cloud Bridge Agents (CBAs) working in a manual active/passive setup allowing a certain degree of availability.


       Figure 1: High-Level Architecture of an IAM SaaS tenant and CBAs.


  1.  Pre-requisites:

 IMPORTANT NOTE: CBA installs and upgrades must always be performed with the assigned IAM SaaS Technical Success Manager (TSM). 

  • Before you start, please have a complete snapshot of your running CBAs. 
  • If you need to install a new CBA, follow the documented pre-requisites to install new CBAs. Any new CBA requires the “awk” and “wget” packages before attempting to run the easy button installation script. In addition, any new CBA must adhere to the same access pre-requisites (See the CBA Access Pre-requisites Section 5 at the end of this document).


  1. Validation:


  • Validate the Active CBA is running the latest version of the image, currently 1.6.2:

            Run: docker ps or podman ps depending on the container technology you are   using, you should see something like this:


                                                 Figure 2: CBA running image version.


  • Validate full synchronization is working through your AAaaS repositories. 
  • (Optional) Test connections and collections are working through IGaaS. 


                      Figure 3: AAaaS External repository full synchronization.

  • (Optional) Go to your IGaaS tenant (if you are using IGaaS) in prod or stage; log in as a Customer Admin (or igadmin if you never set up IGaaS), configure an identity collector if this is not already configured and test the connection:


              Figure 4: Identity Collector test connection.  

  • (Optional) You can also test collections to ensure the CBA communicates correctly with both your IGaaS tenants. 


  1. Installing your Passive CBA: 


  • If you haven’t done it yet, create a second CBA, your passive CBA server using the same documented pre-requisites & Access pre-requisites in section 5 below. 
  • Before installing your Passive CBA, make sure your docker or podman bridge-agent container is down on your Active CBA.

Depending on the container technology, run: docker stop bridge-agent or podman stop bridge-agent on your Active CBA. See Section 4 How to start and stop a docker/podman container below. 

  • Install the second CBA (your Passive CBA). To accomplish this, you will need to log in to your AAaaS tenant in prod or stage, edit your existing external repository, go to the bottom of the screen, enter one hour (1) for the expiration time and generate the script. 
  • Making sure you are on your Passive CBA and positioned at /opt/netiq/docker-prd/ or /opt/netiq/docker-stg/ or /opt/netiq/podman-prd/ or /opt/netiq/podman-stg/ depending on your tenant and your container technology, run the scripted install. 
  • It will ask you to create a cbadmin password. Would you please try to retain your cbadmin password as you will need it later on? Please add this password for cbadmin into your credential vault as you will need it later. 
  • The installation script will ask you to enter the service account credentials you will use for your AAaaS authentication external repository. 
  • Then the script will run and finish with a message stating the credential has been successfully added to the database. 
  • If you are not in, log back into your AAaaS tenant in prod or stage depending on the environment you are working on, log in as admin and check your repositories in AAaaS are in full synchronization. You might need to run a full synchronization and possibly a force configuration as well.



                  Figure 5: Full Synchronization and Force Configuration. 

  • Once this is working, you will have to manually enter all the credentials you have on your Active CBA here in your Passive CBA except for your primary AAaaS repository credential. The easy button script entered it automatically. 
  • Open a browser, go to http://yourPassiveCBAipAddressorDNSname:8080; enter the Unique Id you have entered previously on your Active CBA, then enter your full dn for your service account (e.g. CN=svc-id-admin,CN=Users,DC=support,DC=test) & the password for this account. Then select the blue add credential button. You will need to enter the cbadmin and the password you created when running the easy button script while installing your Passive CBA. You will see a message under the blue button showing the credential was successfully added to the database.


                             Figure 6: CBA credentials handling tool. 

  • You have to repeat this process with all the credentials you originally entered on the Active CBA on this, your Passive CBA and test connectivity one by one after adding them. To test:  
    • (Optional if you have additional AAaaS external repositories) Log in to your AAaaS tenant and run a full synchronization from your repository. 
    • Similarly, you need to log into IGaaS and test your connection every time you successfully add a new credential for an IGaaS collector. 
    • Once your Passive CBA is in full synchronization with all your AAaaS repositories and your IGaaS collectors, you can run the optional additional steps below: 
    • (Optional) If you use CSVs and Libraries for your IGaaS implementation, you need to make sure these are updated on both Active & Passive CBAs.One way to achieve this is to automatically run a service to copy the same CSVs and Libraries on both CBAs(Active & Passive). 

An important consideration for this scenario: you will need both CBAs running to perform these steps; in any case, you have to make sure only one of the CBAs is running your bridge-agent container at a time; otherwise, it will cause a conflict, and it won’t work. 

  1. How to start and stop docker/podman container: 
  • Start your container (two ways to achieve it): 

     Run (docker): docker start bridge-agent           

     Run (podman): podman start bridge-agent


     Run (positioned on your agent folder): ./

  • Stop your container (two ways to achieve it):

            Run: (docker): docker stop bridge-agent 

   Run: (podman): podman stop bridge-agent 


  Run (positioned on your agent folder): ./ 

IMPORTANT NOTE: you have to make sure only one of the CBAs runs your bridge-agent container at a time.


  • Once your Passive CBA is down or not running the bridge-agent container, go back to your Active CBA and start your agent; run: docker start bridge-agent or podman start bridge-agent depending on the container technology you are using. 
  • Ensure both your AAaaS repositories are in full synchronization and your IGaaS collectors are testing successfully on their connection tests. This process can take a few minutes. 
  • Make a snapshot of your servers regularly. 


  1. CBA Access – Pre-requisites:


  • Access to the installer of either Ubuntu LTS 18.04 or later (preferred), SuSE Enterprise Linux Server 15.1 or later or RedHat Enterprise Linux Server 8.3.
  • Access to the relevant repositories to upgrade/install OS, docker or podman.
  • Access to outbound TCP port 9092 allows outbound TLS communication from the on-premise cloud bridge agents (CBAs) to the Cloud Bridge API in our AWS cloud (* Important Note: you will need to use DNS filtering as we will not be able to give you specific hosts here.
  • Access from your on-premises cloud bridge agents (CBAs) to the on-premises authentication directory or directories for AAaaS & applications you expect to collect data as part of the IGaaS collection processes if this is your requirement.
  • Your IGaaS Customer Administrators will need internal access to the CBAs using a browser on port: 8080
  • Access to AWS S3 to download the bridge package. 

IMPORTANT NOTE: Get in touch with the CoE or IAM SaaS TSM if you have problems with your CBAs.




How To-Best Practice
Support Tip
Comment List
Related Discussions