This website uses cookies. By continuing to browse or login to this website, you consent to the use of cookies. Learn more.
OK
Esilva
Micro Focus Expert
Micro Focus Expert
‎2020-12-04 16:28
345 views

Connecting Identity Apps to Multiple eDirectory Servers

It is supported to configure Identity Applications (4.8.2) to authenticate with Identity Vault replica ring (eDir 9.2.2) through a load balancer (F5).

If the above is not possible, what options are there to be able to have a connection to more than one eDir server and in case of a crash of the first eDir server, Identity Apps will automatically connect to another eDir?

0 Likes
Reply
Report Inappropriate Content
3 Replies
rivey
Vice Admiral
Vice Admiral
‎2020-12-04 16:41

The way it was explained to me is that Identity Applications performs many sequential write/reads, which makes load balancing problemmatic, as the read that follows a write could potentially occur before the write has been replicated to other eDirectory nodes.

When you say that it is supported to use a load balancer, I believe you must be using it in failover configuration.  This means it isn't utilizing both nodes, but simply flipping to the other node in the event of a failure on the first node.

Because of some new security features in java, the LDAPS cert must match the hostname provided, which makes it difficult to repoint a running node, since the tomcat process will cache the DNS response and/or the host file entry and it'll only refresh that after restarting the server (to my knowledge).  I believe you'll need to change your ism-configuration.properties file in order to point to a new node, unless it is pointed at a load balancer where failover can occur.

Robert Ivey
GCA Technology Services
https://www.gca.net
0 Likes
Reply
Report Inappropriate Content
geoffc
Knowledge Partner Knowledge Partner
Knowledge Partner
‎2020-12-04 17:08

Generally, if your Load balancer has sticky sessions, so that one client stays on the same node until a failover event, that helps a lot.

 

As for Rob's reasonable issue with Certs and DNS names, you probably need a common cert for all LDAPS ops, and a DNS name for the load balanced IP. 

Nothing super rhard to do. But needs to be just right.

Reply
Report Inappropriate Content
klasen
Micro Focus Expert
Micro Focus Expert
‎2020-12-07 10:42

To avoid issues from replication, you also need to point Identity Apps at the eDirectory node where the Role and Resource Service driver is running:

https://www.netiq.com/documentation/identity-manager-48/setup_windows/data/deploying-identity-manager-for-high-availablility.html

NOTE:Identity Manager does not support load balancing LDAP or LDAPS communication between Identity Vault and Identity Applications.

--
Norbert
Reply
Report Inappropriate Content
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.