Micro Focus Expert

Connecting Identity Apps to Multiple eDirectory Servers

Is it supported to configure Identity Applications (4.8.2) to authenticate with an Identity Vault replica ring (eDir 9.2.2) through a load balancer (F5)?

If the above is not possible, what options are there for having a connection to more than one eDir server, so that if the first eDir server crashes, Identity Apps automatically connects to another eDir?

Vice Admiral

The way it was explained to me is that Identity Applications performs many sequential writes/reads, which makes load balancing problematic, as the read that follows a write could potentially occur before the write has been replicated to other eDirectory nodes.

When you say that it is supported to use a load balancer, I believe you must be using it in a failover configuration. This means it isn't utilizing both nodes, but simply flipping to the other node in the event of a failure on the first node.

Because of some new security features in Java, the LDAPS cert must match the hostname provided, which makes it difficult to repoint a running node, since the Tomcat process will cache the DNS response and/or the hosts file entry and it'll only refresh that after restarting the server (to my knowledge). I believe you'll need to change your ism-configuration.properties file in order to point to a new node, unless it is pointed at a load balancer where failover can occur.

Robert Ivey
GCA Technology Services
https://www.gca.net
Knowledge Partner

Generally, if your load balancer has sticky sessions, so that one client stays on the same node until a failover event, that helps a lot.

As for Rob's reasonable issue with certs and DNS names, you probably need a common cert for all LDAPS ops, and a DNS name for the load-balanced IP.

Nothing super hard to do. But it needs to be just right.
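One way to verify the "common cert plus a DNS name for the load-balanced IP" advice before cutting over, as an added example that is not code from the thread or from the Identity Manager product: a small Python check that confirms the LDAPS certificate presented by each eDirectory node covers the load-balancer DNS name Identity Apps is pointed at, so a failover does not trip Java's hostname verification. The node names and SAN lists are constructed for illustration; the live check assumes port 636 and a CA file you supply.

```python
import socket
import ssl


def san_matches(san_name: str, hostname: str) -> bool:
    """RFC 6125-style DNS-ID match: case-insensitive, and a wildcard is only
    honoured as the entire leftmost label (so *.example.com does not cover
    a.b.example.com or the bare example.com)."""
    san_name, hostname = san_name.lower().rstrip("."), hostname.lower().rstrip(".")
    if san_name == hostname:
        return True
    if san_name.startswith("*."):
        first, sep, rest = hostname.partition(".")
        return bool(sep) and first != "" and "." + rest == san_name[1:]
    return False


def cert_covers(cert: dict, hostname: str) -> bool:
    """cert is the dict shape returned by ssl.SSLSocket.getpeercert()."""
    dns_sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    return any(san_matches(san, hostname) for san in dns_sans)


def nodes_missing_lb_name(lb_name: str, node_certs: dict) -> list:
    """Names of the nodes whose LDAPS cert would fail verification for lb_name."""
    return [node for node, cert in node_certs.items() if not cert_covers(cert, lb_name)]


def fetch_ldaps_cert(node_host: str, lb_name: str, port: int = 636, cafile=None) -> dict:
    """Live variant: connect to one node directly but verify the chain and
    hostname against the load-balancer name, exactly as Identity Apps would
    after a failover. Raises ssl.SSLCertVerificationError on a mismatch."""
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((node_host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=lb_name) as tls:
            return tls.getpeercert()


# Constructed sample: three replica-ring nodes behind the name idv.example.com.
# Only idv2 carries a node-specific cert without the shared name.
SAMPLE_CERTS = {
    "idv1.example.com": {"subjectAltName": (("DNS", "idv.example.com"), ("DNS", "idv1.example.com"))},
    "idv2.example.com": {"subjectAltName": (("DNS", "idv2.example.com"),)},
    "idv3.example.com": {"subjectAltName": (("DNS", "*.example.com"),)},
}

if __name__ == "__main__":
    print("nodes needing a cert reissue:", nodes_missing_lb_name("idv.example.com", SAMPLE_CERTS))
```

Run fetch_ldaps_cert against each node's real address with the load-balancer name to repeat the check against what the nodes actually serve.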

Micro Focus Expert

To avoid issues from replication, you also need to point Identity Apps at the eDirectory node where the Role and Resource Service driver is running:

https://www.netiq.com/documentation/identity-manager-48/setup_windows/data/deploying-identity-manager-for-high-availablility.html

NOTE: Identity Manager does not support load balancing LDAP or LDAPS communication between Identity Vault and Identity Applications.

--
Norbert