Connecting Identity Apps to Multiple eDirectory Servers
It is supported to configure Identity Applications (4.8.2) to authenticate with Identity Vault replica ring (eDir 9.2.2) through a load balancer (F5).
If the above is not possible, what options are there to be able to have a connection to more than one eDir server and in case of a crash of the first eDir server, Identity Apps will automatically connect to another eDir?
The way it was explained to me is that Identity Applications performs many sequential write/reads, which makes load balancing problematic, as the read that follows a write could potentially occur before the write has been replicated to other eDirectory nodes.
When you say that it is supported to use a load balancer, I believe you must be using it in failover configuration. This means it isn't utilizing both nodes, but simply flipping to the other node in the event of a failure on the first node.
Because of some new security features in Java, the LDAPS cert must match the hostname provided, which makes it difficult to repoint a running node, since the Tomcat process will cache the DNS response and/or the hosts file entry and it'll only refresh that after restarting the server (to my knowledge). I believe you'll need to change your ism-configuration.properties file in order to point to a new node, unless it is pointed at a load balancer where failover can occur.
GCA Technology Services
Generally, if your Load balancer has sticky sessions, so that one client stays on the same node until a failover event, that helps a lot.
As for Rob's reasonable issue with Certs and DNS names, you probably need a common cert for all LDAPS ops, and a DNS name for the load balanced IP.
Nothing super hard to do. But needs to be just right.
To avoid issues from replication, you also need to point Identity Apps at the eDirectory node where the Role and Resource Service driver is running:
NOTE: Identity Manager does not support load balancing LDAP or LDAPS communication between Identity Vault and Identity Applications.
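An added example (not part of the thread, and not NetIQ code): a minimal check of which connection names a certificate's subjectAltName DNS entries cover, using RFC 6125 style matching with a wildcard allowed only as the whole left-most label. It illustrates the point made above about needing a common cert and a DNS name for the load-balanced IP. All hostnames and SAN lists are constructed, and `match_dns` and `uncovered_names` are hypothetical helper names.

```python
# Added example: hostnames and SAN lists below are constructed for illustration.

def match_dns(pattern: str, hostname: str) -> bool:
    """Match one SAN dNSName against a hostname (RFC 6125 style).

    A wildcard is honoured only as the entire left-most label and
    stands for exactly one label.
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        # Refuse overly broad patterns such as "*.com".
        return len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def uncovered_names(connect_names, san_dns_names):
    """Return the names a client may connect to that the cert does NOT cover."""
    return [name for name in connect_names
            if not any(match_dns(san, name) for san in san_dns_names)]


# Names the LDAPS client could be pointed at (constructed).
CONNECT_NAMES = [
    "idv.example.com",    # DNS name of the load-balanced IP
    "edir1.example.com",  # first replica
    "edir2.example.com",  # second replica
]

# Three candidate certificates, described by their SAN DNS entries (constructed).
PER_NODE_CERT = ["edir1.example.com"]
COMMON_CERT = ["idv.example.com", "edir1.example.com", "edir2.example.com"]
WILDCARD_CERT = ["*.example.com"]

if __name__ == "__main__":
    for label, san in [("per-node", PER_NODE_CERT),
                       ("common", COMMON_CERT),
                       ("wildcard", WILDCARD_CERT)]:
        missing = uncovered_names(CONNECT_NAMES, san)
        print(f"{label:9s} -> {missing or 'all names covered'}")
```

A cert issued only for one replica leaves the load-balanced name and the other replica uncovered, so hostname verification would fail as soon as the client is repointed or the load balancer fails over.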