
Multiple User Applications installations in the same IDV


Our existing UA install includes some functionality that needs to be
widely available as well as some other functions we'd like to carefully
restrict. We've been asked to stand up a second User Application server
that would be in our DMZ and allow password changes, self-service
provisioning requests and so forth, and move the existing one within the
DMZ so that only local network access would be allowed. Our user
application developer recently departed for greener pastures so I am the
one trying to make this happen.

I need to make sure I understand the implications of doing so. I know we
would need to add a second User Application driver that includes the
existing provisioning request definitions for those requests we want to
be available from the 'net. I understand how to re-create the
application configuration, register the portlets, create the pages and
so forth. I am a bit concerned that there is some other piece that I am
overlooking. This would be a distinct, stand-alone User Application
server with its own database and so forth.


--
keithbmartin
------------------------------------------------------------------------
keithbmartin's Profile: https://forums.netiq.com/member.php?userid=524
View this thread: https://forums.netiq.com/showthread.php?t=45052


Re: Multiple User Applications installations in the same IDV


keithbmartin;216700 Wrote:
> Our existing UA install includes some functionality that needs to be
> widely available as well as some other functions we'd like to carefully
> restrict. We've been asked to stand up a second User Application server
> that would be in our DMZ and allow password changes, self-service
> provisioning requests and so forth, and move the existing one within the
> DMZ so that only local network access would be allowed. Our user
> application developer recently departed for greener pastures so I am the
> one trying to make this happen.
>
> I need to make sure I understand the implications of doing so. I know we
> would need to add a second User Application driver that includes the
> existing provisioning request definitions for those requests we want to
> be available from the 'net. I understand how to re-create the
> application configuration, register the portlets, create the pages and
> so forth. I am a bit concerned that there is some other piece that I am
> overlooking. This would be a distinct, stand-alone User Application
> server with its own database and so forth.


Steve can correct me if I'm wrong.

I THINK it's "supported" if say, one is used for password stuff (you can
also deploy just the password something .war file I believe) pointing to
say, O=ABC, and the other one is used for say, RPBM stuff and pointed to
say, O=XYZ

I don't think (again, could be wrong) that it's supported to have two
userapp drivers pointing to the same O=ABC (same tree) even if they are
on different servers.


--
kjhurni
------------------------------------------------------------------------
kjhurni's Profile: https://forums.netiq.com/member.php?userid=322

Re: Multiple User Applications installations in the same IDV

On 10/31/2012 11:44 AM, kjhurni wrote:
>
> keithbmartin;216700 Wrote:
>> Our existing UA install includes some functionality that needs to be
>> widely available as well as some other functions we'd like to carefully
>> restrict. We've been asked to stand up a second User Application server
>> that would be in our DMZ and allow password changes, self-service
>> provisioning requests and so forth, and move the existing one within the
>> DMZ so that only local network access would be allowed. Our user
>> application developer recently departed for greener pastures so I am the
>> one trying to make this happen.
>>
>> I need to make sure I understand the implications of doing so. I know we
>> would need to add a second User Application driver that includes the
>> existing provisioning request definitions for those requests we want to
>> be available from the 'net. I understand how to re-create the
>> application configuration, register the portlets, create the pages and
>> so forth. I am a bit concerned that there is some other piece that I am
>> overlooking. This would be a distinct, stand-alone User Application
>> server with its own database and so forth.

>
> Steve can correct me if I'm wrong.
>
> I THINK it's "supported" if say, one is used for password stuff (you can
> also deploy just the password something .war file I believe) pointing to
> say, O=ABC, and the other one is used for say, RPBM stuff and pointed to
> say, O=XYZ
>
> I don't think (again, could be wrong) that it's supported to have two
> userapp drivers pointing to the same O=ABC (same tree) even if they are
> on different servers.
>
>

Greetings,
What Kevin outlined is mostly correct. You can only have two (2)
different User Application set-ups, where each has its own UAD and
RRSD, if and only if you have two (2) completely different areas within
the Vault. Also, the RRSDs must be configured in such a way that they
can never overlap in the Vault.

UserApp, UAD, and RRSD set-up #1 points to o=abc

UserApp, UAD, and RRSD set-up #2 points to o=xyz


Since the "Standard" version now also utilizes Roles and the RRSD you
cannot do the part that Kevin outlined about it being okay if you were
just using Password Self Service (that was true in the 361 days).


If you go with this approach understand that you could have performance
issues depending upon how much Role/Resource work you do, because you
will have 2 RRSD drivers. You most likely will want them running on
different eDirectory servers within the Tree. You could also consider
having them in different driversets.


Overall, the above configuration is not the normal/expected configuration.

--
Sincerely,
Steven Williams
Lead Software Engineer
NetIQ
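The constraint Steve describes, that each set-up's UAD and RRSD must be scoped to completely separate areas of the Vault with no overlap, can be verified before either driver is deployed. The following is an added example, not code from this thread or from NetIQ; the set-up names and the o=abc / o=xyz container DNs are constructed samples, and the DN parser assumes no escaped commas inside RDN values.

```python
"""Check that the eDirectory scopes of two User Application set-ups do not overlap.

Added example (not from the thread or NetIQ). 'setups' maps a constructed
set-up name to the base DN each of its drivers (UAD, RRSD) is pointed at.
"""

def normalize_dn(dn: str) -> tuple:
    """Split a DN into lowercase RDNs, root first, ignoring whitespace.
    Assumes RDN values contain no escaped commas."""
    rdns = [part.strip().lower() for part in dn.split(",") if part.strip()]
    return tuple(reversed(rdns))

def is_within(child: str, parent: str) -> bool:
    """True if 'child' equals 'parent' or sits anywhere beneath it."""
    c, p = normalize_dn(child), normalize_dn(parent)
    return len(c) >= len(p) and c[: len(p)] == p

def scopes_overlap(a: str, b: str) -> bool:
    """Two scopes overlap when either container contains the other."""
    return is_within(a, b) or is_within(b, a)

def find_conflicts(setups: dict) -> list:
    """Compare every driver scope of one set-up against every driver scope
    of each other set-up. Returns (setup1, driver1, dn1, setup2, driver2,
    dn2) per overlapping pair; an empty list means the set-ups live in
    completely different areas of the Vault."""
    conflicts = []
    names = sorted(setups)
    for i, n1 in enumerate(names):
        for n2 in names[i + 1:]:
            for drv1, dn1 in setups[n1].items():
                for drv2, dn2 in setups[n2].items():
                    if scopes_overlap(dn1, dn2):
                        conflicts.append((n1, drv1, dn1, n2, drv2, dn2))
    return conflicts

# Constructed sample: set-up #1 in o=abc, set-up #2 in o=xyz (disjoint).
SEPARATED = {
    "dmz": {"UAD": "o=abc", "RRSD": "o=abc"},
    "internal": {"UAD": "o=xyz", "RRSD": "o=xyz"},
}
# Constructed sample: the second RRSD is scoped inside the first set-up's
# container, which Steve's answer says is not allowed.
NESTED = {
    "dmz": {"UAD": "o=abc", "RRSD": "o=abc"},
    "internal": {"UAD": "o=xyz", "RRSD": "ou=users, O=ABC"},
}

if __name__ == "__main__":
    print(find_conflicts(SEPARATED))  # []
    print(find_conflicts(NESTED))     # two conflicts, both against the nested RRSD
```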

Re: Multiple User Applications installations in the same IDV


That's unfortunate.

Any suggestions as to how else this can be accomplished? We can't be the
only shop that needs to firewall off some functionality and leave some
of it public. We discussed standing up a separate directory just for the
public facing parts and using the eDir-to-EDir connector to sync the
data back to the IDV but that has its own set of problems. Is running a
second User Application install against the existing UA Driver even an
option? If that would work I could go that route and simply not register
the portlets that have to be behind the firewall in that install, but
somehow I suspect I'll run into problems there as well.


--
keithbmartin
------------------------------------------------------------------------
keithbmartin's Profile: https://forums.netiq.com/member.php?userid=524