Sun Java System Access Manager 7.1 Postinstallation Guide

Configuring Access Manager With Directory Server in MMR Mode

This deployment scenario includes the following components:

Depending on whether you installed Access Manager in Realm Mode or Legacy Mode, perform the following configuration steps for each Access Manager instance:

Procedure: To Configure Each Access Manager Instance in Realm Mode

Before You Begin

Start the Directory Server instance (ds1.example.com) on the first machine only. Add the Access Manager indexes to the first Directory Server instance, as described in Indexing Access Manager Attributes in Directory Server.

  1. Log in as or become superuser (root) on the server where Access Manager is installed.

  2. Back up the serverconfig.xml file.

    The serverconfig.xml file is in the following directory, depending on your platform:

    • Solaris systems: /etc/opt/SUNWam/config

    • Linux and HP-UX systems: /etc/opt/sun/identity/config

    • Windows systems: C:\Program Files\Sun\JavaES5\identity\config

  3. In the serverconfig.xml file, add the secondary Directory Server instance. For example:

    ...
    <iPlanetDataAccessLayer>
        <ServerGroup name="default" minConnPool="1" maxConnPool="10">
                <Server name="Server1" host="ds1.example.com" port="389" type="SIMPLE" />
                <Server name="Server2" host="ds2.example.com" port="389" type="SIMPLE" />
    ...

  4. Log in to the Access Manager Realm Mode Console as amadmin.

  5. Click Access Control > Realm Name realm-name > General.

    1. Add both Access Manager instances to the Realm/DNS Aliases list. For example:

      amserver1.example.com
      amserver2.example.com

    2. Save the changes.

  6. Click Access Control > Realm Name realm-name > Authentication Module Instances – LDAP.

    1. Add the secondary Directory Server instance to Secondary LDAP Server. For example: ds2.example.com:389

    2. Save the change.

  7. After you have performed the changes on both Access Manager instances, restart the Access Manager web container on both host servers.

  8. On the secondary Directory Server instance, add the Access Manager indexes as follows:

    1. Start the secondary Directory Server instance.

    2. Add the Access Manager indexes using either the Directory Server 6.0 Directory Service Control Center (DSCC) or the ldapmodify utility.

      For information about adding indexes, see Indexing Access Manager Attributes in Directory Server.

    3. Restart the secondary Directory Server instance.

Procedure: To Configure Each Access Manager Instance in Legacy Mode

Before You Begin

Start the Directory Server instance (ds1.example.com) on the first machine only. Add the Access Manager indexes to the first Directory Server instance, as described in Indexing Access Manager Attributes in Directory Server.

  1. Log in as or become superuser (root) on the server where Access Manager is installed.

  2. Back up the serverconfig.xml file.

    The serverconfig.xml file is in the following directory, depending on your platform:

    • Solaris systems: /etc/opt/SUNWam/config

    • Linux and HP-UX systems: /etc/opt/sun/identity/config

    • Windows systems: C:\Program Files\Sun\JavaES5\identity\config

  3. In the serverconfig.xml file, add the secondary Directory Server instance. For example:

    ...
    <iPlanetDataAccessLayer>
        <ServerGroup name="default" minConnPool="1" maxConnPool="10">
                <Server name="Server1" host="ds1.example.com" port="389" type="SIMPLE" />
                <Server name="Server2" host="ds2.example.com" port="389" type="SIMPLE" />
    ...

  4. Log in to the Access Manager Legacy Mode Console as amadmin.

  5. Click Directory Management > Organizations organization-name.

    1. Make sure that Organization Aliases includes both Access Manager instances. Add the instances, if necessary. For example:

      amserver1.example.com
      amserver2.example.com

    2. Add both Access Manager instances to the DNS Aliases Names list.

    3. Save the changes.

  6. Click Configuration > Authentication Service Name – LDAP.

    1. Add the secondary Directory Server instance to Secondary LDAP Server. For example: ds2.example.com:389

    2. Save the change.

  7. After you have performed the changes on both Access Manager instances, restart the Access Manager web container on both host servers.

  8. On the secondary Directory Server instance, add the Access Manager indexes as follows:

    1. Start the secondary Directory Server instance.

    2. Add the Access Manager indexes using either the Directory Server 6.0 Directory Service Control Center (DSCC) or the ldapmodify utility.

      For information about adding indexes, see Indexing Access Manager Attributes in Directory Server.

    3. Restart the secondary Directory Server instance.
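
A check to run on the edited serverconfig.xml from step 3 of both procedures before restarting the web container, as an added example that is not part of the original guide. It reports stray whitespace in host values, duplicate or missing Directory Server entries, invalid ports, and servers of type SIMPLE, whose LDAP connections are not encrypted. The function name check_server_group and the sample XML are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a minimal, well-formed stand-in for the step 3 fragment
# (the real serverconfig.xml contains more elements). Server1 carries a stray
# leading space in its host value on purpose, to show the check firing.
SAMPLE = """<iPlanetDataAccessLayer>
  <ServerGroup name="default" minConnPool="1" maxConnPool="10">
    <Server name="Server1" host=" ds1.example.com" port="389" type="SIMPLE" />
    <Server name="Server2" host="ds2.example.com" port="389" type="SIMPLE" />
  </ServerGroup>
</iPlanetDataAccessLayer>"""


def check_server_group(xml_text, expected_hosts, group="default"):
    """Return a list of findings for one ServerGroup; an empty list means clean."""
    root = ET.fromstring(xml_text)
    grp = next((g for g in root.iter("ServerGroup") if g.get("name") == group), None)
    if grp is None:
        return [f"ServerGroup '{group}' not found"]
    findings, seen = [], set()
    for srv in grp.findall("Server"):
        name, raw_host = srv.get("name", "?"), srv.get("host", "")
        if raw_host != raw_host.strip():
            findings.append(f"{name}: host {raw_host!r} has surrounding whitespace")
        host = raw_host.strip().lower()
        if host in seen:
            findings.append(f"{name}: duplicate host {host}")
        seen.add(host)
        port = srv.get("port", "")
        if not port.isdigit() or not 0 < int(port) < 65536:
            findings.append(f"{name}: invalid port {port!r}")
        # SIMPLE is the non-SSL connection type, so binds and data cross the wire in clear text.
        if srv.get("type", "").upper() == "SIMPLE":
            findings.append(f"{name}: type SIMPLE, LDAP traffic to {host}:{port} is not encrypted")
    # Every replica in the MMR topology should be listed, or failover will not happen.
    for missing in sorted({h.lower() for h in expected_hosts} - seen):
        findings.append(f"expected Directory Server {missing} is not listed")
    return findings


if __name__ == "__main__":
    for finding in check_server_group(SAMPLE, ["ds1.example.com", "ds2.example.com"]):
        print("WARN", finding)
```

To check a real file, pass its contents, for example `open("/etc/opt/SUNWam/config/serverconfig.xml").read()`, in place of SAMPLE.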