This section contains basic guidelines on what Identity Manager components should run on what servers. It also contains recommendations on which components should be physically sited near one another in order to minimize performance issues that could arise due to latency and network congestion.
Only basic guidelines are provided. For information on designing a high-availability Identity Manager architecture, see Chapter 3, Clustering and High Availability.
In a development environment, the application server and database can reside on the same machine. In testing and production environments, however, each Identity Manager instance should be installed on its own dedicated server. The relational database also requires a dedicated server.
The Identity Manager Gateway, if required, must be installed on one or more Windows machines. The Gateway is a lightweight component and does not require a dedicated server. All Windows domains managed by a Gateway must be part of the same forest. Managing domains across forest boundaries is unsupported. If you have multiple forests, install at least one Gateway in each forest. In production the Gateway must be made highly available. See Making the Gateway Highly Available for details.
In a production environment, the highest volume of network traffic flows between the database server and the application servers. These two servers must be on the same LAN with the shortest network path possible between them, because every provisioning operation issues many database round trips and each one pays the full network latency. Gateway instances, as well as managed resources, do not need to be on the same network as Identity Manager.
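The placement rule above is easy to state and easy to violate silently once servers move between racks or data centers. The following script, added here as an illustration and not part of the Identity Manager documentation or product, parses the output of `ping` and `traceroute` run from the application server toward the database host and flags placements that are not on the same LAN. The sample outputs are constructed, the thresholds (one hop, 1 ms average RTT) are the example's own assumptions rather than values stated by the page, and the per-operation round-trip count used for the overhead estimate is likewise a made-up figure.

```python
import re
from statistics import mean

# Constructed sample output (not captured from a real deployment), in the
# format Linux ping and traceroute print. The "same LAN" pair shows a
# database host one hop away; the "remote" pair shows a database host
# reached through three routers.
PING_SAME_LAN = """PING 10.0.1.20 (10.0.1.20) 56(84) bytes of data.
64 bytes from 10.0.1.20: icmp_seq=1 ttl=64 time=0.213 ms
64 bytes from 10.0.1.20: icmp_seq=2 ttl=64 time=0.198 ms
64 bytes from 10.0.1.20: icmp_seq=3 ttl=64 time=0.240 ms
"""
TRACEROUTE_SAME_LAN = """traceroute to 10.0.1.20 (10.0.1.20), 30 hops max, 60 byte packets
 1  10.0.1.20 (10.0.1.20)  0.213 ms  0.198 ms  0.240 ms
"""
PING_REMOTE = """PING 10.9.4.7 (10.9.4.7) 56(84) bytes of data.
64 bytes from 10.9.4.7: icmp_seq=1 ttl=60 time=18.4 ms
64 bytes from 10.9.4.7: icmp_seq=2 ttl=60 time=22.1 ms
64 bytes from 10.9.4.7: icmp_seq=3 ttl=60 time=19.7 ms
"""
TRACEROUTE_REMOTE = """traceroute to 10.9.4.7 (10.9.4.7), 30 hops max, 60 byte packets
 1  10.0.1.1 (10.0.1.1)  0.410 ms  0.388 ms  0.401 ms
 2  10.0.0.1 (10.0.0.1)  1.202 ms  1.190 ms  1.250 ms
 3  10.9.0.1 (10.9.0.1)  17.9 ms  18.2 ms  18.0 ms
 4  10.9.4.7 (10.9.4.7)  18.4 ms  22.1 ms  19.7 ms
"""

PING_TIME = re.compile(r"time=([\d.]+) ms")      # per-reply RTT in ping output
HOP_LINE = re.compile(r"^\s*(\d+)\s+\S")         # "<hop number>  <host>" lines


def parse_ping_rtts(output):
    """Return the list of per-reply round-trip times (ms) from ping output."""
    return [float(m) for m in PING_TIME.findall(output)]


def parse_hop_count(output):
    """Return the hop number of the last hop in traceroute output (None if no hops)."""
    hops = []
    for line in output.splitlines():
        m = HOP_LINE.match(line)
        if m:
            hops.append(int(m.group(1)))
    return max(hops) if hops else None


def estimated_db_overhead_ms(avg_rtt_ms, round_trips_per_operation):
    """Network time one operation spends waiting on the database, assuming
    each of its round trips pays the full average RTT (assumption, not a
    measured product figure)."""
    return avg_rtt_ms * round_trips_per_operation


def assess_db_placement(ping_output, traceroute_output,
                        max_hops=1, max_avg_rtt_ms=1.0,
                        round_trips_per_operation=40):
    """Check app-server-to-database placement against the same-LAN guideline.

    Thresholds and the round-trip count are the example's own assumptions:
    a traceroute that reaches the database at hop 1 means no router sits
    between the two servers.
    """
    rtts = parse_ping_rtts(ping_output)
    hops = parse_hop_count(traceroute_output)
    avg_rtt = mean(rtts) if rtts else None
    findings = []
    if hops is None or hops > max_hops:
        findings.append(f"database is {hops} hops away (limit {max_hops})")
    if avg_rtt is None or avg_rtt > max_avg_rtt_ms:
        findings.append(f"average RTT {avg_rtt} ms exceeds {max_avg_rtt_ms} ms")
    overhead = estimated_db_overhead_ms(avg_rtt, round_trips_per_operation) if avg_rtt else None
    return {
        "hops": hops,
        "avg_rtt_ms": avg_rtt,
        "est_overhead_ms_per_operation": overhead,
        "ok": not findings,
        "findings": findings,
    }


if __name__ == "__main__":
    for label, ping_out, tr_out in (("same LAN", PING_SAME_LAN, TRACEROUTE_SAME_LAN),
                                    ("remote", PING_REMOTE, TRACEROUTE_REMOTE)):
        print(label, assess_db_placement(ping_out, tr_out))
```

Run on real output by capturing `ping -c 20 <db-host>` and `traceroute <db-host>` from each application server and passing the text to `assess_db_placement`. The overhead estimate is the useful part of the report: with the constructed figures, the remote placement costs roughly 800 ms of pure network waiting per operation versus under 10 ms on the same LAN, which is the difference the section is warning about.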
If Identity Manager will be used for external users in a Service Provider configuration, a set of web servers should be set up in a DMZ. See Understanding the Recommended Service Provider HA Architecture for details.