Deployment Example 1: Access Manager 7.0 Load Balancing, Distributed Authentication UI, and Session Failover

7.2 Enabling Multi-Master Replication

In this procedure you enable multi-master replication (MMR) between two directory masters. Then you use the data and schema from the first directory master to initialize the second directory master. When you're finished, you will have two Directory Servers, and each will contain two instances. The instance named ds-config stores Directory Server administration configuration. The instance named am-config stores the user data and Access Manager configuration.

On each Directory Server, the ds-config instance is a local configuration instance. Do not replicate this instance to other host systems. On each Directory Server, the am-config instance is the directory data instance. You enable the am-config instance for MMR with its counterpart on the other Directory Server host.

Use the following as your checklist for enabling multi-master replication:

  1. Enable multi-master replication on Directory Server 1.

  2. Enable multi-master replication on Directory Server 2.

  3. Create replication agreements on Directory Server 1.

  4. Create replication agreements on Directory Server 2.

  5. Initialize the master replica.

Procedure: To Enable Multi-Master Replication on Directory Server 1

  1. On Directory Server 1, start the Directory Server console.

    # cd /var/opt/mps/serverroot/
    # ./startconsole &

  2. Log in to the Directory Server 1 console using the following information:

    Username

    cn=Directory Manager

    Password

    d1rm4n4ger

    Administration URL

    http://DirectoryServer-1.example.com:1391

  3. In the Directory Server console, under the Servers and Applications tab, expand the Server Administration domain list until you see the Server Group item.

  4. Click to expand the Server Group.

    You should see the following items: an Administration Server, a Directory Server (am-config), a Directory Server (ds-config), and a Directory Server (am-users).

  5. Double-click the instance name Directory Server (am-users) to display the console for managing the instance am-users.

  6. Click the Configuration tab and navigate to the Replication pane.

    1. Expand the Data node.

    2. Expand the node for the suffix you want to be a master replica.

      In this example, double-click the suffix dc=company,dc=com.

    3. Click Replication.

  7. Click the “Enable replication” button to start the Replication Wizard.

  8. Select Master Replica, and then click Next to continue.

  9. Enter a Replica ID, and then click Next.

    For this example, when enabling replication on DirectoryServer-1, assign the number 11.

  10. If you have not already been prompted to select the change log file, you are prompted to select one now.

    The default change log file is shown in the text field. If you do not wish to use the default, type in a filename for the change log, or click Browse to display a file selector. If the change log has already been enabled, the wizard will skip this step.

  11. If you have not already been prompted to enter and confirm a password for the default replication manager, you are prompted now.

    The replication manager is not used in the case of single-master replication, but you must still enter a password to proceed. For this example, enter replm4n4ger.

    1. Click Next.

    The Replication Wizard displays a status message while updating the replication configuration.

  12. Click Close when replication is finished.

Procedure: To Enable Multi-Master Replication on Directory Server 2

  1. On Directory Server 2, start the Directory Server console.

    # cd /var/opt/mps/serverroot/
    # ./startconsole &

  2. Log in to the Directory Server 2 console using the following information:

    Username

    cn=Directory Manager

    Password

    d1rm4n4ger

    Administration URL

    http://DirectoryServer-2.example.com:1391

  3. In the Directory Server console, under the Servers and Applications tab, expand the Server Administration domain list until you see the Server Group item.

  4. Click to expand the Server Group.

    You should see the following items: an Administration Server, a Directory Server (am-config), a Directory Server (ds-config), and a Directory Server (am-users).

  5. Double-click the instance name Directory Server (am-users) to display the console for managing the instance am-users.

  6. Click the Configuration tab and navigate to the Replication pane.

    1. Expand the Data node.

    2. Expand the node for the suffix you want to be a master replica.

      In this example, double-click the suffix dc=company,dc=com.

    3. Click Replication.

  7. Click the “Enable replication” button to start the Replication Wizard.

  8. Select Master Replica, and then click Next to continue.

  9. Enter a Replica ID, and then click Next.

    For this example, when enabling replication on DirectoryServer-2, assign the number 22.

  10. If you have not already been prompted to select the change log file, you are prompted to select one now.

    The default change log file is shown in the text field. If you do not wish to use the default, type in a filename for the change log, or click Browse to display a file selector. If the change log has already been enabled, the wizard will skip this step.

  11. If you have not already been prompted to enter and confirm a password for the default replication manager, you are prompted now.

    The replication manager is not used in the case of single-master replication, but you must still enter a password to proceed. For this example, enter replm4n4ger.

    1. Click Next.

    The Replication Wizard displays a status message while updating the replication configuration.

  12. Click Close when replication is finished.

Procedure: To Create Replication Agreements on Directory Server 1

  1. On DirectoryServer-1, in the Directory Server console, display the general properties for the Directory Server instance named am-users.

    Navigate through the tree in the left panel to find the Directory Server instance named am-users, and click on the instance name to display its general properties.

  2. Click the Open button to display the console for managing the am-users instance.

  3. Click the Configuration tab and navigate to the Replication pane.

    1. Expand the Data node.

    2. Expand the node for the suffix you want to be a master replica.

      In this example, double-click the suffix dc=company,dc=com.

    3. Click Replication.

  4. Click the New button.

  5. In the Replication Agreement dialog box, click the Other button.

  6. In the Remote Server dialog box, provide the following information, and then click OK.

    Host

    DirectoryServer-2.example.com

    Port

    1489

    Secure Port

    Leave this box unmarked.

  7. In the Replication Agreement dialog, for the distinguished name (DN) of the replication manager entry on the consumer server, accept the default value.

    By default, the DN is that of the default replication manager.

  8. For the password of the replication manager, enter replm4n4ger.

  9. (Optional) Provide a description string for this agreement.

    For this example, enter Replication from DirectoryServer-1 to DirectoryServer-2.

  10. Click OK when done.

  11. In the confirmation dialog, click Yes to test the connection to the server and port number.

    Use the replication manager DN shown in the dialog and the password replm4n4ger.

    If the connection test fails, you can still save and use this agreement; this is useful when, for example, the parameters are correct but the remote server is currently offline. When you have finished, the agreement appears in the list of replication agreements for this master replica.

Procedure: To Create Replication Agreements on Directory Server 2

  1. On DirectoryServer-2, in the Directory Server console, display the general properties for the Directory Server instance named am-users.

    Navigate through the tree in the left panel to find the Directory Server instance named am-users, and click on the instance name to display its general properties.

  2. Click the Open button to display the console for managing the am-users instance.

  3. Click the Configuration tab and navigate to the Replication pane.

    1. Expand the Data node.

    2. Expand the node for the suffix you want to be a master replica.

      In this example, double-click the suffix dc=company,dc=com.

    3. Click Replication.

  4. Click the New button.

  5. In the Replication Agreement dialog box, click the Other button.

  6. In the Remote Server dialog box, provide the following information, and then click OK.

    Host

    DirectoryServer-1.example.com

    Port

    1489

    Secure Port

    Leave this box unmarked.

  7. In the Replication Agreement dialog, for the distinguished name (DN) of the replication manager entry on the consumer server, accept the default value.

    By default, the DN is that of the default replication manager.

  8. For the password of the replication manager, enter replm4n4ger.

  9. (Optional) Provide a description string for this agreement.

    For this example, enter Replication from DirectoryServer-2 to DirectoryServer-1.

  10. Click OK when done.

  11. In the confirmation dialog, click Yes to test the connection to the server and port number.

    Use the replication manager DN shown in the dialog and the password replm4n4ger.

    If the connection test fails, you can still save and use this agreement; this is useful when, for example, the parameters are correct but the remote server is currently offline. When you have finished, the agreement appears in the list of replication agreements for this master replica.

Procedure: To Initialize the Master Replica

  1. On DirectoryServer-1, in the Directory Server console, navigate through the tree in the left panel to find the Directory Server instance named am-users, and click on the instance name to display its general properties.

  2. Double-click the instance name Directory Server (am-users) in the tree to display the console for managing the data.

  3. Click the Configuration tab and navigate to the Replication pane.

    1. Expand the Data node.

    2. Expand the node for the suffix you want to be a master replica.

      In this example, double-click the suffix dc=company,dc=com.

    3. Click Replication.

  4. In the list of defined agreements, select the replication agreement corresponding to DirectoryServer-2, the consumer you want to initialize.

  5. Click Action > Initialize remote replica.

    A confirmation message warns you that any information already stored in the replica on the consumer will be removed.

  6. In the Confirmation dialog, click Yes.

    Online consumer initialization begins immediately. The icon of the replication agreement shows a red gear to indicate the status of the initialization process.

  7. Click Refresh > Continuous Refresh to follow the status of the consumer initialization.

    Any messages for the highlighted agreement will appear in the text box below the list.

  8. Verify that replication is working properly.

    1. Log in to both Directory Server hosts as a root user, and start both Directory Server consoles.

    2. Log in to each Directory Server console.

    3. In each Directory Server console, enable the audit log on both Directory Server instances.

      Go to Configuration > Logs > Audit Log. Check Enable Logging, and then click Save.

    4. In separate terminal windows, use the tail -f command to watch the audit log files change.

    5. On DirectoryServer-1, in the Directory Server console, create a new user entry.

      • Go to the Directory tab, and expand the suffix dc=company,dc=com.

      • Right-click users, and then choose New > User.

      • In the Create New User dialog, enter a first name and last name, and then click OK.

      Note that the user entry creation is recorded in the am-users instance audit log on DirectoryServer-1. Check that the same entry creation also appears in the audit log of the am-users instance on DirectoryServer-2.

    6. On DirectoryServer-2, in the Directory Server console, create a new user entry.

      • Go to the Directory tab, and expand the suffix dc=company,dc=com.

      • Right-click users, and then choose New > User.

      • In the Create New User dialog, enter a first name and last name, and then click OK.

      Note that the user entry creation is recorded in the am-users instance audit log on DirectoryServer-2. Check that the same entry creation also appears in the audit log of the am-users instance on DirectoryServer-1.

    7. Delete both new user entries in the Directory Server 2 console.

      Look in the Directory Server 1 console to verify that both users have been deleted.
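As an added check that complements the console-based verification above (this script is not part of the deployment example), the following queries each master's replication configuration under cn=config and flags agreements whose last update or initialization status is not success. It assumes the Sun Directory Server ldapsearch (serverroot/shared/bin) is on the PATH and that replica and agreement entries carry the nsDS5ReplicaId, nsds5replicaLastUpdateStatus and nsds5replicaLastInitStatus attributes; the replica IDs (11 and 22), ports and bind credentials are those used in the procedure, and the sample LDIF is constructed.

```shell
#!/bin/sh
# Assumptions (not from the deployment example): the Sun DS ldapsearch is on
# PATH, and replication state is exposed under cn=config as nsDS5Replica /
# nsDS5ReplicationAgreement entries carrying the attributes queried below.
PORT=1489
BINDDN="cn=Directory Manager"
BINDPW="${BINDPW:-d1rm4n4ger}"   # the example's Directory Manager password; override via env

# Query one host for its replica ID and the last update/init status of its agreements.
query_replication() {
  ldapsearch -h "$1" -p "$PORT" -D "$BINDDN" -w "$BINDPW" -b "cn=config" \
    "(|(objectclass=nsDS5Replica)(objectclass=nsDS5ReplicationAgreement))" \
    nsDS5ReplicaId nsds5replicaLastUpdateStatus nsds5replicaLastInitStatus
}

# Read ldapsearch LDIF on stdin. Returns 0 when every agreement status begins
# with "0" (success) and prints the replica IDs seen; returns 1 otherwise.
evaluate_replication_output() {
  awk '
    tolower($1) == "nsds5replicaid:" { ids = ids " " $2 }
    tolower($1) == "nsds5replicalastupdatestatus:" && $2 != "0" { bad++; print "update problem: " $0 }
    tolower($1) == "nsds5replicalastinitstatus:"   && $2 != "0" { bad++; print "init problem: " $0 }
    END { print "replica ids seen:" ids; exit (bad > 0) }
  '
}

# Live check against both masters from the procedure (set DS_LIVE=1 to run it).
check_masters() {
  for h in DirectoryServer-1.example.com DirectoryServer-2.example.com; do
    echo "== $h"
    query_replication "$h" | evaluate_replication_output || return 1
  done
}

# Constructed sample of what the query returns on DirectoryServer-1 (replica ID 11).
SAMPLE='dn: cn=replica,cn=dc\=company\,dc\=com,cn=mapping tree,cn=config
nsDS5ReplicaId: 11

dn: cn=to-DS2,cn=replica,cn=dc\=company\,dc\=com,cn=mapping tree,cn=config
nsds5replicaLastUpdateStatus: 0 replica acquired successfully
nsds5replicaLastInitStatus: 0 Total update succeeded'

if [ "${DS_LIVE:-0}" = "1" ]; then
  check_masters
else
  printf '%s\n' "$SAMPLE" | evaluate_replication_output
fi
```

Run it on each master after the initialization in the procedure; a non-zero exit (and a printed "update problem" line) is the cue to look at the agreement's status text in the console and at the audit logs.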