Sun Java System Access Manager 7.1 Deployment Planning Guide

Directory Server Replication Considerations

Two methods to improve Access Manager performance and response time are using load balancing across replicated Directory Servers and locating replicated servers closer to users. Directory Server can be set up in single-supplier or multi-supplier configurations. Load-balancing applications such as Sun Java System Directory Proxy Server can also be used. Directory Proxy Server dynamically performs proportional load balancing of LDAP operations across a set of configured Directory Servers. If one or more Directory Server instances become unavailable, the load is proportionally redistributed among the remaining servers. When the server comes back on line, the load is proportionally and dynamically reallocated.

Directory Server replication must be configured before installing Access Manager. This configuration ensures that the supplier and consumer databases are synchronized correctly, allowing time to verify that referrals and updates are synchronized properly.

When Access Manager is installed for replication purposes, each instance of Directory Server and each instance of Access Manager must be configured with the same values for the following:

Configuring For Replication

Access Manager can be configured to work with single-supplier or multiple-supplier replication. The following figure shows a single-supplier configuration where the consumer is a read-only database. Requests for write operations are referred to the supplier database. This configuration provides some measure of enhanced server performance by distributing the workload to more than one directory.

Figure 5–2 Single-Supplier Directory Server Replication

Single-supplier Directory Server replication

The following figure shows a multiple-supplier configuration, or multi-master replication (MMR), using multiple instances of Access Manager. This configuration provides failover protection as well as high availability, resulting in further enhanced server performance.

Figure 5–3 Multiple-Supplier Directory Server Configuration

Multiple-supplier Directory Server configuration

Follow these steps to configure replication at the root or top level of the Access Manager directory tree when Access Manager has not yet been installed or to configure replication at the default organization level:

  1. Install the supplier and consumer Directory Server instances.

    See the Sun Java Enterprise System 5 Installation Guide for UNIX for detailed instructions.

  2. Set up replication agreements between the supplier and consumer and verify that the directory referrals and updates are working properly.

    You might need to migrate existing Directory Server data to work with this version of Access Manager. For information, see the Sun Java System Access Manager 6 2005Q1 Migration Guide.

  3. If you are deploying Access Manager and Directory Server for the first time, or if there is no plan to use existing user data, run the Java ES installation program to install Access Manager.

    During installation, answer yes when asked if there is an existing Directory Server, and specify the host name and port number for a supplier Directory Server you installed in Configuring For Replication.

  4. On the host server where Access Manager is installed, modify the AMConfig.properties file in the following directory, depending on your platform:

    • Solaris systems: /etc/opt/SUNWam/config

    • Linux and HP-UX systems: /etc/opt/sun/identity/config

    • Windows systems: javaes-install-dir\identity\config

      The javaes-install-dir variable represents the Java ES 5 installation directory. The default value is C:\Program Files\Sun\JavaES5.

  5. Modify the following properties to reflect the host name and port number of a consumer Directory Server installed in Configuring For Replication. Because a consumer is read-only, any write Access Manager issues is referred to the supplier, which is why step 2 verifies that referrals work.

    • com.iplanet.am.directory.host

    • com.iplanet.am.directory.port

  6. Modify the following property to reflect the number of times Access Manager should repeat the same request when the requested entry is not found. An entry that was just written to the supplier might not yet have replicated to the consumer that Access Manager reads from, so these retries absorb replication lag.

    com.iplanet.am.replica.retries

  7. Modify the following property to reflect the number of milliseconds Access Manager should wait between retries. The product of the two values is the longest Access Manager waits before giving up on an entry that does not exist at all.

    com.iplanet.am.replica.delay.between.retries

  8. For each enabled Access Manager Authentication module that connects to the directory, use the Access Manager Console to specify the consumer directory installed in Configuring For Replication:

    • For the first LDAP server and port, specify the host name and port number for the primary (consumer) Directory Server. For example: consumer1.example.com:389.

    • For the second LDAP server and port, specify the host name and port number for the secondary (or supplier) Directory Server. For example, supplier1.example.com:389.

  9. In the serverconfig.xml file, specify the host name and port number of the consumer directory installed in Configuring For Replication, as shown in the following example for the serverconfig.xml file.

  10. Restart Access Manager by restarting the web container.

Example of the serverconfig.xml File

The following example shows the serverconfig.xml replication modification.

<iPlanetDataAccessLayer>
    <ServerGroup name="default" minConnPool="1" maxConnPool="10">
        <Server name="Server1" host="consumer1.example.com" port="389" type="SIMPLE" />
        <!-- other elements of the default ServerGroup are unchanged and omitted here -->
    </ServerGroup>
</iPlanetDataAccessLayer>
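The interaction between the two replica properties in steps 6 and 7 is easier to see in a simulation. The following block is an added example, not code from the Sun guide or from Access Manager: it models a consumer that shows a supplier write only after a fixed lag and applies the retry policy to it. The LaggingConsumer class, the timings, and the assumption that com.iplanet.am.replica.retries counts attempts after the first one are constructed for this illustration.

```python
import math

# Added example, not code from the Sun guide or from Access Manager: a
# simulation of the read-after-write problem that the two replica.*
# properties exist to absorb. The consumer model, the timings and the
# assumption that "retries" counts attempts after the first one are all
# constructed for this illustration.


class LaggingConsumer:
    """A read-only replica on which a supplier write becomes visible only
    after lag_ms milliseconds. Time is simulated, never slept."""

    def __init__(self, lag_ms):
        self.lag_ms = lag_ms
        self._accepted = {}  # dn -> simulated time the supplier accepted the add

    def supplier_add(self, dn, now_ms):
        self._accepted[dn] = now_ms

    def search(self, dn, now_ms):
        accepted = self._accepted.get(dn)
        return accepted is not None and now_ms - accepted >= self.lag_ms


def lookup_with_retries(consumer, dn, retries, delay_ms, start_ms=0):
    """Mirror of the retry policy described above: one attempt, then up to
    `retries` further attempts with delay_ms between them.
    Returns (found, attempts, elapsed_ms)."""
    now = start_ms
    attempts = 0
    while True:
        attempts += 1
        if consumer.search(dn, now):
            return True, attempts, now - start_ms
        if attempts > retries:
            return False, attempts, now - start_ms
        now += delay_ms


def retries_needed(lag_ms, delay_ms):
    """Smallest com.iplanet.am.replica.retries value that covers a given lag."""
    return math.ceil(lag_ms / delay_ms)


def worst_case_miss_ms(retries, delay_ms):
    """Time spent before giving up on an entry that truly does not exist,
    for example a login attempt with an unknown user name."""
    return retries * delay_ms


def demo():
    """Three constructed scenarios; returns their results for inspection."""
    results = {}
    # 1. Lag 300 ms, retries=3, delay=200 ms: the entry appears on the third attempt.
    c = LaggingConsumer(lag_ms=300)
    c.supplier_add("uid=alice,ou=People,dc=example,dc=com", now_ms=0)
    results["covered"] = lookup_with_retries(c, "uid=alice,ou=People,dc=example,dc=com", 3, 200)
    # 2. Lag 2000 ms with the same settings: retries * delay = 600 ms < lag, so AM gives up.
    c = LaggingConsumer(lag_ms=2000)
    c.supplier_add("uid=bob,ou=People,dc=example,dc=com", now_ms=0)
    results["uncovered"] = lookup_with_retries(c, "uid=bob,ou=People,dc=example,dc=com", 3, 200)
    # 3. An entry that was never written costs the full retry budget before failing.
    results["absent"] = lookup_with_retries(c, "uid=nobody,ou=People,dc=example,dc=com", 3, 200)
    return results


if __name__ == "__main__":
    for name, (found, attempts, elapsed) in demo().items():
        print(f"{name:9s} found={found} attempts={attempts} elapsed={elapsed} ms")
```

Scenario 2 is the case to plan for: if the observed replication lag between supplier and consumer exceeds retries × delay, Access Manager still reports the entry as missing, while raising the values makes every genuine miss (scenario 3) slower. Measure the lag on the real deployment and size the two properties from it.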

Configuring With a Load Balancer

The following figure shows a multiple-supplier configuration that includes Directory Proxy Server or a hardware load balancer. This configuration takes advantage of Access Manager support for failover, high availability, and managed load-balancing.

Figure 5–4 Multiple-Supplier Configuration With a Load Balancer

Multiple-supplier replication with a load balancer

Using LDAP load balancers adds a layer of high availability and directory failover protection beyond the level that is available with Access Manager. For example, Directory Proxy Server can specify the percentage of the load that gets redistributed to each server. And, if all back-end LDAP servers become unavailable, Directory Proxy Server continues to handle client requests, rejecting the queries so that clients receive an error rather than no answer. If you install a load balancer, Access Manager must be configured to use it as its directory endpoint, as the following steps describe.

  1. Before configuring Access Manager, set up the Directory Servers for replication. For information about directory replication and for detailed setup instructions, see the Sun Java System Directory Server documentation: http://docs.sun.com/coll/1224.1.

  2. Install and configure the LDAP load balancer. Follow the instructions in the documentation that comes with the load balancer you are using.

  3. In the AMConfig.properties file, modify the com.iplanet.am.directory.host and com.iplanet.am.directory.port properties to point to the host name and port number of the load balancer, rather than to an individual consumer Directory Server behind it.

  4. For each enabled Access Manager Authentication module that connects to the directory, use the Access Manager Console to specify the consumer Directory Server. In the following steps, the LDAP Authentication module is used as an example:

    • For the first LDAP server and port, type the host name and port number of the load balancer that fronts the primary (consumer) Directory Server, using the form proxyhostname:port.

    • Do not enter anything for the second LDAP Server and Port. Failover between the back-end Directory Servers is handled by the load balancer, not by the authentication module.

  5. In the serverconfig.xml file, specify the host name and port number of the consumer Directory Server, as shown in the following example for the serverconfig.xml file.

  6. Restart Access Manager by restarting the web container.

Load Balancer Modification to the serverconfig.xml File

The following example shows the load balancer modification to the serverconfig.xml file.

<iPlanetDataAccessLayer>
    <ServerGroup name="default" minConnPool="1" maxConnPool="10">
        <Server name="Server1" host="idar.example.com" port="389" type="SIMPLE" />
        <!-- other elements of the default ServerGroup are unchanged and omitted here -->
    </ServerGroup>
</iPlanetDataAccessLayer>
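Both procedures on this page (steps 4 to 9 of Configuring For Replication and steps 3 to 5 of Configuring With a Load Balancer) edit AMConfig.properties and serverconfig.xml by hand and expect the two to name the same directory endpoint. The following block is an added example, not code from the Sun guide or from Access Manager: it parses both files and reports where they disagree or where a value is out of range. The property and XML fragments are constructed for this example (the XML follows the shape shown above), and the max_retry_budget_ms threshold is an assumed site value, not a product default.

```python
import re
import xml.etree.ElementTree as ET

# Added example, not code from the Sun guide or from Access Manager: a
# consistency check over the two files the procedures above edit by hand.
# The property file and XML fragments below are constructed for this example,
# and max_retry_budget_ms is an assumed site threshold, not a product default.

HOST_KEY = "com.iplanet.am.directory.host"
PORT_KEY = "com.iplanet.am.directory.port"
RETRIES_KEY = "com.iplanet.am.replica.retries"
DELAY_KEY = "com.iplanet.am.replica.delay.between.retries"


def parse_properties(text):
    """Java .properties reader sufficient for AMConfig.properties:
    '#' or '!' comment lines, '=' or ':' separators, and trailing-backslash
    line continuations (an escaped trailing backslash is not handled)."""
    props = {}
    pending = None
    for raw in text.splitlines():
        line = raw.strip()
        if pending is None and (not line or line[0] in "#!"):
            continue
        if line.endswith("\\"):
            pending = (pending or "") + line[:-1]
            continue
        line = (pending or "") + line
        pending = None
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2)
    return props


def parse_serverconfig(xml_text, group="default"):
    """Return [(host, port, type), ...] for the Server elements of one ServerGroup."""
    root = ET.fromstring(xml_text)
    return [
        (srv.get("host"), srv.get("port"), srv.get("type"))
        for sg in root.iter("ServerGroup") if sg.get("name") == group
        for srv in sg.iter("Server")
    ]


def _as_int(value):
    return int(value) if value is not None and value.isdigit() else None


def check_directory_settings(props_text, serverconfig_text, max_retry_budget_ms=5000):
    """Return a list of findings; an empty list means the two files agree."""
    props = parse_properties(props_text)
    findings = []
    host, port = props.get(HOST_KEY), props.get(PORT_KEY)
    if not host:
        findings.append(f"{HOST_KEY} is not set")
    p = _as_int(port)
    if p is None or not 1 <= p <= 65535:
        findings.append(f"{PORT_KEY} is not a valid TCP port: {port!r}")
    retries, delay = _as_int(props.get(RETRIES_KEY)), _as_int(props.get(DELAY_KEY))
    if retries is None:
        findings.append(f"{RETRIES_KEY} missing or not a non-negative integer")
    if delay is None:
        findings.append(f"{DELAY_KEY} missing or not a non-negative integer")
    if retries is not None and delay is not None and retries * delay > max_retry_budget_ms:
        findings.append(
            f"worst-case wait for a missing entry is {retries * delay} ms "
            f"(retries * delay), above the {max_retry_budget_ms} ms budget")
    servers = parse_serverconfig(serverconfig_text)
    if not servers:
        findings.append("serverconfig.xml: no Server in ServerGroup 'default'")
    elif (servers[0][0], servers[0][1]) != (host, port):
        findings.append(
            f"serverconfig.xml points at {servers[0][0]}:{servers[0][1]} "
            f"but AMConfig.properties points at {host}:{port}")
    return findings


# Constructed sample inputs (not taken from a real deployment).
AMCONFIG_SAMPLE = """\
# AMConfig.properties fragment, constructed for this example
com.iplanet.am.directory.host=consumer1.example.com
com.iplanet.am.directory.port=389
com.iplanet.am.replica.retries=3
com.iplanet.am.replica.delay.between.retries=500
"""

SERVERCONFIG_SAMPLE = """\
<iPlanetDataAccessLayer>
  <ServerGroup name="default" minConnPool="1" maxConnPool="10">
    <Server name="Server1" host="consumer1.example.com" port="389" type="SIMPLE" />
  </ServerGroup>
</iPlanetDataAccessLayer>
"""

# Drift: AMConfig.properties was repointed at the load balancer but
# serverconfig.xml was not, i.e. step 5 of the load-balancer procedure was skipped.
AMCONFIG_LB_DRIFT = AMCONFIG_SAMPLE.replace("consumer1.example.com", "idar.example.com")


if __name__ == "__main__":
    print(check_directory_settings(AMCONFIG_SAMPLE, SERVERCONFIG_SAMPLE))
    print(check_directory_settings(AMCONFIG_LB_DRIFT, SERVERCONFIG_SAMPLE))
```

Run it against the real files after each of the two procedures and before the web container restart; the mismatch it reports in the drift case is exactly the state in which Access Manager's authentication and data layers talk to different directories.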