Sun Java System Access Manager 7 2005Q4 Deployment Planning Guide

Configuring an Access Manager Deployment as a Site

Access Manager 7 2005Q4 introduces the “site concept,” which provides centralized configuration management for an Access Manager deployment. When Access Manager is configured as a site, client requests always go through the load balancer, which simplifies the deployment and resolves issues such as a firewall between the client and the back-end Access Manager servers. A site includes the following components:

The following procedures refer to the Access Manager 7 2005Q4 Console in Realm Mode.

Site Configuration

If you have an Access Manager multiple server deployment, use either of these methods to configure your deployment as a site:

When you configure a deployment as a site, you perform these functions in the Access Manager Console:

In addition, Access Manager automatically sets the fqdnMap property (in memory) to include the load balancer, so you do not need to explicitly set this property in the AMConfig.properties file.

To configure an Access Manager deployment as a site, follow this procedure:

  1. Log in to the Access Manager Console as amAdmin.

  2. Add the load balancer URL to the Site Name:

    1. In the Access Manager Console, click Configuration, System Properties, and then Platform.

    2. Under Site Name, click New and enter the following values for the load balancer:

      • Server: Load balancer protocol, host name, and port. For example: http://lb.example.com:80

      • Site Name: Unique two-digit site identifier (site ID). For example: 10

        When you are finished, click OK.

    3. After adding the load balancer to the Site Name, click Save. The entry for the load balancer now includes the site ID. For example: http://lb.example.com:80|10

      The site ID must be unique with respect to server IDs and other site IDs. For example, you cannot use 01 for both a site ID and a server ID.

  3. On the same Console panel, map the load balancer to each Access Manager instance:

    1. In the Server list under Instance Name, click each instance name to display the Edit Server Instance panel for the instance.

    2. Map the Site Name (site ID) for the load balancer to the Access Manager instance. For example, using a load balancer with a Site Name of 10, for the first server, the Instance Name would be 01(|10).

    3. Click OK and repeat the steps for the other Access Manager instances.

      When you are finished, all Access Manager instances should be mapped to the load balancer. For example:

      http://amserver1.example.com:8080|01|10
      http://amserver2.example.com:8080|02|10
      http://amserver3.example.com:8080|03|10

    4. Click Save to save the configuration.

  4. Add the Realm/DNS alias for the load balancer:

    1. In the Access Manager Console, click Access Control and then the root or top-level realm under Realm Name.

    2. Under Realm Attributes, add the load balancer to Realm/DNS Aliases and then click Add. For example: lb.example.com.

    3. Click Save to save your changes.

  5. For clients such as a policy agent, the load balancer (as opposed to the individual Access Manager instances) should be the sole entry point. For example, if you are using a policy agent, modify the appropriate entries in the AMAgent.properties file to point to the load balancer.
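The following check is an added example, not part of the original guide or of Access Manager itself. It parses the Site Name and Instance Name entries in the `URL|ID` and `URL|serverID|siteID` forms shown in steps 2 and 3, and reports ID collisions and servers that are not mapped to a configured site. The function names are hypothetical, and treating server IDs as two-digit values is an assumption based on the examples above.

```python
import re
from urllib.parse import urlsplit

TWO_DIGITS = re.compile(r"\d{2}")  # assumption: server IDs are two digits, like site IDs

def parse_entry(line):
    """Split 'URL|siteID' or 'URL|serverID|siteID' into (url, [ids])."""
    url, *ids = line.strip().split("|")
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"bad URL in entry: {line!r}")
    if not 1 <= len(ids) <= 2 or not all(TWO_DIGITS.fullmatch(i) for i in ids):
        raise ValueError(f"expected one or two two-digit IDs: {line!r}")
    return url, ids

def check_site_config(site_entries, server_entries):
    """Return a list of problems; an empty list means the lists are consistent."""
    problems, owner = [], {}  # owner maps each ID to the URL that claimed it first
    def claim(id_, url):
        if id_ in owner:
            problems.append(f"ID {id_} used by both {owner[id_]} and {url}")
        owner.setdefault(id_, url)
    sites = set()
    for line in site_entries:
        url, ids = parse_entry(line)
        if len(ids) != 1:
            problems.append(f"site entry must carry exactly one ID: {line}")
            continue
        claim(ids[0], url)
        sites.add(ids[0])
    for line in server_entries:
        url, ids = parse_entry(line)
        claim(ids[0], url)  # a server ID must not reuse a site ID or another server ID
        if len(ids) == 1:
            problems.append(f"{url} is not mapped to any site")
        elif ids[1] not in sites:
            problems.append(f"{url} is mapped to unknown site ID {ids[1]}")
    return problems

# Constructed sample data, taken from the examples in the procedure above.
SITES = ["http://lb.example.com:80|10"]
SERVERS = [
    "http://amserver1.example.com:8080|01|10",
    "http://amserver2.example.com:8080|02|10",
    "http://amserver3.example.com:8080|03|10",
]

if __name__ == "__main__":
    for problem in check_site_config(SITES, SERVERS) or ["site configuration is consistent"]:
        print(problem)
```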