IBM Verify

Join this online user group to communicate across Security product users and IBM experts by sharing advice and best practices with peers and staying up to date regarding product enhancements.

  • 1.  ISAM policy servers load balancing.

    Posted Fri May 08, 2020 04:28 PM
    Hi:
    I have an ISAM cluster configured with two policy servers. On the other hand, I have one ISIM server with one service for ISAM configured; that ISIM service uses a TDI instance to perform ISAM user administration, and the TDI configuration has been set to communicate with the primary policy server on the ISAM cluster. Is there any way to set up policy server load balancing? In that case, what would be the network protocol to set up on the load balancer? The goal is that in case the primary policy server becomes unavailable, the TDI configuration can contact the secondary policy server promoted as primary. Any help would be appreciated.
    Thanks in advance.

    ------------------------------
    David Vicenteño
    ------------------------------


  • 2.  RE: ISAM policy servers load balancing.

    Posted Mon May 11, 2020 05:07 AM
    The ISAM Runtime for Java does not support load balancing - it only provides failover.  You can configure it with more than one Policy Server and Authorization Server such that when the highest ranked server is unreachable, it will try the next highest ranked server as alternative etc.

    Ref: https://www.ibm.com/support/knowledgecenter/en/SSPREK_9.0.7/com.ibm.isam.doc/develop/authj/ameb_authjava_guide/concept/con_svrsslcfg.html


    ------------------------------
    ---------------------
    Phil Goodman
    IBM ISAM Support
    ------------------------------



  • 3.  RE: ISAM policy servers load balancing.

    Posted Tue May 12, 2020 10:56 AM
    Thank you very much Phil, it helped me a lot. Regards.

    ------------------------------
    David Vicenteño
    ------------------------------



  • 4.  RE: ISAM policy servers load balancing.

    Posted Wed May 13, 2020 10:05 AM
    Hi David, check out the Registry Direct Java API link below. It might eliminate the dependency on the Policy Server.


    https://www.ibm.com/support/knowledgecenter/SSPREK_7.0.0/com.ibm.isam.doc_70/ameb_adminjava_guide/concept/con_reg_dir_java_api.html


    Regards,
    Rama


    ------------------------------
    Rama Yenumula
    ------------------------------



  • 5.  RE: ISAM policy servers load balancing.

    Posted Wed May 13, 2020 04:46 PM
    Thank you very much Rama. It helps me a lot.

    ------------------------------
    David Vicenteño
    ------------------------------



  • 6.  RE: ISAM policy servers load balancing.

    Posted Fri May 15, 2020 03:36 PM
    Hi,
    We are moving from PD.jar API to Registry Direct API and we would like to know the best practice concerning the permission on LDAP.
    On DN: SECAUTHORITY=DEFAULT, we gave this read permission for the service account:
    access-id:UID=ACCESSMANAGER-XXXX,OU=SERVICEACCOUNTS,DC=CA,DC=TENANTX:normal:rsc

    On DN: secAuthority=tenantX,cn=Subdomains,SECAUTHORITY=DEFAULT, we gave this write permission for the service account:
    access-id:UID=ACCESSMANAGER-XXXX,OU=SERVICEACCOUNTS,DC=CA,DC=TENANTX:normal:rwsc:object:ad

    This write access will give the service account permission to modify the group cn=iv-admin,cn=SecurityGroups,secAuthority=tenantX,cn=Subdomains,SECAUTHORITY=DEFAULT and other resources.

    The DN cn=Users,secAuthority=tenantX,cn=Subdomains,SECAUTHORITY=DEFAULT inherits its permissions from secAuthority=tenantX,cn=Subdomains,SECAUTHORITY=DEFAULT.
    We are thinking about adding the write access only on cn=Users,secAuthority=tenantX,cn=Subdomains,SECAUTHORITY=DEFAULT. Is it a good practice?


    Thanks
    ------------------------------
    Martin Caron
    ------------------------------





  • 7.  RE: ISAM policy servers load balancing.

    Posted Fri May 15, 2020 03:37 PM

    Hi,
    We are moving from PD.jar API to Registry Direct API and we would like to know the best practice concerning the permission on LDAP.
    On DN: SECAUTHORITY=DEFAULT, we gave this read permission for the service account:
    access-id:UID=ACCESSMANAGER-XXXX,OU=SERVICEACCOUNTS,DC=CA,DC=TENANTX:normal:rsc

    On DN: secAuthority=tenantX,cn=Subdomains,SECAUTHORITY=DEFAULT, we gave this write permission for the service account:
    access-id:UID=ACCESSMANAGER-XXXX,OU=SERVICEACCOUNTS,DC=CA,DC=TENANTX:normal:rwsc:object:ad

    This write access will give the service account permission to modify the group cn=iv-admin,cn=SecurityGroups,secAuthority=tenantX,cn=Subdomains,SECAUTHORITY=DEFAULT and other resources.

    The DN cn=Users,secAuthority=tenantX,cn=Subdomains,SECAUTHORITY=DEFAULT inherits its permissions from secAuthority=tenantX,cn=Subdomains,SECAUTHORITY=DEFAULT.
    We are thinking about adding the write access only on cn=Users,secAuthority=tenantX,cn=Subdomains,SECAUTHORITY=DEFAULT. Is it a good practice?

    Thanks
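The scoping question in Martin's posts (6 and 7) can be checked mechanically before touching the directory. The following Python is an added example, not code from the thread, from IBM, or from the ISDS ACL engine: it parses the two ACL strings quoted in the post, assumes (as the post does) that an ACL attached to a DN is inherited by every entry beneath it and that nothing overrides it, and lists which entries the service account can write under the current grant on the subdomain DN versus the narrowed grant on cn=Users. The user entry cn=jdoe, the function names, and the case-normalised DN spellings are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List

# ACL syntax as quoted in the thread: access-id:<subject DN>:normal:<perms>[:object:<perms>]
ACL_RE = re.compile(
    r"^access-id:(?P<subject>[^:]+):normal:(?P<perms>[a-z]+)"
    r"(?::object:(?P<obj>[a-z]+))?$"
)


@dataclass(frozen=True)
class Acl:
    target_dn: str     # DN the ACL is attached to (normalised)
    subject_dn: str    # service account named by access-id (normalised)
    attr_perms: str    # normal-class attribute permissions, e.g. "rsc" or "rwsc"
    object_perms: str  # object permissions, e.g. "ad", or "" when absent


def normalize_dn(dn: str) -> str:
    """Lower-case each RDN and drop whitespace so DNs compare by value."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def parse_acl(target_dn: str, acl: str) -> Acl:
    m = ACL_RE.match(acl.strip())
    if m is None:
        raise ValueError(f"unrecognised ACL syntax: {acl!r}")
    return Acl(normalize_dn(target_dn), normalize_dn(m["subject"]),
               m["perms"], m["obj"] or "")


def is_at_or_below(entry_dn: str, target_dn: str) -> bool:
    """True when entry_dn is target_dn itself or sits anywhere beneath it."""
    e, t = normalize_dn(entry_dn), normalize_dn(target_dn)
    return e == t or e.endswith("," + t)


def writable_entries(acls: List[Acl], entries: List[str], subject_dn: str) -> List[str]:
    """Entries the subject may write, under the post's assumption that an ACL on a
    DN is inherited by everything beneath it and nothing overrides it."""
    subject = normalize_dn(subject_dn)
    return [
        entry for entry in entries
        if any(acl.subject_dn == subject and "w" in acl.attr_perms
               and is_at_or_below(entry, acl.target_dn) for acl in acls)
    ]


# DNs and ACL strings from the thread (case normalised); cn=jdoe is constructed.
SERVICE_ACCOUNT = "UID=ACCESSMANAGER-XXXX,OU=SERVICEACCOUNTS,DC=CA,DC=TENANTX"
ROOT = "secAuthority=default"
SUBDOMAIN = "secAuthority=tenantX,cn=Subdomains," + ROOT
USERS = "cn=Users," + SUBDOMAIN
IV_ADMIN = "cn=iv-admin,cn=SecurityGroups," + SUBDOMAIN
SAMPLE_USER = "cn=jdoe," + USERS  # constructed sample user entry
ENTRIES = [ROOT, SUBDOMAIN, USERS, IV_ADMIN, SAMPLE_USER]

READ_ACL = f"access-id:{SERVICE_ACCOUNT}:normal:rsc"
WRITE_ACL = f"access-id:{SERVICE_ACCOUNT}:normal:rwsc:object:ad"


def current_scope() -> List[str]:
    """Write grant on the subdomain DN, as the poster has it today."""
    acls = [parse_acl(ROOT, READ_ACL), parse_acl(SUBDOMAIN, WRITE_ACL)]
    return writable_entries(acls, ENTRIES, SERVICE_ACCOUNT)


def narrowed_scope() -> List[str]:
    """Write grant moved down to cn=Users, the change the poster is considering."""
    acls = [parse_acl(ROOT, READ_ACL), parse_acl(USERS, WRITE_ACL)]
    return writable_entries(acls, ENTRIES, SERVICE_ACCOUNT)


def removed_from_write_scope() -> List[str]:
    """Entries the narrowing takes out of the service account's write reach."""
    narrowed = set(narrowed_scope())
    return [e for e in current_scope() if e not in narrowed]


if __name__ == "__main__":
    for label, scope in (("current", current_scope()), ("narrowed", narrowed_scope())):
        print(f"{label} write scope:")
        for dn in scope:
            print("  ", dn)
    print("no longer writable:", removed_from_write_scope())
```

Running it shows that with the grant on the subdomain DN the iv-admin group is inside the service account's write scope, and with the grant on cn=Users only the users container and its children remain writable; the read grant on SECAUTHORITY=DEFAULT is unaffected either way. The model deliberately ignores explicit overrides further down the tree, so compare its output with the directory's own effective-ACL reporting before relying on it.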