IBM Verify


SDS HA or master/replica with ISVA

  • 1.  SDS HA or master/replica with ISVA

    Posted Thu April 01, 2021 10:00 AM
    Hi all,

    Which are the best practices for using Security Directory Server HA or master/replica with ISVA?

    Regards,
    Rodrigo

    ------------------------------
    Rodrigo Xavier
    ------------------------------


  • 2.  RE: SDS HA or master/replica with ISVA

    Posted Fri April 16, 2021 04:21 AM
    Hi Rodrigo,

    There are some considerations depending on the size and geographical distribution of your data-centres and failover/DR methodology.

    In general, the best way to set up IBM Security Directory Server for use with Verify Access is to set up the directory cluster in multi-master mode but then configure the "replica" configuration in Verify Access so that it load-balances read operations but favours a single directory instance for writes (with failover).  That way you get high performance read operations and you do not risk conflicts in your write operations.

    Jon.

    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------



  • 3.  RE: SDS HA or master/replica with ISVA

    Posted Tue April 20, 2021 03:32 PM
    Thank you, Jon!
    We'll study the customer scenario to check the best solution.

    Regards,
    Rodrigo

    ------------------------------
    Rodrigo Xavier
    ------------------------------



  • 4.  RE: SDS HA or master/replica with ISVA

    Posted Thu April 22, 2021 05:28 AM
    Hi Jon:
    In the Federated Directory, I can create multiple ones.
    When I create a new one, I can find the attributes "Name", "Hostname", and more.
    I can add multiple Suffixes, but only 1 hostname. How do I specify the IP address of both SDS Masters?

    I only see one possibility, which is adding another entry in the Federated Directory, where I can specify a new one, but with the same suffix.
    Is this the correct way to configure highly available LDAP servers?

    ------------------------------
    Joao Goncalves
    Pyxis, Lda.
    Sintra
    +351 91 721 4994
    ------------------------------



  • 5.  RE: SDS HA or master/replica with ISVA

    Posted Thu April 22, 2021 05:56 AM
    Hi Joao,

    You can only configure a single LDAP server when configuring a new federated directory in the UI.
    [It is the same for the "primary" LDAP actually (set up during initial config)]

    In both cases, the way to add replicas is to edit the ldap.conf file.  In the LMI, navigate to the Web-->Runtime Component page and then select Manage-->Configuration files-->ldap.conf from the drop-down menu.

    In the ldap.conf configuration file you'll find comments that describe how to specify replicas for both the primary and federated directories. It's the same in both cases (addition of replica entries) except that the primary replicas are added in the [ldap] stanza and the federated replicas are added in the [server:<federated directory>] stanza.

    As an aside, worth noting that replicas can be configured with a priority (which controls load-balancing and failover behaviour) and with a type (so you can define different behaviour for read vs write operations).

    Jon.

    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------



  • 6.  RE: SDS HA or master/replica with ISVA

    Posted Thu April 22, 2021 06:02 AM
    Thanks.

    ------------------------------
    Joao Goncalves
    Pyxis, Lda.
    Sintra
    +351 91 721 4994
    ------------------------------



  • 7.  RE: SDS HA or master/replica with ISVA

    Posted Mon June 14, 2021 02:45 PM
    Hi Jon,

    Do I need to install a "Proxy Server" in the ISDS Installation Manager?

    Regards,

    ------------------------------
    Alexandre Gammaro
    CyberSecurity Specialist
    Triscal
    ------------------------------



  • 8.  RE: SDS HA or master/replica with ISVA

    Posted Mon June 14, 2021 03:19 PM
    Edited by Jon Harry Mon June 14, 2021 03:19 PM

    Alexandre,

    You do not need to install the Proxy. This is an extra component which is used if you have a very large directory and you need to segment different parts of the dataset into different clusters.

    I don't think this component is covered by the entitlement for Directory Server that comes with Verify Access.

    From the licence information document:
    ---
    Prohibited Components

    Licensee is not authorized to use any of the following components or functions of the Program:
    IBM Security Directory Server Proxy server (of IBM Security Directory Server)
    IBM Security Directory Integrator Federated Directory Server

    ---
    https://www-03.ibm.com/software/sla/sladb.nsf/lilookup/18B10C746F0BCDBF8525863E004D11A0?OpenDocument

    Jon. 



    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------



  • 9.  RE: SDS HA or master/replica with ISVA

    Posted Mon June 14, 2021 06:23 PM
    Hi Jon,

    Ok great.
    But... how do I configure master/replica in ISVA to do that?
    The documentation in the Knowledge Center is not very clear on implementing HA for ISDS.

    Regards,

    ------------------------------
    Alexandre Gammaro
    CyberSecurity Specialist
    Triscal
    ------------------------------



  • 10.  RE: SDS HA or master/replica with ISVA

    Posted Wed June 16, 2021 11:05 AM
    Hi Jon,

    Do I need to follow this note to set up ISDS replication? Or does ISVA do that another way?
    ibm.com/docs/pt-br/sdse/6.4.0?topic=topology-using-command-line

    Regards,

    ------------------------------
    Alexandre Gammaro
    CyberSecurity Specialist
    Triscal
    ------------------------------



  • 11.  RE: SDS HA or master/replica with ISVA

    Posted Wed June 16, 2021 11:20 AM
    Hi Alexandre,

    It's been a long time since I set up replication for ISDS.  If I remember correctly you can set it up using the IDSWebApp (it's a .war file - requires a Java App Server to run) or you can set it up by using a set of LDIF files loaded into the servers.

    One thing to be aware of is that the LDAP servers all need to be "cryptographically synchronised" in order for replication to be possible - otherwise they can't read the encrypted data that is exchanged.  Make sure you understand this before you start creating the servers.

    It looks like there's quite a lot of useful materials on the Security Learning Academy.  Take a look here:
    https://www.securitylearningacademy.com/local/navigator/index.php?level=iads02

    Jon.


    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------



  • 12.  RE: SDS HA or master/replica with ISVA

    Posted Wed June 16, 2021 07:07 PM
    Hi Jon,

    Ok, i understand.
    Now this app is called the Web Administration Tool, but I'm reading that I can configure it using the CLI.
    I'll try that.

    Tks Jon...

    ------------------------------
    Alexandre Gammaro
    CyberSecurity Specialist
    Triscal
    ------------------------------



  • 13.  RE: SDS HA or master/replica with ISVA

    Posted Thu June 17, 2021 01:18 PM
    Hi Jon,

    Sorry, but when you say "One thing to be aware of is that the LDAP servers all need to be "cryptographically synchronised" in order for replication to be possible - otherwise they can't read the encrypted data that is exchanged.  Make sure you understand this before you start creating the servers.", do you mean the 'Replication agreements' described in this doc https://www.ibm.com/docs/pt-br/sdse/6.4.0?topic=replication-agreements ? Or this one? https://www.ibm.com/docs/pt-br/sdse/6.4.0?topic=administering-synchronizing-two-way-cryptography-between-server-instances#t_adg_apndix_sync_crypto_server_instances

    Regards,


    ------------------------------
    Alexandre Gammaro
    CyberSecurity Specialist
    Triscal
    ------------------------------



  • 14.  RE: SDS HA or master/replica with ISVA

    Posted Thu June 17, 2021 01:45 PM
    Alexandre,

    The second one:
    https://www.ibm.com/docs/pt-br/sdse/6.4.0?topic=administering-synchronizing-two-way-cryptography-between-server-instances#t_adg_apndix_sync_crypto_server_instances

    Jon.

    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------



  • 15.  RE: SDS HA or master/replica with ISVA

    Posted Thu June 17, 2021 07:53 PM
    Hi Jon,

    Cool, i will read about this.

    Regards,

    ------------------------------
    Alexandre Gammaro
    CyberSecurity Specialist
    Triscal
    ------------------------------



  • 16.  RE: SDS HA or master/replica with ISVA

    Posted Mon June 21, 2021 06:35 PM
    Hi Jon,

    I performed the replication and worked fine.
    In ISVA, do I need to put this line in ldap.conf?
    replica = serverldap.domain.local,389,readonly,5

    Regards,

    ------------------------------
    Alexandre Gammaro
    CyberSecurity Specialist
    Triscal
    ------------------------------



  • 17.  RE: SDS HA or master/replica with ISVA

    Posted Tue June 22, 2021 03:51 AM
    Hi Alexandre,

    Let's consider that you have 2 LDAP servers in peer configuration (both are writable):
      ldap1.domain.local
      ldap2.domain.local

    When setting up LDAP, you configure ldap1.domain.local in the main configuration (host=ldap1.domain.local)
    We call this the "primary" LDAP.

    The "primary" LDAP is always considered to be a readwrite server with priority 5.

    So, by adding the following line:

    replica = ldap2.domain.local,389,readwrite,4

    You have configured the 2nd LDAP as a 2nd readwrite server to be used only when the "primary" is unavailable.  With this configuration both read and write operations are in "failover" mode.  While ldap1 is available, no requests will go to ldap2 (because it has a lower priority).

    If you want read operations to be balanced between both servers, you can add readonly entries to the replica list.  These should have the same priority and this priority should be higher than 5.  So, now the replica entries look like this:

    replica = ldap1.domain.local,389,readonly,6
    replica = ldap2.domain.local,389,readonly,6
    replica = ldap2.domain.local,389,readwrite,4

    With this configuration, read operations will be balanced across the two servers (because they both have priority 6 for readonly)
    Write operations will all go to ldap1 as long as it is available (because it has highest priority for readwrite)
    If ldap1 fails, write operations will go to ldap2 (because it will then be the highest readwrite server).

    Hopefully this helps to explain how the priority is used to control balance/failover behaviour.

    Jon.


    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------



  • 18.  RE: SDS HA or master/replica with ISVA

    Posted Fri June 25, 2021 03:18 PM
    Hi Jon,

    Great, with that explanation... it's easy to implement that.

    Regards,

    ------------------------------
    Alexandre Gammaro
    CyberSecurity Specialist
    Triscal
    ------------------------------