Some customers in questions regarding the fault tolerance, might have confused as there wasn't a lot of statements releases the SDS Typologies for IBM Security Identity Manager fault tolerance recently in 2019 since there are not much changes this area, and in term of Topology has to be involved with the complex service work has to be done with unique business requirements. As with many customers, I have been on a steep learning curve to understand the capabilities this brings for many years. As an interesting exercise, I thought I'd try a short simple SDS identity blog and look at in the various layers of the SDS could be managed as what the best recommended method, specially for IBM Security Directory server with ISIM environment..
This article provides an overview of the SDS/Identity and the aspects of it. The article(s) does provide a detailed explanation of SDS/Identity. Where appropriate I will highlight where IBM Security capabilities apply on SDS however, some are not relevant to the IBM Security Identity Manager.
The simple topology for the ISIM on SDS is "Master to Replica Technology" only a way to support due to a number of reasons behind this, one of the most part transaction data intensive applications on WAS, might cause the data integrity issue which might want to prevent from when the SDS replica configuration concerns.
We have older documents for the developer workers like Tivoli, SDS Typologies has not changed in terms of how the SDS runs, and recover from data.
ISIM typologies with SDS
Master to replica only
Master → Replica
The master to replica topology is one of the most common typologies. It is the most basic topology and is easy to set up. It has one read-write server and one read-only server.
Peer to Peer Topology sync each other
Peer 1 ←→ Peer 2 ---( This part could be potential data integrity issue when Peer 2 sync'ed back to Peer 1, but the request sent to some stage, never completed.)
The peer to peer topology is the second most common topology used. It is mostly used in high availability applications as it has two read-write servers.
The Master forwarder replica Topology
Master → Forwarder → Replica
Though not used frequently, we included this topology as the Forwarder is a special type of server. It is a read-only server which acts as a "router" to a set of replicas under it.
Second article is greater detail on how the ISIM 6. And 7 are supported regarding HA and DR setup. Only highlight is important part of configuration is
Summary :
Only one server can be active at a time. The other must be in a failover-only mode.
I would say this below article might be the best practice of all for SDS replica for ISIM environment.
Below is pasted from Welcome to Wikis
| Ibm |
remove preview |
|
| Welcome to Wikis |
| developerWorks wikis allow groups of people to jointly create and maintain content through contribution and collaboration. Wikis apply the wisdom of crowds to generating information for users interested in a particular subject. You can search all wikis, start a wiki, and view the wikis you own, the wikis you interact with as an editor or reader, and the wikis you follow. |
| View this on Ibm > |
|
|
Set up IBM Security Directory Server (ISDS) Replication
IBM Security Directory Server stores users, accounts, and organizational data. To provide failover capability, install it as a cluster using a IBM Security Directory server on each of two separate systems. Data is synched between the two servers.
Only one server can be active at a time. The other must be in a failover-only mode. It must be running but not accessed by ISIM. Use a failover-only load balancer between ISIM and the IBM Security Directory Server nodes. The load balancer routes traffic to one directory server until that server fails. The load balancer then routes the traffic to the other active node.
Only one back-end directory server should be active at a time. Upon failover the load balancer should terminate any other active connections to the failed server.
The following steps illustrate how to set up a peer-to-peer replication. In the example, the server host names are hadrsds1 and hadrsds2. The LDAP suffix declaration is dc=com. You must run the ISIM middleware configuration utility tool for each server. It creates the instances to use the same user password, LDAP suffix and encryption seed.
For details on running middleware configuration utility, see Running the middleware configuration utility in the IBM Knowledge Center for IBM Security Identity Manager 6.0.0.6.
Edit the /home/itimldap/idsslapd-itimldap/etc/ibmslapd.conf file on both ISDS servers. Find ibm-slapdServerId: and set it as in the following example.
On hadrsds1:
ibm-slapdServerId: peer1
On hadrsds2:
ibm-slapdServerId: peer2
Start both ISDS servers
- /opt/IBM/ldap/V6.3.1/sbin/ibmslapd -I itimldap
-
On each server, create file /temp/rep1.ldif with the following content:
dn: cn=Master Server, cn=configuration
objectclass: ibm-slapdReplication
cn: Master Server
ibm-slapdMasterDN: cn=any
ibm-slapdMasterPW: secret
On each server, add the entries into ibmslapd.conf
/opt/IBM/ldap/V6.3.1/bin/idsldapadd -D cn=root -w <password> -i /temp/rep1.ldif
Stop the ISDS servers
/opt/IBM/ldap/V6.3.1/sbin/ibmslapd -I itimldap -k
On each server, create the following in a file called /temp/rep2.ldif
dn: cn=replication,cn=IBMpolicies
objectclass: container
dn: cn=simple,cn=replication,cn=IBMpolicies
objectclass:ibm-replicationCredentialsSimple
cn:simple
replicaBindDN:cn=any
replicaCredentials:secret
description:Bind method of the peer master (hadrsds1) to the peer master(hadrsds2)
On each server, add the entries. Ignore the error message about one of the entries already in existence.
/opt/IBM/ldap/V6.3.1/sbin/idsldif2db -r no -i /temp/rep2.ldif -I itimldap
Restart the servers.
Create the following in a file called /temp/dccom.ldif
dn: dc=com
objectclass: top
objectclass: domain
dc: com
Add the dc=com suffix object.
/opt/IBM/ldap/V6.4/bin/ldapadd -h localhost -p 389 -D cn=root -w <password> -c -v -f /temp/dccom.ldif
Use the ISDS Web Admin tool to connect to each ISDS server. Log in as an administrative user.
-
Select Directory management > Manage entries
-
Click the dc=com check-box and select Action > Edit ACL
-
Select Non-filtered ACLs > Add
-
Subject DN> Enter cn=root
-
Click Grant all
-
Click Ok
-
Click Owners
-
Subject DN> Enter cn=root
-
Click Add
-
Click Ok
Click Logout
-
On each server, create the following in file /temp/dccontext.ldif
dn: dc=com
changetype: modify
add: objectclass
objectclass: ibm-replicationcontext
-
On each server, add the context to dc=com.
/opt/IBM/ldap/V6.3.1/bin/idsldapmodify -D cn=root -w <password> -i /temp/dccontext.ldif
Stop the ISDS servers.
/opt/IBM/ldap/V6.3.1/sbin/ibmslapd -I itimldap -k
-
On each server, create the following content in file /temp/rep3.ldif
dn: ibm-replicaGroup=default,dc=com
objectclass: top
objectclass: ibm-replicaGroup
ibm-replicaGroup: default
dn: ibm-replicaServerId=peer1,ibm-replicaGroup=default,dc=com
objectclass: top
objectclass: ibm-replicaSubentry
ibm-replicaServerId: peer1
ibm-replicationServerIsMaster: true
cn: peer1
description: peer1 (peer master) ibm-replicaSubentry
dn: ibm-replicaServerId=peer2,ibm-replicaGroup=default,dc=com
objectclass: top
objectclass: ibm-replicaSubentry
ibm-replicaServerId: peer2
ibm-replicationServerIsMaster: true
cn: peer2
description: peer2 (peer master) ibm-replicaSubentry
#peer1 to peer2 agreement
dn: cn=peer2,ibm-replicaServerId=peer1, ibm-replicaGroup=default,dc=com
objectclass: top
objectclass: ibm-replicationAgreement
cn: peer2
ibm-replicaConsumerId: peer2
ibm-replicaUrl: ldap://hadrsds2:389
ibm-replicaCredentialsDN: cn=simple,cn=replication,cn=IBMpolicies
description: peer1(master) to peer2(master) agreement
#peer2 to peer1 agreement
dn: cn=peer1,ibm-replicaServerId=peer2, ibm-replicaGroup=default,dc=com
objectclass: top
objectclass: ibm-replicationAgreement
cn: peer1
ibm-replicaConsumerId: peer1
ibm-replicaUrl: ldap://hadrsds1:389
ibm-replicaCredentialsDN: cn=simple,cn=replication,cn=IBMpolicies
description: peer2(master) to peer1(master) agreement
cn=ibmpolicies
dn: ibm-replicaGroup=default,cn=ibmpolicies
objectclass: top
objectclass: ibm-replicaGroup
ibm-replicaGroup: default
dn: ibm-replicaServerId=peer1,ibm-replicaGroup=default,cn=ibmpolicies
objectclass: top
objectclass: ibm-replicaSubentry
ibm-replicaServerId: peer1
ibm-replicationServerIsMaster: true
cn: peer1
description: peer1 (peer master) ibm-replicaSubentry
dn: ibm-replicaServerId=peer2,ibm-replicaGroup=default,cn=ibmpolicies
objectclass: top
objectclass: ibm-replicaSubentry
ibm-replicaServerId: peer2
ibm-replicationServerIsMaster: true
cn: peer2
description: peer2 (peer master) ibm-replicaSubentry
#peer1 to peer2 agreement
dn: cn=peer2,ibm-replicaServerId=peer1, ibm-replicaGroup=default,cn=ibmpolicies
objectclass: top
objectclass: ibm-replicationAgreement
cn: peer2
ibm-replicaConsumerId: peer2
ibm-replicaUrl: ldap://hadrsds2:389
ibm-replicaCredentialsDN: cn=simple,cn=replication,cn=IBMpolicies
description: peer1(master) to peer2(master) agreement
#peer2 to peer1 agreement
dn: cn=peer1,ibm-replicaServerId=peer2, ibm-replicaGroup=default,cn=ibmpolicies
objectclass: top
objectclass: ibm-replicationAgreement
cn: peer1
ibm-replicaConsumerId: peer1
ibm-replicaUrl: ldap://hadrsds1:389
ibm-replicaCredentialsDN: cn=simple,cn=replication,cn=IBMpolicies
description: peer2(master) to peer1(master) agreement
On each server, add the replica agreement entries
/opt/IBM/ldap/V6.3.1/sbin/idsldif2db -r no -i /temp/rep3.ldif -I itimldap
Start the ISDS servers
/opt/IBM/ldap/V6.3.1/sbin/ibmslapd -I itimldap
-
Install ISIM and point to either ISDS server as the target. Give the peer ISDS server a few minutes after the ISIM install completes to catch up on all the replication entries.
If you have existing data under suffix dc=com before the replication is set up, you need to export it.
/opt/IBM/ldap/V6.3.1/sbin/idsdb2ldif -I <INSTANCE_NAME> -o <OUTPUT FILE>
Transfer the exported ldif file to the destination server and import it into the ISDS instance.
/opt/IBM/ldap/V6.3.1/sbin/idsldif2db -I <INSTANCE_NAME> -i <INPUT_FILE>
------------------------------
Masa Imokawa
Software Engineer
IBM
------------------------------