Layer 7 Access Management

Multi-Mastered LDAP Policy Stores (R12.52 SP1 CA SSO)

04-06-2015 03:52 PM

Environment Example:

1. Policy Server 1 is talking to Policy Stores 42, 43, 44, 45 (in that order).

2. Policy Server 2 is also talking to the same set of Policy Stores in the same order (42, 43, 44, 45).


Both Policy Server 1 and Policy Server 2 are registered to the same WAMUI. When I log in to Policy Server 1 using the WAMUI, I am able to create and modify domains. When I log in to the same WAMUI using Policy Server 2, I am NOT able to create domains.

If we have multiple Policy Store instances, issues can occur when trying to create objects because the schema was not updated in all Policy Store instances (the schema is not replicated, only the data is), combined with making Policy Store changes from the same WAMUI while pointing at different Policy Store LDAP instances.


We should check the Policy Server Upgrade Guides and confirm that they clearly document that, if an upgrade requires a schema update, the update must be applied to each Policy Store instance in a replicated LDAP Policy Store environment; again, schema updates are not replicated and must be made on each LDAP instance.


Also, any administrative changes in a SiteMinder environment should be made against a single Policy Store instance in a Multi-Master LDAP Policy Store environment.
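The two checks above (every master carries the post-upgrade schema, and every Policy Server uses the same master for administration) can be scripted against subschema dumps. The following is an added example, not code from the original post or from CA; the object class names, OIDs and master names are constructed placeholders, and it assumes the first entry in each Policy Server's store list is the one used for administration.

```python
import re
from typing import Dict, List, Set

# Constructed sample subschema output (the shape `ldapsearch -s base -b cn=subschema
# objectClasses` returns) from three masters after an upgrade whose schema update
# was applied only to master42 and master44. Names/OIDs are placeholders.
BASE = (
    "dn: cn=subschema\n"
    "objectClasses: ( 1.3.6.1.4.1.99999.1 NAME 'exPolicyDomain' SUP top STRUCTURAL MUST cn )\n"
    "objectClasses: ( 1.3.6.1.4.1.99999.2 NAME 'exPolicyRealm' SUP top STRUCTURAL MUST cn )\n"
)
UPGRADE = (
    "objectClasses: ( 1.3.6.1.4.1.99999.3 NAME ( 'exAddedInUpgrade' 'exAddedAlias' )\n"
    "  SUP top AUXILIARY MAY description )\n"  # LDIF-folded continuation line
)
SUBSCHEMA_DUMPS: Dict[str, str] = {
    "master42": BASE + UPGRADE,
    "master43": BASE,            # schema update was never applied here
    "master44": BASE + UPGRADE,
}

# First NAME of each objectClasses definition; handles both NAME 'x' and NAME ( 'x' 'y' ).
OBJECTCLASS_NAME = re.compile(r"^objectClasses:\s*\(\s*\S+\s+NAME\s+\(?\s*'([^']+)'", re.M)


def parse_object_classes(ldif: str) -> Set[str]:
    """Unfold LDIF continuation lines, then collect object class names."""
    unfolded = ldif.replace("\n ", "")
    return set(OBJECTCLASS_NAME.findall(unfolded))


def schema_drift(dumps: Dict[str, str]) -> Dict[str, Set[str]]:
    """Per master, the object classes some other master defines but this one lacks."""
    per_master = {m: parse_object_classes(d) for m, d in dumps.items()}
    union: Set[str] = set().union(*per_master.values())
    return {m: union - oc for m, oc in per_master.items() if union - oc}


def admin_master_consistent(store_lists: Dict[str, List[str]]) -> bool:
    """True when every Policy Server's ordered store list starts with the same master."""
    return len({stores[0] for stores in store_lists.values()}) == 1


if __name__ == "__main__":
    print("schema drift:", schema_drift(SUBSCHEMA_DUMPS))
    servers = {"ps1": ["42", "43", "44", "45"], "ps2": ["42", "43", "44", "45"]}
    print("same admin master:", admin_master_consistent(servers))
```

A master listed under schema drift is the one where creating the newer object types will fail, which is the symptom described at the top of the post.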


The following is from the R12.52 SP1 Policy Server Release Notes:


Multi-Mastered LDAP Policy Stores

LDAP directories using multi-master technology may be used as CA SiteMinder® policy stores. The following configuration is recommended when configuring an LDAP policy store in multi-master mode:

A single master should be used for all administration.

A single master should be used for key storage.


This master does not need to be the same as the master used for Administration. However, we recommend that you use the same master store for both keys and administration. In this configuration, all key store nodes should point to the master rather than a replica.

Note: If you use a master for key storage other than the master for administration, then all key stores must use the same key store value. No key store should be configured to function as both a policy store and a key store.

All other policy store masters should be set for failover mode.


Due to possible synchronization issues, other configurations may cause inconsistent results, such as policy store corruption or Agent keys that are out of sync.

Contact CA SiteMinder® Support for assistance with other configurations.
