Symantec IGA

  • Private Community
 View Only

  • 1.  Any issues with the components using DYN IP address rather then STATIC addresses?

    Posted Nov 09, 2015 01:07 PM

    Any issues with the components using DYN IP address rather then STATIC addresses?

     

    SAs and NAs want to move towards IPv6 and want only Dynamic Addresses and Static Hostnames.

    Any issues with  any of the IdM components?

     

    Thanks.



  • 2.  Re: Any issues with the components using DYN IP address rather then STATIC addresses?

    Posted Nov 09, 2015 04:37 PM

    I assume that you are not using IP addresses in your configurations or host files for name resolution; in which case, I can't see any component in IDM having caring that the IP is dynamic. You may want to double-check your CA Directory configuration files as I have seen many people configure those with IP addresses.



  • 3.  Re: Any issues with the components using DYN IP address rather then STATIC addresses?

    Posted Nov 09, 2015 05:26 PM

    For CA Directory, we have the following issue when using dynamic addressing when there a multiple DSAs running on different hosts:

    Host1 (addr1) DSA1 running talking to DSA2 on addr2

    Host2 (addr2) DSA2 running talking to DSA1 on addr1

     

    If Host2 is restarted and allocated addr3 we now have:

    Host1 (addr1) DSA1 running talking to DSA2 on addr2

    Host2 (addr3) DSA2 running talking to DSA1 on addr1

     

    Therefore, DSA1 is talking to the incorrect address (addr2) until it is restarted/re-initialized. Until this occurs DSA1 will fail to talk to DSA2 as it is using the wrong address and DSA1 will reject connections from DSA2 as it will fail the mutual-authentication address check.

     

    In the future, we would like the DSA to be smart enough to re-resolve a hostname when a connectivity failure is detected.