Symantec IGA

  • 1.  CA IDM Disaster Recovery Environment

    Posted 07-31-2018 05:06 AM

    Hello There,

     

    We're planning on building a Disaster recovery environment for CA IDM and CA Siteminder. We have integrated CA IDM and CA Siteminder. CA Directory and CA Provisioning Directory are replicated between DC and DR.

     

    Can someone please share some ideas on how the database is replicated(MS SQL Server) since on replicating DC and DR database the configuration of DC will be copied to DR.

     

     

    Regards,

    Rajesh



  • 2.  Re: CA IDM Disaster Recovery Environment
    Best Answer

    Posted 07-31-2018 11:10 AM

    Here are my thoughts but maybe others who are involved with implementation work can comment better than myself.

     

    Setting up of database layer replication would be likely depend on the database vendor and best practices of that would likely come from that vendor.

     

    Regarding the configuration of the application layer connecting to the database layer, I think there are two approaches if you wanted the DC application server connecting to the DC database while having the DR application server connecting to the DR database which is to either:

     

    1) Not have exact copies of the configuration such that the DC application server is configured with the DC database name while the DR application server is configured with the DR database name

    2) Have both the DC application server and the DR application server configured to reference a database-alias-name where that database-alias-name would resolve differently to either the DC database or the DR database by way of DNS or host file entries

     

    Option 2 might be the better approach since references to the database may not be limited to just the application server configuration as there may be other references to the database in PX policies, custom code, etc too.



  • 3.  Re: CA IDM Disaster Recovery Environment

    Posted 08-02-2018 01:59 AM

    Hi Kenny, 

     

    We have implemented the same way, now the challenge is with IDM and Siteminder integration where the Siteminder policy store is also replicated.

    In this case the configurations of DC environment will be replicated to DR environment. The IDM domain created on integration with Siteminder on DC environment will overwrite that of DR environment. Any suggestions how can we manage this ?

     

    Regards,

    Rajesh



  • 4.  Re: CA IDM Disaster Recovery Environment

    Broadcom Employee
    Posted 07-31-2018 11:29 AM

    As KennyV noted, replication of the DB is very dependent on the DB vendor and its available functionality and 3rd party software.

     

    The thing to note about IM is that if the DR site IMs are pointing to the replica DB (which are usually read-only), they should probably be shut done until a DR event. In the DR event, the DB replica will switch to master (dependent on implementation), and then the DR IM nodes can be started and take over.

     

    The reason to keep the DR IMs off, is that if there are scheduled tasks or event, they will fail continually, as the underlining DB is read-only.



  • 5.  Re: CA IDM Disaster Recovery Environment

    Broadcom Employee
    Posted 08-01-2018 06:44 AM

    When using MS SQL Server as the IDM database, we have used the "Log Shipping" functionality to replicate the DB data to the DR database.

    Similar to what Gil mentions, this DB is in offline mode and all applications are in the shut-down state. In the case of IM, the DR app servers are not in the same app server cluster as the primary app servers.

    In the case of a disaster, the DB is brought online and the applications are started up.

    We hat a MRPO of 15 minutes, so logs were shipped every 15 minutes.

     

    I'm not so familiar with the Oracle tools, but I believe that there are native and 3rd-party options for this.

     

    As KennyV says, we used aliases in the hosts file so that prod and DR applications can use the same alias name to point to their respective databases

     

    We used asynchronous replication to replicate the user store and provisioning directory to the DR site.



  • 6.  Re: CA IDM Disaster Recovery Environment

    Posted 08-02-2018 01:44 AM

    Hi Pearse, 

     

    We have implemented the same way, now the challenge is with IDM and Siteminder integration where the Siteminder policy store is also replicated.

    In this case the configurations of DC environment will be replicated to DR environment. The IDM domain created on integration with Siteminder on DC environment will overwrite that of DR environment. Any suggestions how can we manage this ?

     

    Regards,

    Rajesh