Symantec Access Management

Expand all | Collapse all

Transparent Router(s) for Identity Management Provisioning Tier - DXLINK

  • 1.  Transparent Router(s) for Identity Management Provisioning Tier - DXLINK

    Posted 10-19-2018 06:13 PM

    Team,

     

    While researching on how to speed up performance for the provisioning tier, I decided to introduce a feature set from CA Directory called transparent routing aka DXLink.

     

     

    The one typical deployment model for CA Identity Manager to MS Active Directory is shown below:

    - Note:  CA Directory & CA Identity Manager Provisioning Directory DSAs are not shown for simplicity. 

     

     

    With the introduction of CA Directory transparent routers, we now have the following:

    - Note:  CA Directory & CA Identity Manager Provisioning Directory DSAs are not shown for simplicity. 

     

     

    We can now view the ADS bind over the CCS service to MS Active Directory, as the request flows from the IMPS GUI to the IAMCS/JCS to the CCS.    This process with the normal explore & correlate process, we can add in DSA trace modes to capture additional stats.

     

     

     

     

    The goal is that for CCS performance, we typically only have only two (2) default logging methods to use.

    -   satrans*.log    (in im_ccs.conf)  -  Valuble information, that enhances the data typically seen in the IMPS etatrans*.logs.

    -   full trace mode  (MS Windows Registry)  -  trace files impact performance and file growth is GBs.

     

     

     

     

    With the above process to leverage CA Directory DXlink feature set, we now have alternative method.

     

    With this data, we will expect to build testing processes, via Jmeter or other to emulate IMPS functionality to determine upper limits for performance to the CCS services.

     

     

     

    A view of the files added for the feature set for all three (3) provisioning services:  IMPS, IAMCS/JCS, and CCS.

     

     

     

     

    Using Jxplorer to pre-check that the configuration is working well:  (with and without TLS)

     

     

     

     

     

     

     

     

     

     

    The below included files are pre-setup for use with TLS.

    - Which will require updating an entry in local hosts file for  cn=eta_server.

     

    TLS may be disabled, if that has no value for your lab.

     

    Note:  The below error message will display, if eta_server is not added to the hosts files:

     

     

     

    Also, ensure the personalities (aka server certs) are setup for your admin routers; name must match.

    -  Since we are using the provisioning tier, we can just make copies of the existing cert files.

     

     

     

    To assist with your investigation:   Use trace with   set trace=x500;   to view cert and authentication to the DSAs.

     

     

     

    Note:   For this lab, since we were using CA Directory on the Identity Suite vApp, the port for the IMPS service was set to be non-SSL (TCP 20389) to avoid conflict of the hostname entry of  eta_server, that are being used for IAMCS and CCS.

    -  This configuration can be/could be avoided if we installed CA Directory binaries on the connector server; but we did not need this for the lab.

     

     

     

     

     

    For the vApp remote IAMCS connector with the embedded CCS service, there is one file that will need to be updated with the remote admin router (for ccs) hostname/ip and new TCP Port (and if TLS will be used).   [3 lines]

     

    - C:\Program Files (x86)\CA\Identity Manager\Connector Server\jcs\conf\override\server_ccs.properties

     

     

    To update the IME to IMPS Directory Port; export the IMPS Directory.xml then update the TCP port, and re-import this new XML file.

     

     

    To update the IMPS knowledge of the IAMCS/JCS Port, use CX UI to directly edit this entry; or register a new IAMCS/JCS with the new TCP Port.

     

     

    Cheers,

     

    Alan



  • 2.  Re: Transparent Router(s) for Identity Management Provisioning Tier - DXLINK

    Posted 11-08-2018 02:59 AM

    Hello Kosei,

     

    If I am not mistaken one has to configure several an LDAP records in CA PAM - one for each AD tree (irrelevant there is a trust in between)

     

    Alternatively, I can think of leveraging the CA Directories DXLink feature to basically unify both trees to one (using a so called "LDAP router")

    How this is accomplished is e.g. described here:

    Working with Multiple LDAP Servers - CA Privileged Access Manager Server Control - 14.1 - CA Technologies Documentation 

     

    Cheers,

    Andreas