Symantec Access Management

  • 1.  DSA Replication - best practice

    Posted Jul 26, 2021 03:28 AM

    What is the best topology for replicating DSAs (session store and policy store)?

    I have 2 sites and 4 DSAs (two on each site).

    Now for the policy store each DSA has all 4 config/knowledge files.
    For the session store instead, at each site, each DSA has knowledge only of the same-site DSA.

    Now I need to change my topology because I need sessions synchronized site to site.

    Can I use the same topology that I have for the policy store (each DSA has all DSAs' knowledge)?

    I have another question: My DSAs do not use multi-write-disp-recovery but I'd like to use it. What is the best way to change the sync mode?

    Thanks in advance
    Marco


  • 2.  RE: DSA Replication - best practice

    Broadcom Employee
    Posted Jul 27, 2021 11:34 AM
    Marco,

    Yes, to set up replication among DSAs (regardless of whether it is MW replication or MW-DISP recovery replication), one has to share knowledge of all DSAs with each other for it to work, just like how you currently have it configured for the Policy Store DSAs.

    It is NOT recommended to configure Session Store DSAs with MW-DISP recovery replication. I believe that is the reason why you might currently have the following defined in each of the session store DSA's SERVERS .dxi file.

    set multi-write-disp-recovery = false; (This is the default value when you create a DSA).

    The above is clearly specified in the SSO online documentation where it talks about how to configure Symantec Directory as a Session Store. As the session store needs to perform at a high level, it is recommended not to have MW-DISP recovery replication, along with the fact that the transaction log should also be disabled for session store DSAs.

    See:
    https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/installing/install-a-policy-server/configure-ldap-directory-servers-as-policy-session-and-key-stores/configure-ca-directory-as-a-session-store.html

    Hope this helps and clarifies.

    ~Hitesh
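
An added example, not part of the original posts and not Broadcom code: a small audit that checks the two conditions from the reply above across a set of session store DSAs, namely that every DSA has knowledge of all DSAs and that `multi-write-disp-recovery` is left at `false`. The DSA names, the `#` comment convention and the input shape (settings text plus the set of DSA names each DSA knows, collected by the operator) are assumptions.

```python
import re

# "set <name> = <value>;" is the settings syntax quoted in the reply above.
SET_RE = re.compile(r"^\s*set\s+([\w-]+)\s*=\s*([^;]+?)\s*;", re.MULTILINE)

def parse_settings(dxi_text):
    """Return {name: value} from settings text; a later line overrides an earlier one."""
    text = re.sub(r"#.*", "", dxi_text)  # assumption: '#' starts a comment
    return {k.lower(): v.lower() for k, v in SET_RE.findall(text)}

def audit_session_stores(dsas):
    """dsas maps DSA name -> {"settings": str, "knows": set of DSA names}.
    Returns findings; an empty list means full-mesh knowledge and no DISP recovery."""
    findings = []
    for name in sorted(dsas):
        missing = sorted(set(dsas) - set(dsas[name]["knows"]))
        if missing:
            findings.append(f"{name}: no knowledge of {', '.join(missing)}")
        # Unset means false, the default stated in the reply.
        value = parse_settings(dsas[name]["settings"]).get("multi-write-disp-recovery", "false")
        if value != "false":
            findings.append(f"{name}: multi-write-disp-recovery = {value}")
    return findings

# Constructed sample: the site-local topology from the question, with one DSA
# where DISP recovery was switched on. All DSA names are hypothetical.
SITE_LOCAL = {
    "ss-a1": {"settings": "set multi-write-disp-recovery = false;", "knows": {"ss-a1", "ss-a2"}},
    "ss-a2": {"settings": "# defaults only", "knows": {"ss-a1", "ss-a2"}},
    "ss-b1": {"settings": "set multi-write-disp-recovery = true;", "knows": {"ss-b1", "ss-b2"}},
    "ss-b2": {"settings": "# set multi-write-disp-recovery = true;", "knows": {"ss-b1", "ss-b2"}},
}
# Same DSAs after sharing all four knowledge entries and resetting ss-b1.
FULL_MESH = {n: {"settings": "set multi-write-disp-recovery = false;", "knows": set(SITE_LOCAL)}
             for n in SITE_LOCAL}

if __name__ == "__main__":
    for label, topo in (("site-local", SITE_LOCAL), ("full mesh", FULL_MESH)):
        print(label, audit_session_stores(topo) or "OK")
```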


  • 3.  RE: DSA Replication - best practice

    Posted Jul 28, 2021 06:49 AM
    Thanks!
    Now I have all my session stores replicated with async replication.