Symantec IGA

  • 1.  Number of servers for optimal performance

    Posted May 09, 2014 01:44 PM

    Background - Currently we have IDM version 12.5 SP10 with about 2500 global users.  We utilize password self-service / sync and have AD (3 endpoints), SQL DB (7 endpoints), Oracle DB (7 endpoints), and UNIX ETC (50 endpoints).  For AD, we currently are only using the password self-service / sync; however, soon we would like to begin using provisioning roles to create AD accounts, assign AD groups, and create Exchange mailboxes.  For one of the Oracle endpoints, we have configured a template and corresponding provisioning role to create the account and assign it to roles in the DB, and we push the user's AD password to this endpoint - about 1500 users have an account in this endpoint.  We are not doing much with the SQL DBs at this point in time; however, we would like to set up something similar to what we have for the Oracle endpoint mentioned previously.  For UNIX ETC we are currently only using it to manually create accounts (via the provisioning manager tool) and manage UNIX passwords.  We do not push the AD password to the UNIX endpoints, though we would also like to do this.  We do have RCM (aka GovernanceMinder), but we have not integrated IDM with it yet.

    1 - We are planning to upgrade IDM to 12.6 SP3...  I am reading through the volumes of documentation, but is there anything in particular we should be aware of while migrating from 12.5.10 to 12.6.3?  Any tips or guidance would be appreciated.

    2 - Currently our IDM environment is supported on 3 servers...  One server runs JBOSS IDM App Server, another server runs CA Directory, CA Connector Server, and all the Provisioning components, and the third server is a SQL 2005 DB.  Given the background info above, should we add more servers to our environment?  The user console / password self-service runs VERY SLOW.  Also the connectors are very flaky...constantly losing connectivity.  I am thinking maybe we should break out the Connectors to their own server or multiple?  We do not want to add any functionality to this environment until we have upgraded and performance is better.

    Any input would be greatly appreciated!



  • 2.  RE: Number of servers for optimal performance

     
    Posted May 20, 2014 11:31 AM

    Hi All,

    Anyone have input here for Conniejean?

    Thanks!

    Chris



  • 3.  Re: Number of servers for optimal performance
    Best Answer

    Posted Sep 17, 2014 12:49 PM

    conniejean,

    1 - We are planning to upgrade IDM to 12.6 SP3...  I am reading through the volumes of documentation, but is there anything in particular we should be aware of while migrating from 12.5.10 to 12.6.3?  Any tips or guidance would be appreciated.

     

    My understanding, from discussions with CA architects, is that the Provisioning/Connector layer architecture in 12.6.3 has been drastically overhauled from the 12.5 footprint.  We are looking to upgrade as well, and this was noted as one of the major differences...

     

    2 - Currently our IDM environment is supported on 3 servers...  One server runs JBOSS IDM App Server, another server runs CA Directory, CA Connector Server, and all the Provisioning components, and the third server is a SQL 2005 DB.  Given the background info above, should we add more servers to our environment?

     

    To boost performance there are several options:

    • Adding an additional JBOSS server and running it in a cluster would help the web tier be more responsive for sure. (We run a 4-legged IBM WAS cluster on 12.5 SP14, 2 GB JVM size per leg.)
    • CA architects have noted that most companies do not separate the Provisioning and Connector servers; however, moving the Provisioning Directory to its own 64-bit server should give you a big boost in performance.
      • The Provisioning Directory loads all the data into memory and runs 4 instances of dxserver to handle the various data needs of IDM under the covers (memory intensive).
      • The Provisioning Server is only a 32-bit application, so that limits memory usage. However, the Provisioning Directories can be installed as 64-bit, and leverage more memory.
      • We run 2 - 8 GB 64-bit Provisioning servers that sit on top of 2 - 16 GB 64-bit Provisioning Directory servers (for high availability).

     

    In summary, I would recommend an additional JBOSS leg and splitting off the CA Directory to its own 64-bit server.  This should give you plenty of capacity for 2500 users.

     

    The next step, if more capacity is needed, would be to add an additional Provisioning server and set up a load balancer between the web tier and the provisioning tier.

     

    Hope this helps,

     

    Rob



  • 4.  Re: Number of servers for optimal performance

    Posted Sep 25, 2014 11:46 AM

    Great info, thanks Rob!