Hi Sudip,
Enclosing a high level view of the IGA solution components in play for Active Directory and other managed endpoints.
We use this diagram to help outline the data flows through the solution stack, including Active Directory.
The point we want to raise is that, besides the C++ connector, if you are using a remote configuration (which is the new default when using the IGA virtual appliance), you may need to adjust configurations/parameters from their default values to increase performance and scale to larger transaction loads.
- You may wish to review documentation on the MS Win OS ENV variables that override defaults of the C++ connector.
- You may wish to adjust the JCS parameters/configurations that improve scalability for thousands of submissions.
- The connector tier's stability is very important, as any delay here will impact the IM UI submission rate.
- We recommend a minimum 1:2 ratio of IME (top tier) to IMPS/JCS/CCS (provisioning/connector tiers) to avoid process delays. The solution can be impacted both by bad data at the endpoint and/or through an incorrect submission. Having additional provisioning/connector tiers will lower this risk.
References that may be of value:
Lifecycle of the userPassword in CA Identity Manager & Use of Jmeter for scalability testing
https://community.broadcom.com/enterprisesoftware/communities/community-home/digestviewer/viewthread?MessageKey=024589bb-63c6-4314-b1e1-579b482ddb7d&CommunityKey=f9d65308-ca9b-48b7-915c-7e9cb8fc3295#bm024589bb-63c6-4314-b1e1-579b482ddb7d
Monitoring Load Balancing of JCS Tier & Refresh Rate
https://community.broadcom.com/enterprisesoftware/communities/community-home/digestviewer/viewthread?MessageKey=3bb43ed0-6895-44b0-9001-b91e3dadd8f8&CommunityKey=f9d65308-ca9b-48b7-915c-7e9cb8fc3295#bm3bb43ed0-6895-44b0-9001-b91e3dadd8f8
Monitor data flow path for the CA Identity Suite CCS Service to Active Directory
https://community.broadcom.com/enterprisesoftware/communities/community-home/digestviewer/viewthread?GroupId=2197&MID=793765&CommunityKey=f9d65308-ca9b-48b7-915c-7e9cb8fc3295&tab=digestviewer
....
Depending on the release version of the IGA solution and the AD endpoint, when you re-acquire an AD endpoint you may wish to test the performance of the embedded authentication by testing with one of three (3) login formats:
- UPN (aka email format) administrator@domain.com {preferred}
- LDAP DN: cn=administrator,cn=users,dc=domain,dc=com
- NT4: domain\administrator
We recommend the use of openssl s_client to validate the ADS domain public CA root cert, to ensure it is still correct. If a prior public CA root cert still exists in the MS Windows keystore (certlm.msc), this can impact TLS communication from the C++ server to the MS Windows host(s). Typically, this is a challenge when you are managing multiple ADS domains that do not have an ADS trust between them. You can validate the public CA root cert with JXplorer or other LDAP client tools.
Regards,
------------------------------
Alan Baugher
ANA
------------------------------
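The checks Alan describes above (inspecting the root CA a domain controller presents on LDAPS with openssl s_client, watching for a retired root that is still trusted, and trying the UPN / LDAP DN / NT4 bind formats), collected into one script. This is an added example and not code from the thread or from the Identity Manager product; the hostname, the pinned fingerprints, the CA file path, the bind identities and the environment variable names are all assumptions to replace with your own values, and the live checks need openssl and ldapsearch on the path:

```shell
#!/bin/sh
# Added example, not part of the original thread. Pulls the certificate chain
# an AD domain controller presents on LDAPS with openssl s_client, compares the
# root CA it sends (if any) against a pinned current root and a pinned retired
# root, and times a simple bind with each of the three AD login formats.
# Every hostname, fingerprint, path and identity below is a placeholder.

DC_HOST="${DC_HOST:-dc01.domain.com}"                    # assumed DC LDAPS endpoint
DC_PORT="${DC_PORT:-636}"
CA_FILE="${CA_FILE:-/etc/pki/tls/certs/ads-root.pem}"    # assumed pinned root CA (PEM)
BIND_PW="${BIND_PW:-}"                                   # supplied via the environment
# SHA-256 fingerprints (placeholders) of the current root CA and of a retired
# root that may still sit in certlm.msc on the Windows hosts.
PINNED_ROOT="${PINNED_ROOT:-00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF}"
RETIRED_ROOT="${RETIRED_ROOT:-FF:EE:DD:CC:BB:AA:99:88:77:66:55:44:33:22:11:00:FF:EE:DD:CC:BB:AA:99:88:77:66:55:44:33:22:11:00}"

# Split "openssl s_client -showcerts" output (stdin) into chain-0.pem,
# chain-1.pem, ... inside directory $1 and print the number of certificates.
split_chain() {
    awk -v dir="$1" '
        /-----BEGIN CERTIFICATE-----/ { f = dir "/chain-" (n + 0) ".pem"; n++ }
        f                             { print > f }
        /-----END CERTIFICATE-----/   { close(f); f = "" }
        END                           { print n + 0 }'
}

# Fingerprint comparison that ignores case and colon separators.
norm_fp()    { printf '%s' "$1" | tr -d ':' | tr '[:lower:]' '[:upper:]'; }
fp_matches() { [ "$(norm_fp "$1")" = "$(norm_fp "$2")" ]; }

classify_root() {   # $1 = SHA-256 fingerprint -> CURRENT | RETIRED | UNKNOWN
    if   fp_matches "$1" "$PINNED_ROOT";  then echo CURRENT
    elif fp_matches "$1" "$RETIRED_ROOT"; then echo RETIRED
    else echo UNKNOWN; fi
}

cert_fp() { openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'; }
cert_is_root() {    # self-signed: subject equals issuer
    s=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject=//')
    i=$(openssl x509 -in "$1" -noout -issuer  | sed 's/^issuer=//')
    [ "$s" = "$i" ]
}

bind_format() {     # UPN | DN | NT4 | UNKNOWN for an AD login string
    case "$1" in
        *\\*)                   echo NT4 ;;
        [cC][nN]=*|[oO][uU]=*)  echo DN ;;
        *@*.*)                  echo UPN ;;
        *)                      echo UNKNOWN ;;
    esac
}

time_bind() {       # simple bind as $1 over LDAPS, reading the root DSE
    start=$(date +%s)
    if ldapsearch -x -H "ldaps://$DC_HOST:$DC_PORT" -D "$1" -w "$BIND_PW" \
            -b "" -s base defaultNamingContext >/dev/null 2>&1; then rc=OK; else rc=FAIL; fi
    echo "$(bind_format "$1") bind $rc in $(( $(date +%s) - start ))s"
}

main() {
    tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
    count=$(openssl s_client -connect "$DC_HOST:$DC_PORT" -showcerts </dev/null 2>/dev/null \
            | split_chain "$tmp")
    [ "$count" -gt 0 ] || { echo "no certificate chain from $DC_HOST:$DC_PORT"; return 1; }
    for pem in "$tmp"/chain-*.pem; do
        echo "$(basename "$pem"): $(openssl x509 -in "$pem" -noout -subject) fp=$(cert_fp "$pem")"
    done
    last="$tmp/chain-$((count - 1)).pem"
    if cert_is_root "$last"; then
        echo "root CA sent by server is $(classify_root "$(cert_fp "$last")")"
    else
        echo "root CA not sent by server; top of chain was issued by: $(openssl x509 -in "$last" -noout -issuer)"
    fi
    # Independent check: does the chain verify against the root you pin locally?
    verify=$(openssl s_client -connect "$DC_HOST:$DC_PORT" -CAfile "$CA_FILE" </dev/null 2>/dev/null \
             | sed -n 's/^ *Verify return code: //p')
    echo "verify with $CA_FILE: ${verify:-no result}"
    for id in "${BIND_UPN:-administrator@domain.com}" \
              "${BIND_DN:-cn=administrator,cn=users,dc=domain,dc=com}" \
              "${BIND_NT4:-domain\\administrator}"; do
        time_bind "$id"
    done
}

# Live checks only when run with a DC hostname: ./ads-tls-check.sh dc01.domain.com
if [ -n "${1:-}" ]; then DC_HOST="$1"; main; fi
```

Domain controllers usually send only the leaf and any intermediates, so the "root CA not sent" branch is the common case; the issuer it prints is what to compare against the root in certlm.msc, and the `-CAfile` verify line tells you whether the chain actually closes against the root you intend to trust rather than a retired one. A "RETIRED" result on a server that does send its root means the host is still presenting a chain anchored on the old CA.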
Original Message:
Sent: May 28, 2023 12:20 AM
From: sudip karmacharya
Subject: Change of domain controller AD
Hi Rinat ,
Last time, while creating a new Active Directory endpoint, we faced an issue.
https://knowledge.broadcom.com/external/article/97594/im-connector-server-add-failed-code-80.html
We had to install the C++ connector server management. Then it worked.
Now, since we are changing the Domain Controller AD, this one is also a similar case.
You did not mention that, so I wanted to make sure.
Thanks in Advance
------------------------------
Network and security Engineer technical associative
Cas Trading House
Putalisadak, KTM
Original Message:
Sent: May 26, 2023 03:16 AM
From: Rinat Matityahu
Subject: Change of domain controller AD
Hi Sudip
Good to hear you have plans in place to upgrade the soon-to-be-EOS 14.3.
Without knowing the extent of the change:
1. If there is any change to IP and / or credentials - you can follow https://knowledge.broadcom.com/external/article/186271/update-ad-endpoint-password.html to update the details.
2. If using SSL, ensure to validate any SSL certificate in use.
Regards
Rinat
Original Message:
Sent: May 26, 2023 02:39 AM
From: sudip karmacharya
Subject: Change of domain controller AD
Hi Rinat ,
Thanks for your quick response .
We have Identity Manager version 14.3 and we are already planning to upgrade.
Also, we are currently running Active Directory on Windows Server 2008 with IDM.
Our team has already migrated the same AD to the newer version, Windows Server 2016.
Now we have to check the dependencies regarding what we need to do in Identity Manager as well as in the new AD.
Thanks
------------------------------
Network and security Engineer technical associative
Cas Trading House
Putalisadak, KTM
Original Message:
Sent: May 26, 2023 02:16 AM
From: Rinat Matityahu
Subject: Change of domain controller AD
Hi Sudip
Depending on the Identity Manager release you are running, please ensure to check the relevant Platform Support Matrix to confirm Microsoft Active Directory 2016 is certified. It is the case, for example, for Identity Manager 14.4 https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/identity-manager/14-4/platform-support-matrix/connectors-and-endpoint-types.html
Regards
Rinat
Original Message:
Sent: May 25, 2023 07:05 AM
From: sudip karmacharya
Subject: Change of domain controller AD
Hi Team ,
We are planning to change the domain controller AD from the older version, Windows Server 2008, to the newer version, Windows Server 2016.
We wanted to know if there is any dependency with IDM?
Thanks
------------------------------
Network and security Engineer technical associative
Cas Trading House
Putalisadak, KTM
------------------------------