Content Platform Engine supports LDAP failover for authorization when Active Directory is the configured directory server. You can configure Active Directory failover using host:post pairs or by using domain names.
Connections between Content Platform Engine and Active Directory fail if the configured domain controller is not available. Therefore, you should provide Active Directory failover for authorization if your FileNet® P8 system requires continuous availability and a high degree of reliability. Active Directory failover eliminates a single point of failure by switching automatically to another domain controller when the current domain controller becomes unavailable. The Content Platform Engine server can be unavailable for a variety of reasons, including system failure, decommissioning the directory server, stopping the server for maintenance, or changing its host name. Because failover happens automatically and no application restart is necessary, users usually do not experience service disruption. Of the three types of Active Directory configurations (single-realm, multi-realm, and entire forest), you can configure failover for single-realm and multi-realm, but not for the entire forest.
For performance reasons, you should create your failover list by using Active Directory and Content Platform Engine servers that are local, that is, at the same network site. If you must specify remote Active Directory servers and you are using the host:port pair method, place the remote servers at the end of the failover list.
To provide failover support for authentication, that is, for login, use the features of the Content Platform Engine application server. Consult your application server documentation. For a more detailed procedure on how to configure a failover, see Configuring directory server failover (Microsoft Active Directory).
One way to configure Active Directory failover support is by specifying a failover list. A failover list consists of one or more host:port pairs, for example, dc1:389 dc2:389 dc3:389. The host can be a host name or an IP address. The host name can be either a short name such as dc1 or a fully-qualified DNS name such as dc1.mydomain.com. Although you can specify only one pair in the failover list, you should have two or more pairs to create a true failover sequence. You must create both a DC failover list and a GC failover list.
When Content Platform Engine is started, it attempts to connect to each pair in order from left to right until it finds a working pair. Content Platform Engine then uses this pair for LDAP access until the server that is specified by this pair becomes unavailable for some reason. Content Platform Engine then starts the failover process again by going back to the beginning of the failover list and trying each pair from left to right. If it cannot connect to any pair in the list, various types of errors can be generated on the client, depending on the point of failure. For example it might be a DNS error such as UnknownHost, a network error, or a connection refused error.
Properties in Administration Console for Content Platform Engine | Value |
---|---|
Host | dc1:389 dc2:389 dc3:389 (for nonsecured connection) dc1:636 dc2:636 dc3:636 (for SSL connection) |
Port | Content Platform Engine ignores any value in the Port property |
GCHost | gc4:3268 gc5:3268 gc6:3268 (for nonsecured connection) gc4:3269 gc5:3269 gc6:3269 (for SSL connection) |
GCPort | Content Platform Engine ignores any value in the GCPort property |
The benefit of using domain names for failover is that you do not need to modify a failover list when you decommission a domain controller or change its host name. Instead, the DNS data will be updated by the DNS Server, and Content Platform Engine will read the latest DNS data when it needs to fail over to another domain controller.
A DNS A (address) record is a DNS record that associates a DC or GC host name with one or more IP addresses. For example, you could create an A record named my_dc that will associated with three local domain controllers: 9.39.50.155, 9.39.50.157, and 9.39.50.159. Content Platform Engine pings these domain controllers until one is available.
In some cases, this method is preferable to the host:port pairs method. For example, if you have many applications communicating with many directory servers and a directory server is decommissioned or its host name is changed, you remove it from the DNS server and all applications will use the updated DNS data to perform failover. No application restart is necessary.
You can maintain a list of directory servers that is associated to a DNS name on your DNS server. All applications point to this DNS name instead of specific server names. The DNS name can be either an AD domain name or an arbitrary host name that is associated to multiple IP addresses of AD servers.
Properties in Administration Console for Content Platform Engine | Value |
---|---|
Host | mydomain.com |
Port | 389 |
GCHost | mydomain.com |
GCPort | 3268 |
Name Type Data
==========================================
localAD Host (A) 10.10.10.11
localAD Host (A) 10.10.10.12
Then, in Administration Console for Content Platform Engine, you can set the following fields.
Properties in Administration Console for Content Platform Engine | Value |
---|---|
Host | localAD |
Port | 389 |
GCHost | localAD |
GCPort | 3268 |
For more information about DNS A records, see your Active Directory documentation.