Content Platform Engine supports LDAP failover for authorization when IBM® Tivoli® Directory Server is the configured directory server.
If your FileNet® P8 requires continuous availability and a high degree of reliability, you should configure failover for authorization. By configuring Tivoli Directory Server failover you eliminate a single point of failure by switching automatically to another directory server when the current one becomes unavailable. This can happen for a variety of reasons, including system failure, decommissioning the directory server, stopping the server for maintenance, or changing its host name. Because failover happens automatically and no application restart is necessary, users usually do not experience service disruption.
To provide failover support for authentication, that is, for login, use the features of the Content Platform Engine application server. Consult your application server documentation.
A load balancer with a virtual IP address can be used to distribute directory service workload. When connecting to the virtual IP, the request is routed to a directory server behind it. If you configure session affinity on your load balancer, requests from the same client always get routed back to the same server. When that directory server is brought down, the connection is lost and the ongoing LDAP operation errors out. However, by using virtual IP failover, Content Platform Engine will catch the error and send a connection retry request back to the load balancer which dispatches the request to a different directory server still in service
The failover list method is useful if you have a preferred order of servers for your failover sequence. A failover list consists of one or more host:port pairs, for example, host1:389 host2:389 host3:389. The host can be a host name or an IP address. The host name can be either a short name such as host1 or a fully-qualified DNS name such as host1.mydomain.com. Although it is possible to specify only one pair in the failover list, you should have two or more pairs to create a true failover sequence.
For best performance, you should create your failover list by using a Tivoli Directory Serverthat is local to your Content Platform Engine servers, that is, at the same network site. If you must specify remote a Tivoli Directory Server and you are using the host:port pair method, place the remote servers at the end of the failover list.
When Content Platform Engine is started, it attempts to connect to each pair in order from left to right until it finds a working pair. Content Platform Engine then uses this pair for LDAP access until the server that is specified by this pair becomes unavailable for some reason. Content Platform Engine then starts the failover process again by going back to the beginning of the failover list and trying each pair from left to right. If it cannot connect to any pair in the list, various types of errors are generated on the client, depending on the point of failure. For example, it might be a DNS error such as UnknownHost, a network error, or a connection refused error.
Properties in Administration Console for Content Platform Engine | Value |
---|---|
Host | host1:389 host2:389 host3:389 (for nonsecured connection) host1:636 host2:636 host3:636 (for SSL connection) |
Port | Content Platform Engine ignores any value in the Port property |
Name Type Data
==========================================
tdsServers Host (A) 10.10.10.11
tdsServers Host (A) 10.10.10.12
tdsServers Host (A) 10.10.10.13
Notice that the host name tdsServers is mapped to three IP addresses. Using Administration Console for Content Platform Engine, you can set tdsServers as the value of Host field, and 389 as the value of Port field. During the failover process, Content Platform Engine performs the following steps:
The benefit of using multiple IP host name for failover is that you do not need to modify a failover list when you decommission a Tivoli Directory Server or change its host name. Instead, the DNS data will be updated in DNS Server, and Content Platform Engine will read the latest DNS data when it needs to fail over to another Tivoli Directory Server.
In some cases, this method is preferable to the host:port pairs method. For example, if you have many applications communicating with many directory servers and a directory server is decommissioned or its host name is changed, you change it in the DNS server and all applications will use the updated DNS data to perform failover. No application restart is necessary. Also, the multiple IP host name method uses the services of the DNS server and can require less maintenance than other methods.