8.1 Installing Secondary Versions of the Administration Console

The Administration Console contains an embedded version of eDirectory, which contains all configuration information of Access Manager. It also contains a server communications module, which is in constant communication with the Access Manager modules. If the Administration Console goes down and you have not installed any secondary consoles, your Access Manager components also go down and your protected resources become unavailable.

You can create fault tolerance by installing up to two secondary consoles. You must install at least one secondary console.

8.1.1 Prerequisites

  • The Administration Consoles must have their time synchronized. You can ensure this by configuring the machines to use the same network time server for time synchronization.

  • Secondary consoles must be installed on the same operating system as the primary console. For example, if your primary console is installed on Windows, all secondary consoles must be installed on Windows. If your primary console is installed on Linux, all secondary consoles must be installed on Linux.

  • If you are going to install your clustered Identity Servers on the same machines as your primary and secondary consoles, the Administration Consoles cannot be configured as a virtual group on an L4 switch. For more information, see Managing Administration Consoles Installed on Clustered Identity Servers.

Managing Administration Consoles Installed on Clustered Identity Servers

You can install the primary Administration Console and the Identity Server on the same machine, even when the Identity Server is going to be assigned to a cluster of Identity Servers. You can install a secondary Administration Console on another member of the Identity Server cluster. The Administration Consoles cannot be configured as a virtual group on an L4 switch. The L4 switch interferes with the communication process between the Administration Consoles and the Access Manager components. Each Access Manager component knows which Administration Console is its primary console and its secondary console and knows how to communicate directly with each console. The component, rather than an L4 switch, needs to make the decision on which console it needs to contact.

However, traffic destined for a cluster of components (Identity Servers or Access Gateways) must pass through an L4 switch. Figure 8-1 illustrates this configuration, showing Identity Servers on the same machines as Administration Consoles.

Figure 8-1 Identity Server Clustering with a Secondary Administration Console

  1. Install the primary Administration Console and an Identity Server on one machine by using the Administration Console’s IP address when importing the Identity Server component.

  2. Install the secondary Administration Console and a second Identity Server on another machine by using the primary Administration Console’s IP address when importing the second Identity Server.

  3. Specify the L4 VIP as the DNS for the Identity Server cluster configurations that both Identity Servers use. (See Configuring an Identity Server.)

8.1.2 Installing a Second Console

  1. Insert the CD containing the Administration Console software.

    Most of the installation process is the same for a secondary console as for a primary. For these basic instructions, see Installing the Administration Console in the NetIQ Access Manager 4.2 Installation and Upgrade Guide.

  2. To install a secondary console, answer No to the following prompt:

    Is this the primary administration server in a failover group?

  3. When prompted, specify the IP address of the primary console.

  4. Continue with the installation process.

    After installing a secondary console, you might need to wait from 30 to 60 minutes before using it. The components query the primary console hourly for information about available consoles, and they reject commands from a console that is not in their approved list. You can force components to recognize the secondary console by restarting the Integration Agent on each Identity Server and Access Gateway with the following command:

    /etc/init.d/novell-jcc restart

  5. If you have added multiple replicas for any of the user stores, you need to manually add them to the secondary console. See Configuring the User Store.

8.1.3 Understanding How Consoles Interact with Each Other and with Access Manager Devices

Primary and secondary consoles use eDirectory synchronization to keep their configuration databases current.

WARNING: As long as the primary console is running, all configuration changes must be made at the primary console. If you make changes at both a primary console and a secondary console, browser caching can cause you to create an invalid configuration.

Access Manager devices use the secondary console only when the primary console is down. Therefore, if a secondary console goes down while the primary console is running, devices are notified, but they continue to run by using the primary console for configuration information. The secondary console can be down for as long as required to fix the problem without affecting other Access Manager devices.

When the primary console goes down, all of the devices discover this and switch to using the secondary console. This can take a few minutes, because each device has its own trigger for checking in with the Administration Console. After the device has switched to using the secondary console, it continues to run just as it did when it was communicating with the primary console. When the primary console comes back online, all devices discover this and switch back to using the primary console. Again, this can take a few minutes.

Not all tasks are available from the secondary console:

Tasks Requiring the Primary Console

The primary console must be used for the following tasks:

New Device Installation: The primary console must be running when you install new devices such as another Access Gateway.

Backup and Restore: Backup and restore must be run on the primary console. When the restore is completed, you must restart Tomcat on all secondary consoles.

  • Linux: Run the following command:

    /etc/init.d/novell-ac restart

  • Windows: Run the following commands:

    net stop Tomcat7
    net start Tomcat7

For more information about backup and restore, see Section 24.0, Back Up and Restore.
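Both restarts this section calls for (the Integration Agent on each Identity Server and Access Gateway after adding a secondary console, and Tomcat on each secondary console after a restore) are usually needed on several hosts at once. The following shell script is an added example, not part of the NetIQ guide: it maps each host in a small inventory to the command given above for its role and operating system, and only prints the commands unless DRY_RUN=0 is set. The host names, root ssh access and the DRY_RUN variable are assumptions.

```shell
#!/bin/sh
# Added example, not from the NetIQ guide: push the restarts this section
# describes to a list of hosts. Host names, ssh-as-root and DRY_RUN are assumptions.
DRY_RUN=${DRY_RUN:-1}   # default to printing; set DRY_RUN=0 to really run over ssh

# Map a host kind and OS to the restart command given in this section.
#   device  = Identity Server / Access Gateway (Integration Agent, novell-jcc)
#   console = secondary Administration Console (Tomcat, after a restore);
#             on Windows the guide's two net commands are run in sequence
restart_cmd() {
  case "$1:$2" in
    device:linux)    echo "/etc/init.d/novell-jcc restart" ;;
    console:linux)   echo "/etc/init.d/novell-ac restart" ;;
    console:windows) echo "net stop Tomcat7 && net start Tomcat7" ;;
    *) echo "no restart command known for $1/$2" >&2; return 1 ;;
  esac
}

# Run a command on a host over ssh, or just print it when DRY_RUN=1.
run_on() {
  if [ "$DRY_RUN" = 1 ]; then
    echo "$1: $2"
  else
    ssh "root@$1" "$2"
  fi
}

# Read "host kind os" lines from stdin and restart each host; returns 1 if
# any host failed, so the failed ones can be retried instead of waiting.
restart_inventory() {
  rc=0
  while read -r host kind os; do
    [ -n "$host" ] || continue
    if cmd=$(restart_cmd "$kind" "$os"); then
      run_on "$host" "$cmd" || rc=1
    else
      rc=1
    fi
  done
  return "$rc"
}

# Constructed inventory: two clustered Identity Servers, one Access Gateway,
# and the secondary console installed alongside the second Identity Server.
INVENTORY="idp1.example.test device linux
idp2.example.test device linux
ag1.example.test device linux
admin2.example.test console linux"

printf '%s\n' "$INVENTORY" | restart_inventory
```

Run it once with the default dry run to review the host list, then with DRY_RUN=0 when the output matches the deployment; a non-zero exit marks hosts that still need attention.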

Tasks Available from the Secondary Console

When the primary console goes down, the secondary console can be used for the following tasks:

  • Administrators can make configuration changes on a secondary console, and these changes are sent to Access Manager components.

  • Access Manager components can use the secondary console to access their configuration information and to respond to configuration changes. When the primary console becomes functional, components revert to using the primary console, but they continue to accept commands from the secondary consoles.