16.1 Prerequisites

16.1.1 Identity Vault

Before installing the Identity Vault in a clustered environment, NetIQ recommends reviewing the following considerations:

  • You must have external shared storage supported by the cluster software, with sufficient disk space to store all Identity Vault and NICI data:

    • The Identity Vault DIB must be located on the cluster shared storage. State data for the Identity Vault must be located on the shared storage so that it is available to the cluster node that is currently running the services.

    • The root Identity Vault instance on each of the cluster nodes must be configured to use the DIB on the shared storage.

    • You must also share NICI (NetIQ International Cryptographic Infrastructure) data so that server-specific keys are replicated among the cluster nodes. NICI data used by all cluster nodes must be located on the cluster shared storage.

    • NetIQ recommends storing all other eDirectory configuration and log data on the shared storage.

  • You must have a virtual IP address.

  • (Conditional) If you are using eDirectory as the support structure for the Identity Vault, the nds-cluster-config utility supports configuring the root eDirectory instance only. eDirectory does not support configuring multiple instances and non-root installations of eDirectory in a cluster environment.

For more information about installing the Identity Vault in a clustered environment, see Deploying eDirectory on High Availability Clusters in the NetIQ eDirectory Installation Guide.

16.1.2 Identity Applications

You can install the database for the identity applications in an environment supported by Tomcat clusters with the following considerations:

  • The cluster must have a unique cluster partition name, multicast address, and multicast port. Using unique identifiers separates multiple clusters to prevent performance problems and anomalous behavior.

    • For each member of the cluster, you must specify the same port number for the listener port of the identity applications database.

    • For each member of the cluster, you must specify the same hostname or IP address of the server hosting the identity applications database.

  • You must synchronize the clocks of the servers in the cluster. If server clocks are not synchronized, sessions might time out early, causing HTTP session failover not to work properly.

  • NetIQ recommends that you do not use multiple logins across browser tabs or browser sessions on the same host. Some browsers share cookies across tabs and processes, so allowing multiple logins might cause problems with HTTP session failover (in addition to risking unexpected authentication functionality if multiple users share a computer).

  • The cluster nodes reside in the same subnet.

  • A failover proxy or a load balancing solution is installed on a separate computer.

16.1.3 Database for Identity Applications

Database clustering is a feature of each respective database server. NetIQ does not officially test with any clustered database configuration because clustering is independent of the product functionality. Therefore, we support clustered database servers with the following caveats:

  • By default, the maximum number of connections is set to 100. This value might be too low to handle the workflow request load in a cluster. You might see the following exception:

    java.sql.SQLException: Data source rejected establishment of connection, message from server: "Too many connections."

    To increase the maximum number of connections, set the max_connections variable in the my.cnf file to a higher value.

  • Some features or aspects of your clustered database server might need to be disabled. For example, Transactional Replication must be disabled on certain tables due to constraint violations when trying to insert a duplicate key.

  • We do not provide assistance on the installation, configuration, or optimization of the clustered database server, including installation of our products into a clustered database server.

  • We exert our best effort to resolve any issues that might arise with the use of our products in a clustered database environment. Troubleshooting methods in a complex environment often require cooperative work to resolve issues. NetIQ provides expertise to analyze, plan, and troubleshoot the NetIQ products. The customer must provide expertise to analyze, plan and troubleshoot any third-party products. We ask customers to reproduce issues or analyze behavior of their components in a non-clustered environment to help isolate potential cluster setup issues from NetIQ product issues.
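
The max_connections caveat above can be checked before the cluster goes live. The following is an added example, not NetIQ code: it reads the value the [mysqld] group of a my.cnf file would yield and compares it with a worst-case demand estimate. The sample file contents, the function names, and the sizing inputs (nodes, pool_per_node, reserve) are assumptions made for illustration.

```python
import re

# Default stated in this section; a server build may ship a different default.
PAGE_DEFAULT_MAX_CONNECTIONS = 100

# Constructed sample my.cnf, for illustration only.
SAMPLE_MY_CNF = """\
[client]
max_connections = 9999   # wrong group: the server ignores it
[mysqld]
port = 3306
max-connections = 100    # dash form is equivalent to underscore form
"""


def effective_max_connections(text, default=PAGE_DEFAULT_MAX_CONNECTIONS):
    """Return max_connections as set in the [mysqld] group, else the default."""
    group, value = None, default
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop '#' comments
        if not line or line.startswith((";", "!")):
            continue                          # ';' comment or !include (not followed)
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            group = header.group(1).strip().lower()
            continue
        name, sep, val = line.partition("=")
        if group == "mysqld" and sep and \
                name.strip().lower().replace("-", "_") == "max_connections" and \
                val.strip().isdigit():
            value = int(val.strip())          # a later setting overrides an earlier one
    return value


def check_capacity(text, nodes, pool_per_node, reserve=10):
    """Compare the configured limit with the cluster's worst-case demand.

    nodes, pool_per_node and reserve are hypothetical sizing inputs.
    """
    limit = effective_max_connections(text)
    required = nodes * pool_per_node + reserve
    return {"limit": limit, "required": required, "ok": limit >= required}


if __name__ == "__main__":
    print(check_capacity(SAMPLE_MY_CNF, nodes=3, pool_per_node=50))
```

Settings pulled in through !include or !includedir directives are not followed, so run the check against each included file as well.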