6.1 Configuring Identity Manager Drivers for the Business Continuity Cluster

The Identity Manager preconfigured templates for iManager that were installed when you ran the Novell Business Continuity Clustering installation must be configured before you can manage your business continuity cluster. There are two preconfigured templates: the Cluster Resource Synchronization template (BCCClusterResourceSynchronization.XML) and the User Object Synchronization template. Both are imported into a driver set as described in Section 6.1.1.

The Identity Manager engine and eDirectory driver must be installed on one node in each cluster. The node where Identity Manager is installed must have an eDirectory full replica with at least read/write access to all eDirectory objects that will be synchronized between clusters. For information about the full replica requirements, see Section 4.1.5, Novell eDirectory 8.8.

Identity Manager requires a credential that allows you to use drivers beyond the evaluation period. The credential is part of the BCC license. In the Identity Manager interface in iManager, enter the credential for each driver that you create for BCC, and also for the matching driver in each peer cluster. You can type the credential directly or point to a file that contains it.

6.1.1 Configuring the Identity Manager Drivers and Templates

  1. Start your Internet browser and enter the URL for iManager.

    The URL is http://server_ip_address/nps/iManager.html. Replace server_ip_address with the IP address or DNS name of the server that has iManager and the Identity Manager preconfigured templates for iManager installed. The login in the next step sends your eDirectory username and password to this page, so use the https:// form of the URL where the iManager server accepts SSL connections.

  2. Specify your username and password, specify the tree where you want to log in, then click Login.

  3. In the left column, click Identity Manager Utilities, then click the New Driver link.

  4. Choose to place the new driver in a new driver set, then click Next.

    Both the User Object Synchronization driver and the Cluster Resource Synchronization driver can be added to the same driver set.

  5. Specify the driver set name, context, and the server that the driver set will be associated with.

    The server is the same server where you installed the Identity Manager engine and eDirectory driver.

  6. Choose to not create a new partition for the driver set, then click Next.

  7. Choose to import a preconfigured driver from the server, select the Identity Manager preconfigured template for cluster resource synchronization, then click Next.

    The template name is BCCClusterResourceSynchronization.XML.

  8. Fill in the values on the wizard page as prompted, then click Next.

    Each field contains an example of the type of information that should go into the field. Descriptions of the information required are also included with each field.

    • Driver name: Specify a unique name for this driver to identify its function. For example, Cluster1SyncCluster2. If you use both preconfigured templates, you must specify different driver names for each driver template.

    • Name of SSL Certificate: If you do not have an SSL certificate, leave this value set to the default. The certificate is created later in the configuration process. See Creating SSL Certificates for instructions on creating SSL certificates.

      In a single tree configuration, if you specify the SSL CertificateDNS certificate that was created when you installed NetWare on the Identity Manager node, you do not need to create an additional SSL certificate later.

    • DNS name of other IDM node: Specify the DNS name or IP address of the Identity Manager server in the other cluster.

    • Port number for this driver: Each BCC driver on an Identity Manager node listens on its own port. If you have a business continuity cluster that consists of three or four clusters, a node hosts more than one driver of the same template, so you must specify unique port numbers for each driver template set. The default port number is 2002. The port must be reachable from the Identity Manager node in the peer cluster; open it on any firewall between the two nodes.

      You must specify the same port number for the matching driver in the other cluster. For example, if you specify 2003 as the port number for the resource synchronization driver in this cluster, you must specify 2003 as the port number for the resource synchronization driver in the peer cluster.

    • Full Distinguished Name (DN) of the cluster this driver services: For example, Cluster1.siteA.Novell.

    • Full Distinguished Name (DN) of the landing zone container: Specify the context of the container where the cluster pool and volume objects in the other cluster are placed when they are synchronized to this cluster.

      This container is referred to as the landing zone. The NCP™ server objects for the virtual server of a BCC enabled resource are also placed in the landing zone.

      IMPORTANT: The context must already exist and must be specified using dot format without the tree name. For example, siteA.Novell.

      Prior to performing this step, you could create a separate container in eDirectory specifically for these cluster pool and volume objects. You would then specify the context of the new container in this step.

    The IDM Driver object must have sufficient rights to any object it reads or writes in the following containers:

    • The Identity Manager driver set container.

    • The container where the Cluster object resides.

    • The container where the Server objects reside.

      If server objects reside in multiple containers, this must be a container high enough in the tree to be above all containers that contain server objects. The best practice is to have all server objects in one container.

    • The landing zone container specified in the previous step, where the cluster pool and volume objects and the NCP server objects for the virtual servers of BCC enabled resources in the other cluster are placed when they are synchronized to this cluster.

    You can do this by making the IDM Driver object security equivalent to another User object with those rights. See Step 9. Use a User object that holds only the rights listed above rather than a tree-wide administrator such as Admin, so that the driver cannot read or write objects outside the containers it services.

    IMPORTANT: If you choose to include User object synchronization, exclude the Admin User object from being synchronized. See Step 7 in Section B.5, Synchronizing the BCC-Specific Identity Manager Drivers for information about synchronizing User objects when adding new clusters to the business continuity cluster.

  9. Make the IDM Driver object security equivalent to an existing User object:

    1. Click Define Security Equivalences, then click Add.

    2. Browse to and select the desired User object, then click OK.

    3. Click Next, then click Finish.

  10. Repeat Step 1 through Step 9 above on the other clusters in your business continuity cluster.

    This includes creating a new driver and driver set for each cluster.

    IMPORTANT: If you have upgraded to Identity Manager 3 and click either the cluster resource synchronization driver or the user object synchronization driver, a message is displayed prompting you to convert the driver to a new architecture. Click OK to convert the driver.

6.1.2 Creating SSL Certificates

It is recommended that you create an SSL certificate for the Cluster Resource Synchronization driver. Creating one certificate creates the certificate for a driver pair. For example, creating an SSL certificate for the Cluster Resource Synchronization driver also creates the certificate for the Cluster Resource Synchronization drivers on the other clusters.

To create an SSL certificate:

  1. Start your Internet browser and enter the URL for iManager.

    The URL is http://server_ip_address/nps/iManager.html. Replace server_ip_address with the IP address or DNS name of the server that has iManager and the Identity Manager preconfigured templates for iManager installed.

  2. Specify your username and password, specify the tree where you want to log in, then click Login.

  3. In the left column, click Identity Manager Utilities, then click NDS-to-NDS Driver Certificates.

  4. Specify the requested driver information for this cluster, then click Next.

    You must specify the driver name (including the context) you supplied in Step 8 for this cluster. Use the following format when specifying the driver name:

    DriverName.DriverSet.OrganizationalUnit.OrganizationName

    For example, a driver named Cluster1SyncCluster2 in a driver set named BCCDriverSet (an illustrative name) in the siteA.Novell context is specified as Cluster1SyncCluster2.BCCDriverSet.siteA.Novell.

    Ensure that there are no spaces (beginning or end) in the specified context, and do not use the cn=DriverName.ou=OrganizationalUnitName.o=OrganizationName format.

  5. Specify the requested driver information for the driver in the other cluster.

    Use the same format specified in Step 4.

  6. Click Next, then click Finish.

6.1.3 Synchronizing Identity Manager Drivers

If you are adding a new cluster to an existing business continuity cluster, you must synchronize the BCC-specific Identity Manager drivers after you have created the drivers and their SSL certificates. Until the drivers are synchronized, the new cluster cannot be enabled for business continuity. This step is not needed when you first set up the business continuity cluster.

To synchronize the BCC-specific Identity Manager drivers:

  1. Start your Internet browser and enter the URL for iManager.

    The URL is http://server_ip_address/nps/iManager.html. Replace server_ip_address with the IP address or DNS name of the server that has iManager and the Identity Manager preconfigured templates for iManager installed.

  2. Specify your username and password, specify the tree where you want to log in, then click Login.

  3. In the left column, click Identity Manager, then click the Identity Manager Overview link.

  4. Search for the BCC driver set.

  5. Click the red Cluster Sync icon for the driver you want to synchronize, then click the Migrate from eDirectory button.

  6. Click Add, browse to and select the Cluster object for the new cluster you are adding to the business continuity cluster, then click OK.

    Selecting the Cluster object causes the BCC-specific Identity Manager drivers to synchronize.

If you have multiple eDirectory trees in your BCC, see Section B.5, Synchronizing the BCC-Specific Identity Manager Drivers.

6.1.4 Preventing Identity Manager Synchronization Loops

If you have three or more clusters in your business continuity cluster, you should set up synchronization for the User objects and Cluster Resource objects in a manner that prevents Identity Manager synchronization loops. Identity Manager synchronization loops can cause excessive network traffic and slow server communication and performance.

For example, in a three-cluster business continuity cluster, an Identity Manager synchronization loop occurs when Cluster One is configured to synchronize with Cluster Two, Cluster Two is configured to synchronize with Cluster Three, and Cluster Three is configured to synchronize back to Cluster One. This is illustrated in Figure 6-1 below.

Figure 6-1 Three-Cluster Identity Manager Synchronization Loop

A preferred method is to make Cluster One an Identity Manager synchronization master in which Cluster One synchronizes with Cluster Two, and Cluster Two and Cluster Three both synchronize with Cluster One. This is illustrated in Figure 6-2 below.

Figure 6-2 Three-Cluster Identity Manager Synchronization Master

You could also have Cluster One synchronize with Cluster Two, Cluster Two synchronize with Cluster Three, and Cluster Three synchronize back to Cluster Two as illustrated in Figure 6-3.

Figure 6-3 Alternate Three-Cluster Identity Manager Synchronization Scenario
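The port rules from Step 8 (matching ports on both ends of a driver pair, a distinct port for every driver on one Identity Manager node) and the loop rule of this section can be checked before anything is enabled. The following is an added Python example, not Novell's tooling: it models each driver with the values typed into the Step 8 wizard page and validates the three layouts in Figures 6-1 to 6-3. The Driver record, the template labels and the port values are assumptions; the cluster names follow the figures.

```python
"""Sanity checks for a BCC Identity Manager driver layout.

This is an added illustration, not Novell's code.  Each BCC driver is
modelled as (cluster it services, template, peer cluster, port), which is
the information typed into the Step 8 wizard page.  check_ports()
enforces the port rules from Step 8: the two drivers of a pair use the same
port, and no two drivers on one Identity Manager node share a port.
find_loops() treats each driver pair as an undirected link between clusters
and reports a link that closes a synchronization loop (Figure 6-1) as well
as clusters that no driver connects.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Driver:
    cluster: str   # cluster this driver services (e.g. "One")
    template: str  # "resource" (Cluster Resource Sync) or "user" (User Object Sync)
    peer: str      # cluster whose Identity Manager node this driver connects to
    port: int      # "Port number for this driver"


def check_ports(drivers):
    """Return a list of port problems; an empty list means the ports are consistent."""
    problems = []
    by_key = {(d.cluster, d.template, d.peer): d for d in drivers}

    # Rule 1: every driver on a given Identity Manager node needs its own port.
    on_node = defaultdict(list)
    for d in drivers:
        on_node[(d.cluster, d.port)].append(d)
    for (cluster, port), ds in sorted(on_node.items()):
        if len(ds) > 1:
            problems.append(f"{cluster}: port {port} is used by {len(ds)} drivers")

    # Rule 2: the matching driver in the peer cluster exists and uses the same port.
    for d in sorted(drivers, key=lambda x: (x.cluster, x.template, x.peer)):
        mate = by_key.get((d.peer, d.template, d.cluster))
        if mate is None:
            problems.append(f"{d.cluster}->{d.peer} {d.template}: no matching driver on {d.peer}")
        elif mate.port != d.port and d.cluster < d.peer:  # report each mismatch once
            problems.append(f"{d.cluster}<->{d.peer} {d.template}: ports differ "
                            f"({d.port} vs {mate.port})")
    return problems


def find_loops(drivers):
    """Return loop and connectivity problems per template; empty means a clean tree."""
    problems = []
    clusters = sorted({d.cluster for d in drivers} | {d.peer for d in drivers})
    for template in sorted({d.template for d in drivers}):
        # The two drivers of a pair collapse into a single undirected link.
        links = sorted({tuple(sorted((d.cluster, d.peer)))
                        for d in drivers if d.template == template and d.cluster != d.peer})
        parent = {c: c for c in clusters}  # union-find forest over clusters

        def root(c):
            while parent[c] != c:
                c = parent[c]
            return c

        for a, b in links:
            ra, rb = root(a), root(b)
            if ra == rb:  # a and b were already connected, so this link closes a loop
                problems.append(f"{template}: link {a}-{b} closes a synchronization loop")
            else:
                parent[ra] = rb
        groups = {root(c) for c in clusters}
        if len(groups) > 1:
            problems.append(f"{template}: clusters fall into {len(groups)} disconnected groups")
    return problems


def check_layout(drivers):
    """All problems for a layout; an empty list means both checks pass."""
    return check_ports(drivers) + find_loops(drivers)


# Constructed sample layouts: cluster names follow the figures, ports are assumed.
LOOP_LAYOUT = [  # Figure 6-1: One-Two, Two-Three and Three-One form a loop
    Driver("One", "resource", "Two", 2002), Driver("Two", "resource", "One", 2002),
    Driver("Two", "resource", "Three", 2003), Driver("Three", "resource", "Two", 2003),
    Driver("Three", "resource", "One", 2004), Driver("One", "resource", "Three", 2004),
]
MASTER_LAYOUT = [  # Figure 6-2: One is the master; Two and Three each sync with One
    Driver("One", "resource", "Two", 2002), Driver("Two", "resource", "One", 2002),
    Driver("One", "resource", "Three", 2003), Driver("Three", "resource", "One", 2003),
]
CHAIN_LAYOUT = [  # Figure 6-3: One-Two and Two-Three, with no link back to One
    Driver("One", "resource", "Two", 2002), Driver("Two", "resource", "One", 2002),
    Driver("Two", "resource", "Three", 2003), Driver("Three", "resource", "Two", 2003),
]

if __name__ == "__main__":
    for name, layout in (("loop", LOOP_LAYOUT), ("master", MASTER_LAYOUT), ("chain", CHAIN_LAYOUT)):
        print(f"{name}: {check_layout(layout) or 'OK'}")
```

Run as a script, the loop layout reports the link that closes the Figure 6-1 triangle while the master and chain layouts pass; a layout is a tree exactly when every pair link joins two clusters that were not already connected. Add the User Object Synchronization drivers with their own port numbers to the same list to check both templates at once.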

To change your BCC synchronization scenario:

  1. In the Connections section of the Business Continuity Cluster Properties page, select one or more peer clusters that you want a cluster to synchronize to, then click Edit.

In order for a cluster to appear in the list of possible peer clusters, that cluster must have the following:

  • Business Continuity Clustering software installed.

  • Identity Manager installed.

  • The BCC-specific Identity Manager drivers configured and running.

  • Business continuity enabled.