B.1 Planning a Multiple-Tree Solution

Consider the following guidelines when creating a multiple-tree business continuity cluster.

B.1.1 Cluster Synchronization

The Cluster Synchronization driver pair and its associated SSL certificate must be created for BCC to work between the two eDirectory trees. Typically, cluster synchronization runs between one cluster in each of the trees, and those clusters then synchronize the information with the other peer clusters in their own tree.

B.1.2 User Synchronization

If user-based access control is required for the cluster resources in the business continuity cluster, you must synchronize the user identities between the two eDirectory trees. To do this, create a single User Synchronization driver for the business continuity cluster.

If user-based access control is not needed for your cluster resources, the User Synchronization driver is optional.

Only one User Synchronization driver is required per eDirectory tree, even if you have multiple business continuity clusters set up. It is okay to have multiple User Synchronization drivers per tree.

The User object container should be in the same eDirectory partition as the Identity Manager node and cluster that you are using to create the User Synchronization driver. If the User object container is not in the same partition, you can create a partition for the User container, then add a read/write replica of the partition on the Identity Manager node in the cluster that you are using to create the User Synchronization driver. If you create multiple User Synchronization drivers, each of the clusters involved must have a read/write replica of that User object container. An alternative approach when using a single User Synchronization driver is to make the eDirectory master server be a node in the cluster, install Identity Manager on that same node, then use that cluster when creating a User Synchronization driver. In this case, you do not need to create the User object container and to add server replicas.

The BCCAdmin user needs administrator rights in the container where the User objects reside so that User objects can be synchronized between eDirectory trees. For information, see Section 4.1.5, Novell eDirectory 8.8.

B.1.3 SSL Certificates for Drivers

In a multiple-tree business continuity cluster, you should create separate SSL certificates for the Cluster Resource Synchronization driver and for the User Object Synchronization driver. We recommend that you create SSL certificates for your business continuity cluster to support secure data transfers between eDirectory trees. BCC works without the SSL certificates, but the data transfers between the trees are then not secured by SSL.

You create one certificate for each of the driver pairs if the data flow is unidirectional. Two certificates are required if the data flow for the driver is bidirectional (one certificate for each direction). For example, create one SSL certificate for data flowing from TreeA to TreeB and a second SSL certificate for data flowing from TreeB to TreeA.

For security reasons, you should create or use a certificate other than the default (dummy) certificate (BCC Cluster Sync KMO) that is included with BCC.