Replicate the authorization database
Domain administrators can make security policy changes to a domain at any time. The policy server adjusts the domain's master authorization database to reflect those changes.
When the policy server modifies the master authorization database, it can send notification of the change to all resource manager servers with replica databases. The authorization servers then request a database update from the policy server. Resource manager servers can also check for database updates by polling the policy server at regular intervals.
Update notifications from the policy server can be configured as an automatic process or a manually controlled task. Notification is determined by the auto-database-update-notify stanza entry in the [ivmgrd] stanza of ivmgrd.conf. By default, the stanza entry value is set to yes (update notification is done automatically by the policy server):
[ivmgrd]
auto-database-update-notify = yes
This automatic setting is appropriate for environments where database changes are few and infrequent. When configuring update notification to be automatic, we must also correctly configure the max-notifier-threads and notifier-wait-time stanza entries. For information about these entries, see:
Set update notification to be manual. This requires manually executing the server replicate command to trigger replication events.
[ivmgrd]
auto-database-update-notify = no
This manual setting is appropriate for environments where database modifications occur frequently and involve substantial changes. In some cases, several database modifications can generate many update notifications that soon become obsolete because of the continuing changes to the master database. These obsolete notifications cause unnecessary network traffic and impair the performance of resource managers, which keep requesting and processing policy updates. Use manual control of update notification to finish modifying the master authorization database before update notifications are sent out to authorization servers with database replicas. In manual mode, update notification uses the notifier thread pool as it does in automatic mode. Therefore, the manual mode setting is affected by the max-notifier-threads stanza value.
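A configuration check for the settings described above, as an added example that is not part of the product or its documentation. The function name, the sample file contents and the findings wording are constructed here; it assumes ivmgrd.conf can be read as simple "key = value" stanzas, that a misspelled entry name leaves the documented default in effect, and that the two notifier entries take whole-number values.

```python
import configparser

# Constructed sample input; the numeric values are placeholders, not recommendations.
SAMPLE_AUTO = """[ivmgrd]
auto-database-update-notify = yes
max-notifier-threads = 10
notifier-wait-time = 15
"""
SAMPLE_MANUAL = """[ivmgrd]
auto-database-update-notify = no
"""

ENTRY = "auto-database-update-notify"

def audit_update_notify(conf_text):
    """Return (mode, findings) for the [ivmgrd] update-notification entries."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    if not cp.has_section("ivmgrd"):
        return "unknown", ["no [ivmgrd] stanza found"]
    stanza = cp["ivmgrd"]
    findings = []
    value = stanza.get(ENTRY)
    if value is None:
        mode = "automatic"  # the documented default is yes
        findings.append(f"{ENTRY} not set; default 'yes' applies")
    elif value.strip().lower() in ("yes", "no"):
        mode = "automatic" if value.strip().lower() == "yes" else "manual"
    else:
        return "unknown", [f"{ENTRY} has unexpected value {value!r}"]
    # Entries that resemble the intended one but are spelled differently.
    for key in stanza:
        if key != ENTRY and key.endswith("database-update-notify"):
            findings.append(f"unrecognized entry {key!r}; expected {ENTRY}")
    # Both modes use the notifier thread pool; the wait time is named for automatic mode.
    required = ["max-notifier-threads"]
    if mode == "automatic":
        required.append("notifier-wait-time")
    for key in required:
        raw = stanza.get(key)
        if raw is None:
            findings.append(f"{key} is not set explicitly")
        elif not raw.strip().isdigit():  # assumption: values are whole numbers
            findings.append(f"{key} has non-numeric value {raw!r}")
    return mode, findings
```

Run it against a copy of ivmgrd.conf after changing the notification mode, so a policy server believed to be in manual mode is confirmed to be so before a batch of policy changes begins.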