Security Directory Server proxy environment setup

A Security Directory Server proxy is a special type of IBM Security Directory Server that provides request routing, load balancing, fail over, distributed authentication and support for distributed/membership groups and partitioning of containers.

ISAM customers who want to use the Security Directory Server proxy server must purchase a separate Security Directory Server entitlement. The version of Security Directory Server that is part of the ISAM package does not allow ISAM customer-use of the Security Directory Server proxy server. See the proxy server instructions in the IBM Security Directory Server Administration Guide. Then, return to this document for instructions about setting up the proxy server to work with IBM Security Verify Access.

ISAM stores metadata within a required suffix called secAuthority=Default. Metadata includes information used to track user and group status information specific to ISAM. When we use a proxy, the secAuthority=Default object itself cannot be modified using the proxy because the object at a proxy partition split point that cannot be modified through the proxy. Therefore, ISAM cannot be configured directly through the proxy because ISAM must modify the secAuthority=Default object during configuration.

In a proxy environment, the administrator must decide on the back-end server the secAuthority=Default subtree is hosted and set up that back-end server and the proxy partition information to reflect that topology. This example configures Server A to host the secAuthority=Default subtree.

Data under a proxy partition split point (for example, o=ibm,c=us) is hashed to determine which back-end server has the subtree. In this example, Proxy is configured to hash RDN values immediately after o=ibm,c=us among two servers. This example also means the RDN values more than 1 away from o=ibm,c=us will map to the same server as values immediately after o=ibm,c=us. For this reason, it is more advantageous to configure the proxy with a single partition for the secAuthority=Default suffix.

To distribute the ISAM metadata within the secAuthority=Default suffix among multiple back-end servers, it is best to split the partition below the cn=Users,secAuthority=Default container. Entries are made on behalf of each user who is defined, below the cn=Users,secAuthority=Default container and therefore splitting this user information can help distribute the data more evenly across the back-end servers. This example does not distribute the data but instead maintain the entire secAuthority=Default subtree within Server A.

• Add the ISAM suffix to the proxy
  
• Security Verify Access configuration with the proxy
  

Parent topic: User registry configuration