

Multiple Data Centers

CA SiteMinder® does not distinguish a global deployment from multiple data centers on the same continent; it treats both the same way. Consequently, factors outside of CA SiteMinder®, rather than the product itself, determine the performance of a multi–data center deployment. The key factors include the following:

We recommend that you consider the following outside factors as you plan for a multi–data center deployment:

Best Practices

Consider the following when configuring data centers:

Architectural Considerations

Consider the following architectural factors when planning for a CA SiteMinder® data center:

Example: Local Host Files Pointing Policy Servers to the Local Consumer User Store

Two geographically separated data centers include Policy Servers pointing to a consumer user store named myusers.

To point each Policy Server to the local consumer user store

  1. On the Policy Server host systems in data center one, use a local hosts file to map myusers to 111.11.111.1.
  2. On the Policy Server host systems in data center two, use a local hosts file to map myusers to 222.22.222.2.
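The following is an added example, not part of the CA SiteMinder® documentation or product: it maintains the myusers alias in a hosts file so that the same store name resolves to a different LDAP host in each data center, and it checks the result the way the resolver's "files" source would. The alias and the two addresses come from the example above; the base hosts-file content is constructed, and the file path is whatever you pass in.

```python
"""Added example, not CA SiteMinder code: keep a hosts-file alias so that
Policy Servers in each data center resolve the shared user-store name
"myusers" to their local LDAP host.  The base file content used below is
constructed; the alias and addresses are those from the page."""
import ipaddress
import os

USER_STORE_ALIAS = "myusers"


def parse_hosts(text):
    """Parse hosts-file text into (ip, [names]) tuples, ignoring comments."""
    entries = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop trailing comments
        if len(fields) >= 2:
            entries.append((fields[0], fields[1:]))
    return entries


def lookup(text, name):
    """Resolve NAME as the resolver's 'files' source does: first match wins."""
    for ip, names in parse_hosts(text):
        if name in names:
            return ip
    return None


def upsert(text, name, ip):
    """Return TEXT with NAME mapped to IP and every stale mapping of NAME removed,
    so repeated runs never leave two conflicting lines for the alias."""
    ipaddress.ip_address(ip)   # reject a mistyped address before it reaches the resolver
    kept = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and name in fields[1:]:
            continue                           # old mapping for this alias
        kept.append(line)
    kept.append(f"{ip}\t{name}")
    return "\n".join(kept) + "\n"


def configure_local_user_store(path, ip, alias=USER_STORE_ALIAS):
    """Apply the alias to the hosts file at PATH and return what it now resolves to."""
    text = ""
    if os.path.exists(path):
        with open(path) as f:
            text = f.read()
    with open(path, "w") as f:
        f.write(upsert(text, alias, ip))
    with open(path) as f:
        return lookup(f.read(), alias)


if __name__ == "__main__":
    # Constructed sample: the same base file on a Policy Server host in each data center.
    base = "127.0.0.1\tlocalhost\n# local aliases\n"
    dc1 = upsert(base, USER_STORE_ALIAS, "111.11.111.1")
    dc2 = upsert(base, USER_STORE_ALIAS, "222.22.222.2")
    print("data center one:", lookup(dc1, USER_STORE_ALIAS))
    print("data center two:", lookup(dc2, USER_STORE_ALIAS))
```

Two checks belong with this technique: the hosts file must be writable only by root, because anyone who can edit it can redirect the Policy Server's user-store traffic to a host of their choosing, and the host's name-service order must consult the hosts file before DNS or the alias is silently ignored. If the Policy Server connects to the store over TLS, the LDAP server certificate in each data center must be valid for the alias name, not only for the server's real host name.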

Multiple Data Center Use Cases

The purpose of the following use cases is to get you thinking about your CA SiteMinder® data centers in terms of network latency and resiliency. The use cases begin with a simple deployment and progress into more complex scenarios.

These use cases are intended to identify techniques that you can use as part of a global architecture and are not intended as a final architecture. Extrapolate the necessary infrastructure from these cases to configure data centers that best meet the needs of your organization.

All Components in One Data Center

The simplest deployment includes all required CA SiteMinder® components in a single data center.

The following diagram illustrates:

Consider the following:

More information:

Redundancy and High Availability

All Components in Multiple Data Centers

You extend the CA SiteMinder® environment by deploying multiple data centers. The following factors can influence your decision to implement multiple data centers:

The following diagram illustrates:

More information:

Policy Server to Policy Store Communication

All Components in One Data Center

CA SiteMinder® Agent Communicating Across a Data Center

If all components cannot be in the same data center, we recommend at least collocating Policy Servers and user stores in the same data center.

The following diagram illustrates:

More information:

Policy Server to Policy Store Communication

Policy Server Communicating Across a Data Center

If all components cannot be in the same data center, we recommend at least collocating Policy Servers and user stores in the same data center.

The following diagram illustrates:

More information:

Policy Server to Policy Store Communication

Master Policy Store

All Components in One Data Center

Login Server Controlling User Store Writes

The location of the writable LDAP masters can constrain a CA SiteMinder® deployment. Consider using one or more centralized login servers so that a writable master is not required in every data center.

The following diagram illustrates:

When users request access to a protected URL in data center one:

  1. The Web Agent redirects the request to the login server in data center two. The redirect target is defined by the authentication scheme that protects the resource.

    Note: For more information about authentication schemes, see the Policy Server Configuration Guide.

  2. The Policy Server in data center two authenticates the user and writes to the master user store.
  3. The Policy Server creates a CA SiteMinder® session ticket and passes it back to the original protected URL.

    Note: For more information about user sessions, see the Policy Server Configuration Guide.

  4. A Web Agent places the CA SiteMinder® session ticket into a cookie. The Web Agent uses the cookie to handle subsequent authentication and authorization requests in the data center, until one of the following occurs:
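The exchange described in the steps above, as an added example that is not part of the CA SiteMinder® documentation or product: a small model in which the Web Agent in data center one redirects to a login server in data center two, the login server authenticates against the writable master user store and records the login there, and the browser returns to the original URL with a ticket that the local agent keeps in a cookie. The ticket format (an HMAC over JSON claims), the shared key, the user records, the host names and the target-host check are all assumptions for the illustration; the product's own session ticket format is not reproduced here.

```python
"""Added example, not CA SiteMinder code: a minimal model of the login flow.
The Web Agent in data center one redirects to a login server in data center
two; that server checks credentials against the writable master user store,
records the login there and returns the browser to the original URL with a
session ticket.  Ticket format, key, users, host names and the target-host
check are assumptions for illustration, not the product's own formats."""
import base64, binascii, hashlib, hmac, json
from urllib.parse import parse_qs, urlencode, urlsplit

AGENT_KEY = b"example-shared-agent-key"   # assumed: known to agents and the login server
TICKET_TTL = 3600                         # assumed ticket lifetime in seconds

def _sign(payload):
    return hmac.new(AGENT_KEY, payload, hashlib.sha256).hexdigest()

def mint_ticket(user, now):
    """Session ticket: base64(JSON claims) '.' HMAC, so the claims cannot be altered."""
    payload = json.dumps({"sub": user, "iat": int(now), "exp": int(now) + TICKET_TTL}).encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload)

def verify_ticket(ticket, now):
    """Return the subject of an intact, unexpired ticket, otherwise None."""
    try:
        body, sig = ticket.rsplit(".", 1)
        payload = base64.urlsafe_b64decode(body.encode())
    except (ValueError, binascii.Error):
        return None
    if not hmac.compare_digest(_sign(payload), sig):
        return None                         # tampered or forged
    claims = json.loads(payload)
    return claims["sub"] if now < claims["exp"] else None

def make_user(password, salt=b"constructed-salt"):
    """Constructed user record (salt, PBKDF2 hash); the fixed salt keeps the sample deterministic."""
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class MasterUserStore:
    """The only writable user store, collocated with the login server in data center two."""
    def __init__(self, users):
        self.users, self.last_login = users, {}

    def check(self, user, password):
        if user not in self.users:
            return False
        salt, digest = self.users[user]
        return hmac.compare_digest(hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000), digest)

    def record_login(self, user, now):
        self.last_login[user] = int(now)    # the write that requires a master

class LoginServer:
    """Login server in data center two: performs steps 2 and 3 of the flow."""
    def __init__(self, store, allowed_hosts, url="https://login.dc2.example.com/login"):
        self.store, self.allowed_hosts, self.url = store, allowed_hosts, url

    def authenticate(self, user, password, target, now):
        """On success, write to the master and send the browser back to TARGET with a ticket."""
        if urlsplit(target).hostname not in self.allowed_hosts:
            return None                     # never redirect users to an unknown host
        if not self.store.check(user, password):
            return None
        self.store.record_login(user, now)
        sep = "&" if "?" in target else "?"
        return target + sep + urlencode({"ticket": mint_ticket(user, now)})

class WebAgent:
    """Web Agent in data center one; with a valid cookie it needs no further trip to data center two."""
    def __init__(self, login_url):
        self.login_url = login_url

    def request(self, url, cookie, now):
        """Step 1: serve the page for a valid cookie, otherwise redirect to the login server."""
        user = verify_ticket(cookie, now) if cookie else None
        return ("ok", user) if user else ("redirect", self.login_url + "?" + urlencode({"target": url}))

    def complete_login(self, returned_url, now):
        """Step 4: take the ticket off the returned URL and, if it verifies, use it as the cookie value."""
        ticket = parse_qs(urlsplit(returned_url).query).get("ticket", [None])[0]
        return ticket if ticket and verify_ticket(ticket, now) else None

def run_flow(password, now=1_700_000_000):
    """Drive the whole exchange with constructed data and report what each side observed."""
    master = MasterUserStore({"alice": make_user("correct horse battery")})
    login = LoginServer(master, allowed_hosts={"www.dc1.example.com"})
    agent = WebAgent(login.url)
    url = "https://www.dc1.example.com/app/secure"
    first, _ = agent.request(url, None, now)                    # 1. no cookie: redirect to DC2
    back = login.authenticate("alice", password, url, now)      # 2-3. authenticate, write, return
    cookie = agent.complete_login(back, now) if back else None  # 4. agent sets the cookie
    later, _ = agent.request(url, cookie, now + 60)             # served locally from the cookie
    expired, _ = agent.request(url, cookie, now + TICKET_TTL)   # lifetime over: back to login
    forged, _ = agent.request(url, (cookie or "") + "0", now)   # altered ticket is rejected
    return {"first": first, "authenticated": cookie is not None, "master_wrote": "alice" in master.last_login,
            "later": later, "expired": expired, "forged": forged}
```

Two points in the model matter in a real deployment of this pattern. The ticket is only useful across data centers if every agent can verify it without contacting data center two, which is why it is integrity-protected with a key the agents share rather than looked up on the login server. And because the login server redirects back to a caller-supplied URL, it must restrict the allowed target hosts, or the central login page becomes an open redirector that phishing sites can chain onto.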