Multiple Data Centers
CA SiteMinder® treats a global deployment the same as multiple data centers in the same continent. As such, factors outside of CA SiteMinder® affect the performance of a multi–data center deployment. The key factors are:
- Network latency
- Resiliency
We recommend that you consider the following outside factors as you plan for a multi–data center deployment:
- Network infrastructure
- Application locations
- User locations
- User store vendors and their restrictions, such as the number of masters allowed
Best Practices
Consider the following when configuring data centers:
- Collocating the following components in each data center helps to reduce the effect that network latency and resiliency have on CA SiteMinder® performance:
  - CA SiteMinder® Agents
  - Policy Servers
  - User stores
  Note: If a CA SiteMinder® feature, such as Password Services, requires a write–enabled store, we recommend having a write–enabled store in each data center.
- If all components cannot be in the same data center, we recommend at least collocating Policy Servers and user stores in the same data center.
Architectural Considerations
Consider the following architectural factors when planning for a CA SiteMinder® data center:
Example: Local Host Files Pointing Policy Servers to the Local Consumer User Store
Two geographically separated data centers include Policy Servers pointing to a consumer user store named myusers.
- The local consumer in data center one is available at 111.11.111.1
- The local consumer in data center two is available at 222.22.222.2
To point the Policy Servers to the local consumer
- From the Policy Server host systems in data center one, use a local host file to map myusers to 111.11.111.1.
- From the Policy Server host systems in data center two, use a local host file to map myusers to 222.22.222.2.
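The following script is an added example and is not part of the CA SiteMinder guide. It reads a hosts file the way the resolver does (first matching alias wins, comments ignored) and reports whether a Policy Server host maps myusers to the consumer in its own data center, so that LDAP reads stay off the wide area network; the same check flags the case the guide warns against later, a Policy Server whose reads would cross the WAN. The hosts-file contents are constructed samples using the addresses from the example above; the file names dc1.hosts, dc2.hosts and dc2-wrong.hosts are assumptions for the demo. Note that a hosts-file mapping is static: if the local consumer goes down, the Policy Server does not fail over through DNS, so the mapping must be kept under change control alongside the consumer's lifecycle.

```shell
#!/bin/sh
# Added example, not part of the CA SiteMinder guide. Checks that a Policy
# Server host's local hosts file maps the shared user-store name (myusers)
# to the consumer in its own data center, so LDAP reads stay off the WAN.
# The hosts-file contents and file names below are constructed samples.

# resolve_from_hosts FILE NAME
# Prints the address that FILE maps to NAME (exact match on any alias on the
# line, first match wins, as the resolver does), or nothing if NAME is absent.
resolve_from_hosts() {
    awk -v name="$2" '
        { sub(/#.*/, "") }                  # drop comments (whole-line or trailing)
        NF < 2 { next }                     # blank or address-only line
        { for (i = 2; i <= NF; i++) if ($i == name) { print $1; exit } }
    ' "$1"
}

# check_local_consumer FILE NAME EXPECTED_IP
# Returns 0 when FILE maps NAME to EXPECTED_IP, 1 when it maps NAME to some
# other address (reads would leave the data center), 2 when NAME is missing
# (the name would fall through to DNS and might resolve anywhere).
check_local_consumer() {
    actual=$(resolve_from_hosts "$1" "$2")
    if [ -z "$actual" ]; then
        echo "WARN $1: $2 not mapped, name falls through to DNS" >&2
        return 2
    fi
    if [ "$actual" != "$3" ]; then
        echo "FAIL $1: $2 -> $actual, expected local consumer $3" >&2
        return 1
    fi
    echo "OK   $1: $2 -> $actual"
    return 0
}

# write_sample_hosts DIR
# Writes three constructed hosts files: one correct file per data center and
# one data-center-two file that wrongly points at data center one's consumer.
write_sample_hosts() {
    cat > "$1/dc1.hosts" <<'EOF'
127.0.0.1      localhost
# consumer user store in data center one (constructed sample)
111.11.111.1   myusers
EOF
    cat > "$1/dc2.hosts" <<'EOF'
127.0.0.1      localhost
222.22.222.2   myusers   # consumer user store in data center two
EOF
    cat > "$1/dc2-wrong.hosts" <<'EOF'
127.0.0.1      localhost
111.11.111.1   myusers   # stale copy of the data center one entry
EOF
}

# Demo run against the constructed files; the "wrong" file is reported as FAIL.
demo() {
    dir=$(mktemp -d) || return 1
    write_sample_hosts "$dir"
    check_local_consumer "$dir/dc1.hosts"       myusers 111.11.111.1 || :
    check_local_consumer "$dir/dc2.hosts"       myusers 222.22.222.2 || :
    check_local_consumer "$dir/dc2-wrong.hosts" myusers 222.22.222.2 || :
    rm -rf "$dir"
}
demo
```

On a real Policy Server host you would call check_local_consumer against /etc/hosts (or the Windows equivalent) with the address of that data center's consumer; a FAIL result means the host is reading from a consumer across the WAN, and a WARN result means the mapping is missing and DNS decides where the reads go.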
Multiple Data Center Use Cases
The purpose of the following use cases is to get you thinking about your CA SiteMinder® data centers in terms of network latency and resiliency. The use cases begin with a simple deployment and progress into more complex scenarios.
These use cases are intended to identify techniques that you can use as part of a global architecture and are not intended as a final architecture. Extrapolate the necessary infrastructure from these cases to configure data centers that best meet the needs of your organization.
All Components in One Data Center
The simplest deployment includes all required CA SiteMinder® components in a single data center.
The following diagram illustrates this deployment:
Consider the following:
- Although not illustrated, CA SiteMinder® supports database clusters that are configured for write and read–only transactions.
- You can configure multiple components in a data center for operational continuity, redundancy, and high availability.
More information:
Redundancy and High Availability
All Components in Multiple Data Centers
You extend the CA SiteMinder® environment by deploying multiple data centers. The following factors can influence your decision to implement multiple data centers:
- The network infrastructure
- The location of applications
- The location of users
The following diagram illustrates:
- Applications in multiple data centers
- Each data center using its own policy store. Data center one contains the primary policy store. Data center two contains the replicated version, as the dotted line details.
Note: Every Policy Server in the deployment must share a common view into the same policy store. For more information about policy store redundancy, see Policy Server to Policy Store Communication.
- Each data center using its own master/consumer user stores.
Important! For more information about multi–mastered LDAP user store support limitations, see the Policy Server Release Notes.
- A centralized replicated session store to enable single sign–on between all applications.
More information:
Policy Server to Policy Store Communication
All Components in One Data Center
CA SiteMinder® Agent Communicating Across a Data Center
If all components cannot be in the same data center, we recommend at least collocating Policy Servers and user stores in the same data center.
The following diagram illustrates:
- Applications in multiple data centers.
- Data center one only containing a web server with a CA SiteMinder® Agent. The agent communicates across the wide area network to a Policy Server in data center two.
- Data centers 2 and 3:
More information:
Policy Server to Policy Store Communication
Policy Server Communicating Across a Data Center
If all components cannot be in the same data center, we recommend at least collocating Policy Servers and user stores in the same data center.
The following diagram illustrates:
- Applications in multiple data centers.
- Data center 1 only containing an Agent and Policy Server. The Policy Server only communicates across the wide area network to perform LDAP writes to the master user store in data center 2.
Important! We do not recommend configuring a Policy Server to communicate across the wide area network to perform LDAP reads and writes.
- All data centers:
  - Sharing a common view into the policy store through a master/replicated policy store.
  - Using a centralized replicated session store to enable single sign–on between all applications.
- Data centers 2 and 3 using their own master/consumer user stores.
Important! For more information about multi–mastered LDAP user store support limitations, see the Policy Server Release Notes.
More information:
Policy Server to Policy Store Communication
Master Policy Store
All Components in One Data Center
Login Server Controlling User Store Writes
The location of LDAP writable masters can constrain a CA SiteMinder® deployment. Consider using one or more centralized login servers to eliminate requirements for writable masters in each data center.
The following diagram illustrates:
- A multiple data center deployment in which:
  - A login server in data center two and data center three.
When users request access to a protected URL in data center one:
- The Web Agent redirects the request to the login server in data center two. The redirect is based on the authentication scheme that is protecting the resource.
Note: For more information about authentication schemes, see the Policy Server Configuration Guide.
- The Policy Server in data center two authenticates the user and writes to the master user store.
- The Policy Server creates a CA SiteMinder® session ticket and passes it back to the original protected URL.
Note: For more information about user sessions, see the Policy Server Configuration Guide.
- The Web Agent places the CA SiteMinder® session ticket into a cookie. The Web Agent uses the cookie to handle subsequent authentication and authorization requests in the data center, until one of the following occurs:
  - The user requests another resource that requires additional credentials.
  - The session expires.
Copyright © 2013 CA.
All rights reserved.