

Failover Support for Federation System

This section contains the following topics:

Failover Introduction

How to Configure Failover

How to Configure Failover with SSL Enabled

Maintain the Same Configuration for Each System

Failover Introduction

Failover support ensures that CA SiteMinder® Federation Standalone is not a single point of failure in your federated network. Failover builds redundancy into your network by configuring a primary and secondary CA SiteMinder® Federation Standalone system. If the primary CA SiteMinder® Federation Standalone system fails, the back-up system can perform the necessary federated communication.

Failover can be configured for CA SiteMinder® Federation Standalone acting as the asserting party and the relying party.

Note: If you enabled the CA SiteMinder® Connector, failover support is available for the Connector registration process. Instructions are described in the section Configure the CA SiteMinder® Connector.

The following figure shows a CA SiteMinder® Federation Standalone deployment with failover. If the primary system fails, transactions are directed to the secondary system.

Graphic illustrating failover between the primary and secondary systems

As shown in the previous figure, CA SiteMinder® Federation Standalone is installed on two machines that use the same database.

How to Configure Failover

Configuring failover requires the following tasks:

We recommend that you configure each federation system before configuring failover for the proxy server or load balancer.

Important! If you plan to use SSL for federation services, follow the instructions for an SSL-enabled failover environment.

Set up Failover at Each Federation System

To enable failover in a federation deployment, a primary and a secondary CA SiteMinder® Federation Standalone system must be installed and configured.

For SSL-enabled failover environments, follow the instructions to enable SSL for a failover environment.

Important! For Solaris platforms, treat Solaris zones as physical machines. Install and configure separate CA SiteMinder® Federation Standalone instances in each zone. CA SiteMinder® Federation Standalone does not support failover from one zone to another for a single instance because the zones have different Host IDs.

Follow these steps:

  1. Install the product on each system, specifying the same Federation Administrator Password for each installation.

    Note: The product can run in standalone or proxy mode, but the primary and secondary server must use the same mode.

  2. Run the federation system Configuration wizard on each system using the same database information for both systems.
  3. Log in to the Administrative UI.
  4. From the Infrastructure tab, select System Settings.
  5. Change the Global Base URL to include the host and port of the proxy server or load balancer in your federated network. Setting this URL helps ensure that the default URL for all entities in any partnership is correct.

    If CA SiteMinder® Federation Standalone uses more than one virtual host or domain, modify the server.conf file to include all entries.

    To modify the server.conf file

    1. Navigate to federation_install_dir/secure-proxy/proxy-engine/conf.
    2. Open the server.conf file in an editor.
    3. Go to the # Default Virtual Host section.
    4. Add the base URL to the hostnames setting using fully qualified host names, as follows:

      <VirtualHost name="default">
      hostnames="defaultbaseurl.example.com:80, newbaseurl.example.com:80"
      </VirtualHost>

      Note: Specify multiple host_name:port entries for the hostnames setting, separating each entry with a comma.

      Example:

      <VirtualHost name="default">
      hostnames="lb5.example.com:80"
      </VirtualHost>

Both CA SiteMinder® Federation Standalone systems now point to the same database. A proxy server or load balancer can be set up to fail over from the primary system to the secondary.
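
The following check is an added example, not part of the product or its documentation. It parses the default virtual host block of a server.conf in the form shown above, confirms that the host and port of the Global Base URL appear in the hostnames setting, and compares the entries on the primary and secondary systems. The function names and the sample file content are constructed for illustration; the parser assumes the quoted hostnames form shown in step 4.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: default virtual host section in the form this page shows.
SAMPLE_CONF = '''
# Default Virtual Host
<VirtualHost name="default">
hostnames="defaultbaseurl.example.com:80, lb5.example.com:80"
</VirtualHost>
'''

def default_hostnames(conf_text):
    """Return the host:port entries of the default virtual host, lower-cased."""
    block = re.search(r'<VirtualHost\s+name="default"\s*>(.*?)</VirtualHost>',
                      conf_text, re.S | re.I)
    if not block:
        raise ValueError("no well-formed default VirtualHost block")
    setting = re.search(r'^\s*hostnames\s*=\s*"([^"]*)"', block.group(1), re.M)
    if not setting:
        raise ValueError("hostnames setting missing or not quoted")
    return [e.strip().lower() for e in setting.group(1).split(",") if e.strip()]

def check_failover_hostnames(conf_text, global_base_url):
    """List problems that would keep the Global Base URL from being served."""
    problems = []
    entries = default_hostnames(conf_text)
    for entry in entries:
        host, sep, port = entry.rpartition(":")
        if not sep or not port.isdigit():
            problems.append(f"{entry}: expected host_name:port")
        elif "." not in host:
            problems.append(f"{entry}: host name is not fully qualified")
    url = urlsplit(global_base_url)
    port = url.port or {"http": 80, "https": 443}.get(url.scheme)
    wanted = f"{(url.hostname or '').lower()}:{port}"
    if wanted not in entries:
        problems.append(f"{wanted}: Global Base URL host not in hostnames")
    return problems

def compare_systems(primary_conf, secondary_conf):
    """Entries present on only one of the two systems (should be empty)."""
    return sorted(set(default_hostnames(primary_conf)) ^
                  set(default_hostnames(secondary_conf)))
```

Run it against the server.conf from each system with the Global Base URL set in the Administrative UI; an empty result from both functions means the load balancer address is served identically by the primary and the secondary.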

More information:

Run the CA SiteMinder® Federation Standalone Installation

Set up the Proxy Server or Load Balancer for Failover

You can direct a proxy server or load balancer to fail over to CA SiteMinder® Federation Standalone.

Note: The administrator of the proxy server or load balancer must know how to set up failover for the system in the deployment.

Follow these steps:

  1. Identify one CA SiteMinder® Federation Standalone system as the primary host and the other as the secondary host.

    Do not configure load balancing for the systems.

  2. Configure the proxy server or load balancer for the CA SiteMinder® Federation Standalone deployment, making sure to pass the following URLs to the CA SiteMinder® Federation Standalone systems:

    These URLs enable the proxy server or load balancer to balance traffic between the CA SiteMinder® Federation Standalone systems.

The proxy server or load balancer is now configured.