Failover of Directory Servers
If you are using an LDAP-compliant security realm, the Integrity Lifecycle Manager Agent can fail over between multiple directory servers so that authentication continues when one server stops responding. The agent resolves the configured directory server host name through the Domain Name System (DNS), treats every address returned for that host name as a candidate directory server, and authenticates against the first server in the list that accepts the connection request. To avoid repeating the connection wait on every request, the agent keeps a pool of the directory server connections it has already established and reuses them.
Because failover depends on the DNS lookup returning the current set of addresses, you should review the following cache settings in agent.properties if you are using failover:
java.security.property.networkaddress.cache.ttl
java.security.property.networkaddress.cache.negative.ttl
These correspond to the Java security properties networkaddress.cache.ttl and networkaddress.cache.negative.ttl, which control, in seconds, how long the JVM caches successful and failed name lookups respectively (-1 caches indefinitely, 0 disables caching). If successful lookups are cached for too long, a directory server that was added or recovered after the first lookup is not seen until the cache entry expires; if failed lookups are cached for too long, a transient DNS failure keeps the agent from finding any directory server for that period.
You should also review the time-out settings the Integrity Lifecycle Manager Agent uses when connecting to a directory server. These are set by the following properties in the security.properties file:
Property                    Description
ldap.connect.timeout        Number of seconds the Integrity Lifecycle Manager Agent waits for a connection to a directory server before treating that server as not responding. Default is 5.
ldap.blacklist.timeout      Minimum number of seconds the Integrity Lifecycle Manager Agent waits before retrying a directory server that it has marked inactive. Default is 300.
ldap.pool.timeout           Number of seconds an idle connection to a responding directory server remains in the pool before the agent removes it. Default is 60.
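The following simulation, added here as an illustration and not code from the Integrity Lifecycle Manager Agent, shows how the three time-outs interact over a constructed timeline: a two-address DNS result, a fake connector that answers immediately instead of blocking, and a fake clock. The class and host names (FailoverClient, ldap1.example.com, ldap2.example.com) are assumptions for the example; the property names and default values are the ones documented above.

```python
"""Simulation of the directory-server failover behaviour described above.

Added example, not part of the Integrity Lifecycle Manager Agent. The class
names, the fake clock and the fake connector are constructed for illustration;
only the property names and defaults come from the documentation.
"""
from typing import Callable, Dict, List, Optional, Tuple

# Defaults using the security.properties names documented above.
DEFAULT_SETTINGS = {
    "ldap.connect.timeout": 5,      # seconds to wait for a connect before giving up
    "ldap.blacklist.timeout": 300,  # seconds before an inactive server is retried
    "ldap.pool.timeout": 60,        # seconds an idle pooled connection is kept
}


class FailoverClient:
    """Chooses a directory server the way the text describes: reuse a pooled
    connection if one exists, otherwise walk the DNS address list in order,
    and blacklist any server that does not answer within the connect timeout."""

    def __init__(self, addresses: List[str],
                 connect: Callable[[str, int], bool],
                 clock: Callable[[], float],
                 settings: Optional[Dict[str, int]] = None):
        self.addresses = addresses            # stands in for the DNS lookup result
        self.connect = connect                # True if the server answered in time
        self.clock = clock
        self.settings = dict(DEFAULT_SETTINGS, **(settings or {}))
        self.blacklist: Dict[str, float] = {}  # address -> time it was marked inactive
        self.pool: Dict[str, float] = {}       # address -> time of last use

    def _expire(self, now: float) -> None:
        """Drop blacklist entries past ldap.blacklist.timeout and pooled
        connections idle longer than ldap.pool.timeout."""
        bl = self.settings["ldap.blacklist.timeout"]
        pl = self.settings["ldap.pool.timeout"]
        for addr, since in list(self.blacklist.items()):
            if now - since >= bl:
                del self.blacklist[addr]       # eligible for a retry again
        for addr, last in list(self.pool.items()):
            if now - last >= pl:
                del self.pool[addr]            # idle connection removed from pool

    def acquire(self) -> Optional[str]:
        """Return the address of the directory server to use, or None if
        every server is down or still blacklisted."""
        now = self.clock()
        self._expire(now)
        # 1. A pooled connection avoids the connect wait entirely.
        for addr in self.addresses:
            if addr in self.pool:
                self.pool[addr] = now
                return addr
        # 2. Otherwise try the DNS list in order, skipping blacklisted servers.
        for addr in self.addresses:
            if addr in self.blacklist:
                continue
            if self.connect(addr, self.settings["ldap.connect.timeout"]):
                self.pool[addr] = now
                return addr
            self.blacklist[addr] = now         # no answer within connect timeout
        return None


class FakeClock:
    """Constructed clock so the timeline can be driven without sleeping."""
    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now


def run_scenario() -> List[Tuple[int, Optional[str], List[str], List[str]]]:
    """Constructed timeline: ldap1 is down at t=0 and recovers at t=200.
    Returns (time, chosen server, blacklist, pool) for each request."""
    clock = FakeClock()
    up = {"ldap1.example.com": False, "ldap2.example.com": True}

    def connect(addr: str, timeout: int) -> bool:
        # A real connect would block for up to `timeout` seconds; the fake
        # availability table answers immediately.
        return up[addr]

    client = FailoverClient(["ldap1.example.com", "ldap2.example.com"],
                            connect, clock)
    events = []
    for t in (0, 30, 100, 200, 310):
        clock.now = t
        if t == 200:
            up["ldap1.example.com"] = True     # back up, but still blacklisted
        events.append((t, client.acquire(),
                       sorted(client.blacklist), sorted(client.pool)))
    return events


if __name__ == "__main__":
    for t, chosen, blacklist, pool in run_scenario():
        print(f"t={t:>3}s  use={chosen}  blacklist={blacklist}  pool={pool}")
```

Walking the timeline shows why the defaults matter: at t=0 the first address fails and is blacklisted, so the second server is used and pooled; at t=30 the pooled connection is reused without a connect wait; at t=100 and t=200 the pooled connection has been idle longer than ldap.pool.timeout, so a fresh connect is made, still to the second server because the first is blacklisted for ldap.blacklist.timeout seconds even though it recovered at t=200; only at t=310 does the first server become eligible again and, being first in the DNS list, win the connection. Shortening ldap.blacklist.timeout makes a recovered server come back sooner at the cost of more connect waits (each up to ldap.connect.timeout seconds) while it is still down.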