LDAP Failover Configuration Changes
To support failover, several Windchill configuration changes are needed.
Examples of the changes are included in the following subsections that describe the changes. These examples assume that you are currently using a Windchill Directory Server on host server1.mycompany.com that is listening on port 6389 and that you have set up replication among three Windchill Directory Server servers as follows:
• server1, listening on port 6389
• server2, listening on port 389
• server3, listening on port 5389
Note: Command and field entries must be entered as one line, without breaks, even where they appear wrapped on the page.
The failover capability in Windchill is based on the failover capability in the Java JNDI layer. All traffic is directed to the first server as long as it remains available. If the first server becomes unavailable, LDAP requests are directed to the second server in the list, and so on. Servers should be placed in the list in the order you want the servers to be used. For example, the fastest LDAP servers should probably be earlier in the list.
Updating JNDI Adapter Entries and Servlet baseUri
The JNDI adapter entries are held in the LDAP directory and are used by Windchill to access services such as LDAP. Typically, two JNDI adapters need to be updated:
• Ldap
• EnterpriseLdap
You can modify the adapters directly through LDAP using a tool such as the WindchillDS control-panel. However, an easier way to update the adapters is to use the Info*Engine Administration utility that is available in the site context from > .
After starting the Info*Engine Administration utility, you should see the adapters described previously, as well as other adapters. Open each adapter you want to change and change the Provider URL value. The single LDAP URL should be changed to a blank-separated LDAP URL list, where the URLs are listed in the order you want the servers to be used.
From the example configuration described previously, assume the value of the Provider URL is initially set to:
ldap://server1.mycompany.com:6389
Change the value of the Provider URL to the following. Edit as appropriate for your configuration and enter on one line:
ldap://server1.mycompany.com:6389 ldap://server2.mycompany.com:389 ldap://server3.mycompany.com:5389
If an enterprise LDAP was selected during the initial Windchill installation, do not update the EnterpriseLdap adapter. You can detect this case by comparing the provider URLs of the Ldap and EnterpriseLdap adapters. If the enterprise adapter has a different provider URL that points to an enterprise directory, it should not be modified.
Next, update the servlet baseUri. From the Services column of the Info*Engine Administration main page, open the entry ending in servlet. Expand the Property Administrator Properties and click Edit to change the base URI. This value should already contain an LDAP URL with an appropriate search base. Simply append the following string (edited as appropriate for your LDAP servers):
ldap://server2.mycompany.com ldap://server3.mycompany.com:5389
Note: The string you add must start with a blank; there must be a blank between the initial LDAP URL and these additional two URLs.
Click OK to apply the change.
Updating Windchill Properties
To update Windchill properties, use the xconfmanager utility to update the <Windchill>/site.xconf file. PTC recommends you make a backup copy of the site.xconf file before making changes to it.
You must create a set of properties related to the ie.ldap.serverHostName and ie.ldap.serverPort properties to establish the host name and port for each Windchill Directory Server that is being used for LDAP failover. Assuming ie.ldap.serverHostName is already set to server1.mycompany.com and ie.ldap.serverPort is already set to 6389 from the previous example, these two properties do not need to be changed. However, additional hosts and ports can be specified by appending a .1, .2, and so on to these property names. Open a Windchill shell, and use the following commands to make the changes corresponding to the previous example. Enter each command on one line:
xconfmanager -s "ie.ldap.serverHostName.1=server2.mycompany.com" -t "codebase/WEB-INF/ieStructProperties.txt"
xconfmanager -s "ie.ldap.serverHostName.2=server3.mycompany.com" -t "codebase/WEB-INF/ieStructProperties.txt"
xconfmanager -s "ie.ldap.serverPort.1=389" -t "codebase/WEB-INF/ieStructProperties.txt"
xconfmanager -s "ie.ldap.serverPort.2=5389" -t "codebase/WEB-INF/ieStructProperties.txt"
Optionally, since you are using the default LDAP port of 389 for server2.mycompany.com, you can omit the property definition for ie.ldap.serverPort.1.
Additionally, you must change the wt.federation.ie.ldapServer property. For example, enter the following on one line:
xconfmanager -s "wt.federation.ie.ldapServer=ldap://server1.mycompany.com:6389 ldap://server2.mycompany.com ldap://server3.mycompany.com:5389" -t "codebase/wt.properties"
Finally, apply your changes to the corresponding properties files by entering the following command:
xconfmanager -p
Updating the Web Server Configuration
Apache-based web servers allow you to configure a failover list of LDAP URLs. If you are using a web server other than an Apache-based web server, refer to the appropriate documentation to determine if LDAP failover is supported. If failover is supported, determine how it should be configured.
Note: The URL list for Apache-based web servers has a different format from the URL lists for JNDI adapters described in LDAP Failover Configuration Changes. Apache supports one LDAP URL with an embedded blank-separated list of hosts and ports.
From a Windchill shell, navigate to the Apache-based web server installation directory (if using the bundled HTTP Server, the installation directory is HTTPServer). Then enter Ant commands similar to the following to modify the server names and ports, the search base DN, and the bindDN and password for your configuration. Enter each command on one line:
ant -f webAppConfig.xml addAuthProvider -DappName=Windchill -DproviderName=AdministrativeLdap -DldapUrl="ldap://server1.mycompany.com:6389 server2.mycompany.com:389 server3.mycompany.com:5389/ou=people,cn=AdministrativeLdap,cn=Windchill_10.2,o=ptc" -DbindDn="cn=Manager" -DbindPwd=admin
ant -f webAppConfig.xml addAuthProvider -DappName=Windchill -DproviderName=EnterpriseLdap -DldapUrl="ldap://server1.mycompany.com:6389 server2.mycompany.com:389 server3.mycompany.com:5389/ou=people,cn=EnterpriseLdap,cn=Windchill_10.2,o=ptc" -DbindDn="cn=Manager" -DbindPwd=admin
If an enterprise LDAP was selected during initial Windchill installation, omit the second command; the enterprise LDAP URL should point to that enterprise LDAP directory.
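The same ordered server list is entered three times above, in three different formats (the JNDI adapter Provider URL, the ie.ldap.serverHostName/serverPort.N properties plus wt.federation.ie.ldapServer, and the Apache single-URL form), and a mismatch silently changes which server takes over on failover. The following added example, which is not PTC code, parses the JNDI list, rebuilds it from the xconf properties (treating an omitted ie.ldap.serverPort.N as the default 389, as the page notes), emits the Apache host-list form, and reports any disagreement; the sample values are constructed from the server1/server2/server3 scenario.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}

# Constructed sample values following the page's server1/server2/server3 scenario.
ADAPTER_PROVIDER_URL = ("ldap://server1.mycompany.com:6389 "
                        "ldap://server2.mycompany.com:389 ldap://server3.mycompany.com:5389")
FEDERATION_LDAP_SERVER = ("ldap://server1.mycompany.com:6389 "
                          "ldap://server2.mycompany.com ldap://server3.mycompany.com:5389")
SITE_PROPERTIES = {"ie.ldap.serverHostName": "server1.mycompany.com", "ie.ldap.serverPort": "6389",
                   "ie.ldap.serverHostName.1": "server2.mycompany.com",  # serverPort.1 omitted: default 389
                   "ie.ldap.serverHostName.2": "server3.mycompany.com", "ie.ldap.serverPort.2": "5389"}

def parse_url_list(value):
    """Split a blank-separated JNDI LDAP URL list into ordered (scheme, host, port) tuples.
    Order matters: JNDI uses the first server and only falls through when it is unavailable."""
    servers = []
    for token in value.split():
        u = urlsplit(token)
        if u.scheme not in DEFAULT_PORTS or not u.hostname:
            raise ValueError(f"not an LDAP URL: {token!r}")
        servers.append((u.scheme, u.hostname, u.port or DEFAULT_PORTS[u.scheme]))
    return servers

def servers_from_properties(props):
    """Rebuild the server list from ie.ldap.serverHostName[.N] / ie.ldap.serverPort[.N]."""
    servers, n = [], 0
    while (host := props.get("ie.ldap.serverHostName" + ("" if n == 0 else f".{n}"))) is not None:
        # An omitted ie.ldap.serverPort.N means the default LDAP port 389.
        port = props.get("ie.ldap.serverPort" + ("" if n == 0 else f".{n}"), "389")
        servers.append(("ldap", host, int(port)))
        n += 1
    return servers

def to_apache_ldap_url(servers, search_base):
    """Apache form: a single URL whose host part is a blank-separated host:port list."""
    hosts = " ".join(f"{host}:{port}" for _, host, port in servers)
    return f"{servers[0][0]}://{hosts}/{search_base}"

def check_failover_config(adapter_url, federation_url, props):
    """Report every place whose failover list disagrees with the Ldap adapter Provider URL."""
    expected = parse_url_list(adapter_url)
    problems = []
    if parse_url_list(federation_url) != expected:
        problems.append("wt.federation.ie.ldapServer differs from the Ldap adapter Provider URL")
    if servers_from_properties(props) != expected:
        problems.append("ie.ldap.serverHostName/serverPort entries differ from the Provider URL")
    return problems
```

Run check_failover_config against the live values before applying xconfmanager -p; an empty list means all three lists name the same servers in the same order.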