Replication of Identity Manager, Exit Point Manager, SIEM Agent, and Central Administration in a High Availability Environment
These instructions explain how centrally administered Powertech products can be configured for replication in a High Availability (HA) environment. This document refers to Identity Manager, Exit Point Manager 7, and SIEM Agent. All three are connected to the Central Administration product component and must be handled together; you cannot replicate one without the others.
Definitions
- Endpoint - A system managed by a Manager system.
- Manager – The Central Administration Managing system for Endpoints.
- Standalone – A system not in a Manager-Endpoint configuration. The system is its own Manager.
- Address – The reference to a system in the Central Administration network configuration, on both the Manager and the Endpoints. The address may be a system name, a DNS name, or an IP address.
- Source system – The system replication information is moving from.
- Target system – The system replication information is moving to.
Limitations
An Endpoint can connect to only one Managing system (Manager) at any given moment. Conversely, a Manager can connect to many Endpoints, but each active Endpoint must have a unique Address. Furthermore, a source system and its associated target system must not both be connected to the same Manager, because their Powertech data is identical. It is therefore strongly recommended that a DNS name is used for the Address when connecting Managers with Endpoints, and that the DNS record on the network DNS server is updated to point at the system taking over the role during a role swap.
Exit Point Manager must not have its exit programs registered on the target system during library replication. Object lock contention caused by exit program transaction activity may interfere with successful replacement of the Exit Point Manager rule sets. The administrator may opt to deactivate the exit programs before each replication and reactivate them afterwards, or refrain from using active server exit programs on the target system.
Product Installation
The product must be installed on both the Source and the Target systems. Replication must be stopped during the install. The install places libraries, profiles, authorization lists, commands, and exit points on the system, and ensures that each of these objects has the proper owner and authorities.
Replication and Backup Recommendation
Replication of all the product libraries is required. The libraries for Identity Manager (PTPMLIB), Exit Point Manager 7 (PTNSLIB or PTNSLIB07), SIEM Agent (PTSALIB), and Central Administration (PTPLLIB) must be simultaneously replicated. Failure to keep the libraries synchronized may render the products irretrievably inoperable.
The library for Powertech Work Management (PTWRKMGT) should also be considered for replication. It houses a few work-management objects that support Powertech products but typically sees minimal ongoing change.
Product Configuration Recommendations
For Central Administration environments with systems in a Manager-Endpoint configuration, we recommend that the Address within Central Administration not be set to an IP address or to the actual system name (unless the system name is also the DNS name). The DNS name should be defined in your network DNS table, which ultimately points to the IP address of the hardware. This strategy allows a smooth role swap to the Target, since updating the network DNS record is the only change required for the Manager and Endpoints to continue communicating.
If the network DNS option described above is not feasible, the host table entries on each system in the configuration, including the Manager and all Endpoints, can be changed instead. Large environments with many systems may find this option time consuming, because the product monitor jobs on each system must be stopped and restarted.
Finally, when the Target system’s name differs from the Source’s, use the PTPLLIB/PPLCHGSYS command to change the system name within Central Administration’s database. Although this name change is not required for the software to function, doing so may avoid confusion in the user interface.
Objects for Replication (if they exist on both Source and Target systems)
- PTPLLIB – Central Administration Library
- PTPMLIB – Identity Manager Library
- PTNSLIB or PTNSLIB07 – Exit Point Manager Library
- PTWRKMGT – Powertech Work Management Library
- PTSALIB – Powertech SIEM Agent 4 Library
- User Profiles – PTUSER, PTADMIN, PTWRKMGTOW
- Authorization lists – PTADMIN
- Commands and programs in QGPL:
- WRKPTNS *CMD QGPL PRX
- WRKPTPA *CMD QGPL PRX
- WRKPTSA *CMD QGPL PRX
- POWERTECH *CMD QGPL PRX
- POWERTECH *MENU QGPL PGM
Objects That Should Not Be Replicated (if they exist)
Central Administration
- PTPLLIB/PPLITS *USRIDX
- PTPLLIB/PPL4000Q *DTAQ
- PTPLLIB/PPL4100Q *DTAQ
- PTPLLIB/PPL4200Q *DTAQ
- PTPLLIB/PPL5100Q *DTAQ
Exit Point Manager
- QGPL/PTNS0107 *PGM
- QGPL/PTNS0107LI *PGM
- QGPL/PTNS0107CO *PGM
- QGPL/PTNS0107AC *PGM
- PTNSLIB or PTNSLIB07 / PNS5100Q *DTAQ
User Indexes
- PTNSLIB07/PTNSGMUI *USRIDX
- PTNSLIB07/PLKNSVFC *USRIDX
- PTNSLIB07/PLKNSVFB *USRIDX
- PTNSLIB07/PNSCCLI000
- PTNSLIB07/PNSCFTP000
- PTNSLIB07/PNSCGEP000
- PTNSLIB07/PNSCP000
- PTNSLIB07/PNSCPS000
- PTNSLIB07/PNSCR000
- PTNSLIB07/PNSCSCK000
- PTNSLIB07/PNSCSCQ000
User Spaces
- PTNSLIB07/LNSU108CLI
- PTNSLIB07/LNSU108FTP
- PTNSLIB07/LNSU108GEP
- PTNSLIB07/LNSU108P
- PTNSLIB07/LNSU108PS
- PTNSLIB07/LNSU108R
- PTNSLIB07/LNSU108ACC
- PTNSLIB07/LNSU108CON
- PTNSLIB07/LNSU108LIS
- PTNSLIB07/LNSU108SCQ
- PTNSLIB07/LNSU108TS1
Identity Manager
- PTPMLIB/PPM5100Q *DTAQ
SIEM Agent 4
- PSA5100Q *DTAQ
- PSA5200Q *DTAQ
- Exclude all user index types in PTSALIB (*USRIDX)
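The include and exclude lists above are easy to get subtly wrong in a replication tool with hundreds of object entries, and a single replicated data queue or user index will overwrite live runtime state on the Target. The following checker is an added example (not Fortra/Powertech code) that applies the rules from this document to an object list. It assumes the HA product can export the objects in a replication group as one "LIB/OBJ *TYPE" line per object (that format and the sample report are constructed for the example); the SIEM Agent data queues are assumed to live in PTSALIB, which this page does not state explicitly.

```python
"""Checks a replication object list against the Powertech HA rules (added example).

Input: one object per line as "LIB/OBJ *TYPE" (assumed export format, not a
real product report). Output: errors (objects that must not replicate, or
required objects and libraries that are missing) and warnings.
"""
import fnmatch
from typing import Dict, Iterable, List, Tuple

Obj = Tuple[str, str, str]  # (library, object, object type), upper case

# Product libraries that must replicate as a set; EPM uses one of two names.
PRODUCT_LIBS = {"PTPLLIB", "PTPMLIB", "PTSALIB"}
EPM_LIBS = {"PTNSLIB", "PTNSLIB07"}
OPTIONAL_LIBS = {"PTWRKMGT"}

# Objects outside the product libraries that must replicate. User profiles
# and authorization lists live in QSYS on IBM i.
REQUIRED_OBJECTS: List[Obj] = [
    ("QGPL", "WRKPTNS", "*CMD"), ("QGPL", "WRKPTPA", "*CMD"),
    ("QGPL", "WRKPTSA", "*CMD"), ("QGPL", "POWERTECH", "*CMD"),
    ("QGPL", "POWERTECH", "*MENU"),
    ("QSYS", "PTUSER", "*USRPRF"), ("QSYS", "PTADMIN", "*USRPRF"),
    ("QSYS", "PTWRKMGTOW", "*USRPRF"), ("QSYS", "PTADMIN", "*AUTL"),
]

_EPM_USRIDX = ["PTNSGMUI", "PLKNSVFC", "PLKNSVFB", "PNSCCLI000", "PNSCFTP000",
               "PNSCGEP000", "PNSCP000", "PNSCPS000", "PNSCR000",
               "PNSCSCK000", "PNSCSCQ000"]
_EPM_USRSPC = ["LNSU108" + s for s in
               ("CLI", "FTP", "GEP", "P", "PS", "R", "ACC", "CON", "LIS", "SCQ", "TS1")]

# Objects that must NOT replicate. Library and object use fnmatch wildcards.
# Assumption: the SIEM Agent data queues are in PTSALIB (page omits the library).
EXCLUDED_PATTERNS: List[Obj] = [
    ("PTPLLIB", "PPLITS", "*USRIDX"),
    *[("PTPLLIB", q, "*DTAQ") for q in ("PPL4000Q", "PPL4100Q", "PPL4200Q", "PPL5100Q")],
    *[("QGPL", "PTNS0107" + s, "*PGM") for s in ("", "LI", "CO", "AC")],
    ("PTNSLIB*", "PNS5100Q", "*DTAQ"),
    *[("PTNSLIB07", n, "*USRIDX") for n in _EPM_USRIDX],
    *[("PTNSLIB07", n, "*USRSPC") for n in _EPM_USRSPC],
    ("PTPMLIB", "PPM5100Q", "*DTAQ"),
    ("PTSALIB", "PSA5100Q", "*DTAQ"), ("PTSALIB", "PSA5200Q", "*DTAQ"),
    ("PTSALIB", "*", "*USRIDX"),  # every user index in PTSALIB
]


def parse_objects(lines: Iterable[str]) -> List[Obj]:
    """Parse 'LIB/OBJ *TYPE' lines; blank lines and '#' comments are skipped."""
    objects: List[Obj] = []
    for raw in lines:
        line = raw.split("#", 1)[0].strip().upper()
        if not line:
            continue
        try:
            qualified, otype = line.split()
            lib, obj = qualified.split("/")
        except ValueError:
            raise ValueError(f"bad object entry: {raw.strip()!r}") from None
        objects.append((lib, obj, otype))
    return objects


def _matches(pattern: Obj, entry: Obj) -> bool:
    plib, pobj, ptype = pattern
    lib, obj, otype = entry
    # Type is compared exactly so a '*PGM' rule never catches a '*SRVPGM'.
    return (fnmatch.fnmatchcase(lib, plib) and fnmatch.fnmatchcase(obj, pobj)
            and otype == ptype)


def check_replication(objects: List[Obj]) -> Dict[str, List[str]]:
    """Return {'errors': [...], 'warnings': [...]} for a replication group."""
    errors: List[str] = []
    warnings: List[str] = []
    libs = {lib for lib, _, _ in objects}

    # Rule: the product libraries replicate all together or not at all.
    present = (PRODUCT_LIBS | EPM_LIBS) & libs
    missing = PRODUCT_LIBS - libs
    if not (EPM_LIBS & libs):
        missing.add("PTNSLIB or PTNSLIB07")
    if not present:
        errors.append("no Powertech product library in the replication group")
    elif missing:
        errors.append("product libraries replicate as a set; missing: "
                      + ", ".join(sorted(missing)))
    for lib in sorted(OPTIONAL_LIBS - libs):
        warnings.append(f"{lib} is not replicated (recommended)")

    # Rule: QGPL proxy commands, menu, profiles and authorization list replicate.
    for req in REQUIRED_OBJECTS:
        if req not in objects:
            errors.append("missing required object %s/%s %s" % req)

    # Rule: runtime data queues, user indexes, user spaces and exit programs do not.
    for entry in objects:
        if any(_matches(pat, entry) for pat in EXCLUDED_PATTERNS):
            errors.append("must not replicate %s/%s %s" % entry)
    return {"errors": errors, "warnings": warnings}


# Constructed sample report (object names marked EXAMPLE are placeholders).
SAMPLE_REPORT = """
# replication group export - constructed sample, not real product output
PTPLLIB/PPLCHGSYS *CMD
PTPLLIB/PPL4000Q  *DTAQ
PTPMLIB/EXAMPLE1  *FILE
PTNSLIB07/EXAMPLE2 *FILE
PTNSLIB07/LNSU108CLI *USRSPC
PTSALIB/EXAMPLE3  *USRIDX
QGPL/WRKPTNS *CMD
QGPL/WRKPTPA *CMD
QGPL/POWERTECH *CMD
QGPL/POWERTECH *MENU
QGPL/PTNS0107 *PGM
QSYS/PTUSER *USRPRF
QSYS/PTADMIN *USRPRF
QSYS/PTWRKMGTOW *USRPRF
QSYS/PTADMIN *AUTL
"""

if __name__ == "__main__":
    report = check_replication(parse_objects(SAMPLE_REPORT.splitlines()))
    for level in ("errors", "warnings"):
        for msg in report[level]:
            print(f"{level[:-1].upper()}: {msg}")
```

Run against the sample, the checker flags the missing WRKPTSA proxy command, the four objects that should have been excluded (a Central Administration data queue, an Exit Point Manager user space, a SIEM Agent user index, and the QGPL exit program), and warns that PTWRKMGT is not in the group. Running it before every planned role swap catches list drift introduced after a product upgrade, for example when PTNSLIB is renamed to PTNSLIB07.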
Product License Considerations
All Powertech products currently support storing multiple product license keys on a given system. This lets you enter the key for the system where the software is currently installed as well as a key for the future Target system. Be aware that if no Target system license has been acquired beforehand, a temporary license request will need to be handled ad hoc at the time of a role swap. Finally, ensure that each product library is replicated to the Target system so that the license key is transferred with it.