Configuring a Dual Connector Setup in a Multi-Node Identity Server Environment

Let us assume that your setup details are as follows:

  • Base URL of the Identity Server cluster: https://abc.idp.com:8443/nidp

  • Common name of the certificate: cn=*.idp.com

  • Details of the Identity Server nodes:

    Identity Server   IP Address   Host
    Node 1            1.1.1.10     abc
    Node 2            1.1.1.11     auth

Perform the following steps to configure a dual connector setup:

NOTE: The second Identity Server node acts as the connector host.

  1. Create an X.509 authentication class and method. See Configuring X.509 Authentication and Configuring Attribute Mappings.

  2. Navigate to Devices > Identity Servers > Edit > Local > Methods.

  3. Select the X.509 authentication method and click New under Properties.

    Specify the following details:

    Property Name: CONNECTOR_HOST

    Property Value: https://auth.idp.com:8448

    NOTE: Do not add a / after the port number.

  4. Navigate to Devices > Identity Servers > Edit > Options.

  5. Click New and specify the following details:

    Property Name: CLUSTER COOKIE DOMAIN

    Property Value: .idp.com

    Property Name: CLUSTER COOKIE PATH

    Property Value: /nidp

  6. (Identity Server Node 1 and Node 2) Back up server.xml and context.xml files located at the following paths:

    • server.xml: /opt/novell/nam/idp/conf

    • context.xml: /opt/novell/nids/lib/webapp/META-INF

  7. In the Identity Server Node 1, navigate to the /opt/novell/nam/idp/conf directory.

    1. Open the server.xml file.

    2. Search for the <Connector NIDP_Name="connector" string and create a copy of the existing connector in the same file.

    3. In the new connector, change the port number to 8448.

      NOTE: Ensure that the new connector keeps clientAuth="false".

    4. Save the server.xml file.

  8. In the Identity Server Node 2, navigate to the /opt/novell/nam/idp/conf directory.

    1. Open the server.xml file.

    2. Search for the <Connector NIDP_Name="connector" string and create a copy of the existing connector in the same file.

    3. In the new connector, change the port number to 8448.

    4. Change the clientAuth="false" string to clientAuth="want".

    5. Add protocol="org.apache.coyote.http11.Http11NioProtocol".

    6. Save the server.xml file.

  9. (Identity Server Node 1 and Node 2) Navigate to the /opt/novell/nids/lib/webapp/META-INF directory and open the context.xml file.

  10. Ensure that the following strings are available:

    <Context sessionCookiePath="/" sessionCookieDomain=".idp.com">
        <Manager pathname="" saveOnRestart="false"/>
        <CookieProcessor className="org.apache.tomcat.util.http.LegacyCookieProcessor" />
    </Context>

  11. Save the files and restart both the Identity Server nodes. Check the log files and ensure that there are no errors.

  12. Create a user certificate. See Section 16.0, Creating Certificates.

  13. Import the certificate to the browser.

  14. Create a contract for the method. See Configuring Authentication Contracts.
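The edits in steps 3 and 7 through 10 are easy to get subtly wrong (a trailing slash on CONNECTOR_HOST, a copied connector that is not a faithful copy, clientAuth left at "false" on the connector host, the NIO protocol forgotten, a context.xml still missing the cookie domain), and a mistake only shows up as a failed login after the restart. The script below is an added example written for this article and is not part of Access Manager; it parses a server.xml and a context.xml with Python's standard library and reports which of the documented settings are missing. The sample XML it embeds is constructed: it carries only the attributes the article names (NIDP_Name, port, clientAuth, protocol) plus a few typical Tomcat ones, and KEYSTORE_PATH_PLACEHOLDER stands in for a real keystore path. The "copy must match the original apart from the edited attributes" and "CONNECTOR_HOST must lie inside the cluster cookie domain" checks are this example's reading of the procedure, not rules stated by the product documentation.

```python
"""Sanity-check the dual connector edits (steps 3 and 7 to 10).

Added example for this article, not part of Access Manager. All XML
samples below are constructed; real files carry more attributes.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NIO_PROTOCOL = "org.apache.coyote.http11.Http11NioProtocol"
LEGACY_COOKIE_PROCESSOR = "org.apache.tomcat.util.http.LegacyCookieProcessor"
ORIGINAL_PORT = "8443"
CONNECTOR_PORT = "8448"
COOKIE_DOMAIN = ".idp.com"

# Attributes the procedure tells you to change on the copied connector;
# every other attribute should still match the original connector.
CHANGED_ATTRS = {"port", "clientAuth", "protocol"}


def check_connector_host(value):
    """Findings for the CONNECTOR_HOST property value (step 3); empty list = OK."""
    findings = []
    if value.endswith("/"):
        findings.append("CONNECTOR_HOST must not end with '/' after the port")
    parts = urlsplit(value)
    if parts.scheme != "https":
        findings.append("CONNECTOR_HOST should use https")
    if parts.port != int(CONNECTOR_PORT):
        findings.append("CONNECTOR_HOST port should be %s" % CONNECTOR_PORT)
    # Assumption of this example: the session cookie must reach the connector
    # host, so its name has to sit inside the CLUSTER COOKIE DOMAIN.
    if parts.hostname and not parts.hostname.endswith(COOKIE_DOMAIN):
        findings.append("CONNECTOR_HOST host is outside the cookie domain %s" % COOKIE_DOMAIN)
    return findings


def check_server_xml(xml_text, role):
    """Findings for one node's server.xml (steps 7 and 8); empty list = OK.

    role is "node1" (clientAuth stays "false" on the copied connector) or
    "node2" (the connector host: clientAuth="want" plus the NIO protocol).
    """
    if role not in ("node1", "node2"):
        raise ValueError("role must be 'node1' or 'node2'")
    root = ET.fromstring(xml_text)
    nidp = [c for c in root.iter("Connector") if c.get("NIDP_Name") == "connector"]
    by_port = {c.get("port"): c for c in nidp}
    original, copy = by_port.get(ORIGINAL_PORT), by_port.get(CONNECTOR_PORT)
    findings = []
    if original is None:
        findings.append("no NIDP connector on port %s" % ORIGINAL_PORT)
    if copy is None:
        findings.append("no NIDP connector copy on port %s" % CONNECTOR_PORT)
    if original is None or copy is None:
        return findings
    # A copy of the existing connector: same attributes apart from the edited ones.
    for name, value in original.attrib.items():
        if name not in CHANGED_ATTRS and copy.get(name) != value:
            findings.append("port %s connector differs from the original in %s" % (CONNECTOR_PORT, name))
    expected = "want" if role == "node2" else "false"
    if copy.get("clientAuth") != expected:
        findings.append("port %s connector clientAuth is %r, expected %r"
                        % (CONNECTOR_PORT, copy.get("clientAuth"), expected))
    if role == "node2" and copy.get("protocol") != NIO_PROTOCOL:
        findings.append("port %s connector must set protocol=%s" % (CONNECTOR_PORT, NIO_PROTOCOL))
    return findings


def check_context_xml(xml_text):
    """Findings for context.xml (step 10); empty list = OK."""
    root = ET.fromstring(xml_text)
    if root.tag != "Context":
        return ["root element is not <Context>"]
    findings = []
    if root.get("sessionCookiePath") != "/":
        findings.append('sessionCookiePath must be "/"')
    if root.get("sessionCookieDomain") != COOKIE_DOMAIN:
        findings.append('sessionCookieDomain must be "%s"' % COOKIE_DOMAIN)
    manager = root.find("Manager")
    if manager is None or manager.get("pathname") != "" or manager.get("saveOnRestart") != "false":
        findings.append('<Manager pathname="" saveOnRestart="false"/> missing or different')
    processor = root.find("CookieProcessor")
    if processor is None or processor.get("className") != LEGACY_COOKIE_PROCESSOR:
        findings.append("CookieProcessor className must be %s" % LEGACY_COOKIE_PROCESSOR)
    return findings


# Constructed sample files (not taken from a real installation).
_CONNECTOR = ('NIDP_Name="connector" port="{port}" SSLEnabled="true" scheme="https" secure="true" '
              'sslProtocol="TLS" keystoreFile="KEYSTORE_PATH_PLACEHOLDER" clientAuth="{auth}"{extra}')


def _server_xml(copy_auth, copy_extra=""):
    return ('<Server port="8005" shutdown="SHUTDOWN"><Service name="Catalina">'
            '<Connector ' + _CONNECTOR.format(port=ORIGINAL_PORT, auth="false", extra="") + '/>'
            '<Connector ' + _CONNECTOR.format(port=CONNECTOR_PORT, auth=copy_auth, extra=copy_extra) + '/>'
            '</Service></Server>')


NODE1_SERVER_XML = _server_xml("false")
NODE2_SERVER_XML = _server_xml("want", ' protocol="%s"' % NIO_PROTOCOL)
CONTEXT_XML = ('<Context sessionCookiePath="/" sessionCookieDomain=".idp.com">'
               '<Manager pathname="" saveOnRestart="false"/>'
               '<CookieProcessor className="%s"/></Context>' % LEGACY_COOKIE_PROCESSOR)

if __name__ == "__main__":
    for label, findings in [
        ("CONNECTOR_HOST", check_connector_host("https://auth.idp.com:8448")),
        ("node1 server.xml", check_server_xml(NODE1_SERVER_XML, "node1")),
        ("node2 server.xml", check_server_xml(NODE2_SERVER_XML, "node2")),
        ("context.xml", check_context_xml(CONTEXT_XML)),
    ]:
        print(label, "OK" if not findings else findings)
```

To run it against a real node before the restart in step 11, read the files from the paths given in step 6 and pass the text in, for example check_server_xml(open("/opt/novell/nam/idp/conf/server.xml").read(), "node2") on the connector host; an empty list means every documented setting is present. The role argument matters: the same 8448 connector is correct with clientAuth="false" on Node 1 and wrong on Node 2, because only the connector host is meant to ask the browser for the client certificate.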

Verifying the Dual Connector Setup

To verify that the dual connector setup configuration is successful, execute the X.509 dual connector contract as an end user and ensure that the CONNECTOR_HOST URL is visible in the browser URL and in the Identity Server logs.

  1. At the User Portal, select the X.509 dual connector contract.

  2. Select the user certificate when prompted.

A successful login to the User Portal verifies that the dual connector setup configuration is complete.