Verify Identity Access configuration with the proxy
After the Security Directory Server proxy server and back-end servers are configured with the Directory Information Tree (DIT) partitioning setup, you can configure Verify Identity Access to use the proxy. The proxy server provides a unified view of the directory and shields the LDAP application (Verify Identity Access, for example) from having to be aware of the DIT partitioning.
When configured to use the Security Directory Server proxy server, Verify Identity Access is only aware of the proxy and performs all operations through the proxy, as if it represented the entire DIT namespace.
To provide failover support, multiple Security Directory Server proxy servers can also be configured. For information about configuring multiple Security Directory Server proxy servers to provide failover support, see the IBM Tivoli® Directory Server Administration Guide.
When you configure multiple proxy servers to provide failover support, Verify Identity Access must be configured to treat each of the proxy servers as a directory server replica. The example scenario that is described here assumes a single proxy.
Because Verify Identity Access cannot be configured directly to the Security Directory Server proxy server, Verify Identity Access must first be configured to the back-end server that hosts the secAuthority=Default subtree. When you configure the Verify Identity Access Runtime component for use with this back-end server, select LDAP as the registry type. When the pdconfig utility requests the LDAP hostname, type the host name and LDAP port number of Server A (the back-end server that hosts the secAuthority=Default subtree); do not type the host name of the Security Directory Server proxy server (Proxy).
Configure SSL information for setting up an SSL connection with Server A, if SSL is to be used. When you use SSL, Proxy needs to be configured with a server certificate that is generated by the same certificate authority (CA) that was used to create the server certificate for Server A. Specify the LDAP DN (for example cn=root) and the LDAP administrator password for Server A. After the Verify Identity Access policy server is configured successfully to the back-end server (Server A), you can then retarget the Verify Identity Access policy server system to the Security Directory Server proxy server. Exit the pdconfig utility.
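Before retargeting the policy server from Server A to the proxy, it is worth confirming that the proxy really exposes the secAuthority=Default subtree that Server A hosts, using the same bind DN. The script below is an added example, not part of this documentation or of the product; it assumes an OpenLDAP-style ldapsearch on the path, and the server URIs, the password file and the sample LDIF in the test are placeholders or constructed values.

```shell
#!/bin/sh
# Added example: compare the DNs under secAuthority=Default as returned by
# Server A (the back-end) and by the proxy. The URIs and the password file
# are placeholders; the bind DN cn=root is the example DN from the text.
SERVER_A_URI="ldap://server-a.example.com:389"   # placeholder
PROXY_URI="ldap://proxy.example.com:389"         # placeholder
BIND_DN="cn=root"
BIND_PW_FILE="/etc/ldap/bind-pw.txt"             # placeholder, mode 0600
BASE_DN="secAuthority=Default"

# dn_list: read LDIF on stdin and print the DN values, sorted, one per line
# (base64-encoded "dn::" lines are not handled by this simple filter).
dn_list() {
    grep -i '^dn: ' | sed 's/^[Dd][Nn]: //' | sort
}

# compare_dn_lists: return 0 when the two sorted DN files are identical,
# 1 otherwise; the differences are printed on stderr for the operator.
compare_dn_lists() {
    if diff "$1" "$2" >/dev/null; then
        return 0
    fi
    echo "DN sets differ between back-end and proxy:" >&2
    diff "$1" "$2" >&2
    return 1
}

# search_dns: list every DN under BASE_DN on the given LDAP URI. The bind
# password is read from a file (-y) so it never appears in the process list.
search_dns() {
    ldapsearch -LLL -x -H "$1" -D "$BIND_DN" -y "$BIND_PW_FILE" \
        -b "$BASE_DN" -s sub '(objectclass=*)' dn | dn_list
}

# verify_proxy_view: 0 if the proxy shows the same subtree as Server A,
# 1 if the DN sets differ, 2 if either search failed (bind or connect error).
verify_proxy_view() {
    a=$(mktemp); p=$(mktemp)
    search_dns "$SERVER_A_URI" > "$a" || { rm -f "$a" "$p"; return 2; }
    search_dns "$PROXY_URI" > "$p" || { rm -f "$a" "$p"; return 2; }
    compare_dn_lists "$a" "$p"; rc=$?
    rm -f "$a" "$p"
    return $rc
}

# Run the live check only when VERIFY_RUN=1, so the functions can be sourced.
if [ "${VERIFY_RUN:-0}" = "1" ]; then verify_proxy_view; fi
```

Run it against LDAPS URIs once SSL is configured; a bind failure through the proxy at this point usually means the proxy is not routing the secAuthority=Default partition to Server A.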