Replicate the authorization database

A Security Access Manager domain administrator can make security policy changes to a domain at any time.

A primary responsibility of the policy server is to make the necessary adjustments to the domain master authorization database to reflect these changes.

When the policy server modifies the master authorization database, it can send out notification of this change to all resource manager servers with replica databases. The authorization servers must then request a database update from the policy server.

Note: Additionally, resource manager servers can check for database updates by polling the policy server at regular intervals. Polling configuration for a WebSEAL client, for example, is explained in the IBM Security Access Manager for Web: WebSEAL Administration Guide.

Update notifications from the policy server can be configured as an automatic process or a manually controlled task. Notification is determined by the auto-database-update-notify stanza entry in the [ivmgrd] stanza of the ivmgrd.conf configuration file. By default, the stanza entry value is set to yes (update notification is automatically done by the policy server):

[ivmgrd]
auto-database-update-notify = yes

This automatic setting is appropriate for environments where database changes are few and infrequent. When you configure update notification to be automatic, you must also correctly configure the max-notifier-threads and notifier-wait-time stanza entries. For more information about these entries, see Set the number of update-notifier threads and Set the notification delay time.

When you configure update notification to be manual, manual application of the server replicate command controls this event.

[ivmgrd]
auto-database-update-notify = no

This manual setting is appropriate for environments where database modifications occur frequently and involve substantial changes. In some cases, several database modifications can generate many update notifications that soon become obsolete because of the continuing changes to the master database. These obsolete notifications cause unnecessary network traffic and impair the performance of resource managers because of continued requesting and processing of policy updates.

Use the manual control of update notification to complete the process of modifying the master authorization database before update notifications are sent out to authorization servers with database replicas.

In manual mode, update notification uses the notifier thread pool as it does in automatic mode. Therefore, the manual mode setting is affected by the max-notifier-threads stanza entry value. For more information about this stanza entry, see Set the number of update-notifier threads.