How to Move the Authentication Module to an External Server

The authentication module in CA SDM is a singleton daemon that is responsible for user authentication. The authentication module runs on the primary server in the conventional configuration and on the background server in the advanced availability configuration. You can move the authentication module to an external server in the following scenarios:
  • Conventional configuration:
    • If the primary server is on a UNIX or Linux platform and you require Windows authentication, move the authentication module to a Windows secondary server.
    • If the primary server is on a Solaris platform and you require CA EEM authentication, move the authentication module to the secondary server, because CA SDM does not support the CA EEM integration on Solaris.
  • Advanced availability configuration:
    • If the background server is on a UNIX or Linux platform and you require Windows authentication, move the authentication module to a Windows application server.
    • If the background server is on a Solaris platform and you require the CA EEM integration, move the authentication module to an application server, because CA SDM does not support the EEM integration on Solaris.
The following diagram illustrates how to move the authentication module:
The selected external server must have CA SDM installed. If you move the authentication module to an external server such as an application server, it becomes a single point of failure. If the application server is down, users cannot log in.
Verify the Prerequisites
The analysis of the CA SDM server platforms helps you to decide how to move the authentication module to an external server.
Follow these steps:
  • Identify the operating system of the following server, which is based on the configuration type:
    • Conventional: Primary server.
    • Advanced Availability: Application server.
  • Identify the type of required authentication from the following models:
    • Windows authentication for the CA SDM implementation on UNIX or Linux.
    • CA EEM authentication for the CA SDM implementation on Solaris.
  • Make sure that CA SDM is installed on the selected external server.
Configure CA SDM for Using External Authentication
To redirect the authentication requests to an external server, specify the hostname of the target server where the authentication module is present. The process of configuring CA SDM for moving the authentication module is different for the conventional and advanced availability configuration of CA SDM.
Conventional Configuration
Follow these steps:
  1. Log in to the primary server as an administrator.
  2. From the command prompt, change the directory to samples\pdmconf under NX_ROOT and run pdm_perl pdm_edit.pl.
  3. From the pdm_edit.pl top menu, select U and press Enter.
    The User Validation server submenu appears.
  4. Enter E to specify the hostname of the external server, and press Enter.
  5. Enter primary for the primary server or the hostname of the secondary server, and press Enter.
You have configured the redirection of authentication requests to an external server.
Advanced Availability Configuration
Follow these steps:
  1. Log in to the background server web interface as an administrator.
  2. Select the Administration tab.
  3. Expand Options Manager, Security.
  4. Click the bopauth_nxd_host entry in the Option List.
    The bopauth_nxd_host Options Details page is displayed.
  5. Click Edit.
  6. Select the hostname of the target server from the Option Value drop-down list.
  7. Click Save.
By default, the authentication module runs on the background server.
You have configured the redirection of authentication requests to an external server.
How to Restart the CA SDM Servers
Depending on your CA SDM configuration, perform the following processes:
  • Restart the CA SDM servers in conventional configuration.
  • Restart the CA SDM servers in advanced availability configuration.
Restart the CA SDM Servers in Conventional Configuration
For the conventional configuration, you restart the servers in the following order:
To restart a server, click Start, Settings, Control Panel, Administrative Tools, Services. Right-click the CA SDM Server and select Start.
  1. Restart the secondary server.
  2. Restart the primary server.
Restart the CA SDM Servers in Advanced Availability Configuration
For the advanced availability configuration, we recommend that you restart the CA SDM servers in the following order:
To restart a server, click Start, Settings, Control Panel, Administrative Tools, Services. Right-click the CA SDM Server and select Start.
  1. Restart all Standby Servers.
  2. Start the Old Background Server.
    When you start the background server, it becomes a standby server.
  3. Restart the Less Active Application Server.
  4. Start the Application Server.
  5. Perform the steps 6 and 7 for the other application servers.
Promote the Standby Server as the New Background Server
Before you stop the background server, promote the standby server (that you have upgraded) as the new background server. If Support Automation is installed with CA SDM, notify the active Support Automation users about the background server shutdown.
Follow these steps:
  1. Execute the following command on the background server to notify all active users using Support Automation to save their work:
    sa_server_notifier [-h] | [-q seconds] | [-c]
    • -h
      Displays the help page.
    • -q seconds
      This option notifies a local server (background) to quiesce in a specified time interval. This interval is the number of seconds before the server goes offline. This option cannot be used for a standby server or application server.
    • -c
      This option cancels a previously sent quiesce request.
    A pop-up message is displayed to all the active users using Support Automation. This message notifies the users about the server shutdown and the time that is left before the shutdown. The users must save their work and log out within that scheduled time.
  2. Execute the following command on the standby server that you wish to promote as the new background server:
    pdm_server_control -b
    • -b
      Notifies a local standby server to become the background server. The standby server must already be running. If the server is not running, it is started but no failover is performed; to start a failover, run the command again.
    The background server shuts down automatically and the standby server is promoted as the new background server. This change does not affect the end-user sessions. The in-progress updates (if any) are stored and delayed, until the new background server comes online.
Choose the Less Active Application Server
Choose the application server with the least user activity. Run the following command on each application server to find the one with no or minimal active sessions:
pdm_webstat
This command does not capture the SOAP or REST Web Service sessions.
 
Stop the Other Application Server
You inform all the active users on an application server to move to the less active application server before you stop it. Ensure that you have restarted the less active application server before moving all the users to it.
Follow these steps:
  1. (Recommended) Ask all active Support Automation analysts on the application server that you want to stop to create a ticket in CA SDM with their session information. This process ensures that the session information is not lost. For example, the Support Automation analyst is in a session with a customer to resolve a hardware issue. In such a case, the Support Automation analyst can create an issue in CA SDM with the session information before the application server shuts down.
  2. Send a notification (for example, an email notification) to all the active users on the application server to move to the less active application server that you just restarted. This notification can include the details of the updated application server.
  3. Execute the following command on the application server:
    pdm_server_control [-h] -q interval -s server_name
    • -h
      Displays the help page.
    • -q interval -s server_name
      Notifies a local or remote application server to quiesce in a specified time interval. This interval is the number of seconds before the server goes offline. When using this option without a server_name, the local server is notified to quiesce. This option cannot be used for a background or a standby server.
    A pop-up message is displayed to all the active users on the application server to notify them about the server shutdown and the time left before the shutdown. The users must save their work and log out within that time. The application server stops after the specified time. The users log on to the other application server to resume their work. The Support Automation analyst can refer to the ticket and resume their work.
    The application server is stopped successfully.
Verify the Authentication
Verify the authentication with a user ID that has a corresponding contact record in Windows or CA EEM, based on the authentication type. A successful login indicates that you have successfully moved the authentication module.
Follow these steps:
  1. Launch the browser and enter the CA SDM URL.
  2. Log in to CA SDM with a user name having a corresponding contact record in Windows or CA EEM, based on the authentication type.
If the module has been moved successfully, the Service Desk Home Page opens.