Cloning SiteMinder Policy Server VM

Idea created by Hubert Dennis Employee on Nov 11, 2014
    Not planned

    I was working with one of CA's Internal SaaS Hosting Product Team and a question that arose was "Does SiteMinder Support Cloning on VM". The Customer had Policy Servers deployed on VM Machines in a hosted platform.

    Use Case: Whether cloning a SiteMinder Policy Server VM and having both VMs running against the same Policy Store is supported or not.

    Use Case Initiators:

    1. Customer has multiple data centers across the globe. Customer would like to install and configure once within a data center and then use that as a template to deploy on other new hardware for resilience and load balancing within the data center. Customer does not need to start installing on every server from scratch.
    2. In case of a traffic upsurge or performance failure, the customer can spawn a new server in a matter of minutes and add it to the pool of active servers. Less manual intervention and more efficiency in deployment.
    3. Customer is looking at only using cloning across Production Infrastructure.
    4. Customer is looking for Server level cloning, hence only one Policy Server instance per Server.

    Here are my views on this.

    • Theoretically this should work from the Policy Server perspective, because cloning means that when a template is loaded into a VM, the product is typically in the same path, with the same files, the same encryption key file, and pointing to the same store.
    • Where this could fail for certain is RM / Advanced Auth. The RM Service does the host registration on each machine and creates its own HCO object as part of the Policy Server configuration process. Hence we need to investigate here whether we could support cloning.
    • Where this could possibly fail is the WAM UI. Again, this needs some investigation.
    • We may need to support cloning as it also internally helps us maintain copies of VM templates. We could also extend this to customers sharing their VM template: we just deploy the template in-house and are ready to go for the most part (though a few manual tweaks may be needed).

    Other areas of discussion with PM are captured below.


    [PM] : VM clone to run on same hardware instance or to move to other hardware instances.

    [HUBERT] I think we should start with at least supporting one Policy Server instance per VM to be cloned.


    [PM] : VM cloning to move from dev to test to prod.

    [HUBERT] I think we should at least start looking at cloning using the same PStore instance, i.e. cloning only in production or cloning only in pre-production.


    [PM] : “data centers across the globe”, “deploy on new hardware within the data center”… so will they create a data-center-specific template for each data center?

    [HUBERT] Yes. There is a reason for doing so: the template for a particular data center would then point locally to its own Policy Store as primary.

    However, the application is going to be hosted across 4 or 5 data centres (US East Coast, US West Coast, Europe, Australia and one more in APAC). Now if all data centres pointed to the same Policy Store then one template would suffice; doing that invariably means some DCs would have templates whose policy store sits continents away. Hence one template per data centre is advised (the key is one template for all Policy Servers pointing to one Policy Store structure, e.g. primary PStore, secondary PStore).


    [PM] Admin UI – will it be able to, or will there be a need for the Admin UI to, connect to the new PS instance?

    [HUBERT] No. Cloning is primarily to serve end-user traffic, so the primary object is the Policy Server only. If the WAM UI is needed we should have a different enhancement with a reference to the Policy Server enhancement.


    [PM] How will SM Agents know new Policy Servers are available to deal with load?

    [HUBERT] Here is where 2 of our critical features would come into play: the Clustered HCO object and the DynamicHCO parameter. Clustered HCO would help us manage the addition in the right proportion and hierarchy. DynamicHCO would tell Web Agents that a new Policy Server has been added or removed without having to restart (one restart would be needed after we enable the DynamicHCO parameter; after that, no restarts for addition / removal of Policy Server hosts).


    [PM] Are there other end point configuration items to think through (e.g. the session assurance server in SPS… how is it configured to talk to a Policy Server and how will a new instance of PS be known to it?)

    [HUBERT] Same as above. The FlowApp on SPS, other apps in SPS which use their own SmHost.conf, or for that matter any SiteMinder client component which does not honor “DynamicHCO”, need to be listed clearly.


    Finally, in my view it should be added, because in today’s world of virtualization the question is what the level of acceptance for “Cloning” is. If I read the business news on virtualization, cloning is referred to as taking virtualization to the next level. I always hear the criticism from both internal and external peers that SiteMinder is heavyweight. In the world of cloud computing, how do we make such a heavyweight champion fit in? I think VM cloning is one step that could benefit SiteMinder in tremendous ways.