
In CA Directory, the router configuration is not sharing load equally between both Policy Stores.

Question asked by PKSahu on Mar 19, 2018
Latest reply on Mar 20, 2018 by PKSahu

Hi All,


We have two CA Directory instances which we are using as Policy Store and Session Store. To share the load we have configured a router in both CA Directory instances, but in the policy store summary logs we only see that most of the requests are served by the primary policy store, and only at the time of replication do we see requests in the secondary policy store.


Can someone help us identify where we are missing something? Below are the steps we followed:

  1. Make sure the following schema is configured in $DXHOME/config/schema/***.dxg:

    source "x500.dxc";
    source "cosine.dxc";
    source "umich.dxc";
    source "inetop.dxc";
    source "dxserver.dxc";
    source "netegrity.dxc";
    source "nsroaming.dxc";

  2. Create the router DSAs:

    dxnewdsa -t router ****** 11389 "o=***,c=xx"
    dxnewdsa -t router ****** 11489 "o=***,c=xx"


  3. Go to $DXHOME/config/knowledge/***.dxg on both servers and add the 2 new DSAs there. Make sure the router DSAs are mentioned before the data DSAs:

    In router xx01:
    source "xxxx.dxc";
    source "xxxx.dxc";

    In router xx02:
    source "xxxx.dxc";
    source "xxxx.dxc";

  4. In /config/knowledge/<dsa_name>.dxc (also make sure to change the IPs in the ):

    Router DSAs:
    auth-levels   = anonymous, clear-password
    trust-flags   = allow-check-password, trust-conveyed-originator

    Data DSAs:
    auth-levels   = anonymous, clear-password
    dsa-flags     = multi-write, load-share, no-service-while-recovering
    trust-flags   = allow-check-password, trust-conveyed-originator

    In all DSAs:
    address       = tcp "<add localhost IP address>" port #specific port no.


  5. In /config/servers/<dsa_name>.dxi of the router DSAs:

    Router xx01:
    # write-precedence
    set write-precedence = data_DSA01, data_DSA02;

    Router xx02:
    # write-precedence
    set write-precedence = data_DSA01, xxxx02;


  6. In /config/settings/***.dxc:

    # CA Siteminder specific settings
    set mimic-netscape-for-siteminder = true;
    set concurrent-bind-user = <c XX><o xxxxx><ou xxxx><cn admin>;
    set ignore-name-bindings = true;

  7. In /config/limits/***.dxc:

    set max-op-size = 2000;

  8. In /config/servers/, add the following lines to the data .dxi files:

    # cache configuration
    set max-cache-size = 2000;
    set cache-index = all-attributes;
    set lookup-cache = true;

    and comment out the previous cache-index and lookup-cache, and add:

    set wait-for-multiwrite = true;

  9. In /config/servers/<router_dsa_name>.dxi:

    # schema
    source "../schema/***.dxg";

    # knowledge
    clear dsas;
    source "../knowledge/***.dxg";

    # operational settings
    source "../settings/***.dxc";

    # service limits
    source "../limits/***.dxc";

  10. Add the router config in the Policy Server smconsole. In SMCONSOLE we added the policy router DSA name and port no., and each policy router has both data DSA configuration settings, so if a request comes to the 1st policy router it should load-share to both data DSAs configured in it.
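As an added sanity check (example code written for this thread, not CA Directory tooling or the poster's own files), the script below parses constructed knowledge files laid out like the fragments in the post and reports where steps 3 and 4 of the checklist are not met. It assumes the `source "...";` and `dsa-flags = ...` syntax shown above, and that the operator supplies which DSA names are routers.

```python
import re

# Constructed sample knowledge files that mirror the layout in the post above;
# DSA names, addresses and ports are placeholders, not a real deployment.
KNOWLEDGE_DXG = """source "router01.dxc";
source "data01.dxc";
source "router02.dxc";
source "data02.dxc";
"""
DXC_FILES = {
    "router01.dxc": 'set dsa "router01" = { address = tcp "10.0.0.1" port 11389 auth-levels = anonymous, clear-password };',
    "router02.dxc": 'set dsa "router02" = { address = tcp "10.0.0.2" port 11489 auth-levels = anonymous, clear-password };',
    "data01.dxc": 'set dsa "data01" = { address = tcp "10.0.0.1" port 11388 dsa-flags = multi-write, load-share, no-service-while-recovering };',
    "data02.dxc": 'set dsa "data02" = { address = tcp "10.0.0.2" port 11488 dsa-flags = multi-write, no-service-while-recovering };',
}
ROUTER_DSAS = {"router01", "router02"}  # which DSAs are routers is supplied by the operator (assumption)
REQUIRED_DATA_FLAGS = {"multi-write", "load-share"}  # data DSA flags listed in step 4 of the post

def source_order(dxg):
    """Return the .dxc file names in the order the knowledge .dxg sources them."""
    return re.findall(r'source\s+"([^"]+)"\s*;', dxg)

def dsa_flags(dxc):
    """Return the values on a 'dsa-flags = a, b, c' line, or an empty set if the line is absent."""
    m = re.search(r'dsa-flags\s*=\s*([^\n;}]+)', dxc)
    return {f.strip() for f in m.group(1).split(",")} if m else set()

def check_knowledge(dxg, dxc_files, routers):
    """Run the post's checklist; return findings (an empty list means every check passed)."""
    findings = []
    order = [name.removesuffix(".dxc") for name in source_order(dxg)]
    data = [n for n in order if n not in routers]
    # Step 3: every router DSA must be sourced before the first data DSA.
    first_data = min((order.index(d) for d in data), default=len(order))
    for r in sorted(routers):
        if r not in order or order.index(r) > first_data:
            findings.append(f"{r}: router DSA is not sourced before the data DSAs")
    # Step 4: each data DSA's dsa-flags must carry multi-write and load-share.
    for d in data:
        missing = REQUIRED_DATA_FLAGS - dsa_flags(dxc_files[f"{d}.dxc"])
        if missing:
            findings.append(f"{d}: dsa-flags missing {', '.join(sorted(missing))}")
    return findings

if __name__ == "__main__":
    for finding in check_knowledge(KNOWLEDGE_DXG, DXC_FILES, ROUTER_DSAS):
        print(finding)
```

On the constructed sample it flags router02 (sourced after data01) and data02 (no load-share); run it against the real $DXHOME/config/knowledge files to see which of the checklist items is actually met.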