SiteMinder trusted host registration in dynamically scaled environment

Question asked by dmt953 on May 7, 2018
Latest reply on May 15, 2018 by dmt953

We are moving our web applications onto the AWS cloud with a dynamically scaled environment, meaning that the servers could be deleted or created as needed based on application traffic demands. Each time a server is "created", an automation script is run to build the entire server stack, including the installation of the Apache web server along with SiteMinder web agent installation and configuration.

Where we are running into issues here is the registration of the Linux trusted host to the policy server. We found this documentation: https://docops.ca.com/ca-single-sign-on/12-6-01/en/configuring/policy-server-configuration/agents-and-agent-groups/use-web-agent-in-dynamically-scaled-environment/ that describes a solution for this scenario, but it seems a bit complicated and involves coding.

This is our proposed idea:

We would have up to three different Linux servers/trusted hosts for a given application, but at times we would delete one or two servers and then build new servers up on the fly when application traffic demand is high. Our question here is that if we plan to have a maximum of three (3) Linux servers/trusted hosts for an app, then we would use only three trusted host names to be registered to the policy server, meaning that Linux server #1 will always be assigned to a trusted host name "server-1-trusted_host", so that if this server is deleted and then later re-created, it will always use this smreghost command: /etc/siteminder/webagent/bin/smreghost -i [linux-server-hostname] -u siteminder -p [pw] -hn server-1-trusted_host -hc smpolicyserver_hco -o

Next week this server may be deleted and the trusted host "server-1-trusted_host" would be an orphaned object in SMPS, but later when the server is created again we would run the exact same smreghost command to overwrite the existing trusted host that is already registered on SMPS. Likewise for "server-2-trusted_host" and "server-3-trusted_host": each of those servers will always use its specific smreghost command, which will always assign the same trusted host name for the policy server.

The reason why we want to post this to the community is to see if folks would approve this approach and foresee any potential issues.

Much thanks in advance for your input!
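
The fixed-name scheme proposed in the question, sketched as a provisioning helper. This is an added example, not part of the original post and not CA's code. The variable names SLOT, SM_PW_FILE and DRY_RUN are assumptions; the smreghost path, flags and names are the ones quoted in the post.

```shell
#!/bin/sh
# Added example, not from the original post. SLOT, SM_PW_FILE and DRY_RUN
# are assumed names; the smreghost path and flags are the ones in the post.
SMREGHOST=/etc/siteminder/webagent/bin/smreghost

# Map a slot (1..3) to its fixed trusted host name. Anything else is rejected
# so the set of registered names stays at the three planned ones.
trusted_host_name() {
    case "$1" in
        1|2|3) printf 'server-%s-trusted_host\n' "$1" ;;
        *) echo "slot '$1' is not one of 1, 2, 3" >&2; return 1 ;;
    esac
}

# Register (or, because of -o, overwrite) the trusted host for one slot.
# $1 = slot, $2 = value the post passes to -i, $3 = file holding the password.
register_trusted_host() {
    name=$(trusted_host_name "$1") || return 1
    [ -r "$3" ] || { echo "cannot read password file $3" >&2; return 1; }
    if [ "${DRY_RUN:-0}" = 1 ]; then
        # Print the command for the build log with the password masked.
        printf '%s -i %s -u siteminder -p %s -hn %s -hc smpolicyserver_hco -o\n' \
            "$SMREGHOST" "$2" '[redacted]' "$name"
        return 0
    fi
    # -p places the password in this process's argument list while it runs.
    "$SMREGHOST" -i "$2" -u siteminder -p "$(cat "$3")" \
        -hn "$name" -hc smpolicyserver_hco -o
}

# Called by the build automation, e.g. SLOT=1 SM_PW_FILE=/path/to/pw sh register.sh
if [ -n "${SLOT:-}" ]; then
    register_trusted_host "$SLOT" "$(hostname)" "${SM_PW_FILE:?set SM_PW_FILE}"
fi
```

With DRY_RUN=1 the helper only prints the masked command, which is useful for checking which slot name a rebuilt instance would overwrite before it touches the policy server.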
