replica of the partition on the Identity Manager node in the cluster that you are using to create the
User Synchronization driver. If you create multiple User Synchronization drivers, each of the
clusters involved must have a read/write replica of that User object container. An alternative
approach when using a single User Synchronization driver is to make the eDirectory master server
be a node in the cluster, install Identity Manager on that same node, then use that cluster when
creating a User Synchronization driver. In this case, you do not need to create the User object
container and to add server replicas.
The BCCAdmin user needs administrator rights in the container where the User objects reside so
that User objects can be synchronized between eDirectory trees. For information, see
Section 4.1.5, "Novell eDirectory 8.8," on page 40.
B.1.3 SSL Certificates for Drivers
In a multiple-tree business continuity cluster, you should create separate SSL certificates for the
Cluster Resource Synchronization driver and for the User Object Synchronization driver. We
recommend that you create SSL certificates for your business continuity cluster to support secure
data transfers between eDirectory trees. BCC works without the SSL certificates, but the
transfers between trees are then not secured by SSL certificates.
You create one certificate for each of the driver pairs if the data flow is unidirectional. Two
certificates are required if the data flow for the driver is bidirectional (one certificate for each
direction). For example, create one SSL certificate for data flowing from TreeA to TreeB and a
second SSL certificate for data flowing from TreeB to TreeA.
For security reasons, you should create or use a certificate other than the default (dummy)
certificate (BCC Cluster Sync KMO) that is included with BCC.
B.2 Using Identity Manager to Copy User Objects to Another eDirectory Tree
The procedures explained in this section are normally performed after meeting
"Requirements for BCC 1.1 SP2 for NetWare" on page 37.
The Identity Manager eDirectory driver has a synchronization feature that copies objects that exist
in one tree to another tree where they don't exist. For business continuity clusters, this feature can be
used to copy User objects from one cluster to another cluster in a separate eDirectory tree. For
example, if you have one tree that has 10,000 users and a second new tree that does not yet have
users defined, you can use Identity Manager to quickly copy the 10,000 users to the new tree.
For more information on copying User objects by using Identity Manager, see "Migrating or
Copying User Objects"
(http://www.novell.com/documentation/idmdrivers/index.html?page=/documentation/idmdrivers/edirectory/data/brj81j4.html)
in the Identity Manager Driver for eDirectory Implementation Guide.
B.3 Configuring User Object Synchronization
If the clusters in your business continuity cluster are in separate eDirectory trees and you require
user-based access control, then User object synchronization is required.
128 BCC 1.1 SP2: Administration Guide for NetWare 6.5 SP8