Authentication Manager agent / server contact list and the sdconf.rec file
Authentication Manager Version 8.x all versions, and all agent versions
How to control and verify the Authentication Manager server contact list, either to restrict certain agents to specific AM servers (primary or replicas), or to make all currently available AM servers (primary and replicas) available for authentication.
1. Manually create a new Server Contact List and add specific servers to that list
2. Configure Agent Attributes to use this Server Contact List
3. Optionally 'automatically' update the default Server Contact List
4. Optionally verify that your sdconf.rec file has all of your servers
1. Manually create a new Server Contact List and add specific servers to that list
In the Security Console, go to Access - Authentication Agents - AM Contact List - Add New. Select the specific AM servers you want in this list, then Save.

2. Configure Agent Attributes to use this Server Contact List
In the Security Console, edit your agent so that it uses only this new Server Contact List. The agent will then send authentication requests only to the AM servers in its Server Contact List.

3. Optionally 'automatically' update the default Server Contact List
Often it makes more sense to let all or most agents find and use any and all AM servers, even after new servers have been added and older servers decommissioned and removed. Use the Automatic Rebalance option in the Security Console - Access - Authentication Agents - AM Contact List - Automatic Rebalance.

4. Optionally verify that your sdconf.rec file has all of your servers
Open your sdconf.rec file in Notepad++ to view it, and check that every AM server you expect appears in it.
Even if you are still using your original sdconf.rec files and your AM servers have come and gone, as long as you run Automatic Rebalance every now and again your agents will find your AM servers for authentication.
We did see a unique situation that highlights how sdconf.rec works. A customer had a single primary, so the sdconf.rec and the Server Contact List had one entry, with one name and one IP address. Authentication was working, but the customer then changed the primary's IP address in the Operations Console. After this change, the agents could no longer find the primary, since its IP address no longer matched what the agent knew from its sdconf.rec file, and there was no replica to tell the agent about the change. The primary was a single point of failure.
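The manual check in step 4 and the stale-IP failure described above can be scripted. The following is an added example, not part of this article or of any RSA tool; it assumes (as the Notepad++ check implies) that server names and addresses are stored in sdconf.rec as printable ASCII runs, and the sdconf.rec bytes, hostnames and addresses used here are constructed placeholders.

```python
import re

# Constructed stand-in for a real sdconf.rec: printable hostnames and IPv4
# strings embedded between non-printable bytes. Assumption (not from the
# article): entries are visible as NUL-terminated ASCII, as in Notepad++.
SAMPLE_SDCONF = (
    b"\x00\x01\x02"
    + b"am-primary.example.com\x00" + b"\x00" * 4
    + b"192.0.2.10\x00" + b"\xff\xfe"
    + b"am-replica1.example.com\x00" + b"\x00" * 4
    + b"192.0.2.11\x00"
)

PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")          # 4+ printable bytes
IPV4 = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")


def load_sdconf(path):
    """Read a real sdconf.rec from disk (binary) for use with the functions below."""
    with open(path, "rb") as fh:
        return fh.read()


def extract_entries(blob):
    """Return {'hosts': set, 'ips': set} of server-looking strings in the blob."""
    hosts, ips = set(), set()
    for match in PRINTABLE_RUN.finditer(blob):
        token = match.group().decode("ascii")
        if IPV4.match(token):
            ips.add(token)
        elif "." in token:            # hostname-like token (has a domain part)
            hosts.add(token)
    return {"hosts": hosts, "ips": ips}


def check_contact_list(blob, expected):
    """Compare expected {hostname: ip} against what the sdconf.rec carries.

    'missing'  = expected servers the agent does not know about at all
    'stale_ip' = servers present by name whose expected IP is absent, i.e. the
                 article's failure mode (primary IP changed, agent has old one)
    """
    found = extract_entries(blob)
    missing = sorted(h for h in expected if h not in found["hosts"])
    stale_ip = sorted(h for h, ip in expected.items()
                      if h in found["hosts"] and ip not in found["ips"])
    return {"missing": missing, "stale_ip": stale_ip, "found": found}
```

Run `check_contact_list(load_sdconf("sdconf.rec"), {...})` with your own server-to-IP mapping; a non-empty `missing` means the agent needs an updated contact list or an Automatic Rebalance, and a non-empty `stale_ip` means the agent still holds an address that was changed on the server side.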