Search

Chapter 5. Optimizing the replica topology

download PDF

A robust replica topology distributes workloads and reduces replication delays. Follow these guidelines to optimize the layout of your replica topology.

5.1. Guidelines for determining the appropriate number of IdM replicas in a topology

Plan IdM topology to match your organization’s requirements and ensure optimal performance and service availability.

Set up at least two replicas in each data center
Deploy at least two replicas in each data center to ensure that if one server fails, the replica can take over and handle requests.
Set up a sufficient number of servers to serve your clients
One Identity Management (IdM) server can provide services to 2000 - 3000 clients. This assumes the clients query the servers multiple times a day, but not, for example, every minute. If you expect frequent queries, plan for more servers.
Set up a sufficient number of Certificate Authority (CA) replicas
Only replicas with the CA role installed can replicate certificate data. If you use the IdM CA, ensure your environment has at least two CA replicas with certificate replication agreements between them.
Set up a maximum of 60 replicas in a single IdM domain
Red Hat supports environments with up to 60 replicas.

5.2. Guidelines for connecting IdM replicas in a topology

Connect each replica to at least two other replicas
This ensures that information is replicated not just between the initial replica and the first server you installed, but between other replicas as well.
Connect a replica to a maximum of four other replicas (not a hard requirement)

A large number of replication agreements per server does not add significant benefits. A receiving replica can only be updated by one other replica at a time and meanwhile, the other replication agreements are idle. More than four replication agreements per replica typically means a waste of resources.

Note

This recommendation applies to both certificate replication and domain replication agreements.

There are two exceptions to the limit of four replication agreements per replica:

  • You want failover paths if certain replicas are not online or responding.
  • In larger deployments, you want additional direct links between specific nodes.

Configuring a high number of replication agreements can have a negative impact on overall performance: when multiple replication agreements in the topology are sending updates, certain replicas can experience a high contention on the changelog database file between incoming updates and the outgoing updates.

If you decide to use more replication agreements per replica, ensure that you do not experience replication issues and latency. However, note that large distances and high numbers of intermediate nodes can also cause latency problems.

Connect the replicas in a data center with each other
This ensures domain replication within the data center.
Connect each data center to at least two other data centers
This ensures domain replication between data centers.
Connect data centers using at least a pair of replication agreements
If data centers A and B have a replication agreement from A1 to B1, having a replication agreement from A2 to B2 ensures that if one of the servers is down, the replication can continue between the two data centers.

5.3. Replica topology examples

You can create a reliable replica topology by using one of the following examples.

Figure 5.1. Replica topology with four data centers, each with four servers that are connected with replication agreements

A diagram showing 4 data centers - Geo 1 through 4. Each data center has four servers connected to each other with replication agreements. There are also replication agreements connecting two servers from Geo 1 to two servers in Geo 2. This pattern continues with two servers in Geo 2 connected to two servers in Geo 3 and two servers in Geo 3 connected to Geo 4. This connects each data center so each server is at most 3 hops away from another Geo.



Figure 5.2. Replica topology with three data centers, each with a different number of servers that are all interconnected through replication agreements

A diagram showing 3 data centers: Geo 1 has 5 servers each connected to the other - Geo 2 has two servers connected to each other - Geo 3 has 3 servers connected in a triangle. There are 2 connections from each Geo connecting two of its servers to 2 servers in the next Geo.

5.4. Uninstalling the IdM CA service from an IdM server

If you have more than four Identity Management (IdM) replicas with the CA Role in your topology and you run into performance problems due to redundant certificate replication, Red Hat recommends that you remove redundant CA service instances from IdM replicas. To do this, you must first decommission the affected IdM replicas completely before re-installing IdM on them, this time without the CA service.

Note

While you can add the CA role to an IdM replica, IdM does not provide a method to remove only the CA role from an IdM replica: the ipa-ca-install command does not have an --uninstall option.

Prerequisites

  • You have the IdM CA service installed on more than four IdM servers in your topology.

Procedure

  1. Identify the redundant CA service and follow the procedure in Uninstalling an IdM server on the IdM replica that hosts this service.
  2. On the same host, follow the procedure in Installing an IdM server: With integrated DNS, without a CA.

5.5. Additional resources

Red Hat logoGithubRedditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

© 2024 Red Hat, Inc.