Best Practices with ACS Replication & External Databases

I am looking for a best practice for the following scenario:
2 ACS Servers in 2 separate locations, each providing mutual backup to each other - i.e. all devices/users in Site X point to local ACS Server X 1st and remote ACS Server Y 2nd. In Site Y the devices/users point to the local ACS Server Y 1st and remote ACS Server X 2nd. This works fine; currently Server X replicates the Database to Server Y.
In the future we will be implementing a remote LDAP database and will forward unknown users to this database for authentication. As I understand it, if an unknown user exists in the LDAP database then the ACS Server will create a local account (depending on the mapping policy etc.) and point the password at the remote LDAP server. If we replicate from Server X to Server Y, but Server Y has created an account for an unknown user, will this get deleted on replication? Is there a best practice to handle this scenario?
Andy

I could not find a best practices document as such but a lot of ground is covered in the document 'CiscoSecure Database Replication' at http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs33/user/sad.htm#wp755988.

Similar Messages

  • Issues with ACS replication

    We have 2 ACS appliances that are separated by a WAN.
    Both appliances are at the same software version and I have replication set up per Cisco's (as well as others') directions.
    When I run replication, I get the error "Cannot replicate to 'ciscoacs2' - server not responding".
    If I try replication in the other direction, I get the same error.
    I can ping both appliances and access the web interface from both subnets.
    There is a firewall between them, but I have port 2000 open and I do not see any other deny messages relating to the ACS replication in the firewall logging.
    I ran a sniffer on the receiving appliance's port and got the following:
    10.127.101.5 10.127.80.63 TCP evb-elm > cisco-sccp [SYN] Seq=0 Win=65535 Len=0 MSS=1380
    10.127.101.5 10.127.80.63 TCP evb-elm > cisco-sccp [ACK] Seq=1 Ack=1 Win=65535 Len=0
    10.127.80.63 10.127.101.5 TCP cisco-sccp > evb-elm [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
    10.127.101.5 10.127.80.63 TCP evb-elm > cisco-sccp [RST] Seq=25 Win=0 Len=0
    10.127.80.63 10.127.101.5 TCP [TCP Dup ACK 1515#1] cisco-sccp > evb-elm [ACK] Seq=1 Ack=1 Win=65535 Len=0
    Logging on the devices themselves is terrible, so I really have no idea what would be causing replication to fail.
    Thanks.
    Jason

    One update if it will help. I've been doing some research and I found that ACS replication doesn't like NAT and replication will fail if the IP address is changed through NAT.
    While NAT is running on the firewall that our ACS appliance is behind, there is a static mapping to basically keep the NAT address the same. So NAT is being applied, but NAT is just giving it the same address.
    I don't know if the NAT process is what's causing the problem? Based on the sniff I posted earlier, the source address of 101.5 is the IP of the ACS appliance.
    Taking the device out from behind the firewall could be an option, but it would be a last resort because we would then need to reconfigure all of our equipment to point to the new address, and we have a lot of equipment.
    Thanks.
    Jason

  • Problem with ACS 4.2 Database replication

    Greetings,
    I am not able to replicate Database between two ACS SE 4.2. I am getting the following error:
    Inbound database replication from ACS 'ACS_BEX_001' denied - shared secret mismatch.
    The configuration apparently is ok. I am attaching the configuration from both ACS.

    The solution posted by Nevin is correct, but I must add some explanations. I had the problem yesterday and I proceeded as Nevin told:
    - I connected to the console and made a "show".
    - The IP was the correct one, but as indicated I made a "set ip".
    - The system asked for the new IP, showing the old one between brackets, i.e. "New IP [10.10.10.1]:"
    - I pressed Enter, because the IP is correct.
    - After confirming the IP, mask, gateway and DNS the system asked me to verify connectivity. I did it and it was correct.
    - The second time it asked to check connectivity I answered No, and nothing happened.
    - We checked through the web but the "Self" IP was still 127.0.0.1.
    - So I did the process again BUT this time I changed the IP to another one. After finishing (when I answered No to check connectivity) I saw that the system was stopping all ACS processes and starting them again.
    - In the web page the "Self" IP was the new one.
    - I did the process again, changing the IP to the original one. This time also the system stopped and started all processes.
    - In the web page the "Self" IP was correct.
    - Now the replication worked correctly.
    So the problem was that the system is "intelligent" and if it discovers that you don't change the IP (even if you change the DNS), it doesn't reconfigure it. So you must change to another IP (even a dummy one) and then change again to the correct one.
    I hope this can help other people.

  • Best practices regarding Internal and External access to SIM

    Currently we have two separate Active Directories, one internal and one in the DMZ, and plan to have one SIM on a segmented network allowing access for our internal users directly to the SIM UI and external users through portlets that talk to SIM.
    The external AD hosts some internal users that also need access to the DMZ applications, so we can save effort in managing two separate SIM environments in development, tests, upgrades, unique UID etc.
    What are the best practices on the market: is the preferred choice only one SIM, or one SIM internally and one SIM in the DMZ hosting suppliers, customers etc.?
    With a single SIM environment, are you allowing internal users accessing SIM from the Internet to change their internal AD password, or have you restricted the functionality in some way for internal users accessing SIM from the Internet?
    How about challenge response questions: are you allowing users to have the same both internally and externally, or set up different ones for different user interfaces?
    Anyone willing to share how your environment is set up for internal and external access?

    Yes, for handling the access to the SIM we probably need to look into some kind of access management solution to get it to work in a secure way.
    The question is a bit complex with many different factors controlling the outcome of the SIM implementation, but I hope to get some ideas from this thread on how we can solve it.
    The question still remains whether it's common to have one or two SIMs and what internal users are allowed to do in SIM from the Internet.
    E.g. are internal users allowed to change their password in the internal Active Directory through SIM from the Internet, or what have others done to limit the functionality?

  • Getting started/best practices with iPhoto?

    I have a messy Pictures folder and once the files were imported into iPhoto it became apparent just how messy...
    I would like guidance as to the best approach to organizing the mess.
    I am considering:
    1) delete the Original Import Folder as suggested fixes in Discussions here
    2) review and remove unwanted Pictures in "Pictures" folder using Finder.
    3) reimporting "Originals Folder" gets me my old files back doesn't it?
    4) Editing Library in iPhoto leaves my Pictures folders in a mess??
    The direction I think is right is to:
    a: First reorganize/edit photos & folders in Pictures.
    b: Import all folders from Pictures, (which it doesn't look like was Originally done) currently missing photos.
    c: remove & save the files from Pictures to External HD
    d: Better understand importing and organizing future material.
    What I am concerned about is how to accomplish step b: given my current state.
    your help is most appreciated.
    janice

    The iPhoto library always keeps the original photo plus the latest modified version (if one exists).
    Whatever you do, don't ever mess with the innards of the iPhoto library. You can move it as a unit and copy to CD/DVD as a unit but don't ever take it apart. If any photos exist anywhere OUTSIDE OF THE LIBRARY, then they are truly unnecessary dupes.

  • Xml driver used with a teradata external database

    hi everyone,
    I would like to use the db_props feature within the xml driver to create the xml schema inside a teradata database. With some oracle examples, the JDBC URL looks like this :
    jdbc:snps:xml?f=../demo/xml/xxx.xml&s=XXX&dod=true&iue=true&dp_driver=com.ncr.teradata.TeraDriver&dp_url=jdbc:teradata://localhost/TMODE=ANSI,CHARSET=UTF8&dp_user=xxx&dp_password=xxx&dp_schema=xxx
    And this returns the following error :
    java.sql.SQLException: Unsupported technology (Driver: com.teradata.jdbc.TeraDriver, Url: jdbc:teradata://localhost/TMODE=ANSI,CHARSET=UTF8)
    Do you know how I can solve this ? Thanks

    Hi,
    For a customer Entity Framework integration, it is beyond the scope of our support.
    This forum is related to the current versions of the ADO.NET Entity Framework and LINQ to Entities including object-relational mapping and entity data modeling.

  • ACS and external database

    Please, I have a domain which my ACS on a Windows 2000 server is part of. I am trying to point the ACS to the user database on Windows; please tell me the basic config. If you must refer me to a user guide, please tell me the part and page.

    Here is the link.
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/installation/guide/windows/postin.html#wp1041202
    The account running acs services should be a part of domain admin group.
    Regards,
    ~JG
    Do rate helpful posts

  • API for connecting  to an external database object

    Hi,
    Can anyone provide me with the API for connecting to the external database table and to create , update and delete data with an Oracle external database object.
    Wish you great time.
    Best Regards
    Sid

    Questions like yours are best asked over at the webOS Developer's Forum.  The Palm Support Community here is geared to answering end-user questions about devices, not programming information.
    https://developer.palm.com/
    WyreNut
    I am a Volunteer here, not employed by HP.

  • Basics: Best practice when using a thesaurus?

    Hi all,
    I currently use a function which returns info for a search on our website, the function is used by the java code to return hits:
    CREATE OR REPLACE FUNCTION fn_product_search(v_search_string IN VARCHAR2)
    RETURN TYPES.ref_cursor
    AS
        wildcard_search_string VARCHAR2(100);   -- declared but not used below
        search_results         TYPES.ref_cursor;
    BEGIN
        OPEN search_results FOR
            SELECT DCS_PRODUCT.product_id,
                   DCS_CATEGORY.category_id,
                   hazardous,
                   direct_delivery,
                   standard_delivery,
                   DCS_CATEGORY.short_name,
                   priority
              FROM DCS_CATEGORY,
                   DCS_PRODUCT,
                   SCS_CAT_CHLDPRD
             WHERE NOT DCS_PRODUCT.display_on_web = 'HIDE'
               -- Oracle Text query; label 0 is referenced by SCORE(0) in the ORDER BY
               AND CONTAINS(DCS_PRODUCT.search_terms, v_search_string, 0) > 0
               AND SCS_CAT_CHLDPRD.child_prd_id = DCS_PRODUCT.product_id
               AND DCS_CATEGORY.category_id = SCS_CAT_CHLDPRD.category_id
             ORDER BY SCORE(0) DESC,
                      SCS_CAT_CHLDPRD.priority DESC,
                      DCS_PRODUCT.display_name;
        RETURN search_results;
    END;
    I want to develop this function so that it will use a thesaurus in case of no data found.
    I have been trying to find any documentation that might discuss 'best practice' for this type of query.
    I am not sure if I should just include the SYN call in this code directly or whether the use of the thesaurus should be restricted so that it is only used in circumstances where the existing function does not return a hit against the search.
    I want to keep overheads and response times to an absolute minimum.
    Does anyone know the best logic to use for this?

    Hi.
    You want so much ("... absolute minimum for response time...") from Oracle Text on 9.2.x.x.
    First, text queries on 9.2 are much slower than on 10.x. Second, it is a bad idea to try to call query expansion functions directly from the application.
    My own experience:
    The best practice with thesauri usage is:
    1. Write a good search string parser which adds thesaurus expansion functions (like NT, BT, RT, SYN...) directly in the result string passed through to the DRG engine.
    2. Use effective text queries: do not use direct or indirect sorts (the hint DOMAIN_INDEX_NO_SORT can help).
    3. Finally, write effective application code. The code you show is inefficient.
    Hope this helps.
    WBR Yuri
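Yuri's point 1 (build the search string, including any thesaurus expansion, in a parser before it reaches the CONTAINS() call in the function above) as an added Python example; this is not code from the thread. It brace-escapes every user-supplied term so Oracle Text operator characters in user input cannot alter the query, and only adds SYN() expansion on the retry-after-no-hit path the original poster asked about; the thesaurus name is an assumed placeholder.

```python
"""Search-string builder for the CONTAINS() call in fn_product_search: an
added illustration of the 'parser adds expansion functions' approach, not
code from the thread. Terms are brace-escaped so operator characters typed
by a user (&, |, ~, $, ?, parentheses, ...) are literal text instead of
query syntax, and SYN() is added only when the caller asks for it."""
import re

THESAURUS = "PRODUCT_THES"   # placeholder thesaurus name, not from the thread
PLAIN_TOKEN = re.compile(r"^[A-Za-z0-9]+$")


def escape_term(term: str) -> str:
    """Wrap a term in braces (Oracle Text escape) and backslash-escape the
    characters that would otherwise end the escaped section early."""
    return "{" + term.replace("\\", "\\\\").replace("}", "\\}") + "}"


def build_search_string(user_input: str, expand: bool = False,
                        thesaurus: str = THESAURUS) -> str:
    """Turn raw user input into a CONTAINS() query string, terms joined with &.
    With expand=True, purely alphanumeric terms are wrapped in
    SYN(term, thesaurus); anything else stays a brace-escaped literal so no
    operator can be smuggled into the SYN() argument."""
    terms = [t for t in re.split(r"\s+", user_input.strip()) if t]
    if not terms:
        raise ValueError("empty search string")
    parts = []
    for term in terms:
        if expand and PLAIN_TOKEN.match(term):
            parts.append(f"SYN({term}, {thesaurus})")
        else:
            parts.append(escape_term(term))
    return " & ".join(parts)


def search_with_fallback(run_query, user_input: str) -> tuple:
    """run_query(search_string) -> list of hits. The thesaurus query is only
    built and run when the cheap plain query returns nothing, which keeps
    the common path at one Oracle Text query."""
    hits = run_query(build_search_string(user_input))
    if hits:
        return "plain", hits
    return "thesaurus", run_query(build_search_string(user_input, expand=True))
```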

  • ACS 4.2 appliance external database configuration with AD

    Dear All,
    How to configure an external database in an ACS 4.2 appliance for Windows Active Directory? Active Directory is configured on Windows 2012. The ACS internal database is working fine without interruption. What configuration is required to configure an external database (Active Directory)? It would be highly appreciated if you share your experience with me.
    Thanks,
    AS

    Please check
    Supported Interoperable Devices and Software Tables for Cisco Secure ACS Release 4.2
    http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4-2/device/guide/sdt42.html

  • Best practices for replication

    Hi,
    I want to know what the best practice is for the duration of replication of the database between two Cisco ACS.
    Regards,
    Atif.

    Hi Atif,
    The replication time interval should always be higher.
    Reason: Every time you replicate the data it requires ACS services to restart, so doing this frequently may affect your production environment.
    However, if you want to replicate internal users' passwords then there is an option to replicate password changes right away without a full replication. You can enable this option under System Configuration -> Local Password Management. With this enabled you could potentially set the replications to a larger interval.
    It also depends how often you make changes in your ACS. If it's normal then I would say set it to every Sunday 12:00 PM.
    This is how replication happens:
    The primary ACS stops its authentication and creates a copy of the ACS internal database components that it is configured to replicate. During this step, if AAA clients are configured properly, those that usually use the primary ACS fail over to another ACS. The primary ACS resumes its authentication service.
    After the preceding events on the primary ACS, the database replication process continues on the secondary ACS. The secondary ACS stops its authentication service and replaces its database components with the database components that it received from the primary ACS. During this step, if AAA clients are configured properly, those that usually use the secondary ACS fail over to another ACS. The secondary ACS resumes its authentication service.
    HTH
    Regards,
    JK
    Plz rate helpful posts-
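The replication sequence in the reply above, combined with the original question about accounts that the unknown-user policy creates on the secondary and the known-user rule quoted in the "ACS external database issue" thread, as an added Python model; it is not code from the thread or from Cisco. The client fail-over order, the "dynamic" flag and the directory contents are assumptions of the model. Because the secondary replaces its database components as a unit rather than merging them, an account created on the secondary by the unknown-user policy disappears on the next full replication and is only re-created when that user next logs in there.

```python
"""Toy model of ACS database replication and the unknown-user policy, built
from the behaviour described in the thread. Added illustration, not Cisco
code: component layout, the 'dynamic' flag and fail-over order are assumed."""
from dataclasses import dataclass, field


@dataclass
class User:
    name: str
    database: str          # "CiscoSecure" or the external DB the password lookup points at
    dynamic: bool = False  # created automatically by the unknown-user policy


@dataclass
class Acs:
    name: str
    users: dict = field(default_factory=dict)                # the user/group component
    unknown_user_policy: list = field(default_factory=list)  # external DBs tried, in order
    serving: bool = True   # False while replication has stopped the auth service

    def authenticate(self, name: str, external_dbs: dict) -> str:
        """Return the name of the database that handled the request, or 'unknown'."""
        if not self.serving:
            raise RuntimeError(f"{self.name} is not serving; the AAA client must fail over")
        known = self.users.get(name)
        if known is not None:
            # A known user is checked only against the single database it is
            # associated with; the unknown-user policy is never consulted for it.
            return known.database
        for db in self.unknown_user_policy:
            if name in external_dbs.get(db, set()):
                # Found via the unknown-user policy: create a local account whose
                # password lookup points at the external database.
                self.users[name] = User(name, db, dynamic=True)
                return db
        return "unknown"


def replicate(primary: Acs, secondary: Acs) -> list:
    """Full replication as described above: the primary stops serving, snapshots
    its components and resumes; the secondary stops serving, REPLACES its
    components with the snapshot (no merge) and resumes. Returns the events."""
    events = []
    primary.serving = False
    events.append(f"{primary.name} stops authentication; its clients fail over")
    snapshot = {n: User(u.name, u.database, u.dynamic) for n, u in primary.users.items()}
    primary.serving = True
    events.append(f"{primary.name} resumes")
    secondary.serving = False
    events.append(f"{secondary.name} stops authentication; its clients fail over")
    secondary.users = snapshot
    secondary.serving = True
    events.append(f"{secondary.name} resumes")
    return events


def client_authenticate(servers: list, name: str, external_dbs: dict) -> tuple:
    """AAA client behaviour: try the servers in configured order, skipping one
    whose authentication service is currently stopped."""
    for acs in servers:
        if acs.serving:
            return acs.name, acs.authenticate(name, external_dbs)
    return None, "no server available"


def scenario() -> dict:
    """Two sites as in the original question: site-Y clients prefer ACS-Y, and
    an LDAP-only user ('alice', constructed) first logs in at site Y."""
    ldap = {"LDAP": {"alice"}}   # constructed external directory contents
    x = Acs("ACS-X", unknown_user_policy=["LDAP"])
    y = Acs("ACS-Y", unknown_user_policy=["LDAP"])
    first = client_authenticate([y, x], "alice", ldap)    # ACS-Y creates alice dynamically
    before = ("alice" in y.users, "alice" in x.users)     # (True, False)
    replicate(x, y)                                        # X -> Y full replication
    after = "alice" in y.users                             # dynamic account is gone
    second = client_authenticate([y, x], "alice", ldap)   # re-created on next login
    return {"first": first, "before": before, "after_replication": after,
            "second": second, "recreated_dynamic": y.users["alice"].dynamic}
```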

  • ACS external database issue

    Hi
    I have the following issue: the user exists on both the ACS and the token server, authentication is set to the external database with no unknown user policy as the user is known to the ACS! This fails authentication; the error message is CS user unknown... Now if the unknown user policy is set to the external database the authentication works fine. This is on 3.3. I have checked for bugs to no avail.
    Any assistance would be good...
    Thanks MJ

    Hi JG
    Many thanks for your response, it is configured this way due the documentation below:
    Known Users - Users explicitly added, either manually or automatically, into the CiscoSecure ACS database.
    These are users added through User Setup in the HTML interface, by the RDBMS Synchronization feature, by the Database Replication feature, or by the CSUtil.exe utility. For more information about CSUtil.exe, see "CSUtil Database Utility".
    CiscoSecure ACS attempts to authenticate a known user with the single database that the user is associated with. If the user database is the CiscoSecure user database and the user does not represent a Voice-over-IP (VoIP) user account, a password is required for the user. If the user database is an external user database or if the user represents a VoIP user account, CiscoSecure ACS does not have to store a user password in the CiscoSecure user database.
    This is from the following link....
    http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs32/user/qu.htm
    Many thanks MJ

  • Connecting AIR with external database

    Is it possible to connect AIR application to the external database in MySQL technology?

    Are you trying to connect to a MySQL database on a web server somewhere? If so, by far the easiest way to do so is to use some sort of application server layer (e.g. PHP, ColdFusion, Java) on the web server, and have the AIR application call the PHP (or whatever) code to get the data. That is the approach that all the links Greg has given you are talking about.
    Of course, in order to make that work you need to know enough PHP/Java/ColdFusion to write that middle layer. In the example you're asking about, the information it wants to know is the name of the server that the MySQL database is running on, and the MySQL username and password for the MySQL account that your PHP code is supposed to use. There are tons of resources on the web for writing PHP code that accesses MySQL, so you'll find much more and better information in other places than what you'll find in the Adobe AIR forums.
    However, maybe you want to have the MySQL server running directly on the user's computer rather than on a web server somewhere. In that case you would have a few options:
    Run a web server and application server (e.g. Apache and PHP) on the user's computer and use those to connect between the AIR application and the MySQL server.
    Write Java code to communicate between the MySQL server and the AIR app, and call that code using Merapi (http://merapiproject.net/)
    Run the MySQL server on the user's computer and call the server directly from AIR using ActionScript. While there is no built-in support for MySQL in AIR, there is a third-party (open source) library for calling MySQL directly from ActionScript available here: http://code.google.com/p/assql/. I haven't tested it so I have no idea how complete it is, but it's a solution to consider.
    However, in all three cases you're depending on some external pieces that have to be installed and loaded separate from your AIR application. (For instance, most users probably don't want a MySQL server running on their computer all the time if they aren't using your AIR app all the time -- so you'd want a way to start and stop the server, which also couldn't be done directly in AIR.) People do write applications that use external resources like this, but it's not the easiest thing to implement.
    If you're really wanting to run the database locally, the best solution (assuming it works for your needs) is to use AIR's built in local SQL database engine (based on SQLite). If you've looked at that option already, and found that it doesn't work for you, I'd be interested to know more about what you're trying to accomplish that you can't accomplish with the AIR local database.

  • One-time import from external database - best practices/guidance

    Hi everyone,
    I was wondering if there was any sort of best practice or guideline on importing content into CQ5 from an external data source.  For example, I'm working on a site that will have a one-time import of existing content.  This content lives in an external database, in a custom schema from a home-grown CMS.  This importer will be run once - it'll connect to the external database, query for existing pages, and create new nodes in CQ5 - and it won't be needed again.
    I've been reading up a bit about connecting external databases to CQ (specifically this:http://dev.day.com/content/kb/home/cq5/Development/HowToConfigureSlingDatasource.html), as well as the Feed Importer and Site Importer tools in CQ, but none of it really seems to apply to what I'm doing.  I was wondering if there exists any sort of guidelines for this kind of process.  It seems like something like this would be fairly common, and a requirement in any basic site setup.  For example:
    Would I write this as a standalone application that gets executed from the command-line?  If so, how do I integrate that app with all of the OSGi services on the server?  Or,
    Do I write it as an OSGi module, or a servlet?  If so, how would you kick off the process? Do I create a jsp that posts to a servlet?
    Any docs or writeups that anyone has would be really helpful.
    Thanks,
    Matt

    Matt,
    the vault file format is just an XML representation of what's in the repository and the same as the package format. In fact, if you work on your projects with Eclipse and Maven instead of CRXDE Lite to do your work, you will become quite used to that format throughout your project.
    Ruben

  • What's 'best-practice' with external hard drives?

    Hello folks,
    I just got myself a 500GB LaCie d2 'Quadra' hard drive, and it works great - just as I was led to expect. Now I've connected it to my iMac with a FW400 cable. I've a few questions regarding general usage and 'best practice' when using an external hard drive like this:
    1. Do I need to disconnect it (pull out the cable from my iMac) every time I Shutdown - and reconnect on Startup? Or can I leave it in and pretty much just forget about it?
    2. Can I turn it 'on' and 'off' any number of times (using the on/off switch on the back) when working on the iMac? I might like to switch it off if I'm not using it for an extended period of time while still working on the computer. Is this okay?
    3. When I'm not using the drive and the drive switch is 'off', can the drive still remain connected to 'mains' power? Or is it necessary to disconnect it from the 'mains' entirely?
    4. I understand it's best to disconnect when 'Repairing Permissions'? Can this be confirmed?
    Thanks so much.
    Cheers!
    Steve.

    1. Do I need to disconnect it (pull out the cable from my iMac) every time I Shutdown - and reconnect on Startup? Or can I leave it in and pretty much just forget about it?
    What I do is shut down my Mac, leaving it connected to the mains: the external HD, external speakers and other peripherals are all connected to a mains switch and I turn these off. There's no need to disconnect the cable: some disks spin down when the computer is shut down, some don't. It probably wouldn't hurt to leave it spinning anyway, though I prefer to shut it off at the mains. Incidentally I shouldn't disconnect the computer from the mains when you shut down: doing this will run down the PRAM battery and hasten the day it needs replacing, which is expensive.
    2. Can I turn it 'on' and 'off' any number of times (using the on/off switch on the back) when working on the iMac? I might like to switch it off if I'm not using it for an extended period of time while still working on the computer. Is this okay?
    I shouldn't do this: the most strain on a hard disk is when it is starting up, not when it is running: I should leave it running all the time the Mac is on. If you do switch it off, make sure to unmount it first (drag it to the trash) otherwise you will have all sorts of problems.
    3. When I'm not using the drive and the drive switch is 'off', can the drive still remain connected to 'mains' power? Or is it necessary to disconnect it from the 'mains' entirely?
    No: I see no problem in leaving it plugged in to the mains: the 'off' switch disconnects it anyway.
    4. I understand it's best to disconnect when 'Repairing Permissions'? Can this be confirmed?
    I've never heard this, and I can't see that there's any necessity: the repairing process will be confined to the disk you have nominated to work on in any case.
