On 10/29/20 12:13 PM, Paul B. Henson wrote:
> Any other suggestions for achieving a separate primary/failover configuration for two different network locations in a fashion that would work properly with the Java kerberos client?
I have no idea if this would work or not. But I would consider DNS views / host entries such that the first name in the list always resolved to the local server and subsequent names resolved to remote servers.
The other thing I might try is to work with the networking team to see if it's possible to have things on an anycast IP to attract clients to the closest server. In the event that the close server has a problem, stop announcing the anycast IP and things will naturally go to the next closest server.
You might be able to achieve similar behavior with something like a load balancer.
I have no idea what sort of protections are in place that might fight this or what would need to be done to overcome it. Possibly having the local and remote instance be a clone of each other so that they seem to be the same entity.
-- Grant. . . . unix || die
________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos