Name resolution does not update addresses in Identity Manager.

  • 3570641
  • 24-Sep-2007
  • 26-Apr-2012

Environment


Novell NetWare 6.5
Novell SUSE Linux Enterprise Server 10
Novell SUSE Linux Enterprise Server 9
Novell Identity Manager - Nsure Identity Manager 2.0
Novell Identity Manager 3.0
Novell Identity Manager 3.5

Situation

When the Identity Manager (IDM) engine connects over the network to a remote system, either to the Remote Loader (RL) or directly to the application, the destination host can be configured using an Internet Protocol (IP) address or a Domain Name Service (DNS) name. In the latter case, if the DNS record changes for some reason, the engine does not connect to the new server until eDirectory itself is restarted. Restarting the driver or unloading other IDM components is not sufficient to make the engine see the changed DNS resolution.

Resolution

By default Java caches resolved DNS names indefinitely, and it has always done so. As a result, for a name to be re-resolved to a new IP address the Java Virtual Machine (JVM) must be reloaded. The JVM is loaded when eDirectory is started, so all of eDirectory must be restarted for the change to take effect. Sun's documentation states that this default was chosen for security reasons, to prevent DNS spoofing from causing other issues.

In response to customer requests, a new option is available in (at least) Java 1.5 and later that lets the administrator configure how long Java caches resolved names. Sun bug# 6247501 discusses this issue and provides a possible resolution:

http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6247501

The caching period can be set either on the command line that loads Java or in the java.security file in the $JRE/lib/security directory. On a Linux server running eDirectory 8.8.1 that file is located by default in /opt/novell/eDirectory/lib/nds-modules/jre/lib/security. With IDM 3.5, line 181 of that file already contains:

#networkaddress.cache.ttl=-1

Uncommenting the line and changing the value at the end to 0 instructs Java not to cache DNS names at all:

networkaddress.cache.ttl=0

The value can also be set to any other integer, representing the number of seconds to cache the IP address associated with a DNS name. Restarting eDirectory is required for this change to take effect.
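The file edit described above, scripted as an added example (not part of this TID or of the Novell product): it uncomments or rewrites the networkaddress.cache.ttl line in java.security, rejects values Java would not accept, and reports the value Java will read on the next eDirectory start. The default file path is the one given above for eDirectory 8.8.1; the function names are this example's own.

```shell
# Default is the eDirectory-bundled JRE file named in the TID; override with $1.
JAVA_SECURITY_FILE="${1:-/opt/novell/eDirectory/lib/nds-modules/jre/lib/security/java.security}"

# Print the TTL Java will use from this file: the last active (uncommented)
# networkaddress.cache.ttl line, or "default" when the line is still commented
# out (Java then caches forever, as the TID describes).
effective_dns_ttl() {
    file="$1"
    value=$(sed -n 's/^[[:space:]]*networkaddress\.cache\.ttl[[:space:]]*=[[:space:]]*\(-\{0,1\}[0-9]*\).*/\1/p' "$file" | tail -n 1)
    if [ -z "$value" ]; then
        echo "default"
    else
        echo "$value"
    fi
}

# Set networkaddress.cache.ttl=<ttl>: uncomment the shipped "#networkaddress.cache.ttl=-1"
# line, replace an already-active line, or append the property if it is absent.
# -1 = cache forever, 0 = never cache, N = cache for N seconds. A .bak copy is kept.
set_dns_ttl() {
    file="$1"
    ttl="$2"
    case "$ttl" in
        -1|0) ;;
        ''|*[!0-9]*) echo "invalid ttl: $ttl" >&2; return 1 ;;
        *) ;;
    esac
    cp "$file" "$file.bak" || return 1
    if grep -q '^[[:space:]]*#*[[:space:]]*networkaddress\.cache\.ttl[[:space:]]*=' "$file"; then
        # Matches only the property line itself, not networkaddress.cache.negative.ttl
        # or the explanatory comment block above it in the shipped file.
        sed 's/^[[:space:]]*#*[[:space:]]*networkaddress\.cache\.ttl[[:space:]]*=.*/networkaddress.cache.ttl='"$ttl"'/' "$file" > "$file.tmp" \
            && mv "$file.tmp" "$file"
    else
        printf 'networkaddress.cache.ttl=%s\n' "$ttl" >> "$file"
    fi
}

# Example invocation; skipped when the file is absent (e.g. on a non-eDirectory host).
if [ -f "$JAVA_SECURITY_FILE" ]; then
    echo "before: $(effective_dns_ttl "$JAVA_SECURITY_FILE")"
    set_dns_ttl "$JAVA_SECURITY_FILE" 0
    echo "after:  $(effective_dns_ttl "$JAVA_SECURITY_FILE") (restart eDirectory to apply)"
fi
```

Run it as root on the eDirectory host and restart eDirectory afterwards, as the TID requires, for the new TTL to take effect.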


There are also programmatic ways of setting this within an application, though none of them apply to IDM directly.