Section 26.1.1, Troubleshooting a Windows Administration Console Installation
Section 26.1.2, Secondary Administration Console Installation Fails
Section 26.1.3, Troubleshooting an Identity Server Import and Installation
Section 26.1.4, Troubleshooting the Windows Access Gateway Service Installation
Section 26.1.5, Access Gateway Appliance Installation Fails Due to an XML Parser Error
Section 26.1.7, Troubleshooting the Uninstall of the Access Gateway Service
Section 26.1.8, Troubleshooting the Uninstall of the Windows Identity Server
Section 26.1.9, Installing RHEL on the Administration Console Fails if IPv6 is Disabled
The following instructions explain how to run the installation program in debug mode and how to clean up after such an installation.
Use the following command to start the installation program:
<filename>.exe -DAM_INSTALL_DEBUG=true -DAM_INSTALL_DEBUG_JAVA=true
Replace <filename> with the name of the executable.
Press the Ctrl key until the progress bar reaches 100% and goes away.
A terminal window opens to display standard output.
Additional verbose information is sent to the \am32setup_debug.txt file.
Use the output and the log file to discover the cause of the problem.
After you run the installation in debug mode, you must clean up the results:
Delete the temporary packages in the \pkgdirs directory, then delete the directory.
Delete the \am32setup_debug.txt file.
Delete the installation log files in the following directories:
Windows 2008 Server: \am32setup.log
Windows 2008 Server: \Program Files (x86)\Novell\log
IMPORTANT:You need to delete the log files because they contain sensitive information in clear text.
The secondary Administration Console installation fails with a message “'Verifying time synchronization”. If you are installing the secondary Admin Console, ensure that time is in sync with the primary Admin console, prior to installation.
If the time is in sync and the secondary Administration Console installation fails or takes a long time, see the eDirectory install logs under /tmp/novell_access_manager. The log file name will be similar to install_edir_xxxxxx. If at the end of the log you see an entry “Verifying time synchronization” multiple times, you should repair the eDirectory. To repair the eDirectory:
Log in to the primary Administration Console and execute the ndsrepair -T command.
The replica servers and their time sync status is displayed.
Execute the ndsrepair -N command and select the server which has the problem.
Log in to the secondary Administration Console and you can see that the installation has proceeded. You need not to re-run the installer.
Check for the following problems if you have installed your Administration Console on one machine and the Identity Server on another machine:
Is the firewall enabled on the Administration Console or the Identity Server?
The firewall needs to have the following ports opened between the machines so that the Identity Server can import into the Administration Console:
The Identity Server firewall also needs to have ports 8080 and 8443 open between the server and the clients in order for the clients to log into the Identity Server. For more information about firewalls and ports, see Setting Up Firewalls in the NetIQ Access Manager 4.1 Installation and Upgrade Guide.
Time needs to be synchronized between the two machines. Make sure that both machines have been configured to use a Network Time Protocol server.
If firewalls and time synchronization do not solve the problem, run the reimport script. See Reimporting the Identity Server for instructions.
Verify that the Administration Console is up by logging into the Administration Console from a Web browser.
Verify that you can communicate with the Administration Console. From the command line of the Identity Server machine, enter a ping command with the IP address of the Administration Console.
If the ping command is unsuccessful, fix the network communication problem before continuing.
In the Administration Console, delete the Identity Server.
For more information about how to delete the Identity Server in the Administration Console, see Section 4.1, Identity Server Advance Configuration.
On the Identity Server machine, change to the jcc directory:
Linux: /opt/novell/devman/jcc
Windows: \Program Files\Novell\devman\jcc
Run the reimport script for jcc:
Linux: ./conf/reimport_nidp.sh jcc
Windows: conf\reimport_nidp.bat jcc
Run the reimport script for the Administration Console:
Linux: ./conf/reimport_nidp.sh nidp
Windows: conf\reimport_nidp.bat nidp <admin>
Replace <admin> with the name of your administrator for the Administration Console.
If these steps do not work, reinstall the device.
If the Identity Server fails to install, check the installation logs.
The installation logs are located in the /tmp/novell_access_manager directory. The following log files should contain useful content. Check them for warning and error messages.
Table 26-1 Installation Log Files for the Linux Identity Server
|
Log File |
Description |
|---|---|
|
inst_nids_<date&time>.log |
Contains the messages generated for the Identity Server module. |
|
inst_main_<date&time>.log |
Contains the Tomcat messages generated during the installation. |
|
inst_jcc_<date&time>.log |
Contains the messages generated for the communications module. |
|
inst_audit_<date&time>.log |
Contains the messages generated for the Novell auditing components. |
|
inst_devman_<date&time>.log |
Contains the messages generated for the interaction between the Identity Server and the Administration Console. |
The installation logs are located in the \Program Files\Novell\Tomcat\webapps \nps\WEB-INF\logs\install directory. The following log files should contain useful content. Check them for warning and error messages.
Table 26-2 Installation Log Files for the Windows Identity Server
|
Log File |
Description |
|---|---|
|
basejar_InstallLog.log |
Contains the messages generated when installing the Identity Server JAR files. |
|
base_InstallLog.log |
Contains the messages generated during the installation of the Identity Server. |
|
nauditjar_InstallLog.log |
Contains the messages generated when installing the Novell Audit JAR files. |
|
nauditjar_InstallLog.log |
Contains the messages generated for the Novell auditing components. |
|
NIDS_Pluginjar_InstallLog.log |
Contains the messages generated when installing the Identity Server plug-in JAR. |
|
NIDS_Plugin_InstallLog.log |
Contains the messages for the plug-in component. |
|
NMASjar_InstallLog.log |
Contains the messages generated when installing the NMAS JAR files. |
|
NMAS_InstallLog.log |
Contains the messages for the NMAS component. |
The following instructions explain how to run the installation program in debug mode and how to clean up after such an installation.
Use the following command to start the installation program:
<filename>.exe -DAM_INSTALL_DEBUG=true -DAM_INSTALL_DEBUG_JAVA=true
Replace <filename> with the name of the executable.
Press the Ctrl key until the progress bar reaches 100% and goes away.
A terminal window opens to display standard output.
Additional verbose information is sent to the \agsinstall_debug.txt file.
Use the output and the log file to discover the cause of the problem.
After you run the installation in debug mode, you must clean up the results:
Delete the \agsinstall_debug.txt file.
Delete the installation log files in the following directories:
Windows 2008 Server: \agsinstall.log
Windows 2008 Server: \Program Files (x86)\Novell\log
IMPORTANT:You need to delete the log files because they contain sensitive information in clear text.
This error may happen if the Appliance is installed by using a remotely mounted installer. Use a locally mounted installer to avoid this issue.
When you install the Access Gateway, it should automatically be imported into the Administration Console you specified during installation. If the Access Gateway does not appear in the server list, you need to repair the import.
If the repair option does not correct the problem, the following sections explain what should happen and how you can discover what went wrong. This information can be used to accurately report the problem to NetIQ Support.
If the Access Gateway does not appear in the Administration Console within ten minutes of installing an Access Gateway, complete the following steps:
If a firewall separates the Administration Console and the Access Gateway, make sure the correct ports are opened. See When a Firewall Separates the Administration Console from a Component in the NetIQ Access Manager 4.1 Installation and Upgrade Guide
In the Administration Console, click Devices > Access Gateways.
Wait a few minutes, then click Refresh.
Look for a failed import message.
If the device starts an import but fails to finish, a message similar to the following appears at the bottom of the table:
Server gateway-<name> is currently importing. If it has been several minutes after installation, click repair import to fix it.
Click repair import.
If the device still does not appear or you do not receive a repair import message, continue with Triggering an Import Retry.
If triggering an import retry does not solve the problem, reinstall the device.
If a step in the import process does not complete successfully, the device does not show up in the Access Gateway list. The sections below describe the import process, where to find the log files, and how to use them to determine where the failure occurred so you can accurately report the problem.
The following operations are performed during the import process:
A user specifies the IP address for the Administration Console during installation.
A Java process called “JCC” (Java Communication Channel) detects that the Administration Console IP address/port has changed between its own configuration and the CLI-updated settings.
An import message is sent to Administration Console, notifying it of the IP, port, and ID of the Access Gateway device.
The Administration Console then connects to the Access Gateway device, asking for its configuration and version information. The Access Gateway portion of the import process is now complete.
As a separate asynchronous operation, the Embedded Service Provider (ESP) of the Access Gateway connects and registers itself with the JCC.
When the ESP connects to the JCC, a similar import message is sent to the Administration Console notifying it to import into the system.
The Administration Console connects to the JCC, asking for the ESP configuration and version information. On the Administration Console, an LDIF (Lightweight Directory Interchange Format) file containing the default configuration for the ESP is applied on the local eDirectory configuration store.
The Administration Console then makes a link between the ESP and its configuration.
If the entire process completed properly, the Access Gateway device appears in the list of Access Gateways in the Administration Console.
Various Access Manager components produce log files. You use the following logs on either the Administration Console or the Access Gateway.
Administration Console log:
Linux: /opt/novell/devman/share/logs/app_sc.0.log
Windows Server 2008: \Program Files (x86)\Novell\log\app_sc.0.log
Tomcat Log on the Administration Console:
Linux: /opt/novell/nam/device name/logs/catalina.out
The device name can be idp, mag, or adminconsole.
Windows Server 2008: \Program Files (x86)\Novell\Tomcat\logs\stdout.log and \Program Files (x86)\Novell\Tomcat\logs\stderr.log
JCC log on the Access Gateway:
Linux Appliance or Service: /opt/novell/devman/jcc/logs/
Windows Service: \Program Files\Novell\devman\jcc\logs
Go to the directory /opt/novell/devman/jcc/
cd /opt/novell/devman/jcc/
Run the sh conf/reimport_ags.sh jcc script and enter the details against the following prompts:
Choose a local listener IP address [x.x.x.x]:
(Optional) Choose a local NAT IP address [optional]:
Choose Administration Console’s IP address []:
Enter Admin User’s DN [cn=admin,o=novell]:
Enter Admin Password: *****
Wait for a few minutes for the configuration to finish.
Run the sh conf/reimport_ags.sh agm script and enter details against the following prompts:
Do you want to import the device with current configuration or initial configuration after installation (Enter C for current configuration, I for initial configuration).
Enter Admin User’s DN [cn=admin,o=novell]:
Enter Admin password:
When you uninstall an Access Gateway, the uninstall program prompts you for the credentials of the admin user for the Administration Console. If the primary Administration Console is not available for the authentication request, the uninstall fails.
To force the uninstall program to skip the authentication request, enter the following command:
/opt/novell/accessgateway/removeAccessGateway -DAM_INSTALL_AUTH_BYPASS=true
\Program Files\Novell\UninstallData\remove_AccessGateway.exe -DAM_INSTALL_AUTH_ BYPASS=true
When you uninstall a Windows Identity Server, the uninstall program prompts you for the credentials of the admin user for the Administration Console. If the primary Administration Console is not available for the authentication request, the uninstall fails.
To force the uninstall program to skip the authentication request, enter the following command:
\Program Files\Novell\Uninstall_AccessManagerServer\UninstallAccessManagerServer. exe -DAM_INSTALL_AUTH_BYPASS=true
By default IPv6 is enabled on RHEL 6.4. When IPv6 is partially disabled, eDirectory installation fails. You can disable IPv6 by adding the below entries to /etc/sysctl.conf file:
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
Use the lsmod | grep ipv6 command to verify if some of the IPv6 modules are still running. If this command returns any output, proceed with the installation only after disabling it.