To convert a secondary Access Manager Appliance into a primary Access Manager Appliance, a recent backup of the Access Manager Appliance configuration must be available. For information about how to perform a backup, see Section 30.2, Backing Up the Access Manager Appliance Configuration. The backup is required to restore the certificate authority (CA).
If the failed server holds a master replica of any partition, you must use ndsrepair to designate a new master replica on a different server in the replica list.
This conversion includes the following tasks:
If your primary Access Manager Appliance is running, you must log in as an administrator and shut down the service.
Start YaST, click System > System Services (Runlevel), and then select to stop the ndsd service.
Moving the master replica to the new primary Access Manager Appliance makes that Access Manager Appliance the certificate authority for Access Manager. First designate the replica on the new primary Access Manager Appliance as the master replica, then remove the old primary Access Manager Appliance from the replica ring.
At the secondary Access Manager Appliance, log in as root.
Change to the /opt/novell/eDirectory/bin directory.
Run ndsrepair (DSRepair) with the following options:
./ndsrepair -P -Ad
Select the one available replica.
Select Designate this server as the new master replica.
Type I Agree when prompted.
Specify the DN of the admin user in leading dot notation. For example:
.admin.novell
Run ndsrepair -P -Ad again.
Select the one available replica.
Select View replica ring.
Select the name of the failed primary server.
Select Remove this server from replica ring.
Specify the DN of the admin user in leading dot notation. For example:
.admin.novell
Specify the password.
Type I Agree when prompted.
Continue with Restoring CA Certificates.
Perform the following steps on the machine that you are promoting to be the primary Appliance.
Copy your most recent Access Manager Appliance backup files to your new primary Access Manager Appliance.
Change to the backup bin directory:
/opt/novell/devman/bin
Verify the IP address in the backup parameter file. The IP_Address parameter value must be the IP address of the new primary Administration Console.
Open the backup file:
defbkparm.sh
Verify that the value in the IP_Address parameter is the IP address of your new primary console.
Save the file.
Run the certificate restore script:
sh aminst-certs.sh
When prompted, specify the administrator's password and the location of the backup files.
Continue with Verifying the vcdn.conf File.
Verify whether the vcdn.conf file contains the IP address of the new Administration Console. If it contains the IP address of the failed primary Administration Console, replace it with the new IP address.
IMPORTANT: Delete the line <vcdnPrimaryAddress><Failed Primary Administration Console IP address></vcdnPrimaryAddress> from the vcdn.conf file.
For example, delete <vcdnPrimaryAddress>10.10.10.11</vcdnPrimaryAddress> where 10.10.10.11 is the IP address of the failed primary administration console.
Change to the Appliance configuration directory:
/opt/novell/devman/share/conf
Run the following command in the command line interface to restart Access Manager Appliance:
/etc/init.d/novell-ac restart OR rcnovell-ac restart
Continue with Deleting Objects from the eDirectory Configuration Store.
Objects representing the failed primary Access Manager Appliance in the configuration store must be deleted.
Log in to the new Administration Console, then click Access Gateways.
If the failed primary Appliance's Access Gateway is the primary server (has the red icon next to it), then change the primary Access Gateway server.
Click [Access Gateway cluster name] > Edit.
Select a different primary Access Gateway > click OK > click Close.
Ignore any trust store related warnings.
Click Update All.
Wait until the status becomes Current for all servers except the failed primary Appliance.
Click Troubleshooting.
In the Other Known Device Manager Servers section, select the old primary Access Manager Appliance, then click Remove.
Remove traces of the failed primary Access Manager Appliance from the configuration datastore:
In the Access Manager menu bar, select View Objects.
In the Tree view, select novell.
Delete all objects that reference the failed primary Access Manager Appliance.
You should find the following types of objects:
SAS Service object with the hostname of the failed primary console
Any object that starts with the last octet of the IP address of the failed primary console
LDAP server object with the hostname of the failed primary console
LDAP group object with the hostname of the failed primary console
SNMP Group object with the hostname of the failed primary console
HTTP Server object with the hostname of the failed primary console
DNS AG object with the hostname of the failed primary console
DNS EC AG object with the hostname of the failed primary console
DNS IP object with the hostname of the failed primary console
SSL CertificateDNS with the hostname of the failed primary console
SSL EC CertificateDNS with the hostname of the failed primary console
SSL CertificateIP with the hostname of the failed primary console
IP AG object with the hostname of the failed primary console
IP EC AG object with the hostname of the failed primary console
NCP server object with the hostname of the failed primary console
PS object with the hostname of the failed primary console
Continue with Performing Component-Specific Procedures.
If you have installed the following components, perform the cleanup steps for the component:
If you installed a third Appliance used for failover, you must manually perform the following steps on that server:
Open the vcdn.conf file in the following directory:
/opt/novell/devman/share/conf
In the file, look for the line that is similar to the following:
<vcdnPrimaryAddress>10.1.1.1</vcdnPrimaryAddress>
In this line, 10.1.1.1 represents the failed primary Appliance IP address.
Change this IP address to the IP address of the new primary Appliance.
Restart Access Manager Appliance by entering the following command from the command line interface:
/etc/init.d/novell-ac restart OR rcnovell-ac restart
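The vcdn.conf edits in this procedure and in the earlier promotion step (Verifying the vcdn.conf File), as an added shell example that is not NetIQ's own tooling: drop_failed_primary deletes the vcdnPrimaryAddress element naming the failed primary (promoted appliance), repoint_primary rewrites it to the new primary (third failover appliance), and count_refs is the check for leftover references to run before restarting novell-ac. The element layout, the constructed sample file and the IP addresses are assumptions.

```shell
#!/bin/sh
# Added example (not NetIQ's own tooling). Assumes vcdn.conf carries one
# <vcdnPrimaryAddress>IP</vcdnPrimaryAddress> element on its own line.
set -eu

# Escape dots so an IP address is matched literally by sed/grep.
esc_ip() { printf '%s' "$1" | sed 's/\./\\./g'; }

# Succeeds when FILE still names IP inside a vcdnPrimaryAddress element.
has_primary_address() {  # has_primary_address FILE IP
    grep -q "<vcdnPrimaryAddress>$(esc_ip "$2")</vcdnPrimaryAddress>" "$1"
}

# Print how many lines of FILE still mention IP anywhere (leftover references).
count_refs() {  # count_refs FILE IP
    grep -c "$(esc_ip "$2")" "$1" || true
}

# Promoted appliance: delete the element that names the failed primary.
drop_failed_primary() {  # drop_failed_primary FILE FAILED_IP
    has_primary_address "$1" "$2" || return 1
    sed -i "/<vcdnPrimaryAddress>$(esc_ip "$2")<\/vcdnPrimaryAddress>/d" "$1"
    ! has_primary_address "$1" "$2"
}

# Third (failover) appliance: point the element at the new primary instead.
repoint_primary() {  # repoint_primary FILE FAILED_IP NEW_IP
    has_primary_address "$1" "$2" || return 1
    sed -i "s|<vcdnPrimaryAddress>$(esc_ip "$2")</vcdnPrimaryAddress>|<vcdnPrimaryAddress>$3</vcdnPrimaryAddress>|" "$1"
    has_primary_address "$1" "$3"
}

# Constructed sample: 10.10.10.11 is the failed primary, 10.10.10.12 the new one.
tmp=$(mktemp -d)
printf '<vcdn>\n  <vcdnPrimaryAddress>10.10.10.11</vcdnPrimaryAddress>\n  <!-- constructed line -->\n</vcdn>\n' > "$tmp/vcdn.conf"
drop_failed_primary "$tmp/vcdn.conf" 10.10.10.11
echo "lines still mentioning the failed primary: $(count_refs "$tmp/vcdn.conf" 10.10.10.11)"
```

A non-zero count after drop_failed_primary means the file still references the failed console somewhere other than the vcdnPrimaryAddress element and needs the replacement described above.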
For each Access Gateway Service imported into Administration Console, edit the settings.properties file on Access Gateway if the primary Administration Console was not configured as the Audit Server.
If the primary Administration Console was configured as an Audit Server, you must update the old IP address with the IP address of the new primary Administration Console.
At the Access Gateway Service, log in as the root or Administrator user.
Shut down all Access Gateway Services.
/etc/init.d/novell-appliance stop OR rcnovell-appliance stop
(Conditional) If your audit server was on the primary Administration Console, replace the old IP address with the new primary Administration Console IP address:
On the secondary Administration Console Dashboard, click Auditing.
In the Server Listening Address field change the IP address to the secondary Administration Console’s IP address.
Click Apply > OK.
Edit the settings.properties file:
Change to the following directory and open the file:
/opt/novell/devman/jcc/conf
Change the IP address in the remotemgmtip list from the IP address of the failed Appliance to the address of the new primary Appliance.
Save and exit.
At the Access Gateway Service, start all services by entering the following command:
/etc/init.d/novell-appliance start OR rcnovell-appliance start
(Conditional) Repeat this process for each Access Gateway Service that has been imported into Administration Console.
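The two key=value checks in this chapter, the IP_Address value in defbkparm.sh (Restoring CA Certificates) and the remotemgmtip list in settings.properties above, as an added shell example that is not NetIQ's own tooling. The file formats (IP_Address=<ip>; remotemgmtip=<ip>[,<ip>...]), the sample files and the IP addresses are assumptions; whole-address matching is used so that replacing 10.1.1.1 never touches 10.1.1.10.

```shell
#!/bin/sh
# Added example (not NetIQ's own tooling). Assumed formats: defbkparm.sh has a
# line IP_Address=<ip>; settings.properties has remotemgmtip=<ip>[,<ip>...].
set -eu

# Print the value of KEY in a key=value file (first match, whitespace stripped).
kv_value() {  # kv_value FILE KEY
    sed -n "s/^[[:space:]]*$2[[:space:]]*=//p" "$1" | head -n 1 | tr -d '[:space:]'
}

# Succeeds only when the backup parameters name EXPECTED_IP (the new primary).
check_backup_ip() {  # check_backup_ip FILE EXPECTED_IP
    [ "$(kv_value "$1" IP_Address)" = "$2" ]
}

# Swap OLD for NEW in the remotemgmtip list, matching whole addresses only.
# Fails when OLD is not in the list, so a second run reports nothing to do.
replace_remotemgmtip() {  # replace_remotemgmtip FILE OLD NEW
    list=",$(kv_value "$1" remotemgmtip),"
    case "$list" in
        *",$2,"*) ;;
        *) return 1 ;;
    esac
    esc=$(printf '%s' "$2" | sed 's/\./\\./g')
    new=$(printf '%s' "$list" | sed "s/,$esc,/,$3,/g; s/^,//; s/,\$//")
    sed -i "s/^\([[:space:]]*remotemgmtip[[:space:]]*=\).*/\1$new/" "$1"
}

# Constructed sample: 10.10.10.11 failed, 10.10.10.12 is the new primary.
tmp=$(mktemp -d)
printf 'IP_Address=10.10.10.12\n' > "$tmp/defbkparm.sh"
printf 'remotemgmtip=10.10.10.11,10.10.10.13\n' > "$tmp/settings.properties"
check_backup_ip "$tmp/defbkparm.sh" 10.10.10.12
replace_remotemgmtip "$tmp/settings.properties" 10.10.10.11 10.10.10.12
cat "$tmp/settings.properties"
```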