2.2 Prerequisites

IMPORTANT: Check the currently installed NetIQ and third-party applications to determine whether those products are supported on eDirectory 9.2 before upgrading your existing eDirectory environment. The prerequisites for other NetIQ products can be found on the NetIQ Documentation site. We also recommend that you back up an eDirectory instance before performing any upgrades on that instance.

  • Ensure that you install the following RPMs based on your operating system:

    • RHEL 8.x and RHEL 9: dnf-utils and createrepo

      Execute the following steps to install the RHEL 8.x RPMs:

      1. Install the createrepo and yum-utils packages:

        yum install createrepo yum-utils

      2. Install the following libraries required by eDirectory:

        yum install libgcc*.i686 libncurses*

      3. Open the SELinux configuration file /etc/selinux/config and set SELinux to permissive mode as follows:

        SELINUX=permissive

    • RHEL Minimal Versions: ncurses, libxcrypt-compat, iproute, initscripts, procps, and net-tools.

    • SLES: Zypper

  • If upgrading the RHEL OS fails on a server where eDirectory is installed, follow these steps as a workaround:

    • Before the RHEL OS upgrade, remove the novell-NLDAPsdk package with the following command:

      rpm -e --nodeps novell-NLDAPsdk

    • Upgrade the RHEL OS from 8.6 to 9.0.

    • After the OS upgrade, reinstall the package with the following command:

      rpm -ivh ./novell-NLDAPsdk*

    • Restart the eDirectory service.

  • If SELinux is set to Enforcing, execute the following steps to install eDirectory:

    1. Download and untar the eDirectory build.

    2. To install the eDirectory packages, run ./nds-install, located at <untarred location of eDirectory>/eDirectory/setup.

    3. Before configuring the tree, create a data directory in the default eDirectory DIB location, /var/opt/novell/eDirectory.

      The DIB location will then be /var/opt/novell/eDirectory/data.

      (For a custom location, provide the custom path instead, for example /home/edirectory/data.)

    4. Run the following commands:

      • touch /var/opt/novell/eDirectory/data/ndsd.pid

      • semanage fcontext -a -t var_run_t '/var/opt/novell/eDirectory/data/ndsd.pid'

      • restorecon -v '/var/opt/novell/eDirectory/data/ndsd.pid'

    5. Now configure the tree using the ndsconfig new command.

  • (Conditional) Novell International Cryptographic Infrastructure (NICI) 3.2 and eDirectory 9.2 support key sizes up to 8192 bits. If you want to use an 8 KB key size, every server must be upgraded to eDirectory 9.2. In addition, every workstation using the management utilities, for example iManager, must have NICI 3.2 installed on it.

    When you upgrade your Certificate Authority (CA) server to eDirectory 9.2, the key size does not change; it remains 2 K. The only way to create an 8 K key is to recreate the CA on an eDirectory 9.2 server. In addition, you must change the key size from the default of 2 K to 8 K during the CA creation.

    When you install eDirectory, the nds-install utility automatically installs NICI. For more information about installing eDirectory, see Using the nds-install Utility to Install eDirectory Components. However, if you need to install only NICI, and not eDirectory itself, on a workstation that has the management utilities installed, you must install NICI manually. For more information about manually installing NICI, see Installing NICI.

  • Ensure that you obtain a 168-bit 3DES tree key for your eDirectory servers.

  • (Conditional) Service Location Protocol (SLP) should be installed and configured only if you plan to use SLP to resolve tree names when DNS is not available.

    With eDirectory 9.2, SLP does not get installed as part of the eDirectory installation.

    Only a root user can install SLP.

    For more information on installing SLP, refer to Using SLP with eDirectory.

  • The Linux host must be enabled for multicast routing.

    To check if the host is enabled for multicast routing, enter the following command:

    /bin/netstat -nr

    The following entry should be present in the routing table:

    224.0.0.0 0.0.0.0

    If the entry is not present, log in as root and enter the following command to enable multicast routing:

    route add -net 224.0.0.0 netmask 240.0.0.0 dev interface

    The interface could be a value such as eth0, hme0, hme1, or hme2, depending on the NIC that is installed and used.

    For more information on multicast and broadcast routes, refer to the OpenSLP Web site.

  • Network server time must be synchronized.

    Use the Network Time Protocol (NTP) to synchronize time across all network servers.

  • (Conditional) If you are installing a secondary server, all the replicas in the partition that you install the product on should be in the On state.

  • (Conditional) If you are installing a secondary server into an existing tree as a non-administrator user, create a container and then partition it. Ensure that you have the following rights:

    • Supervisor rights to this partition.

    • All Attributes rights: read, compare, and write rights over the W0.KAP.Security object.

    • Entry rights: browse rights over the Security container object.

    • All Attributes rights: read and compare rights over the Security container object.

    • (Conditional) If the W1.KAP.Security object exists, all attributes rights: read, compare, and write rights over this object. For more information about the W1.KAP.Security object, see Creating an AES 256-Bit Tree Key in the NICI Administration Guide.

  • (Conditional) If you are installing a secondary server into an existing tree as a non-administrator user, ensure that at least one server in the tree has the same or a higher eDirectory version than the secondary server being added as container admin. If the secondary server being added is of a later version, the tree administrator must extend the schema before the secondary server is added as container admin.

  • While configuring eDirectory, you must enable SLP services and a NetWare Core Protocol (NCP) port (the default is 524) in the firewall to allow the secondary server addition. Additionally, you can enable the following service ports based on your requirements:

    • LDAP clear text - 389

    • LDAP secured - 636

    • HTTP clear text - 8028

    • HTTP secured - 8030

    If you have enabled user-defined ports, you must specify those ports while configuring eDirectory.

    NOTE: This step is required only if you have SLP configured in your system.

  • Do not set the user-defined ports to 8008 or 8010 while upgrading eDirectory 8.8 SP8 or later versions to 9.2. If the ports are set to 8008 or 8010, ndsconfig assumes that the server is a pre-eDirectory 8.8.x server and automatically resets them to 8028 and 8030 respectively.

  • During eDirectory upgrade, if SecretStore has not already been configured with the previous versions, or you do not want to configure SecretStore, use the -m no_ss option with the nds-install utility.

  • If you do not have the latest Platform Agent (PA) installed while upgrading to eDirectory 9.2, install it from the novell-AUDTplatformagent-2.0.2-80.x86_64.rpm file located in <eDirectory build extracted folder>/eDirectory/setup/.

  • The NetIQ eDirectory Management Toolbox (eMBox) lets you access all of the eDirectory back-end utilities remotely, as well as on the server. The command line client is a Java application. To run it, you must install the latest version of Oracle Java (1.8 or above). Also upgrade any older version of Java by installing the available patch updates. Once you have the latest version of Java installed, export one of the following environment variables:

    • EDIR_JAVA_HOME

    • JAVA_HOME

    • JRE_HOME

      NOTE:

      • If none of the above environment variables is set, the command line client searches for the Java binary in the default PATH environment variable.

      • If you are using a version earlier than eDirectory 9.0 SP4, to run the command line client you must have access to the Java Runtime Environment (Oracle Java 1.8) that is installed with eDirectory.

  • (Optional) From eDirectory 9.2.8 onwards, JRE 11 compatible packages are bundled under the jre11 directory. To upgrade the eDirectory RPMs to JRE 11, execute the following steps:

    • Locate the JRE 11 RPM files at <untarred location of eDirectory>/eDirectory/setup/jre11 and install all the RPMs using rpm -Uvh --force <rpm file>.

      For example: rpm -Uvh --force novell-eba-9.2.8.0000.x86_64.rpm

    • Restart the NDS services.

    NOTE: Installing IDM 487 will upgrade the Java dependent packages in eDirectory from JRE 8 to JRE 11.
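The multicast routing prerequisite above tells you to look for a 224.0.0.0 entry in the output of /bin/netstat -nr and to add the route when it is absent. The following script is an added example and is not part of the NetIQ documentation: it parses a routing table in the netstat -nr column layout, reports whether the multicast route is present, and prints the route add command only when it is missing. The interface name (eth0 by default) and the sample routing tables are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the NetIQ documentation: detect whether the
# 224.0.0.0 multicast route that SLP relies on is present, and only emit
# the "route add" command (for an interface name you supply) when it is not.

# Return 0 if the `/bin/netstat -nr` output read from stdin contains a
# route whose Destination column is 224.0.0.0, 1 otherwise.
has_multicast_route() {
    awk '$1 == "224.0.0.0" { found = 1 }
         END { if (found) exit 0; exit 1 }'
}

# Print the command the documentation gives for adding the route on
# interface $1 (the interface name is an assumption; eth0 is the default).
multicast_route_cmd() {
    printf 'route add -net 224.0.0.0 netmask 240.0.0.0 dev %s\n' "$1"
}

# Read a routing table from stdin; report, and return 1 when the route
# is missing so a preflight script can stop before ndsconfig runs.
check_multicast() {
    iface="${1:-eth0}"
    if has_multicast_route; then
        echo "multicast route 224.0.0.0 present"
        return 0
    fi
    echo "multicast route 224.0.0.0 missing; as root, run:"
    multicast_route_cmd "$iface"
    return 1
}

# Constructed sample tables in the `netstat -nr` layout (192.0.2.0/24 is a
# documentation-only network); the second one lacks the multicast entry.
SAMPLE_WITH_ROUTE='Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         192.0.2.1       0.0.0.0         UG        0 0          0 eth0
192.0.2.0       0.0.0.0         255.255.255.0   U         0 0          0 eth0
224.0.0.0       0.0.0.0         240.0.0.0       U         0 0          0 eth0'

SAMPLE_WITHOUT_ROUTE='Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         192.0.2.1       0.0.0.0         UG        0 0          0 eth0
192.0.2.0       0.0.0.0         255.255.255.0   U         0 0          0 eth0'

# Usage: ./check_mcast.sh --live [iface]   inspect this host's routing table
#        ./check_mcast.sh --demo           run against the constructed samples
case "${1:-}" in
    --live) /bin/netstat -nr | check_multicast "${2:-eth0}" ;;
    --demo)
        printf '%s\n' "$SAMPLE_WITH_ROUTE"    | check_multicast eth0
        printf '%s\n' "$SAMPLE_WITHOUT_ROUTE" | check_multicast eth0 || true
        ;;
esac
```

The parser keys on the Destination column of netstat -nr, as the documentation does; on hosts where only ip route is available the same route prints as 224.0.0.0/4, so the match would need to be adapted. The script never modifies the routing table itself; it prints the command for the administrator to run as root.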

RPM Signing: Public Key to validate the signature

Use the following steps to perform the RPM signature verification before installing the eDirectory components on Linux systems, for eDirectory 9.2.7 and later:

  1. Navigate to the following location for the public key:

    <untarred location of eDirectory>/eDirectory/license/MicroFocusGPGPackageSign.pub

    (Optional) While installing eDirectory 9.2.8 for the first time, the MicroFocusGPGPackageSign.pub can be downloaded from SLD: Patch PH_210777 (GPGPackageSign).

  2. Run the following command to import the Public Key:

    rpm --import MicroFocusGPGPackageSign.pub

  3. (Optional) Run the following command to verify the RPM signature:

    rpm --checksig -v <RPM Name>

    For Example:

    rpm --checksig -v novell-NDSbase-9.2.x.0000.x86_64.rpm
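The verification step above shows the rpm --checksig -v command but not how to act on its result. The following script is an added example and is not part of the NetIQ documentation: it reads the verbose checksig output and accepts a package only when a signature line verified OK, so that a package that is unsigned, or whose signing key was never imported in step 2 (rpm reports NOKEY), is rejected even though every digest line reads OK. The sample outputs are constructed in the layout rpm prints, and the key ID 0123abcd in them is made up, not the Micro Focus signing key.

```shell
#!/bin/sh
# Added example, not part of the NetIQ documentation: accept an RPM only
# when `rpm --checksig -v` reports a signature that verified OK against an
# imported key. The digest lines alone ("Header SHA256 digest: OK",
# "Payload SHA256 digest: OK") only prove the file is self-consistent; an
# unsigned package, or one whose signing key was never imported (NOKEY),
# still shows every digest as OK.

# Read `rpm --checksig -v` output from stdin. Return 0 only when at least
# one "Signature" line ends in ": OK" and every other detail line also ends
# in ": OK" (so NOKEY, NOTTRUSTED and BAD results all cause rejection).
signature_verified() {
    awk '
        /^[^ ]/ || /^ *$/        { next }          # "pkg.rpm:" header, blanks
        /Signature/ && /: OK$/   { sigs++; next }  # a signature that verified
        /: OK$/                  { next }          # digest lines that verified
                                 { bad++ }         # anything else is a failure
        END { if (sigs > 0 && bad == 0) exit 0; exit 1 }'
}

# Verify one package file; return non-zero so an install script stops.
verify_rpm() {
    if rpm --checksig -v "$1" | signature_verified; then
        echo "$1: signature OK"
    else
        echo "$1: REJECTED (unsigned, key not imported, or bad signature)" >&2
        return 1
    fi
}

# Constructed sample outputs in the `rpm --checksig -v` layout. The key ID
# 0123abcd is made up for the example, not the Micro Focus signing key.
SIGNED_OK='novell-NDSbase-9.2.x.0000.x86_64.rpm:
    Header V4 RSA/SHA256 Signature, key ID 0123abcd: OK
    Header SHA256 digest: OK
    Payload SHA256 digest: OK
    V4 RSA/SHA256 Signature, key ID 0123abcd: OK
    MD5 digest: OK'

# The same package checked before `rpm --import MicroFocusGPGPackageSign.pub`.
KEY_NOT_IMPORTED='novell-NDSbase-9.2.x.0000.x86_64.rpm:
    Header V4 RSA/SHA256 Signature, key ID 0123abcd: NOKEY
    Header SHA256 digest: OK
    Payload SHA256 digest: OK
    V4 RSA/SHA256 Signature, key ID 0123abcd: NOKEY
    MD5 digest: OK'

# An unsigned package: every digest verifies, but there is no signature.
UNSIGNED='novell-NDSbase-9.2.x.0000.x86_64.rpm:
    Header SHA256 digest: OK
    Payload SHA256 digest: OK
    MD5 digest: OK'

# Usage: ./verify_edir_rpms.sh <rpm file>...   (run after step 2 above)
for pkg in "$@"; do
    verify_rpm "$pkg" || exit 1
done
```

Run it over every RPM in the setup directory before nds-install, after the public key has been imported; a non-zero exit from verify_rpm means the package should not be installed until the mismatch is explained.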

NOTE: eDirectory 9.2.7 and above can be installed on a FIPS enabled OS with the supported versions of RHEL 8.0 and above, SLES 12 SP5 and SLES 15.0.

Configuring Static IP Address

A static IP address must be configured on the server for eDirectory to perform efficiently. Configuring eDirectory on servers with a DHCP-assigned address can lead to unpredictable results.