2.4 Installing iChain Services Software

To install a basic iChain infrastructure, complete the following procedures:

2.4.1 Installing the iChain Proxy Services Software

The iChain Proxy Server should only be installed on compatible hardware (see iChain Proxy Server Requirements). To install the proxy server software:

  1. Insert the iChain Proxy Server CD in the CD drive of the appliance or machine.

  2. At the license page, type YES if you accept the agreement, then press Enter.

    During the proxy installation process, the server reboots twice. Do not remove the CD until the proxy prompt is visible, indicating the installation is complete.

    1. After the system reboots the first time, you will hear a series of beeps and the installation will prompt you about whether you want to select custom drivers. If you click Yes, the installation stops in HDetect.nlm and allows you to select the correct drivers for the system in the same manner as the NetWare 6 installation. Because of the iChain imaging process, you will need to do this twice during the installation.

      If you click No (or if no selection is made within 30 seconds from the time of the prompt), iChain automatically detects the drivers as it does in earlier versions of iChain.

      IMPORTANT: When installing iChain 2.3 with custom drivers, remove the CD immediately after the drivers are copied. Otherwise, the installation might hang when the system reboots.

      If you opt to select custom drivers and the wrong drivers are selected, the iChain 2.3 Proxy Server software installation fails. We recommend that you attempt an automatic installation first, and only attempt to select your own drivers if the automatic installation fails.

    2. If the installation does not complete, remove the CD, reboot the server, and delete the C:/rdw file.

  3. Make sure the LAN adapter IP address is configured correctly.

    After installation, the first LAN adapter on the iChain Proxy Server is preconfigured with the IP address 172.16.0.1 and subnet mask 255.255.255.0. To administer the server using the Proxy Administration Tool, you either need a client workstation with an IP address on the same subnet (such as 172.16.0.2) or you need to use the iChain command line interface to set the IP address on the iChain Proxy Server.

    The following commands from the iChain proxy server console configure the first LAN adapter with an IP address of 123.45.67.89 and a subnet mask of 255.255.252.0:

    >unlock
    

    At the Password prompt, press Enter (no password exists yet).

    >set eth0 address = 123.45.67.89/255.255.252.0
    >apply
    

    After resetting the eth0 address, remove the CD, then type restart to restart the server.

    If you are going to configure the iChain Proxy Server from a different segment than the one the iChain Proxy Server is on, you also need to use the following commands to configure the gateway:

    >set gateway nexthop = 123.45.69.254
    >apply
    

After installation, your iChain Proxy Server requires some basic setup to support your iChain implementation, and might require FTP to be enabled. The basic steps are detailed in Chapter 3, “Configuring a Typical Accelerator” in the online Novell iChain 2.3 Administration Guide.

To enable FTP, use the following commands:

>set miniftpserver address = 123.45.67.89
>apply

NOTE: Because FTP is an insecure protocol, enabling FTP can be a security risk on your network. We recommend that you enable the FTP server on an IP address that is only accessible from a private network such as an isolated hub or cross-over cable.
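A pre-flight check for the console lines above, as an added example (not Novell code): it parses the `set` commands and reports values worth reviewing before `apply`. The function names and the two checks (next hop on the eth0 subnet, FTP listener on an RFC 1918 address) are assumptions of this example, not iChain behavior.

```python
import ipaddress
import re

# The console lines from this section, with the page's sample values.
SAMPLE = """\
>set eth0 address = 123.45.67.89/255.255.252.0
>set gateway nexthop = 123.45.69.254
>set miniftpserver address = 123.45.67.89
"""

SET_RE = re.compile(r"^>?\s*set\s+(\S+)\s+(\S+)\s*=\s*(\S+)$", re.IGNORECASE)

def parse(script):
    """Map (object, field) -> value for every 'set <object> <field> = <value>' line."""
    out = {}
    for line in script.splitlines():
        m = SET_RE.match(line.strip())
        if m:
            out[(m.group(1).lower(), m.group(2).lower())] = m.group(3)
    return out

def _addr(settings, key):
    return ipaddress.ip_address(settings[key]) if key in settings else None

def preflight(script):
    """Return (code, message) findings to review before typing 'apply'."""
    s = parse(script)
    try:
        # Accepts address/dotted-mask and rejects non-contiguous masks.
        iface = ipaddress.ip_interface(s[("eth0", "address")])
        gw = _addr(s, ("gateway", "nexthop"))
        ftp = _addr(s, ("miniftpserver", "address"))
    except (KeyError, ValueError) as exc:
        return [("invalid-address", f"missing or malformed value: {exc}")]
    net, findings = iface.network, []
    if iface.ip in (net.network_address, net.broadcast_address):
        findings.append(("eth0-not-host", f"{iface.ip} is not a usable host in {net}"))
    if gw is not None and gw not in net:
        findings.append(("gateway-off-link", f"next hop {gw} is outside {net}"))
    if ftp is not None and not ftp.is_private:
        # Heuristic only: an RFC 1918 address is not proof of an isolated segment.
        findings.append(("ftp-public-address", f"FTP would listen on non-private {ftp}"))
    return findings

if __name__ == "__main__":
    for code, message in preflight(SAMPLE):
        print(f"{code}: {message}")
```

Run on this section's sample values, it reports that the next hop 123.45.69.254 lies outside 123.45.64.0/22 and that the FTP listener address is not in a private range.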

2.4.2 Installing iChain Services Schema Extensions on the iChain Authorization Server

The iChain Authorization server is the access point that iChain Proxy Services uses to retrieve authentication, access privileges, user, and group information for your iChain implementation from the eDirectory database. To make your eDirectory server platform into an iChain Authorization Server, install the iChain schema extensions onto the eDirectory tree for that server.

To install iChain schema extensions on the iChain Authorization Server:

  1. If you have not already done so, install eDirectory on the machine that will be your iChain Authorization Server.

  2. Insert the iChain authorization CD into the CD drive of a Windows client machine with IP connectivity to the iChain Authorization Server.

    If this is a Windows 2000 or Windows NT machine, you need administrator-level access to the client. The installation program launches automatically.

  3. Click Install iChain Schema.

  4. On the Welcome page, click Next.

  5. Read the license agreement. If you accept the terms of the agreement, click Yes.

  6. Enter the administrator user name in comma-delimited LDAP format (for example, cn=admin, o=novell).

  7. Enter the administrator password.

  8. Enter the IP address (and port, if necessary) for the server where you want to extend the schema.

  9. Click Next.

The installation program notifies you whether the schema extension was successful. If an error occurs, look at the log file to determine what LDAP errors occurred. If a bind error occurs, the installation was not able to log in to the LDAP server.

Common Bind Errors

Some of the most common bind errors are:

ldap_simple_bind failed: 49(Invalid credentials), dn: cn=admin,o=novell: Usually denotes an incorrect password. Check the password and try again.

ldap_simple_bind failed: 32(No such object), dn: cn=adm,o=novell: The specified administrator does not exist. Verify the username and try again.

ldap_simple_bind_failed: 13(Confidentiality required), dn: cn=admin,o=novell: You need to enable the Allow Clear Text Passwords option on the LDAP Group object. Open the LDAP Group object in ConsoleOne and make sure the check box labeled Allow Clear Text Passwords is selected.

ldap_simple_bind failed 81(Can't contact LDAP server), dn: cn=admin,o=novell: Either the IP address/port combination is incorrect or the LDAP server is not running. Verify the IP address and LDAP port, make sure the server is running, and try again.

Common Log File Errors

Sometimes the LDAP bind succeeds but there are other errors in the log file. In these cases, there are usually multiple instances of the same error. Some common non-bind-related errors are:

The LBURP extension is not available on the server. Using standard LDAP calls: This generally means the LDAP server is out of date. You should verify that the latest LDAP server (included with eDirectory) is installed on the server to ensure that the schema is completely extended.

Record1: LBURP operation failed: 50(Insufficient access), dn:cn=schema: This error means that the specified administrator does not have sufficient rights to extend the schema.

Record1: LBURP operation failed: 20(Type or value exists), dn:cn=schema: This error is expected if the server has already been extended with a previous version of iChain with this attribute or class.

If you are unable to resolve an error, refer to the Knowledgebase on the Novell Support Web site. This site includes information for resolving a number of LBURP operation failure issues.
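Triage of the schema-extension log described above, as an added example (not part of the iChain installer): it collapses repeated errors and separates the expected code 20 from codes that need action. The sample log is constructed from the message formats quoted in this section, and the names `triage` and `ADVICE` are hypothetical.

```python
import re
from collections import Counter

# Constructed sample log; line formats follow the messages quoted in this section.
SAMPLE_LOG = """\
The LBURP extension is not available on the server. Using standard LDAP calls
Record1: LBURP operation failed: 20(Type or value exists), dn:cn=schema
Record2: LBURP operation failed: 20(Type or value exists), dn:cn=schema
Record3: LBURP operation failed: 50(Insufficient access), dn:cn=schema
"""

# LDAP result code -> (severity, cause), as described in this section.
ADVICE = {
    49: ("fix", "incorrect administrator password"),
    32: ("fix", "administrator DN does not exist"),
    13: ("fix", "server requires confidentiality for the simple bind"),
    81: ("fix", "wrong IP address/port, or LDAP server not running"),
    50: ("fix", "administrator lacks rights to extend the schema"),
    # Expected only when an earlier iChain version already extended the schema.
    20: ("expected", "attribute or class left by a previous iChain version"),
}

# Accepts 'ldap_simple_bind failed' and 'ldap_simple_bind_failed', with or without ':'.
ERR_RE = re.compile(
    r"(?P<op>ldap_simple_bind[_ ]failed|LBURP operation failed):?\s*"
    r"(?P<code>\d+)\((?P<text>[^)]*)\),\s*dn:\s*(?P<dn>\S.*)$")

def triage(log_text):
    """Collapse repeated errors and separate expected ones from those needing action."""
    counts, lburp_missing = Counter(), False
    for line in log_text.splitlines():
        if "LBURP extension is not available" in line:
            lburp_missing = True  # out-of-date LDAP server; schema may be incomplete
        m = ERR_RE.search(line.strip())
        if m:
            kind = "bind" if m.group("op").startswith("ldap") else "lburp"
            counts[(kind, int(m.group("code")), m.group("dn"))] += 1
    errors = []
    for (kind, code, dn), n in sorted(counts.items()):
        severity, cause = ADVICE.get(code, ("unknown", "not covered by this section"))
        errors.append({"kind": kind, "code": code, "dn": dn, "count": n,
                       "severity": severity, "cause": cause})
    needs_action = lburp_missing or any(e["severity"] != "expected" for e in errors)
    return {"lburp_missing": lburp_missing, "errors": errors, "needs_action": needs_action}

if __name__ == "__main__":
    for e in triage(SAMPLE_LOG)["errors"]:
        print(f'{e["severity"]:8} {e["kind"]} {e["code"]} x{e["count"]}: {e["cause"]}')
```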

2.4.3 Installing the iChain ConsoleOne Snap-Ins

You must install the iChain ConsoleOne snap-in files in order to administer the iChain eDirectory objects such as the iChain Service Object. You can install the snap-in files to be used with ConsoleOne running from the iChain Authorization Server, another server in the tree, or from an administrator workstation.

NOTE: iChain 2.3 requires ConsoleOne 1.3.4 or later for all of the snap-ins to function correctly.

To install the iChain ConsoleOne snap-ins to a server or an administrator workstation:

  1. If the server or workstation does not already have ConsoleOne installed, install ConsoleOne.

    After ConsoleOne is installed, make sure you close it before starting to install the snap-ins.

  2. Insert the iChain authorization CD into the CD drive of the server or the administrator workstation.

    The installation program launches automatically.

  3. Click Install ConsoleOne Snapins for iChain.

  4. On the Welcome page, click Next.

  5. Read the license agreement. If you accept the terms of the agreement, click Yes.

  6. Select the target drive where you want to copy the snap-in files.

  7. Click Next to start copying the files.

  8. Click Finish.

After completing the full installation, you need to use ConsoleOne to create the iChain Service Object, along with the access control list (ACL) rule objects, and make any other configuration adjustments.