21.1 Upgrading from iChain 2.0, 2.1, and 2.2

This section discusses upgrading from the iChain 2.0, 2.1, and 2.2 software versions. The following steps should be considered:

This section also addresses:

21.1.1 1. Prepare the Current iChain Platform

  1. Prepare a test scenario with the customer (for each app, identify key profiles). Be aware of what each application requires as input (for example, simple authentication header, parameters passed using the command line).

  2. Test the scenario on the running iChain 2.0/2.1/2.2 system and confirm that it is working.

21.1.2 2. Back Up the Existing iChain Configuration

You should back up both the Authorization Server and the iChain Proxy Server.

To Back Up the Authorization Server

  1. Back up eDirectory™.

  2. Export the iChain objects (Access Control List, iChain Service Object, Communities) to LDIF.

  3. Back up any custom tools or modules that might have been running on the Authorization server.

  4. Rename the ConsoleOne directory if ConsoleOne version 1.2x is installed (the iChain 2.3 Authorization Server CD ships with version 1.34). If this is not an option, rename the iChain snap-in and lib directories.

To Back Up the iChain Proxy Server

  1. Export the Proxy Server configuration to a NAS file and take a screen shot of all configuration screens.

  2. Export or back up certificates that are being used by the proxy server.

  3. Back up the following files:

    • /etc/hosts — contains host mappings to IP addresses

    • /etc/proxy/data — contains custom login pages (ca*.html)

    • /ichain/oac/oac.properties — contains advanced OLAC configuration settings

    • /etc/proxy/r_append.cfg — if any DNS search types changed

    • /system/appstart.ncf and /system/tune.ncf

  4. Copy any tools or modules that you might have used from the server (for example, lsearch.nlm for LDAP testing, netmon.nlm for taking traces).

NOTE: If you want to save your configuration so you can quickly revert to it, the fastest way to do this is to pull SCSI drive 0 (if you have a multi-drive system) and replace it with another drive, such as the highest numbered drive from your SCSI sub-system, or better yet, use a spare you have on a shelf. Label the original “Drive 0,” and set it aside. Then proceed with the install as normal.

Make sure you have everything needed to restore a valid iChain 2.0/2.1/2.2 Proxy Server image.

The 2.1/2.2/2.3 schema is compatible with 2.0, meaning that if you leave your 2.0 iChain Service Object (ISO) untouched, you could have one proxy server running 2.0 while a second one is being upgraded. (This could help in doing a seamless migration and an easy rollback.)

21.1.3 3. Upgrade eDirectory with the iChain Schema Using the Install CD

NOTE: This step is only required if upgrading from iChain 2.0. No schema changes exist between iChain 2.1, 2.2, and 2.3.

The install script generates many BURP errors during this phase. They can be ignored. These errors are generated because many of the modifications to the schema that the install script is trying to perform are already in place.

NOTE: If the tree you are upgrading also contains Novell BorderManager® schema extensions, you will need to manually re-link the brdsrvsOutgoingAcl attribute with the object class named brdsrvsACLRule. This is done easily in ConsoleOne schema manager, after applying the new schema and reloading ConsoleOne.

21.1.4 4. Install ConsoleOne 1.34 and the iChain Snap-Ins

If it isn't already installed, install ConsoleOne 1.34 and also install the iChain snap-ins from the Authorization Server CD. This is required for any RADIUS or token-based authentication setup.

21.1.5 5. Convert and Modify Existing ACL/ISO Definitions

NOTE: This step is only required if upgrading from iChain 2.0.

Convert and modify existing Access Control List (ACL)/iChain Service Object (ISO) definitions to match specifications in iChain 2.1, 2.2, and 2.3.

The ConsoleOne snap-ins that ship with iChain 2.1 and 2.2 can detect iChain 2.0-formatted objects. After upgrading the Authorization Server from 2.0 to 2.2 and selecting properties of the original 2.0 ISO with the 2.2 snap-ins, the ISO is automatically extended with the new required attributes.

NOTE: If administrators are creating completely new objects, the following should be considered:

1. The ISO has many new attributes in 2.0. The most important of these involves ACLCHECK dynamic LDAP search attributes.

2. If you decide to re-create the ISO, the corresponding Rule Objects referencing the old ISO's protected resources must be re-created. If this is not done, ACLCHECK reports “old version” errors.

21.1.6 6. Upgrade the Proxy Server to iChain 2.3

  1. Image the proxy server with iChain 2.3.

    WARNING: When installing from a CD, both the original drive and the clone drive are overwritten. You cannot restore from the clone in this case, unless you first remove the clone drive from the system before installation.

  2. Unlock the Proxy Server system console by entering unlock at the prompt. You do not need to specify a password.

  3. Import the NAS file by placing the floppy containing the current.nas file into the proxy server. Enter import floppy. (If autoload does not exist, enter import current floppy.)

    Wait until the system displays “completed execution of current” at the server console.

  4. Import the server certificates that were backed up from the 2.0/2.1/2.2 server.

    If problems exist accessing the proxy server GUI, do the following from the Internet Caching System console:

    1. Run the _kill application to kill the java ServerApplication thread and all support modules.

    2. Unload the cert.nlm file at the system console.

    3. Reload cert.nlm.

    4. Execute appstart.ncf at the system console.

  5. Restore the files backed up in 2. Back Up the Existing iChain Configuration.

    Do not copy appstart.ncf and tune.ncf from your old 2.0 or 2.1 server. Make a note of the changes, and edit the appstart.ncf and tune.ncf on your new 2.3 iChain server.

    Some default settings have been changed and we recommend that you do not overwrite the existing 2.3 files.

    NOTE: The oac.properties file is not needed unless some non-default parameters were required for functionality in 1.5 (for example, increasing worker threads, synchronization interval).

  6. Using the proxy server GUI, run the health check to make sure that all services are up and running.

  7. Verify whether the eDirectory server still has community objects (which shipped with 1.5, but not with 2.x) and rules based on community objects. If this is the case, modify the APPSTART.NCF to load ACLCHECK with the /M option.

  8. Verify that you can access the iChain protected resource from the browser.
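
For step 5, the hand merge of appstart.ncf and tune.ncf can be prepared on an administration workstation. The following Python sketch is an added example, not Novell tooling: it compares an old file against the one installed by 2.3 and separates entries to re-apply from entries whose values differ and need review. The file contents are constructed samples, and parse_ncf and merge_report are hypothetical helper names.

```python
import re

# Constructed samples for illustration; these are not real iChain file contents.
OLD_APPSTART = """\
# appstart.ncf saved from the old proxy (constructed)
set maximum packet receive buffers = 10000
load aclcheck /M
load lsearch
"""
NEW_APPSTART = """\
# appstart.ncf installed by iChain 2.3 (constructed)
SET Maximum Packet Receive Buffers = 20000
LOAD ACLCHECK.NLM
"""

def parse_ncf(text):
    """Map each command to its value or arguments; skip blanks and comments."""
    entries = {}
    for raw in text.splitlines():
        line = " ".join(raw.split())              # collapse whitespace
        if not line or line[0] in "#;" or line.lower().startswith("rem "):
            continue
        m = re.match(r"set (.+?) ?= ?(.*)$", line, re.I)
        if m:                                     # SET parameter = value
            entries["set " + m.group(1).lower()] = m.group(2)
            continue
        m = re.match(r"load (\S+) ?(.*)$", line, re.I)
        if m:                                     # LOAD module [options]
            module = re.sub(r"\.nlm$", "", m.group(1).lower())
            entries["load " + module] = m.group(2)
            continue
        entries[line.lower()] = ""                # any other console command
    return entries

def merge_report(old_text, new_text):
    """Split old-file entries into ones to re-apply and ones to review."""
    old, new = parse_ncf(old_text), parse_ncf(new_text)
    reapply = sorted(k for k in old if k not in new)
    review = sorted((k, old[k], new[k]) for k in old
                    if k in new and old[k] != new[k])
    return {"reapply": reapply, "review": review}

if __name__ == "__main__":
    report = merge_report(OLD_APPSTART, NEW_APPSTART)
    for key in report["reapply"]:
        print("only in old file, re-apply by hand if still needed:", key)
    for key, old_value, new_value in report["review"]:
        print(f"value differs, review: {key}: old={old_value!r} new={new_value!r}")
```

Entries listed for review are the ones where a changed 2.3 default may be involved, so compare both values before editing the new file.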

21.1.7 7. Test the System

  1. Complete an offline test using your defined scenario.

  2. Complete a production test.

21.1.8 8. Implement New Features

Only after you have confirmed that the old features are working should you enable any of the new iChain 2.3 features.

21.1.9 Schema Differences Between 2.0, 2.1, 2.2, and 2.3

The iChain 2.3 schema file is found on the Authorization Server CD in the \schema subdirectory. This file documents all iChain attributes and lists the new attributes that have been added.