2.4 Migrating Access Manager on Windows

2.4.1 Prerequisites

  • The 3.1 SP4 or 3.1 SP5 setup should be on Windows 2003.

  • Back up your configuration. For instructions, see Backing Up and Restoring in the Access Manager 3.1 SP5 Administration Console Guide.

    If the upgrade fails, you need a way to recover your configuration. Because a backup can only be restored to the version on which it was created, you must restore your Access Manager components to that version. You can then restore the configuration with the backup file and work with NetIQ Technical Support to solve the upgrade problem before attempting to upgrade again.

  • Back up the following files manually:

    • C:\Program Files\Novell\Tomcat\conf\server.xml

    • C:\Program Files\Novell\Tomcat\conf\web.xml

    • C:\Program Files\Novell\Tomcat\webapps\nidp\jsp

    • C:\Program Files\Novell\Tomcat\webapps\nidp\WEB-INF\lib\

    • C:\Program Files\Novell\jre\lib\security\bcslogin.conf

    • C:\Program Files\Novell\Tomcat\webapps\nidp\WEB-INF\classes

  • For the Windows components (Identity Server, Administration Console, Access Gateway Appliance and Service), you should select a platform supported by Windows 2008 Server R2 Standard or Enterprise Edition.

2.4.2 Migrating Administration Consoles From Windows 2003 to Windows 2008

  1. Before you proceed with the migration steps, ensure that you have followed the instructions in Section 2.4.1, Prerequisites.

  2. Remove the Identity Server from the cluster configuration if the Identity Server is installed on the same machine as the Administration Console.

    1. In the Administration Console, click Devices > Identity Servers.

    2. Select the server, then click Stop. Wait for the Health indicator to turn red.

    3. Select the server, then choose Actions > Remove from Cluster.

      NOTE: Shut down the old server to prevent a duplicate IP address conflict. These IP addresses will be reused in Step 6.

  3. Copy the files that are backed up to the new 64-bit server and shut down Windows 2003. The IP address and host name will be reused in Step 6.

  4. Perform a fresh installation of Windows 2008 R2 Server, 64-bit operating system on 64-bit hardware, in either Standard or Enterprise Edition with the latest patches applied.

  5. If you have any secondary administration consoles, bring them down.

  6. Install the 3.1 SP4 or 3.1 SP5 version of the Administration Console.

    Use the same IP address and DNS name as that of Windows 2003.

    For more information, see Installing on Windows in the Access Manager 3.1 SP5 Installation Guide.

  7. Restore any customized files from the backup taken earlier in Prerequisites.

    To restore the files, copy the content of the following files to the corresponding file in the new location.

    | Old File Location | New File Location |
    |---|---|
    | C:\Program Files\Novell\Tomcat\conf\server.xml | C:\Program Files (x86)\Novell\Tomcat\conf\server.xml |
    | C:\Program Files\Novell\Tomcat\conf\web.xml | C:\Program Files (x86)\Novell\Tomcat\conf\web.xml |
    | C:\Program Files\Novell\Tomcat\webapps\nidp\jsp | C:\Program Files (x86)\Novell\Tomcat\webapps\nidp\jsp |
    | C:\Program Files\Novell\Tomcat\webapps\nidp\WEB-INF\lib\ | C:\Program Files (x86)\Novell\Tomcat\webapps\nidp\WEB-INF\lib\ |
    | C:\Program Files\Novell\jre\lib\security\bcslogin.conf | C:\Program Files (x86)\Novell\jre\lib\security\bcslogin.conf |
    | C:\Program Files\Novell\Tomcat\webapps\nidp\WEB-INF\classes | C:\Program Files (x86)\Novell\Tomcat\webapps\nidp\WEB-INF\classes |

    server.xml: If you have modified any elements or attributes in the 3.1 SP4 or 3.1 SP5 environment on Windows 2003, the corresponding changes will need to be applied to the 3.1 SP4 or 3.1 SP5 C:\Program Files (x86)\Novell\Tomcat\conf\server.xml file on Windows 2008.

    Typical changes made to C:\Program Files\Novell\Tomcat\conf\server.xml in 3.1 SP4 or 3.1 SP5 include modifying the address attribute to restrict the IP address the application listens on, or the ciphers attribute to restrict the ciphers used when communicating with the application over SSL.

    In the following example, 3.1 SP4 or 3.1 SP5 is customized to use the following ciphers:

    <Connector NIDP_Name="connector" port="8443" address="" ciphers="SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, ..." ... />

    When migrating 3.1 SP4 or 3.1 SP5 to Windows 2008, copy this cipher list from your 3.1 SP4 or 3.1 SP5 server.xml on Windows 2003 and use it to replace the cipher list in the SSL connector section of the 3.1 SP4 or 3.1 SP5 C:\Program Files (x86)\Novell\Tomcat\conf\server.xml on Windows 2008.

    Tomcat properties: Go to C:\Program Files\Novell\Tomcat\bin\tomcat5w. Double-click the tomcat5w file and make a note of any elements or attributes customized in 3.1 SP4 or 3.1 SP5 on Windows 2003.

    On the Windows 2008 3.1 SP4 or 3.1 SP5 server, go to C:\Program Files (x86)\Novell\Tomcat\bin\tomcat5w. Change the values and attributes as required.

    For example, if you have modified the heap size in tomcat5w file on Windows 2003, ensure you make the same changes in the tomcat5w file on Windows 2008 too.

  8. Modify the keystore locations in the server.xml file:

    1. Log in to the Administration Console server as the administrator.

    2. Open the server.xml file.

      C:\Program Files (x86)\Novell\Tomcat\conf\server.xml
      
    3. Search for the devman.keystore entry in the server.xml file.

    4. Change the path from

      C:\Program Files\Novell\Tomcat\webapps\roma\WEB-INF\conf\devman.keystore
      

      to

      C:\Program Files (x86)\Novell\Tomcat\webapps\roma\WEB-INF\conf\devman.keystore
      
    5. Search for the tomcat.keystore entry in the server.xml file.

    6. Change the path from

      C:\Program Files\Novell\Tomcat\webapps\roma\WEB-INF\conf\tomcat.keystore
      

      to

      C:\Program Files (x86)\Novell\Tomcat\webapps\roma\WEB-INF\conf\tomcat.keystore
      
    7. Save the file.

    8. Restart Tomcat.

      net stop Tomcat5

      net start Tomcat5

  9. Install the 3.1 SP4 or 3.1 SP5 version of the Identity Server.

    For more information, see Installing on Windows in the Access Manager 3.1 SP5 Installation Guide.

  10. Restore any customized files from the backup taken earlier in Prerequisites as in Step 7.

  11. Add the Identity Server to the cluster configuration.

    For more information, see Assigning an Identity Server to a Cluster Configuration in the Access Manager 3.1 SP5 Identity Server Guide.

  12. Remove any secondary consoles from the configuration:

    1. In the Administration Console, click Auditing > Troubleshooting.

    2. In the Other Known Device Manager Servers section, click Remove to remove any secondary consoles.

  13. Uninstall the secondary consoles.

    For more information, see Uninstalling the Windows Administration Console in the Access Manager 3.1 SP5 Installation Guide.

  14. Reinstall the secondary consoles as secondary consoles to the new primary console.

    For more information, see Installing on Windows in the Access Manager 3.1 SP5 Installation Guide.
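
The following check is an added example, not part of the NetIQ documentation. It covers Steps 7 and 8 by comparing the address and ciphers connector attributes between the Windows 2003 backup and the new server.xml, and by listing any attribute that still points at C:\Program Files\Novell. The sample XML, the keystoreFile attribute name, the address value and the function names are assumptions made for illustration.

```powershell
# Added example (not vendor code). Written for PowerShell 2.0, as shipped with Windows 2008 R2.
# Both documents are constructed samples; "keystoreFile" is an assumed attribute name.
$old = [xml]@'
<Server><Service name="Catalina">
  <Connector NIDP_Name="connector" port="8443" address="10.0.0.5"
    ciphers="SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA"
    keystoreFile="C:\Program Files\Novell\Tomcat\webapps\roma\WEB-INF\conf\tomcat.keystore"/>
</Service></Server>
'@
$new = [xml]@'
<Server><Service name="Catalina">
  <Connector NIDP_Name="connector" port="8443" address=""
    ciphers="SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA"
    keystoreFile="C:\Program Files\Novell\Tomcat\webapps\roma\WEB-INF\conf\tomcat.keystore"/>
</Service></Server>
'@
# For real files: $new = [xml](Get-Content 'C:\Program Files (x86)\Novell\Tomcat\conf\server.xml')

# Step 8: list every attribute that still references the old install root.
function Get-StalePath([xml]$Doc) {
    foreach ($node in $Doc.SelectNodes('//*')) {
        foreach ($attr in $node.Attributes) {
            # "Program Files (x86)\Novell" does not match this pattern.
            if ($attr.Value -match 'C:\\Program Files\\Novell\\') {
                New-Object PSObject -Property @{ Element = $node.LocalName; Attribute = $attr.Name; Value = $attr.Value }
            }
        }
    }
}

# Step 7: report connector settings that differ between the backup and the new file.
function Compare-ConnectorSetting([xml]$Old, [xml]$New, [string[]]$Names = @('address', 'ciphers')) {
    foreach ($c in $Old.SelectNodes('//Connector')) {
        $port = $c.GetAttribute('port')
        $peer = $New.SelectSingleNode("//Connector[@port='$port']")
        foreach ($n in $Names) {
            $was = $c.GetAttribute($n)
            $now = if ($peer) { $peer.GetAttribute($n) } else { '<connector missing>' }
            if ($was -ne $now) {
                New-Object PSObject -Property @{ Port = $port; Setting = $n; Old = $was; New = $now }
            }
        }
    }
}

Get-StalePath $new | Format-List
Compare-ConnectorSetting $old $new | Format-List
```

Run it against the real files after Step 8 and before restarting Tomcat; both functions returning nothing means no old-root paths remain and the compared connector attributes match the backup.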

2.4.3 Migrating the Standalone Identity Servers from Windows 2003 to Windows 2008

  1. Before you proceed with the migration steps, ensure that you have followed the instructions in Section 2.4.1, Prerequisites.

  2. Remove the Identity Server from the cluster configuration.

    1. In the Administration Console, click Devices > Identity Servers.

    2. Select the server, then click Stop. Wait for the Health indicator to turn red.

    3. Select the server, then choose Actions > Remove from Cluster.

  3. Perform a fresh installation of Windows 2008 R2 Server, 64-bit operating system on 64-bit hardware, in either Standard or Enterprise Edition with the latest patches applied.

  4. Shut down the old server to prevent a duplicate IP address conflict. These IP addresses will be reused in the next step.

  5. Install the 3.1 SP4 or 3.1 SP5 version of the Identity Server.

    Use the same IP address and DNS name for the Identity Server.

  6. Restore any customized files from the backup taken earlier in Prerequisites.

    To restore the files, copy the content of the following files to the corresponding file in the new location.

    | Old File Location | New File Location |
    |---|---|
    | C:\Program Files\Novell\Tomcat\conf\web.xml | C:\Program Files (x86)\Novell\Tomcat\conf\web.xml |
    | C:\Program Files\Novell\Tomcat\webapps\nidp\jsp | C:\Program Files (x86)\Novell\Tomcat\webapps\nidp\jsp |
    | C:\Program Files\Novell\Tomcat\webapps\nidp\WEB-INF\lib\ | C:\Program Files (x86)\Novell\Tomcat\webapps\nidp\WEB-INF\lib\ |
    | C:\Program Files\Novell\jre\lib\security\bcslogin.conf | C:\Program Files (x86)\Novell\jre\lib\security\bcslogin.conf |
    | C:\Program Files\Novell\Tomcat\webapps\nidp\WEB-INF\classes | C:\Program Files (x86)\Novell\Tomcat\webapps\nidp\WEB-INF\classes |

  7. Add the Identity Server to the cluster configuration.

    For more information, see Assigning an Identity Server to a Cluster Configuration in the Access Manager 3.1 SP5 Identity Server Guide.