2.1 Installing the Administration Console on Linux

2.1.1 Installation Requirements on Linux

  • 4 GB RAM.

  • Dual CPU or Core (3.0 GHz or comparable chip).

  • 100 GB hard disk.

    The hard disk should have ample space for logging in a production environment. This disk space must be on the local server, not on a remote server.

  • If you have custom-partitioned your hard disk as in the table below, ensure that each partition has at least the free disk space listed against it:

    Partition                    Free Disk Space
    /opt/novell                  1 GB
    /opt/volera                  5 MB
    /var/opt/novell              1 GB
    /var                         512 MB
    /usr                         25 MB
    /etc                         1 MB
    /tmp/novell_access_manager   10 MB
    /tmp                         10 MB
    /                            512 MB

  • One of the following operating systems:

    • SUSE Linux Enterprise Server (SLES) 11 SP2 and SP3, 64-bit operating system (physical or virtual) on x86-64 hardware. Ensure that the following packages are installed:

      perl-gettext, gettext-runtime
        The required library and tools to create and maintain message catalogs.

      python
        The basic Python library.

      compat
        Libraries to address compatibility issues. For information on enabling this repository, see TID 7004701.

      Use the following command to verify that a package is installed:

      rpm -qa | grep <package name>

      Use YaST to install any packages that are missing.

    • Red Hat Enterprise Linux (RHEL) 6.4, 6.5, and 6.6 (64-bit, physical or virtual). For installing the required RHEL packages, see Section C.0, Installing Packages and Dependent RPMs on RHEL for Access Manager.

      NOTE: For details about installing Access Manager 4.0 SP1 on RHEL 6.6, see TID 7016215.

  • Install the latest net-snmp package from the SLES or Red Hat update channel.

  • Zip and unzip utilities must be available for the backup and restore procedure.

  • Ports 389 (LDAP) and 636 (LDAPS) must be free. The embedded configuration store installed with the Administration Console listens on them.

  • A static IP address. If the IP address changes after devices have been imported, those devices can no longer communicate with the Administration Console.

  • The tree for the configuration store is named after the server on which you install the Administration Console. Check the hostname and rename the machine if the name is not appropriate for a configuration tree name.

  • The Administration Console can be installed on the same server as the Identity Server. If you are planning to install an L4 switch on a SLES server by using the Linux Virtual Services software, you can also install the Administration Console on this server.

IMPORTANT: You cannot install the following with the Administration Console:

  • OpenLDAP. If it is installed, you must remove it.

  • LDAP software such as eDirectory.

  • Other versions of iManager. You also cannot add other iManager product plug-ins to this Administration Console.

  • Linux User Management (LUM). Because of library update conflicts, you cannot install Access Manager on a LUM machine.

  • JRE. If you have a version installed, uninstall it.
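The following script is an added example written for this page, not part of the NetIQ installer. It checks the host against the requirements above before install.sh is run: the per-partition free space (summing every required path that lands on the same mount, so a single-partition host is held to the full total rather than to 512 MB), the SLES packages, ports 389 and 636, the 127.0.0.2 entry in /etc/hosts that the installer otherwise prompts about, and the conflicting software listed under IMPORTANT. The space and port values come from this section; the script name, function names, and the rpm name patterns for the conflicting software are assumptions to adjust for your distribution. Each check takes command output as an argument, so the logic can be exercised on captured text; `--run` gathers the real data.

```bash
#!/bin/bash
# nam_preflight.sh: pre-install checks for an Administration Console host.
# Added for this page; not part of the NetIQ installer. Space thresholds and
# port numbers come from the requirements above; script and function names,
# and the rpm name patterns below, are assumptions to adjust for your system.

# Required free space in MB per path (table in Section 2.1.1).
REQUIRED_MB="/opt/novell:1024 /opt/volera:5 /var/opt/novell:1024 /var:512
/usr:25 /etc:1 /tmp/novell_access_manager:10 /tmp:10 /:512"

# rpm name prefixes that must be present (SLES names; assumed) ...
NEEDED_PKGS="perl-gettext gettext-runtime python compat net-snmp zip unzip"
# ... and regexes for software that must not be installed (assumed names).
CONFLICT_PATTERNS="^openldap2-[0-9] ^NDSserv iManager ^novell-lum ^jre- openjdk"

# Print the longest mount point in MOUNTS (space-separated) that contains PATH.
mount_for_path() {
  local path="$1" best="/" m
  for m in $2; do
    case "$path/" in
      "${m%/}/"*) if [ "${#m}" -gt "${#best}" ]; then best="$m"; fi ;;
    esac
  done
  printf '%s\n' "$best"
}

# $1: "mountpoint:availableMB ..." as produced from `df -Pm`. Sums the
# requirements of every path that lands on the same mount before comparing.
check_space() {
  local avail="$1" mounts="" e need=""
  for e in $avail; do mounts="$mounts ${e%%:*}"; done
  for e in $REQUIRED_MB; do
    need="$need $(mount_for_path "${e%%:*}" "$mounts"):${e##*:}"
  done
  { for e in $need; do echo "need:$e"; done
    for e in $avail; do echo "have:$e"; done; } |
  awk -F: '$1=="need"{need[$2]+=$3} $1=="have"{have[$2]=$3}
    END{rc=0; for(m in need) if(have[m]+0<need[m]){
      printf "LOW DISK: %s needs %d MB, has %d MB\n",m,need[m],have[m]+0; rc=1}
    exit rc}'
}

# $1: output of `ss -ltn` or `netstat -ltn`. Fails if 389 or 636 is bound,
# because the embedded configuration store (eDirectory) needs both.
check_ports_free() {
  printf '%s\n' "$1" | awk '{for(i=1;i<=NF;i++) if($i ~ /:(389|636)$/) busy[$i]=1}
    END{rc=0; for(a in busy){print "PORT IN USE: " a; rc=1}; exit rc}'
}

# $1: path to a hosts file. The installer itself warns about 127.0.0.2
# (step 8 of the procedure); catching it here avoids the prompt.
check_hosts_loopback() {
  if grep -Eq '^[[:space:]]*127\.0\.0\.2[[:space:]]' "$1"; then
    echo "HOSTS: $1 maps a name to 127.0.0.2; remove that line"; return 1
  fi
  return 0
}

# $1: output of `rpm -qa`. Reports missing prerequisites and conflicting software.
check_packages() {
  local pkgs="$1" p rc=0
  for p in $NEEDED_PKGS; do
    if ! printf '%s\n' "$pkgs" | grep -q "^$p-[0-9]"; then echo "MISSING: $p"; rc=1; fi
  done
  for p in $CONFLICT_PATTERNS; do
    if printf '%s\n' "$pkgs" | grep -iq -- "$p"; then echo "CONFLICT: $p is installed"; rc=1; fi
  done
  return $rc
}

run_live_checks() {
  local rc=0
  check_space "$(df -Pm | awk 'NR>1{print $6 ":" $4}')" || rc=1
  check_ports_free "$(ss -ltn 2>/dev/null || netstat -ltn)" || rc=1
  check_hosts_loopback /etc/hosts || rc=1
  check_packages "$(rpm -qa)" || rc=1
  if [ "$rc" -eq 0 ]; then echo "All pre-install checks passed"; fi
  return $rc
}

# Run the live checks only when asked: sudo bash nam_preflight.sh --run
if [ "${1:-}" = "--run" ]; then run_live_checks; fi
```

Run it as root on the target host with `--run`; a non-zero exit means at least one requirement is not met and the offending item is printed. The conflict list only matches the package names assumed above, so confirm it against `rpm -qa` on your own build.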

Network Requirements

In addition to the servers on which software is installed, your network environment needs to have the following:

  • A server configured with an LDAP directory (eDirectory 8.8.8 or later, Sun ONE, or Active Directory) that contains your system users. The Identity Server uses the LDAP directory to authenticate users to the system.

  • Web servers with content or applications that need protection.

  • Clients with an Internet browser.

  • An L4 switch if you are going to configure load balancing. This can be hardware or software (for example, a Linux machine running Linux Virtual Services).

  • Static IP addresses for each machine used for an Access Manager component. If the IP address of the machine changes, the Access Manager component or components on that machine cannot start.

  • Domain name server, which resolves DNS names to IP addresses and which has reverse lookups enabled.

    Access Manager devices know each other by their IP addresses, and some requests require them to match an IP address with the device's DNS name. Without reverse lookups enabled, these requests fail. In particular, Identity Servers perform reverse lookups to their user stores. If reverse lookups are not available, host table entries can be used.

  • Network time protocol server, which provides accurate time to the machines on your network. Time must be synchronized to within one minute among the components; otherwise the product's security features disrupt communication between them. You can install your own or use a publicly available server such as pool.ntp.org.

    IMPORTANT: If time is not synchronized, users cannot authenticate and access resources.
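The two requirements that most often surface only after installation are the ones above: reverse DNS for the device addresses and clock skew under one minute. The following script is an added example written for this page, not Access Manager code. It compares the A record of a host with the PTR record of its IP (using the output of the `host` command) and parses the offset reported by `ntpdate -q` against the one-minute limit. The 60-second value is the page's "within one minute"; the script name, function names, and the sample lookup outputs in the test are assumptions.

```bash
#!/bin/bash
# nam_netcheck.sh: checks the reverse-DNS and time-sync requirements above.
# Added for this page, not Access Manager code. MAX_SKEW_SEC is the page's
# "within one minute"; script and function names are assumptions.

MAX_SKEW_SEC=60

# $1 name, $2 expected IP, $3 output of `host NAME`, $4 output of `host IP`.
# Passing the command output in lets the logic run on captured text.
check_reverse_dns() {
  local name ip="$2" fwd_ip rev_name
  name=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  fwd_ip=$(printf '%s\n' "$3" | awk '/has address/{print $NF; exit}')
  rev_name=$(printf '%s\n' "$4" |
    awk '/domain name pointer/{n=$NF; sub(/\.$/,"",n); print tolower(n); exit}')
  if [ "$fwd_ip" != "$ip" ]; then
    echo "DNS: $name resolves to '${fwd_ip:-nothing}', expected $ip"; return 1
  fi
  if [ "$rev_name" != "$name" ]; then
    echo "DNS: PTR for $ip is '${rev_name:-missing}', expected $name" \
         "(add a host table entry if reverse DNS cannot be fixed)"; return 1
  fi
  return 0
}

# $1: output of `ntpdate -q SERVER`. Extracts the offset in seconds and
# checks |offset| against MAX_SKEW_SEC.
check_time_skew() {
  local offset
  offset=$(printf '%s\n' "$1" |
    awk '{for(i=1;i<NF;i++) if($i=="offset"){o=$(i+1); sub(/,$/,"",o)}} END{print o}')
  if [ -z "$offset" ]; then echo "NTP: no offset in ntpdate output"; return 1; fi
  if ! awk -v o="$offset" -v max="$MAX_SKEW_SEC" 'BEGIN{if(o<0)o=-o; exit (o<max)?0:1}'; then
    echo "NTP: clock is off by ${offset}s, limit is ${MAX_SKEW_SEC}s"; return 1
  fi
  return 0
}

# Live use: bash nam_netcheck.sh --run <fqdn> <ip> [ntp-server]
run_live_checks() {
  local fqdn="$1" ip="$2" ntp="${3:-pool.ntp.org}" rc=0
  check_reverse_dns "$fqdn" "$ip" "$(host "$fqdn")" "$(host "$ip")" || rc=1
  check_time_skew "$(ntpdate -q "$ntp" 2>&1)" || rc=1
  return $rc
}
if [ "${1:-}" = "--run" ]; then run_live_checks "${2:-}" "${3:-}" "${4:-}"; fi
```

Run it once per Access Manager machine with that machine's DNS name and static IP. A PTR failure is the case the text describes where an Identity Server cannot resolve its user store; if the DNS server cannot be corrected, the fallback is the host table entry mentioned above.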

Browser Support

  • Internet Explorer 8.x and later

  • Mozilla Firefox

Browser pop-ups must be enabled to use the Administration Console. If you are using the latest version of Firefox, use the latest version of Sun (Oracle) JRE.

2.1.2 Installation Procedure

Installation time: about 20 minutes.

What you need to create during installation

A username and password for the Administrator.

NOTE: If the Administration Console and the Identity Server are installed on different servers, each uses ports 8080 and 8443. If they are installed on the same server, the Identity Server uses ports 8080 and 8443 and the Administration Console uses ports 2080 and 2443.

  1. If you have Red Carpet or auto update running, stop these programs before you install the Administration Console.

  2. Verify that the machine meets the minimum requirements. See Section 2.1.1, Installation Requirements on Linux.

  3. Open a terminal window.

  4. Access the install script as root:

    1. Ensure that you have downloaded the software or you have the CD available.

      For software download instructions, see the Access Manager 4.0 Hotfix 1 Readme.

    2. Do one of the following:

      • Insert the CD into the drive, then change to the mounted device:

        cd /media/cdrom

        The mount point is usually cdrom but can be something else, such as cdrecorder or dvdrecorder, depending on your hardware.

      • If you downloaded the tar.gz file, extract it by using the following command:

        tar -xzvf <filename>

    3. Change to the novell-access-manager directory.

  5. At the command prompt, specify the following:

    ./install.sh

    Ensure that you have adequate space in the system before you proceed with installation.

  6. When you are prompted to install a product, select 1. Install Administration Console and then press Enter.

  7. Review and accept the License Agreement.

    Novell Base and JDK for NetIQ are installed.

  8. (Conditional) The installer displays a warning if the host name of the system is mapped to the IP address 127.0.0.2 in the /etc/hosts file:

    An entry of 127.0.0.2 in the /etc/hosts file affects the Access Manager functionality. Do you want to proceed with removing it (y/n) [y]

    Specify y to proceed.

    A host name mapped to 127.0.0.2 can cause certain Access Manager processes to encounter errors when they attempt to resolve the host name of the machine. To avoid these problems, remove the 127.0.0.2 entry from the /etc/hosts file.

  9. Specify whether this is a primary Administration Console in a failover group. The first Administration Console installed becomes the primary console:

    You can install up to three Administration Consoles for replication and failover purposes. If this is not the primary console, you must provide the IP address of the primary Administration Console.

  10. Specify the administration username.

    Press Enter to use admin as the default admin username, or change this to a username of your choice.

    NOTE: The Administration Console username does not accept the special characters # (hash), & (ampersand), and ( ) (round brackets).

  11. Specify the administration password.

    Use alphanumeric characters only.

    NOTE: The Administration Console password does not accept the special characters : (colon) and " (double quotes).

  12. Confirm the password, then wait for the system to install components.

    This may take several minutes depending on the speed of your hardware.

    The following components are installed:

    Audit Platform Agent
      Responsible for packaging and forwarding the audit log entries to the configured Novell Audit Server. For more information, see Enabling Auditing in the NetIQ Access Manager 4.0 SP1 Administration Console Guide.

    Tomcat for NetIQ
      NetIQ packaging of the Java-based Tomcat Web server used to run servlets and JavaServer Pages (JSP) associated with NetIQ Access Manager Web applications.

    Access Manager Configuration Store
      An embedded version of eDirectory used to store user-defined server configurations, LDAP attributes, Certificate Authority keys, certificates, and other Access Manager attributes that must be securely stored.

    iManager
      The Web-based Administration Console that provides customized and secure access to server administration utilities. It is a modified version and cannot be used to manage other eDirectory trees.

    Audit Server
      Bundled with the Administration Console to monitor and log all enabled Access Manager components. For more information, see Enabling Auditing in the NetIQ Access Manager 4.0 SP1 Administration Console Guide.

    Administration Console
      A modification of iManager that enables management of all aspects of Access Manager. This component is not a standard iManager plug-in; it significantly modifies the tasks that iManager can perform.

    Identity Server Administration Plug-In
      Works in conjunction with the Administration Console to specifically manage the Identity Server.

  13. Record the login URL.

    When installation completes, the login URL is displayed. It looks similar to the following:

    http://10.10.10.50:8080/nps
    

    Use this to configure Access Manager components.

  14. Continue with Configuring the Linux Administration Console Firewall.

Configuring the Linux Administration Console Firewall

Before you can install other Access Manager components and import them into the Administration Console, or before you can log in to the Administration Console from a client machine, you must first configure the firewall on the Administration Console.

  1. Click Computer > YaST > Security and Users > Firewall.

    This launches the Firewall Configuration screen.

  2. Click Allowed Services > Advanced.

  3. In the TCP Ports field, specify the ports to open.

    (Conditional) If you are installing the Administration Console and the Identity Server or SSL VPN on different machines, list the following additional ports in the TCP Ports field:

    • 8080

    • 8443

    • 3080

    • 3443

    (Conditional) If you are installing the Administration Console and the Identity Server or SSL VPN on the same machine, list the following additional ports in the TCP Ports field:

    • 2080

    • 2443

  4. (Conditional) If you are importing an Access Gateway into the Administration Console, list the following additional ports in the TCP Ports field:

    • 1443

    • 8444

    • 1289

    • 524

    • 636

    If you are importing an Access Gateway Appliance, specify icmp in the IP Protocols field.

    For specific information about the ports listed in Step 3 and Step 4, see Table 8-2.

    NOTE: The Administration Console is accessible on ports 2080 (HTTP) and 2443 (HTTPS) when the Identity Server or SSL VPN is installed on the same machine.

  5. (Conditional) If you are importing an Access Gateway Appliance, click ICMP, select all options, then click OK twice.

  6. Restart Tomcat by running the following commands from the Administration Console command line.

    /etc/init.d/novell-ac stop

    /etc/init.d/novell-ac start

  7. Continue with Section 2.3, Logging In to the Administration Console.
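On a headless SLES server the same result can be reached without the YaST dialog, because the Allowed Services > Advanced fields are stored as SuSEfirewall2 settings in /etc/sysconfig/SuSEfirewall2 (the TCP Ports field as FW_SERVICES_EXT_TCP, the IP Protocols field as FW_SERVICES_EXT_IP). The following script is an added example written for this page, not NetIQ code. It merges the port lists from Steps 3 and 4 into those settings without duplicating entries that are already there, so it can be rerun when an Access Gateway is added later, then reloads the firewall and checks that the running rule set accepts each port. The port lists are the page's; the script and function names, the FW_CONF override, and the assumption that SuSEfirewall2 emits one `--dport` rule per port are mine.

```bash
#!/bin/bash
# nam_firewall.sh: command-line equivalent of the YaST firewall steps above,
# for the SuSEfirewall2 used on SLES. Added for this page, not NetIQ code.
# Port lists are the ones in Steps 3 and 4; FW_SERVICES_EXT_TCP and
# FW_SERVICES_EXT_IP are the sysconfig settings behind the YaST Advanced
# dialog; script and function names are assumptions.

FW_CONF=${FW_CONF:-/etc/sysconfig/SuSEfirewall2}

# Add the words in $3 to the space-separated list assigned to variable $2 in
# file $1, keeping what is already there and never duplicating an entry, so
# the script can be rerun when components are added later. Prints the result.
merge_sysconfig_list() {
  local file="$1" var="$2" add="$3" merged v
  merged=$(sed -n "s/^$var=\"\{0,1\}\([^\"]*\)\"\{0,1\}\$/\1/p" "$file" | tail -n1)
  for v in $add; do
    case " $merged " in
      *" $v "*) ;;
      *) merged="$merged${merged:+ }$v" ;;
    esac
  done
  if grep -q "^$var=" "$file"; then
    sed -i "s|^$var=.*|$var=\"$merged\"|" "$file"
  else
    printf '%s="%s"\n' "$var" "$merged" >> "$file"
  fi
  printf '%s\n' "$merged"
}

# $1: "separate" if the Identity Server/SSL VPN run on other machines, "same"
# if they share this host; $2: "gateway" if an Access Gateway will be imported.
open_admin_console_ports() {
  local tcp
  case "$1" in
    separate) tcp="8080 8443 3080 3443" ;;
    same)     tcp="2080 2443" ;;
    *) echo "usage: open_admin_console_ports separate|same [gateway]" >&2; return 2 ;;
  esac
  if [ "${2:-}" = "gateway" ]; then
    tcp="$tcp 1443 8444 1289 524 636"
    merge_sysconfig_list "$FW_CONF" FW_SERVICES_EXT_IP icmp >/dev/null
  fi
  merge_sysconfig_list "$FW_CONF" FW_SERVICES_EXT_TCP "$tcp"
}

# Apply the configuration and confirm each port is accepted by the live rules.
# Assumes SuSEfirewall2 writes one "--dport N" ACCEPT rule per configured port.
apply_and_verify() {
  local ports p rc=0
  ports=$(open_admin_console_ports "$@") || return $?
  SuSEfirewall2 start >/dev/null   # reloads the rules from FW_CONF
  for p in $ports; do
    if ! iptables-save | grep -Eq -- "--dport $p( |\$)"; then
      echo "port $p is not open in the running rule set"; rc=1
    fi
  done
  return $rc
}

# Example: sudo bash nam_firewall.sh --run separate gateway
if [ "${1:-}" = "--run" ]; then shift; apply_and_verify "$@"; fi
```

After the firewall change, restart Tomcat as in Step 6 (`/etc/init.d/novell-ac stop` then `start`). If the machine is not a SLES host, only the port lists carry over; the sysconfig variables are specific to SuSEfirewall2.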