2.1 Migrating Access Manager on SLES

2.1.1 Migrating Administration Consoles

Prerequisites for the Administration Console Migration

In addition to the following prerequisites, ensure that you also meet the hardware requirements for the Administration Console. For details, see Installation Requirements on Linux in the NetIQ Access Manager 4.0 SP2 Installation Guide.

  • A new IP address that is used temporarily during the primary Administration Console migration.

  • Timeout Per Protected Resource (TOPPR) is enabled and applied in the Access Gateway. In the Administration Console, click Devices > Access Gateways > Edit, then click Enable Timeout Per Protected Resource.

    If the Enable Timeout Per Protected Resource option has already been applied, it will not be displayed on the screen.

  • The clocks of the primary and secondary 3.1 SP4 or 3.1 SP5 Administration Consoles are synchronized. You can synchronize them by enabling the Network Time Protocol (NTP) client through YaST. To do this, go to YaST > Network Services > NTP Configuration.

  • The new 4.0 Administration Console that you want to install should be on the same subnet as the existing primary console.

  • The health status of every device in the Administration Console is green.

    For more information, see Viewing Device Health in the NetIQ Access Manager 4.0 SP1 Administration Console Guide.

  • You have physical access to the server, or to the server console in the case of VMware setups, as the root user, and you are familiar with iptables.

    The required ports are opened in the firewall. For more information about ports, see Section 1.1.4, Port Details.

  • Note down the contracts selected under the Satisfies contract list of SAML2.0 and Liberty identity providers. These are under Devices > Identity Servers > Edit > [Protocol] > [IdentityProvider] > Authentication Card.

    The application interface for this feature has changed in version 4.0. You must manually configure these contracts after migration. This configuration will be effective after the Identity Server migration is done.

    (Optional) If federation is configured, see the contracts configured for 3.1 SP4 or 3.1 SP5, and navigate to Administration Console > Devices > Identity Servers > Edit > [Protocol] > [Identity Provider] > Authentication Card. The Satisfies Contract field lists all the configured contracts.

  • The host name of the new 4.0 Administration Console should be different from the existing primary and secondary Administration Consoles.

  • Ensure that the /etc/hosts file of the system where you are installing Access Manager 4.0 has the host name and IP address for the new 4.0 Administration Console server. If the hostname of the Administration Console is not listed in DNS, the /etc/hosts file is used to resolve the hostname of the machine to a valid IP address.
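The following added pre-flight script (not part of the NetIQ documentation) checks the prerequisites above that can be checked from a shell: that the new console's address is on the same subnet as the existing primary console, that its host name differs from the existing consoles, and that /etc/hosts maps that host name to the new address with no duplicate host-name entries (the same hosts-file check is repeated as a note on the install_and_migrate.sh step). The addresses, host names and hosts-file contents are made up; on the new server, point SAMPLE_HOSTS at the real /etc/hosts. TOPPR, device health and time synchronization are checked in the Administration Console or with ntpq, not here.

```shell
#!/bin/sh
# Pre-flight checks for the network-related Administration Console prerequisites.
# Added example, not part of the NetIQ documentation; all addresses and host
# names below are made up.

# ip_to_int DOTTED_QUAD -> 32-bit integer (10.10.1.57 -> 168427833)
ip_to_int() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# same_subnet IP_A IP_B NETMASK -> yes/no
same_subnet() {
    a=$(ip_to_int "$1"); b=$(ip_to_int "$2"); m=$(ip_to_int "$3")
    if [ $(( a & m )) -eq $(( b & m )) ]; then echo yes; else echo no; fi
}

# hosts_lookup HOSTS_FILE NAME -> every address NAME maps to (comments ignored)
hosts_lookup() {
    sed 's/#.*//' "$1" | awk -v n="$2" '{ for (i = 2; i <= NF; i++) if ($i == n) print $1 }'
}

# hosts_duplicate_names HOSTS_FILE -> host names that appear on more than one line
hosts_duplicate_names() {
    sed 's/#.*//' "$1" | awk '{ for (i = 2; i <= NF; i++) c[$i]++ } END { for (n in c) if (c[n] > 1) print n }' | sort
}

# preflight NEW_IP NEW_HOST OLD_IP OLD_HOST NETMASK HOSTS_FILE -> PASS, or FAIL: plus the failed checks
preflight() {
    fail=""
    [ "$(same_subnet "$1" "$3" "$5")" = yes ] || fail="$fail subnet"
    [ "$2" != "$4" ]                          || fail="$fail hostname-clash"
    [ "$(hosts_lookup "$6" "$2")" = "$1" ]    || fail="$fail hosts-entry"
    [ -z "$(hosts_duplicate_names "$6")" ]    || fail="$fail hosts-duplicates"
    if [ -z "$fail" ]; then echo PASS; else echo "FAIL:$fail"; fi
}

# Constructed /etc/hosts so the script runs stand-alone; use /etc/hosts on the real server.
SAMPLE_HOSTS=$(mktemp)
cat > "$SAMPLE_HOSTS" <<'EOF'
127.0.0.1    localhost
10.10.1.20   amadmin31.example.com amadmin31    # existing 3.1 SP4/SP5 primary console
10.10.1.57   amadmin40.example.com amadmin40    # new 4.0 console on its temporary address
EOF
preflight 10.10.1.57 amadmin40.example.com 10.10.1.20 amadmin31.example.com 255.255.255.0 "$SAMPLE_HOSTS"   # PASS
```

A FAIL line names every check that failed, so a host that is both on the wrong subnet and listed twice in /etc/hosts is reported once with both reasons.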

WARNING: If three Administration Consoles are already installed and configured in the existing setup, uninstall one secondary Administration Console before running the install_and_migrate.sh script.

For more information about how to deconfigure and uninstall the Administration Console, see Step 12 and Uninstalling the Linux Administration Console in the NetIQ Access Manager 4.0 SP2 Installation Guide.

Migration Scenarios for the Administration Console

The following scenarios are supported for migrating NetIQ Access Manager from 3.1 SP4 and 3.1 SP5 to 4.0 on Linux.

IMPORTANT: Ensure that you identify the scenario that best describes your migration environment and review the appropriate steps before you begin the process of migration.

Administration Console, Identity Server, 3.1 SP4 or 3.1 SP5 Access Gateway Appliance, and SSL VPN Are Installed on Different Servers

Workflow:

  1. Migrate the Administration Consoles.

  2. Migrate the Identity Server.

  3. Migrate the 3.1 SP4 or 3.1 SP5 Access Gateway Appliance to the 4.0 Access Gateway Appliance.

  4. Migrate the SSL VPN from 3.1 SP4 or 3.1 SP5 to 4.0.

Administration Console and Identity Server Are on the Same Server, and 3.1 SP4 or 3.1 SP5 Access Gateway Appliance Is on a Different Server

Workflow:

  1. Migrate the primary Administration Console.

  2. Migrate the Identity Server.

  3. Migrate the 3.1 SP4 or 3.1 SP5 Access Gateway Appliance to the 4.0 Access Gateway Appliance.

Secondary Administration Console and Identity Server are on the Same Server

Workflow:

  1. Migrate the primary Administration Console.

  2. Migrate the secondary Administration Console.

  3. Migrate the Identity Server.

The Administration Console, Identity Server, and SSL VPN Are on the Same Server

Workflow:

  1. Migrate the Administration Consoles.

  2. Migrate the Identity Server.

  3. Migrate SSL VPN.

NOTE: If the device has multiple interfaces, use YaST to manually configure the primary IP address on each NIC.

To do this, go to YaST > Network Devices > Network Settings > Overview. Select the network card and click Edit. Enter the primary IP address. Click Next > Ok > Quit.

Migrating the Primary Administration Console

IMPORTANT: Before you proceed with the steps for migration, ensure that you have followed the instructions in the Prerequisites for the Administration Console Migration.

If you have multiple components installed on the same system, before starting migration of any component, ensure that you read the migration prerequisites of all components.

Migration Process

Figure 2-1 Process of Migration of the Primary Administration Console

  1. Back up the 3.1 SP4 or 3.1 SP5 primary Administration Console configuration by using the /opt/novell/devman/bin/ambkup.sh script.

    Remember the password that you enter while saving the backup file. You will need this password in Step 10.

    The NetIQ Access Manager backup file is used only for restoring the certificates. The rest of the data is synchronized through eDirectory replication.

    For more information about how to perform a backup, see Backing Up and Restoring in the NetIQ Access Manager 4.0 SP1 Administration Console Guide.

    IMPORTANT: Review the backup log file to confirm that the backup completed without errors before you continue.

  2. Copy the backup zip file to /tmp or any other folder on the new 64-bit server where you plan to install the 4.0 Administration Console.

    Make a note of the location and file name in absolute format. You need to provide this information in the installation and migration script (for example, /tmp/idpq_20120111_1314.zip).

  3. Ensure you have downloaded the software or you have the CD available.

  4. Do one of the following:

    • Insert the CD into the drive, then navigate to the device. Enter the following:

      cd /media

      Browse to your CD-ROM drive.

    • If you downloaded the AM_40_AccessManagerService_Linux64.tar.gz file, unpack the file using the following command:

      tar -xzvf AM_40_AccessManagerService_Linux64.tar.gz

  5. Browse to the novell-access-manager folder.

    All the files are extracted to the novell-access-manager folder.

  6. Run the install_and_migrate.sh script from the folder to migrate the primary Administration Console from 3.1 SP4 or 3.1 SP5 to 4.0.

    Ensure that you install the 4.0 Administration Console in the same subnet as the 3.1 SP4 or 3.1 SP5 Administration Console. For more information about the ports, see Section 1.1.4, Port Details.

    NOTE: Ensure that there is no duplicate entry of the host name in the /etc/hosts file.

  7. Type Y and press Enter when the system prompts you.

  8. Accept the license agreement by entering y when the system prompts you.

  9. Type Y and press Enter when the system displays the confirmation message.

  10. Provide the following details:

    3.1 Primary Administration Console IP address: Enter the 3.1 SP4 or 3.1 SP5 primary IP address. Ensure that the IP address is static.

    Access Manager Administration user ID: Enter the administrator user ID.

    Access Manager Administration password: Enter the administrator password. Re-enter the password for verification.

    Enter the backup file with absolute path: Enter the absolute path of the backup file that you created in Step 1.

    Enter a password for decrypting the data: Enter the private key encryption password of the backup file. Re-enter the password for verification.

    NOTE: To view installation progress, refer to the log files in /tmp/novell_access_manager.

    After installing the 4.0 Administration Console, the system displays the following:

  11. Verify if the 4.0 Access Manager server is functional. Perform one of the following steps from the 4.0 terminal:

    1. Run /opt/novell/eDirectory/bin/ndsstat -r command. This lists all the replicas available. Verify that the status of the 4.0 replica is On.

    2. Run the /opt/novell/eDirectory/bin/ldapsearch -A -LLL -b "ou=accessManagerContainer,o=novell" -D "cn=<username>,o=novell" -w <password> command. This lists all the objects in the NAM container. Run the same command on the 3.1 SP4 or 3.1 SP5 terminal and compare the two listings to verify that the object list on the 4.0 replica is complete and accurate. Passing the password with -w exposes it in shell history and in process listings; if your ldapsearch supports -W, use it to be prompted for the password instead.

  12. In the Access Manager 3.1 SP4 or 3.1 SP5 Administration Console, run the following command to deconfigure the eDirectory replica in the 3.1 SP4 or 3.1 SP5 server:

    /opt/novell/eDirectory/bin/ndsconfig rm /etc/opt/novell/eDirectory/conf/nds.conf

    1. Enter admin credentials in the admin.novell format and proceed with deletion.

      The system displays the following warning:

      Deconfiguring Novell eDirectory might cause problems in the operation of modules dependent on eDirectory. Do you wish to continue? (y/n) 
      
    2. Enter Y to proceed with deletion.

      After deletion, the following message will be displayed:

      Deconfiguration of eDirectory server is complete.
      The instance at /etc/opt/novell/eDirectory/conf/nds.conf is successfully removed.
      Stopping the service 'ndsd'... Done
      
  13. Shut down the 3.1 SP4 or 3.1 SP5 Administration Console.

  14. In the Access Manager 4.0 Administration Console, use YaST to change the IP address to the old primary Administration Console IP address:

    1. Go to YaST > Network Devices > Network Settings > Overview.

      NOTE: Run YaST on the physical server or, for a virtual machine, on the VM console. Do not change the IP address over a remote connection, because the connection is lost as soon as the address changes.

    2. Select the network card and click Edit.

    3. Change the IP address to the 3.1 SP4 or 3.1 SP5 primary Administration Console IP address.

    4. Click Next > Ok > Quit.

  15. Run the install_and_migrate.sh script from the novell-access-manager folder again to complete the installation. A confirmation message is displayed.

    1. Enter Y and the following message is displayed:

      Installation will continue to finish the rest of the 4.0 migration tasks
      
      Would you like to continue this installation (y/n)?
      
    2. Enter Y and then provide the following details:

      • Enter the Access Manager Administration user ID.

      • Enter the Access Manager Administration password.

      • Re-enter the password for verification.

      After migration is complete, the system displays the following message:

      4.0 Administration Console migration completed successfully.
      

Migrating the Secondary Administration Console

To install the 4.0 secondary Administration Console, you can either use a new 64-bit server or reuse the existing server if it supports the 64-bit installer.

To migrate the secondary Administration Console to 4.0, use one of the following procedures:

Using a New Server for the Secondary Administration Console

IMPORTANT: Before you install the 4.0 secondary Administration Console on a 64-bit server, decommission the 3.1 SP4 or 3.1 SP5 secondary Administration Console. This ensures that the number of Administration Consoles does not exceed three.

  1. Verify if the 4.0 Access Manager server is functional. Perform one of the following steps from the 4.0 terminal:

    1. Run the /opt/novell/eDirectory/bin/ndsstat -r command. This lists all the replicas available. Verify that the status of the 4.0 replica is On.

    2. Run /opt/novell/eDirectory/bin/ldapsearch -A -LLL -b "ou=accessManagerContainer,o=novell" -D "cn=<username>,o=novell" -w <password> command. This lists all the objects in the NAM container. You can run the same command on the 3.1 SP4 or 3.1 SP5 terminal to verify if the object list is complete and accurate.

  2. Run the following command to delete the eDirectory replica in the 3.1 SP4 or 3.1 SP5 secondary Administration Console server:

    /opt/novell/eDirectory/bin/ndsconfig rm /etc/opt/novell/eDirectory/conf/nds.conf
    
  3. Enter admin credentials in the admin.novell format and proceed with deletion.

  4. Log in to the 4.0 primary Administration Console.

  5. Click Auditing > Troubleshooting > Other Known Device Manager Servers.

  6. Click Remove for this server.

  7. Install the 64-bit SLES 11 SP2 or SP3 on the new 64-bit server with a different host name.

    1. Go to YaST > Network Devices > Network Settings > Overview.

    2. Select the network card and click Edit.

    3. Specify a different host name.

      For more information, see SLES 11 Installation Quick Start http://www.suse.com/documentation/sles11/book_quickstarts/data/book_quickstarts.html.

  8. Ensure that you have downloaded the software or you have the CD available.

  9. Do one of the following:

    • Insert the CD into the drive, then navigate to the device. Enter the following:

      cd /media

      Browse to your CD-ROM drive.

    • If you downloaded the AM_40_AccessManagerService_Linux64.tar.gz file, unpack the file using the following command:

      tar -xzvf AM_40_AccessManagerService_Linux64.tar.gz

  10. Browse to the novell-access-manager folder.

    All the files are extracted to the novell-access-manager folder.

  11. Install the secondary Administration Console by using the install.sh script.

    For more information about how to install the secondary Administration Console, see Installing Secondary Versions of the Administration Console in the NetIQ Access Manager 4.0 SP1 Setup Guide.

Reusing the Existing Server or IP Address for the Secondary Administration Console

To use the existing server for installing the secondary Administration Console, ensure it is a 64-bit server.

  1. Verify if the 4.0 Access Manager server is functional. Perform one of the following steps from the 4.0 terminal:

    1. Run /opt/novell/eDirectory/bin/ndsstat -r command. This lists all the replicas available. Verify that the status of the 4.0 replica is On.

    2. Run /opt/novell/eDirectory/bin/ldapsearch -A -LLL -b "ou=accessManagerContainer,o=novell" -D "cn=<username>,o=novell" -w <password> command. This lists all the objects in the NAM container. You can run the same command on the 3.1 SP4 or 3.1 SP5 terminal to verify if the object list is complete and accurate.

  2. Run the following command to delete the eDirectory replica in the 3.1 SP4 or 3.1 SP5 secondary Administration Console server:

    /opt/novell/eDirectory/bin/ndsconfig rm /etc/opt/novell/eDirectory/conf/nds.conf

  3. Enter the admin credentials in admin.novell format and proceed with deletion.

  4. Log in to the 4.0 primary Administration Console.

  5. Click Auditing > Troubleshooting > Other Known Device Manager Servers.

  6. Click Remove for this server.

  7. Either reinstall the server with 64-bit SLES 11 SP2 or higher and a different host name, or keep the same IP address and configure a different host name.

    1. Go to YaST > Network Devices > Network Settings > Overview.

    2. Select the network card and click Edit.

    3. Specify a different host name.

      IMPORTANT: Even after formatting the server, old certificates are not cleaned up from the user store. If you use the existing host name during Access Manager installation, it may conflict with the existing certificates. Use a different host name when you configure the IP address.

  8. Ensure you have downloaded the software or you have the CD available.

  9. Do one of the following:

    • Insert the CD into the drive, then navigate to the device. Enter the following:

      cd /media

      Browse to your CD-ROM drive.

    • If you downloaded the AM_40_AccessManagerService_Linux64.tar.gz file, unpack the file using the following command:

      tar -xzvf AM_40_AccessManagerService_Linux64.tar.gz

  10. Browse to the novell-access-manager folder.

    All the files are extracted to the novell-access-manager folder.

  11. Install the secondary Administration Console by using the install.sh script.

    For more information about how to install the secondary Administration Console, see Installing Secondary Versions of the Administration Console in the NetIQ Access Manager 4.0 SP1 Setup Guide.

NOTE: If the secondary Administration Console migration exits stating that the Server’s DIB does not contain replicas, see Section 5.4, Migration Exits Stating That the Server’s DIB Does Not Contain Replicas.

2.1.2 Migrating Identity Server

It is recommended that you replace the Identity Servers individually. The 3.1 SP4 or 3.1 SP5 and 4.0 Identity Servers can coexist until the migration is complete.

Prerequisites for the Identity Server Migration

In addition to the following prerequisites, ensure that you also meet the hardware and software requirements for the Identity Server. For details, see Installation Requirements on Linux in the NetIQ Access Manager 4.0 SP2 Installation Guide.

  • The Identity Server can perform a DNS resolution with the ESP (Embedded Service Provider) host name of the Access Gateway.

    For more information, see DNS Name Resolution in the NetIQ Access Manager 4.0 SP1 Identity Server Guide.

  • The Identity Server time is synchronized with the time of the Administration Console. You can synchronize the time by enabling the Network Time Protocol (NTP) server through YaST. To do this, go to YaST > Network Services > NTP Configuration.

  • You have physical access to the server, or to the server console in the case of VMware setups, as the root user, and you are familiar with firewall configuration. The required ports must be opened in the firewall. For more information about the ports, see Section 1.1.4, Port Details.

  • Determine if you want to reuse an existing IP address or use a new IP address for the migration process.

  • If the services are managed by an L4 switch, remove the device that you are migrating from the L4 switch. Add the device back to the L4 switch once the migration is done successfully. This is required so that no user requests are sent by L4 switch to that device during migration.

  • If you have customized any files, back them up with the migrate_backup.sh script. This script is located in the novell-access-manager folder in the AM_40_AccessManagerService_Linux64.tar.gz file. Copy it to the 3.1 SP4 or 3.1 SP5 server and run it there. Take this backup whether you are reusing the same machine or moving to a new one.

    As part of the backup process, the files that get backed up are:

    • /var/opt/novell/tomcat5/webapps/nidp/jsp

    • /var/opt/novell/tomcat5/webapps/nidp/html

    • /var/opt/novell/tomcat5/webapps/nidp/images

    • /var/opt/novell/tomcat5/webapps/nidp/config

    • /var/opt/novell/tomcat5/webapps/nidp/WEB-INF/lib

    • /var/opt/novell/tomcat5/webapps/nidp/WEB-INF/web.xml

    • /var/opt/novell/tomcat5/webapps/nidp/WEB-INF/classes

    • /var/opt/novell/tomcat5/webapps/nidp/WEB-INF/conf

    • /opt/novell/java/jre/lib/security/nidpkey.keytab

    • /opt/novell/java/jre/lib/security/bcslogin.conf

    • /var/opt/novell/tomcat5/webapps/nidp/classUtils

    • /var/opt/novell/tomcat5/conf/server.xml

    • /var/opt/novell/tomcat5/conf/tomcat5.conf

  • (Conditional) If the Identity Server cluster has been assigned to delegated administrators, remove them before migration and re-add them after the migration is complete.

    If you do not perform this action, the delegated administrators will not be able to log in and configure devices assigned to them. You must manually re-create these administrators and assign the respective devices.

    For more information about delegated users, see Managing Delegated Administrators in the NetIQ Access Manager 4.0 SP1 Administration Console Guide.

Reusing an Existing IP Address

The Identity Server Is the Only Component on the Server

Workflow:

  1. Back up the files if they have been customized.

  2. Stop and remove the 3.1 SP4 or 3.1 SP5 Identity Server.

  3. Delete the 3.1 SP4 or 3.1 SP5 Identity Server that you removed from the Identity Servers cluster.

  4. Uninstall the 3.1 SP4 or 3.1 SP5 Identity Server if you are going to use the current server to install 4.0 Identity Server.

  5. Add the 4.0 Identity Server to the existing Identity Server cluster in the Administration Console.

  6. Update the Identity Server and apply changes.

  7. Restore any customized files from the backup taken earlier.

The Identity Server and SSL VPN Are on the Same Server

Workflow:

  1. Back up the customized files.

  2. Stop the source (3.1 SP4 or 3.1 SP5) Identity Server.

  3. Remove the source Identity server from the cluster.

  4. Delete the source Identity Server from the Identity Servers cluster.

  5. Uninstall the source Identity Server if you are going to use the current server to install 4.0 Identity Server.

  6. Uninstall the source SSL VPN Server if you are going to use the current server to install 4.0 SSL VPN Server.

    WARNING: Ensure that you uninstall the SSL VPN server and do not delete the SSL VPN server object. Deleting the SSL VPN server instead of uninstalling it results in loss of settings.

  7. Use the NetIQ Access Manager 4.0 installer to install the 4.0 Identity Server on a 64-bit SLES 11 SP2 or 64-bit SLES 11 SP3 operating system.

  8. Add the 4.0 Identity Server to the existing Identity Servers cluster in the Administration Console.

  9. Update the Identity Server and apply changes.

  10. Restore any customized files from the backup taken earlier.

  11. Install SSL VPN on the same server.

  12. (Optional) For the ESP-enabled SSL VPN: When the Identity Server and ESP-enabled SSL VPN are migrated to the same server:

    1. Click Device > SSL VPN > Edit > Authentication Configuration.

    2. In the Embedded Service Provider Base URL field, change the ports to 3080 and 3443 for http and https respectively.

  13. (Optional) For the traditional SSL VPN: When the Identity Server and traditional SSL VPN are migrated to the same server:

    1. Click Access Gateway > Edit > Service.

    2. Click the SSL VPN Web server address and change the connection ports to 3080 and 3443 for http and https respectively.

      NOTE: From NetIQ Access Manager 3.2 onwards, SSL VPN is accessible on ports 3080 (http) and 3443 (https) when it is installed on the same server as the Identity Server.

Using a New IP Address

The Identity Server Is the Only Component on the Server

Workflow:

  1. Back up the customized files.

  2. Use the NetIQ Access Manager 4.0 installer to install the 4.0 Identity Server on a 64-bit SLES 11 SP2 or higher operating system.

  3. Add the 4.0 Identity Server to the existing Identity Server cluster in the Administration Console.

  4. Update the Identity Server and apply changes.

  5. Restore any customized files from the backup taken earlier.

The Identity Server and SSL VPN Are on the Same Server

Workflow:

  1. Back up the customized files.

  2. Run the NetIQ Access Manager 4.0 installer on a 64-bit SLES 11 SP2 or SP3 operating system and install the Identity Server.

  3. Add the 4.0 Identity Server to the existing Identity Servers cluster in the Administration Console.

  4. Update the Identity Server and apply the changes.

  5. Install SSL VPN on the same server.

  6. Add the 4.0 SSL VPN to the existing SSL VPN cluster in the Administration Console.

  7. Update and apply changes.

  8. Restore any customized files from the backup taken earlier.

  9. (Optional) For the ESP-enabled SSL VPN: When the Identity Server and ESP-enabled SSL VPN are migrated to the same server:

    1. Click Device > SSL VPN > Edit > Authentication Configuration.

    2. In the Embedded Service Provider Base URL field, change the ports to 3080 and 3443 for http and https respectively.

  10. (Optional) For the traditional SSL VPN: When the Identity Server and traditional SSL VPN are migrated to the same server:

    1. Click Access Gateway > Edit > Service.

    2. Click the SSL VPN Web server address and change the connection ports to 3080 and 3443 for http and https respectively.

      NOTE: For NetIQ Access Manager 3.2 and later, SSL VPN is accessible on ports 3080 (http) and 3443 (https) when it is installed on the same server as the Identity Server.

Process of Migration

Figure 2-2 Process of Migrating the Identity Server

IMPORTANT: Before you proceed with the steps for migration, ensure that you have followed the instructions in the Prerequisites for the Identity Server Migration.

  1. Stop the Identity Server and remove the Identity Server from the cluster configuration.

    1. In the Administration Console, click Devices > Identity Servers.

    2. Select the server, then click Stop.

    3. Select the server, then choose Actions > Remove from cluster.

    4. Update the cluster configuration.

  2. If you are using an existing machine, delete the existing Identity Server from the Administration Console before installing the new Identity Server.

    1. In the Administration Console, click Devices > Identity Servers.

    2. Select the server, then click Stop.

    3. Click Actions > Delete.

  3. If the operating system is 32-bit (i586), perform a new installation of 64-bit SLES 11 SP2 or higher. For more information, see SLES 11 Installation Quick Start http://www.suse.com/documentation/sles11/book_quickstarts/data/book_quickstarts.html.

    If the operating system is already 64-bit SLES 11 SP2 or higher, uninstall the 3.1 SP4 or 3.1 SP5 version and install the 4.0 Identity Server.

  4. Ensure the following packages are installed:

    • perl-gettext, gettext-runtime: The required library and tools to create and maintain message catalogs.

    • python: The Python library.

    • compat: Libraries to address compatibility issues. On SLES 11 SP2 or SP3 platform, the compat-32bit package is available in the SLES11-Extras repository. For information about enabling this repository, see TID 7004701.

    1. Use YaST to install the packages that have not yet been installed.

    2. Use the following command to verify the installation:

      rpm -qa | grep <package name>
      

      Replace <package name> with the name of the package you want to verify. For example:

      rpm -qa | grep compat

    3. Ensure that you have downloaded the software or you have the CD available.

    4. Do one of the following:

      • Insert the CD into the drive, then navigate to the device. Enter the following:

        cd /media

        Browse to your CD-ROM drive.

      • If you downloaded the AM_40_AccessManagerService_Linux64.tar.gz file, unpack the file using the following command:

        tar -xzvf AM_40_AccessManagerService_Linux64.tar.gz

    5. Browse to the novell-access-manager folder.

      All the files are extracted to the novell-access-manager folder.

    6. Run the install.sh script from the novell-access-manager folder on a 64-bit SLES 11 SP2 or SP3 platform and choose the option to install the Identity Server.

  5. Enter the following details:

    • IP address of the 4.0 primary Administration Console as the primary Administration Console IP address

    • Access Manager Administration User ID

    • Access Manager Administration password

    • Re-enter the password for verification

  6. If local NAT is configured for the Identity Server, enter the NAT IP address. For more information about configuring Network Address Translation, see Configuring Network Address Translation in the NetIQ Access Manager 4.0 SP2 Installation Guide.

  7. Enter Y to proceed with installation.

    After installation, this Identity Server device is displayed in the Administration Console.

  8. Restore any customized files from the backup taken earlier as part of steps in Prerequisites for the Identity Server Migration.

    NOTE: Sanitize any restored customized JSP file to prevent cross-site scripting (XSS) attacks. Restoring a customized JSP brings back the 3.1-era page exactly as it was, so any output encoding it lacked is lacking in 4.0 as well. For more information about how to sanitize the JSP file, see Preventing Cross-site Scripting Attacks in the NetIQ Access Manager 4.0 SP1 Identity Server Guide.

    To restore the files, copy the content of the following files to the corresponding file in the new location.

    Table 2-1 Restoring Files During IDP Migration

    Old File Location

    New File Location

    /var/opt/novell/tomcat5/webapps/nidp/jsp

    /opt/novell/nam/idp/webapps/nidp/jsp

    /var/opt/novell/tomcat5/webapps/nidp/html

    /opt/novell/nam/idp/webapps/nidp/html

    /var/opt/novell/tomcat5/webapps/nidp/images

    /opt/novell/nam/idp/webapps/nidp/images

    /var/opt/novell/tomcat5/webapps/nidp/config

    /opt/novell/nam/idp/webapps/nidp/config

    /var/opt/novell/tomcat5/webapps/nidp/WEB-INF/lib

    /opt/novell/nam/idp/webapps/nidp/WEB-INF/lib

    /var/opt/novell/tomcat5/webapps/nidp/WEB-INF/web.xml

    /opt/novell/nam/idp/webapps/nidp/WEB-INF/web.xml

    /var/opt/novell/tomcat5/webapps/nidp/WEB-INF/classes

    /opt/novell/nam/idp/webapps/nidp/WEB-INF/classes

    /var/opt/novell/tomcat5/webapps/nidp/WEB-INF/conf

    /opt/novell/nam/idp/webapps/nidp/WEB-INF/conf

    /opt/novell/java/jre/lib/security/bcslogin.conf

    /opt/novell/java/jre/lib/security/bcslogin.conf

    /opt/novell/java/jre/lib/security/nidpkey.keytab

    /opt/novell/java/jre/lib/security/nidpkey.keytab

    /var/opt/novell/tomcat5/webapps/nidp/classUtils

    /opt/novell/nam/idp/webapps/nidp/classUtils

    server.xml: If you have modified any elements or attributes in the 3.1 SP4 or 3.1 SP5 environment, apply the corresponding changes to the 4.0 /opt/novell/nam/idp/conf/server.xml file.

    Typical changes made to server.xml in 3.1 SP4 or 3.1 SP5 include setting the 'address=' attribute to restrict the IP address the application listens on, or the 'maxThreads=' attribute to change the number of threads.

    In the following example, 3.1 SP4 or 3.1 SP5 is customized to use a specific list of ciphers:

    <Connector NIDP_Name="connector" port="8443" address="" ciphers="SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, ..." ... />

    When migrating to 4.0, copy the cipher list from your 3.1 SP4 or 3.1 SP5 server.xml into the SSL connector section of the 4.0 server.xml file. Review the list before you copy it rather than carrying it over verbatim: suites based on RC4 or MD5, such as the two shown in this example, are deprecated, and a list written for the 3.1 release reflects the choices of that time.

    tomcat5.conf: Copy any elements or attributes that you have customized in the 3.1 SP4 or 3.1 SP5 tomcat5.conf file to the 4.0 tomcat7.conf file.

    For example, if you increased the heap or stack size in the 3.1 SP4 or 3.1 SP5 tomcat5.conf file with -Xmx, -Xms or -Xss settings, copy those settings to the 4.0 /opt/novell/nam/idp/conf/tomcat7.conf file.

  9. Add the newly installed Identity Server to the existing Identity Servers cluster.

    For more information, see Clustering Identity Servers in the NetIQ Access Manager 4.0 Setup Guide.

    The cluster object stores all the existing Identity Server configurations. The newly added Identity Servers inherit these configurations.

    1. Delete the 3.1 SP4 or 3.1 SP5 Identity Server from the Administration Console. Shut down the corresponding machine.

  10. On the newly added Identity Server, restart Tomcat using the /etc/init.d/novell-idp restart or rcnovell-idp restart command.

  11. Repeat Step 1 through Step 10 until all the 3.1 SP4 or 3.1 SP5 Identity Servers are replaced with 4.0 Identity Servers.
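As an added example (not part of the NetIQ documentation or of the migrate_backup.sh script), the following helpers cover the restore in step 8 above: mapping each path from the backup list in the prerequisites to its 4.0 location from Table 2-1, pulling the -Xms/-Xmx/-Xss settings out of a tomcat5.conf so they can be carried into tomcat7.conf, and flagging the suites in a 3.1 server.xml cipher list that should not be copied into 4.0. The paths are the ones Table 2-1 gives; the tomcat5.conf and server.xml contents are constructed samples.

```shell
#!/bin/sh
# Helpers for restoring customized Identity Server files after migration.
# Added example, not part of the NetIQ documentation or of migrate_backup.sh.
# Paths follow Table 2-1; the tomcat5.conf and server.xml below are constructed.
export LC_ALL=C

# new_path OLD_PATH -> the 4.0 location of a 3.1 SP4/SP5 file, or UNMAPPED
new_path() {
    case "$1" in
        /var/opt/novell/tomcat5/webapps/nidp/*)
            echo "/opt/novell/nam/idp/webapps/nidp/${1#/var/opt/novell/tomcat5/webapps/nidp/}" ;;
        /var/opt/novell/tomcat5/conf/server.xml)   echo /opt/novell/nam/idp/conf/server.xml ;;
        /var/opt/novell/tomcat5/conf/tomcat5.conf) echo /opt/novell/nam/idp/conf/tomcat7.conf ;;
        /opt/novell/java/jre/lib/security/*)       echo "$1" ;;   # same location in 4.0
        *) echo UNMAPPED; return 1 ;;
    esac
}

# jvm_opts FILE -> the -Xms/-Xmx/-Xss settings in a tomcat5.conf, ignoring comment
# lines, as one space-separated string ready for the 4.0 tomcat7.conf
jvm_opts() {
    grep -v '^[[:space:]]*#' "$1" | grep -oE -e '-X(ms|mx|ss)[0-9]+[kKmMgG]?' | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# ciphers_attr FILE -> the value of the first ciphers="..." attribute in a server.xml
ciphers_attr() {
    tr '\n' ' ' < "$1" | grep -oE 'ciphers="[^"]*"' | head -1 | sed 's/^ciphers="//; s/"$//'
}

# weak_ciphers "LIST" -> the suites in a comma-separated cipher list that rely on RC4,
# MD5, DES/3DES, NULL encryption, EXPORT strength or anonymous key exchange, one per line
weak_ciphers() {
    printf '%s\n' "$1" | tr ',' '\n' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | grep -v '^$' \
        | grep -E 'RC4|_MD5|_DES_|3DES|NULL|EXPORT|anon' || true
}

# Constructed samples of a customized 3.1 tomcat5.conf and server.xml connector.
SAMPLE_TOMCAT5_CONF=$(mktemp); SAMPLE_SERVER_XML=$(mktemp)
cat > "$SAMPLE_TOMCAT5_CONF" <<'EOF'
JAVA_HOME="/opt/novell/java"
#JAVA_OPTS="${JAVA_OPTS} -Xmx1024m"                 # superseded value left commented out
JAVA_OPTS="${JAVA_OPTS} -Xms512m -Xmx2048m -Xss256k"
EOF
cat > "$SAMPLE_SERVER_XML" <<'EOF'
<Connector NIDP_Name="connector" port="8443" address=""
    ciphers="SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA,
             TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA" />
EOF

for f in /var/opt/novell/tomcat5/webapps/nidp/jsp/login.jsp /var/opt/novell/tomcat5/conf/tomcat5.conf; do
    echo "$f -> $(new_path "$f")"
done
echo "JVM options to carry over: $(jvm_opts "$SAMPLE_TOMCAT5_CONF")"
echo "Suites in the 3.1 cipher list to drop rather than copy:"
weak_ciphers "$(ciphers_attr "$SAMPLE_SERVER_XML")"
```

On a real server, feed new_path the lines of the backup list and copy each file to the printed location; keep the two conf files out of the copy loop and merge their settings by hand, because the 4.0 server.xml and tomcat7.conf contain new defaults that a wholesale overwrite would remove.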

2.1.3 Migrating 3.1 SP4 or 3.1 SP5 Access Gateway Appliance to 4.0 Access Gateway Appliance

Prerequisites for the Access Gateway Appliance Migration

In addition to the following prerequisites, ensure that you also meet the hardware and software requirements for Access Gateway. For details, see Access Gateway Appliance Requirements in the NetIQ Access Manager 4.0 SP2 Installation Guide.

  • Timeout Per Protected Resource (TOPPR) is enabled and applied in the Access Gateway. In the Administration Console, click Devices > Access Gateways > Edit, then click Enable Timeout Per Protected Resource.

    If the Enable Timeout Per Protected Resource option has already been applied, it will not be displayed on the screen.

  • Access Gateway should be in a cluster before migration. If the Access Gateway is on a single device, create an access gateway cluster with a single device before migration.

    For more information, see Managing a Cluster of Access Gateways in the NetIQ Access Manager 4.0 SP1 Access Gateway Guide.

  • You have physical access to the server or server console (in case of VMWare setups) as a root user and are familiar with firewall configurations. The required ports must be opened in the firewall. For more information about the ports, see Section 1.1.4, Port Details.

  • Ensure that you have migrated all the Administration Consoles and Identity Servers before migrating the 3.1 SP4 or 3.1 SP5 Access Gateway Appliance to the 4.0 Access Gateway Appliance.

  • Make a note of the IP addresses and host name of the 3.1 SP4 or 3.1 SP5 Access Gateway Appliance before installing the Access Gateway Appliance. The IP address used by 3.1 SP4 or 3.1 SP5 Access Gateway Appliance to communicate with the Administration Console will be used for installing the Access Gateway Appliance.

  • Determine if you want to reuse an existing IP address or use a new IP address for the migration process.

  • Ensure that you have the same number of network interfaces on the new 4.0 Access Gateway as in the 3.1 SP4 or 3.1 SP5 Access Gateway Appliance.

  • If the services are managed by an L4 switch, remove the device that you are migrating from the L4 switch. Add the device back to the L4 switch once the migration is done successfully. This is required so that no user requests are sent by the L4 switch to that device during migration.

  • If you have a version older than the 3.1 SP4 Access Gateway Appliance, first upgrade to 3.1 SP4 or 3.1 SP5 by using the instructions in the Access Manager 3.1 Installation Guide.

  • If you have customized any files, back them up using the migrate_backup.sh script. This script is located in the novell-access-manager folder in the AM_40_AccessManagerService_Linux64.tar.gz file. Copy this script to the 3.1 SP4 or 3.1 SP5 server and run it to take the backup.

    It is important to take the backup regardless of whether you are reusing the same machine or a new server.

    The files that get backed up are:

    • /var/opt/novell/tomcat5/conf/server.xml

    • /var/opt/novell/tomcat5/conf/tomcat5.conf

    • /var/opt/novell/tomcat5/conf/web.xml

    • /var/opt/novell/tomcat5/webapps/nesp/WEB-INF/web.xml

    • /var/opt/novell/tomcat5/webapps/nesp/jsp

    • /var/opt/novell/tomcat5/webapps/nesp/html

    • /var/opt/novell/tomcat5/webapps/nesp/images

    • /var/opt/novell/tomcat5/webapps/nesp/config

    • /chroot/lag/opt/novell/bin/preapply.sh

    • /chroot/lag/opt/novell/bin/postapply.sh

    • /var/novell/errorpagesconfig/current/ErrorMessages.xml

    • /var/novell/ErrorPagesConfig.xml

  • If you have touch files configured in the 3.1 SP4 or 3.1 SP5 Access Gateway Appliance, copy the touch file migration utility files lag2mag_touchfiles.csv and migrate_touchfiles.sh to the 3.1 SP4 or 3.1 SP5 Access Gateway Appliance. These files are located in the novell-access-manager/utils folder in the AM_40_AccessManagerService_Linux64.tar.gz file.

    Use the sh migrate_touchfiles.sh > touchfile_list command and back up the output file touchfile_list.

    The touchfile_list file contains the options that need to be mapped to the advanced options in the Access Gateway Appliance.

    Here is an example of the output:

    # Global Option example
    NAGGlobalOptions InPlaceSilent=on

    # Virtual Host/Server Option example
    NAGGlobalOptions DebugHeaders=on
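The following script is an added example, not part of this guide or a NetIQ utility. It reads a touchfile_list file of the shape shown above, separates the Global Option lines from the Virtual Host/Server Option lines so each block can be pasted into the right Advanced Options field, and flags blank lines between options, which the paste steps later in this section require you to avoid. It assumes that the "# Global Option" and "# Virtual Host/Server Option" comment lines in the output are the section markers.

```python
"""Split a touchfile_list (output of migrate_touchfiles.sh) into the two blocks that are
pasted into the Administration Console and flag blank lines inside either block.

Added example for this page; not a NetIQ utility. Assumption: the '# Global Option' and
'# Virtual Host/Server Option' comment lines in the sample output mark where each block
starts. The option lines themselves are never modified.
"""
from typing import Dict, List, Optional, Tuple

# Constructed sample shaped like the output shown on this page. The last option name is a
# placeholder, not a real advanced option; the blank line above it is the defect to catch.
SAMPLE_TOUCHFILE_LIST = """# Global Option example
NAGGlobalOptions InPlaceSilent=on

# Virtual Host/Server Option example
NAGGlobalOptions DebugHeaders=on

NAGGlobalOptions PLACEHOLDER_OPTION=on
"""

# Comment text -> block it introduces (assumed from the sample output, see lead-in).
SECTION_MARKERS = {
    "Global Option": "global",
    "Virtual Host/Server Option": "virtual_host",
}


def parse_touchfile_list(text: str) -> Tuple[Dict[str, List[str]], List[str]]:
    """Return ({block: [option lines]}, [warnings]) for a touchfile_list document.

    Option lines are kept verbatim (only surrounding whitespace is stripped). A warning is
    recorded for every option that follows a blank line within the same block, because the
    Administration Console paste step must not contain blank lines between options.
    """
    blocks: Dict[str, List[str]] = {"global": [], "virtual_host": []}
    warnings: List[str] = []
    current: Optional[str] = None
    blank_pending = False
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if line.startswith("#"):
            for marker, block in SECTION_MARKERS.items():
                if marker in line:
                    current = block
                    blank_pending = False  # a blank line before a section header is fine
            continue
        if not line:
            if current is not None and blocks[current]:
                blank_pending = True
            continue
        if current is None:
            warnings.append(f"line {lineno}: option before any section header: {line}")
            continue
        if blank_pending:
            warnings.append(f"line {lineno}: blank line between options in the {current} block")
        blocks[current].append(line)
        blank_pending = False
    return blocks, warnings


def paste_block(blocks: Dict[str, List[str]], name: str) -> str:
    """Return the exact text to paste into the Advanced Options field for one block."""
    return "\n".join(blocks[name])


if __name__ == "__main__":
    parsed, problems = parse_touchfile_list(SAMPLE_TOUCHFILE_LIST)
    print("Access Gateways > Edit > Advanced Options:")
    print(paste_block(parsed, "global"))
    print("Reverse Proxy > Proxy Service > Advanced Options:")
    print(paste_block(parsed, "virtual_host"))
    for problem in problems:
        print("WARNING:", problem)
```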

Reusing an Existing IP Address

The 3.1 SP4 or 3.1 SP5 Access Gateway Appliance Is the Only Component on the Server

Workflow:

  1. Back up any files that you have customized and note down the IP address and host name of the 3.1 SP4 or 3.1 SP5 Access Gateway Appliance.

  2. Shut down the 3.1 SP4 or 3.1 SP5 Access Gateway Appliance.

  3. Install the Access Gateway Appliance with the IP address and host name noted in Step 1.

  4. Restore any customized files from the backup taken earlier.

The SSL VPN and 3.1 SP4 or 3.1 SP5 Access Gateway Appliance Are on the Same Server

Workflow:

  1. Back up any files that you have customized and note down the IP address and host name of 3.1 SP4 or 3.1 SP5 Access Gateway Appliance.

  2. Shut down the 3.1 SP4 or 3.1 SP5 Access Gateway Appliance.

  3. Install the Access Gateway Appliance with the IP address and host name noted in Step 1.

  4. Select the Install and Enable SSL VPN service check box in the Appliance configuration page.

  5. Restore any customized files from the backup taken earlier.

Using a New IP Address

The SSL VPN and 3.1 SP4 or 3.1 SP5 Access Gateway Appliance Are on the Same Server

Workflow:

  1. Back up any files that you have customized.

  2. Mount the Access Gateway Appliance ISO. Start the installation.

  3. Select the Install and Enable SSL VPN service check box in the Appliance configuration page.

  4. Click Access Gateway > Edit > Service.

  5. Click the SSL VPN Web server address and change the connection ports to 3080 and 3443 for http and https respectively.

  6. Restore the customized files.

  7. Add the SSL VPN server to the existing SSL VPN cluster to get the configuration.

Migration Process

Migrating the 3.1 SP4 or 3.1 SP5 Access Gateway Appliance to the 4.0 Access Gateway Appliance does not disrupt the existing setup. You can add new Access Gateway Appliance nodes to the existing 3.1 SP4 or 3.1 SP5 Access Gateway Appliance cluster; the two versions can coexist.

If you are using a different server with a different IP address, see Use case scenario 1; if you are reusing the same IP address, see Use case scenario 2.

Use case scenario 1:

This scenario assumes that you have a new 64-bit server on which to install the 4.0 Access Gateway Appliance and explains how to migrate from 3.1 SP4 or 3.1 SP5 by using a different IP address.

Consider that the setup includes the following components:

  • Administration Console (AC 1)

  • Identity Server cluster (IDP 1 and IDP2)

  • 3.1 SP4 or 3.1 SP5 Access Gateway Appliance cluster (LAG 1 and LAG 2).

Migration Process

  1. Determine which server in the 3.1 SP4 or 3.1 SP5 Access Gateway cluster is the primary server.

    1. Log in to the Administration Console.

    2. Click Devices > Access Gateways > Select the device.

      The list of servers is displayed. The primary server is indicated by a red mark beside its IP address.

  2. Install the Access Gateway Appliance (AG 1). For more information, see Installing the Access Gateway Appliance in the NetIQ Access Manager 4.0 SP2 Installation Guide. While installing the Access Gateway Appliance, specify the Administration Console's (AC 1) IP address, user name and password in the Administration Console Configuration field on the Appliance Configuration page.

  3. Add the newly installed Access Gateway Appliance to the 3.1 SP4 or 3.1 SP5 Access Gateway Appliance cluster. For more information, see Managing Access Gateways.

  4. By default, all proxy services of devices newly added to the cluster listen on the same IP address and port. To configure each reverse proxy service to a specific IP address and port, follow the steps below.

    1. Configure a primary IP Address in YaST for the remaining interfaces.

      1. Go to YaST > Network Devices > Network Settings > Overview.

      2. Select the network card and click Edit.

      3. Specify the IP address.

        Repeat the steps for all the interfaces.

    2. Click Devices > Access Gateways > Select the device > New IP > click OK.

    3. Add the secondary IP address if applicable to the interfaces from Network Settings > Adapter List.

    4. Configure the DNS from Network Settings > DNS.

    5. Add the Host entries (if any) from Network Settings > Hosts.

    6. Set up the routing (if any) from Network Settings > Gateways.

    7. Under Services, click on Reverse Proxy/Authentication. In the Reverse Proxy List, click the proxy service name. Select the newly added cluster member and select the listening IP address for that service.

      (Optional) If you want to specify the outbound connection to the Web server, click Web Servers, then click TCP Connect Options. Select the Cluster Member and select the IP address from the drop-down list against Make Outbound Connection Using if you want to select the outbound IP address to communicate with the Web server.

      For more information about configuring the network settings, see Configuring Network Settings in the NetIQ Access Manager 4.0 SP1 Access Gateway Guide.

    8. Restore any customized files backed up earlier as part of Prerequisites for the Access Gateway Appliance Migration.

      Copy the content of the following files to the corresponding file in the new location.

      Table 2-2 Restoring Files during 4.0 Access Gateway Appliance Migration - Scenario 1

      Old File Location -> New File Location

      /var/opt/novell/tomcat5/conf/web.xml -> /opt/novell/nam/mag/conf/web.xml
      /var/opt/novell/tomcat5/webapps/nesp/WEB-INF/web.xml -> /opt/novell/nam/mag/webapps/nesp/WEB-INF/web.xml
      /var/opt/novell/tomcat5/webapps/nesp/jsp -> /opt/novell/nam/mag/webapps/nesp/jsp
      /var/opt/novell/tomcat5/webapps/nesp/html -> /opt/novell/nam/mag/webapps/nesp/html
      /var/opt/novell/tomcat5/webapps/nesp/images -> /opt/novell/nam/mag/webapps/nesp/images
      /var/novell/errorpagesconfig/current/ (contains error messages and error pages configuration) -> /opt/novell/nam/mag/webapps/agm/WEB-INF/config/current
      /var/opt/novell/tomcat5/webapps/nesp/config -> /opt/novell/nam/mag/webapps/nesp/config
      /chroot/lag/opt/novell/bin/preapply.sh -> /opt/novell/devman/jcc/scripts/presysconfig.sh
      /chroot/lag/opt/novell/bin/postapply.sh -> /opt/novell/devman/jcc/scripts/postsysconfig.sh

      NOTE: The names of the preapply.sh and postapply.sh files are different in the 4.0 environment. To restore these files, open each file and copy and paste its entire content into the corresponding file in the 4.0 environment. Refer to Table 2-2 for the file locations.

      server.xml: If you have modified any elements or attributes in the 3.1 SP4 or 3.1 SP5 environment, the corresponding changes will need to be applied to the 4.0 /opt/novell/nam/mag/conf/server.xml file.

      Typical changes done to the server.xml in 3.1 SP4 or 3.1 SP5 include modifying the 'address=' attribute to restrict the IP address the application will listen on, or the 'maxThreads=' attribute to modify the number of threads.

      In the following example, 3.1 SP4 or 3.1 SP5 has a customized maxThreads value.

      <Connector port="9009" enableLookups="false" redirectPort="8443" protocol="AJP/1.3" address="127.0.0.1" minSpareThreads="25" maxThreads="300" backlog="0" connectionTimeout="20000" ... />

      Make a note of the customizations and copy and paste the changed values into the 4.0 server.xml file.

    9. If you have customized the error pages for branding purposes, you will need to redo the changes in the 4.0 setup. For details on modifying messages and customizing pages, see Customizing the Error Pages. The customized error messages can be restored by copying over the files as indicated in Table 2-2.

    10. In the Administration Console, copy and paste the content of the previously referenced touchfile_list output file under the following:

      • Global Option files to Access Gateways > Edit > Advanced Options.

        Example of Global Options in the touchfile_list file:

        # Global Option example
        NAGGlobalOptions InPlaceSilent=on

      • Virtual Host/Server Option files to Servers > Configuration > Reverse Proxy > Proxy Service > Advanced Options.

        Example of Virtual Host/Server Options in the touchfile_list file:

        # Virtual Host/Server Option
        NAGGlobalOptions DebugHeaders=on

      • Files under the Administration Console are already available in the Access Gateway Appliance.

        NOTE: Ensure that you do not have blank lines between each advanced option, and do not alter the content of touchfile_list.

        For information about the migration utility files lag2mag_touchfiles.csv and migrate_touchfiles.sh, see Utility Scripts.

  5. Test the Access Gateway Appliance functionality by accessing Access Gateway protected resources and making sure that the pages are rendered successfully.

  6. Specify AG 1 as the primary server and click Update. For more information, see Changing the Primary Cluster Server.

  7. Remove 3.1 SP4 or 3.1 SP5 Access Gateway Appliance (LAG 1) from the cluster. For more information, see Viewing and Modifying Gateway Settings.

  8. Install 4.0 Access Gateway Appliance (AG 2) as in Step 2 and add it to the 3.1 SP4 or 3.1 SP5 Access Gateway Appliance cluster as in Step 3.

  9. After you confirm that all the services are up and running, remove LAG 2 from the cluster.

  10. Remove 3.1 SP4 or 3.1 SP5 Access Gateway Appliance (LAG 2) from the cluster as in Step 7.

  11. Click OK and Update all.

  12. Repeat Step 2 to Step 8 (except step 4j) until you have completely migrated all the existing 3.1 SP4 or 3.1 SP5 Access Gateway Appliances to 4.0 Access Gateway Appliances.

    After installing the Access Gateway Appliance, delete all the 3.1 SP4 or 3.1 SP5 Access Gateway Appliances from the Administration Console.

  13. On the newly added Access Gateway server, restart Tomcat by using the /etc/init.d/novell-mag restart or rcnovell-mag restart command.

Use case scenario 2:

This scenario assumes that you have a new or existing 64-bit server on which to install the 4.0 Access Gateway Appliance and explains how to migrate from 3.1 SP4 or 3.1 SP5 by using the existing IP address.

Consider that the setup includes the following components:

  • Administration Console (AC 1)

  • Identity Server cluster (IDP 1 and IDP 2)

  • 3.1 SP4 or 3.1 SP5 Access Gateway Appliance cluster (LAG 1 and LAG 2)

Migration Process

  1. If you have a new 64-bit server on which to install the 4.0 Access Gateway Appliance, ensure that you do the following:

    1. Shut down LAG 2.

    2. Have the same number of Network Interface Cards as on LAG 2 and then proceed to step 2.

      If you are reusing the existing LAG hardware, proceed to step 2.

  2. Install the Access Gateway Appliance (AG 2) with the same IP address as the 3.1 SP4 or 3.1 SP5 Access Gateway Appliance (LAG 2). After the installation is complete, it takes some time to sync up the configuration. Ensure that you do not modify any configuration during this time.

    When the configuration is synced up, the health status of the Access Gateway Appliance and of all the cluster members turns green.

  3. Test the Access Gateway Appliance functionality by accessing Access Gateway protected resources and making sure pages are rendered successfully.

  4. If you have customized the error pages for branding purposes, you will need to redo the changes in the 4.0 setup. For details on modifying messages and customizing pages, see Customizing the Error Pages. The customized error messages can be restored by copying over the files as indicated in Table 2-3.

  5. In the Administration Console, copy and paste the content of the previously referenced touchfile_list output file under the following:

    • Global Option files to Access Gateways > Edit > Advanced Options.

      Example of Global Options in the touchfile_list file:

      # Global Option example
      NAGGlobalOptions InPlaceSilent=on

    • Virtual Host/Server Option files to Servers > Configuration > Reverse Proxy > Proxy Service > Advanced Options.

      Example of Virtual Host/Server Options in the touchfile_list file:

      # Virtual Host/Server Option
      NAGGlobalOptions DebugHeaders=on

    • Files under the Administration Console are already available in the Access Gateway Appliance.

    NOTE: Ensure that you do not have blank lines between each advanced option, and do not alter the content of the touchfile_list file.

    For information about the migration utility files lag2mag_touchfiles.csv and migrate_touchfiles.sh, see Utility Scripts.

  6. Click OK and Update.

  7. Restore any customized files backed up earlier as part of Prerequisites for the Access Gateway Appliance Migration.

    Copy the content of the following files to the corresponding file in the new location.

    Table 2-3 Restoring Files during 4.0 Access Gateway Appliance Migration - Scenario 2

    Old File Location -> New File Location

    /var/opt/novell/tomcat5/conf/web.xml -> /opt/novell/nam/mag/conf/web.xml
    /var/opt/novell/tomcat5/webapps/nesp/WEB-INF/web.xml -> /opt/novell/nam/mag/webapps/nesp/WEB-INF/web.xml
    /var/opt/novell/tomcat5/webapps/nesp/jsp -> /opt/novell/nam/mag/webapps/nesp/jsp
    /var/opt/novell/tomcat5/webapps/nesp/html -> /opt/novell/nam/mag/webapps/nesp/html
    /var/opt/novell/tomcat5/webapps/nesp/images -> /opt/novell/nam/mag/webapps/nesp/images
    /var/novell/errorpagesconfig/current/ (contains error messages and error pages configuration) -> /opt/novell/nam/mag/webapps/agm/WEB-INF/config/current
    /var/opt/novell/tomcat5/webapps/nesp/config -> /opt/novell/nam/mag/webapps/nesp/config
    /chroot/lag/opt/novell/bin/preapply.sh -> /opt/novell/devman/jcc/scripts/presysconfig.sh
    /chroot/lag/opt/novell/bin/postapply.sh -> /opt/novell/devman/jcc/scripts/postsysconfig.sh

    NOTE: The names of the preapply.sh and postapply.sh files are different in the 4.0 environment. To restore these files, open each file and copy and paste its entire content into the corresponding file in the 4.0 environment. Refer to Table 2-2 for the file locations.

    server.xml: If you have modified any elements or attributes in the 3.1 SP4 or 3.1 SP5 environment, the corresponding changes will need to be applied to the 4.0 /opt/novell/nam/mag/conf/server.xml file.

    Typical changes done to the server.xml in 3.1 SP4 or 3.1 SP5 include modifying the 'address=' attribute to restrict the IP address the application will listen on, or the 'maxThreads=' attribute to modify the number of threads.

    In the following example, 3.1 SP4 or 3.1 SP5 has a customized maxThreads value.

    <Connector port="9029" enableLookups="false" protocol="AJP/1.3" address="127.0.0.1" minSpareThreads="25" maxThreads="300" backlog="0" connectionTimeout="20000" ... />

    Make a note of the customizations and copy and paste the changed values into the 4.0 server.xml file.

  8. Repeat Step 1 through Step 6 except step 5 until you have completely migrated all the existing 3.1 SP4 or 3.1 SP5 Access Gateway Appliance to 4.0 Access Gateway Appliance.

  9. On the newly added Access Gateway server, restart Tomcat by using the /etc/init.d/novell-mag restart or rcnovell-mag restart command.

NOTE: The Advanced Options from the Administration Console are available only for the Access Gateway Appliance. For the 3.1 SP4 or 3.1 SP5 Access Gateway Appliance, you should have touch files configured.

2.1.4 Migrating SSL VPN

Prerequisites for the SSL VPN Migration

In addition to the following prerequisites, ensure that you also meet the hardware and software requirements for SSL VPN. For details, see SSL VPN Installation Requirements in the NetIQ Access Manager 4.0 SP2 Installation Guide.

  • The high-bandwidth RPM is installed on the SSL VPN for clustering.

    For more information about how to install the high-bandwidth RPM, see Installing the Key for High-Bandwidth SSL VPN in the NetIQ Access Manager 4.0 SP2 Installation Guide.

  • If you are reusing the same server for migrating the SSL VPN cluster, manually uninstall the high bandwidth RPM before migration. You must then reinstall it after migration.

    For more information about how to uninstall the high-bandwidth RPM, see Uninstalling the RPM Key for High Bandwidth SSL VPN in the NetIQ Access Manager 4.0 SP2 Installation Guide.

  • If the services are managed by an L4 switch, remove the device that you are migrating from the L4 switch. Add the device back to the L4 switch once the migration is done successfully. This is required so that no user requests are sent by the L4 switch to the device during migration.

  • You have physical access to the server or server console (in case of VMWare setups) as a root user and are familiar with firewall configurations. The required ports also must be opened in the firewall. For more information on the ports, see Section 1.1.4, Port Details.

  • Determine if you want to reuse an existing IP address or use a new IP address for the migration process.

  • If you have customized any files, back them up using the migrate_backup.sh script. This script is located in the novell-access-manager folder in the AM_AccessManagerService_Linux64.tar.gz file. Copy this script to the 3.1 SP4 or 3.1 SP5 machine and run it to take the backup. It is important to take the backup regardless of whether you are reusing the same server or using a new server.

    This script backs up the following files:

    • /var/opt/novell/tomcat5/conf/server.xml

    • /var/opt/novell/tomcat5/conf/tomcat5.conf

    • /var/opt/novell/tomcat5/webapps/sslvpn/WEB-INF/web.xml

    • /var/opt/novell/tomcat5/webapps/sslvpn/WEB-INF/conf

    • /var/opt/novell/tomcat5/webapps/sslvpn/*.jsp

    • /var/opt/novell/tomcat5/webapps/sslvpn/pages*

    • /var/opt/novell/tomcat5/webapps/sslvpn/jsp

    • /var/opt/novell/tomcat5/webapps/sslvpn/html

    • /var/opt/novell/tomcat5/webapps/sslvpn/images

    • /var/opt/novell/tomcat5/webapps/sslvpn/common

    • /var/opt/novell/tomcat5/webapps/sslvpn/SSLVPNClientHelp

    NOTE: This step is required in all the SSL VPN migration scenarios, even if you reuse the existing 64-bit compatible server.

Reusing an Existing IP Address

The SSL VPN and 3.1 SP4 or 3.1 SP5 Access Gateway Appliance Are on the Same Server

Workflow:

  1. Back up any files that you have customized.

  2. Mount the Access Gateway Appliance ISO. Start the installation.

  3. Provide the same host name as on the 3.1 SP4 or 3.1 SP5 Access Gateway Appliance.

  4. Select the Install and Enable SSL VPN service check box in the Appliance configuration page.

  5. Restore any customized files from the backup taken earlier.

The SSL VPN Is the Only Component on the Server

Workflow:

  1. Back up any customized files.

  2. Run the uninstall.sh script from the existing 3.1 SP4 or 3.1 SP5 Access Manager installation folder.

  3. Install SSL VPN.

  4. Restore any customized files from the backup taken earlier.

Using a New IP Address

The SSL VPN and 3.1 SP4 or 3.1 SP5 Access Gateway Appliance Are on the Same Server

Workflow:

  1. Back up any customized files.

  2. Mount the Access Gateway Appliance ISO and install the Access Gateway Appliance.

  3. Click Access Gateway > Edit > Service.

  4. From the Administration Console, click the SSL VPN Web server address and change the connection ports to 3080 and 3443 for http and https respectively.

  5. Restore the customized files.

  6. Add the SSL VPN server to the existing SSL VPN cluster.

The SSL VPN Is the Only Component on the Server

Workflow:

  1. Back up the customized files.

  2. Install SSL VPN.

  3. Add the 4.0 SSL VPN to the existing SSL VPN cluster in the Administration Console.

  4. Restore any customized files from the backup taken earlier.

The SSL VPN and Administration Console Are on the Same Server

Workflow:

  1. Back up the customized files.

  2. Migrate the Administration Console from 3.1 SP4 or 3.1 SP5 to 4.0.

  3. Migrate the Identity Server.

  4. Migrate SSL VPN.

  5. Restore backed up files.

The SSL VPN and Identity Server Are on the Same Server

Workflow:

  1. Back up the customized files.

  2. Stop the 3.1 SP4 or 3.1 SP5 Identity Server.

  3. Remove the 3.1 SP4 or 3.1 SP5 Identity server from the cluster.

  4. Delete the 3.1 SP4 or 3.1 SP5 Identity Server from the Identity Servers cluster.

  5. Uninstall the 3.1 SP4 or 3.1 SP5 Identity Server if you are going to use the current machine to install 4.0 Identity Server.

  6. Uninstall the 3.1 SP4 or 3.1 SP5 SSL VPN Server if you are going to use the current machine to install 4.0 SSL VPN Server.

    WARNING: Ensure that you uninstall the SSL VPN server rather than deleting the SSL VPN server object. Deleting the SSL VPN server instead of uninstalling it results in loss of settings.

  7. Use the NetIQ Access Manager 4.0 installer to install the 4.0 Identity Server on a 64-bit SLES 11 SP2 or SP3 operating system.

  8. Add the 4.0 Identity Server to the existing Identity Servers cluster in the Administration Console.

  9. Update the Identity Server and apply changes.

  10. Restore any customized files from the backup taken earlier.

  11. Install the SSL VPN by running the NetIQ Access Manager 4.0 installer on the same server.

  12. (Optional) For the ESP-enabled SSL VPN: When the Identity Server and ESP-enabled SSL VPN are migrated to the same server:

    1. Click Device > SSL VPN > Edit > Authentication Configuration.

    2. In the Embedded Service Provider Base URL field, change the ports to 3080 and 3443 for http and https respectively.

  13. (Optional) For the traditional SSL VPN: When the Identity Server and traditional SSL VPN are migrated to the same server:

    1. Click Access Gateway > Edit > Service.

    2. Click the SSL VPN Web server address and change the connection ports to 3080 and 3443 for http and https respectively.

      NOTE: From NetIQ Access Manager 3.2 onwards, SSL VPN is accessible on ports 3080 (http) and 3443 (https) when it is installed on the same server as the Identity Server.

Migration Process

IMPORTANT: Before you proceed with the steps for migration, ensure that you have followed the instructions in Prerequisites for the SSL VPN Migration.

Reusing an Existing Server

If the existing server supports the 64-bit installer, you can reuse the server to install the Access Manager SSL VPN 4.0.

  1. Continue with the steps for the related SSL VPN migration scenarios. For more information, see Reusing an Existing IP Address and Using a New IP Address.

  2. Restore any customized files from the backup taken earlier as part of steps in Prerequisites for the SSL VPN Migration.

    To restore the files, copy the content of the following files to the corresponding file in the new location.

    Old Location -> New Location

    /var/opt/novell/tomcat5/webapps/sslvpn/WEB-INF/web.xml -> /opt/novell/nam/sslvpn/webapps/sslvpn/WEB-INF/web.xml
    /var/opt/novell/tomcat5/webapps/sslvpn/WEB-INF/conf -> /opt/novell/nam/sslvpn/webapps/sslvpn/WEB-INF/conf
    /var/opt/novell/tomcat5/webapps/sslvpn/*.jsp -> /opt/novell/nam/sslvpn/webapps/sslvpn/*.jsp
    /var/opt/novell/tomcat5/webapps/sslvpn/pages* -> /opt/novell/nam/sslvpn/webapps/sslvpn/pages*
    /var/opt/novell/tomcat5/webapps/sslvpn/html -> /opt/novell/nam/sslvpn/webapps/sslvpn/html
    /var/opt/novell/tomcat5/webapps/sslvpn/images -> /opt/novell/nam/sslvpn/webapps/sslvpn/images
    /var/opt/novell/tomcat5/webapps/sslvpn/common -> /opt/novell/nam/sslvpn/webapps/sslvpn/common
    /var/opt/novell/tomcat5/webapps/sslvpn/SSLVPNClientHelp -> /opt/novell/nam/sslvpn/webapps/sslvpn/SSLVPNClientHelp

    server.xml: If you have modified any elements or attributes in the 3.1 SP4 or 3.1 SP5 environment, the corresponding changes will need to be applied to the 4.0 /opt/novell/nam/sslvpn/conf/server.xml file.

    Typical changes done to the server.xml in 3.1 SP4 or 3.1 SP5 include modifying the 'address=' attribute to restrict the IP address the application will listen on, or the 'maxThreads=' attribute to modify the number of threads.

    In the following example, the source 3.1 SP4 server has a customized maxThreads value.

    <Connector port="9029" enableLookups="false" protocol="AJP/1.3" address="127.0.0.1" minSpareThreads="25" maxThreads="300" backlog="0" connectionTimeout="20000" ... />

    Make a note of the customizations and copy and paste the changed values into the 4.0 server.xml file.

    tomcat5.conf: Copy any elements or attributes that you have customized in the 3.1 SP4 or 3.1 SP5 tomcat5.conf file to the 4.0 tomcat7.conf file.

    For example, if you have included the environment variable in the 3.1 SP4 or 3.1 SP5 tomcat5.conf file to increase the heap size by using -Xmx/Xms/Xss settings, the variables should be copied to the 4.0 /opt/novell/nam/idp/conf/tomcat7.conf file.

  3. Add the newly installed SSL VPN device to the existing SSL VPN cluster if you are not reusing the existing IP address.

    For more information, see Clustering SSL VPN Servers in the NetIQ Access Manager 4.0 Setup Guide.

    The cluster object stores all the existing SSL VPN configurations. The newly added SSL VPN servers inherit these configurations.

  4. Repeat Step 2 until all the 3.1 SP4 or 3.1 SP5 SSL VPN Servers are replaced with 4.0 SSL VPN servers.

  5. On the newly added SSL VPN servers, restart Tomcat by using the /etc/init.d/novell-sslvpn restart or rcnovell-sslvpn restart command.
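The server.xml steps for the Identity Server, the Access Gateway Appliance and the SSL VPN above all ask you to find the attributes you customized on a 3.1 SP4 or 3.1 SP5 connector and carry them into the 4.0 file. The script below is an added example (not a NetIQ tool) that does that comparison mechanically: it matches each <Connector> by port, lists every 3.1 attribute whose value differs from or is missing in the 4.0 file, and flags suites in a ciphers= list that use deprecated primitives so they are reviewed rather than copied blindly. The two embedded server.xml documents are constructed, abridged samples, not real product files.

```python
"""Compare <Connector> attributes between a 3.1 SP4/SP5 server.xml and a 4.0 server.xml.

Added example for the server.xml migration steps on this page; it is not a NetIQ tool.
Connectors are matched by their port attribute; every attribute set on the 3.1 connector
whose value differs from (or is absent in) the 4.0 connector is reported, so nothing
customized is silently lost. Cipher lists are also scanned for suites built on
deprecated primitives before they are copied across.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Tuple

# Constructed, abridged sample of a customized 3.1 SP4/SP5 server.xml (not a real file).
OLD_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector NIDP_Name="connector" port="8443" address="" scheme="https"
               secure="true" maxThreads="300"
               ciphers="SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA"/>
    <Connector port="9009" enableLookups="false" protocol="AJP/1.3"
               address="127.0.0.1" minSpareThreads="25" maxThreads="300"
               backlog="0" connectionTimeout="20000"/>
  </Service>
</Server>
"""

# Constructed, abridged sample of a freshly installed 4.0 server.xml with default values.
NEW_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector NIDP_Name="connector" port="8443" address="" scheme="https"
               secure="true" maxThreads="200"
               ciphers="TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA"/>
    <Connector port="9009" enableLookups="false" protocol="AJP/1.3"
               address="127.0.0.1" minSpareThreads="25" maxThreads="200"
               backlog="0" connectionTimeout="20000"/>
  </Service>
</Server>
"""

# Substrings identifying suites that use RC4, MD5, (3)DES, NULL, export-grade or anonymous key exchange.
WEAK_CIPHER_MARKERS = ("RC4", "MD5", "DES", "NULL", "EXPORT", "anon")


def connectors(xml_text: str) -> Dict[str, Dict[str, str]]:
    """Return {port: {attribute: value}} for every <Connector> in a server.xml document."""
    root = ET.fromstring(xml_text)
    found: Dict[str, Dict[str, str]] = {}
    for conn in root.iter("Connector"):
        port = conn.get("port")
        if port is not None:
            found[port] = dict(conn.attrib)
    return found


def diff_connectors(old_xml: str, new_xml: str) -> List[Tuple[str, str, str, Optional[str]]]:
    """List (port, attribute, old_value, new_value) for each customized attribute to port.

    new_value is None when the 4.0 file lacks the attribute; a connector with no
    counterpart in 4.0 is reported once with attribute "<connector>".
    """
    old, new = connectors(old_xml), connectors(new_xml)
    changes: List[Tuple[str, str, str, Optional[str]]] = []
    for port, old_attrs in old.items():
        new_attrs = new.get(port)
        if new_attrs is None:
            changes.append((port, "<connector>", "present", None))
            continue
        for name, old_val in sorted(old_attrs.items()):
            new_val = new_attrs.get(name)
            if new_val != old_val:
                changes.append((port, name, old_val, new_val))
    return changes


def weak_ciphers(cipher_attr: str) -> List[str]:
    """Return the suites in a Tomcat ciphers= list that rely on deprecated primitives."""
    suites = [s.strip() for s in cipher_attr.split(",") if s.strip()]
    return [s for s in suites if any(marker in s for marker in WEAK_CIPHER_MARKERS)]


if __name__ == "__main__":
    for port, name, old_val, new_val in diff_connectors(OLD_SERVER_XML, NEW_SERVER_XML):
        print(f"port {port}: {name}: 3.1 value {old_val!r} -> 4.0 value {new_val!r}")
    old_ciphers = connectors(OLD_SERVER_XML)["8443"].get("ciphers", "")
    for suite in weak_ciphers(old_ciphers):
        print(f"review before copying: {suite}")
```

Run it against the backed-up 3.1 file and the freshly installed 4.0 file by loading their contents in place of the two sample strings; the report is the list of values to port.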

Migrating ESP-enabled SSL VPN or Traditional SSL VPN Server

You can migrate the ESP-enabled SSL VPN or traditional SSL VPN server in the following cases:

  • SSL VPN server is installed independently.

  • SSL VPN server is installed with the Administration Console.

  • SSL VPN is installed with the Identity Server.

Migrating ESP-enabled SSL VPN or traditional SSL VPN when SSL VPN is installed independently:

IMPORTANT: Before you proceed with the steps for migration, ensure that you have followed the instructions in Prerequisites for the SSL VPN Migration.

  1. If the operating system is 64-bit SLES 11 SP2 or SP3, uninstall version 3.1 SP4 or 3.1 SP5 and install the version 4.0 SSL VPN Server. Continue with Step 8.

  2. Perform a new installation of the 64-bit SLES 11 SP2 or SP3 operating system. For more information, see SLES 11 Installation Quick Start.

  3. Ensure the following packages are installed:

    • perl-gettext, gettext-runtime: The required library and tools to create and maintain message catalogs.

    • python: The Python library.

    • compat: Libraries to address compatibility issues. On SLES 11 SP2 or SP3 platform, the compat-32bit package is available in the SLES11-Extras repository. For information on enabling this repository, see TID 7004701.

    1. Use YaST to install the packages that have not yet been installed.

    2. Use the rpm -qa | grep <package name> command to verify the installation.

      Replace <package name> with the name of the package you want to verify. For example:

      rpm -qa | grep compat

  4. Ensure you have downloaded the software or you have the CD available.

  5. Do one of the following:

    • Insert the CD into the drive and navigate to the device. Enter the following:

      cd /media

      Browse to your CD-ROM drive.

    • If you have downloaded the AM_32_AccessManagerService_Linux.tar.gz file, unpack the file using the tar -xzvf AM_32_AccessManagerService_Linux.tar.gz command.

  6. Browse to the novell-access-manager directory. All the files are extracted to the novell-access-manager folder.

  7. Run the install.sh script from the novell-access-manager folder on the 64-bit SLES 11 SP2 or SP3 server and choose the option to install the ESP-enabled SSL VPN or traditional SSL VPN.

  8. Review and accept the License Agreement.

  9. If the SSL VPN machine has been configured with multiple IP addresses, select an IP address for the SSL VPN server at the prompt.

  10. Specify the name of the administrator for the Administration Console.

  11. Specify and confirm the administration password.

    Wait while the SSL VPN server is installed on your system and imported into the Administration Console.

  12. The installation ends with the following message: Installation complete.

  13. If you are using the existing IP address, the device appears in the existing cluster. If it is installed with a new IP address, a new device appears under SSL VPN in the Administration Console.

  14. If the existing IP address is used, wait until the health status of the device turns green. If it is installed with a new IP address and is ESP-enabled, the health status is yellow.

  15. If you are installing with a new IP address, add the device to the existing cluster and update the cluster.

  16. If export law permits and you want to install the high bandwidth version of SSL VPN, see Installing the Key for the High-Bandwidth SSL VPN.

  17. Check the SSL VPN functionality, then repeat Step 1 to Step 17 (except Step 16) for the other devices in the cluster.

  18. Restore any customized files from the backup taken earlier as part of steps in Prerequisites for the SSL VPN Migration.

    To restore the files, copy the content of the following files to the corresponding file in the new location.

    Old Location                                               New Location
    /var/opt/novell/tomcat5/webapps/sslvpn/WEB-INF/web.xml     /opt/novell/nam/sslvpn/webapps/sslvpn/WEB-INF/web.xml
    /var/opt/novell/tomcat5/webapps/sslvpn/WEB-INF/conf        /opt/novell/nam/sslvpn/webapps/sslvpn/WEB-INF/conf
    /var/opt/novell/tomcat5/webapps/sslvpn/*.jsp               /opt/novell/nam/sslvpn/webapps/sslvpn/*.jsp
    /var/opt/novell/tomcat5/webapps/sslvpn/pages*              /opt/novell/nam/sslvpn/webapps/sslvpn/pages*
    /var/opt/novell/tomcat5/webapps/sslvpn/html                /opt/novell/nam/sslvpn/webapps/sslvpn/html
    /var/opt/novell/tomcat5/webapps/sslvpn/images              /opt/novell/nam/sslvpn/webapps/sslvpn/images
    /var/opt/novell/tomcat5/webapps/sslvpn/common              /opt/novell/nam/sslvpn/webapps/sslvpn/common
    /var/opt/novell/tomcat5/webapps/sslvpn/SSLVPNClientHelp    /opt/novell/nam/sslvpn/webapps/sslvpn/SSLVPNClientHelp

    server.xml: If you modified any elements or attributes in the 3.1 SP4 or 3.1 SP5 server.xml, apply the corresponding changes to the 4.0 /opt/novell/nam/sslvpn/conf/server.xml file.

    Typical changes made to server.xml in 3.1 SP4 or 3.1 SP5 include setting the 'address=' attribute to restrict the IP address a connector listens on, or changing the 'maxThreads=' attribute to adjust the number of threads. A connector with no address attribute listens on all local interfaces, so make sure a loopback binding that existed in 3.1 is carried over.

    In the following example, the 3.1 SP4 server has a customized maxThreads value:

    <Connector port="9029" enableLookups="false" protocol="AJP/1.3" address="127.0.0.1" minSpareThreads="25" maxThreads="300" backlog="0" connectionTimeout="20000" ... />

    Note the customizations and copy the changed values into the 4.0 server.xml file; do not replace the whole file.

    tomcat5.conf: Copy any settings that you customized in the 3.1 SP4 or 3.1 SP5 tomcat5.conf file to the 4.0 tomcat7.conf file.

    For example, if you added JVM options to the 3.1 SP4 tomcat5.conf file to change the heap or stack size with -Xmx, -Xms, or -Xss, copy those settings to the 4.0 /opt/novell/nam/idp/conf/tomcat7.conf file.

Traditional SSL VPN server installed with 3.1 SP4 or 3.1 SP5 Access Gateway Appliance

IMPORTANT: Before you proceed with the migration steps, ensure that you have followed the instructions in Prerequisites for the SSL VPN Migration.

  1. Follow the steps to migrate from the 3.1 SP4 or 3.1 SP5 Access Gateway Appliance to the 4.0 Access Gateway Appliance. For more information, see Section 2.1.3, Migrating 3.1 SP4 or 3.1 SP5 Access Gateway Appliance to 4.0 Access Gateway Appliance.

  2. Start the installation and in the Appliance configuration screen, select the Install and enable SSL VPN Service check box.

  3. If you have used the existing IP address, the existing SSL VPN server within the cluster is migrated to Access Manager 4.0. If it is installed with a new IP address, a new SSL VPN server appears in the Administration Console.

  4. The import/re-import process will take some time. Wait until the Access Gateway Appliance and the SSL VPN health status becomes green.

  5. If the server is not part of the SSL VPN cluster, add it to the existing cluster and update the cluster.

  6. Repeat the steps for the other devices in the cluster.

  7. If export law permits and you want to install the high bandwidth version of SSL VPN, see Installing the Key for the High-Bandwidth SSL VPN.

  8. Restore any customized files from the backup taken earlier as part of steps in Prerequisites for the SSL VPN Migration.

    To restore the files, copy the content of the following files to the corresponding file in the new location.

    Old Location                                               New Location
    /var/opt/novell/tomcat5/webapps/sslvpn/WEB-INF/web.xml     /opt/novell/nam/sslvpn/webapps/sslvpn/WEB-INF/web.xml
    /var/opt/novell/tomcat5/webapps/sslvpn/WEB-INF/conf        /opt/novell/nam/sslvpn/webapps/sslvpn/WEB-INF/conf
    /var/opt/novell/tomcat5/webapps/sslvpn/*.jsp               /opt/novell/nam/sslvpn/webapps/sslvpn/*.jsp
    /var/opt/novell/tomcat5/webapps/sslvpn/pages*              /opt/novell/nam/sslvpn/webapps/sslvpn/pages*
    /var/opt/novell/tomcat5/webapps/sslvpn/html                /opt/novell/nam/sslvpn/webapps/sslvpn/html
    /var/opt/novell/tomcat5/webapps/sslvpn/images              /opt/novell/nam/sslvpn/webapps/sslvpn/images
    /var/opt/novell/tomcat5/webapps/sslvpn/common              /opt/novell/nam/sslvpn/webapps/sslvpn/common
    /var/opt/novell/tomcat5/webapps/sslvpn/SSLVPNClientHelp    /opt/novell/nam/sslvpn/webapps/sslvpn/SSLVPNClientHelp
    /chroot/lag/opt/novell/bin/preapply.sh                     /opt/novell/devman/jcc/scripts/presysconfig.sh
    /chroot/lag/opt/novell/bin/postapply.sh                    /opt/novell/devman/jcc/scripts/postsysconfig.sh

    server.xml: If you modified any elements or attributes in the 3.1 SP4 or 3.1 SP5 server.xml, apply the corresponding changes to the 4.0 /opt/novell/nam/sslvpn/conf/server.xml file.

    Typical changes made to server.xml in 3.1 SP4 or 3.1 SP5 include setting the 'address=' attribute to restrict the IP address a connector listens on, or changing the 'maxThreads=' attribute to adjust the number of threads. A connector with no address attribute listens on all local interfaces, so make sure a loopback binding that existed in 3.1 is carried over.

    In the following example, the 3.1 SP4 server has a customized maxThreads value:

    <Connector port="9029" enableLookups="false" protocol="AJP/1.3" address="127.0.0.1" minSpareThreads="25" maxThreads="300" backlog="0" connectionTimeout="20000" ... />

    Note the customizations and copy the changed values into the 4.0 server.xml file; do not replace the whole file.

    tomcat5.conf: Copy any settings that you customized in the 3.1 SP4 or 3.1 SP5 tomcat5.conf file to the 4.0 tomcat7.conf file.

    For example, if you added JVM options to the 3.1 SP4 tomcat5.conf file to change the heap or stack size with -Xmx, -Xms, or -Xss, copy those settings to the 4.0 /opt/novell/nam/idp/conf/tomcat7.conf file.
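The restore tables in both procedures above (the standalone SSL VPN server and the server installed with the Access Gateway Appliance) list the same old-to-new path pairs, plus two appliance-only script rows. The following script is an added example, not NetIQ tooling, that applies those rows mechanically. It assumes the backup taken in the prerequisites is available as a directory tree under OLD_ROOT that mirrors the original paths (for instance a mounted copy of the old filesystem) and that the 4.0 installation is under NEW_ROOT ("/" on the live server); the sample file contents in demo() and the /mnt/backup path in the usage line are constructed for illustration.

```python
"""Restore SSL VPN customizations from a 3.1 SP4/SP5 backup into a 4.0 tree.

Added example; not NetIQ tooling. OLD_ROOT is a directory that mirrors the
3.1 filesystem layout (the backup), NEW_ROOT is the root of the 4.0 server.
"""
import glob
import os
import shutil
import tempfile

# Path pairs from the migration table (same rows for both procedures).
COMMON_MAP = [
    ("/var/opt/novell/tomcat5/webapps/sslvpn/WEB-INF/web.xml",
     "/opt/novell/nam/sslvpn/webapps/sslvpn/WEB-INF/web.xml"),
    ("/var/opt/novell/tomcat5/webapps/sslvpn/WEB-INF/conf",
     "/opt/novell/nam/sslvpn/webapps/sslvpn/WEB-INF/conf"),
    ("/var/opt/novell/tomcat5/webapps/sslvpn/*.jsp",
     "/opt/novell/nam/sslvpn/webapps/sslvpn/*.jsp"),
    ("/var/opt/novell/tomcat5/webapps/sslvpn/pages*",
     "/opt/novell/nam/sslvpn/webapps/sslvpn/pages*"),
    ("/var/opt/novell/tomcat5/webapps/sslvpn/html",
     "/opt/novell/nam/sslvpn/webapps/sslvpn/html"),
    ("/var/opt/novell/tomcat5/webapps/sslvpn/images",
     "/opt/novell/nam/sslvpn/webapps/sslvpn/images"),
    ("/var/opt/novell/tomcat5/webapps/sslvpn/common",
     "/opt/novell/nam/sslvpn/webapps/sslvpn/common"),
    ("/var/opt/novell/tomcat5/webapps/sslvpn/SSLVPNClientHelp",
     "/opt/novell/nam/sslvpn/webapps/sslvpn/SSLVPNClientHelp"),
]
# Two extra rows that apply only when SSL VPN runs on the Access Gateway Appliance.
APPLIANCE_MAP = COMMON_MAP + [
    ("/chroot/lag/opt/novell/bin/preapply.sh",
     "/opt/novell/devman/jcc/scripts/presysconfig.sh"),
    ("/chroot/lag/opt/novell/bin/postapply.sh",
     "/opt/novell/devman/jcc/scripts/postsysconfig.sh"),
]


def restore_customizations(old_root, new_root, mapping=COMMON_MAP, dry_run=False):
    """Copy each customized file or directory from the backup into the 4.0 tree.

    A 4.0 file that gets replaced is first renamed to <name>.orig-4.0 so the
    stock version survives for diffing or rollback. Returns a list of
    (source, destination, action) tuples; action is "create", "replace" or
    "absent" (nothing to restore for that row).
    """
    actions = []
    for old_pat, new_pat in mapping:
        is_glob = any(ch in old_pat for ch in "*?[")
        sources = sorted(glob.glob(old_root + old_pat)) if is_glob else [old_root + old_pat]
        for src in sources:
            if not os.path.lexists(src):
                actions.append((src, None, "absent"))
                continue
            # Glob rows map name-for-name into the new directory; plain rows map 1:1.
            dst = (os.path.join(new_root + os.path.dirname(new_pat), os.path.basename(src))
                   if is_glob else new_root + new_pat)
            action = "replace" if os.path.lexists(dst) else "create"
            if not dry_run:
                if action == "replace":
                    keep = dst + ".orig-4.0"
                    if os.path.lexists(keep):      # keep only the first stock copy
                        shutil.rmtree(dst) if os.path.isdir(dst) else os.remove(dst)
                    else:
                        os.rename(dst, keep)
                os.makedirs(os.path.dirname(dst), exist_ok=True)
                if os.path.isdir(src):
                    shutil.copytree(src, dst, symlinks=True)
                else:
                    shutil.copy2(src, dst)
            actions.append((src, dst, action))
    return actions


def demo():
    """Run the restore on a small constructed backup/target pair in a temp dir."""
    base = tempfile.mkdtemp()
    old_app = base + "/backup/var/opt/novell/tomcat5/webapps/sslvpn"
    new_app = base + "/target/opt/novell/nam/sslvpn/webapps/sslvpn"
    os.makedirs(old_app + "/WEB-INF/conf")
    os.makedirs(old_app + "/html")
    os.makedirs(new_app + "/WEB-INF")
    samples = {                                   # constructed sample content
        old_app + "/WEB-INF/web.xml": "<web-app>3.1 custom</web-app>",
        old_app + "/WEB-INF/conf/branding.properties": "title=Example",
        old_app + "/login.jsp": "<%-- custom login page --%>",
        old_app + "/html/index.html": "<h1>custom</h1>",
        new_app + "/WEB-INF/web.xml": "<web-app>4.0 stock</web-app>",
    }
    for path, text in samples.items():
        with open(path, "w") as fh:
            fh.write(text)
    actions = restore_customizations(base + "/backup", base + "/target")
    with open(new_app + "/WEB-INF/web.xml") as fh:
        web_xml = fh.read()
    with open(new_app + "/WEB-INF/web.xml.orig-4.0") as fh:
        kept = fh.read()
    return {"actions": {a[2] for a in actions}, "web_xml": web_xml, "kept": kept,
            "jsp_restored": os.path.isfile(new_app + "/login.jsp")}


if __name__ == "__main__":
    # Hypothetical usage: preview what would change on the live 4.0 server.
    for src, dst, action in restore_customizations("/mnt/backup", "/", dry_run=True):
        print(f"{action:8} {src} -> {dst}")
```

Run it with dry_run=True first and read the "replace" rows: a wholesale copy of the 3.1 web.xml over the 4.0 one also carries over anything the old file lacks for 4.0, so for web.xml in particular diff the restored file against the saved .orig-4.0 copy and merge by hand rather than trusting the overwrite.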
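The server.xml paragraphs in both procedures above say to note your 3.1 Connector customizations and copy the changed values into the 4.0 file. The following script is an added example, not NetIQ tooling, that does the comparison for you: it reads both files, matches Connector elements by port, and reports every attribute whose 3.1 value is missing or different in 4.0, then lists the 4.0 connectors that have no address attribute. The two embedded server.xml documents are constructed samples built around the page's own 9029/AJP example; the 8443 HTTPS connector is added only to show that unchanged connectors are not reported.

```python
"""Find Connector attributes customized in a 3.1 server.xml that the 4.0 file lacks.

Added example; not NetIQ tooling. Assumes both files are ordinary Tomcat
server.xml documents and that a Connector is identified by its port.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the 3.1 AJP connector was pinned to loopback and given
# 300 threads; the stock 4.0 file has neither customization.
OLD_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="9029" enableLookups="false" protocol="AJP/1.3"
               address="127.0.0.1" minSpareThreads="25" maxThreads="300"
               backlog="0" connectionTimeout="20000"/>
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps"/>
    </Engine>
  </Service>
</Server>"""

NEW_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="9029" enableLookups="false" protocol="AJP/1.3"
               minSpareThreads="25" maxThreads="150" backlog="0"
               connectionTimeout="20000"/>
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps"/>
    </Engine>
  </Service>
</Server>"""


def connectors_by_port(xml_text):
    """Map each Connector's port to its attribute dictionary."""
    root = ET.fromstring(xml_text)
    return {c.get("port"): dict(c.attrib) for c in root.iter("Connector")}


def connector_diff(old_xml, new_xml):
    """Return {port: {attr: (old_value, new_value_or_None)}} for every 3.1
    attribute that is not present with the same value in the 4.0 file."""
    old, new = connectors_by_port(old_xml), connectors_by_port(new_xml)
    diff = {}
    for port, old_attrs in old.items():
        new_attrs = new.get(port)
        if new_attrs is None:                       # whole connector is gone in 4.0
            diff[port] = {"<connector>": ("present", None)}
            continue
        changed = {k: (v, new_attrs.get(k)) for k, v in old_attrs.items()
                   if new_attrs.get(k) != v}
        if changed:
            diff[port] = changed
    return diff


def exposed_listeners(xml_text):
    """Ports of connectors with no address attribute; Tomcat then binds them on
    every local interface, which is the wrong default for an internal AJP port."""
    return sorted(p for p, a in connectors_by_port(xml_text).items() if "address" not in a)


if __name__ == "__main__":
    # On a real server, read the two files instead of the embedded samples, e.g.
    # open("/backup/var/opt/novell/tomcat5/conf/server.xml").read() and
    # open("/opt/novell/nam/sslvpn/conf/server.xml").read() (paths assumed).
    for port, attrs in connector_diff(OLD_SERVER_XML, NEW_SERVER_XML).items():
        for name, (old_v, new_v) in attrs.items():
            print(f'port {port}: {name}: 3.1="{old_v}" 4.0="{new_v}"')
    print("4.0 connectors bound on all interfaces:", exposed_listeners(NEW_SERVER_XML))
```

The report is deliberately not applied automatically: a value such as maxThreads was tuned for the old Tomcat and should be judged against the 4.0 defaults, whereas a missing address="127.0.0.1" on the AJP connector is the kind of change you want to put back before the server goes live.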

Installing the Key for the High-Bandwidth SSL VPN

You must install the high bandwidth SSL VPN if you want to add the SSL VPN servers to the cluster. Customers who are eligible for the high bandwidth SSL VPN can install its key after they receive export clearance. The key is installed only once.

You do not have to reinstall the key RPM each time the SSL VPN servlet and server RPMs are upgraded.

With Access Manager 3.1 or later, you install the key once and can upgrade to new versions without installing it again.

  1. After you have ordered the high bandwidth version, log in to the NetIQ Customer Center and click the link that lets you download the RPM containing the key for the high bandwidth version.

  2. Download the novl-sslvpn-hb-key-3.1.0-0.noarch.rpm high bandwidth RPM.

  3. Log in as root.

  4. Enter the /etc/init.d/novell-sslvpn stop or rcnovell-sslvpn stop command to stop all services.

  5. Verify the package signature (rpm --checksig) before installing, then enter the rpm -ivh novl-sslvpn-hb-key-3.1.0-0.noarch.rpm command to install the RPM for the high bandwidth version of SSL VPN.

  6. Enter the /etc/init.d/novell-sslvpn start or rcnovell-sslvpn start command to restart all SSL VPN services.

  7. Enter the /etc/init.d/novell-sslvpn status or rcnovell-sslvpn status command to check the status.