8.5 Converting a Secondary Access Manager Appliance into a Primary Appliance

To convert a secondary Access Manager Appliance into a primary Access Manager Appliance, a recent backup of the Access Manager Appliance must be available. For information about how to perform a backup, see Section 2.2, Backing Up the Access Manager Appliance Configuration. A backup is necessary to restore the certificate authority (CA).

If the failed server holds a master replica of any partition, you must use ndsrepair to designate a new master replica on a different server in the replica list.

This conversion includes the following tasks:

8.5.1 Shutting Down the Primary Access Manager Appliance

If your primary Access Manager Appliance is running, you must log in as the administrator and shut down the service.

Start YaST, click System > System Services (Runlevel), then stop the ndsd service.

8.5.2 Changing the Master Replica

Changing the master replica to reside on the new primary Access Manager Appliance makes this Access Manager Appliance into the certificate authority for Access Manager. You need to first designate the replica on the new primary Access Manager Appliance as the master replica. Then you need to remove the old primary Access Manager Appliance from the replica ring.

Secondary Administration Console

  1. At the secondary Access Manager Appliance, log in as root.

  2. Change to the /opt/novell/eDirectory/bin directory.

  3. Run DSRepair with the following options:

    ./ndsrepair -P -Ad

  4. Select the one available replica.

  5. Select Designate this server as the new master replica.

  6. Run ndsrepair -P -Ad again.

  7. Select the one available replica.

  8. Select View replica ring.

  9. Select the name of the failed primary server.

  10. Select Remove this server from replica ring.

  11. Specify the DN of the admin user in leading dot notation. For example:

    .admin.novell

  12. Specify password.

  13. Type I Agree when prompted.

  14. Continue with Section 8.5.3, Restoring CA Certificates.

8.5.3 Restoring CA Certificates

The following steps are performed on the machine that you are promoting to be a primary Appliance.

  1. Copy your most recent Access Manager Appliance backup files to your new primary Access Manager Appliance.

  2. Change to the backup bin directory:

    /opt/novell/devman/bin

  3. Verify the IP address in the backup file. The IP_Address parameter value should be the IP address of the new primary Administration Console.

    1. Open the backup file:

      defbkparm.sh

    2. Verify that the value in the IP_Address parameter is the IP address of your new primary console.

    3. Save the file.

  4. Run the certificate restore script:

    sh aminst-certs.sh

  5. When prompted, specify the administrator’s password and location of the backup files.

  6. Continue with Section 8.5.4, Verifying the vcdn.conf File.

8.5.4 Verifying the vcdn.conf File

Verify that the vcdn.conf file contains the IP address of the new Administration Console. If it contains the IP address of the failed primary Administration Console, replace it with the new IP address.

  1. Change to the Appliance configuration directory:

    /opt/novell/devman/share/conf

  2. Run the following command in the command line interface to restart Access Manager Appliance:

    /etc/init.d/novell-ac restart OR rcnovell-ac restart

  3. Continue with Section 8.5.5, Deleting Objects from the eDirectory Configuration Store.

8.5.5 Deleting Objects from the eDirectory Configuration Store

Objects representing the failed primary Access Manager Appliance in the configuration store must be deleted.

  1. Log in to the new Administration Console, then click Access Gateways.

  2. If the failed primary Appliance's Access Gateway is the primary server (has the red icon next to it), then change the primary Access Gateway server.

    1. Click [Access Gateway cluster name] > Edit.

    2. Select a different primary Access Gateway > click Ok > click Close.

      Ignore any trust store related warnings.

    3. Click Update All.

      Wait until the status becomes current for all except the failed primary Appliance.

  3. Click Auditing > Troubleshooting.

  4. In the Other Known Device Manager Servers section, select the old primary Appliance, then click Remove.

  5. Remove traces of the failed primary Access Manager Appliance from the configuration datastore:

    1. In the NetIQ Access Manager menu bar, select View Objects.

    2. In the Tree view, select novell.

    3. Delete all objects that reference the failed primary Access Manager Appliance.

      You should find the following types of objects:

      • SAS Service object with the hostname of the failed primary console

      • An object that starts with the last octet of the IP address of the failed primary console

      • DNS AG object with the hostname of the failed primary console

      • DNS IP object with the hostname of the failed primary console

      • SSL CertificateDNS with the hostname of the failed primary console

      • SSL CertificateIP with the hostname of the failed primary console

  6. Continue with Section 8.5.6, Performing Component-Specific Procedures.

8.5.6 Performing Component-Specific Procedures

If you have installed the following components, perform the cleanup steps for the component:

Third Access Manager Appliance

If you installed a third Appliance used for failover, you must manually perform the following steps on that server:

  1. Open the vcdn.conf file.

    /opt/novell/devman/share/conf

  2. In the file, look for the line that is similar to the following:

    <vcdnPrimaryAddress>10.1.1.1</vcdnPrimaryAddress>

    In this line, 10.1.1.1 represents the failed primary Appliance IP address.

  3. Change this IP address to the IP address of the new primary Appliance.

  4. Restart the Access Manager Appliance by entering the following command from the command line interface:

    /etc/init.d/novell-ac restart OR rcnovell-ac restart
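
The vcdn.conf check in Section 8.5.4 and the third-appliance edit above are the same operation: swap the failed primary's address for the new one inside a single XML element, then confirm the file really points at the new primary before restarting. The following shell script is an added example, not a NetIQ script. The element name is a parameter, so the same function also covers the DeviceManagerAddress and IPv4Address edits later in this section. The sample vcdn.conf fragment, the addresses 10.1.1.1 (failed primary) and 10.1.1.20 (new primary), and the assumption that the element sits on one line are constructed for the example.

```shell
#!/bin/sh
# Added example (not a NetIQ script): replace the failed primary appliance's IP
# inside one XML element of a config file, keeping a backup and verifying the
# result. Assumes the element sits on a single line, as in the vcdn.conf line
# shown in the guide: <vcdnPrimaryAddress>10.1.1.1</vcdnPrimaryAddress>

# Escape the dots in an IP so sed matches it literally, not as "any character".
escape_ip() {
    printf '%s' "$1" | sed 's/\./\\./g'
}

# Print the value of the first <ELEMENT>...</ELEMENT> in FILE (empty if absent).
get_element_value() {
    # $1 = file, $2 = element name
    sed -n "s|.*<$2>\([^<]*\)</$2>.*|\1|p" "$1" | head -n 1
}

# replace_element_ip FILE ELEMENT OLD_IP NEW_IP
# Returns 0 when the element now holds NEW_IP, 1 if it did not hold OLD_IP
# (so nothing is touched), 2 if the rewrite could not be verified.
replace_element_ip() {
    file=$1; element=$2; old_ip=$3; new_ip=$4
    current=$(get_element_value "$file" "$element")
    if [ "$current" != "$old_ip" ]; then
        echo "$file: <$element> holds '$current', not '$old_ip'; nothing changed" >&2
        return 1
    fi
    cp -p "$file" "$file.bak"          # keep the original to roll back from
    old_re=$(escape_ip "$old_ip")
    sed "s|<$element>$old_re</$element>|<$element>$new_ip</$element>|" "$file" \
        > "$file.tmp" && mv "$file.tmp" "$file"
    # Verify the edit instead of trusting sed's exit status.
    [ "$(get_element_value "$file" "$element")" = "$new_ip" ] && return 0
    echo "$file: <$element> still does not hold $new_ip; restore from $file.bak" >&2
    return 2
}

# Constructed sample: a minimal vcdn.conf fragment still pointing at the failed
# primary (10.1.1.1); the new primary is 10.1.1.20 in this example.
WORK=$(mktemp -d)
cat > "$WORK/vcdn.conf" <<'EOF'
<!-- constructed sample, not a real vcdn.conf -->
<config>
  <vcdnPrimaryAddress>10.1.1.1</vcdnPrimaryAddress>
</config>
EOF

replace_element_ip "$WORK/vcdn.conf" vcdnPrimaryAddress 10.1.1.1 10.1.1.20
echo "vcdnPrimaryAddress now: $(get_element_value "$WORK/vcdn.conf" vcdnPrimaryAddress)"
# A second run is refused because the old address is no longer present:
replace_element_ip "$WORK/vcdn.conf" vcdnPrimaryAddress 10.1.1.1 10.1.1.20 || true
```

On an appliance you would point the function at /opt/novell/devman/share/conf/vcdn.conf and then run rcnovell-ac restart as in step 4 above; the refusal on a second run is deliberate, so a wrong OLD_IP cannot leave the file silently unchanged while the restart proceeds.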

Access Gateway Services

For each Access Gateway Service imported into the Administration Console, edit the settings.properties file on the Access Gateway if the primary Administration Console was not configured as the Audit Server.

If the primary Administration Console was configured as an Audit Server, you must edit the config.xml file and the settings.properties file on the Access Gateway and edit the CurrentConfig and WorkingConfig XML documents in the configuration store on the new primary Administration Console.

  1. At the Access Gateway Service, log in as the root or the Administrator user.

  2. Shut down all Access Gateway Services.

    /etc/init.d/novell-appliance stop OR rcnovell-appliance stop

  3. (Conditional) If your audit server was on the primary Administration Console, edit the config.xml file:

    1. Change to the directory and open the file.

      /opt/novell/nam/adminconsole/webapps/agm/WEB-INF/config/current

    2. Find the NsureAuditSetting entry.

      In the IPv4Address field, change the IP address from the failed Administration Console to the new primary Appliance address.

    3. Save and exit.

  4. Edit the settings.properties file:

    1. Change to the directory and open the file.

      /opt/novell/devman/jcc/conf

    2. Change the IP address in the remotemgmtip list from the IP address of the failed Appliance to the address of the new primary Appliance.

    3. Save and exit.

  5. At the Access Gateway Service, start all services by entering the following command:

    /etc/init.d/novell-appliance start OR rcnovell-appliance start

  6. (Conditional) Repeat this process for each Access Gateway Service that has been imported into the Administration Console.
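
Step 4 above edits the remotemgmtip list in settings.properties on every Access Gateway Service, which is easy to get wrong by hand when the list has several entries. The following shell script is an added example, not a NetIQ script: it rewrites only the entry equal to the failed primary's address, leaves the other entries alone, and verifies the result. The guide only says remotemgmtip is a list; the comma-separated "key=a,b" layout, the sample file, and the addresses 10.1.1.1, 10.1.1.2 and 10.1.1.20 are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not a NetIQ script): update one entry in the remotemgmtip list
# of settings.properties so it names the new primary Appliance instead of the
# failed one, leaving the other entries alone. The guide only says remotemgmtip
# is a list; the comma-separated "key=a,b" layout used here is an assumption,
# so check the real file before relying on it.

# get_property FILE KEY: print the raw value of KEY (first match, empty if none).
get_property() {
    sed -n "s|^$2=||p" "$1" | head -n 1
}

# has_list_entry FILE KEY IP: succeed if IP is one of KEY's comma-separated entries.
has_list_entry() {
    get_property "$1" "$2" | tr ',' '\n' | grep -qxF "$3"
}

# update_remotemgmtip FILE OLD_IP NEW_IP
# Rewrites only the entry equal to OLD_IP; returns 1 (file untouched) if no
# entry matched, so a typo in OLD_IP cannot silently leave a stale address.
update_remotemgmtip() {
    file=$1; old_ip=$2; new_ip=$3
    cp -p "$file" "$file.bak"
    if awk -v key=remotemgmtip -v old="$old_ip" -v new="$new_ip" '
        BEGIN { FS = OFS = "=" }
        $1 == key {
            n = split($2, ips, ",")
            out = ""
            for (i = 1; i <= n; i++) {
                ip = ips[i]
                if (ip == old) { ip = new; changed = 1 }
                out = out (i > 1 ? "," : "") ip
            }
            $2 = out
        }
        { print }
        END { exit changed ? 0 : 1 }
    ' "$file" > "$file.tmp"; then
        mv "$file.tmp" "$file"
    else
        rm -f "$file.tmp" "$file.bak"
        echo "$file: no remotemgmtip entry equals $old_ip; nothing changed" >&2
        return 1
    fi
    # Verify: the new address is listed and the old one is gone.
    has_list_entry "$file" remotemgmtip "$new_ip" &&
        ! has_list_entry "$file" remotemgmtip "$old_ip"
}

# Constructed sample: one Access Gateway Service whose list still names the
# failed primary (10.1.1.1) alongside a secondary console (10.1.1.2).
WORK=$(mktemp -d)
cat > "$WORK/settings.properties" <<'EOF'
# constructed sample, not a real settings.properties
remotemgmtip=10.1.1.1,10.1.1.2
EOF

update_remotemgmtip "$WORK/settings.properties" 10.1.1.1 10.1.1.20
echo "remotemgmtip now: $(get_property "$WORK/settings.properties" remotemgmtip)"
```

Run it between the stop and start commands of steps 2 and 5, once per Access Gateway Service; because the function refuses to touch a file that does not list the failed address, re-running it on a gateway that was already fixed is harmless.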

SSL VPN

For each SSL VPN component imported into the Administration Console, you must edit the config.xml file and the settings.properties file on the SSL VPN server and edit the current config and working config XML documents in the configuration store on the new primary Appliance.

  1. Log in as the root user.

  2. Open a terminal window and shut down all services by entering the following commands:

    • /etc/init.d/novell-jcc stop OR rcnovell-jcc stop

    • /etc/init.d/novell-sslvpn stop OR rcnovell-sslvpn stop

  3. Edit the config.xml file:

    1. Enter: vi /etc/opt/novell/sslvpn/config.xml

    2. Enter /DeviceManagerAddress, then press Enter.

    3. Change the IP address to that of the new primary Appliance.

    4. Enter :wq! to save and exit.

  4. At the new primary Appliance, open an LDAP browser and edit the CurrentConfig object of the SSL VPN.

    IMPORTANT: You should use an LDAP browser for the following steps, rather than iManager. iManager is slow at saving large files, and your iManager connection might time out before your modifications are saved.

    1. Browse to the following container: novell > accessManagerContainer > VCDN_Root > PartitionsContainer > Partition > AppliancesContainer.

      A list of devices appears. SSL VPN devices have an sslvpn prefix.

    2. Expand an SSL VPN container, then select the CurrentConfig object.

    3. Select the romaSSLVPNConfigurationXMLDoc attribute and open it.

    4. Copy the contents of the attribute to a text editor.

    5. Search for the <DeviceManagerAddress> element.

    6. Change the IP address of the <DeviceManagerAddress> element so that it matches the IP address of the new primary Administration Console.

    7. Copy the modified document in the text editor to the value field of the romaSSLVPNConfigurationXMLDoc attribute.

    8. Save your changes.

  5. At the new primary Appliance, edit the WorkingConfig object of the SSL VPN container:

    Use an LDAP browser for these steps.

    1. Browse to the SSL VPN object by expanding the following containers: novell > accessManagerContainer > VCDN_Root > PartitionsContainer > Partition > AppliancesContainer.

      A list of devices appears.

    2. Expand the SSL VPN container, then select the WorkingConfig object.

    3. Select the romaSSLVPNConfigurationXMLDoc attribute and open it.

    4. Copy the contents of the attribute to a text editor.

    5. Search for the <DeviceManagerAddress> element.

    6. Change the IP address of the <DeviceManagerAddress> element so that it matches the IP address of the new primary Administration Console.

    7. Copy the modified document in the text editor to the value field of the romaSSLVPNConfigurationXMLDoc attribute.

    8. Save your changes.

  6. Start all services by entering the following commands:

    • /etc/init.d/novell-jcc start OR rcnovell-jcc start

    • /etc/init.d/novell-sslvpn start OR rcnovell-sslvpn start

  7. (Conditional) If the SSL VPN server is still not functioning, restart the Linux server by entering reboot.

  8. (Conditional) Repeat this process for each SSL VPN server that has been imported into the Administration Console.

8.5.7 Enabling Backup on the New Primary Appliance

  1. On the new primary Appliance, change to the /opt/novell/devman/bin directory.

  2. Open the defbkparm.sh file and find the following lines:

    EDIR TREE=<tree_name>
    EDIR CA=<CA name>

    These lines contain values using the hostname of the Appliance you are on.

  3. Modify these lines to use the hostname of the failed Appliance.

    When you install the primary Appliance, the EDIR TREE parameter is set to the hostname of the server with _tree appended to it. The EDIR CA parameter is set to the hostname of the server with _tree CA appended to it.

    If the failed Appliance had amlab as its hostname, you would change these lines to have the following values:

    EDIR TREE="amlab_tree"
    EDIR CA="amlab_tree CA"

  4. Save your changes.

  5. Take a backup from your new primary Appliance.

    WARNING: After configuring the secondary Appliance to be the new primary Appliance and performing all the cleanup steps, you cannot restore an old backup from the primary Appliance.

    Take a new backup as soon as your new primary Appliance is functional.
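
Two edits in this section touch defbkparm.sh: the IP_Address check in Section 8.5.3, step 3, and the EDIR TREE / EDIR CA values above, which must be derived from the failed appliance's hostname because that hostname named the tree and the CA when the original primary was installed. The following shell script is an added example, not a NetIQ script, that checks all three parameters against the expected values and sets them. The "KEY=VALUE" line layout, the key spelling (EDIR TREE with a space, exactly as the guide prints it), the sample file, the hostname amsec and the addresses 10.1.1.1 and 10.1.1.20 are assumptions constructed for the example; amlab is the example hostname the guide itself uses.

```shell
#!/bin/sh
# Added example (not a NetIQ script): check and set the three defbkparm.sh
# parameters this section cares about. IP_Address (Section 8.5.3, step 3) must
# be the new primary's address; EDIR TREE and EDIR CA (Section 8.5.7) must be
# derived from the FAILED appliance's hostname.
# Assumptions: parameters are "KEY=VALUE" lines, one per line, and the key
# names are spelled exactly as the guide prints them (EDIR TREE, with a space);
# confirm both against the real file before using this on an appliance.

# Values the guide says the parameters must hold for a failed host NAME.
expected_tree() { printf '%s_tree\n' "$1"; }
expected_ca()   { printf '%s_tree CA\n' "$1"; }

# get_param FILE KEY: value of KEY with surrounding double quotes removed.
get_param() {
    sed -n "s|^$2=||p" "$1" | head -n 1 | tr -d '"'
}

# set_param FILE KEY VALUE: rewrite the KEY line in place (VALUE as given).
set_param() {
    sed "s|^$2=.*|$2=$3|" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# expect_param FILE KEY EXPECTED: succeed if KEY holds EXPECTED, else report.
expect_param() {
    actual=$(get_param "$1" "$2")
    [ "$actual" = "$3" ] && return 0
    echo "$2: found '$actual', expected '$3'" >&2
    return 1
}

# check_backup_params FILE NEW_IP FAILED_HOST
# Returns 0 when all three parameters are right, 1 otherwise, naming each
# mismatch on stderr so the operator sees what a restore would have used.
check_backup_params() {
    file=$1; new_ip=$2; failed_host=$3; rc=0
    expect_param "$file" IP_Address "$new_ip" || rc=1
    expect_param "$file" "EDIR TREE" "$(expected_tree "$failed_host")" || rc=1
    expect_param "$file" "EDIR CA"   "$(expected_ca "$failed_host")"   || rc=1
    return $rc
}

# set_backup_params FILE NEW_IP FAILED_HOST: apply the values, keeping a backup.
set_backup_params() {
    cp -p "$1" "$1.bak"
    set_param "$1" IP_Address "$2"
    set_param "$1" "EDIR TREE" "\"$(expected_tree "$3")\""
    set_param "$1" "EDIR CA"   "\"$(expected_ca "$3")\""
}

# Constructed sample: defbkparm.sh as it might look on the promoted secondary
# (hostname amsec, still pointing at the failed primary 10.1.1.1). The failed
# primary's hostname is amlab, as in the guide's example.
WORK=$(mktemp -d)
cat > "$WORK/defbkparm.sh" <<'EOF'
# constructed sample, not a real defbkparm.sh
IP_Address=10.1.1.1
EDIR TREE="amsec_tree"
EDIR CA="amsec_tree CA"
EOF

check_backup_params "$WORK/defbkparm.sh" 10.1.1.20 amlab || echo "mismatches found, fixing"
set_backup_params   "$WORK/defbkparm.sh" 10.1.1.20 amlab
check_backup_params "$WORK/defbkparm.sh" 10.1.1.20 amlab && echo "defbkparm.sh is ready for backup"
```

Running the check before the certificate restore in Section 8.5.3 and again before the first backup in step 5 catches the two mistakes this procedure is most exposed to: restoring certificates against the wrong console address, and writing a backup whose tree and CA names do not match the CA that was restored.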