3.4 Managing General Details of the Access Gateway

The Server Details page allows you to perform general maintenance actions on the selected Access Gateway.

  1. In the Administration Console, click Devices > Access Gateways > [Name of Access Gateway].

  2. Select one of the following options:

    Edit: Click this option to edit the general details of the Access Gateway. See Section 3.4.1, Changing the Name of an Access Gateway and Modifying Other Server Details.

    Upgrade: (Access Gateway Appliance) Click this option to upgrade the software to the newest release. For more information on this process, see Section 3.4.2, Upgrading the Access Gateway Software.

    New NIC: (Access Gateway Appliance) Click this action to trigger a scan to detect a new network interface card that you have added to the machine after installing the Access Gateway Appliance. This might take some time. For more information, see Section 3.9.5, Adding New Network Interfaces to the Access Gateway Appliance.

    New IP: (Access Gateway Service) Click this action to trigger a scan to detect new IP addresses. This might take some time. If you have used a system utility to add an IP address after you have installed the Access Gateway Service, use this option to update the Access Gateway Service to display the new IP address as a configuration option. For more information about this option, see Section 3.9.6, Adding a New IP Address to the Access Gateway Service.

    Configuration: Click this option to export the configuration of this Access Gateway or to import the configuration from a saved configuration file. See Section 3.4.3, Exporting and Importing an Access Gateway Configuration.

  3. Click Close.

3.4.1 Changing the Name of an Access Gateway and Modifying Other Server Details

The default name of an Access Gateway is its IP address. You can change this to a more descriptive name as well as modify other details that help you distinguish one Access Gateway from another.

  1. In the Administration Console, click Devices > Access Gateways > [Name of Access Gateway] > Edit.

    Figure: Editing Access Gateway details

  2. Modify the values in the following fields:

    Name: Specify the Administration Console display name for the Access Gateway. This is a required field. The default name is the IP address of the Access Gateway. If you modify the name, the name must use alphanumeric characters and can include spaces, hyphens, and underscores.

    Management IP Address: Specify the IP address used to manage the Access Gateway. Select an IP address from the list. For information on changing the Management IP Address, see Changing the IP Address of the Access Gateway Appliance in the Novell Access Manager 3.1 SP5 Administration Console Guide.

    Port: Specify the port to use for communication with the Administration Console.

    Location: Specify the location of the Access Gateway server. This is optional, but useful if your network has multiple Access Gateway servers.

    Description: Describe the purpose of this Access Gateway. This is optional, but useful if your network has multiple Access Gateways.

  3. Click OK twice, then click Close.

    When you click OK, any changes are immediately applied to the Access Gateway.

3.4.2 Upgrading the Access Gateway Software

In the Administration Console, you can upgrade the software currently running on the Access Gateway Appliance to a newer version without losing configuration information. In addition, downtime is limited to the time it takes to copy the new software to the Access Gateway and restart it. The Access Gateway Service cannot currently be upgraded from the Administration Console. For upgrade information for the Access Gateway Service, see Upgrading the Access Gateway Service in the NetIQ Access Manager 3.1 SP5 Installation Guide.

To upgrade the Access Gateway Appliance from the Administration Console:

  1. Click Devices > Access Gateways > [Name of an Access Gateway Appliance] > Upgrade.

  2. Specify the location of the upgrade script in the Upgrade URL text box. The URL must begin with a scheme and end with the filename. For example:

    http://updates.company.com/lag/linux/lagrpms.tar.gz

  3. Select one of the following actions:

    Upgrade Now: Sends the command to upgrade the Access Gateway to the version specified in the Upgrade URL.

    Schedule Upgrade: Allows you to specify the date and time when the upgrade occurs. For more information, see Section 3.3.4, Scheduling a Command.

    View Upgrade Log: Allows you to view the latest upgrade log. Follow the prompts on your browser to view the log or download it.

For more information about this process and for information about other methods for upgrading the Access Gateway Appliance, see Upgrading the Linux Access Gateway Appliance in the NetIQ Access Manager 3.1 SP5 Installation Guide.

3.4.3 Exporting and Importing an Access Gateway Configuration

You can export an existing Access Gateway configuration as well as its dependent policies, and then import this configuration to a new machine. This feature is especially useful for deployments that set up configurations in a staging environment, test and validate the configuration, then want to deploy the configuration on new hardware that exists in the production environment.

IMPORTANT: The export feature is not a backup tool. The export feature is designed to handle configuration information applicable to all members of a cluster, and network IP addresses and DNS names are filtered out during the import. (The server-specific information that is filtered out is the information you set specifically for each member in a cluster.) If you want a copy of all configuration information, including server-specific information, you need to perform a backup. See Backing Up and Restoring in the Novell Access Manager 3.1 SP5 Administration Console Guide.

The export feature is not an upgrade tool. You cannot export a configuration from one version of Access Manager and import it into a newer version of Access Manager.

If your Access Gateway is not a member of a cluster and you have configured it to use multiple IP addresses, be aware that the export feature filters out multiple IP addresses and uses only eth0. You need to use the backup utility to save this type of information. If you need to reinstall the machine, leave the Access Gateway configuration in the Administration Console and reinstall the Access Gateway. If you use the same IP address for the Access Gateway, it imports into the Administration Console and inherits the configuration.

When exporting the file, you can select to password-protect the file, which encrypts the file. If you are using the exported file to move an Access Gateway from a staging area to a production area and you need to change the names of the proxy services and DNS names from a staging name to a production name, do not select to encrypt the file. You need a simple text file so you can search and replace these names. If you select not to encrypt the file, remember that the file contains sensitive information and protect it accordingly.

The following sections explain this process:

Exporting the Configuration

  1. In the Administration Console, click Devices > Access Gateway > [Name of Access Gateway].

  2. Click Configuration > Export.

  3. (Conditional) If you want to encrypt the file, fill in the following fields:

    Password protect: Select this option to encrypt the file.

    Password: Specify a password to use for encrypting the file. When you import the configuration onto another device, you are prompted for this password.

  4. Click OK, then select to save the configuration to a file.

    The filename is the name of the Access Gateway with an .xml extension.

  5. (Conditional) If you want to change the names of the proxy services and their DNS names from a staging name to a production name, complete the following:

    1. Open the configuration file in a text editor.

    2. Search and remove the staging suffix.

      If you have specified DNS names with a staging suffix (for example, innerwebstaging.provo.novell.com), you can search for staging.provo.novell.com and remove staging from the name.

      In particular, you need to change the following:

      • Any fully qualified DNS names from the staging name to the production name (DNSName elements in the file)

      • The cookie domains associated with each proxy service (AuthenticationCookieDomain elements in the file)

      • The URL masks in pin lists that contain fully qualified names (URLMask elements in the file)

      Depending upon your naming standards, you might want to change the names of the following:

      • UserInterfaceID elements (proxy service, pin list, and protected resource user interface IDs)

      • Description elements (proxy service, pin list, and protected resource descriptions)

      • Name (proxy service, pin list, and protected resource names)

      • SubServiceID elements

      • MultiHomeMasterSubserviceIDRef elements

      • LogDirectoryName elements

      • ProfileIDRef elements

      • ProtectedResourceID elements

      • ProfileID elements (TCP Listen options name)

    3. (Conditional) If your Web servers in the staging area have different IP addresses and hostnames than the Web Servers in the production area, you can search and replace them in the configuration file or wait until after the import and modify them in the Administration Console.

  6. Export the policies used by the Access Gateway. In the Administration Console, click Policies > Policies, then either select Name to include all policies or individually select the policies to export.

    You need to export all Access Gateway policies and any Role policies used by the Access Gateway policies.

  7. Click Export and modify the proposed filename if needed.

  8. Click OK, then select to save the policy configurations to a file.

  9. (Conditional) If you have created multiple policy containers, select the next policy container in the list, and repeat Step 6 through Step 8.

    The policies for each container must be saved to a separate export file.

  10. (Conditional) If your policies redirect users to staging URLs when they are denied access, search and replace these URLs with the production URLs. Open the policy file with a text editor and search for your staging name.

  11. Copy the Access Gateway and policy configuration files to a place accessible by the new Access Gateway.

  12. Continue with Importing the Configuration.

Importing the Configuration

  1. Verify that the Access Gateway meets the conditions for an import:

    • The Access Gateway should not be a member of a cluster. If it is a member of a cluster, remove it from the cluster before continuing.

      In the Administration Console, click Devices > Access Gateways, select the Access Gateway, then click Actions > Remove from Cluster.

      You can create a cluster and add this machine to the cluster as the primary server after you have completed the import.

    • The Access Gateway should be an unconfigured machine. If it contains reverse proxies, delete them before continuing.

      In the Administration Console, click Devices > Access Gateways > Edit > Reverse Proxies / Authentication. In the Reverse Proxy List, select Name, then click Delete. Update the Access Gateway and the Identity Server.

  2. In the Administration Console, click Policies > Policies.

    The policies that the Access Gateway is dependent upon must be imported first.

  3. (Conditional) If you have exported policies from more than one container, create the policy containers. Click the Containers tab; in the Container List, click New, specify the name for the container, then click OK.

  4. (Conditional) If your system already contains policies, delete them if they aren’t being used.

    If they are in use and you have policies with the same names as the policies you are going to import, you need to manually reconcile the duplicate policies. See Step 5 in Cleaning Up and Verifying the Configuration.

  5. In the Policy List, click Import.

  6. Browse to the location of the policy configuration file, select the file, then click OK.

  7. (Conditional) If you exported multiple policy configuration files, repeat Step 5 and Step 6.

  8. Enable all new Role policies. Click Identity Servers > Edit > Roles.

  9. Either select Name to enable all policies or individually select the policies, then click Enable.

  10. Click OK, then click Update.

  11. To import the Access Gateway configuration, click Access Gateways > [Name of Access Gateway] > Configuration > Import.

  12. Browse to the location of the configuration file, select the file, enter a password if you specified one on export, then click OK.

  13. Continue with Cleaning Up and Verifying the Configuration.

Cleaning Up and Verifying the Configuration

  1. When the configuration import has finished, verify the configuration for your reverse proxies.

    1. Click Access Gateways > Edit > [Name of Reverse Proxy].

    2. Verify the listening address.

      This is especially important if your Access Gateway has multiple network adapters. By default, the IP address of eth0 is always selected as the listening address.

    3. Verify the certificates assigned to the reverse proxy.

      The Subject Name of the certificate should match the published DNS name of the primary proxy service in the Proxy Service List.

    4. Verify the Web Server configuration. In the Proxy Service List, click the Web Server Addresses link. Check the following values:

      • Web Server Host Name: If this name has a staging prefix or suffix, remove it.

      • IP addresses in the Web Server List: If the IP addresses in the production area are different from the IP addresses in the staging area, modify the IP addresses to match the production area.

      • Certificates: If you have configured SSL or mutual SSL between the proxy service and the Web servers, configure the Web Server Trusted Root and SSL Mutual Certificate options. The export and import configuration option does not export and import certificates.

    5. Click OK twice.

  2. (Conditional) If you have multiple reverse proxies, repeat Step 1 for each proxy service.

  3. On the Configuration page, click Reverse Proxy / Authentication, then select the Identity Server Cluster configuration.

  4. If you have multiple reverse proxies, verify that the Reverse Proxy value in the Embedded Service Provider section is the reverse proxy you want to use for authentication, then click OK twice.

  5. (Conditional) If the Administration Console already contained some policies, verify that you do not have policies with duplicate names. Click Policies > Policies.

    Policies with duplicate names have Copy-n appended to the end of the name, with n representing a number. If you have duplicates, reconcile them:

    • If they contain the same rules, you need to reconfigure the resources that use one policy to use the other policy before you can delete the duplicate policy.

    • If they contain different rules, rename the duplicate policies.

  6. (Conditional) Apply any policy configuration changes.

  7. Click Access Gateways > Update.

  8. Click Identity Servers > Update.

    If your Identity Server does not prompt you for an update, complete the following steps to trigger the update:

    1. In the Administration Console, click Devices > Access Gateways > Edit > Reverse Proxy / Authentication.

    2. Set the Identity Server Cluster field to None, then click OK.

    3. Click Reverse Proxy / Authentication.

    4. Set the Identity Server Cluster field to the correct value, then click OK.

    5. Update the Access Gateway.

    6. Update the Identity Server.

  9. Configure the keystores for the Access Gateway.

    If you have configured the Access Gateway for SSL between the Identity Server and the Access Gateway and between the Access Gateway and the browsers, verify that the trust stores and the keystores contain the correct certificates.

    1. In the Administration Console, click Security > Certificates.

    2. Find the certificate for the Access Gateway.

      The subject name of this certificate should match the DNS name of the Access Gateway. If this certificate is not in the list, you need to create it or import it.

      This certificate should be in use by the ESP Mutual SSL and Proxy Key Store of the Access Gateway.

    3. If the certificate is not in use by the required keystores, select the certificate, then click Actions > Add Certificate to Keystores.

    4. Click the Select Keystore icon, select ESP Mutual SSL and Proxy Key Store of the Access Gateway, then click OK twice.

  10. Configure the trust stores for the Access Gateway.

    1. In the Administration Console, click Security > Certificates > Trusted Roots.

      The trusted root certificate of the CA that signed the Access Gateway certificate needs to be in the NIDP-truststore.

      The trusted root certificate of the CA that signed the Identity Server certificate needs to be in the ESP Trust Store of the Access Gateway.

    2. If you need to add a trusted root to a trust store, select the trusted root, then click Add Trusted Roots to Trust Stores.

    3. Click the Trust Store icon, select the required trust store, then click OK twice.

  11. If you made any keystore or trust store modifications, update the Access Gateway and the Identity Server.

  12. (Optional) Create a cluster configuration and add this server as the primary server.