6.7 Converting a Secondary Console into a Primary Console

In order for a secondary Administration Console to be converted into a primary Administration Console, a recent backup of the Administration Console must be available. For information on how to perform a backup, see Section 2.2, Backing Up the Access Manager Configuration. A backup is necessary in order to restore the certificate authority (CA).

If the failed server holds a master replica of any partition, you must use ndsrepair to designate a new master replica on a different server in the replica list.

WARNING: Perform these steps only if the primary Administration Console cannot be restored. If you have a recent backup, you can restore the primary Administration Console to new hardware. This is an easier configuration task than converting a secondary console into a primary console. See Section 6.6, Moving the Primary Administration Console to New Hardware.

This conversion includes the following tasks:

  • Section 6.7.1, Shutting Down the Administration Console

  • Section 6.7.2, Changing the Master Replica

  • Section 6.7.3, Restoring CA Certificates

  • Section 6.7.4, Editing the vcdn.conf File

  • Section 6.7.5, Deleting Objects from the eDirectory Configuration Store

  • Section 6.7.6, Performing Component-Specific Procedures

  • Section 6.7.7, Enabling Backup on the New Primary Administration Console

6.7.1 Shutting Down the Administration Console

If your primary Administration Console is running, you must log in as the administrator and shut down the service.

  • Linux: Start YaST, click System > System Services (Runlevel), then select to stop the ndsd service.

  • Windows: Open the Control Panel, click Administrative Tools > Services, then select to stop the NDS Server.

6.7.2 Changing the Master Replica

Changing the master replica to reside on the new primary Administration Console makes this Administration Console into the certificate authority for Access Manager. You need to first designate the replica on the new primary Administration Console as the master replica. Then you need to remove the old primary Administration Console from the replica ring.

Linux Secondary Administration Console

  1. At the secondary Administration Console, log in as root.

  2. Change to the /opt/novell/eDirectory/bin directory.

  3. Run DSRepair with the following options:

    ./ndsrepair -P -Ad

  4. Select the one available replica.

  5. Select Designate this server as the new master replica.

  6. Run ndsrepair -P -Ad again.

  7. Select the one available replica.

  8. Select View replica ring.

  9. Select the name of the failed primary server.

  10. Select Remove this server from replica ring.

  11. Enter the DN of the admin user in leading dot notation. For example:

    .admin.novell

  12. Continue with Section 6.7.3, Restoring CA Certificates.

Windows Secondary Administration Console

  1. At the secondary Administration Console, log in as the administrator.

  2. Change to the C:\Novell\NDS directory.

  3. Start the NDSCons.exe program.

  4. Select dsrepair.dlm.

  5. In the Parameters box, specify -A, then click Start.

  6. Click Partitions > Root > Designate This Server As The New Master Replica.

  7. Open Partitions > Root, select the server, and verify that the replica is the master replica.

  8. Run ndsrepair again with -A in the Parameters box.

  9. Click Partitions > Root, then select the name of the failed primary server.

  10. From the menu, click Partitions > Replica Rings > Remove Server From Ring.

  11. Enter the DN of the admin user in leading dot notation. For example:

    .admin.novell

  12. Continue with Section 6.7.3, Restoring CA Certificates.

6.7.3 Restoring CA Certificates

The following steps are performed on the machine that you are promoting to be a primary console.

  1. Copy your most recent Administration Console backup files to your new primary Administration Console.

  2. Change to the backup bin directory:

    Linux: /opt/novell/devman/bin

    Windows Server 2003: \Program Files\Novell\bin

    Windows Server 2008: \Program Files (x86)\Novell\bin

  3. Verify the IP address in the backup file.

    1. Open the backup file:

      Linux: defbkparm.sh

      Windows: defbkparm.properties

    2. Verify that the value in the IP_Address parameter is the IP address of your new primary console.

    3. Save the file.

  4. Run the certificate restore script:

    Linux: sh aminst-certs.sh

    Windows: aminst-certs.bat

  5. When prompted, enter the location of the backup files.

  6. Continue with Section 6.7.4, Editing the vcdn.conf File.

6.7.4 Editing the vcdn.conf File

The vcdn.conf file contains the IP address of the failed primary Administration Console.

  1. Change to the Administration Console configuration directory:

    Linux: /opt/novell/devman/share/conf

    Windows Server 2003: \Program Files\Novell\Tomcat\webapps\roma\WEB-INF\conf

    Windows Server 2008: \Program Files (x86)\Novell\Tomcat\webapps\roma\WEB-INF\conf

  2. Open the vcdn.conf file.

  3. Search for all occurrences of the old IP address and replace them with the IP address of your new primary console.

  4. Save the file.

  5. Restart the Administration Console by entering the following command from the command line interface:

    Linux: /etc/init.d/novell-tomcat5 restart

    Windows: net stop Tomcat5

    net start Tomcat5

  6. Continue with Section 6.7.5, Deleting Objects from the eDirectory Configuration Store.
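The IP replacement in steps 2 through 4 above (and the same change to the remotemgmtip list in settings.properties that the component procedures in Section 6.7.6 call for) is a plain text edit, and the mistake that is easy to make is a substring match: replacing the literal string 10.1.1.1 also rewrites 10.1.1.10 or 210.1.1.1. The following Python script is an added example, not part of the Novell documentation or product. It replaces only whole-address matches, keeps a .bak copy, refuses to touch a file that contains no occurrence (wrong file, or already migrated), and verifies afterwards that no occurrence remains. The sample vcdn.conf and settings.properties contents are constructed: apart from the vcdnPrimaryAddress element shown in this section and the remotemgmtip key name, the element names, key format and comma-separated list layout are assumptions.

```python
import ipaddress
import re
import shutil
import tempfile
from pathlib import Path


def ip_pattern(ip: str) -> "re.Pattern[str]":
    """Regex that matches this IPv4 address only as a whole token.

    The lookarounds stop 10.1.1.1 from matching inside 10.1.1.10 or 210.1.1.1,
    which a plain search-and-replace of the literal string would do."""
    ipaddress.IPv4Address(ip)  # reject a mistyped address before it becomes a regex
    return re.compile(r"(?<![0-9.])" + re.escape(ip) + r"(?![0-9.])")


def replace_ip(text: str, old_ip: str, new_ip: str) -> tuple[str, int]:
    """Return (updated text, number of whole-address replacements)."""
    ipaddress.IPv4Address(new_ip)
    return ip_pattern(old_ip).subn(new_ip, text)


def rewrite_config(path, old_ip: str, new_ip: str) -> int:
    """Replace old_ip with new_ip in one config file, keeping a .bak copy.

    Refuses to change a file with no occurrence and verifies that none remain."""
    path = Path(path)
    backup = path.with_name(path.name + ".bak")
    # newline="" preserves CRLF line endings in files edited on Windows.
    with open(path, encoding="utf-8", newline="") as fh:
        original = fh.read()
    updated, count = replace_ip(original, old_ip, new_ip)
    if count == 0:
        raise ValueError(f"{path}: no occurrence of {old_ip}; nothing changed")
    shutil.copy2(path, backup)
    with open(path, "w", encoding="utf-8", newline="") as fh:
        fh.write(updated)
    with open(path, encoding="utf-8", newline="") as fh:
        if ip_pattern(old_ip).search(fh.read()):
            raise RuntimeError(f"{path}: {old_ip} still present after rewrite")
    return count


# Constructed samples. Only vcdnPrimaryAddress and the remotemgmtip key name
# come from the documentation; the other element names and the comma-separated
# list format are assumptions. 10.1.1.10 is a decoy that must be left alone.
SAMPLE_VCDN_CONF = """<vcdnPrimaryAddress>10.1.1.1</vcdnPrimaryAddress>
<constructedSecondaryAddress>10.1.1.10</constructedSecondaryAddress>
<constructedAuditAddress>10.1.1.1</constructedAuditAddress>
"""
SAMPLE_SETTINGS_PROPERTIES = "remotemgmtip=10.1.1.1,10.1.1.10\n"


def demo(old_ip: str = "10.1.1.1", new_ip: str = "10.1.1.2") -> dict:
    """Write the samples to a temporary directory, migrate them, return the counts."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        samples = (("vcdn.conf", SAMPLE_VCDN_CONF),
                   ("settings.properties", SAMPLE_SETTINGS_PROPERTIES))
        for name, content in samples:
            p = Path(tmp, name)
            p.write_text(content, encoding="utf-8")
            results[name] = rewrite_config(p, old_ip, new_ip)
    return results


if __name__ == "__main__":
    print(demo())
```

On a real console, call rewrite_config with the path of vcdn.conf (or settings.properties), the failed console's address and the new primary's address; the returned count tells you how many occurrences were changed, and the .bak copy lets you diff the result before restarting Tomcat.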

6.7.5 Deleting Objects from the eDirectory Configuration Store

Several objects representing the failed primary Administration Console in the configuration store must be deleted.

  1. Log in to the new Administration Console, then click Auditing > Troubleshooting.

  2. In the Other Known Device Manager Servers section, select the old primary Administration Console, then click Remove.

  3. Remove traces of the failed primary console from the configuration datastore:

    1. In the iManager menu bar, select View Objects.

    2. In the Tree view, select novell, and view the objects.

    3. Delete all objects that reference the failed primary console.

      You should find the following types of objects:

      • SAS Service object with the hostname of the failed primary console

      • An object that starts with the last octet of the IP address of the failed primary console

      • DNS AG object with the hostname of the failed primary console

      • DNS IP object with the hostname of the failed primary console

      • SSL CertificateDNS with the hostname of the failed primary console

      • SSL CertificateIP with the hostname of the failed primary console

  4. Continue with Section 6.7.6, Performing Component-Specific Procedures.

6.7.6 Performing Component-Specific Procedures

If you have installed the following components, perform the cleanup steps for the component:

Identity Server Installed with the Failed Primary Administration Console

If you had an Identity Server installed with your failed primary Administration Console, you need to clean up the configuration database to remove references to this Identity Server.

  1. Log in to the Administration Console.

  2. Remove the Identity Server:

    1. Click Devices > Identity Servers.

    2. Select the Identity Server that was installed with the primary Administration Console.

    3. Remove it from the cluster, then delete it.

  3. Remove traces of the failed Identity Server from the configuration datastore:

    1. In the iManager menu bar, select View Objects.

    2. In the Tree view, select novell, and view the objects.

    3. Delete all objects that reference the failed Identity Server.

      You should find the following types of objects:

      • SAS Service object with the hostname of the failed Identity Server

      • An object that starts with the last octet of the IP address of the failed Identity Server

      • DNS AG object with the hostname of the failed Identity Server

      • DNS IP object with the hostname of the failed Identity Server

      • SSL CertificateDNS with the hostname of the failed Identity Server

      • SSL CertificateIP with the hostname of the failed Identity Server

Third Administration Console

If you installed a third Administration Console used for failover, you must manually perform the following steps on that server:

  1. Open the vcdn.conf file.

    Linux: /opt/novell/devman/share/conf

    Windows Server 2003: \Program Files\Novell\Tomcat\webapps\roma\WEB-INF\conf

    Windows Server 2008: \Program Files (x86)\Novell\Tomcat\webapps\roma\WEB-INF\conf

  2. In the file, look for the line that is similar to the following:

    <vcdnPrimaryAddress>10.1.1.1</vcdnPrimaryAddress>

    In this line, 10.1.1.1 represents the failed primary Administration Console IP address.

  3. Change this IP address to the IP address of the new primary Administration Console.

  4. Restart the Administration Console by entering the following command from the command line interface:

    Linux: /etc/init.d/novell-tomcat5 restart

    Windows: Use the following commands:

    net stop Tomcat5

    net start Tomcat5

Linux Access Gateway Appliances

For each Access Gateway Appliance imported into the Administration Console, you must edit the config.xml file and the settings.properties file on the Access Gateway and edit the current config and working config XML documents in the configuration store on the new primary Administration Console.

  1. At the Access Gateway Appliance, log in as the root user.

  2. Open a terminal window and shut down all services by entering the following commands:

    /etc/init.d/novell-jcc stop
    /etc/init.d/novell-tomcat5 stop
    /etc/init.d/novell-vmc stop
    
  3. If you are running SSL VPN, enter the following command to stop SSL VPN:

    /etc/init.d/novell-sslvpn stop
    
  4. Edit the config.xml file:

    1. Enter:

      vi /var/novell/cfgdb/.current/config.xml 
      
    2. Enter /Remote, then press Enter.

      In the IPv4Address field, change the IP address from the failed Administration Console to the new primary Administration Console address.

    3. (Conditional) If your audit server was on the primary Administration Console, enter /NsureAuditSetting, then press Enter.

      In the IPv4Address field, change the IP address from the failed Administration Console to the new primary Administration Console address.

    4. Enter :wq! to save and exit.

  5. Edit the settings.properties file:

    1. Enter:

      vi /opt/novell/devman/jcc/conf/settings.properties
      
    2. Change the IP address in the remotemgmtip list from the IP address of the failed Administration Console to the address of the new primary Administration Console.

    3. Enter :wq! to save and exit.

  6. At the new primary Administration Console, open an LDAP browser and edit the CurrentConfig object of the Access Gateway Appliance.

    IMPORTANT: You should use an LDAP browser for the following steps, rather than iManager. Because iManager is slow at saving large files, your iManager connection might time out before your modifications are saved.

    1. Browse to the following container: novell > accessManagerContainer > VCDN_Root > PartitionsContainer > Partition > AppliancesContainer.

      A list of devices appears. Access Gateways have an ag prefix.

    2. Expand an Access Gateway container, then select the CurrentConfig object.

    3. Select the romaAGConfigurationXMLDoc attribute and open it so you can view its value.

      The value is a large XML file.

    4. Copy the contents of the attribute to a text editor.

    5. (Conditional) To verify which Access Gateway Appliance you are changing, search for the <Local> element.

      The IP address should match the IP address of the Access Gateway Appliance that you are configuring for the new primary Administration Console.

    6. Search for the <Remote> element.

    7. Change the IP address of the <Remote> element so that it matches the IP address of the new primary Administration Console.

    8. (Conditional) If your audit server was on the primary Administration Console, search for the <NsureAuditSetting> element.

      Change the IP address of the <NsureAuditSetting> element so that it matches the IP address of the new primary Administration Console.

    9. Copy the modified document in the text editor to the value field of the romaAGConfigurationXMLDoc attribute.

    10. Save your changes.

  7. At the new primary Administration Console, edit the WorkingConfig object of the Access Gateway Appliance:

    Use an LDAP browser for these steps.

    1. Browse to the following container: novell > accessManagerContainer > VCDN_Root > PartitionsContainer > Partition > AppliancesContainer.

      A list of devices appears. Expand the Access Gateway container.

    2. Select the WorkingConfig object.

    3. Select the romaAGConfigurationXMLDoc attribute and open it so you can view its value.

    4. Copy the contents of the attribute to a text editor.

    5. Search for the <Remote> element.

    6. Change the IP address of the <Remote> element so that it matches the IP address of the new primary Administration Console.

    7. (Conditional) If your audit server was on the primary Administration Console, search for the <NsureAuditSetting> element.

      Change the IP address of the <NsureAuditSetting> element so that it matches the IP address of the new primary Administration Console.

    8. Copy the modified document in the text editor to the value field of the romaAGConfigurationXMLDoc attribute.

    9. Save your changes.

  8. At the Access Gateway Appliance, start all services by entering the following commands:

    /etc/init.d/novell-jcc start
    /etc/init.d/novell-tomcat5 start
    /etc/init.d/novell-vmc start
    /etc/init.d/novell-sslvpn start
    
  9. (Conditional) Repeat this process for each Linux Access Gateway that has been imported into the Administration Console.

Access Gateway Services

For each Access Gateway Service imported into the Administration Console, you must edit the config.xml file and the settings.properties file on the Access Gateway.

  1. At the Access Gateway Service, log in as the root or the Administrator user.

  2. Shut down all Access Gateway services.

    Linux: Enter the following commands:

    /etc/init.d/novell-jcc stop
    /etc/init.d/novell-tomcat5 stop
    /etc/init.d/novell-apache2 stop
    

    Windows: Click Control Panel > Administrative Tools > Services, then stop the following services:

    Apache Tomcat
    JCCServer
    

    Stopping Apache Tomcat causes Apache 2.2 to also stop.

  3. (Conditional) If your audit server was on the primary Administration Console, edit the config.xml file:

    1. Change to the directory and open the file.

      Linux: /var/opt/novell/tomcat5/webapps/agm/WEB-INF/config/current

      Windows: \Program Files\Novell\Tomcat\webapps\agm\WEB-INF\config\current

    2. Find the NsureAuditSetting entry.

      In the IPv4Address field, change the IP address from the failed Administration Console to the new primary Administration Console address.

    3. Save and exit.

  4. Edit the settings.properties file:

    1. Change to the directory and open the file.

      Linux: /opt/novell/devman/jcc/conf

      Windows: \Program Files\Novell\devman\jcc\conf

    2. Change the IP address in the remotemgmtip list from the IP address of the failed Administration Console to the address of the new primary Administration Console.

    3. Save and exit.

  5. At the Access Gateway Service, start all services by entering the following commands:

    Linux: Enter the following commands:

    /etc/init.d/novell-jcc start
    /etc/init.d/novell-tomcat5 start
    /etc/init.d/novell-apache2 start
    

    Windows: Click Control Panel > Administrative Tools > Services, then start the following services:

    Apache Tomcat
    JCCServer
    

    Starting Apache Tomcat causes Apache 2.2 to also start.

  6. (Conditional) Repeat this process for each Access Gateway Service that has been imported into the Administration Console.

Linux Identity Server

For each Linux Identity Server imported into the Administration Console, perform the following steps:

  1. Log in as the root user.

  2. Open a terminal window and shut down all services by entering the following commands:

    /etc/init.d/novell-jcc stop
    /etc/init.d/novell-tomcat5 stop
    
  3. Edit the settings.properties file:

    1. Enter:

      vi /opt/novell/devman/jcc/conf/settings.properties
      
    2. Change the IP address in the remotemgmtip list from the IP address of the failed Administration Console to the address of the new primary Administration Console.

    3. Enter :wq! to save and exit.

  4. Start the services by entering the following commands:

    /etc/init.d/novell-jcc start
    /etc/init.d/novell-tomcat5 start
    

Windows Identity Server

For each Windows Identity Server imported into the Administration Console, perform the following steps:

  1. Open a command prompt window and shut down all services by entering the following commands:

    net stop JCCServer

    net stop Tomcat5

  2. Edit the settings.properties file:

    1. Change to the following directory:

      Windows Server 2003: \Program Files\Novell\devman\jcc\conf

      Windows Server 2008: \Program Files (x86)\Novell\devman\jcc\conf

    2. Open the settings.properties file.

    3. Change the IP address in the remotemgmtip list from the IP address of the failed Administration Console to the address of the new primary Administration Console.

    4. Save your changes.

  3. Start the services by entering the following commands:

    net start JCCServer

    net start Tomcat5

Linux J2EE Agents

For each Linux J2EE agent imported into the Administration Console, perform the following steps:

  1. Log in as the root user.

  2. Open a terminal window and shut down all services by entering

    /etc/init.d/novell-jcc stop
    
  3. Edit the settings.properties file:

    1. Enter:

      vi /opt/novell/devman/jcc/conf/settings.properties
      
    2. Change the IP address in the remotemgmtip list from the IP address of the failed Administration Console to the address of the new primary Administration Console.

    3. Enter :wq! to save and exit.

  4. Start the services by entering

    /etc/init.d/novell-jcc start
    

Windows J2EE Agents

For each Windows J2EE agent imported into the Administration Console, you must perform the following steps:

  1. Log in as a user with administration rights.

  2. In the Control Panel, click Administrative Tools > Services.

  3. Select the JCCServer, then click Stop.

  4. In a text editor, open the settings.properties file in the JCC configuration directory:

    Windows Server 2003: \Program Files\Novell\devman\jcc\conf

    Windows Server 2008: \Program Files (x86)\Novell\devman\jcc\conf

  5. Change the IP address in the remotemgmtip list from the IP address of the failed Administration Console to the address of the new primary Administration Console.

  6. Save your changes and exit.

  7. In the Control Panel, click Administrative Tools > Services.

  8. Select the JCCServer, then click Start.

SSL VPN

For each SSL VPN component imported into the Administration Console, you must edit the config.xml file and the settings.properties file on the SSL VPN server and edit the current config and working config XML documents in the configuration store on the new primary Administration Console.

  1. At the SSL VPN machine, log in as the root user.

  2. Open a terminal window and shut down all services by entering the following commands:

    /etc/init.d/novell-jcc stop
    /etc/init.d/novell-tomcat5 stop
    /etc/init.d/novell-sslvpn stop
    
  3. Edit the config.xml file:

    1. Enter:

      vi /etc/opt/novell/sslvpn/config.xml
      
    2. Enter /DeviceManagerAddress, then press Enter.

    3. Change the IP address to that of the new primary Administration Console.

    4. Enter :wq! to save and exit.

  4. Edit the settings.properties file:

    1. Enter:

      vi /opt/novell/devman/jcc/conf/settings.properties
      
    2. Change the IP address in the remotemgmtip list from the IP address of the failed Administration Console to the address of the new primary Administration Console.

    3. Enter :wq! to save and exit.

  5. At the new primary Administration Console, open an LDAP browser and edit the CurrentConfig object of the SSL VPN.

    IMPORTANT: You should use an LDAP browser for the following steps, rather than iManager. iManager is slow at saving large files, and your iManager connection might time out before your modifications are saved.

    1. Browse to the following container: novell > accessManagerContainer > VCDN_Root > PartitionsContainer > Partition > AppliancesContainer.

      A list of devices appears. SSL VPN devices have an sslvpn prefix.

    2. Expand an SSL VPN container, then select the CurrentConfig object.

    3. Select the romaSSLVPNConfigurationXMLDoc attribute and open it.

    4. Copy the contents of the attribute to a text editor.

    5. Search for the <DeviceManagerAddress> element.

    6. Change the IP address of the <DeviceManagerAddress> element so that it matches the IP address of the new primary Administration Console.

    7. Copy the modified document in the text editor to the value field of the romaSSLVPNConfigurationXMLDoc attribute.

    8. Save your changes.

  6. At the new primary Administration Console, edit the WorkingConfig object of the SSL VPN container:

    Use an LDAP browser for these steps.

    1. Browse to the SSL VPN object by expanding the following containers: novell > accessManagerContainer > VCDN_Root > PartitionsContainer > Partition > AppliancesContainer.

      A list of devices appears.

    2. Expand the SSL VPN container, then select the WorkingConfig object.

    3. Select the romaSSLVPNConfigurationXMLDoc attribute and open it.

    4. Copy the contents of the attribute to a text editor.

    5. Search for the <DeviceManagerAddress> element.

    6. Change the IP address of the <DeviceManagerAddress> element so that it matches the IP address of the new primary Administration Console.

    7. Copy the modified document in the text editor to the value field of the romaSSLVPNConfigurationXMLDoc attribute.

    8. Save your changes.

  7. At the SSL VPN machine, start all services by entering the following commands:

    /etc/init.d/novell-jcc start
    /etc/init.d/novell-tomcat5 start
    /etc/init.d/novell-sslvpn start
    
  8. (Conditional) If the SSL VPN server is still not functioning, restart the Linux server by entering reboot.

  9. (Conditional) Repeat this process for each SSL VPN server that has been imported into the Administration Console.
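The LDAP-browser edits of the CurrentConfig and WorkingConfig documents in the Linux Access Gateway Appliances procedure (steps 6 and 7) and in the SSL VPN procedure (steps 5 and 6) change one or two elements inside a large XML document, and step 5 of the Access Gateway procedure asks you to confirm the <Local> address first. The following Python function is an added example, not Novell code: it applies that check before changing anything, updates only elements that still hold the failed console's address, and refuses to overwrite an element holding some other address (which usually means the wrong device's object was opened). The sample documents are constructed. The page names the Local, Remote, NsureAuditSetting and DeviceManagerAddress elements and an IPv4Address field, but the exact layout (the address as the text of an IPv4Address child, or of the element itself) and the root element names are assumptions. ElementTree drops XML comments and rewrites the prolog, so compare the output with the original before pasting it back into the attribute.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Elements the procedure says to change in each document type.
AG_TARGETS = ("Remote", "NsureAuditSetting")      # romaAGConfigurationXMLDoc
SSLVPN_TARGETS = ("DeviceManagerAddress",)        # romaSSLVPNConfigurationXMLDoc


def _ip_node(elem):
    """Return (label, node) where node.text holds the element's IP address.

    Assumption: the address is the text of an IPv4Address child when one
    exists, otherwise the text of the element itself."""
    child = elem.find("IPv4Address")
    if child is not None:
        return f"{elem.tag}/IPv4Address", child
    return elem.tag, elem


def migrate_config_doc(xml_text, targets, old_ip, new_ip, local_ip=None):
    """Point the target elements at new_ip; return (new XML text, labels changed).

    When local_ip is given, the <Local> element must hold it: this is the
    'am I editing the right device' check from the Access Gateway steps."""
    for ip in (old_ip, new_ip, local_ip):
        if ip is not None:
            ipaddress.IPv4Address(ip)  # fail fast on a mistyped address
    root = ET.fromstring(xml_text)

    if local_ip is not None:
        local = root.find(".//Local")
        if local is None:
            raise ValueError("no <Local> element; cannot confirm which device this document belongs to")
        _, node = _ip_node(local)
        if (node.text or "").strip() != local_ip:
            raise ValueError(f"<Local> holds {node.text!r}, expected {local_ip}: wrong device?")

    changed = []
    for tag in targets:
        for elem in root.iter(tag):
            label, node = _ip_node(elem)
            current = (node.text or "").strip()
            if current == new_ip:
                continue  # already migrated, nothing to do
            if current != old_ip:
                raise ValueError(f"{label} holds {current!r}, not {old_ip}; refusing to overwrite")
            node.text = new_ip
            changed.append(label)
    return ET.tostring(root, encoding="unicode"), changed


# Constructed sample documents; the structure is an assumption (see above).
SAMPLE_AG_DOC = """<AGConfiguration>
  <Local><IPv4Address>10.2.2.2</IPv4Address></Local>
  <Remote><IPv4Address>10.1.1.1</IPv4Address></Remote>
  <NsureAuditSetting><IPv4Address>10.1.1.1</IPv4Address></NsureAuditSetting>
</AGConfiguration>
"""
SAMPLE_SSLVPN_DOC = """<SSLVPNConfiguration>
  <DeviceManagerAddress>10.1.1.1</DeviceManagerAddress>
</SSLVPNConfiguration>
"""


if __name__ == "__main__":
    doc, changed = migrate_config_doc(SAMPLE_AG_DOC, AG_TARGETS,
                                      "10.1.1.1", "10.1.1.2", local_ip="10.2.2.2")
    print(changed)
    print(doc)
```

To use it, paste the attribute value into a file, run migrate_config_doc over its contents with AG_TARGETS (passing the appliance's own address as local_ip) or SSLVPN_TARGETS, check that the returned labels are the elements you expected to change, and paste the returned document back into the attribute.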

Old Primary Administration Console

After the secondary console has been promoted to be the primary console, uninstall the Administration Console software from the old primary Administration Console. Before uninstalling, make sure the machine is disconnected from the network. For instructions, see Uninstalling the Administration Console in the Novell Access Manager 3.1 SP4 Installation Guide.

If you want to use the old primary console as a secondary console, you need to first uninstall the Administration Console software. Connect the machine to the network, then reinstall the software, designating this console as a secondary console.

6.7.7 Enabling Backup on the New Primary Administration Console

If you installed your Administration Consoles using the 3.1 version of Access Manager, the backup utility is properly configured.

If you have upgraded the Linux Administration Consoles from 3.0 SP4 to 3.1, you need to modify the defbkparm.sh file before performing a backup.

  1. On the new primary Administration Console, change to the /opt/novell/devman/bin directory.

  2. Open the defbkparm.sh file and find the following lines:

    EDIR TREE=<tree_name>
    EDIR CA=<CA name>
    

    These lines contain values using the hostname of the Administration Console you are on.

  3. Modify these lines to use the hostname of the failed Administration Console.

    When you install the primary Administration Console, the EDIR TREE parameter is set to the hostname of the server with _tree appended to it. The EDIR CA parameter is set to the hostname of the server with _tree CA appended to it.

    If the failed Administration Console had amlab as its hostname, you would change these lines to have the following values:

    EDIR TREE="amlab_tree"
    EDIR CA="amlab_tree CA"
    
  4. Save your changes.

  5. Make a backup from your new primary Administration Console.

    WARNING: After configuring the secondary console to be the new primary console and performing all the cleanup steps, you cannot restore an old backup from the primary console.

    Make a new backup as soon as your new primary console is functional.