Migration Process Of NAM Components From SLES To RHEL


This article explains how to migrate NAM components (Primary AC, IDP and AG) from SLES to RHEL on NAM version 4.5SP2. Here I have migrated the AG service.

  • Migration is the process of moving existing data/servers (SLES) onto a new OS (RHEL servers).
  • During the migration process you can provide a new IP address and hostname or use an existing IP address and hostname.
  • In this document I have reused the same IP address and hostname during migration of NAM components (IDP and AG) from SLES to RHEL servers.
  • The steps followed to migrate NAM components (AC, IDP and AG) are described in detail in the sections below:

 

Steps followed to migrate the Admin Console (AC) are:

1. Take a backup of admin console configuration and also code promotion export of SLES.

 a.  Steps followed to backup SLES admin console configuration are:

  1. On the SLES primary Administration Console, change to the utility directory: /opt/novell/devman/bin
  2. Run the following command: ambkup.sh
  3. Specify the Access Manager administration password.
  4. Re-specify the password for verification.
  5. Specify a path where you want the backup files stored. Press Enter to use the default location. If the specified path does not exist, the backup script displays a message to confirm whether you want to create this location.
  6. Specify a password for encrypting and decrypting private keys, then re-specify it for verification. You must use the same password for both backup and restore.
  7. Press Enter.

NOTE:

  • After running the backup script, check the logs to verify that no errors occurred while running the backup script. The log file location is displayed at the end of the script execution.

Reference Link:

 https://www.netiq.com/documentation/access-manager-45/admin/data/b67rqn4.html

        

b. Steps followed to perform code promotion export on SLES are:

  1. Log in to the SLES Administration Console from where you want to export the configuration data.
  2. In the Administration Console, click Access Manager > Code Promotion.
  3. In the Code Promotion page, click Export Configuration.
  4. Based on your requirements, select the configuration to export:

Identity Server Configuration: Exports all clusters, shared settings, keystores, trust stores, and Identity Server policies. You can also select to export Identity Server customization files, if any.

Access Gateway Configuration: Exports proxy services, protected resources, and Access Gateway policies. You can also select to export Access Gateway customization files, if any. Code Promotion exports all Identity Server dependent configurations, such as contracts assigned to protected resources, even though you selected only Access Gateway configuration to export.

If you want to export customization files, select respective devices to export customization files.

NOTE:

  • If you saved a customization file at a location that is not a default location, ensure that you update the file name, directory name, and path before exporting the file.
  • Code Promotion does not support import or export of only custom files. 

  5. Click Next.

  6. (Optional) Specify a password to encrypt the archived configuration data file. You require this password to decrypt the ZIP file while importing configuration data into another environment.

  7. Click OK and save the file on your local system.

NOTE:

  • You can delete the exported configuration data by selecting the required configuration, then clicking Delete.

Reference Link:

https://www.netiq.com/documentation/access-manager-45/admin/data/b17u01zk.html

 

2. Fresh install of secondary admin console (RHEL) and import to primary admin console (SLES)

 

Pre-requisites of installing secondary admin console:

Administration Consoles must have their time synchronized. You can ensure this by configuring the machines to use the same network time server for time synchronization.

Installing RHEL secondary admin console:

  1. Download the 4.5SP2 software.
  2. Unzip the tar.gz file by using the following command:

            tar -xzvf <filename>

  3. To install a secondary console, answer No to the following prompt:

          Is this the primary administration server in a failover group?

  4. When prompted, specify the IP address of the SLES primary console.

  5. Continue with the installation process.

 After installing a secondary console, you might need to wait from 30 to 60 minutes before using it. The components query the primary console hourly for information about available consoles, and they reject commands from a console that is not in their approved list. You can force components to recognize the secondary console by restarting the Integration Agent on each Identity Server and Access Gateway with the following command:

    /etc/init.d/novell-jcc restart

Reference Link:

https://www.netiq.com/documentation/access-manager-45/admin/data/b13cjxu0.html

 

3. Promote secondary to the primary admin console. Now primary admin console is on RHEL.

 

Converting the RHEL secondary admin console to the Primary Admin Console:

 

  1. Copy the backup .zip file from the SLES Primary Admin Console to /tmp on the RHEL secondary admin console vm.
  2. If your SLES primary Administration Console is running, log in as the administrator and shut down the service:

          Start YaST, click System > System Services (Runlevel), then select to stop the ndsd service.

  3. Change the master replica as follows:

  • At the RHEL secondary Administration Console, log in as root.
  • Change to the /opt/novell/eDirectory/bin directory.
  • Run DSRepair with the following options:

           ndsrepair -P -Ad

  • Select the one available replica.
  • Select Designate this server as the new master replica.
  • Run ndsrepair -P -Ad again.
  • Select the one available replica.
  • Select View replica ring.
  • Select the name of the failed primary server.
  • Select Remove this server from replica ring.
  • Specify the DN of the admin user in leading dot notation. For example:

           admin.novell

  • Specify password.
  • Type I Agree when prompted.

4. Steps followed to restore CA certificates are:

  • Copy the backup .zip file from SLES Primary Admin Console to /tmp of RHEL secondary admin console vm.
  • Change to the backup bin directory in RHEL vm:

             /opt/novell/devman/bin

  • Verify the IP address in the backup file. The IP_Address parameter value should be the IP address of the new Primary Administration Console (RHEL).

           Open the backup file defbkparm.sh. Verify that the value in the IP_Address parameter is the IP address of your new primary console, then save the file.

  • Run the certificate restore script: sh aminst-certs.sh
  • When prompted, specify the administrator’s password and location of the backup files.

5. Verify whether the vcdn.conf file contains the IP address of the new Administration Console. If it contains the IP address of the failed primary Administration Console, replace it with the new IP address.

    Change to the Administration Console configuration directory:

    /opt/novell/devman/share/conf

    Run the following command in the command line interface to restart the Administration Console:

    /etc/init.d/novell-ac restart or rcnovell-ac restart

 

6. Steps followed to delete objects from the eDirectory configuration store:

  • Log in to the new Administration Console(RHEL), then click Auditing > Troubleshooting.
  • In the Other Known Device Manager Servers section, select the old primary Administration Console(SLES), then click Remove.
  • Remove traces of the failed primary Administration Console from the configuration datastore:
  1.     In the NetIQ Access Manager menu bar, select View Objects.
  2.     In the Tree view, select novell.
  3.     Delete all objects that reference the failed primary Administration Console(SLES).

7. On the IDP and AG vms, edit settings.properties to point to the new Primary Admin Console IP (RHEL).

  • On the Access Gateway service vm, run the command: /etc/init.d/novell-appliance stop
  • Open the file:

           /opt/novell/devman/jcc/conf/settings.properties

  • Change the IP address in the remotemgmtip list from the IP address of the failed Administration Console to the address of the new primary Administration Console.
  • Start the service by running the command: /etc/init.d/novell-appliance start
  • On the IDP vm, stop the services by running the commands: /etc/init.d/novell-jcc stop and /etc/init.d/novell-idp stop
  • Open the file /opt/novell/devman/jcc/conf/settings.properties

           Change the IP address in the remotemgmtip list from the IP address of the failed Administration Console to the address of the new primary Administration Console.

  • Start the services by running the commands: /etc/init.d/novell-jcc start and /etc/init.d/novell-idp start
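
As an added example (not from the original article or the NetIQ documentation), the remotemgmtip edit in step 7 can be scripted so that only the exact old address is replaced and a copy of the file is kept for rollback. It assumes the entry has the form remotemgmtip=<ip>,<ip>,...; the function names and the sample addresses are constructed for illustration. Run it between the stop and start commands listed above.

```sh
#!/bin/sh
# Added example: replace one address in the remotemgmtip list of a JCC
# settings.properties file. Assumed format: remotemgmtip=<ip>,<ip>,...

# update_remotemgmtip OLD_IP NEW_IP FILE
# Returns 0 if replaced, 1 if OLD_IP is not in the list, 2 on bad arguments.
update_remotemgmtip() {
    local old="$1" new="$2" file="$3" tmp
    [ -n "$old" ] && [ -n "$new" ] && [ -f "$file" ] || return 2
    # Timestamped copy so the edit can be rolled back.
    cp -p "$file" "$file.bak.$(date +%Y%m%d%H%M%S)" || return 2
    tmp="$(mktemp "$file.XXXXXX")" || return 2
    # Touch only the remotemgmtip line and compare whole list entries, so
    # 192.0.2.1 never matches inside 192.0.2.11. awk exits 1 if nothing changed.
    if awk -v old="$old" -v new="$new" '
        /^[ \t]*remotemgmtip[ \t]*=/ {
            eq = index($0, "=")
            n = split(substr($0, eq + 1), ips, ",")
            out = ""
            for (i = 1; i <= n; i++) {
                ip = ips[i]
                gsub(/^[ \t]+|[ \t]+$/, "", ip)
                if (ip == old) { ip = new; changed = 1 }
                out = out (i > 1 ? "," : "") ip
            }
            print substr($0, 1, eq) out
            next
        }
        { print }
        END { exit (changed ? 0 : 1) }
    ' "$file" > "$tmp"; then
        # Write back in place so owner and mode of the original are kept.
        cat "$tmp" > "$file" && rm -f "$tmp"
    else
        rm -f "$tmp"
        return 1
    fi
}

# Print the current remotemgmtip value of FILE.
current_remotemgmtip() {
    sed -n 's/^[[:space:]]*remotemgmtip[[:space:]]*=[[:space:]]*//p' "$1"
}

# Demo on a constructed file (documentation addresses, not a real NAM host).
demo() {
    dir="$(mktemp -d)" || return 2
    printf '%s\n' '# constructed sample' \
        'remotemgmtip=192.0.2.1,192.0.2.11' > "$dir/settings.properties"
    update_remotemgmtip 192.0.2.1 192.0.2.20 "$dir/settings.properties" || return 1
    current_remotemgmtip "$dir/settings.properties"
    rm -rf "$dir"
}
```

A return code of 1 means the old address was not in the list, which is worth investigating before restarting the services.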

Reference Link:

 https://www.netiq.com/documentation/access-manager-45/admin/data/b5jjez3.html#b6uey7n

 

4. If there are other Secondary Admin Consoles in the system (SLES), delete them from the Primary Admin Console.

1. Log in to the new Administration Console (RHEL), then click Auditing > Troubleshooting.

2. In the Other Known Device Manager Servers section, select the other Secondary Admin Console in the system (SLES), then click Remove.

 

5.  Uninstall the Secondary Admin Console.

1.  Unzip the 4.5SP2 downloaded tar.gz file by using the following command:

      tar -xzvf <filename>

2.   Log in as the root user or equivalent.

3.  At the command prompt of the Access Manager directory, enter the following:

    ./uninstall.sh

4.  Specify option 6 to uninstall all products or specify Q to quit without uninstalling.

Reference Link:

 https://www.netiq.com/documentation/access-manager-45/install_upgrade/data/b4gzy75.html

 

Steps followed to migrate the Identity Server (IDP) are:

1. Take backup of the customized files.

Already taken in step 1 of the steps followed to migrate the Admin Console.

(Take a backup of admin console configuration and also code promotion export of SLES.)

 

2. Remove one of the Identity servers (SLES) from the cluster and shut it down.

 Follow the process below on the new Primary Administration Console (RHEL). The current Identity Server is the one installed on SLES.

 a. Deleting Identity Server References

  • In Administration Console, click Devices > Identity Servers.
  • Select Identity Server that you want uninstalled, then click Stop.
  • Wait for its health to turn red, then select the server and click Actions > Remove from Cluster.
  • Update the cluster configuration.
  • Select Identity Server that you are going to uninstall, then click Actions > Delete.

 b. Shut down the Identity Server on SLES

Power off the SLES IDP vm from the vSphere client so that we can use the same IP and hostname during the fresh IDP installation on the RHEL vm.

Reference Link:

https://www.netiq.com/documentation/access-manager-45/install_upgrade/data/b6fxuma.html

 

3. Do a fresh install of Identity Server on RHEL with same IP address and hostname of SLES vm.

  • Open a terminal window.
  • Log in as a root user.
  • Set the hostname to that of the SLES IDP vm.
  • Set the IP address to that of the SLES IDP vm.
  • Download the 4.5SP2 tar.gz file, unzip the file by using the following command:

           tar -xzvf <filename>

  • Change to the novell-access-manager directory.
  • At the command prompt, run the following install script:

          ./install.sh

  • Refer to the reference link for the installation process of the IDP server.

Reference Link:

https://www.netiq.com/documentation/access-manager-45/install_upgrade/data/b13cvadg.html

 

4. Add Identity Server to the existing Identity Server Cluster in the Admin Console.

  • Click Devices > Identity Servers.
  • On the Servers page, select the server’s check box.

           You can select all displayed servers by selecting the top-level Server check box.

  • Click Actions > Assign to Cluster.
  • Select the configuration’s check box, then click Assign.

          You are prompted to restart Tomcat. The status icon for Identity Server must turn green. It might take several seconds for Identity Server to start and for the system to display the green icon.

  • Update the Identity Server and apply changes.

Reference Link:

https://www.netiq.com/documentation/access-manager-45/admin/data/b13e0zob.html#b1in6ego

NOTE:

  • The above steps should be repeated until all the Identity Servers are moved to RHEL.
  • The restore process is done after the Access Gateway Service (AG) has been migrated as well.
  • After IDP migration from SLES to RHEL, check that you are able to do IDP login/logout successfully.
  • After IDP migration, check that any configuration change you make in IDP can be applied with an update and is retained in the Admin Console UI.

 

Steps followed to migrate the Access Gateway Service (AG) are:

1. Back up any files you have customized and note down the IP address and the hostname of the Access Gateway Service vm (SLES).

Already taken in step 1 of the steps followed to migrate the Admin Console.

(Take a backup of admin console configuration and also code promotion export of SLES.)

 

2. Shutdown Access Gateway Service (SLES).

Go to the vSphere client and power off the Access Gateway Service vm, since we are going to use the same IP during the fresh installation of the AG service on the RHEL vm.

 

3. Install the Access Gateway Service(RHEL) with the SLES IP Address and hostname noted earlier.

  • Set the hostname of the RHEL AG vm to that of the SLES vm.
  • Set the IP address of the RHEL AG vm to that of the SLES vm.
  • Now perform a fresh install of the AG service on the RHEL vm:
  1.       Download and extract the 4.5SP2 NAM on the AG vm.
  2.       Start installation by running the following script:

                ./ag_install.sh

  3.       Follow the reference link for installation of the AG service.

Reference Link:

 https://www.netiq.com/documentation/access-manager-45/install_upgrade/data/b13cxe6h.html

 

4. Restore customized files.

This is explained in detail in the next section.

NOTE:

  • After migration of the AG service from SLES to RHEL, check that you are able to access the Protected Resource.
  • After migration of the AG service from SLES to RHEL, check that any configuration change you make in the AG can be applied with an update of the AG service and is retained in the Admin Console UI.

 

Steps followed to restore customized files for the Identity Server and Access Gateway Service are:

You can import the configuration data either for Identity Server or for Access Gateway at one time. You need to repeat the process to import the configuration data of each component.

Import the configuration data only on the primary Administration Console. Importing the configuration data includes the following actions:

1. Uploading Configuration File to Import

  • Log in to Administration Console where you want to import the configuration data.
  • In Administration Console Dashboard, click <user name> at the top right of the page and then click Code Promotion.
  • In the Code Promotion page, click Import Configuration.
  • Click Browse to import the configuration file.
  • In Decryption Password, specify the password that you used to encrypt the configuration data file. You need this password to extract the contents of the configuration file.
  • (Optional) Select Backup current configuration before import and Backup customization files. This backup helps to roll back your changes if needed.
  • Click Next.

2.  Selecting the component to import the configuration data

  • Under Select Configuration To Import, select the option you need based on your requirements.
  • Identity Server Configuration: Select this option to import Identity Server configuration data. Also Select Customization Files on Devices to import Identity Server customization files.
  • Access Gateway Configuration: Select this option to import Access Gateway configuration data. Also Select Customization Files on Devices to import Access Gateway customization files.
  • Click Next.

3. Importing Identity Server Configuration data

  • In a Clusters To Import, select a cluster to configure import settings.
  • Select an action for the selected cluster from Import Action.

          Import As New Cluster: Select this option if you want to import the cluster as a new cluster. Ensure that the new cluster name is different from the existing cluster names defined on that system.

         Overwrite Existing Cluster: Select this option if you want to overwrite the existing cluster with the selected cluster. [We will basically go with this option.]

NOTE: You need to configure the import action for each cluster separately. If the cluster you want to import has only one user store, Code Promotion maps the user store to the default user store of the existing cluster. If the cluster you are importing has multiple user stores, then you must specify how to map them to the user stores of the existing cluster.

  • Click Next.
  • Update IDP.
  • Check that the custom files are pushed to the RHEL IDP server.
  • Also check that IDP is configured properly, with all the configurations it had on the SLES IDP vm.

 

4. Importing Access Gateway Configuration data

  • The Code Promotion page displays the entire list of proxy services and protected resources from the source setup. Select the proxy services and protected resources that you want to import. In this case, since we have used the same IP and hostname as the SLES vm, we select all of them because the configuration will already be there.
  • Click Next.
  • Just verify the configuration without overwriting anything.
  • Wait for the import to complete.
  • Update the AG service vm and, in response, the IDP vm as well.
  • Check that the customized files got pushed to the RHEL AG service vm.
  • Also check that all the configurations for the Access Gateway are intact.

Reference Link:

https://www.netiq.com/documentation/access-manager-45/admin/data/b17u01zl.html

 

 

 
