Migration Process of NAM Components From SLES to RHEL
This article explains how to migrate NAM components (Primary AC, IDP and AG) from SLES to RHEL on NAM version 4.5SP2. Here I have migrated AG service.
Steps followed to migrate the Admin Console (AC) are:
1. Take a backup of admin console configuration and also code promotion export of SLES.
a. Steps followed to backup SLES admin console configuration are:
NOTE:
Reference Link:
https://www.netiq.com/documentation/access-manager-45/admin/data/b67rqn4.html
b. Steps followed to perform code promotion export on SLES are:
Identity Server Configuration: Exports all clusters, shared settings, keystores, trust stores, and Identity Server policies. You can also select to export Identity Server customization files, if any.
Access Gateway Configuration: Exports proxy services, protected resources, and Access Gateway policies. You can also select to export Access Gateway customization files, if any. Code Promotion exports all Identity Server dependent configurations, such as contracts assigned to protected resources, even though you selected only Access Gateway configuration to export.
If you want to export customization files, select respective devices to export customization files.
NOTE:
e. Click Next.
f. (Optional) Specify a password to encrypt the archived configuration data file. You require this password to decrypt the ZIP file while importing configuration data into another environment.
g. Click OK and save on your local system.
NOTE:
Reference Link:
https://www.netiq.com/documentation/access-manager-45/admin/data/b17u01zk.html
2. Fresh install of secondary admin console (RHEL) and import to primary admin console (SLES)
Pre-requisites of installing secondary admin console:
Administration Consoles must have their time synchronized. You can ensure this by configuring the machines to use the same network time server for time synchronization.
Installing RHEL secondary admin console:
tar -xzvf <filename>
c. To install a secondary console, answer No to the following prompt:
Is this the primary administration server in a failover group?
d. When prompted, specify the IP address of the SLES primary console.
e. Continue with the installation process.
After installing a secondary console, you might need to wait from 30 to 60 minutes before using it. The components query the primary console hourly for information about available consoles, and they reject commands from a console that is not in their approved list. You can force components to recognize the secondary console by restarting the Integration Agent on each Identity Server and Access Gateway with the following command:
/etc/init.d/novell-jcc restart
Reference Link:
https://www.netiq.com/documentation/access-manager-45/admin/data/b13cjxu0.html
3. Promote secondary to the primary admin console. Now primary admin console is on RHEL.
Converting the RHEL secondary admin console to the Primary Admin Console:
Start YaST, click System > System Services (Runlevel), then select to stop the ndsd service.
3. Change the master replica using the following steps:
ndsrepair -P -Ad
admin.novell
4. Steps followed to restore CA certificates are:
/opt/novell/devman/bin
Open the backup file defbkparm.sh. Verify that the value in the IP_Address parameter is the IP address of your new primary console, then save the file.
5. Verify whether the vcdn.conf file contains the IP address of the new Administration Console. If it contains the IP address of the failed primary Administration Console, replace it with the new IP address.
Change to the Administration Console configuration directory:
/opt/novell/devman/share/conf
Run the following command in the command line interface to restart the Administration Console:
/etc/init.d/novell-ac restart or rcnovell-ac restart
6. Steps followed to delete objects from the eDirectory Configuration Store
7. On the IDP and AG VMs, edit settings.properties to show the new Primary Admin Console IP (RHEL)
/opt/novell/devman/jcc/conf/settings.properties
Change the IP address in the remotemgmtip list from the IP address of the failed Administration Console to the address of the new primary Administration Console.
Reference Link:
https://www.netiq.com/documentation/access-manager-45/admin/data/b5jjez3.html#b6uey7n
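An added example, not part of the original article or of NetIQ's tooling: a POSIX shell helper for step 7 that swaps the old console address in the remotemgmtip list and then confirms that no whole-address reference to it remains (the same check can be pointed at vcdn.conf from step 5). The function names and the single-line, comma-separated remotemgmtip= format are assumptions.

```shell
#!/bin/sh
# Added example. Assumes settings.properties holds one line of the form
#   remotemgmtip=<ip>,<ip>,...

# stale_ip_lines FILE IP: print lines still holding IP as a whole address.
# Returns 0 if any are found, so 10.0.0.1 does not match 10.0.0.10.
stale_ip_lines() {
    pat=$(printf '%s' "$2" | sed 's/\./\\./g')
    grep -nE "(^|[^0-9.])${pat}([^0-9.]|\$)" "$1"
}

# replace_remotemgmtip FILE OLD_IP NEW_IP: keep a .bak copy, then rewrite
# only the remotemgmtip line, comparing list entries exactly.
replace_remotemgmtip() {
    file=$1 old=$2 new=$3
    [ -f "$file" ] || { echo "missing: $file" >&2; return 2; }
    cp -p "$file" "$file.bak" || return 2
    awk -v old="$old" -v new="$new" '
        /^[ \t]*remotemgmtip[ \t]*=/ {
            eq = index($0, "=")
            key = substr($0, 1, eq)
            n = split(substr($0, eq + 1), ip, ",")
            out = ""
            for (i = 1; i <= n; i++) {
                gsub(/^[ \t]+|[ \t]+$/, "", ip[i])
                if (ip[i] == old) ip[i] = new
                # Skip an entry already emitted, so the new console
                # address is not listed twice.
                if (!(ip[i] in seen)) {
                    seen[ip[i]] = 1
                    out = out (out == "" ? "" : ",") ip[i]
                }
            }
            print key out
            next
        }
        { print }
    ' "$file.bak" > "$file" || { cp -p "$file.bak" "$file"; return 1; }
}

# Usage: sh fix_remotemgmtip.sh OLD_IP NEW_IP [FILE]
if [ "$#" -ge 2 ]; then
    f=${3:-/opt/novell/devman/jcc/conf/settings.properties}
    replace_remotemgmtip "$f" "$1" "$2" && ! stale_ip_lines "$f" "$1"
fi
```

The script exits non-zero and prints the offending lines if the old address is still present after the edit; restart the Integration Agent afterwards as described in the secondary console installation step.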
4. If there are other Secondary Admin Consoles in the system (SLES), delete them from the Primary Admin Console.
1. Log in to the new Administration Console (RHEL), then click Auditing > Troubleshooting.
2. In the Other Known Device Manager Servers section, select the other Secondary Admin Consoles in the system (SLES), then click Remove.
5. Uninstall the Secondary Admin Console.
1. Unzip the 4.5SP2 downloaded tar.gz file by using the following command:
tar -xzvf <filename>
2. Log in as the root user or equivalent.
3. At the command prompt of the Access Manager directory, enter the following:
./uninstall.sh
4. Specify option 6 to uninstall all products or specify Q to quit without uninstalling.
Reference Link:
https://www.netiq.com/documentation/access-manager-45/install_upgrade/data/b4gzy75.html
Steps followed to migrate the Identity Server (IDP) are:
1. Take backup of the customized files.
Already taken in step 1 of "Steps followed to migrate the Admin Console"
(Take a backup of admin console configuration and also code promotion export of SLES.)
2. Remove one of the Identity servers (SLES) from the cluster and shut it down.
Follow the process below on the new Primary Administration Console (RHEL). Current Identity Server will be installed on SLES.
a. Deleting Identity Server References
b. Shut down the Identity Server on SLES
Power off the SLES IDP VM from the vSphere client so that we can use the same IP and hostname during the fresh IDP installation on the RHEL VM.
Reference Link:
https://www.netiq.com/documentation/access-manager-45/install_upgrade/data/b6fxuma.html
3. Do a fresh install of Identity Server on RHEL with the same IP address and hostname as the SLES VM.
tar -xzvf <filename>
./install.sh
Reference Link:
https://www.netiq.com/documentation/access-manager-45/install_upgrade/data/b13cvadg.html
4. Add Identity Server to the existing Identity Server Cluster in the Admin Console.
You can select all displayed servers by selecting the top-level Server check box.
You are prompted to restart Tomcat. The status icon for Identity Server must turn green. It might take several seconds for Identity Server to start and for the system to display the green icon.
Reference Link:
https://www.netiq.com/documentation/access-manager-45/admin/data/b13e0zob.html#b1in6ego
NOTE:
Steps followed to migrate the Access Gateway Service (AG) are:
1. Back up any files you have customized and note down the IP address and the hostname of the Access Gateway Service VM (SLES).
Already taken in step 1 of "Steps followed to migrate the Admin Console"
(Take a backup of admin console configuration and also code promotion export of SLES.)
2. Shut down the Access Gateway Service (SLES).
Go to the vSphere client and power off the Access Gateway Service VM, since we are going to use the same IP during the fresh installation of the AG service on the RHEL VM.
3. Install the Access Gateway Service (RHEL) with the SLES IP address and hostname noted earlier.
./ag_install.sh
c. Follow the reference link for installation of AG service.
Reference Link:
https://www.netiq.com/documentation/access-manager-45/install_upgrade/data/b13cxe6h.html
4. Restore customized files.
This is explained in detail in the next section.
NOTE:
Steps followed to restore customized files for Identity Server and Access Gateway Service are:
You can import the configuration data for either Identity Server or Access Gateway at one time. You need to repeat the process to import the configuration data of each component.
Import the configuration data only on the primary Administration Console. Importing the configuration data includes the following actions:
1. Uploading Configuration File to Import
2. Selecting the component to import the configuration data
3. Importing Identity Server Configuration data
Import As New Cluster: Select this option if you want to import the cluster as a new cluster. Ensure that the new cluster name is different from the existing cluster names defined on that system.
Overwrite Existing Cluster: Select this option if you want to overwrite the existing cluster with the selected cluster. [This is the option used for this migration.]
NOTE: You need to configure the import action for each cluster separately. If the cluster you want to import has only one user store, Code Promotion maps the user store to the default user store of the existing cluster. If the cluster you are importing has multiple user stores, then you must specify how to map them to the user stores of the existing cluster.
4. Importing Access Gateway Configuration data
Reference Link:
https://www.netiq.com/documentation/access-manager-45/admin/data/b17u01zl.html