In this Open Lab we will configure the Identity Server, the LDAP user store, and the Device Manager (iManager embedded eDirectory).
This Open Lab builds on the configured NAM_all_in_one (see previous Open Labs 1 and 2).
NAM Open Lab, Part1
http://www.novell.com/coolsolutions/feature/18441.html
NAM Open Lab, Part 2
http://www.novell.com/coolsolutions/appnote/18605.html
What You Need
A configured NAM_all_in_one (see previous Open Labs 1 and 2)
1. Go to the NAM_all_in_one virtual machine.
2. If you have not already done so, adapt the /etc/hosts file on the host and guest to contain the dns names of the systems in use, as follows:
127.0.0.1 localhost
172.17.2.111 www.utopia.com NAMbox1 NAMbox1.Utopia.com
172.17.2.91 core.sim.utopia.novell.com core (optional)
3. Open a browser and go to: http://www.utopia.com:8080/nps.
Devicemanager (a dedicated version of iManager) should come up. It will automatically redirect to https://www.utopia.com:8443/nps/servlet/webacc
The SSLVPN should be green. The Access Gateway should turn green after a few minutes, and the Identity Server will be red because it is not configured yet.
Figure 1 - Access Manager status lights
4. Click Identity Servers > Setup > New.
5. Set the Name as "utopia-IDPa".
6. Set the Base URL to "http://www.utopia.com:8080/nidp".
7. Click Next.
8. Specify the Organization (mandatory, but for reference only).
9. Set both the Name and the Display Name to "utopia-IDPa".
10. Set the URL to "www.utopia.com".
11. Specify the initial User Store. If you have enough hardware, you can use the Identity Vault of the Utopia system. If you prefer to keep it slim, then you can use the embedded eDirectory of Novell Access Manager.
Name: Embedded user store
Admin name: cn=admin,o=novell
Admin password: novell
Confirm pw: novell
Directory Type: eDirectory
12. Specify the server replicas:
New
Name: Utopia User Store
IP Address: 172.17.2.111
Check: Use Secure LDAP connections
Figure 2 - Server replica information
13. Select "Auto import trusted root" and click OK.
14. Name it Utopia_LDAP_troot and click OK twice.
15. Specify the search contexts:
New
Search context: o=novell
Scope: Subtree
16. Click Finish.
17. Go to the Servers tab.
18. Specify 172.17.2.111 and select Actions > Assign to configuration.
19. In the next screen, select "utopia-IDPA".
Figure 3 - Selecting the utopia-IDPA server
20. Click Assign.
Figure 3a - Assigning the utopia-IDPA server to the configuration
1. From a terminal connection to 172.17.2.111, stop Tomcat. Or, you can first open a separate terminal to trace Tomcat by running "tail -f /var/opt/novell/tomcat4/logs/catalina.out" at that terminal.
NAMbox1:~ # /etc/init.d/novell-tomcat4 stop
Stopping tomcat4: Using CATALINA_BASE: /var/opt/novell/tomcat4
Using CATALINA_HOME: /var/opt/novell/tomcat4
Using CATALINA_TMPDIR: /var/opt/novell/tomcat4/temp
Using JAVA_HOME: /opt/novell/java
waiting for processes to exit
NAMbox1:~ # /etc/init.d/novell-tomcat4 stop
Stopping tomcat4: /etc/init.d/novell-tomcat4: line 143: success: command not found
2. Verify whether there were any errors while stopping Tomcat:
cat /var/opt/novell/tomcat4/logs/catalina.out
Errors may be ignored, because the configuration was not done yet.
3. If catalina.out reports "Device Manager license manager stopped", then restart Tomcat:
/etc/init.d/novell-tomcat4 start
Starting tomcat4: Using CATALINA_BASE: /var/opt/novell/tomcat4
Using CATALINA_HOME: /var/opt/novell/tomcat4
Using CATALINA_TMPDIR: /var/opt/novell/tomcat4/temp
Using JAVA_HOME: /opt/novell/java
4.. Verify whether there were any errors while starting Tomcat:
cat /var/opt/novell/tomcat4/logs/catalina.out
I always see the following error; it might have to do with the fact that we run everything on one box, and that is not supported:
ServerLifecycleListener: createMBeans: Throwable
javax.management.InstanceAlreadyExistsException: Catalina:type=Connector,service=Tomcat-Standalone,port=0,address=null
5. Verify your Access Manager status by going to the Device Manager console and selecting Access Manager > Overview. The Identity Server should be green.
6. Test the IDP by checking the IDP login: browse to "http://www.utopia.com:8080/nidp".
Figure 4 - Testing the IDP
You should be able to log in with any user from the users' container in Utopia
(e.g.: ablake / novell). What you see is the so-called "user application" of Access Manager.
Figure 5 - Access Manager "user application"
Note that the admin user is in o=system, and that is out of the search scope that we defined.
7. Check the IDP's metadata by browsing to "http://www.utopia.com:8080/nidp/idff/metadata". You should see an XML blob that is the IDP's metadata.
Figure 6 - Checking the IDP metadata
Problem 1: Unable to complete request at this time. Cause/Code: 300101037
If this condition persists, please contact your network administrator.
Figure 7 - Error: Unable to complete request
Solution: Slow down, close the browser, wait a moment, and try again.
Problem 2: The Identity Server does turn green.
Solution: Click on the red cross and check the error.
Figure 8 - Checking the error
In this example we used the Utopia user store, but there seems to be an error in the communication.
Figure 9 - Communication error
a) Using an LDAP browser, can you login to the eDirectory that runs on the Utopia VM?
Figure 10 - Checking eDirectory login for Utopia VM
b) Check the IDP configuration: did you make any typos?
c) Go to Identity servers > Utopia-IDPa > Local tab > Utopia User Store > Check IP addresses, ports. Did you import the trusted root certificate, and are the admin user, his context, and his password OK?
d) Set up tracing on eDirectory (see previous lab) and find the error message.
Problem 3: The Identity Server may not be current. The status says "Update Servers".
Figure 11 - Identity Server is not current
When the Identity Server is up to date, the status will say "Current," and the text will not be clickable.
Figure 12 - Identity Server is current
Support
Documentation
Learning Services
Partner Programs