Configuring Business Continuity Cluster (BCC) and IDM for Multiple eDir Trees on OES 2 SP1 Linux

 

Author : Sanjeev Gupta


This AppNote provides a procedure for configuring Novell Business Continuity Cluster (BCC) and Identity Manager in a multiple eDir tree environment.



Table of Contents



1. Introduction

2. Requirements and assumptions

3. Installing and configuring BCC software in single eDir tree

4. Installing and configuring IDM on second tree

    4.1 Creating Cluster Resource Synchronization driver

    4.2 Creating User Object Synchronization driver

    4.3 Creating certificates for Cluster Resource Synchronization driver and User Object Synchronization driver

    4.4 Starting Drivers and enable BCC on cluster on second tree

5. Add peer cluster credentials

6. Add search-and-replace values to the cluster replacement script

7. References



1. Introduction



BCC: Novell Business Continuity Cluster Services software is an integrated set of tools to automate the setup and maintenance of a business continuity infrastructure.



It automates business continuity cluster configuration, maintenance, and synchronization by adding specialized software.



Novell Business Continuity Cluster software creates a cluster of clusters, which provides the ability to failover selected or all cluster resources from one cluster to other clusters at separate geographic sites.



Note: BCC 1.2 on Linux doesn’t officially support multi-tree deployment. Please verify support in the documentation before configuring this in your production setup. I did this setup on the beta builds to write this document.



Identity Manager 3.6: Novell Identity Manager 3.6 is a comprehensive identity management suite. It allows organizations to manage the full user lifecycle, from initial hire, through ongoing changes, to ultimate retirement of the user relationship. Identity Manager includes capabilities for automated provisioning and de-provisioning of user accounts, approval workflows, managing passwords, and managing user data throughout your organization's directories, applications, databases, and OS platforms. Through streamlined user administration and processes, Identity Manager helps organizations reduce management costs, increase productivity and security, and comply with government regulations.



2. Requirements and assumptions



  1. Two separate installations of Novell eDirectory trees.

  2. At least one OES2 SP1 cluster configured and running in each eDir tree.

  3. Each cluster has at least one 32-bit SLES10-OES2 SP1 machine for installing and configuring Identity Manager. Note: IDM is currently not supported on 64-bit platforms.

  4. Shared or mirrored storage is already configured between the clusters in both eDir trees using SAN or iSCSI technologies.

  5. BCC software is already installed and configured on each node of the clusters in both eDir trees.

  6. Identity Manager software is already installed on one node in each cluster of both eDir trees.



The setup I am using to write this application note looks like the diagram below.





3. Installing and configuring BCC software in single eDir tree


To learn about how to configure BCC in single tree environment, you can refer to another "AppNote" available at location:
http://www.novell.com/communities/node/6347/setting-business-continuity-cluster-bcc-single-edirectory-tree-using-oes-2-linux-servers.

4. Installing and configuring IDM on second tree


Configuring BCC for more than one eDir tree requires the following steps.



  1. Set up clusters on both trees.

  2. Install BCC software on all the cluster nodes.

  3. Install Identity Manager software on one node in each cluster.

  4. Create a bcc administrator user and group on each tree.

  5. LUM-enable the bcc administrator user for all cluster nodes and add the user to ncsgroup.

  6. Configure and start the bcc service on all the cluster nodes.

  7. Create a Cluster Resource Synchronization driver on the IDM of each tree for synchronizing cluster resources between trees.

  8. Create a User Object Synchronization driver on the IDM of each tree for synchronizing user objects between trees.

  9. Create NDS-to-NDS certificates for each driver in all the eDir trees.

  10. Provide cluster peer credentials.

  11. Enable pools and resources for BCC as required.




4.1 Creating Cluster Resource Synchronization driver




  1. In a browser window, load iManager from the 32-bit server in your new tree "BCC2" which has IDM installed. You can access iManager by opening "https://<i.p of server>/nps".

  2. Login to "BCC2" by providing the admin username, password and tree name in the iManager login window.

  3. After logging into the tree using iManager, click the "Identity Manager Administration" icon at the top of the window to open the Identity Manager administration page.

  4. In the administration section, click the "Identity Manager Overview" link.

  5. On the "Driver Sets" tab, click New to start creating a new driver set.

  6. Enter a name for the driver set you wish to create and select a container in the eDir tree where you wish to create it. I am creating a driver set with the name "provo_driverset" in the same ou where my cluster object exists, "provo.novell".

  7. Un-check "Create a new partition on this driver set" and click OK.

  8. You will be taken to a new window showing the contents of the newly created driver set "provo_driverset". On this page, click Drivers and click Add Driver in the pop-up menu.

  9. On the next page, select the driver set you just created in the "an existing driver set" box if it is not selected automatically, and click Next.

  10. Click the object selector button to specify the DN of the server in this cluster that has IDM 3.6 installed on it, then click Next to continue.

  11. Click the "Show" drop-down menu, select "All Configurations", then select "BCCClusterResourceSynchronization.xml" from the Configurations drop-down menu. Click Next.

  12. On the Import Configuration page, enter values for the fields as below.

      • Driver name: Choose a name for your driver, e.g. tree2-tree1-sync.

      • Name of SSL Certificate: To find this certificate, click View Objects and click the Organization object; in the right-hand pane you can see the certificate object with this name, e.g. SSL CertificateDNS.

      • DNS name of other IDM node: Enter the IP address of the master IDM server with which you wish this driver to synchronize. In my setup it is "164.99.182.20" in my first eDir tree, i.e. "BCC1".

      • Port number for this driver: Each driver pair in IDM sync must use a common port number for synchronization. Use an unused port; the default is 2002.
        Note: Make sure that you open this port in the firewall of the IDM node.

      • Full Distinguished Name (DN) of the cluster this driver services: Type it, or browse using the object selector button and select the current cluster, i.e. the cluster this IDM node is part of, e.g. cluster_provo.provo.novell.

      • Fully Distinguished Name (DN) of the landing zone container: Enter the container where the cluster pool and volume objects from the other cluster will be placed when they are synchronized to this cluster. Generally it is best to use the same container where your cluster objects and nodes exist in eDir. In my case it is "provo.novell".

  13. Wait for some time and you will be shown the next screen, where you need to configure security equivalence for the driver.

  14. Click the "Define Security Equivalences" button to bring up the Security Equals wizard.

  15. Select the bcc-administrator user created earlier ("bccadmin"), or any other desired user, for security equivalence and click Apply. Click OK to return to the Import Configuration page.

  16. Click Next, then click Finish to complete the configuration and exit the IDM configuration wizard; you will land on the "Driver Set Overview" page.

  17. Click the icon of the just-created IDM driver to get a window asking you to convert the driver to the new architecture. Click OK to accept.

    Important: Repeat all the above steps on the first eDir tree, i.e. "BCC1", using the IDM master node and create a similar driver on the "BCC1" tree. Make sure that you use the same port number for this pair of drivers.







4.2 Creating User Object Synchronization driver



For multi tree setups, we need to add a BCC user synchronization driver too. This driver will take care of synchronizing users between both eDir trees and ensure that users can access the resources even when resources failover between trees.



To create this driver on our new tree "BCC2", launch iManager from the server hosting IDM on "BCC2" and login to the tree.




  1. Load iManager from the IDM server in your second tree "BCC2" and login by providing the admin username, password and tree name in the iManager login window.

  2. At the top of the iManager window, click the "Identity Manager Administration" icon to open the Identity Manager administration page.

  3. In the administration section, click the "Identity Manager Overview" link.

  4. Click the Driver Sets tab to see the driver sets already existing in the tree (the one we created above).

  5. Click the driver set to view the driver we created above.

  6. From the "Drivers" drop-down menu, click "Add Driver".

  7. Choose the option "In an existing driver set" to create a new driver in the existing driver set and click Next.

  8. Click the Show drop-down menu, select All Configurations, then select BCCUserObjectSynchronization.xml in the Configurations drop-down menu. Click Next.

  9. On the eDirectory Driver page, enter values for the fields:

      • Driver name: Provide a unique name for your new driver for easy identification. I have given the driver the name bcc2-bcc1-usersync.

      • Remote Tree Address and Port: Enter the DNS name or IP address of the IDM node in the first eDir tree and an unused port number for this communication, e.g. 2008.
        Note: Make sure that you open this port in the firewall of the IDM node.

      • Base Container: Enter the base container for synchronization in the local tree, where the users synchronized from the other eDir tree will be placed. For Dept, this is the parent of the departmental containers. I am using the ou in eDir where I keep all my users, e.g. users-bcc2.

      • Password Failure Notification User: Enter the details of the administrator who should get emails regarding password update failures.

      Keep the default values for all other fields.

  10. Click Next.

  11. On the next page, you will be asked to enter the base container for synchronization in the remote tree ("Remote Base Container"). This is the container (ou) in the other eDir tree where all users are created. Enter it in "Users.MyOrganization" format, e.g. users-bcc1.novell in my case.

  12. On the next page, use the "Define Security Equivalences" button to select the desired user with the required rights. I generally choose the bcc-administrator user (created for BCC admin) and the tree admin user.

  13. Clicking Next displays the summary of your configuration.

  14. Click Next again to finish the wizard and reach the "Driver Set Overview" page, with the icon of your newly created driver displayed on it.

  15. Click the driver "bcc2-bcc1-usersync" and click OK in the popup window to convert the driver to the new architecture.

Important: Repeat all the above steps on the first eDir tree, i.e. "BCC1", using the IDM master node and create a similar "BCC User Object Synchronization" driver on the "BCC1" tree. Make sure that you use the same port number for this pair of drivers.







Example Driver Set Summary for a Multiple-Tree, Four-Cluster Business Continuity Cluster ("-" means no driver in that driver set):

Driver Instance     Driver Set for        Driver Set for        Driver Set for        Driver Set for
                    Cluster One           Cluster Two           Cluster Three         Cluster Four

Cluster Resource    C1 to C2, port 2002   C2 to C1, port 2002   C3 to C1, port 2003   C4 to C3, port 2004

Cluster Resource    C1 to C3, port 2003   -                     C3 to C4, port 2004   -

User Object         C1 to C3, port 2001   -                     C3 to C1, port 2001   -
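Because each driver pair must use the same port on both sides and a driver set must not reuse one port for two different pairs, it helps to check a planned driver layout before clicking through iManager. The following is an added example (not code from the AppNote or from Novell) that validates the four-cluster plan in the table above; the tuple layout and problem messages are my own convention.

```python
from collections import defaultdict

# Planned driver instances taken from the driver set summary above, one tuple
# per driver: (driver kind, cluster whose driver set holds it, peer cluster, port).
PLANNED_DRIVERS = [
    ("Cluster Resource", "C1", "C2", 2002),
    ("Cluster Resource", "C2", "C1", 2002),
    ("Cluster Resource", "C3", "C1", 2003),
    ("Cluster Resource", "C4", "C3", 2004),
    ("Cluster Resource", "C1", "C3", 2003),
    ("Cluster Resource", "C3", "C4", 2004),
    ("User Object", "C1", "C3", 2001),
    ("User Object", "C3", "C1", 2001),
]


def validate_driver_plan(drivers):
    """Return a sorted list of problems with a driver plan: a driver with no
    counterpart in the peer cluster, a pair whose two sides use different
    ports, or two different pairs sharing one port within a driver set.
    An empty list means the plan is consistent."""
    problems = set()
    port_of = {(kind, local, peer): port for kind, local, peer, port in drivers}
    # Every driver needs a matching driver on the peer, using the same port.
    for (kind, local, peer), port in port_of.items():
        back = port_of.get((kind, peer, local))
        if back is None:
            problems.add(f"{kind} {local}->{peer}: no counterpart driver on {peer}")
        elif back != port:
            a, b = sorted((local, peer))
            lo, hi = sorted((port, back))
            problems.add(f"{kind} {a}<->{b}: ports differ ({lo} vs {hi})")
    # Within one cluster's driver set, a port may serve only one driver pair.
    owner = defaultdict(dict)  # cluster -> port -> (kind, peer) using it
    for kind, local, peer, port in drivers:
        first = owner[local].setdefault(port, (kind, peer))
        if first != (kind, peer):
            problems.add(f"{local}: port {port} shared by {first} and {(kind, peer)}")
    return sorted(problems)


if __name__ == "__main__":
    print(validate_driver_plan(PLANNED_DRIVERS) or "driver plan is consistent")
```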






4.3 Creating certificates for Cluster Resource Synchronization driver and User Object Synchronization driver



For multi-tree IDM drivers, NDS-to-NDS SSL certificates must be created for the drivers so they can communicate with each other. Here are the steps to create the required certificates.



Let's start by creating the certificate for the Cluster Resource Synchronization driver.




  1. In a browser window, open iManager from the server in your new tree "BCC2" which has 32-bit IDM installed. You can access iManager by opening https://<i.p of server>/nps.

  2. Login to your new tree "BCC2" by providing the admin username, password and tree name in the iManager login window.

  3. At the top of the iManager window, click the "Identity Manager Administration" icon to open the Identity Manager administration page.

  4. In the administration section, click the "Identity Manager Overview" link.

  5. Click the NDS-to-NDS Driver Certificates link to start the certificate creation wizard.

  6. On this page, enter the details of the driver in the current eDir tree ("BCC2") which you want to communicate with the similar driver in the other tree.

  7. Provide the following details for your driver:

      • Driver DN: Provide the DN of the driver in the format drivername.driverset.ou.o. For my setup, it is tree2-tree1-sync.provo_driverset.provo.novell

      • Tree: Enter the name of the current tree, e.g. "BCC2".

      • Username: Username of a user with the required privileges, e.g. "admin".

      • Password: Password of the above user.

      • Context: Context in eDir where the user exists, e.g. "Novell".

  8. Click Next to reach the next page of the wizard.

  9. You will be shown a window similar to the one in step 7 above, where we need to provide the details of the similar driver we created in the other eDir tree "BCC1".

  10. Provide the following details for that driver:

      • Driver DN: Provide the DN of the similar driver in the other tree in the format drivername.driverset.ou.o. For my setup, it is tree1-tree2-sync.sydney_driverset.sydney.novell

      • Tree: Enter the name of the other eDir tree, e.g. "BCC1".

      • Username: Username of a user in the "BCC1" eDir tree with the required privileges, e.g. "admin".

      • Password: Password of the above user.

      • Context: Context in eDir where the user exists, e.g. "Novell".

  11. Click the Next button.

  12. You will be shown the parameters the wizard has taken for the creation of the certificate. Click Finish to accept the displayed settings and continue with the creation of the certificates.

  13. On clicking Finish, you will be asked whether you wish to restart the drivers after the certificate is applied to them. Click OK to accept, and you will be taken to the main Identity Manager Administration window.

    Important: You will need to repeat steps 1-13 above in the same iManager window/server to create an NDS-to-NDS certificate for our other driver pair, i.e. the BCC User Object Synchronization driver.

  14. After you have created NDS-to-NDS certificates for both drivers in your current eDir tree "BCC2", the creation of NDS certificates on the second tree is complete.

    Very Important: For the drivers in the first tree to communicate with the second tree, i.e. BCC1-to-BCC2, we need to create similar pairs of driver certificates, as in steps 1-14 above, by logging on to the iManager of our first eDir tree "BCC1".

    This way we create a total of four certificates: two certificates on each server, or in other words one certificate for each driver pair in each eDir tree.





4.4 Starting Drivers and enable BCC on cluster on second tree



  1. Restart all four drivers on both trees. To do this, click the drivers one by one on the Identity Manager Overview page and choose Start/Restart.

  2. Now we need to enable BCC for our cluster in the new tree.

  3. Launch iManager and login to our second tree, i.e. "BCC2".

  4. Click Clusters > Cluster Manager and use Browse to find and select the cluster object from eDir.

  5. The cluster information is displayed in a GUI.

  6. Now click the Cluster Options link and click the Properties button below the selected DN of the cluster.

  7. Click the Business Continuity tab and enable the check box "Enable Business Continuity features".




5. Add peer cluster credentials



As you can see in the above screenshot, in Connections, all the clusters from both the trees are visible but with "invalid credentials" state. For the clusters to communicate correctly, we need to provide the peer cluster credentials on all the clusters.



To add the peer cluster credentials, do the following for each node of every cluster in the business continuity cluster:




  1. Open a terminal console on the cluster node where you want to add peer credentials, then log in as the root user.

  2. At the terminal console prompt, enter:

       cluster connections

  3. Verify that all clusters are present in the list.

     If the clusters are not present, the Identity Manager drivers are not synchronized.

     If synchronization is in progress, wait for it to complete, then try cluster connections again.

  4. For each cluster in the list, enter the following command at the server console prompt, then enter the bccadmin username and password when prompted:

       cluster credentials <cluster_name>

  5. Repeat this on one node of every cluster for each cluster displayed with invalid credentials.

  6. To verify the communication, wait for some time after you save the credentials and run cluster connections again.

  7. The "Invalid credentials" state should now have changed to "OK".





6. Add search-and-replace values to the cluster replacement script



To enable a resource for business continuity, certain values (such as IP addresses) specified in the resource load and unload scripts need to be changed in the corresponding resources in the peer clusters. This is because different clusters, especially those in different trees and different networks, use their own network configurations and IP addressing schemes. You need to add the search-and-replace strings that are used to transform cluster resource load and unload scripts from another cluster to the one where you create the replacement script. This ensures that strings such as IP addresses and pool names are replaced with the required names and IP addresses when the resources move to the new network environment. Replacement scripts are for inbound changes to scripts for objects being synchronized from other clusters, not outbound.



IMPORTANT: The search-and-replace data is cluster-specific, and it is not synchronized via Identity Manager between the clusters in the business continuity cluster.



To add search-and-replace values to the cluster replacement script:




  1. In iManager, click Clusters > Cluster Options, select the Cluster object, click Properties, then select the Business Continuity tab.

  2. In the Resource Replacement Script section of the Business Continuity Cluster Properties page, click New.

  3. Add the desired search-and-replace values.

     The search-and-replace values you specify here apply to all resources in the cluster that have been enabled for business continuity.

     For example, if you specified 10.1.1.1 as the search value and 192.168.1.1 as the replace value, the resource with the 10.1.1.1 IP address in its scripts is searched for in the primary cluster and, if found, the 192.168.1.1 IP address is assigned to the corresponding resource in the secondary cluster.

     You can also specify global search-and-replace addresses for multiple resources in one line. This can be done only if the last digits in the IP addresses are the same in both clusters. For example, if you specify 10.1.1. as the search value and 192.168.1. as the replace value, the software finds the 10.1.1.1, 10.1.1.2, 10.1.1.3 and 10.1.1.4 addresses, and then replaces them with the 192.168.1.1, 192.168.1.2, 192.168.1.3, and 192.168.1.4 addresses, respectively.

     IMPORTANT: Make sure to use a trailing dot in the search-and-replace value. If a trailing dot is not used, 10.1.1 could be replaced with an IP value such as 192.168.100 instead of 192.168.1.

  4. Optionally select the Use Regular Expressions check box to use wildcard characters in your search-and-replace values. The following links provide information on regular expressions and wildcard characters:

  5. Click Apply to save your changes. Clicking OK does not apply the changes to the directory.

  6. Verify that the change has been synchronized with the peer clusters by the Identity Vault.
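The trailing-dot rule above is easy to get wrong and the damage only shows up after a failover, when a resource in the peer cluster loads with the wrong address. The following is an added example (not code from the AppNote or from Novell) that applies search-and-replace rules to a constructed sample load script and lists the IP addresses that result, so the effect of a missing trailing dot and of the regular-expression option can be seen before the rule is saved; the script content, addresses and pool name are made up.

```python
import re

# Constructed sample load script for a resource in the primary cluster
# (made-up content and addresses, not a script from the page).
SAMPLE_LOAD_SCRIPT = """#!/bin/bash
. /opt/novell/ncs/lib/ncsfuncs
exit_on_error add_secondary_ipaddress 10.1.1.5
exit_on_error add_secondary_ipaddress 10.1.10.7
exit_on_error ncpcon bind --ncpservername=PROVO_POOL_SERVER --ipaddress=10.1.1.5
exit 0
"""

# Search value without the trailing dot: also rewrites 10.1.10.x addresses.
BAD_RULES = [("10.1.1", "192.168.1")]
# Search value with the trailing dot, as the AppNote recommends, plus a pool name.
GOOD_RULES = [("10.1.1.", "192.168.1."), ("PROVO_POOL_SERVER", "SYDNEY_POOL_SERVER")]
# Equivalent address rule written for the "Use Regular Expressions" option.
REGEX_RULES = [(r"\b10\.1\.1\.(\d+)\b", r"192.168.1.\1")]


def apply_replacements(script, rules, use_regex=False):
    """Transform an inbound load/unload script by applying each
    (search, replace) rule in order, as plain text or as a regex."""
    for search, replace in rules:
        if use_regex:
            script = re.sub(search, replace, script)
        else:
            script = script.replace(search, replace)
    return script


def find_addresses(script):
    """Return every IPv4 address in the script, in order of appearance."""
    return re.findall(r"\b\d{1,3}(?:\.\d{1,3}){3}\b", script)


def ambiguous_prefix_rules(rules):
    """Return plain search values that look like a partial IPv4 address but
    lack the trailing dot, so they can also match inside longer octets."""
    partial = re.compile(r"\d{1,3}(?:\.\d{1,3}){0,2}")
    return [search for search, _ in rules if partial.fullmatch(search)]


if __name__ == "__main__":
    for label, rules, use_regex in [("without trailing dot", BAD_RULES, False),
                                    ("with trailing dot", GOOD_RULES, False),
                                    ("regex", REGEX_RULES, True)]:
        out = apply_replacements(SAMPLE_LOAD_SCRIPT, rules, use_regex)
        print(label, find_addresses(out), "ambiguous:", ambiguous_prefix_rules(rules))
```

With BAD_RULES the unrelated 10.1.10.7 address is rewritten to 192.168.10.7, while GOOD_RULES and REGEX_RULES leave it untouched and rewrite only the 10.1.1.x addresses.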



7. References



After finishing the above configuration, you can see the property of each BCC enabled resource and add the new cluster in the "Resource Preferred Clusters-Assigned" list. This will ensure that the resource can be failed over to the new cluster as well.



For more information on BCC you can visit the links mentioned below:




