
Options for moving to version 3.2


Hi,
I believe support for Access Manager 3.1 SP5 expires at the end of this
month. Looks like I'll have to move to Access Manager 3.2, so I am
considering my options. The official documentation indicates that I may
have to "migrate" rather than "upgrade" because all of my servers are on
SLES. However, there is the option of building a completely new system
in parallel and when it is ready, switching from the old to the new. If
I choose this path, I will lose all the credentials in secret store
(because I store these with the configuration and not in the user store
- I can't remember where I configured this or why!). I am also
concerned that I may have issues with the SAML2 service providers I have
set up. For example, if the metadata changes as this is a new system,
then the service providers will need to be re-configured, I imagine.
Does anyone have any advice about these particular issues and are there
any other "gotchas" I should be aware of when building a new system? Or
would you recommend migration instead? Another reason for building a
brand new system is that I may have a corruption within the
configuration store and I do not want to migrate this as well. But
then, perhaps the migration would not "migrate" the corruption.
Any advice would be welcome.
Regards
Steve Tennant


--
sttennant
------------------------------------------------------------------------
sttennant's Profile: https://forums.netiq.com/member.php?userid=389
View this thread: https://forums.netiq.com/showthread.php?t=49099
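
The SAML2 concern raised in the post above can be checked before cut-over by comparing the metadata of the old and the new identity provider. This is an added example, not part of the original post and not Access Manager code: it compares the entityID, the signing certificate fingerprints and the SSO/SLO endpoints, the values a service provider is normally configured with. The function names, the example.com hosts, the URL paths and the placeholder certificate bytes are constructed for illustration.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def trust_anchors(metadata_xml):
    """Collect the IdP values a service provider is normally configured with."""
    # ElementTree is fine for metadata exported from your own servers; use a
    # hardened parser for XML received from anyone else.
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    certs = set()
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue  # encryption-only keys play no part in signature checks
        for c in kd.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join(c.text.split()))
            certs.add(hashlib.sha256(der).hexdigest())
    endpoints = {(e.tag.split("}")[1], e.get("Binding"), e.get("Location"))
                 for tag in ("SingleSignOnService", "SingleLogoutService")
                 for e in idp.findall("md:" + tag, NS)}
    return {"entityID": root.get("entityID"),
            "signing_certs": certs, "endpoints": endpoints}

def metadata_drift(old_xml, new_xml):
    """Names of the trust anchors that differ between two metadata documents."""
    old, new = trust_anchors(old_xml), trust_anchors(new_xml)
    return sorted(k for k in old if old[k] != new[k])

def sample_metadata(host, cert_bytes):
    """Constructed metadata; cert_bytes are placeholder bytes, not a real cert."""
    cert = base64.b64encode(cert_bytes).decode()
    return (f'<md:EntityDescriptor xmlns:md="{NS["md"]}" xmlns:ds="{NS["ds"]}"'
            f' entityID="https://{host}/saml2/metadata"><md:IDPSSODescriptor'
            ' protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
            '<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>'
            f'<ds:X509Certificate>{cert}</ds:X509Certificate></ds:X509Data>'
            '</ds:KeyInfo></md:KeyDescriptor><md:SingleSignOnService'
            ' Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"'
            f' Location="https://{host}/saml2/sso"/></md:IDPSSODescriptor>'
            '</md:EntityDescriptor>')

if __name__ == "__main__":
    old = sample_metadata("login.example.com", b"old-signing-cert")
    print(metadata_drift(old, sample_metadata("login.example.com", b"new-signing-cert")))
    print(metadata_drift(old, sample_metadata("login-new.example.com", b"new-signing-cert")))
```

An empty result means the three compared values are identical in both documents; any name returned is a value the service providers hold for the old system that no longer matches the new one.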


Re: Options for moving to version 3.2

On 10/30/2013 11:14 AM, sttennant wrote:
> Does anyone have any advice about these particular issues and are there
> any other "gotchas" I should be aware of when building a new system? Or
> would you recommend migration instead? Another reason for building a


The migration works quite well. I honestly think it will be less painful for you to do than trying
to completely forklift. If you are using the secrets very much, that is quite a loss.

> brand new system is that I may have a corruption within the
> configuration store and I do not want to migrate this as well. But
> then, perhaps the migration would not "migrate" the corruption.
> Any advice would be welcome.


Make your config store healthy first. You can run dsrepair on it just like other eDirectories.
When it migrates, it is basically doing a replica add and then a master start, so in theory corruption
shouldn't replicate, but you might have issues with the above operations if your tree isn't healthy
to start with. Or you could make them worse. eDir is pretty easy to heal if it is wounded.





Re: Options for moving to version 3.2


Hi Descent,
Incidentally, I have run dsrepair but there is still an issue. It does
not seem to affect users though. This is why I was thinking of
rebuilding.
Regards
Steve


--
sttennant

Re: Options for moving to version 3.2

sttennant wrote:

>
> Hi Descent,
> Incidentally, I have run dsrepair but there is still an issue. It
> does not seem to affect users though. This is why I was thinking of
> rebuilding.
> Regards
> Steve


What's the issue, if I may ask?

--
Cheers,
Edward

Re: Options for moving to version 3.2


Hi Edward,
The issue is that policies have a blank "Used By" column when I refresh
references. I get some weird XML error in the app_sc.log file. If I
enable and disable any policies though, the column gets properly
populated again. At the moment roles are not showing anything in the
Used By column while other policies are showing something. Users do not
seem to be affected.
Regards
Steve


--
sttennant

Re: Options for moving to version 3.2

sttennant wrote:

>
> Hi Edward,
> The issue is that policies have a blank "Used By" column when I
> refresh references. I get some weird XML error in the app_sc.log
> file. If I enable and disable any policies though, the column gets
> properly populated again. At the moment roles are not showing
> anything in the Used By column while other policies are showing
> something. Users do not seem to be affected.
> Regards
> Steve


What's the weird error in the log you see? Can you provide the log by
any chance? What version are you running?

--
Cheers,
Edward

Re: Options for moving to version 3.2


Hi Edward,
Here is the last section of app_cc.0.log:

2584(D)2013-10-07T08:14:36Z(L)application.cc(T)32(C)com.volera.vcdn.application.cc.util.PolicyLogging(M)A(Msg)PolicyCollectionManager: endPolicyCollectionEdit(): Successfully edited PolicyCollection object
2585(D)2013-10-07T08:14:36Z(L)webui.cc(T)32(C)com.volera.vcdn.webui.cc.handler.CreatePolicyHandler(M)updatePolicyUsageList(E)Error validating policy document. Please check the logs for detailed information. Please cancel your changes and try again.<!-- y:777 VCDNException::ErrorCode=ContentException.Collection.XMLDocValidationError,ResourceBundle=resources.application.cc.ContentControllerApplication,MessageKey=ContentException.Collection.XMLDocValidationError --> :: Error on line 3: cvc-complex-type.2.4.b: The content of element 'xpeml:PoliciesDefinitionList' is not complete. One of '{"urn:novell:schema:xpeml:2.0:policy":Policy}' is expected. :: Detailed Exception:org.jdom.input.JDOMParseException: Error on line 3: cvc-complex-type.2.4.b: The content of element 'xpeml:PoliciesDefinitionList' is not complete. One of '{"urn:novell:schema:xpeml:2.0:policy":Policy}' is expected.
    at com.volera.vcdn.application.cc.core.PolicyCollectionInfo.setXMLDocument(y:777)
    at com.volera.vcdn.webui.cc.handler.CreatePolicyHandler.updatePolicyUsageList(y:259)
    at com.volera.vcdn.webui.cc.handler.CreatePolicyHandler.doUpdatePolicyUsage(y:1538)
    at com.volera.vcdn.webui.cc.handler.CreatePolicyHandler.processRequest(y:3117)
    at com.volera.roma.servlet.GenericController.doPost(y:394)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:647)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:269)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:172)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:563)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
    at com.novell.accessmanager.tomcat.SynchronizationValve.invoke(y:671)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:108)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:174)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:879)
    at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:665)
    at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:528)
    at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:81)
    at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:689)
    at java.lang.Thread.run(Thread.java:662)
(Msg)Unable to update policy references
2586(D)2013-10-07T08:14:36Z(L)application.cc(T)32(C)com.volera.vcdn.application.cc.util.PolicyLogging(M)A(Msg)PolicyCollectionManager: startPolicyCollectionCreate(): PolicyContainerId: mastercdn
2587(D)2013-10-07T08:14:36Z(L)application.cc(T)32(C)com.volera.vcdn.application.cc.util.PolicyLogging(M)A(Msg)PolicyCollectionManager: getPolicyCollectionsInfos(): filter: *, contentPublisherId:mastercdn
babbage:/opt/volera/roma/logs #

This is what is produced after selecting "Refresh References".
Regards
Steve


--
sttennant

Re: Options for moving to version 3.2

sttennant wrote:

> information. Please cancel your changes and try again.<!-- y:777
> VCDNException::ErrorCode=ContentException.Collection.XMLDocValidationError,ResourceBundle=resources.application.cc.ContentControllerApplication,MessageKey=ContentException.Collection.XMLDocValidationError -->
> :: Error on line 3: cvc-complex-type.2.4.b: The content of element
> 'xpeml:PoliciesDefinitionList' is not complete. One of
> '{"urn:novell:schema:xpeml:2.0:policy":Policy}' is expected. ::
> Detailed Exception:org.jdom.input.JDOMParseException: Error on line
> 3: cvc-complex-type.2.4.b: The content of element
> 'xpeml:PoliciesDefinitionList' is not complete. One of
> '{"urn:novell:schema:xpeml:2.0:policy":Policy}' is expected.


You have a corrupt policy document I reckon. You probably need a
dial-in from NTS to get this fixed.

--
Cheers,
Edward

Re: Options for moving to version 3.2

sttennant wrote:

>
> Hi,
> I believe support for Access Manager 3.1 SP5 expires at the end of
> this month. Looks like I'll have to move to Access Manager 3.2, so I
> am considering my options. The official documentation indicates that
> I may have to "migrate" rather than "upgrade" because all of my
> servers are on SLES. However, there is the option of building a
> completely new system in parallel and when it is ready, switching
> from the old to the new. If I choose this path, I will lose all the
> credentials in secret store (because I store these with the
> configuration and not in the user store - I can't remember where I
> configured this or why!). I am also concerned that I may have issues
> with the SAML2 service providers I have set up. For example, if the
> metadata changes as this is a new system, then the service providers
> will need to be re-configured, I imagine. Does anyone have any
> advice about these particular issues and are there any other
> "gotchas" I should be aware of when building a new system? Or would
> you recommend migration instead? Another reason for building a brand
> new system is that I may have a corruption within the configuration
> store and I do not want to migrate this as well. But then, perhaps
> the migration would not "migrate" the corruption. Any advice would
> be welcome. Regards
> Steve Tennant


I agree with Will, the migrate option isn't as hard as it sounds. Build
yourself a lab and maybe run through it twice so you get familiar with
it before you do your production environment.

--
Cheers,
Edward

Re: Options for moving to version 3.2


So, you recommend migration rather than building a new system? Will
migration cause a service disruption?
Regards
Steve


--
sttennant

Re: Options for moving to version 3.2

sttennant wrote:

>
> So, you recommend migration rather than building a new system? Will
> migration cause a service disruption?
> Regards
> Steve


There will be a short outage for the admin console when you change the
IP and restart the new admin console. For the access gateways and
identity providers it depends on how you do it and how large your
environment is. If you have multiple of each you should be fine, if you
only have one of each then yeah, there will be a service interruption.

--
Cheers,
Edward