
Replacing an access manager admin server


Hi,

I am running access manager 3.0.4 (yes, I know it's old 🙂 )

Anyway, I'm required to move our access manager setup into a DMZ, which
means changing IPs. Everything I read says changing the IP on a machine
running eDirectory (as the admin server does) is bad, and that you can't
do it. I tried it anyway and came to the same conclusion. So I figure
I'm just going to rebuild the machine.

My plan was to build a SUSE machine, install access manager admin on it,
and restore a backup from my current access manager admin server. The
only thing I'm not sure about is how to get my access manager servers to
communicate with the new admin server on its new IP.

Any help would be appreciated.


--
jeynon
------------------------------------------------------------------------
View this thread: https://forums.netiq.com/showthread.php?t=48321

Re: Replacing an access manager admin server


jeynon;232195 Wrote:
> Hi,
>
> I am running access manager 3.0.4 (yes, I know it's old 🙂 )
>
> Anyway, I'm required to move our access manager setup into a DMZ, which
> means changing IPs. Everything I read says changing the IP on a machine
> running eDirectory (as the admin server does) is bad, and that you can't
> do it. I tried it anyway and came to the same conclusion. So I figure
> I'm just going to rebuild the machine.
>
> My plan was to build a SUSE machine, install access manager admin on it,
> and restore a backup from my current access manager admin server. The
> only thing I'm not sure about is how to get my access manager servers to
> communicate with the new admin server on its new IP.
>
> Any help would be appreciated.


On the IDP, there is a reimport script that you can use:

/opt/novell/devman/jcc/conf/reimport_nidp.sh jcc
and
/opt/novell/devman/jcc/conf/reimport_nidp.sh nidp

On the MAG, you would do the same two steps, except the script is named
reimport_ags.sh. I have done this successfully with the MAG but have
never tried it with the IDP.

If the other components are keeping their IP address, the device manager
should recognize them as the same device and that will be it. However,
if this doesn't work, you will need to delete the devices out of your
devman configuration and then import them as new devices.


--
MatthewEhle
------------------------------------------------------------------------

Re: Replacing an access manager admin server


Sorry, I just realized that you are running a very old version of AM.
My solution may not apply for you. However, this may be the excuse you
need to upgrade :cool:


--
MatthewEhle
------------------------------------------------------------------------

Re: Replacing an access manager admin server


jeynon;232195 Wrote:
> Hi,
>
> I am running access manager 3.0.4 (yes, I know it's old 🙂 )
>
> Anyway, I'm required to move our access manager setup into a DMZ, which
> means changing IPs. Everything I read says changing the IP on a machine
> running eDirectory (as the admin server does) is bad, and that you can't
> do it. I tried it anyway and came to the same conclusion. So I figure
> I'm just going to rebuild the machine.
>
> My plan was to build a SUSE machine, install access manager admin on it,
> and restore a backup from my current access manager admin server. The
> only thing I'm not sure about is how to get my access manager servers to
> communicate with the new admin server on its new IP.
>
> Any help would be appreciated.


In addition to what Matthew mentioned, you COULD (if you don't have 2
Admin servers), install the 2nd admin server with the "new IP",
(adjusting firewall holes as necessary) and then everything should
"know" about it and then you can remove the other one and change things
accordingly (there's a spot somewhere in the GUI that tells you which
admin console to point at or something). But that may be way overkill.

IF I may ask:
Why put the admin console in the DMZ? I'd think it would maybe be more
secure to keep it in your private LAN and just open the holes in the
firewall for communication to the IDP/LAG/MAG. IF it's in the DMZ, it's
possible it could be compromised and then it can be used to actually
change your configuration (unless you also want to run the SuseFirewall
on the Admin console server itself to harden it so that only the
IDP/LAG/MAG in the DMZ can talk to it--but at that point, I say put it
on the LAN and not in the DMZ).

But that's me.

And yes, you DEFINITELY want to upgrade first (well upgrade to 3.1.4 and
then migrate to 3.2. Although now I can't remember if you also had to
migrate to 3.1.4 from 3.0.4).


--
kjhurni
------------------------------------------------------------------------

Re: Replacing an access manager admin server


Hi,

Sorry for taking a bit to respond to this. I got taken off of the
project for a week or so but I'm back on.

Here's some background to answer your "why the DMZ" question.

Currently we have a single tier DMZ. Access manager components
(gateway, IDP) are in the DMZ, along with web and application servers.
Admin server and eDirectory are in our core (private network). I work
at a fairly large insurance and financial company and we have a risk
council that is continuously assessing our company's security
infrastructure. Our single tier DMZ has been identified as a risk
because if a server was compromised, it's only one hop from the core.
We've been asked to create a two tier DMZ where our public facing
servers (access gateway and IDP) would go in the first tier and
everything else that supports our web application (web server, app
server, eDirectory, and admin server) would go in the second tier. The
first tier must no longer have access to the core, except for a few well
defined ports like DNS, NTP, etc. So leaving the admin server in our
core is not an option because there would still be one hop from a public
facing server (AG and IDP) to the core.

Also, we cannot upgrade 🙂 That's a long story about politics and money
and the fact that, at some point, we are migrating this web application
off of access manager, but the bottom line is we can't upgrade.

So what I tried was to build a new access manager admin server in our
second DMZ tier. I then imported my configuration and it looked like
the admin server could see the AG and IDP in the other tier (I had the
firewall rules opened). However, it's my understanding that this isn't
enough. The components (AG and IDP) need to know what the new admin
server is, right? That's what I don't understand how to change. I
tried re-importing the AG into the new admin server, but either I did
something wrong or there was a firewall rule missing, but that just
created a mess and I had to rebuild the AG just to get it back into the
current admin server. I know I could install the new admin server as a
secondary to the current (primary) server, but is there then a way to
promote the secondary to primary and tell all the components about it?
I think that's what you're mentioning below but I don't see a section in
the GUI to do that.

Any further help would be appreciated.

kjhurni;232577 Wrote:
> In addition to what Matthew mentioned, you COULD (if you don't have 2
> Admin servers), install the 2nd admin server with the "new IP",
> (adjusting firewall holes as necessary) and then everything should
> "know" about it and then you can remove the other one and change things
> accordingly (there's a spot somewhere in the GUI that tells you which
> admin console to point at or something). But that may be way overkill.
>
> IF I may ask:
> Why put the admin console in the DMZ? I'd think it would maybe be more
> secure to keep it in your private LAN and just open the holes in the
> firewall for communication to the IDP/LAG/MAG. IF it's in the DMZ, it's
> possible it could be compromised and then it can be used to actually
> change your configuration (unless you also want to run the SuseFirewall
> on the Admin console server itself to harden it so that only the
> IDP/LAG/MAG in the DMZ can talk to it--but at that point, I say put it
> on the LAN and not in the DMZ).
>
> But that's me.
>
> And yes, you DEFINITELY want to upgrade first (well upgrade to 3.1.4 and
> then migrate to 3.2. Although now I can't remember if you also had to
> migrate to 3.1.4 from 3.0.4).



--
jeynon
------------------------------------------------------------------------

Re: Replacing an access manager admin server

jeynon wrote:


> So what I tried was to build a new access manager admin server in our
> second DMZ tier. I then imported my configuration and it looked like
> the admin server could see the AG and IDP in the other tier (I had the
> firewall rules opened). However, it's my understanding that this
> isn't enough. The components (AG and IDP) need to know what the new
> admin server is, right? That's what I don't understand how to
> change. I tried re-importing the AG into the new admin server, but
> either I did something wrong or there was a firewall rule missing,
> but that just created a mess and I had to rebuild the AG just to get
> it back into the current admin server.


I would lab this first if I were you rather than playing in production.

> I know I could install the
> new admin server as a secondary to the current (primary) server, but
> is there then a way to promote the secondary to primary and tell all
> the components about it?


There is (and that would be the preferred way to do this); it is
documented in the manual:
https://www.netiq.com/documentation/novellaccessmanager31/adminconsolehelp/data/b6uey7n.html


That is the NAM 3.1 doco so you would want to make sure you lab this
first (!) before you try this on NAM 3.0. I reckon it'll work but I'm
not 100% sure. I'll try to find the NAM 3.0 doco as I'm pretty sure it
is documented in there as well.



--
Cheers,
Edward

Re: Replacing an access manager admin server

jeynon wrote:



That was pretty easy to find:
http://www.novell.com/documentation/novellaccessmanager/adminguide/data/b6uey7n.html



--
Cheers,
Edward