Novell Home

Upgrade Procedure for iChain Servers

Novell Cool Solutions: AppNote
By Joseph Farah

Digg This - Slashdot This

Posted: 9 Aug 2006
 

Introduction

This AppNote describes the procedure for upgrading iChain servers. The process involves backup configuration, re-imaging the iChain Server with iChain 2.3 SP3, upgrading to SP4, and then restoring the configuration. The estimated service time is 1 - 2 hours (minimum), plus time for testing the accelerators.

Requirements

You will need the following items:

Notes on Upgrading

  • This procedure was written for upgrading to iChain 2.3 SP4 (2.3.300), but could also be followed for upgrading to iChain 2.3 SP4IR1 (2.3.314).
  • This procedure was written specically for upgrading HP ProLiant DL360 G3/G4 servers, but is not really hardware-specific.
  • You will need a floppy disk and a floppy drive on your workstation and the server.
  • With the assumption that the server is configured with hardware mirroring, you will need a spare SCSI Drive for the server for backout purposes.
  • You should also have the latest firmware maintenance CD for the server (this document includes the procedure for a DL360 G3/G4/G4p with HP firmware maintenance CD 7.50)
  • This procedure does not take into account any customized startup commands; you may need to back up autoexec.ncf and startup.ncf if they are customized.
  • If you have a customized sys:\etc\proxy\rewrite.cfg, then you should back it up, too (not in this procedure).
  • This procedure describes upgrading iChain on the same hardware. You can minimize downtime by backing up iChain, installing it on a spare server, restoring the config to the spare server, then moving the loaded/configured drive to the production hardware and upgrading the production hardware's firmware. This spare server should be the same hardware as the real server.
  • You can save time by editing the current.nas so the certificates are automatically restored during the import. If you want to automate this process, please include the following commands after the last "Restore Certificate End" command, before the apply:
set certificate name <name> action = restore
set certificate name  action = <password>

where <name> is the name of the certificate, and <password> is the AtLeast6CharacterPassword certificate password. Repeat this for every certificate in the list.

If you do this, then Import the current.nas twice with a manual reboot between the two imports. The first import will restore the accelerators and the certs, but the accelerators will not point to the certs. This is because the certs did not exist when the accelerators were restored. The second restore should point the accelerators to their restored certs.

Preparing for Re-imaging

1. Configure iChain to export the certificates into the NAS file as follows:

a. Access the server console and unlock it.
b. Type "set export certificate = auto" and hit .
c. Type "set export password = AtLeast6CharacterPassword" and hit
d. Type apply and hit
e. Wait for the prompt to say Success.

2. Access the iChain server's GUI
(http://IP-Address-of-iChain-Server:1959/appliance/config.html)

3. At the iChain login prompt, choose "Config" for the user.

4. Type the correct password and click on OK to log in.

5. Once the GUI is loaded, click the System icon.

6. Click the Import/Export tab.

7. Click the Export To (current) button in the Export configuration file to appliance button.

8. Click Export to initiate the export.

9. Click on the Configure icon, then the FTP tab.

10. Verify that the appropriate IP address is checked/marked for the Mini FTP server. If the appropriate IP is not checked, then check/mark the IP address and click Apply to make the change.

11. Click the Home icon, then click Certificate maintenance.

12. Select the first certificate in the Certificate name list.

The details for this certificate will be displayed. If the Organizational Unit is "AutoGenerated", then this certificate does not need to be backed up.

13. If the Organizational Unit is not "AutoGenerated", then this is a real certificate and needs to be backed up as follows:

a. Click the Backup button to flag this certificate for backup.
b. Set the password to the AtLeast6CharacterPassword.
c. Select Disk as the destination and click OK.

14. Repeat steps 12-13 for each certificate.

15. Click on Apply to backup the certificates.

16. Click the Configure icon and then click Web Server Accelerator Tab.

17. Select an accelerator, then click Modify.

18. If the accelerator has a Custom Login Page, then note the Custom Login Page/Directory name. (Use the table at the end of this document)

19. If the accelerator's certificate is not set to Auto, then note the certificate name. (Use the table at the end of this document)

20. Repeat steps 16-19 for each accelerator.

21. Create a directory on your hard drive that can be used to store the configuration files from the iChain server.

22. Connect to the iChain server via FTP, logging in as config with the appropriate password. (A GUI FTP Client such as WS_FTP is much easier than command line FTP, but either can be used.)

a. Make sure your FTP client is set to download binary files as type=Binary. Binary files will be corrupt if they are downloaded using type=ASCII.
b. Copy SYS:/ETC/PROXY/APPLIANCE/CONFIG/USER/current.nas to the directory you created in step 21.
c. Copy the entire backup directory from SYS:/ETC/PROXY/APPLIANCE/CONFIG/USER/cert/ to the directory you created in step 21.
d. Copy all the Custom Login Page directories from SYS:/ETC/PROXY/DATA to the directory you created in step 21.

23. Disconnect/Close your FTP session/client.

24. Browse to the directory that you created in step 21.

a. Verify that you have a copy of all certificate backup files.
b. Verify that you have the current.nas.
c. Verify that you have all of the Custom Login Pages.
d. Copy this directory to a server so that you have redundant copies.
e. Copy the current.nas file to a floppy disk.

25. Copy the SP4 patch to a web server that is accessible by the iChain server, editing the TXT file to include the IP of the web server as described in the patch documentation.

Re-Imaging Process

1. Notify users of the change/outage that is about to occur.

2. Shut down the server and remove one of the server's hot swappable drives, label it, and replace it with a spare drive. (This drive will be used for backout, if needed.)

3. Upgrade the firmware as follows:
(HP ProLiant DL360 G4 specific, but you should probably get your server to the latest firmware)

a. Insert the Firmware Maintenance CD into server's CD-ROM drive.
b. Shut down and reboot the server (the server should boot from the CD-ROM).
c. Select English and click Continue.
d. Click Agree on the license screen.
e. Click Firmware Update and Install Firmware to start scanning the hardware. (Note: It takes a little while for the firmware utility to start.) The ROM Update Utility will scan the hardware for outdated firmware.
f. Verify that the ROM Update Utility discovered that the component required a firmware update.
g. Deselect any unwanted firmware updates.
h. Click Install to begin the firmware updates on the selected components. Wait while the firmware updates. You should see a message stating that the ROM updates were completed successfully.

4. Scramble the Data on the drives (DO NOT SKIP THIS STEP):
(HP ProLiant DL360 G4 specific, but you should be able to accomplish the same task on different hardware.)

a. Power the server off, then power it on.
b. Eject the Firmware Maintenance CD and insert the iChain 2.3 SP3 CD.
c. Enter the SCSI configuration tool by pressing F8 to run the Option ROM Configuration Utility during the POST.
d. Select Delete Logical Drive and press Enter.
e. Press F8 to delete the logical drive.
f. Press F3 to confirm the deletion.
g. Press Enter to continue.
h. Select Create Logical Drive and press Enter.
i. Change the RAID Configuration to RAID 0 and press Enter to create the drive.
j. Press F8 to save the configuration.
k. Press Enter to continue, and Esc to exit.
l. Type "YES" and press Enter to accept the license.
m. Type Y to start the installation. The date/time will be displayed.
n. Press Esc to indicate that the time/date is correct. The Installation will start imaging the drive, then the server will reboot. The entire image process will take about 15 minutes (Steps "n" and "o").
o. Type N at the custom drivers prompt. The server will reboot several times. (Note: the server will automatically select No after a short wait.)
p. Once the server is at the System Console, Evaluation Copy screen, reboot the server (there is no password at this time).

5. Re-image the Server for production:
(steps a-h are DL360 G4 specific, but can and should be accoomplished on other hardware)

a. Enter the SCSI configuration tool by pressing to run the Option ROM Configuration Utility during the POST.
b. Select Delete Logical Drive and press
c. Press to delete the logical drive.
d. Press to confirm the deletion.
e. Press to continue.
f. Select Create Logical Drive and press .
g. The RAID Configuration should be set to RAID 1+0, press to create the drive.
h. Press to save the configuration, to continue, and to exit.
i. Type YES and press to accept the license.
j. Press Y to start the installation.
k. The date/time will be displayed, press to indicate that the time/date is correct l. The Installation will start imaging the drive, then the server will reboot. The entire image process will take about 15 minutes (Steps "l" and "m").
m. Type N at the custom drivers prompt, the server will reboot several times (Note: the server will automatically select No after a short wait).
n. Once the server is at the System Console, Evaluation Copy screen, remove the CD and insert the floppy disk that contains current.nas into the server's drive.

6. Unlock the server console (there is no password at this time).

7. Reboot the server (if you skip this, the server will lockup while importing the NAS file).

8. Once the server is at the System Console, Evaluation Copy screen, unlock the server console (there is no password at this time).

9. Configure iChain to import the certificates from the NAS file (I'm not sure if this step is really necessary):

a. Type "set export certificate = auto" and press Enter.
b. Type "set export password = AtLeast6CharacterPassword" and press Enter.
c. Click "Apply" and press Enter.
d. Wait for the prompt to say Success.

10. Type "import current floppy" and press Enter. The server will import the NAS file and reboot (this might take a while, so be patient).

11. When the server displays "Remove disks or other media", eject the floppy disk and press any key. (i.e. the server is trying to boot from the floppy)

12. Wait for the server to boot to the System Console screen.

13. Access the iChain server's GUI
(http://IP-Address-of-iChain-Server:1959/appliance/config.html)

14. At the iChain login prompt, choose config for the user, leave the password field blank and click on OK to login.

15. Click on the System icon, then the Actions tab.

16. Click the Password button.

17. Select the Config user.

18. Leave the Old Password blank, then enter the appropriate password in the New password and Confirm new password fields.

19. Click the Change button twice (the second time is to confirm).

20. Close and re-open your browser.

21. Access the iChain server's GUI
(http://IP-Address-of-iChain-Server:1959/appliance/config.html)

22. At the iChain login prompt, choose Config for the user.

23. Enter the appropriate password and click on OK to log in.

24. Click on the Home icon, then the Certificate Maintenance tab.

25. Click the Restore button.

26. Type the name of a certificate that needs to be restored (filename without the extension).

27. Enter the AtLeast6CharacterPassword in the Password and confirm password fields, then click OK.

28. Repeat steps 26-27 for each certificate.

29. Click Apply to restore the certificates.

30. Click the Configure icon and then the Web Server Accelerator Tab.

31. Select an accelerator, then click Modify.

32. Compare the Custom Login Page setting to the setting that was recorded in Table 1. The value should match; if not, correct any errors.

33. Compare the accelerator's certificate to what was recorded in Table 1. Point the accelerator to the correct certificate.

34. Repeat steps 31-33 for each accelerator.

35. Click Apply to save the changes.

36. Connect to the iChain server via FTP, logging in as config with the appropriate password.

37. Copy all the Custom Login Page directories back to SYS:/ETC/PROXY/DATA
(I used WS_FTP, but it could only copy one folder at a time. So I copied one folder, disconnected from the iChain FTP site, reconnected, and repeated for each folder ...still faster than command line FTP)

38. Reboot the server; wait for the server to boot to the System Console screen.

39. Install SP4 patch as follows:

a. Access the iChain server's GUI
(http://IP-Address-of-iChain-Server:1959/appliance/config.html)
b. At the iChain login prompt, choose config for the user. c. Enter the appropriate password and click OK to log in.
d. Click on the System icon and Upgrade.
e. Check Enable Download and Enable Install; both should be set to "Immediately".
f. Enter the URL to the SP4 patch in the Install from URL field. It should look like this:
http://x.x.x.x/ichain23sp4.txt
g. Click Apply. The upgrade will take about 10 minutes.
h. Watch the server console to verify that the patch is being processed.
i. The server will reboot twice.
j. Reboot the server again after it is up.

40. If you already have a session broker key, then skip to step 41; otherwise:
(The session broker key needs to be the same for all iChain servers in a particular session brokered environment, but I created the session broker key once and used it in each of my independent environments. This allows me to save one (iChain version specific) session broker key so that I can add iChain servers to any of my enviroments easily ...using the one session broker key.)

a. Format a floppy disk that can be used to store the session broker key.
b. Insert the floppy disk into the iChain server.
c. Connect to the server console and unlock it.
d. Type "createsessionbrokerkey" on the console and press Enter. The iChain box should be running version 2.3.300, SP4.
(It is recommended that SB key be receated anytime sb.nlm is updated/patched)
e. Enter the AtLeast6CharacterPassword and press Enter.
f. Enter the AtLeast6CharacterPassword again to confirm it, and press Enter.
g. Wait for the server console to display success.
h. Create an appropriately named folder on a file server and copy SESSION.DAT from the floppy disk to the folder (so that the session broker key is available to be installed on new servers in the future).

41. Install the session broker key (even if you created it on this server):

a. Insert the floppy disk that contains the session broker key into the iChain server.
b. Connect to the server console and unlock it.
c. Type installsessionbrokerkey on the console and press Enter.
d. Type the AtLeast6CharacterPassword and press Enter.
e. Wait for the server console to display success.
f. Reboot the server.
g. If this is not the Primary Session Broker server, load tcpcon > protocol information > TCP > TCP connections, then confirm that there is a connection to the session broker on port 5001/5002 in the list. (The session broker key obviously needs to be installed on the brokered iChain servers and the session broker before you will see their connections)

42. If this server is a primary or secondary session broker, then:

a. Connect to the server console and unlock it.
b. Type "set authentication sessionbrokerenable = yes" and press Enter.
c. Type apply and press Enter.
d. Reboot the server.
e. Connect to the server console and unlock it.
f. Type "debug" and press Enter.
g. Type "proxydebug" for the password and press Enter.
h. Press CTRL-ESC.
i. Press 1, then press Enter to get to the system console.
j. To confirm that it is running and is initialized on the primary Session Broker server, load tcpcon > protocol information > TCP > TCP connections, then confirm that port 5001 exists in the list. (The session broker key obviously needs to be installed on the brokered iChain servers and the session broker before you will see their connections.)

43. Reboot the server again.

44. Test the accelerators.

45. Notify users that the change/outage is complete.

Backout Plan

1. Power down the server and remove both drives.

2. Insert the backout drive and power up the server.

3. Press F2 to fail drives that are not responding, and F1 to continue. (hardware specific)

4. Once the server is booted, insert a second drive.

5. Test the accelerators.

Accelerator Information

Use this table to record the Custom Login Page and Certificate information for each accelerator.

Accelerator name Custom Login Page Certificate
. . .
. . .
. . .
. . .
. . .
. . .


Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com

© 2014 Novell