NAM Open Lab 3: Configuring Identity Server, LDAP User Store, Device Manager
Novell Cool Solutions: AppNote
By Chris Van Den Abbeele
Posted: 21 Feb 2007
In this Open Lab we will configure the Identity Server, the LDAP user store, and the Device Manager (iManager + embedded eDirectory).
This Open Lab builds on the configured NAM_all_in_one (see previous Open Labs 1 and 2).
NAM Open Lab, Part 1
NAM Open Lab, Part 2
What You Need
A configured NAM_all_in_one (see previous Open Labs 1 and 2)
1. Go to the NAM_all_in_one virtual machine.
2. If you have not already done so, adapt the /etc/hosts file on the host and guest to contain the DNS names of the systems in use, as follows:
127.0.0.1 localhost
172.17.2.111 www.utopia.com NAMbox1 NAMbox1.Utopia.com
172.17.2.91 core.sim.utopia.novell.com core (optional)
3. Open a browser and go to: http://www.utopia.com:8080/nps.
Device Manager (a dedicated version of iManager) should come up. It will automatically redirect to https://www.utopia.com:8443/nps/servlet/webacc
The SSLVPN should be green. The Access Gateway should turn green after a few minutes, and the Identity Server will be red because it is not configured yet.
Figure 1 - Access Manager status lights
4. Click Identity Servers > Setup > New.
5. Set the Name as "utopia-IDPa".
6. Set the Base URL to "http://www.utopia.com:8080/nidp".
7. Click Next.
8. Specify the Organization (mandatory, but for reference only).
9. Set both the Name and the Display Name to "utopia-IDPa".
10. Set the URL to "www.utopia.com".
11. Specify the initial User Store. If you have enough hardware, you can use the Identity Vault of the Utopia system. If you prefer to keep it slim, then you can use the embedded eDirectory of Novell Access Manager.
Name: Embedded user store
Admin name: cn=admin,o=novell
Admin password: novell
Confirm pw: novell
Directory Type: eDirectory
12. Specify the server replicas:
New Name: Utopia User Store
IP Address: 172.17.2.111
Check: Use Secure LDAP connections
Figure 2 - Server replica information
13. Select "Auto import trusted root" and click OK.
14. Name it Utopia_LDAP_troot and click OK twice.
15. Specify the search contexts:
New Search context: o=novell
Scope: Subtree
16. Click Finish.
17. Go to the Servers tab.
18. Specify 172.17.2.111 and select Actions > Assign to configuration.
19. In the next screen, select "utopia-IDPA".
Figure 3 - Selecting the utopia-IDPA server
20. Click Assign.
Figure 3a - Assigning the utopia-IDPA server to the configuration
1. From a terminal connection to 172.17.2.111, stop Tomcat. Or, you can first open a separate terminal to trace Tomcat by running "tail -f /var/opt/novell/tomcat4/logs/catalina.out" at that terminal.
NAMbox1:~ # /etc/init.d/novell-tomcat4 stop
Stopping tomcat4:
Using CATALINA_BASE: /var/opt/novell/tomcat4
Using CATALINA_HOME: /var/opt/novell/tomcat4
Using CATALINA_TMPDIR: /var/opt/novell/tomcat4/temp
Using JAVA_HOME: /opt/novell/java
waiting for processes to exit
NAMbox1:~ # /etc/init.d/novell-tomcat4 stop
Stopping tomcat4:
/etc/init.d/novell-tomcat4: line 143: success: command not found
2. Verify whether there were any errors while stopping Tomcat:
Errors may be ignored, because the configuration was not done yet.
3. If catalina.out reports "Device Manager license manager stopped", then restart Tomcat:
/etc/init.d/novell-tomcat4 start
Starting tomcat4:
Using CATALINA_BASE: /var/opt/novell/tomcat4
Using CATALINA_HOME: /var/opt/novell/tomcat4
Using CATALINA_TMPDIR: /var/opt/novell/tomcat4/temp
Using JAVA_HOME: /opt/novell/java
4. Verify whether there were any errors while starting Tomcat:
I always see the following error; it might have to do with the fact that we run everything on one box, and that is not supported:
ServerLifecycleListener: createMBeans: Throwable javax.management.InstanceAlreadyExistsException: Catalina:type=Connector,service=Tomcat-Standalone,port=0,address=null
5. Verify your Access Manager status by going to the Device Manager console and selecting Access Manager > Overview. The Identity Server should be green.
6. Test the IDP by checking the IDP login: browse to "http://www.utopia.com:8080/nidp".
Figure 4 - Testing the IDP
You should be able to log in with any user from the users' container in Utopia (e.g.: ablake / novell). What you see is the so-called "user application" of Access Manager.
Figure 5 - Access Manager "user application"
Note that the admin user is in o=system, and that is out of the search scope that we defined.
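The search contexts from step 15 decide which users the Identity Server can find, and the note above shows why admin in o=system is missed. The following is an added example, not part of the original lab, that models the context/scope matching so you can check a user DN against the configured contexts before testing the login; the DN cn=ablake,ou=users,o=novell is a constructed sample, not the real Utopia layout.

```python
"""Check which user DNs the configured Identity Server search contexts will locate.

Models the search-context rules from the lab (context DN plus scope) and shows
that cn=admin,o=system lies outside a Subtree search rooted at o=novell.
"""


def parse_dn(dn):
    """Split "cn=x,ou=y,o=z" into lowercase (attr, value) RDNs, leftmost first."""
    return tuple(
        tuple(part.strip().lower() for part in rdn.split("=", 1))
        for rdn in dn.split(",")
    )


def dn_matches_context(user_dn, context_dn, scope):
    """True if a search from context_dn with the given scope would find user_dn.

    Scope names follow the lab's iManager wording: Subtree, One Level, Object
    (the last is assumed to behave like an LDAP base search).
    """
    user, ctx = parse_dn(user_dn), parse_dn(context_dn)
    # The context must be a suffix of the user DN, otherwise it is a different tree.
    if len(user) < len(ctx) or user[len(user) - len(ctx):] != ctx:
        return False
    depth = len(user) - len(ctx)  # how many RDNs below the context the user sits
    scope = scope.strip().lower()
    if scope in ("object", "base"):
        return depth == 0
    if scope == "one level":
        return depth == 1
    if scope == "subtree":
        return True
    raise ValueError(f"unknown scope {scope!r}")


def find_user_context(user_dn, contexts):
    """Return the first (context_dn, scope) pair that would find user_dn, or None."""
    for context_dn, scope in contexts:
        if dn_matches_context(user_dn, context_dn, scope):
            return (context_dn, scope)
    return None


# Search contexts exactly as configured in step 15 of the lab.
LAB_CONTEXTS = [("o=novell", "Subtree")]

if __name__ == "__main__":
    # Constructed sample DNs: a Utopia user and the admin from the note above.
    for dn in ("cn=ablake,ou=users,o=novell", "cn=admin,o=system"):
        print(dn, "->", find_user_context(dn, LAB_CONTEXTS))
```

If a DN returns None, add a second search context (or widen the scope) rather than changing the admin DN used for the user-store bind, which is configured separately in step 11.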
7. Check the IDP's metadata by browsing to "http://www.utopia.com:8080/nidp/idff/metadata". You should see an XML blob that is the IDP's metadata.
Figure 6 - Checking the IDP metadata
Problem 1: Unable to complete request at this time. Cause/Code: 300101037
If this condition persists, please contact your network administrator.
Figure 7 - Error: Unable to complete request
Solution: Slow down, close the browser, wait a moment, and try again.
Problem 2: The Identity Server does not turn green.
Solution: Click on the red cross and check the error.
Figure 8 - Checking the error
In this example we used the Utopia user store, but there seems to be an error in the communication.
Figure 9 - Communication error
a) Using an LDAP browser, can you log in to the eDirectory that runs on the Utopia VM?
Figure 10 - Checking eDirectory login for Utopia VM
b) Check the IDP configuration: did you make any typos?
c) Go to Identity Servers > Utopia-IDPa > Local tab > Utopia User Store and check the IP addresses and ports. Did you import the trusted root certificate, and are the admin user, his context, and his password OK?
d) Set up tracing on eDirectory (see previous lab) and find the error message.
Problem 3: The Identity Server may not be current. The status says "Update Servers".
Figure 11 - Identity Server is not current
When the Identity Server is up to date, the status will say "Current," and the text will not be clickable.
Figure 12 - Identity Server is current
Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com