
Upgrading from iChain 2.0

This section discusses upgrading from the iChain 2.0 software version. The numbered steps below should be considered.

This section also addresses the schema differences between 2.0 and 2.1.


1. Prepare the Current iChain Platform

  1. Prepare a test scenario with the customer (for each app, identify key profiles). Be aware of what each application requires as input (for example, simple authentication header, parameters passed using the command line).

  2. Test the scenario on the running iChain 2.0 system and confirm that it is working.


2. Back Up the Existing iChain 2.0 Configuration

You will need to back up both the Authorization Server and the iChain Proxy Server.


To Back Up the Authorization Server

  1. Back up eDirectory™.

  2. Do an export to LDIF of the iChain objects (Access Control List, iChain Service Object, Communities).

  3. Back up any custom tools or modules that may have been running on the Authorization server.

  4. Rename the ConsoleOne® directory if ConsoleOne version 1.2x is installed (the iChain 2.1 Authorization Server CD ships with version 1.3). If this is not an option, rename the iChain snap-in and lib directories.


To Back Up the iChain Proxy Server

  1. Export the Proxy Server configuration to a NAS file and take a screen shot of all configuration screens.

  2. Export or back up certificates that are being used by the proxy server.

  3. Back up the following files:

    • /etc/hosts --- contains host mappings to IP addresses
    • /etc/proxy/data --- contains custom login pages (ca*.html)
    • /ichain/oac/oac.properties --- contains advanced OLAC configuration settings
    • /etc/proxy/r_append.cfg --- if any DNS search types changed
    • /system/appstart.ncf and /system/tune.ncf

  4. Copy any tools or modules that you may have used from the server (for example, LSEARCH.NLM for LDAP testing, NETMON.NLM for taking traces).

NOTE:  If possible, add an extra disk into the Proxy Server for the 2.1 install so that the 2.0 install can remain untouched while the 2.1 install is executed. Also, create a clone image of the 2.0 iChain build on the server before doing the upgrade.

Make sure you have everything needed to restore a valid iChain 2.0 Proxy Server image.
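One way to check the proxy server file backup before imaging, and again after the restore in step 6, as an added example rather than Novell's own tooling. It assumes the files from step 3 were copied to a staging directory on an administration workstation with their server paths preserved; all function names are hypothetical.

```python
import hashlib
from fnmatch import fnmatch
from pathlib import Path

# Step 3 file list, relative to the directory the backup was copied into.
REQUIRED = ["etc/hosts", "ichain/oac/oac.properties",
            "system/appstart.ncf", "system/tune.ncf"]
OPTIONAL = ["etc/proxy/r_append.cfg"]   # only present if DNS search types changed
LOGIN_DIR, LOGIN_GLOB = "etc/proxy/data", "ca*.html"   # custom login pages

def find_ci(root, rel):
    """Resolve rel under root ignoring case (copies may arrive as APPSTART.NCF)."""
    cur = Path(root)
    for part in rel.split("/"):
        kids = cur.iterdir() if cur.is_dir() else []
        cur = next((p for p in kids if p.name.lower() == part.lower()), None)
        if cur is None:
            return None
    return cur

def sha256(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def build_manifest(root):
    """Return ({relative path: sha256}, [missing required paths])."""
    manifest, missing = {}, []
    for rel in REQUIRED + OPTIONAL:
        hit = find_ci(root, rel)
        if hit is not None and hit.is_file():
            manifest[rel] = sha256(hit)
        elif rel in REQUIRED:
            missing.append(rel)
    pages = find_ci(root, LOGIN_DIR)
    for page in sorted(pages.iterdir()) if pages is not None and pages.is_dir() else []:
        if page.is_file() and fnmatch(page.name.lower(), LOGIN_GLOB):
            manifest[f"{LOGIN_DIR}/{page.name.lower()}"] = sha256(page)
    return manifest, missing

def verify(root, manifest):
    """Return manifest entries that are absent or changed under root."""
    current, _ = build_manifest(root)
    return [rel for rel in manifest if current.get(rel) != manifest[rel]]

def make_sample(root):
    """Constructed staging copy: upper-case names, tune.ncf left out on purpose."""
    for rel in ["ETC/HOSTS", "ICHAIN/OAC/OAC.PROPERTIES", "SYSTEM/APPSTART.NCF",
                "ETC/PROXY/DATA/CALOGIN.HTML"]:
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(f"constructed sample content for {rel}\n")
```

Store the manifest returned by `build_manifest` with the backup; after restoring the files in step 6, run `verify` against a fresh copy pulled from the 2.1 server and investigate anything it lists.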

Please note that 2.1 schema is compatible with 2.0, meaning that if you leave your 2.0 iChain Service Object (ISO) untouched, you could have one proxy server running 2.0 while a second one is being upgraded. (This could help in doing a seamless migration and an easy roll back.)


3. Upgrade eDirectory with the iChain 2.1 Schema Using the Install CD

The install script will generate many BURP errors during this phase that can be ignored. These errors are generated because many of the modifications to the schema that the install script is trying to perform are already in place.

NOTE:  If the tree you are upgrading also contains Novell® BorderManager® schema extensions, you will need to manually re-link the "brdsrvsOutgoingAcl" attribute with the object class named "brdsrvsACLRule". This is done easily in ConsoleOne schema manager, after applying the new schema and reloading ConsoleOne.


4. Install ConsoleOne 1.3 and the iChain Snap-ins

If it isn't already installed, install ConsoleOne 1.3 and also install the iChain snap-ins from the Authorization Server CD. This is required for any RADIUS or token-based authentication setup.


5. Convert and Modify Existing ACL/ISO Definitions

Convert and modify existing Access Control List (ACL)/iChain Service Object (ISO) definitions to match new specifications in iChain 2.1.

The ConsoleOne snap-ins that ship with iChain 2.1 can detect iChain 2.0-formatted objects. After upgrading the Authorization Server from 2.0 to 2.1 and selecting properties of the original 2.0 ISO with the new 2.1 snap-ins, the ISO will be automatically extended with the new required attributes.

NOTE:  If administrators are creating completely new objects, the following should be considered:

1. The ISO has many new attributes in 2.0. The most important of these involves ACLCHECK dynamic LDAP search attributes.

2. If you decide to recreate the ISO, the corresponding Rule Objects referencing the old ISO's protected resources must be recreated. If this is not done, ACLCHECK will report "old version" errors.


6. Upgrade the Proxy Server to iChain 2.1

  1. Image the proxy server with iChain 2.1.

  2. Unlock the Proxy Server system console by typing "unlock" at the prompt. You do not need to specify a password. Press Enter.

  3. Import the NAS file by placing the floppy containing the CURRENT.NAS file into the proxy server. Type "import floppy".

    Wait until the "completed execution of autoload" is displayed at the server console.

  4. Import the server certificates that were backed up from the 2.0 server.

    If problems exist accessing the proxy server GUI, do the following from the Internet Caching System console:

    1. Run the _kill application to kill the java ServerApplication thread and all support modules.

    2. Unload the CERT.NLM at the system console.

    3. Reload CERT.NLM.

    4. Execute APPSTART.NCF at the system console.

  5. Restore the files backed up in Step 2 (substeps 3 and 4 of "To Back Up the iChain Proxy Server").

    NOTE:  The OAC.PROPERTIES file will not be needed unless some non-default parameters were required for functionality in 1.5 (for example, increasing worker threads, synchronization interval).

  6. Using the proxy server GUI, run the health check to make sure that all services are up and running.

  7. Check whether the eDirectory server still has community objects (which shipped with 1.5, but not with 2.0 or 2.1) and rules based on community objects. If this is the case, modify the APPSTART.NCF to load ACLCHECK with the /M option.

  8. Verify that you can access the iChain protected resource from the browser.


7. Test the System

  1. Complete an offline test using your defined scenario.

  2. Complete a production test.


8. Implement New Features

Only after you have confirmed that the old features are working should you enable any of the new iChain 2.1 features.


Schema Differences Between 2.0 and 2.1

The iChain 2.1 schema file is found on the Authorization Server CD in the \schema subdirectory. This file documents all iChain attributes and lists the new attributes added in version 2.1.


