Upgrading from iChain 2.0 and 2.1

This section discusses upgrading from the iChain 2.0 and 2.1 software versions. The following steps should be considered:

This section also addresses:


1. Prepare the Current iChain Platform

  1. Prepare a test scenario with the customer (for each app, identify key profiles). Be aware of what each application requires as input (for example, simple authentication header, parameters passed using the command line).

  2. Test the scenario on the running iChain 2.0/2.1 system and confirm that it is working.


2. Back Up the Existing iChain Configuration

You will need to back up both the Authorization Server and the iChain Proxy Server.


To Back Up the Authorization Server

  1. Back up eDirectory™.

  2. Export the iChain objects (Access Control List, iChain Service Object, Communities) to LDIF.

  3. Back up any custom tools or modules that might have been running on the Authorization server.

  4. Rename the ConsoleOne® directory if ConsoleOne version 1.2x is installed (iChain 2.2 Authorization Server CD ships with version 1.34). If this is not an option, rename the iChain snap-in and lib directories.


To Back Up the iChain Proxy Server

  1. Export the Proxy Server configuration to a NAS file and take a screen shot of all configuration screens.

  2. Export or back up certificates that are being used by the proxy server.

  3. Back up the following files:

  4. Copy any tools or modules that you might have used from the server (for example, LSEARCH.NLM for LDAP testing, NETMON.NLM for taking traces).

NOTE:  If you want to save your configuration so you can quickly revert to it, the fastest way to do this is to pull SCSI drive 0 (if you have a multi-drive system) and replace it with another drive, such as the highest numbered drive from your SCSI sub-system, or better yet, use a spare you have on a shelf. Label the original "Drive 0," and set it aside. Then proceed with the install as normal.

Make sure you have everything needed to restore a valid iChain 2.0/2.1 Proxy Server image.

The 2.1/2.2 schema is compatible with 2.0, meaning that if you leave your 2.0 iChain Service Object (ISO) untouched, you could have one proxy server running 2.0 while a second one is being upgraded. (This could help in doing a seamless migration and an easy roll back.)


3. Upgrade eDirectory with the iChain Schema Using the Install CD

NOTE:  This step is only required if upgrading from iChain 2.0. No schema changes exist between iChain 2.1 and 2.2.

The install script will generate many BURP errors during this phase that can be ignored. These errors are generated because many of the modifications to the schema that the install script is trying to perform are already in place.

NOTE:  If the tree you are upgrading also contains Novell® BorderManager® schema extensions, you will need to manually re-link the "brdsrvsOutgoingAcl" attribute with the object class named "brdsrvsACLRule". This is done easily in ConsoleOne schema manager, after applying the new schema and reloading ConsoleOne.


4. Install ConsoleOne 1.34 and the iChain Snap-ins

If it isn't already installed, install ConsoleOne 1.34 and also install the iChain snap-ins from the Authorization Server CD. This is required for any RADIUS or token-based authentication setup.


5. Convert and Modify Existing ACL/ISO Definitions

NOTE:  This step is only required if upgrading from iChain 2.0.

Convert and modify existing Access Control List (ACL)/iChain Service Object (ISO) definitions to match new specifications in iChain 2.1/2.2.

The ConsoleOne snap-ins that ship with iChain 2.1 and 2.2 can detect iChain 2.0-formatted objects. After upgrading the Authorization Server from 2.0 to 2.2 and selecting properties of the original 2.0 ISO with the new 2.2 snap-ins, the ISO will be automatically extended with the new required attributes.

NOTE:  If administrators are creating completely new objects, the following should be considered:

1. The ISO has many new attributes in 2.0. The most important of these involves ACLCHECK dynamic LDAP search attributes.

2. If you decide to recreate the ISO, the corresponding Rule Objects referencing the old ISO's protected resources must be recreated. If this is not done, ACLCHECK will report "old version" errors.


6. Upgrade the Proxy Server to iChain 2.2

  1. Image the proxy server with iChain 2.2.

    WARNING:  When installing from a CD, both the original drive and the clone drive will be overwritten. You cannot restore from clones in such a case, but can only do so when you put a drive aside.

  2. Unlock the Proxy Server system console by typing "unlock" at the prompt. You do not need to specify a password. Press Enter.

  3. Import the NAS file by placing the floppy containing the CURRENT.NAS file into the proxy server. Type "import floppy". (If autoload does not exist, type "import current floppy".)

    Wait until "completed execution of current" is displayed at the server console.

  4. Import the server certificates that were backed up from the 2.0/2.1 server.

    If problems exist accessing the proxy server GUI, do the following from the Internet Caching System console:

    1. Run the _kill application to kill the java ServerApplication thread and all support modules.

    2. Unload the CERT.NLM at the system console.

    3. Reload CERT.NLM.

    4. Execute APPSTART.NCF at the system console.

  5. Restore the files backed up in 2-3 and 2-4.

    Do not copy in APPSTART.NCF and TUNE.NCF from your old 2.0 or 2.1 server. Make a note of the changes, and edit the APPSTART.NCF and TUNE.NCF on your new 2.2 iChain server.

    Some default settings have been changed and we recommend that you do not overwrite the existing 2.2 files.

    NOTE:  The OAC.PROPERTIES file will not be needed unless some non-default parameters were required for functionality in 1.5 (for example, increasing worker threads, synchronization interval).

  6. Using the proxy server GUI, run the health check to make sure that all services are up and running.

  7. Check whether the eDirectory server still has community objects (which shipped with 1.5, but not with 2.x) and rules based on community objects. If this is the case, modify the APPSTART.NCF to load ACLCHECK with the /M option.

  8. Verify that you can access the iChain protected resource from the browser.
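One way to do the "make a note of the changes" part of step 5 on an admin workstation, as an added example (not Novell tooling): compare the backed-up APPSTART.NCF or TUNE.NCF with the freshly installed 2.2 copy and list what to re-apply by hand instead of overwriting the file. The file contents are constructed samples; `custmod`, `newmod` and `example parameter` are hypothetical names, and the comment markers (`#`, `;`, `REM`) are an assumption about the files.

```python
import re

def parse_ncf(text):
    """Map each active NCF line to key -> (canonical form, original line)."""
    commands = {}
    for raw in text.splitlines():
        line = re.sub(r"\s+", " ", raw.strip())
        words = line.lower().split(" ")   # console commands are case-insensitive
        # Skip blank lines and comments (assumed markers: #, ; and REM).
        if not line or line[0] in "#;" or words[0] == "rem":
            continue
        if words[0] == "load" and len(words) > 1:
            # Treat "LOAD ACLCHECK.NLM" and "load aclcheck" as the same module.
            words[1] = re.sub(r"\.nlm$", "", words[1])
            key = " ".join(words[:2])
        elif words[0] == "set" and "=" in line:
            key = " ".join(words).split("=", 1)[0].strip()   # "set <parameter>"
        else:
            key = " ".join(words)
        commands[key] = (" ".join(words), line)
    return commands

def carry_over_report(old_text, new_text):
    """Classify lines of the old file against the installed 2.2 file."""
    old, new = parse_ncf(old_text), parse_ncf(new_text)
    shared = old.keys() & new.keys()
    return {
        # Present only in the backup: customizations to re-enter manually.
        "reapply_by_hand": sorted(old[k][1] for k in old.keys() - new.keys()),
        # Same module or parameter, different options or value: decide per line.
        "review_difference": sorted((old[k][1], new[k][1])
                                    for k in shared if old[k][0] != new[k][0]),
        # Present only in 2.2: changed defaults that should not be overwritten.
        "leave_2_2_default": sorted(new[k][1] for k in new.keys() - old.keys()),
    }

# Constructed sample contents, not real iChain files.
OLD_APPSTART = """# backup from the 2.0/2.1 server (constructed)
load aclcheck /M
load custmod
set example parameter = 500
"""
NEW_APPSTART = """; fresh 2.2 install (constructed)
LOAD ACLCHECK.NLM
set example parameter = 1000
load newmod
"""

if __name__ == "__main__":
    for section, items in carry_over_report(OLD_APPSTART, NEW_APPSTART).items():
        print(section, items)
```
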


7. Test the System

  1. Complete an offline test using your defined scenario.

  2. Complete a production test.


8. Implement New Features

Only after you have confirmed that the old features are working should you enable any of the new iChain 2.2 features.


Schema Differences Between 2.0, 2.1, and 2.2

The iChain 2.2 schema file is found on the Authorization Server CD in the \schema subdirectory. This file documents all iChain attributes and lists the new attributes added in version 2.1. No schema changes were made between iChain 2.1 and iChain 2.2.