In order for a secondary Administration Console to be converted into a primary Administration Console, a recent backup of the Administration Console must be available. For information on how to perform a backup, see Section 2.2, Backing Up the Access Manager Configuration. A backup is necessary in order to restore the certificate authority (CA).
If the failed server holds a master replica of any partition, you must use ndsrepair to designate a new master replica on a different server in the replica list.
WARNING:Perform these steps only if the primary Administration Console cannot be restored. If you have a recent backup, you can restore the primary Administration Console to new hardware. This is an easier configuration task than converting a secondary console into a primary console. See Section 6.6, Moving the Primary Administration Console to New Hardware
This conversion includes the following tasks:
If your primary Administration Console is running, you must log in as the administrator and shut down the service.
Linux: Start YaST, click
> , then select to stop the ndsd service.Windows: Open the Control Panel, click
> then select to stop the NDS Server.Changing the master replica to reside on the new primary Administration Console makes this Administration Console into the certificate authority for Access Manager. You need to first designate the replica on the new primary Administration Console as the master replica. Then you need to remove the old primary Administration Console from the replica ring.
At the secondary Administration Console, log in as root.
Change to the /opt/novell/eDirectory/bin directory.
Run DSRepair with the following options:
./ndsrepair -P -Ad
Select the one available replica.
Select
.Run ndsrepair -P -Ad again.
Select the one available replica.
Select
.Select the name of the failed primary server.
Select
.Enter the DN of the admin user in leading dot notation. For example:
.admin.novell
Continue with Section 6.7.3, Restoring CA Certificates.
At the secondary Administration Console, log in as the administrator.
Change to the C:\Novell\NDS directory.
Start the NDSCons.exe program.
Select dsrepair.dlm.
In the
box, specify -A, then clickClick
> > .Open
> , select the server, and verify that the replica is the master replica.Run ndsrepair again with -A in the box.
Click
> , then select the name of the failed primary server.From the menu, click
> > .Enter the DN of the admin user in leading dot notation. For example:
.admin.novell
Continue with Section 6.7.3, Restoring CA Certificates.
The following steps are performed on the machine that you are promoting to be a primary console.
Copy your most recent Administration Console backup files to your new primary Administration Console.
Change to the backup bin directory:
Linux: /opt/novell/devman/bin
Windows Server 2003: \Program Files\Novell\bin
Windows Server 2008: \Program Files (x86)\Novell\bin
Verify the IP address in the backup file.
Open the backup file:
Linux: defbkparm.sh
Windows: defbkparm.properties
Verify that the value in the IP_Address parameter is the IP address of your new primary console.
Save the file
Run the certificate restore script:
Linux: sh aminst-certs.sh
Windows: aminst-certs.bat
When prompted, enter the location of the backup files.
Continue with Section 6.7.4, Editing the vcdn.conf File.
The vcdn.conf file contains the IP address of the failed primary Administration Console.
Change to the Administration Console configuration directory:
Linux: opt/novell/devman/share/conf
Windows Server 2003: \Program Files\Novell\Tomcat\webapps\roma\WEB-INF\conf
Windows Server 2008: \Program Files (x86)\Novell\Tomcat\webapps\roma\WEB-INF\conf
Open the vcdn.conf file.
Search for all occurrences of the old IP address and replace them with the IP address of your new primary console.
Save the file.
Restart the Administration Console by entering the following command from the command line interface:
Linux: /etc/init.d/novell-tomcat5 restart
Windows: net stop Tomcat5
net start Tomcat5
Continue with Section 6.7.5, Deleting Objects from the eDirectory Configuration Store.
Several objects representing the failed primary Administration Console in the configuration store must be deleted.
Log in to the new Administration Console, then click
> .In the
section, select the old primary Administration Console, then click .Remove traces of the failed primary console from the configuration datastore:
In the iManager menu bar, select
.In the Tree view, select
, and view the objects.Delete all objects that reference the failed primary console.
You should find the following types of objects:
SAS Service object with the hostname of the failed primary console
An object that starts with the last octet of the IP address of the failed primary console
DNS AG object with the hostname of the failed primary console
DNS IP object with the hostname of the failed primary console
SSL CertificateDNS with the hostname of the failed primary console
SSL CertificateIP with the hostname of the failed primary console
Continue with Section 6.7.6, Performing Component-Specific Procedures.
If you have installed the following components, perform the cleanup steps for the component:
If you had an Identity Server installed with your failed primary Administration Console, you need to clean up the configuration database to remove references to this Identity Server.
Log in to the Administration Console.
Remove the Identity Server:
Click
> .Select the Identity Server that was installed with the primary Administration Console.
Remove it from the cluster, then delete it.
Remove traces of the failed Identity Server from the configuration datastore:
In the iManager menu bar, select
.In the Tree view, select
, and view the objects.Delete all objects that reference the failed Identity Server.
You should find the following types of objects:
SAS Service object with the hostname of the failed Identity Server
An object that starts with the last octet of the IP address of the failed Identity Server
DNS AG object with the hostname of the failed Identity Server
DNS IP object with the hostname of the failed Identity Server
SSL CertificateDNS with the hostname of the failed Identity Server
SSL CertificateIP with the hostname of the failed Identity Server
If you installed a third Administration Console used for failover, you must manually perform the following steps on that server:
Open the vcdn.conf file.
Linux: /opt/novell/devman/share/conf
Windows Server 2003: \Program Files\Novell\Tomcat\webapps\roma\WEB-INF\conf
Windows Server 2008: \Program Files (x86)\Novell\Tomcat\webapps\roma\WEB-INF\conf
In the file, look for the line that is similar to the following:
<vcdnPrimaryAddress>10.1.1.1</vcdnPrimaryAddress>
In this line, 10.1.1.1 represents the failed primary Administration Console IP address.
Change this IP address to the IP address of the new primary Administration Console.
Restart the Administration Console by entering the following command from the command line interface:
Linux: /etc/init.d/novell-tomcat5 restart
Windows: Use the following commands:
net stop Tomcat5
net start Tomcat5
For each Access Gateway Appliance imported into the Administration Console, you must edit the config.xml file and the settings.properties file on the Access Gateway and edit the current config and working config XML documents in the configuration store on the new primary Administration Console.
At the Access Gateway Appliance, log in as the root user.
Open a terminal window and shut down all services by entering the following commands:
/etc/init.d/novell-jcc stop /etc/init.d/novell-tomcat5 stop /etc/init.d/novell-vmc stop
If you are running SSL VPN, enter the following command to stop SSL VPN:
/etc/init.d/novell-sslvpn stop
Edit the config.xml file:
Enter:
vi /var/novell/cfgdb/.current/config.xml
Enter /Remote, then press Enter.
In the IPv4Address field, change the IP address from the failed Administration Console to the new primary Administration Console address.
(Conditional) If your audit server was on the primary Administration Console, enter /NsureAuditSetting, then press Enter.
In the IPv4Address field, change the IP address from the failed Administration Console to the new primary Administration Console address.
Enter :wq! to save and exit.
Edit the settings.properties file:
Enter:
vi /opt/novell/devman/jcc/conf/settings.properties
Change the IP address in the remotemgmtip list from the IP address of the failed Administration Console to the address of the new primary Administration Console.
Enter :wq! to save and exit.
At the new primary Administration Console, open an LDAP browser and edit the CurrentConfig object of the Access Gateway Appliance.
IMPORTANT:You should use an LDAP browser for the following steps, rather than iManager. Because iManager is slow at saving large files, your iManager connection might time out before your modifications are saved.
Browse to the following container: novell > accessManagerContainer > VCDN_Root > PartitionsContainer > Partition > AppliancesContainer.
A list of devices appears. Access Gateways have an ag prefix.
Expand an Access Gateway container, then select the CurrentConfig object.
Select the romaAGConfigurationXMLDoc attribute and open it so you can view its value.
The value is a large XML file.
Copy the contents of the attribute to a text editor.
(Conditional) To verify which Access Gateway Appliance you are changing, search for the <Local> element.
The IP address should match the IP address of the Access Gateway Appliance that you are configuring for the new primary Administration Console.
Search for the <Remote> element.
Change the IP address of the <Remote> element so that it matches the IP address of the new primary Administration Console.
(Conditional) If your audit server was on the primary Administration Console, search for the <NsureAuditSetting> element.
Change the IP address of the <NsureAuditSetting> element so that it matches the IP address of the new primary Administration Console.
Copy the modified document in the text editor to the value field of the romaAGConfigurationXMLDoc attribute.
Save your changes.
At the new primary Administration Console, edit the WorkingConfig object of the Access Gateway Appliance:
Use an LDAP browser for these steps.
Browse to the following container: novell > accessManagerContainer > VCDN_Root > PartitionsContainer > Partition > AppliancesContainer.
A list of devices appears. Expand the Access Gateway container.
Select the WorkingConfig object.
Select the romaAGConfigurationXMLDoc attribute and open it so you can view its value.
Copy the contents of the attribute to a text editor.
Search for the <Remote> element.
Change the IP address of the <Remote> element so that it matches the IP address of the new primary Administration Console.
(Conditional) If your audit server was on the primary Administration Console, search for the <NsureAuditSetting> element.
Change the IP address of the <NsureAuditSetting> element so that it matches the IP address of the new primary Administration Console.
Copy the modified document in the text editor to the value field of the romaAGConfigurationXMLDoc attribute.
Save your changes.
At the Access Gateway Appliance, start all services by entering the following commands:
/etc/init.d/novell-jcc start /etc/init.d/novell-tomcat5 start /etc/init.d/novell-vmc start /etc/init.d/novell-sslvpn start
(Conditional) Repeat this process for each Linux Access Gateway that has been imported into the Administration Console.
For each Access Gateway Service imported into the Administration Console, you must edit the config.xml file and the settings.properties file on the Access Gateway.
At the Access Gateway Service, log in as the root or the Administrator user.
Shut down all Access Gateway services.
Linux: Enter the following commands:
/etc/init.d/novell-jcc stop /etc/init.d/novell-tomcat5 stop /etc/init.d/novell-apache2 stop
Windows: Click
> > , then stop the following services:Apache Tomcat JCCServer
Stopping Apache Tomcat causes Apache 2.2 to also stop.
(Conditional) If your audit server was on the primary Administration Console, edit the config.xml file:
Change to the directory and open the file.
Linux: /var/opt/novell/tomcat5/webapps/agm/WEB-INF/config/current
Windows: \Program Files\Novell\Tomcat\webapps\agm\ WEB-INF\config\current
Find the NsureAuditSetting entry.
In the IPv4Address field, change the IP address from the failed Administration Console to the new primary Administration Console address.
Save and exit.
Edit the settings.properties file:
Change to the directory and open the file.
Linux: /opt/novell/devman/jcc/conf
Windows: \Program Files\Novell\devman\jcc\conf
Change the IP address in the remotemgmtip list from the IP address of the failed Administration Console to the address of the new primary Administration Console.
Save and exit.
At the Access Gateway Service, start all services by entering the following commands:
Linux: Enter the following commands:
/etc/init.d/novell-jcc start /etc/init.d/novell-tomcat5 start /etc/init.d/novell-apache2 start
Windows: Click
> > , then start the following services:Apache Tomcat JCCServer
Starting Apache Tomcat causes Apache 2.2 to also start.
(Conditional) Repeat this process for each Access Gateway Service that has been imported into the Administration Console.
For each Linux Identity Server imported into the Administration Console, perform the following steps:
Log in as the root user.
Open a terminal window and shut down all services by entering the following commands:
/etc/init.d/novell-jcc stop /etc/init.d/novell-tomcat5 stop
Edit the settings.properties file:
Enter:
vi /opt/novell/devman/jcc/conf/settings.properties
Change the IP address in the remotemgmtip list from the IP address of the failed Administration Console to the address of the new primary Administration Console.
Enter :wq! to save and exit.
Start the services by entering the following commands:
/etc/init.d/novell-jcc start /etc/init.d/novell-tomcat5 start
For each Windows Identity Server imported into the Administration Console, perform the following steps:
Open a terminal window and shut down all services by entering the following commands:
net stop JCCServer
net stop Tomcat5
Edit the settings.properties file:
Change to the following directory:
Windows Server 2003: \Program Files\Novell\devman\jcc\conf
Windows Server 2008: \Program Files (x86)\Novell\devman\jcc\conf
Open the settings.properties file.
Change the IP address in the remotemgmtip list from the IP address of the failed Administration Console to the address of the new primary Administration Console.
Save your changes.
Start the services by entering the following commands:
net start JCCServer
net start Tomcat5
For each Linux J2EE agent imported into the Administration Console, perform the following steps:
Log in as the root user.
Open a terminal window and shut down all services by entering
/etc/init.d/novell-jcc stop
Edit the settings.properties file:
Enter:
vi /opt/novell/devman/jcc/conf/settings.properties
Change the IP address in the remotemgmtip list from the IP address of the failed Administration Console to the address of the new primary Administration Console.
Enter :wq! to save and exit.
Start the services by entering
/etc/init.d/novell-jcc start
For each Windows J2EE agent imported into the Administration Console, you must perform the following steps:
Log in as a user with administration rights.
In the Control Panel, click
> .Select the JCCServer, then click
.In a text editor, open the settings.properties file in the JCC configuration directory:
Windows Server 2003: \Program Files\Novell\devman\jcc\conf
Windows Server 2008: \Program Files (x86)\Novell\devman\jcc\conf
Change the IP address in the remotemgmtip list from the IP address of the failed Administration Console to the address of the new primary Administration Console.
Save your changes and exit.
In the Control Panel, click
>Select the JCCServer, then click
.For each SSL VPN component imported into the Administration Console, you must edit the config.xml file and the settings.properties file on the SSL VPN server and edit the current config and working config XML documents in the configuration store on the new primary Administration Console.
At the SSL VPN machine, log in as the root user.
Open a terminal window and shut down all services by entering the following commands:
/etc/init.d/novell-jcc stop /etc/init.d/novell-tomcat5 stop /etc/init.d/novell-sslvpn stop
Edit the config.xml file:
Enter:
vi /etc/opt/novell/sslvpn/config.xml
Enter /DeviceManagerAddress, then press Enter.
Change the IP address to that of the new primary Administration Console.
Enter :wq! to save and exit.
Edit the settings.properties file:
Enter:
vi /opt/novell/devman/jcc/conf/settings.properties
Change the IP address in the remotemgmtip list from the IP address of the failed Administration Console to the address of the new primary Administration Console.
Enter :wq! to save and exit.
At the new primary Administration Console, open an LDAP browser and edit the CurrentConfig object of the SSL VPN.
IMPORTANT:You should use an LDAP browser for the following steps, rather than iManager. iManager is slow at saving large files, and your iManager connection might time out before your modifications are saved.
Browse to the following container: novell > accessManagerContainer > VCDN_Root > PartitionsContainer > Partition > AppliancesContainer.
A list of devices appears. SSL VPN devices have an sslvpn prefix.
Expand an SSL VPN container, then select the CurrentConfig object.
Select the romaSSLVPNConfigurationXMLDoc attribute and open it.
Copy the contents of the attribute to a text editor.
Search for the <DeviceManagerAddress> element.
Change the IP address of the <DeviceManagerAddress> element so that it matches the IP address of the new primary Administration Console.
Copy the modified document in the text editor to the value field of the romaSSLVPNConfigurationXMLDoc attribute.
Save your changes.
At the new primary Administration Console, edit the WorkingConfig object of the SSL VPN container:
Use an LDAP browser for these steps.
Browse to the SSL VPN object by expanding the following containers: novell > accessManagerContainer > VCDN_Root > PartitionsContainer > Partition > AppliancesContainer.
A list of devices appears.
Expand the SSL VPN container, then select the WorkingConfig object.
Select the romaSSLVPNConfigurationXMLDoc attribute and open it.
Copy the contents of the attribute to a text editor.
Search for the <DeviceManagerAddress> element.
Change the IP address of the <DeviceManagerAddress> element so that it matches the IP address of the new primary Administration Console.
Copy the modified document in the text editor to the value field of the romaSSLVPNConfigurationXMLDoc attribute.
Save your changes.
At the SSL VPN machine, start all services by entering the following commands:
/etc/init.d/novell-jcc start /etc/init.d/novell-tomcat5 start /etc/init.d/novell-sslvpn start
(Conditional) If the SSL VPN server is still not functioning, restart the Linux server by entering reboot.
(Conditional) Repeat this process for each SSL VPN server that has been imported into the Administration Console.
After the secondary console has been promoted to be the primary console, uninstall the Administration Console software of the old primary Administration Console. Before uninstalling, make sure the machine is disconnected from the network. For instructions, see Uninstalling the Administration Console
in the Novell Access Manager 3.1 SP2 Installation Guide.
If you want to use the old primary console as a secondary console, you need to first uninstall the Administration Console software. Connect the machine to the network, then reinstall the software, designating this console as a secondary console.
If you installed your Administration Consoles using the 3.1 version of Access Manager, the backup utility is properly configured.
If you have upgraded the Linux Administration Consoles from 3.0 SP4 to 3.1, you need to modify the defbkparm.sh file before performing a backup.
On the new primary Administration Console, change to the /opt/novell/devman/bin directory.
Open the defbkparm.sh file and find the following lines:
EDIR TREE=<tree_name> EDIR CA=<CA name>
These lines contain values using the hostname of the Administration Console you are on.
Modify these lines to use the hostname of the failed Administration Console.
When you install the primary Administration Console, the EDIR TREE parameter is set to the hostname of the server with _tree appended to it. The EDIR CA parameter is set to the hostname of the server with _tree CA appended to it.
If the failed Administration Console had amlab as its hostname, you would change these lines to have the following values:
EDIR TREE="amlab_tree" EDIR CA="amlab_tree CA"
Save your changes.
Make a backup from your new primary Administration Console.
WARNING:After configuring the secondary console to be the new primary console and performing all the cleanup steps, you cannot restore an old backup from the primary console.
Make a new backup as soon as your new primary console is functional.