24.1 Migrating Administration Console from Windows to RHEL

24.1.1 Prerequisites for Migrating Administration Console

In addition to the following prerequisites, ensure that you also meet the hardware and software requirements for Administration Console. See NetIQ Access Manager System Requirements.

  • A new IP address that will be used temporarily during the primary Administration Console migration.

  • Timeout Per Protected Resource (TOPPR) is enabled and applied in Access Gateway. In Administration Console, click Devices > Access Gateways > Edit, then click Enable Timeout Per Protected Resource.

    If the Enable Timeout Per Protected Resource option has already been applied, it is not displayed.

  • The time on the primary and secondary Administration Consoles is synchronized. You can ensure this by configuring the machines to use the same network time server for time synchronization.

  • The health status for all devices in Administration Console is green.

    For more information, see Monitoring Server Health in the NetIQ Access Manager 5.0 Administration Guide.

  • You have physical access to the server or server console (in case of VMware setups) as a root user, and you are familiar with iptables.

  • The required ports are opened in the firewall. For more information about ports, see Section 1.8.1, Required Ports.

  • Note down the contracts selected under the Satisfies contract list of SAML 2.0 and Liberty identity providers. These are under Devices > Identity Servers > Edit > [Protocol] > [Identity Provider] > Authentication Card.

    You must manually configure these contracts after migration. This configuration will be effective after the Identity Server migration is done.

  • The hostname of the new 5.0.x Administration Console must be different from the existing 4.5.x primary and secondary Administration Consoles.

  • Ensure that the /etc/hosts file of the system where you are installing Access Manager has the hostname and IP address for the new Administration Console server. If the hostname of Administration Console is not listed in DNS, the hosts file is used to resolve the hostname of the machine to a valid IP address.

  • Ensure that the following RHEL RPMs are installed on the machine:

    • ncurses-libs.i686

    • createrepo

    • yum-utils

    • ntp

    • glibc.i686

    • nss-softokn-freebl.i686

    • libgcc.i686

    • libstdc++.i686

    • rsyslog.x86_64

    • rsyslog-gnutls.x86_64

    • unzip

    • bind-utils

    • net-tools

    • zip

    • net-snmp

    • expat

    For installing RHEL packages manually, see Installing Packages and Dependent RPMs on RHEL for Access Manager.

    NOTE: You can choose to install these RPMs automatically along with the Access Manager installation. While installing Access Manager, specify N when you get the following prompt:

    Enter the local mount directory if you have the OS ISO mounted locally. This will be used as the local catalog for the additional rpms.
    Do you have a locally mounted ISO (y/n)?

    The Access Manager installer checks the online catalog and then installs the required RPMs automatically.
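
The RPM, hosts file and hostname prerequisites above can be checked before the installer is started. The following script is an added example, not part of the vendor documentation or installer; the function names, the HOSTS_FILE override and the "no other address" rule in hosts_maps are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not vendor code). REQUIRED_RPMS is copied from the page.
REQUIRED_RPMS="ncurses-libs.i686 createrepo yum-utils ntp glibc.i686
nss-softokn-freebl.i686 libgcc.i686 libstdc++.i686 rsyslog.x86_64
rsyslog-gnutls.x86_64 unzip bind-utils net-tools zip net-snmp expat"

# Print each required package the query command reports as not installed.
# $1 overrides the query command (default "rpm -q", which exits non-zero for
# an absent package) so the check can be exercised on a non-RHEL machine.
missing_rpms() {
    query=${1:-"rpm -q"}
    for pkg in $REQUIRED_RPMS; do
        $query "$pkg" >/dev/null 2>&1 || printf '%s\n' "$pkg"
    done
}

# Succeed only if hosts file $1 maps hostname $2 to IP $3 and to no other
# address. The "no other address" rule is an added assumption: a leftover
# loopback entry for the hostname would otherwise pass unnoticed.
hosts_maps() {
    awk -v h="$2" -v ip="$3" '
        { sub(/#.*/, "") }                      # ignore comments
        { for (i = 2; i <= NF; i++) if (tolower($i) == tolower(h)) {
              if ($1 == ip) good = 1; else bad = 1 } }
        END { exit !(good && !bad) }' "$1"
}

# Succeed only if hostname $1 differs, ignoring case, from every remaining
# argument (the existing 4.5.x primary and secondary console hostnames).
hostname_is_new() {
    new=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]'); shift
    for old in "$@"; do
        [ "$new" != "$(printf '%s' "$old" | tr '[:upper:]' '[:lower:]')" ] || return 1
    done
}

# preflight NEW_HOSTNAME NEW_IP OLD_HOSTNAME... (HOSTS_FILE: hypothetical override)
preflight() {
    host=$1 ip=$2; shift 2; rc=0
    miss=$(missing_rpms | tr '\n' ' ')
    [ -z "$miss" ] || { echo "missing RPMs: $miss"; rc=1; }
    hosts_maps "${HOSTS_FILE:-/etc/hosts}" "$host" "$ip" ||
        { echo "hosts file: $host must map only to $ip"; rc=1; }
    hostname_is_new "$host" "$@" ||
        { echo "hostname $host is already used by a 4.5.x console"; rc=1; }
    return "$rc"
}

if [ "$#" -ge 2 ]; then preflight "$@"; fi
```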

24.1.2 Supported Migration Scenarios

Identify the scenario that best describes your migration environment and review the appropriate steps before you begin the process of migration.

Administration Console, Identity Server, and Access Gateway Service Are Installed on Different Servers

  1. Migrate the primary Administration Console.

  2. Migrate Identity Server.

  3. Migrate Access Gateway Service.

Administration Console and Identity Server Are on the Same Server, and Access Gateway Service Is on a Different Server

  1. Migrate the primary Administration Console.

  2. Migrate Identity Server.

  3. Migrate Access Gateway Service.

Secondary Administration Console and Identity Server Are on the Same Server

  1. Migrate the primary Administration Console.

  2. Migrate the secondary Administration Console.

  3. Migrate Identity Server.

Administration Console and Identity Server Are on the Same Server

  1. Migrate Administration Consoles.

  2. Migrate Identity Server.

NOTE: If the device has multiple interfaces, manually configure the primary IP address on each NIC.

To do this, run the system-config-network command from the terminal. Use the Device Configuration option to configure the interfaces.

24.1.3 Migrating Primary Administration Console

IMPORTANT: Before you proceed with the migration process, ensure that you have followed the instructions in the Prerequisites for Migrating Administration Console.

If you have multiple components installed on the same server, before starting migration of any component, ensure that the migration prerequisites of all components are met.

  1. Back up the 4.5.x primary Administration Console configuration by using C:\Program Files\Novell\bin\ambkup.bat.

  2. Copy the backup zip file to /tmp or any other folder on the new RHEL machine where you plan to install 5.0.x Administration Console.

  3. Download the installer file from Micro Focus Downloads and extract the tar.gz file using the tar -xzvf <filename> command.

    For example, tar -xzvf novell-access-manager-5.0.1.0-760.tar.gz

  4. Browse to the novell-access-manager folder.

  5. Run the install_and_migrate.sh script from the folder to migrate the primary Administration Console from 4.5.x to 5.0.x.

  6. Accept the license agreement by entering y when the system prompts you.

  7. Type Y and press Enter when the installation confirmation message is displayed.

  8. Specify the following details:

    • Access Manager 4.5.x primary Administration Console IP address

    • Access Manager administration user ID

    • Access Manager administration password. Re-enter the password for verification.

  9. Specify 1 as the replica number.

  10. Select the 5th replica option from the list when prompted.

    5. Designate this server as the new master replica

  11. Type I Agree when prompted.

  12. Specify the administrator name and password. The name must be in leading dot notation. For example, .admin.novell

  13. Remove the eDirectory replica ring of the Windows server.

    1. Run the /opt/novell/eDirectory/bin/ndsrepair -P -Ad -a command. This step might take about 5-7 minutes.

    2. Specify 1 when prompted to enter a replica number.

    3. Specify 10 (10. View Replica Ring).

    4. Specify 1 to remove the Windows replica.

    5. Specify 6 (6. Remove this server from replica ring).

    6. Specify the administrator’s username and password. The username must be in leading dot notation. For example, .admin.novell

    7. Specify I Agree when prompted.

      The Windows replica is removed.

    8. Run the ndsstat -r command and verify whether the Windows replica is removed.

  14. Shut down 4.5.x Administration Console.

  15. Change the IP address of 5.0.x Administration Console to the old primary Administration Console IP address.

    1. On the 5.0.x Administration Console machine, go to /etc/sysconfig/network-scripts/.

    2. Open the ifcfg-Profile_1 file and replace the IP address with the old Windows Administration Console IP address.

    3. Open the /etc/hosts file and replace the IP address with the old Windows Administration Console IP address.

  16. Run the install_and_migrate.sh script from the novell-access-manager folder again to complete the installation.

  17. Specify Y for Would you like to continue this installation (y/n)?.

  18. Specify the location of the 4.5.x backup file with an absolute path. For example, /tmp/<filename>.

  19. Specify the username and password for decrypting the backup file.

  20. Specify Access Manager administration username and password.

  21. Continue with Removing Windows Administration Console Objects.

Removing Windows Administration Console Objects

Remove any traces of Windows Administration Console replicas from the configuration datastore.

  1. In Administration Console Dashboard, click <user name> at the top right of the page and then click Configure Console.

  2. Click Objects.

  3. In the tree view, click novell.

  4. Delete all objects that reference Windows Administration Console. You should find the following types of objects:

    • SAS Service object with the hostname of Windows Administration Console

    • An object that starts with the last octet of the IP address of Windows Administration Console

    • DNS AG object with the hostname of Windows Administration Console

    • DNS IP object with the hostname of Windows Administration Console

    • SSL CertificateDNS with the hostname of Windows Administration Console

    • SSL CertificateIP with the hostname of Windows Administration Console

    • NCP server object

  5. Run the /opt/novell/eDirectory/bin/ndsstat -r command to view the list of available replicas. If you still see the replica that you deleted from Other Known Device Manager Servers, continue with Step 6.

  6. (Conditional) Perform the following steps:

    1. Log in to Administration Console as a root user.

    2. Change to the /opt/novell/eDirectory/bin directory.

    3. Run the ndsrepair -P -Ad command.

    4. Select the replica and click View replica ring. Select the name of the replica that is visible and click Remove this server from replica ring.

    5. Specify the DN of the admin user in leading dot notation. For example, .admin.novell.

    6. Specify the password and select I Agree.

24.1.4 Migrating Secondary Administration Console

Perform a fresh installation of Administration Console. See Installing Secondary Administration Console in the NetIQ Access Manager 5.0 Administration Guide.