24.3 Migrating Access Gateway from Windows to RHEL

24.3.1 Prerequisites for Migrating Access Gateway

  • Ensure that the system meets the requirements for Access Gateway.

    For information about the requirements, see NetIQ Access Manager System Requirements.

  • Timeout Per Protected Resource (TOPPR) is enabled and applied in the Access Gateway. In the Administration Console, click Devices > Access Gateways > Edit, then click Enable Timeout Per Protected Resource.

    If the Enable Timeout Per Protected Resource option has already been applied, it will not be displayed on the screen.

  • You have physical access to the server or server console (in case of VMware setups) as a root user and are familiar with firewall configurations. The required ports must be opened in the firewall. For more information about the ports, see Section 1.8.1, Required Ports.

  • Ensure that you have migrated all Administration Consoles and Identity Servers before migrating Access Gateway Service.

  • Back up all customized files.

  • Verify that the time on the machine is synchronized with the time on Administration Console. If the times differ, Access Gateway Service is not imported to Administration Console.

  • If a firewall separates the machine and Administration Console, ensure that the required ports are opened. See Table 1-3.

  • Because Access Gateway Service runs as a service, the default ports (80 and 443) that Access Gateway Service uses might conflict with the ports of other services running on the machine. If there is a conflict, you need to decide which ports each service can use.

  • Ensure that the following RHEL RPMs are installed on the machine:

    • ncurses-libs.i686

    • createrepo

    • yum-utils

    • ntp

    • glibc.i686

    • nss-softokn-freebl.i686

    • libgcc.i686

    • libstdc++.i686

    • rsyslog.x86_64

    • rsyslog-gnutls.x86_64

    • unzip

    • bind-utils

    • net-tools

    • zip

    • net-snmp

    • expat

    For installing RHEL packages manually, see Installing Packages and Dependent RPMs on RHEL for Access Manager.

    NOTE: You can choose to have these RPMs installed automatically along with the Access Manager installation. While installing Access Manager, specify N when you get the following prompt:

    Enter the local mount directory if you have the OS ISO mounted locally. This will be used as the local catalog for the additional rpms.
    Do you have a locally mounted ISO (y/n)?

    The Access Manager installer checks the online catalog and then installs the required RPMs automatically.

  • 2 to 10 GB hard disk space per reverse proxy that requires caching and for log files. The amount varies with rollover options and the logging level that you configure.

  • A static IP address and a DNS name. The ActiveMQ module of Access Gateway Service must be able to resolve the machine’s IP address to a DNS name. If the module can’t resolve the IP address, the module does not start.

  • Other Access Manager components must not be installed on the same machine.
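
A preflight check for three of the prerequisites above (required RPMs, conflicts on ports 80 and 443, and reverse DNS resolution), given as an added example and not as part of the Access Manager installer. The function names and the script name preflight.sh are assumptions made for this illustration.

```shell
#!/bin/sh
# Added preflight sketch for the prerequisites above (not vendor code).

REQUIRED_RPMS="ncurses-libs.i686 createrepo yum-utils ntp glibc.i686 \
nss-softokn-freebl.i686 libgcc.i686 libstdc++.i686 rsyslog.x86_64 \
rsyslog-gnutls.x86_64 unzip bind-utils net-tools zip net-snmp expat"

# Print every required package that `rpm -q` does not report as installed.
missing_rpms() {
    for pkg in $REQUIRED_RPMS; do
        rpm -q "$pkg" >/dev/null 2>&1 || printf '%s\n' "$pkg"
    done
}

# Read `ss -ltnp` output on stdin and print listeners already bound to the
# default Access Gateway ports (80 and 443). Field 4 is Local Address:Port,
# field 6 (present when run as root) names the owning process.
port_conflicts() {
    awk '$1 == "LISTEN" && $4 ~ /:(80|443)$/ { print $4 ($6 ? " " $6 : "") }'
}

# Succeed only if the IP address resolves to a name, which the ActiveMQ
# module needs in order to start. Prints the first name the resolver returns.
reverse_name() {
    getent hosts "$1" | awk 'NR == 1 { print $2 }' | grep .
}

# Run all three checks for the given IP address; non-zero exit on any failure.
preflight() {
    ip=$1 rc=0
    m=$(missing_rpms)
    [ -z "$m" ] || { echo "missing RPMs:"; echo "$m"; rc=1; }
    c=$(ss -ltnp 2>/dev/null | port_conflicts)
    [ -z "$c" ] || { echo "ports 80/443 already in use:"; echo "$c"; rc=1; }
    reverse_name "$ip" >/dev/null || { echo "no DNS name for $ip"; rc=1; }
    return $rc
}

# Run only when an IP address is given, for example: sh preflight.sh 192.0.2.10
[ "$#" -eq 0 ] || preflight "$1"
```

Run it as root so that ss can report which process owns a conflicting listener.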

24.3.2 Supported Migration Scenario

Migrating Access Gateway Using an Existing IP Address

  1. Back up the customized files on the Access Manager 4.5.x setup.

  2. Note down the IP address and hostname of Windows Access Gateway.

  3. Switch off the Windows device.

  4. On the RHEL machine, change the IP address and hostname to the IP address and hostname of Windows Access Gateway that you noted in step 2.

  5. On the RHEL machine, use the NetIQ Access Manager 5.0.x installer to install Access Gateway using the existing IP address you noted in step 2.

  6. On the Administration Console RHEL machine, go to the novell-access-manager folder and run sh scripts/migrate_post_ag.sh.

  7. Provide the username and password of the Administration Console administrator.

  8. Restart Access Gateway.

  9. Restart Administration Console.

  10. Update Access Gateway and apply changes.

  11. Restore any customized files from the backup taken earlier.

Migrating Access Gateway Using a New IP Address

  1. Back up the customized files on the Access Manager 4.5.x setup.

  2. Use the NetIQ Access Manager 5.0.x installer to install Access Gateway on RHEL.

  3. Add the newly installed Access Gateway with a new IP address to the existing Access Gateway cluster in the migrated Administration Console.

  4. Update Access Gateway and apply changes.

  5. Restore any customized files from the backup taken earlier.

  6. Convert the newly added Access Gateway node to the master node.

  7. Delete the older Access Gateway on Windows.

24.3.3 Migrating Access Gateway

  1. (When using the existing IP address) Note down the IP address and hostname of 4.5.x Access Gateway on the Windows machine.

  2. (When using the existing IP address) Switch off the Windows machine on which 4.5.x Access Gateway is installed.

  3. (When using the existing IP address) On the RHEL machine, change the IP address and hostname.

    1. Go to /etc/sysconfig/network-scripts/.

    2. Open the ifcfg-Profile_1 file and change the IP address to the IP address that you noted in Step 1.

    3. Open the /etc/hosts file and change the IP address and hostname to the IP address and hostname that you noted in Step 1.

    4. Open the /etc/hostname file and change the hostname to the hostname you noted in Step 1.

    5. Reboot the machine.

    6. SSH to the RHEL machine with the changed IP address.

  4. On the RHEL machine, download the installer file from Micro Focus Downloads, extract the tar.gz file by using the tar -xzvf <filename> command, and change to the novell-access-manager directory.

  5. At the command prompt, run ./ag_install.sh.

  6. Review and accept the License Agreement.

  7. (Optional) Specify the local NAT IP address if the local NAT is available for Access Gateway.

  8. Specify the IP address, user ID, and password of the migrated Administration Console.

  9. (When using the existing IP address) Specify the existing IP address of Access Gateway that you noted in Step 1.

    (When using a new IP address) Specify the IP address of Access Gateway.

  10. Go to the migrated Administration Console and verify whether this Access Gateway is added.

  11. Add the newly installed Access Gateway to the existing Access Gateway cluster.

    For more information, see Access Gateways Clusters in the NetIQ Access Manager 5.0 Administration Guide.

    The cluster object stores all the existing Access Gateway configurations. The newly added Access Gateway inherits these configurations.

  12. Convert the newly added Access Gateway node to the master node.

    1. Click Devices > Access Gateways > [Name of Cluster] > Edit.

    2. In the Primary Server list, select Access Gateway and click OK.

  13. Delete the older Access Gateway on Windows.

  14. (When using the existing IP address) Perform the following steps on the Administration Console RHEL machine:

    1. Run sh scripts/migrate_post_ag.sh.

    2. Specify the username and password of the Administration Console administrator.

    3. Restart Access Gateway by running the /etc/init.d/novell-appliance restart command.

    4. Restart Administration Console by running the /etc/init.d/novell-ac restart command.

  15. Restore customized files from the backup taken earlier. To restore files, add files by using Advanced File Configurator to the locations listed in the following table.

    For information about how to add files by using Advanced File Configurator, see Adding Configurations to a Cluster in the NetIQ Access Manager 5.0 Administration Guide.

    Location on Windows                                                Location on RHEL

    C:\Program Files\Novell\Tomcat\conf\web.xml                        /opt/novell/nam/mag/conf/web.xml
    C:\Program Files\Novell\Tomcat\webapps\nesp\WEB-INF\web.xml        /opt/novell/nam/mag/webapps/nesp/WEB-INF/web.xml
    C:\Program Files\Novell\Tomcat\webapps\nesp\jsp                    /opt/novell/nam/mag/webapps/nesp/jsp
    C:\Program Files\Novell\Tomcat\webapps\nesp\html                   /opt/novell/nam/mag/webapps/nesp/html
    C:\Program Files\Novell\Tomcat\webapps\nesp\images                 /opt/novell/nam/mag/webapps/nesp/images
    C:\Program Files\Novell\Tomcat\webapps\agm\WEB-INF\config\current  /opt/novell/nam/mag/webapps/agm/WEB-INF/config/current
    C:\Program Files\Novell\Tomcat\webapps\nesp\config                 /opt/novell/nam/mag/webapps/nesp/config

Repeat these steps to add other Access Gateways to the Access Gateway cluster.

IMPORTANT: When you configure more than 60 proxy services, Apache fails to start. RHEL has 128 semaphore arrays by default, which is inadequate for more than 60 proxy services. Apache 2.4 requires a semaphore array for each proxy service.

You must increase the number of semaphore arrays depending on the number of proxy services you are going to use. Perform the following steps to increase the number of semaphore arrays to the recommended value:

  1. Open /etc/sysctl.conf.

  2. Add kernel.sem = 250 256000 100 1024

    This creates the following:

    Maximum number of arrays = 1024 (number of proxy services x 2)

    Maximum semaphores per array = 250

    Maximum semaphores system-wide = 256000 (Maximum number of arrays x Maximum semaphores per array)

    Maximum ops per semop call = 100

  3. Use the sysctl -p command to update changes.

  4. Start Apache.
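
The sizing rule from step 2, as an added helper that is not part of the product. It builds the kernel.sem line for a given number of proxy services and checks whether the current setting already provides enough arrays. The function names, the script name semcheck.sh and the defaults of 250 and 100 (taken from the line above) are assumptions of this example.

```shell
#!/bin/sh
# Added helper (not vendor code): size kernel.sem for N proxy services.
# kernel.sem field order is: SEMMSL SEMMNS SEMOPM SEMMNI
#   SEMMSL = max semaphores per array    SEMMNS = max semaphores system-wide
#   SEMOPM = max ops per semop call      SEMMNI = max number of arrays

# Print the sysctl.conf line for a proxy-service count, using the sizing
# described above: arrays = services x 2, system-wide = arrays x per-array.
sem_line() {
    services=$1 per_array=${2:-250} ops=${3:-100}
    arrays=$((services * 2))
    printf 'kernel.sem = %d %d %d %d\n' \
        "$per_array" "$((arrays * per_array))" "$ops" "$arrays"
}

# Given the current kernel.sem value (four numbers in one string) and a
# proxy-service count, succeed if SEMMNI already covers services x 2.
sem_arrays_ok() {
    set -- $1 "$2"    # split the four values into $1..$4; the count is $5
    [ "$#" -eq 5 ] && [ "$4" -ge $(( $5 * 2 )) ]
}

# Report against the running kernel, for example: sh semcheck.sh 512
if [ "$#" -eq 1 ]; then
    current=$(cat /proc/sys/kernel/sem)
    if sem_arrays_ok "$current" "$1"; then
        echo "kernel.sem ($current) is sufficient for $1 proxy services"
    else
        echo "add to /etc/sysctl.conf, then run sysctl -p:"
        sem_line "$1"
    fi
fi
```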