24.2 Migrating Identity Server from Windows to RHEL

24.2.1 Prerequisites for Migrating Identity Server

  • Ensure that the system meets the requirements for Identity Server.

    For information about the requirements, see NetIQ Access Manager System Requirements.

  • Determine if you want to reuse an existing IP address or use a new IP address for the migration process.

  • Ensure that the time of Identity Server is synchronized with the time of Administration Console.

  • Ensure that Administration Console is running. See Installing Administration Console.

  • If you installed Administration Console on a separate machine, ensure that the DNS names resolve between Identity Server and Administration Console.

  • Ensure that the following ports are open on both Administration Console and Identity Server:

    • 8444
    • 1443
    • 1289
    • 1290
    • 524
    • 636

    For information about ports, see Configuring the Administration Console Firewall.

  • You must establish a static IP address for your Identity Server to reliably connect with other Access Manager components. If the IP address changes, Identity Server can no longer communicate with Administration Console.

  • Ensure that the following RHEL RPMs are installed on the machine:

    • ncurses-libs.i686

    • createrepo

    • yum-utils

    • ntp

    • glibc.i686

    • nss-softokn-freebl.i686

    • libgcc.i686

    • libstdc++.i686

    • rsyslog.x86_64

    • rsyslog-gnutls.x86_64

    • unzip

    • bind-utils

    • net-tools

    • zip

    • net-snmp

    • expat

    For installing RHEL packages manually, see Installing Packages and Dependent RPMs on RHEL for Access Manager.

    NOTE: You can choose to install these RPMs automatically along with the Access Manager installation. While installing Access Manager, specify N when you get the following prompt:

    Enter the local mount directory if you have the OS ISO mounted locally. This will be used as the local catalog for the additional rpms.
    Do you have a locally mounted ISO (y/n)?

    The Access Manager installer checks the online catalog and then installs the required RPMs automatically.

  • gettext

  • python (interpreter)

  • (Conditional) If the Identity Server cluster has been assigned to delegated administrators, remove them before migration and re-add them after the migration is complete.

    If you do not perform this action, the delegated administrators will not be able to log in and configure devices assigned to them. You must manually re-create these administrators and assign the respective devices.

    For more information about delegated users, see Managing Delegated Administrators in the NetIQ Access Manager 5.0 Administration Guide.

  • Ensure that you have physical access to the server or server console (in case of VMware setups) as a root user and that you are familiar with iptables.

  • Back up the customized files.
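
A preflight check for the RPM and port prerequisites above. This is an added example, not part of the product or its documentation; the script name, function names and the sample package list are assumptions made for illustration. It shows why an architecture-aware check matters: a 64-bit glibc does not satisfy the glibc.i686 requirement.

```sh
#!/bin/sh
# Added example: preflight check for the prerequisites above (not vendor tooling).
# Usage on the RHEL machine: sh preflight.sh <administration-console-host>

# RPMs from the prerequisites list. An entry with an architecture suffix must
# match that architecture; a bare name matches any architecture.
REQUIRED_RPMS="ncurses-libs.i686 createrepo yum-utils ntp glibc.i686
nss-softokn-freebl.i686 libgcc.i686 libstdc++.i686 rsyslog.x86_64
rsyslog-gnutls.x86_64 unzip bind-utils net-tools zip net-snmp expat"

# Ports from the prerequisites list.
REQUIRED_PORTS="8444 1443 1289 1290 524 636"

# Constructed sample of installed packages (NAME.ARCH): 64-bit glibc only.
SAMPLE_INSTALLED="glibc.x86_64
createrepo.noarch
rsyslog.x86_64
libstdc++.i686"

# stdin: installed packages as NAME.ARCH lines. stdout: required RPMs not found.
missing_rpms() {
    installed=$(cat)
    names=$(printf '%s\n' "$installed" | sed 's/\.[^.]*$//')
    for req in $REQUIRED_RPMS; do
        case "$req" in
            *.i686|*.x86_64) have=$installed ;;   # exact NAME.ARCH match
            *)               have=$names ;;       # name only, any architecture
        esac
        printf '%s\n' "$have" | grep -qxF -- "$req" || echo "$req"
    done
}

# $1: host. stdout: required ports on which a TCP connect fails within 3 seconds.
closed_ports() {
    for port in $REQUIRED_PORTS; do
        timeout 3 bash -c 'exec 3<>"/dev/tcp/$1/$2"' _ "$1" "$port" 2>/dev/null ||
            echo "$port"
    done
}

if [ $# -ge 1 ]; then
    rpm -qa --qf '%{NAME}.%{ARCH}\n' | missing_rpms | sed 's/^/missing RPM: /'
    closed_ports "$1" | sed 's/^/no TCP connect to port: /'
fi
```

A port reported by closed_ports may be blocked by a firewall or may have no service listening on it; the check covers only the direction from this machine to Administration Console.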

24.2.2 Supported Migration Scenario

Using the Existing IP Address

  1. Back up the customized files on the Access Manager 4.5.x setup.

  2. Note down the IP address of Windows Identity Server.

  3. Stop and remove Identity Server from the cluster on the Windows machine.

  4. Delete the Identity Server that you removed from the Identity Servers cluster.

  5. Switch off the Windows machine.

  6. On the RHEL machine, change the IP address to the IP address of Windows Identity Server that you noted in step 2.

  7. On the RHEL machine, use the NetIQ Access Manager 5.0.x installer to install Identity Server.

  8. Add 5.0.x Identity Server to the existing Identity Server cluster in 5.0.x Administration Console on RHEL.

  9. Update Identity Server and apply changes.

  10. Restore customized files from the backup taken earlier.

Using a New IP Address

  1. Back up the customized files on the Access Manager 4.5.x setup.

  2. Use the NetIQ Access Manager 5.0.x installer to install Identity Server on the RHEL machine.

  3. Add Identity Server to the existing Identity Server cluster in 5.0.x Administration Console on RHEL.

  4. Update Identity Server and apply changes.

  5. Restore any customized files from the backup taken earlier.

  6. Delete older Identity Servers on the Windows machine.

24.2.3 Migrating Identity Server

NOTE: If you are migrating Identity Server using a new IP address, skip Step 1 to Step 5.

  1. (When using the existing IP address) Note down the IP address of Windows Identity Server.

  2. (When using the existing IP address) Remove the existing Identity Server from Administration Console on the Windows machine.

    Do not delete the Identity Server cluster as this will be used later.

    1. In Administration Console, click Devices > Identity Servers.

    2. Select the server and click Stop.

    3. Select the server > Actions > Remove from cluster.

    4. Update the cluster configuration.

  3. (When using the existing IP address) Delete the Identity Server that you removed from the Identity Servers cluster.

  4. (When using the existing IP address) Switch off the Windows machine on which 4.5.x Identity Server was installed.

  5. (When using the existing IP address) On the RHEL machine, change the IP address.

    1. Go to /etc/sysconfig/network-scripts/.

    2. Open the ifcfg-Profile_1 file and change the IP address to the IP address noted in Step 1.

    3. Open the /etc/hosts file and change the IP address to the IP address noted in Step 1.

    4. Reboot the machine.

    5. SSH to the RHEL machine with the changed IP address.

  6. On the RHEL machine, download the installer file from Micro Focus Downloads, extract the tar.gz file by using the tar -xzvf <filename> command, and change to the novell-access-manager directory.

  7. At the command prompt, run ./install.sh.

  8. When prompted to install a product, specify 2, Install Identity Server, and press Enter.

    The following warning is displayed:

    Warning: If NAT is present between this machine and Administration Console, configure NAT in Administration Console.
    Exit this installation if NAT is not configured in Administration Console.
    Would you like to continue (y/n)? 

    For information about configuring NAT, see Configuring Administration Console Behind NAT.

  9. Specify Y to proceed.

  10. Review and accept the license agreement.

  11. Verify that the required RPMs are of the latest versions. Specify Y to proceed.

  12. Specify the IP address, user ID, and password of 5.0.x Administration Console that is migrated to RHEL.

  13. Specify the IP address of Access Manager Server Communications Local Listener. Specify the local NAT IP address if local NAT is available for Identity Server.

    If the installation program rejects the credentials and IP address, ensure that the correct ports are open on both Administration Console and Identity Server.

  14. Go to the migrated Administration Console and verify whether this Identity Server is added.

  15. Restore customized files from the backup taken earlier. To restore files, add files by using Advanced File Configurator to the locations listed in the following table:

    For information about how to add files by using Advanced File Configurator, see Adding Configurations to a Cluster in the NetIQ Access Manager 5.0 Administration Guide.

    Location on Windows                                             | Location on RHEL
    ----------------------------------------------------------------+-------------------------------------------------
    C:\Program Files\Novell\Tomcat\conf\server.xml                  | /opt/novell/nam/idp/conf/server.xml
    C:\Program Files\Novell\Tomcat\conf\web.xml                     | /opt/novell/nam/idp/webapps/nidp/WEB-INF/web.xml
    C:\Program Files\Novell\Tomcat\webapps\nidp\config              | /opt/novell/nam/idp/webapps/nidp/config
    C:\Program Files\Novell\Tomcat\webapps\nidp\images              | /opt/novell/nam/idp/webapps/nidp/images
    C:\Program Files\Novell\jre\lib\security\bcsLogin.conf.template | /opt/novell/java/jre/lib/security/bcslogin.conf
    C:\Program Files\Novell\Tomcat\webapps\nidp\jsp                 | /opt/novell/nam/idp/webapps/nidp/jsp
    C:\Program Files\Novell\Tomcat\webapps\nidp\WEB-INF\classes     | /opt/novell/nam/idp/webapps/nidp/WEB-INF/classes

  16. Add the newly installed Identity Server to the existing Identity Servers cluster.

    For more information, see Configuring Identity Servers Clusters in the NetIQ Access Manager 5.0 Administration Guide.

    The cluster object stores all the existing Identity Server configurations. The newly added Identity Servers inherit these configurations.

  17. On the newly added Identity Server, restart Tomcat by using the /etc/init.d/novell-idp restart or systemctl restart novell-idp.service command.

  18. Repeat these steps to add other Identity Servers to the Identity Server cluster.