Sun Java(TM) System Administration Server 5.2 2005Q1 Administration Guide 

Chapter 6
Configuring Administration Server From the Console

This chapter describes the configuration options you can use with Sun Java System Administration Server: network settings, access settings, encryption settings, and directory settings.

In addition to the procedures described here, you may also configure settings as a quick task. Start by selecting the Administration Server Tasks tab, then click Configure Admin Server.


Network Settings

Network settings affect the way an instance of Administration Server runs. By default, these settings are configured automatically during installation, but you can modify them if your system configuration changes. You can change the following settings from the Administration Server Console:

The port number specifies where an instance of Administration Server listens for messages. It can be any number between 1 and 65535 but, to avoid conflicts with other resources using reserved ports, it is typically a number greater than 1024.

The IP address you specify is the one Administration Server listens on for requests and messages. If you do not specify an IP address, Administration Server listens for traffic on all IPv4 and IPv6 network interfaces available on the host system. On a multihomed host, binding the instance to a dedicated management interface keeps the administration port off networks that have no need to reach it.

Connection restrictions enable you to specify which hosts are allowed to connect to Administration Server. You can list these hosts by DNS name, IP address, or both, and you can use the * wildcard to specify a group of hosts. For instance, entering *.example.com allows all hosts in the example.com domain to access the instance, and entering 192.168.0.* allows all hosts whose IP addresses begin with 192.168.0 to access the instance. When specifying IPv4 address restrictions, you must include all three separating dots; otherwise you receive an error message. A DNS-name restriction is only as trustworthy as the reverse lookup of the connecting address, so prefer IP-address entries where the set of administrative hosts is known.

To Configure Network Settings

  1. From the Server Console navigation tree, select the instance of Administration Server that you want to configure.
  2. Click Open to open the Administration Server management window.
  3. Click the Configuration tab, and then click the Network tab.
  4. Enter the network settings:

    Port. Enter the port number you want this instance of Administration Server to use.

    IP Address. (Optional) Enter the IP address on which to listen for traffic.

    Server UID. The value of this field is the UID of the user who launched Administration Server. If you launched Administration Server as root but want to run the process as a user with fewer privileges, you can change the Server UID through the console; running as a non-root user limits what a compromise of the process can do to the host. Once you have changed the Server UID to a user other than root, you cannot change it again. If you launched Administration Server as a user other than root, you cannot change the Server UID through the console.

    Connection Restrictions. Displays the list of hosts allowed to connect to this instance of Administration Server. Use the drop-down list to specify whether you are adding to the list by DNS name or by IP address. The list is evaluated first by host names, and then by IP addresses.

    Add. Click to display a dialog box for adding a host to the list of computers allowed to connect to this instance of Administration Server.

    Edit. Click to display a dialog box for editing a host IP address or DNS name on the list of computers allowed to connect to this instance of Administration Server.

    Remove. Click to remove the selected entry from the list of allowed hosts.

    Figure 6-1 Configuring Network Settings
    You may configure network settings through the interface.

  5. Click Save.
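The restriction rules described in this section (DNS-name and IPv4 entries, the * wildcard, the three-dot requirement for IPv4 patterns, and host names evaluated before IP addresses) as an added Python example. This is not code from the product or from the Sun documentation. It assumes, beyond what the guide states, that * matches any run of characters within an entry, that an empty list means no restriction, and that the client host name is supplied by the caller from a reverse DNS lookup it has already performed.

```python
"""Allow-list matcher for Administration Server connection restrictions.

Added illustration, not product code. Assumptions the guide does not state:
'*' matches any run of characters within an entry, an empty list means no
restriction, and the client host name comes from a reverse DNS lookup that the
caller has already performed (and which may be missing or attacker-influenced).
"""
import ipaddress
import re
from typing import List, Optional, Tuple

Entry = Tuple[str, str]  # ("dns" | "ip", pattern)

# A DNS label, or a lone '*' standing in for a label.
_LABEL = r"(?:\*|[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?)"
_DNS_ENTRY = re.compile(rf"^{_LABEL}(?:\.{_LABEL})*$")
# An IPv4 octet, or '*' standing in for one octet.
_OCTET = r"(?:\*|25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)"
_IPV4_ENTRY = re.compile(rf"^{_OCTET}\.{_OCTET}\.{_OCTET}\.{_OCTET}$")


def validate_entry(kind: str, entry: str) -> str:
    """Normalize one restriction, rejecting what the console rejects.

    An IPv4 pattern must carry all three separating dots (192.168.* is an
    error, 192.168.0.* is not); DNS names are case-folded.
    """
    entry = entry.strip()
    if kind == "ip":
        if entry.count(".") != 3:
            raise ValueError(f"IPv4 restriction {entry!r} must contain three dots")
        if not _IPV4_ENTRY.match(entry):
            raise ValueError(f"invalid IPv4 restriction {entry!r}")
        return entry
    if kind == "dns":
        if not _DNS_ENTRY.match(entry):
            raise ValueError(f"invalid DNS restriction {entry!r}")
        return entry.lower()
    raise ValueError(f"unknown restriction kind {kind!r}")


def _glob(pattern: str) -> "re.Pattern[str]":
    """Only '*' is a wildcard; every other character is literal."""
    return re.compile("^" + re.escape(pattern).replace(r"\*", ".*") + "$")


def is_allowed(entries: List[Entry], client_ip: str,
               client_host: Optional[str] = None) -> bool:
    """Decide whether a connecting client may reach the instance.

    Host-name entries are consulted first, then IP entries, in the order the
    guide describes. IP entries are IPv4 patterns, so an IPv6 client can only
    be admitted through a DNS-name entry.
    """
    if not entries:
        return True  # assumption: no restrictions configured means open
    addr = ipaddress.ip_address(client_ip)  # raises ValueError on garbage
    host = client_host.lower().rstrip(".") if client_host else None
    checked = [(kind, validate_entry(kind, pattern)) for kind, pattern in entries]
    if host and any(k == "dns" and _glob(p).match(host) for k, p in checked):
        return True
    if addr.version == 4 and any(
            k == "ip" and _glob(p).match(str(addr)) for k, p in checked):
        return True
    return False
```

A client whose address has no reverse record can only match an IP entry, which is one more reason to keep IP entries in the list even when you also allow a DNS domain.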


Access Settings

You can use the Access Settings tab to specify a user name and password for the Administration Server Administrator. The Administration Server Administrator is a special user that has full access to all features in an instance of Administration Server. This user is created during installation so that Server Console can be started when a Directory Server is unavailable. The Administration Server Administrator user name and password are stored in the file ServerRoot/admin-serv/config/admpw. Because this credential does not depend on the directory at all, keep admpw readable only by the Server UID and give this account a password at least as strong as the Directory Manager's.

To Set Administration Server Access Settings

  1. From the Server Console navigation tree, select the instance of Administration Server for which you want to set Access Settings.
  2. Click Open to open the management window for the instance of Administration Server.
  3. Click the Configuration tab, and then click the Access tab.

    Figure 6-2 Configuring Access Settings
    You may configure access settings through the interface.

  4. Enter access information:

    User name. Enter the user ID for the Administration Server Administrator.

    Password. Enter the Administration Server Administrator's password.

    Confirm Password. Enter the password again to confirm it.

  5. Click OK.


Encryption Settings

All Sun Java System servers support the Secure Sockets Layer (SSL) protocol and PKCS #11 APIs for encrypted communication. Encryption protects communication between Administration Server and other servers from eavesdropping and tampering; until SSL is enabled, Server Console sessions with this instance, including administrator logins, travel in the clear. You need to configure Administration Server for SSL if it communicates with SSL-enabled servers.

Before you can use SSL with Administration Server, you must first request and install a certificate, and then activate SSL on the server. The following procedures walk you through requesting and installing a certificate, as well as activating SSL on an instance of Administration Server.

To Request and Install a Certificate for Administration Server

  1. In the Server Console navigation tree, select the instance of Administration Server that you want to install a certificate on.
  2. Click Open to open the management window for the instance of Administration Server.
  3. In the Administration Server management window, open the Console menu, and choose Security > Manage Certificates.
  4. Click the Request button, and then provide information as prompted.

    See Obtaining and Installing a Server Certificate for detailed information.

  5. Once you have a certificate, click the Install button, and then provide information as prompted.

Once you've installed a certificate, activate SSL as described in the next procedure.

To Activate SSL on Administration Server

  1. In the Server Console navigation tree, select the instance of Administration Server that you want to activate SSL encryption on.
  2. Click Open to open the management window for the instance of Administration Server.
  3. Click the Configuration tab.
  4. Click the Encryption tab.
  5. Select "Enable SSL for this server."

    The options in the following steps become available only when you turn on SSL encryption.

  6. Select "Use this cipher family: RSA."
  7. Choose the security device where your key is stored.

    If the key is stored in the local key database, select "Internal (Software-based)." If the key is stored on an external device (such as a SmartCard), select that device.

  8. Choose the certificate you want to use with SSL.

    Certificate information is stored in the certificate database. If you are not sure which certificate to use, view the Certificate Management dialog box for more information: from the Console menu, choose Security > Manage Certificates.

  9. Click the Settings button.
  10. Set the ciphers that this instance of Administration Server should accept when communicating securely with Server Console or other servers.

    First, click a tab for a version of SSL or TLS. Then, choose the ciphers that you want this instance of Administration Server to accept when communicating over that version. SSL 2.0 and SSL 3.0 are no longer considered secure; unless a legacy peer requires them, leave their ciphers deselected and accept ciphers only on the TLS tab.

  11. Select Require Client Authentication if the server must require the client to present a certificate during the SSL handshake.
  12. Click Save.


Directory Settings

Administration Server uses the directory settings to locate the configuration directory and the user directory.

The Configuration Directory

When you install a Sun Java System server, you are prompted for the location of an instance of Directory Server in which to store configuration data. Depending on the way your organization uses directories, you specify either an instance of Directory Server that contains only configuration data or an instance of Directory Server that contains both user and configuration data.

Configuration data is stored under o=NetscapeRoot in the instance of Directory Server that you specify during installation. This subtree is called the configuration directory and contains server settings such as network topology information and server instance entries. When you install a server or change its configuration, the new settings are stored in the configuration directory subtree.

Changing the Host or Port Number

You can designate a different host or port number for the instance of Directory Server containing the configuration directory subtree.


Caution

Changing the Directory Server host name or port number affects the rest of the servers in the server group. If you change a setting here, you must make the same change in every server in the server group.


To Change the Host or Port Number

  1. In the Server Console navigation tree, select the instance of Administration Server whose configuration directory you want to change.
  2. Click Open to open the management window for the instance of Administration Server.
  3. Click the Configuration tab.
  4. Click the Configuration DS tab.
  5. Modify settings as appropriate:

    LDAP Host. Enter the host name of the configuration Directory Server this instance of Administration Server uses.

    LDAP Port. Enter the port number for the configuration Directory Server this instance of Administration Server uses.

    Secure Connection. Check this box if you want to connect securely with the configuration Directory Server. Before choosing this option, make sure the configuration Directory Server running on the specified LDAP Host and LDAP Port already has SSL activated on it; otherwise Administration Server will be unable to connect to its configuration data after you save.

  6. Click Save.

The User Directory

The user directory is stored in a Directory Server subtree that you create. The user directory is used for authentication, user management, and access control. It stores all user and group data, account data, group lists, and access control instructions (ACIs).

You can have more than one user directory in your enterprise. For example, to increase directory performance, one company might deploy three user directories, one in each of three geographic regions. Another company might deploy five user directories, one for each of five mail servers. You can configure an instance of Administration Server to authenticate users against multiple user directories.

If the user and configuration directory subtrees are in different instances of Directory Server, you need to activate pass-through authentication.

User Directory Settings

When you install a Sun Java System server, you are prompted to specify a user directory that is associated with the administration domain in which the server is located. By default, this association is inherited at all levels beneath the administration domain. Server groups and the individual servers within them use the same user directory as the domain.

There may be times when you need to override default user directory settings at the server group or domain level. For example, you may need to change the user directory for a domain when you upgrade to a new Directory Server. Alternatively, you might want to temporarily change the user directory for a server group when you are testing a new instance of Directory Server and do not want to use your existing user directory with it.

User Authentication and Directory Failover Support

When a user logs in to Server Console, the user enters a user ID that is checked against the user directory. If the user ID cannot be authenticated in a user directory, the user cannot successfully log in to Server Console.

You can employ more than one user directory for authenticating user IDs. This is useful when the instance of Directory Server containing your primary user directory is not accessible. If the user directory has been replicated on other hosts, Server Console continues to check the user ID against each user directory in the list until authentication succeeds or there are no more entries in the list. This ability to check multiple instances of Directory Server is called failover support.

To list the user directories to use for failover support, follow the instructions in To Change the User Directory Settings for a Domain or To Change User Directory Settings for a Server Group.

Changing User Directory Settings for a Domain

If you are the configuration administrator, you can change the user directory settings for a domain.


Caution

Changing the Directory Server host name or port number affects the rest of the servers in the administration domain. If you change a setting here, you must restart all the servers in the administration domain.


To Change the User Directory Settings for a Domain

  1. In the Server Console navigation tree, select the administration domain whose directory settings you want to change.
  2. In the right-hand panel of the main Server Console window, click Edit.
  3. Modify domain information as appropriate:

    Domain name. Enter a domain name. Example: example.com

    Description. Enter a name that helps you identify this domain.

    User directory host and port. Specify the location of the new user directory using the host computer's fully qualified domain name and port number. For authentication purposes, you can enter more than one user directory location separated by spaces. Example:

    eastcoast.example.com:389 westcoast.example.com:389

    See User Authentication and Directory Failover Support for more information.

    If you specified more than one location in the "User directory host and port" field, the settings for the remaining fields apply to them all.

    Secure connection. Check this box if you want to connect securely with the user directory. Before choosing this option, make sure that every instance of Directory Server listed in the "User directory host and port" field already has SSL activated on that port.

    User directory subtree. Enter the location of the new user directory. Example: dc=example,dc=com

    This subtree must contain the user directory in all the locations specified in the "User directory host and port" field.

    Bind DN. (Optional) Enter the distinguished name of a user who can access the new user directory. Example: uid=john,ou=people,dc=example,dc=com. Administration Server stores this credential, so choose an account with only the access it needs rather than the Directory Manager.

    Bind password. (Optional) Enter the password of the user specified by the Bind DN.

    Figure 6-3 User Directory Settings
    You may change user directory settings through the interface.

  4. Click Save.
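The failover behaviour described under User Authentication and Directory Failover Support, together with the space-separated host:port list accepted by the "User directory host and port" field above (and by the "LDAP Host and Port" field for a server group), as an added Python example that is not product code: parse the list, then try each directory in listed order until a bind succeeds or the list is exhausted. The LDAP bind itself is a caller-supplied function, and the replica table is constructed sample data so the example runs offline.

```python
"""Failover over several user directory locations.

Added illustration, not product code. The LDAP bind is abstracted as a
callable so the logic runs offline; the replica table below is constructed
sample data, not a real deployment.
"""
import hmac
from typing import Callable, Dict, List, Optional, Tuple

Location = Tuple[str, int]
BindFn = Callable[[str, int, str, str], bool]


class DirectoryUnavailable(Exception):
    """Raised by a bind function when the directory cannot be reached."""


def parse_locations(spec: str) -> List[Location]:
    """Parse "eastcoast.example.com:389 westcoast.example.com:389".

    Each entry must be host:port with a port in 1..65535. An entry without a
    port is rejected rather than defaulted: every location shares the subtree,
    bind DN and Secure connection settings, so a silently assumed port would
    be wrong for an LDAPS replica.
    """
    locations: List[Location] = []
    for item in spec.split():
        host, sep, port_text = item.rpartition(":")
        if not sep or not host or not port_text.isdigit():
            raise ValueError(f"expected host:port, got {item!r}")
        port = int(port_text)
        if not 1 <= port <= 65535:
            raise ValueError(f"port out of range in {item!r}")
        locations.append((host, port))
    if not locations:
        raise ValueError("at least one user directory location is required")
    return locations


def authenticate(spec: str, user_dn: str, password: str,
                 bind: BindFn) -> Tuple[bool, List[str]]:
    """Check a login against each listed directory, in order, until one bind
    succeeds or the list is exhausted, as the guide describes.

    Returns (success, attempt log). Note the trade-off this implies: a wrong
    password is presented to every reachable replica, so each attempt counts
    against any account lockout policy on each of them.
    """
    attempts: List[str] = []
    for host, port in parse_locations(spec):
        where = f"{host}:{port}"
        try:
            if bind(host, port, user_dn, password):
                attempts.append(f"{where}: bind succeeded")
                return True, attempts
            attempts.append(f"{where}: invalid credentials")
        except DirectoryUnavailable as exc:
            attempts.append(f"{where}: unavailable ({exc})")
    return False, attempts


# Constructed sample: two replicas of one user directory, the first one down.
_SAMPLE_REPLICAS: Dict[str, Optional[Dict[str, str]]] = {
    "eastcoast.example.com": None,
    "westcoast.example.com": {"uid=john,ou=people,dc=example,dc=com": "correct horse"},
}


def sample_bind(host: str, port: int, user_dn: str, password: str) -> bool:
    """Stand-in for an LDAP simple bind against the constructed replicas."""
    entries = _SAMPLE_REPLICAS.get(host)
    if entries is None:
        raise DirectoryUnavailable("connection refused")
    expected = entries.get(user_dn)
    if expected is None:
        return False
    return hmac.compare_digest(expected.encode(), password.encode())


if __name__ == "__main__":
    ok, log = authenticate("eastcoast.example.com:389 westcoast.example.com:389",
                           "uid=john,ou=people,dc=example,dc=com",
                           "correct horse", sample_bind)
    print(ok, *log, sep="\n")
```

Keep the attempt log: when a login fails, it shows whether the primary directory was down (an availability problem) or rejected the credentials (an account problem), which the console's single login failure does not distinguish.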

To Change User Directory Settings for a Server Group

  1. In the Server Console navigation tree, expand the server group that you want to change user directory settings for.
  2. Select the instance of Administration Server in the server group.
  3. Click Open to open the management window for the instance of Administration Server.
  4. Click the Configuration tab.
  5. Click the User DS tab.

    Figure 6-4 User Directory Settings For a Group
    You may change user directory settings for a group through the interface.

  6. Modify settings as appropriate:

    Use Default User Directory. Select this option if you want to use the default user directory associated with the domain.

    Set User Directory. Select this option if you want to use a user directory other than the default associated with the domain.

    LDAP Host and Port. Specify the location of the user directory using the host computer's fully qualified domain name and port number. For authentication purposes, you can enter more than one user directory location separated by spaces. Example:

    eastcoast.example.com:389 westcoast.example.com:389

    See User Authentication and Directory Failover Support for more information.

    If you specified more than one location in the "LDAP Host and Port" field, the settings for the remaining fields apply to them all.

    Secure Connection. Check this box if you want to connect securely with the user directory. Before choosing this option, make sure that every instance of Directory Server listed in the "LDAP Host and Port" field already has SSL activated on that port.

    User Directory Subtree. Enter the location of the new user directory. Example: dc=example,dc=com

    This subtree must contain the user directory in all the locations specified in the "LDAP Host and Port" field.

    Bind DN. (Optional) Enter the distinguished name of a user who can access the new user directory. Example: uid=john,ou=people,dc=example,dc=com. Administration Server stores this credential, so choose an account with only the access it needs rather than the Directory Manager.

    Bind Password. (Optional) Enter the password of the user specified by the Bind DN.

  7. Click Save.





Part No: 817-7612-10.   Copyright 2005 Sun Microsystems, Inc. All rights reserved.