Sun Java logo     Previous      Contents      Index      Next     

Sun logo
Sun Java System Portal Server 6 2004Q2 Migration Guide 

Chapter 12
Upgrading from Sun ONE Identity Server 5.1 to Sun™ ONE Identity Server 6.1

Note

All instances of the Sun™ ONE Identity Server 5.1 product refer to what was formerly known as the iPlanet™ Directory Server Access Management Edition 5.1 product.

This chapter provides an overview and a description of the process required to upgrade Sun ONE Identity Server 5.1 software to Sun ONE Identity Server 6.1 software in order to upgrade your Sun™ ONE Portal Server system from the 6.0 software release to the 6.2 software release.

This chapter contains the following sections:

Overview Sun ONE Identity Server Upgrade Process

The Sun ONE Identity Server 5.1 (5.1a for application servers) to Sun ONE Identity Server 6.1 upgrade process involves the following high-level steps:

  1. Backing up the existing installation of the Sun ONE Identity Server 5.1 and the web container.
  2. Running Sun ONE Portal Server 6.2 preupgrade script to remove the Sun ONE Portal Server 6.0 packages and backup any Sun ONE Portal Server modified templates.
  3. Upgrading the web container.
  4. Uninstalling Sun ONE Identity Server 5.1 product components and the schema, but not the Sun™ ONE Directory Server 5.1 installation.
  5. Upgrading the existing Sun ONE Directory Server with the Sun ONE Identity Server 6.1 schema changes.
  6. Retaining the top level entry of your Directory Information Tree (DIT)
  7. Installing Sun ONE Identity Server 6.1 component software on the existing Directory Server 5.1 installation.
  8. Migrating Sun ONE Identity Server 5.1 services, policies, authentication entries, and top level organization data to the Sun ONE Identity Server 6.1 format.

    Note

    The steps in the process must be performed in the order they are listed here.

It is expected that the person performing the upgrade procedure is familiar with Sun ONE Directory Server commands, schema semantics, DIT, and the Sun ONE Identity Server schema and DIT structures. In addition, familiarity with XML and Sun ONE Identity Server installation procedure is required. For further information on Sun ONE Directory Server commands or concepts, refer to the Sun ONE Directory Server documentation suite located at http://docs.sun.com

For further information on the process or migrating data from the Sun ONE Identity Server 5.1 to Sun ONE Identity Server 6.1, refer to the Sun ONE Identity Server 6.1 Installation and Configuration Guide.

Backing Up Existing Installation

The Sun ONE Identity Server 5.1 product stores user and service configuration on an associated directory server. Use the directory server db2bak command to back up the Sun ONE Identity Server 5.1 data. This command is available in the slapd-HOSTNAME directory within the base directory of the directory server. For example, if the directory server was installed to the default install directory (/usr/ldap) on the server sesta, the base directory would be /usr/ldap/slapd-sesta. You must also back up the web container (web server or application server) configuration data.

  1. Create a backup of the database using the db2bak command and specify the backup directory in which to save the backup file. For example, to create a backup of the database on the server and store it in the /export/upgrade_bak/DS5.1bak/db2bakup/config directory, type the following:

    2. /DS_BASEDIR/slapd-HOSTNAME/db2bak /export/upgrade_bak/DS5.1bak/db2bakup

  2. Create a backup copy of the configuration for the directory server. For example, to copy the configuration and store it in the /export/upgrade_bak/DS5.1bak/config directory, type the following:

    3. cp -r /DS_BASEDIR/slapd-HOSTNAME/config/ /export/upgrade_bak/DS5.1bak/db2bakup

  3. Run the saveconfig command to save the Admin Server configuration.

    4. /DS_BASEDIR/slapd-HOSTNAME/saveconfig

    This saves the Admin Server configuration to aconfbak directory.

  4. Create a backup copy of the Admin Server configuration.

    5. cp -r /DS_BASEDIR/slapd-HOSTNAME/confbak /export/upgrade_bak/DS5.1bak

  5. Create backup copies of the web container data for you installation. For example, on a web server deployment, copy the data in each of the following directories:

    6. /BASEDIR/SUNWam/web-apps/applications
    /    BASEDIR/SUNWam/web-apps/services
    /    BASEDIR/SUNWam/servers/alias
    /    BASEDIR/SUNWam/config
    /    BASEDIR/SUNWam/lib
    /    BASEDIR/SUNWam/locale

    where BASEDIR is the directory in which Sun ONE Identity Server 5.1product was installed. For example, to backup the /BASEDIR/SUNWam/web-apps/applications directory to /export/upgrade_bak/WS6bak, type the following:

    cp -r /BASEDIR/SUNWam/web-apps/applications /export/upgrade_bak/WS6bak

    Note

    If SSL is not enabled, the /BASEDIR/SUNWam/servers/alias directory may not exist.

  6. Create backup copies of the logs, debug, and install files. Copy the data in each of the following directories:

    7. /var/opt/SUNWam/logs
    /var/opt/SUNWam/debug
    /var/opt/SUNWam/install

    For example, to backup the /var/opt/SUNWam/logs directory to /export/upgrade_bak/WS6bak/logs, type the following:

    cp -r /var/opt/SUNWam/logs /export/upgrade_bak/WS6bak/logs

  7. For application server deployments, create backup copies of the application server’s instance configuration directory. For example, to back up the default instance configuration directory on the Sun ONE Application Server (/var/opt/SUNWappserver7/domains/domain1/server1/config) to /export/upgrade_bak/s1as7_bak/var_bak, type the following:

    8. cp -r /var/opt/SUNWam/appserver7/domains/domain1/server1/config /export/upgrade_bak/s1as7_bak/var_bak

Removing Sun ONE Portal Server 6.0 Packages and Backing Up Templates

The Sun ONE Portal Server 6.2 software includes a script (preupgrade) that backups up any modified templates and removes all the Sun ONE Portal Server 6.0 packages. This script is located on the Sun Java™ Enterprise System media. For example, the Solaris SPARC version of this script is located in /orion/pointproducts/Solaris_sparc/Product/portal_svr/Tools directory.

  1. Log in to the machine and become superuser.

    2. You will need root access to uninstall the Sun ONE Portal Server.

  2. Change directories to where the preupgrade script is located. For example,

    3. cd /orion/pointproducts/Solaris_sparc/Product/portal_svr/Tools

  3. Type:

    4. ./preupgrade

    The script processes each Sun ONE Portal Server 6.0 installed package for user modifications, saves any modifications to /tmp/ps_backup, and then removes each Sun ONE Portal Server 6.0 package.

Upgrading the Web Container

Sun ONE Identity Server 6.1 and Sun ONE Portal Server 6.2 software can be deployed into a variety of web containers including the Sun™ ONE Web Server 6.1, the Sun™ ONE Application Server 7.0 Update 1, the IBM Websphere Application Server, and the BEA WebLogic Application Server; however, when upgrading your Sun ONE Portal Server 6.0 installation into a Sun ONE Portal Server 6.2 installation you must deploy it into the same brand of web container. The Sun ONE Web Server 6.1 software and the Sun ONE Application Server 7 update 1 software is included with the Sun Java™ Enterprise System product. If you are upgrading to one of these web containers, use the Sun Java™ Enterprise System installer program to install the software.

Upgrading to Sun ONE Web Server 6.1 Software

You can upgrade to the Sun ONE Web Server 6.1 software using the Sun Java™ Enterprise System installer program located on the Sun Java™ Enterprise System media. For example, the Solaris SPARC version of the installer is located in /orion/s9orion/orion1of2_sparc.s9_orion/latest/Solaris_sparc directory.

  1. If you have not already done so, log in to the machine and become superuser.

    2. You will need root access to install the Sun ONE Web Server.

  2. If you are not already working in the directory where you downloaded the product, use the cd command to change to that directory. For example,

    3. cd /orion/s9orion/orion1of2_sparc.s9_orion/latest/Solaris_sparc

  3. If you used the su command to become root on your system, use the xhost command to grant access to your display. For example, use the following command to grant access to all users:

    4. xhost +

  4. Type the following command to launch the installer:

    5. ./installer

  5. At the Welcome screen, click Next.
  6. Review the Software License Agreement and click Yes, Accept License to accept.
  7. Specify the appropriate language support for the system and click Next.
  8. On the Select Components tab, check the checkbox for the Sun ONE Web Server 6.1 component, uncheck all the other checkboxes, and click Next.
  9. Check the Upgrade existing J2SE SDK radio button and click OK.
  10. On the Shared Component Upgrades Required panel, review the list of shared components that must be upgraded and click Next.
  11. Verify the target installation directories and click Next.
  12. If the Checking System Requirements panel indicates that any patches are needed, cancel the install and add any required patches. Otherwise, click Next to continue.
  13. On the Configuration Type Panel, select Custom Configuration and click Next.
  14. A series of configuration panels will display. Verify the settings on each of these panels and accept the settings by clicking Next. Make sure to specify the same admin server port and web server port as they were there for Sun ONE Identity Server 5.1 web server as well as the same user/admin passwords.
  15. On the Ready to Install panel, click Next.
  16. On the Installation Complete panel, select the appropriate button to view the Summary or the Install Log and click Close.

Upgrading to Sun ONE Application Server 7.0 Update 1 Software

Before upgrading to the Sun ONE Application Server 7.0 Update 1 software, you must manually make copies of the application server data in the /etc/opt and /var/opt directories and perform the uninstall using the Sun ONE Application Server 7.0 uninstaller. Once that is completed, you can upgrade using the Sun Java™ Enterprise System installer program located on the Sun Java™ Enterprise System media. For example, the Solaris SPARC version of the installer is located in /orion/s9orion/orion1of2_sparc.s9_orion/latest/Solaris_sparc directory.

  1. Create backup copies of the existing application server data from the following directories:

    2. /etc/opt/SUNWappserver7
    /var/opt/SUNWappserver7

    For example, to backup the /etc/opt/SUNWappserver7 directory to /export/upgrade_bak/s1as7_bak/etc_bak, type the following command:

    cp -r /etc/opt/SUNWappserver7 /export/upgrade_bak/s1as7_bak/etc_bak

  2. Use the cd command to change directories to the directory containing the Sun ONE Application Server 7.0 uninstaller.

    3. cd /opt/SUNWappserver7

  3. Type the following command to launch the Sun ONE Application Server uninstaller:

    4. ./uninstall

    When the uninstall is complete, install the Sun ONE Application Server 7.0 Update 1 software.

  4. If you are not already working in the directory where you downloaded the Sun Java Enterprise System product, use the cd command to change to that directory. For example,

    5. cd /orion/s9orion/orion1of2_sparc.s9_orion/latest/Solaris_sparc

    Note

    Make sure that no appservd or imq processes are running.

  5. If you used the su command to become root on your system, use the xhost command to grant access to your display. For example, use the following command to grant access to all users:

    6. xhost +

  6. Type the following command to launch the installer:

    7. ./installer

  7. At the Welcome screen, click Next.
  8. Review the Software License Agreement and click Yes, Accept License to accept.
  9. Specify the appropriate language suppport for the system and click Next.
  10. On the Select Components tab, check the checkbox for the Sun ONE Application Server 7.0 component, uncheck all the other checkboxes, and click Next.
  11. On the Shared Component Upgrades Required panel, review the list of shared components that must be upgraded and click Next.
  12. Verify the target installation directories and click Next.
  13. If the Checking System Requirements panel indicates that any patches are needed, cancel the install and add any required patches. Otherwise, click Next to continue.
  14. On the Configuration Type Panel, select Minimal Configuration and click Next.
  15. A series of configuration panels will display. Verify the settings on each of these panels and accept the settings by clicking Next. Accept the default locations.
  16. On the Ready to Install panel, click Next.
  17. On the Installation Complete panel, select the appropriate button to view the Summary or the Install Log and click Close.
  18. When the installation completes, delete the content in the domains.bin and /etc/opt/SUNWappserver7 directory and /var/opt/SUNWappserver7/domains directory. For example, to delete the content in the /etc/opt/SUNWappserver7/domains.bin directory, type the following command:

    19. rm -r /etc/opt/SUNWappserver7domains.bin

  19. Copy back the backed up /etc/opt and /var/opt directories from Step 1.

    20. cp -r /export/upgrade_bak/s1as7_bak/etc_bak/* /
    etc/opt/SUNWappserver7/.
    cp -r /export/upgrade_bak/s1as7_bak/var_bak/* /
    var/opt/SUNWappserver7/.

  20. Verify that you can access the Sun ONE Application Server 7.0 administration console. For example, use the following URL to access the administration console:

    21. http://hostname:4848.

Uninstalling Sun ONE Identity Server 5.1 Components and Schema

Use the Sun ONE Identity Server 5.1 uninstallation program to remove Policy and Management service and schema components of Sun ONE Identity Server 5.1 product, but DO NOT remove Sun ONE Directory Server 5.1 product.

  1. Change directories to where the Sun ONE Identity Server 5.1 installation program is located. (The installation program is located in the idsame directory on the Sun ONE Portal Server CD or download image.)
  2. Type ksh aminstall
  3. Specify y to accept the license agreement.
  4. At the “What would you like to do?“prompt, select option 1, “Remove existing components, then continue installation”.
  5. At the “Please select one of the bundles to remove from ...” prompt, select option 1, “DSAME Management and Policy Services”.

    6. The program uninstalls the Sun ONE Identity Server 5.1 Policy and Management Services.

  6. At the “Please select one of the bundles to remove from ...”prompt, select option 3, ”iPlanet Directory Server Configuration for DSAME”.

    7. This will remove the Sun ONE Identity Server 5.1 schema configuration for the Directory Server.

  7. At the “Please select one of the bundles to remove from ...” prompt, select option 7 to exit the Sun ONE Identity Server installation program.
  8. Check for the SUNWamjdk package after the uninstallation is complete using the following command:

    9. pkginfo |grep SUNWamjdk

  9. If the SUNWamjdk package is present, remove it using the following command:

    10. pkgrm SUNWamjdk

  10. If you had Sun ONE Identity Server 5.1 SP2 installed on your system, enter the following:

    11. patchrm 113626-01

  11. For Sun ONE Application Server Enterprise Edition deployments, use the pkgrm command to remove the following additional packages:

    12. pkgrm SUNWamsas
    pkgrm SUNWamsac

  12. For IBM Websphere application server deployments, use the pkgrm command to remove the following additional packages:

    13. pkgrm SUNWamwss
    pkgrm SUNWamwsc

  13. For BEA WebLogic application server deployments, use the pkgrm command to remove the following additional packages:

    14. pkgrm SUNWamwls
    pkgrm SUNWamwlc

  14. For application server deployments, go to the application server console, apply the changes, and stop and restart the application server instance.

    15. Use the mechanism appropriate for your application server. For more information on installing into an application server deployment, refer to the Sun ONE Portal Server 6.2 Installation Guide or the documentation specific to your application server.

    Because the Sun ONE Identity Server has been removed but the Portal Server is still installed, exceptions will be logged. You can ignore these exceptions.

  15. On all deployments, stop and restart the Sun ONE Directory Server.

    16. /DS_BASEDIR/slapd-HOSTNAME/stop-slapd
    /DS_BASEDIR/slapd-HOSTNAME/start-slapd

Upgrading the Existing Directory Server Installation with the Sun ONE Identity Server 6.1 Schema

Use the ldapmodify command to upgrade the existing directory with the Sun ONE Identity Server 6.1 schema formats and data. There are two LDIF files with updated schema information (sunone_schema2.ldif and ds_remote_schema.ldif). These files are located on the Sun Java Enterprise System media. For example, the Solaris SPARC versions are located in /orion/pointproducts/Solaris_sparc/Product/portal_svr/Tools directory.

  1. Change directories to where the Sun ONE Identity Server 6.1 updated schema files are located.
  2. Use the ldapmodify command from the directory server install directory to load the sunone_schema2.ldif file to directory server.

    3. /DS_BASEDIR/shared/bin/ldapmodify -h HOSTNAME -p 389 -D “cn=Directory Manager” -w PASSWORD -c -f sunone_schema2.ldif

  3. Use the ldapmodify command from the directory server install directory to load the ds_remote_schema.ldif file to directory server.

    4. /DS_BASEDIR/shared/bin/ldapmodify -h HOSTNAME -p 389 -D “cn=Directory Manager” -w PASSWORD -c -f ds_remote_schema.ldif

Retaining the Top Level Entry of the Directory Information Tree (DIT)

Before installing Sun ONE Identity Server 6.1 software you will need to verify that the Directory Server 5.1 installation that existed with iPlanet Directory Server Access Management Edition 5.1 is set up to retain the existing DIT structure and ensure proper installation. To retain the Sun ONE Identity Server 5.1 DIT structure, the top level entry must have the iplanet-am-service-status attribute set. Depending on your installation, this attribute may or may not be set at the top level of your DIT. For example, in the default installation of the Sun ONE Portal Server 6.0 release, the DIT might have a hierarchical structure with o=isp at the top of the structure and an organization such as o=sesta.com beneath it, as is shown in Figure 12-1.

Figure 12-1  Hierarchical Directory Structure

This figure illustrates a hierarchical directory structure. See the text preceding the figure for details on the structure.

In this case, isp is not really an organization and as such does not have an iplanet-am-service-status attribute set. To retain the Sun ONE Identity Server 5.1 DIT structure, the top level entry, isp, must be updated before you install Sun ONE Identity Server 6.1. Use the ldapmodify command to load an LDIF file (top_entry.ldif)with the updated top level entry. This file is located on the Sun Java Enterprise System media. For example, the Solaris SPARC version is located in /orion/pointproducts/Solaris_sparc/Product/portal_svr/Tools directory. If the Sun ONE Identity Server 5.1 Directory Server has an organization (flat DIT) as top level entry, then this change is not necessary before installing Sun ONE Identity Server 6.1.

To update the top level entry of your DIT:

  1. Change directories to where the Sun ONE Identity Server 6.1 top_entry.ldif file is located.
  2. Use a text editor to edit the LDIF file and set the ROOT_SUFFIX variable to the top level entry per your DIT.
  3. Use the ldapmodify command from the directory server install directory to load the top_entry.ldif file to directory server.

    4. /DS_BASEDIR/shared/bin/ldapmodify -h HOSTNAME -p 389 -D “cn=Directory Manager” -w PASSWORD -c -f top_entry.ldif

  4. Load the entry and aci for amldapuser into directory server using the ldapmodify command. Use amldapuser.ldif and amldapuser-aci.ldif files.

    5. Note

    The password set in the amldapuser.ldif file is 111111111. You may want to change it according to your DIT but make sure that it is different from Admin password.

    1. Type:

      2. /usr/ldap/shared/bin/ldapmodify -h pikes -p 389 -D ’cn=directory manager’ -w iplanet3 -c -f /net/storage/export/images/orion/s9orion/orion1of2_sparc.s9_orion/latest/Solaris_sparc/portal_svr/Tools/amldapuser.ldif

    2. Type:

      3. /usr/ldap/shared/bin/ldapmodify -h pikes -p 389 -D ’cn=directory manager’ -w iplanet3 -c -f /net/storage/export/images/orion/s9orion/orion1of2_sparc.s9_orion/latest/Solaris_sparc/portal_svr/Tools/amldapuser-aci.
      ldif

Installing Sun ONE Identity Server 6.1 Components on the Existing Directory Server Installation

Install the Sun ONE Identity Server 6.1 software using the Sun Java™ Enterprise System installer program located on the Sun Java™ Enterprise System media. For example, the Solaris SPARC version of the installer is located in /orion/s9orion/orion1of2_sparc.s9_orion/latest/Solaris_sparc directory.

  1. If you have not already done so, log in to the machine and become superuser.

    2. You will need root access to install the Sun ONE Identity Server.

  2. If you are not already working in the directory where you downloaded the Sun Java Enterprise System product, use the cd command to change to that directory. For example,

    3. cd /orion/s9orion/orion1of2_sparc.s9_orion/latest/Solaris_sparc

  3. If you used the su command to become root on your system, use the xhost command to grant access to your display. For example, use the following command to grant access to all users:

    4. xhost +

  4. Type the following command to launch the installer:

    5. ./installer

  5. At the Welcome screen, click Next.
  6. Review the Software License Agreement and click Yes, Accept License to accept.
  7. Specify the appropriate lanquage suppport for the system and click Next.
  8. On the Select Components tab, check the checkbox for the Sun ONE Identity Server 6.1 component, uncheck all the other checkboxes, and click Next.
  9. A warning message displays indicating that the Sun ONE Identity Server requires the Sun ONE Directory Server be installed or that Sun ONE Identity Server be configured to access a remote Directory Server. Click Continue.
  10. Check the Upgrade existing J2SE SDK radio button and click OK.
  11. On the Shared Component Upgrades Required panel, review the list of shared components that must be upgraded. Accept the upgrading of the SUNWicu package and click Next.
  12. Verify the target installation directories and click Next.
  13. If the Checking System Requirements panel indicates that any patches are needed, cancel the install and add any required patches. Otherwise, click Next to continue.
  14. On the Configuration Type Panel, select Custom Configuration and click Next.
  15. A series of configuration panels will display depending on the type of Web Container you chose to upgrade to. Verify the settings on each of these panels and accept the settings by clicking Next. Unselect Sun ONE Directory Server 5.2 and Administration Server 5.2 and Root in Directory Server as o=isp and the amldapuser password is 111111111 (or the password used in Step 4 of Retaining the Top Level Entry of the Directory Information Tree (DIT).

    16. The following entries specified should match the values that were set for the original Sun ONE Identity Server 5.1 installation:

    directory root suffix
    directory manager password
    admin user
    admin password
    directory server host
    directory server port
    console deployment descriptor
    services deployment descriptor

    Refer to the AMConfig.properties file from the Sun ONE Identity Server 5.1 installation backup for any values of which you are not sure.

  16. On the Identity Server (1 of 6) panel,
    1. Verify the settings for the Administrator User ID, Administrator Password, LDAP User ID.
    2. Enter the Identity Server Internal LDAP Authentication User Password and retype password to confirm.
    3. Enter the Password Encryption Key value:

      4. KmhUnWR1MYWDYW4xuqdF5nbm+CXIyOVt

    4. Click Next to continue.
  17. On the Identity Server (2 of 6) panel, select the appropriate Web Container for your implementation and click Next.
  18. On the Identity Server (3 of 6) panel, verify the settings for the Web Container and click Next.
  19. On the Identity Server (4 of 6) panel, verify the configuration settings and click Next.
  20. On the Identity Server (5 of 6) panel,
    1. Verify the Directory Server Host, the Identity Server Directory Root Suffix, and the Directory Manager DN. Directory Server Port: 389
    2. Enter 389 as the Directory Server Port and enter the correct Directory Manager Password.
    3. Click Next to continue.
  21. On the Identity Server (6 of 6) panel, at the “Is Directory Server provisioned with user data?” query specify Yes.
  22. Verify the Organization Marker Object Class, the Organization Naming Attribute, the User Marker Object Class, and the User Naming Attribute and click Next.
  23. Click No in response to the following Info message:

    24. This Directory Server does not have Identity Server 6.1 DIT. Do you want the installation program to load the DIT into your Directory Server?

  24. On the Ready to Install panel, click Next.
  25. On the Installation Complete panel, select the appropriate button to view the Summary or the Install Log and click Close.
  26. For application server deployments, go to the application server console, apply the changes, and stop and restart the application server instance.

    27. Use the mechanism appropriate for your application server. For more information on installing into an application server deployment, refer to the Sun ONE Portal Server 6.2 Installation Guide or the documentation specific to your application server.

Migrating Sun ONE Identity Server 5.1 Services, Policies, Authentication Entries, and Top Level Organization Data

Once Sun ONE Identity Server 6.1 is installed and the Sun ONE Directory Server schema is updated, the directory server data must be modified to Sun ONE Identity Server 6.1 format. In Sun ONE Identity Server 6.1, policy, authentication and console components have changed significantly from Sun ONE Identity Server 5.1 release and hence need to be migrated.

All the migration scripts needed for this are located on the Sun Java Enterprise System media. For example, the Solaris SPARC version is located in /orion/pointproducts/Solaris_sparc/Product/portal_svr/Tools directory. The scripts contain additional information, which you must read before running the scripts. It will help you set some variables in each script or check the values of the variables.

  1. Set the LD_LIBRARY_PATH environment variable to /usr/iplanet/servers/lib/. For example,

    2. setenv LD_LIBRARY_PATH=/usr/iplanet/servers/lib/

  2. In each of the migration scripts, verify or specify that the path to the LDAP_SEARCH variable points to /usr/iplanet/servers/shared/bin/ldapsearch or a value appropriate for your deployment.
  3. Run the /orion/pointproducts/Solaris_sparc/Product/portal_svr/Tools/
    update-schema.pl     script to migrate the schema data. At the following script prompts, verify or specify the appropriate values and press Enter:

    4. Enter Host name [DIRECTORY_SERVER]:<hostname>
    Enter Bind User name [cn=directory manager]:
    Enter Bind password:<password>
    Enter port number [389]:
    Enter root suffix [o=sun.com]:o=isp

    This script generates an output file, 60entries.ldif.

  4. Set the LD_LIBRARY_PATH environment variable to /usr/ldap/lib:$LD_LIBRARY_PATH. For example,

    5. setenv LD_LIBRARY_PATH /usr/ldap/lib:$LD_LIBRARY_PATH

  5. Run the ldapmodify command on the output file generated in Step 3 to update the schema. For example, type

    6. /DS_BASEDIR/shared/bin/ldapmodify -h HOSTNAME -p 389 -D “cn=Directory Manager” -w PASSWORD -c -f 60entries.ldif

  6. Run the /orion/pointproducts/Solaris_sparc/Product/portal_svr/Tools/
    update-policies.pl     script to migrate the policy data. At the update-policies.pl script prompts, verify or specify the appropriate values and press Enter.

    7. This script creates an xml file for each organization containing policies. For example, if the organization is o=sesta.com,o=sales, then the script creates a file named o=sesta.com-o=sales.xml.These files will be used later.

  7. Run the /orion/pointproducts/Solaris_sparc/Product/portal_svr/Tools/
    update-auth.pl     script to migrate the authentication data. At the update-auth.pl script prompts, verify or specify the appropriate values and press Enter. In addition to the standard prompts listed in Step 3, the following prompt also displays.

    8. In IS 6.x a new attribute iplanet-am-auth-cert-gw-cert-auth-enabled is added to the iPlanetAMAuthCertService. Please find the value of an attribute com.iplanet.authentication.modules.cert.gwAuthEnable in your IS 5.1 AMConfig.properties and enter it here. (enter no if the attribute is not there) [no]:

    The script generates an input file, 51auth-entries.dn, and an output file, 51to60auth-entries.ldif. These files will be used later.

    Tip

    This script will only migrate the Sun ONE Identity Server provided authentication modules. Any customized authentication modules must implement the Authentication Service Provider Interface (SPI) (which provides the authentication framework) and need to be rewritten using com.sun.identity.authentication.spi.AMLoginModule class. In addition, you must also do the following:

    • Create or update the XML service file for the authentication module. For example, amAuthLDAP.xml defines the LDAP service parameters. If this file existed in Sun ONE Identity Server 5.1 implementation, it is migrated automatically by the Sun ONE Identity Server 6.1 migration script.
    • Create or update the authentication module configuration file. This file specifies the authentication module credentials by the defining the user authentication screens. In Sun ONE Identity Server 5.1, this file was a .properties file (for example, LDAP.properties). In Sun ONE Identity Server 6.1, this file is a .xml file (for example, LDAP.xml).
    • Create or update the localization properties file. For example, amAuthLDAP.properties defines the LDAP properties.
    • Update the iplanet-am-authenticators authentication attribute in the amAuth.xml file by adding a value that specifies the fully qualified class name of the custom authentication module. This can be done by manually editing the attribute in the amAuth.xml file and then importing the file.

    Refer to Appendix F, "Authentication Framework Changes Between Sun ONE Portal Server 6.0 and Sun ONE Portal Server 6.2" for details on the changes to the authentication framework service that you need to know for migration purposes. For detailed information on writing and implementing custom authentication modules, refer to the Sun ONE Identity Server 6.1 Programmer’s Guide.

Note

The authentication menu attribute provided by Sun ONE Identity Server 5.1 admin console is not supported in Sun ONE Identity Server 6.1 release. If you need to configure a selectable list of valid authentication modules, use the admin console to set each authentication module with the same level in the authentication level attribute. Users can access a page with all the authentication modules for a specific authentication level by specifying the authlevel in the login URL. For example, a user performs a login with the following syntax:

http://HOSTNAME:PORT/DEPLOY_URI/UI/Login?authlevel=N

Refer to the Sun ONE Portal Server 6.2 Administrator’s Guide for information on configuring authentication modules.

  1. Run the /orion/pointproducts/Solaris_sparc/Product/portal_svr/Tools/
    update-toporg-services.pl     script to migrate the top level organization data. At the update-toporg-services.pl script prompts, verify or specify the appropriate values and press Enter.

    2. This script generates an input file, 51toporg-template.dn and an output file, 51to60toporg-template.ldif.

  2. Use Directory Server console to remove the following Sun ONE Identity Server 5.1 services:

    Note

    If you added other services to Sun ONE Identity Server, don’t remove them. If you have not added any additional services, you can remove the entire services branch under the top level entry.

    • iPlanetAMAdminConsoleService
    • iPlanetAMAuthService
    • iPlanetAMAuthAnonymousService
    • iPlanetAMAuthCertService
    • iPlanetAMAuthLDAPService
    • iPlanetAMAuthMembershipService
    • iPlanetAMAuthNTService
    • iPlanetAMAuthRadiusService
    • iPlanetAMAuthSafewordService
    • iPlanetAMAuthUnixService
    • iPlanetAMClientDetectionService
    • iPlanetAMDomainURLAccessService
    • iPlanetAMEntrySpecificService
    • iPlanetAMLoggingService
    • iPlanetAMNamingService
    • iPlanetAMPlatformService
    • iPlanetAMPolicyService
    • iPlanetAMSessionService
    • iPlanetAMUserService
    • iPlanetAMWebAgentService
    • DAI
  3. Use Directory Server console to remove the Sun ONE Identity Server 5.1 user’s default login URL attribute (iplanet-am-user-default-url) from your user entries as this attribute is no longer available in Sun ONE Identity Server 6.1.

    Note

    If you do not remove the iplanet-am-user-default-url attribute, you will get object class violation errors.

  4. In the /orion/pointproducts/Solaris_sparc/Product/portal_svr/Tools/
    load-services.pl     script, verify or specify that the path to the $PROD_DIR variable points to SUNWam.
  5. Run the /orion/pointproducts/Solaris_sparc/Product/portal_svr/Tools/
    load-services.pl     script to load the services data. At the load-services.pl script prompts, verify or specify the appropriate values and press Enter
  6. Run the ldapmodify command on the output file generated in Step 7 to update the authentication data. For example, type

    7. /DS_BASEDIR/shared/bin/ldapmodify -h HOSTNAME -p 389 -D “cn=Directory Manager” -w PASSWORD -a -c -f 51to61auth-entries.ldif

  7. Run the /orion/pointproducts/Solaris_sparc/Product/portal_svr/Tools/
    update-services.pl     script to update the services data. At the update-services.pl script prompts, verify or specify the appropriate values and press Enter.

    8. This script generates an an output file, 60services.ldif.

  8. Run the ldapmodify command on the output file generated in Step 14 to update the services data. For example, type

    9. /DS_BASEDIR/shared/bin/ldapmodify -h HOSTNAME -p 389 -D “cn=Directory Manager” -w PASSWORD -c -f 60services.ldif

  9. Replace the ROOT_SUFFIX in the liberty_services.ldif file.

    10. Sun ONE Identity Server 6.1 supports Liberty Alliance Federation Management. This file registers two services (iPlanetAMAuthenticationDomainConfigService and iPlanetAMProviderConfigService) to support the Sun ONE Identity Server 6.1 Liberty Alliance Federation Management.

  10. Run the ldapmodify command to the liberty_services.ldif file from Step 16 to update the Liberty Services data in the schema. For example, type

    11. /DS_BASEDIR/shared/bin/ldapmodify -h HOSTNAME -p 389 -D “cn=Directory Manager” -w PASSWORD - a -c -f liberty_services.ldif

  11. Run the /orion/pointproducts/Solaris_sparc/Product/portal_svr/Tools/
    delete-policies.pl     script to generate the policies data to delete. At the delete-policies.pl script prompts, verify or specify the appropriate values and press Enter.

    12. This script generates an an output file, delete-policies.ldif.

  12. Run the ldapdelete command on the output file generated in Step 18 to delete the policies data. For example, type

    13. /DS_BASEDIR/shared/bin/ldapdelete -h HOSTNAME -p 389 -D “cn=Directory Manager” -w PASSWORD -f delete-policies.ldif

  13. Manually set the amAdmin distinguished names in AMConfig.properties file. For example

    14. com.sun.identity.authentication.super.user=uid=amAdmin,ou=
    People,o=iplanet.com,o=isp

  14. Run the /orion/pointproducts/Solaris_sparc/Product/portal_svr/Tools/
    scripts/UpgradeDIT     script to generate the policies data to delete. At the script prompts, verify or specify the appropriate values and press Enter.

    15. You will need to provide the directory manager and amAdmin passwords. Refer to the AMConfig.properties file from the Sun ONE Identity Server 5.1 installation.

  15. Replace the ROOT_SUFFIX in the auth_entries.ldif file.
  16. Run the ldapmodify command to the auth_entries.ldif file from Step 22 to update the Liberty Services data in the schema. For example, type

    17. /DS_BASEDIR/shared/bin/ldapmodify -h HOSTNAME -p 389 -D “cn=Directory Manager” -w PASSWORD - a -c -f auth_entries.ldif

  17. Stop and restart the Sun ONE Directory Server.

    18. /DS_BASEDIR/slapd-HOSTNAME/stop-slapd
    /DS_BASEDIR/slapd-HOSTNAME/start-slapd

  18. Stop and start the web container. For example, on a Sun ONE Web Server, type the following commands to change directories to the web server script location and run the start and stop scripts:

    19. cd /opt/SUNWwbsvr/https-HOSTNAME
    ./stop
    ./start

    For servers deployed on an application server, use the mechanism appropriate for your application server.

  19. Log into the Sun ONE Identity Server 6.1 administration console.

    Note

    If the error “Internal Authentication Error” displays, manually set the login.configuration.provider line in the JDR_DIR/jre/lib/security/java.security file as follows:

    login.configuration.provider=com.sun.identity.
    authentication.config.AMConfiguration

    Restart the web container.

  20. From the administration console, enable the user management service.
    1. Navigate to the top-level organization for your implementation.

      2. By default, Identity is selected in the location pane and Organizations is selected in the Navigation pane.

    2. Select the Service Configuration tab.
    3. Click the properties arrow icon next to Administration, check Enable User Management, and click Save.
  21. Create referral policies at the top-level organization for your implementation and add rules for each service.
    1. From the administration console, navigate to the top-level organization for your implementation.
    2. Select Policies from the View menu in the navigation pane.
    3. Click Create New.
    4. For Type of Policy, select Referral.
    5. For Name, type either SubOrgReferral_organization or PeerOrgReferral_organization where organization is the name of the organization for the referral and click Create.
    6. Click Rules from the View menu data pane, select the rules for the policy and click Save.
    7. Click Referrals from the View menu data pane and click Add.
    8. Verify that the name of the peer or suborganization is selected for Value and click Create.
    9. Click Save in the data pane to save the referral policy.
  22. Register and create templates for the Policy Configuration service at the top-level organization for your implementation.
    1. From the administration console, navigate to the top-level organization for your implementation.
    2. Select the Services from the View menu.
    3. Click Register.
    4. Check Policy Configuration checkbox and then click Register.
    5. Click the properties arrow icon next to the Policy Configuration service and click Create.
    6. Enter the password for the user amldapuser and click Save.
  23. Run the amadmin command for each of the output files generated in Step 6 to update the policies data. For example, if the output file was named o=sesta.com-o=sales.xml,type

    24. /BASEDIR/SUNWam/bin/amadmin -u “uid=amAdmin,ou=People,o=sesta.com,o=isp” -w PASSWORD -t o=sesta.com-o=sales.xml

  24. From the administration console, check the users listed for each organization to verify that all the users have been migrated.

This completes the basic migration. For additional information on migrating iPlanet Directory Server Access Management Edition 5.1 data to Sun ONE Identity Server 6.1 formats, refer to Appendix A of the Sun ONE Identity Server 6.1 Installation and Configuration Guide.



Previous      Contents      Index      Next     

Copyright 2004 Sun Microsystems, Inc. All rights reserved.