Sun Java System Portal Server 6 2005Q1 Administration Guide
Chapter 18
Managing the Portal Server System
This chapter describes the various administrative tasks associated with maintaining the Sun Java System Portal Server system.
This chapter contains these sections:
Configuring Secure Sockets Layer (SSL)
You can configure Secure Sockets Layer (SSL) with Portal Server and associated components in the following ways:
- Sun Java System Directory Server—You can configure SSL for the Sun Java System Directory Server and use a secure connection between Sun Java System Access Manager and the Portal Server. See Chapter 6, “Basic Configurations” in the Sun Java System Access Manager Installation and Configuration Guide at the following URL for information on enabling SSL on the directory server:
To Configure SSL with Portal Server
Use this procedure if you chose to run SSL on your machine during the Portal Server installation.
- Create a trust database for the web server on which you installed Portal Server.
See Chapter 5, “Creating a Trust Database” in the Sun Java System Web Server 6 2004Q2, Enterprise Edition Administration Guide at the following URL for more information:
http://docs.sun.com/source/816-5682-10/index.htm
- Request a certificate for the web server on which you installed Portal Server software and install the certificate on the web server instance.
See Chapter 5, “Requesting and Installing a VeriSign Certificate” or “Requesting and Installing Other Server Certificates” in the Sun Java System Web Server 6 2004Q2, Enterprise Edition Administration Guide for more information.
- Turn on encryption for the Portal Server web server instance.
In the web server administration console, select the Preferences tab, select Add Listen Socket, then select Edit Listen Socket and turn on security.
See Chapter 5, “Turning Security On,” in the Sun Java System Web Server 6 2004Q2, Enterprise Edition Administration Guide for more information.
- Click Apply and Apply Changes in the web server administration console.
- Restart the web container.
See your web container documentation for instructions on starting the web container.
- The system prompts you for the password to get to the certificate database.
- Verify that you can now log on to the Portal Server portal using SSL:
To Modify an Existing Portal Server Installation to Use SSL
Use this procedure if you answered n when asked “Do you want to run SSL on hostname?” during the Portal Server installation. See the Sun Java System Portal Server 6 2004Q2 Installation Guide for more information.
- Log in to the Sun Java System Access Manager admin console as administrator.
By default, Identity Management is selected in the location pane and All created organizations are displayed in the navigation pane.
- Choose Service Configuration in the location pane.
- Click the properties arrow next to Platform.
The Platform attributes appear in the data pane.
- In the server list, change http to https.
- Click Save to save your changes.
- Install the certificate on the web server.
See Step 1 through Step 4 in To Configure SSL with Portal Server for details.
- Copy the server.xml and magnus.conf files from the /AccessManager-base/SUNWam/servers/https-hostname-domain/conf_bk directory to the /AccessManager-base/SUNWam/servers/https-hostname-domain/config directory.
- Add the following line to the /AccessManager-base/SUNWam/lib/AMConfig.properties file if the root CA is not installed for your certificate.
com.sun.am.jssproxy.trustAllServerCerts=true
This option tells JSS to trust all server certificates, including yours, instead of validating them against an installed root CA.
- In the /AccessManager-base/SUNWam/lib/AMConfig.properties file, change http to https for the following:
com.sun.am.server.protocol
com.sun.am.naming.url
com.sun.am.notification.url
com.sun.am.session.server.protocol
com.sun.services.cdsso.CDCURL
com.sun.services.cdc.authLoginUrl
- Restart the web container.
- The system prompts you for the password to get to the certificate database.
See Chapter 11, “Managing SSL” in the Sun Java System Directory Server Administration Guide for more information.
To Configure a Portal Server Instance to Use SSL
- Log in to the Sun Java System Access Manager admin console as administrator.
By default, Identity Management is selected in the location pane and All created organizations are displayed in the navigation pane.
- Choose Service Configuration in the location pane.
- Click the properties arrow next to Platform.
The Platform attributes appear in the data pane.
- In the server list, change http to https.
- Click Save to save your changes.
- Install the certificate on the web server.
See Step 1 through Step 4 in To Configure SSL with Portal Server for details.
- If this server is part of a multi-instance installation, copy the server.xml and magnus.conf files from the /AccessManager-base/SUNWam/servers/https-instance_nickname/conf_bk directory to the /AccessManager-base/SUNWam/servers/https-instance_nickname/config directory.
- Add the following line to the /AccessManager-base/SUNWam/lib/AMConfig-instance_nickname.properties file if the root CA is not installed for your certificate.
com.sun.am.jssproxy.trustAllServerCerts=true
This option tells JSS to trust all server certificates, including yours, instead of validating them against an installed root CA.
- In the /AccessManager-base/SUNWam/lib/AMConfig-instance_nickname.properties file, change http to https for the following:
com.sun.am.server.protocol
com.sun.am.naming.url
com.sun.am.notification.url
com.sun.am.session.server.protocol
com.sun.services.cdsso.CDCURL
com.sun.services.cdc.authLoginUrl
- Restart the web container.
- The system prompts you for the password to get to the certificate database.
See Chapter 11, “Managing SSL” in the Sun Java System Directory Server Administration Guide for more information.
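As an added example that is not part of the guide, the following POSIX shell functions apply the http-to-https change to the six properties listed in the two procedures above (AMConfig.properties and AMConfig-instance_nickname.properties) and report whether com.sun.am.jssproxy.trustAllServerCerts=true is still present. The AMConfig fragment they operate on is a constructed sample; its host, port, URL paths and the example.unlisted.url key are placeholders, not Access Manager defaults.

```shell
#!/bin/sh
# Added example, not from the guide: switch the six AMConfig properties named
# above from http to https and flag the trustAllServerCerts override.
# The six property keys the procedures tell you to change.
PROTO_KEYS="com.sun.am.server.protocol com.sun.am.naming.url \
com.sun.am.notification.url com.sun.am.session.server.protocol \
com.sun.services.cdsso.CDCURL com.sun.services.cdc.authLoginUrl"
# Escape the dots in a key so it matches literally in a sed/grep BRE.
bre_escape() { printf '%s' "$1" | sed 's/\./\\./g'; }

# Rewrite only the listed keys in place: a bare "http" value becomes "https",
# an "http://" URL becomes "https://". Unlisted keys are left untouched.
switch_to_https() {
    for key in $PROTO_KEYS; do
        esc=$(bre_escape "$key")
        sed "s|^\($esc=\)http\$|\1https|; s|^\($esc=\)http://|\1https://|" "$1" \
            > "$1.tmp" && mv "$1.tmp" "$1"
    done
}

# Print how many listed keys still carry a plain-http value.
count_plain_http() {
    n=0
    for key in $PROTO_KEYS; do
        esc=$(bre_escape "$key")
        grep -q -e "^$esc=http\$" -e "^$esc=http://" "$1" && n=$((n + 1))
    done
    echo "$n"
}

# Succeed (exit 0) if the trust-all-server-certificates override is still set;
# it should be removed once the root CA is installed.
trust_all_enabled() {
    grep -q '^com\.sun\.am\.jssproxy\.trustAllServerCerts=true' "$1"
}

# Constructed AMConfig fragment; host, port, paths and example.unlisted.url are placeholders.
make_sample() {
    cat > "$1" <<'EOF'
com.sun.am.server.protocol=http
com.sun.am.naming.url=http://portal.example.com:80/naming
com.sun.am.notification.url=http://portal.example.com:80/notification
com.sun.am.session.server.protocol=http
com.sun.services.cdsso.CDCURL=http://portal.example.com:80/cdc
com.sun.services.cdc.authLoginUrl=http://portal.example.com:80/login
com.sun.am.jssproxy.trustAllServerCerts=true
example.unlisted.url=http://portal.example.com:80/left-alone
EOF
}
```

Point switch_to_https at a copy of the properties file you are editing, then use count_plain_http and trust_all_enabled as the post-change check before restarting the web container.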
Backing Up and Restoring Portal Server Configuration
The Portal Server user and service configuration is stored on the directory server in an LDAP Directory Information Tree (DIT). This allows you to back up and restore configuration information via a Lightweight Directory Interchange Format (LDIF) file.
To Back Up a Portal Server Configuration
To back up Portal Server configuration information, use the db2ldif command. This command is available in the slapd-hostname directory within the base directory of the directory server. For example, if the directory server was installed to the default install directory (/usr/ldap) on the server sesta, the base directory would be /usr/ldap/slapd-sesta.
- Change directories to the directory server base directory containing the db2ldif command.
cd DirectoryServer-base/slapd-HOSTNAME
- Save the configuration to an LDIF file using the db2ldif command with the -s option specifying the top level of the DIT for Portal Server. For example, to save a configuration in which the top level of the DIT is isp, type the following:
./db2ldif -s "o=isp"
The data are saved to an LDIF file. The command saves the file to the current directory. The following format is used to name the file:
YYYY_MM_DD_HHMMSS.ldif
After the file is saved, the following example output displays:
[16/May/2002:14:11:25 -0700] - Backend Instance: userRoot
ldiffile: /usr/ldap/slapd-sesta/ldif/2002_05_16_141122.ldif
[16/May/2002:14:11:28 -0700] - export userRoot: Processed 178 entries (100%).
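As an added example that is not part of the guide, the following POSIX shell functions read db2ldif output in the format shown above, locate the LDIF file named on the ldiffile: line and confirm that the number of entries in the file matches the count db2ldif reported, so a truncated or altered backup is caught before it is needed. The db2ldif output and LDIF they work on are constructed samples; o=isp, userRoot and the file name follow the page's example.

```shell
#!/bin/sh
# Added example, not from the guide: verify a db2ldif backup by comparing the
# entry count it reported with the entries actually present in the LDIF file.
# The db2ldif output and LDIF below are constructed samples in the format shown above.

# Print the LDIF path reported on the "ldiffile:" line of the db2ldif output.
ldif_path_from_output() {
    sed -n 's/^ldiffile: *//p' "$1" | head -n 1
}
# Print the entry count from the "export <backend>: Processed N entries" line.
exported_count_from_output() {
    sed -n 's/.*export [^:]*: Processed \([0-9][0-9]*\) entries.*/\1/p' "$1" | head -n 1
}
# Count entries in an LDIF file: every entry begins with a "dn:" line.
ldif_entry_count() {
    grep -c '^dn:' "$1"
}

# Succeed (exit 0) only if the LDIF exists, is readable, and its entry count
# equals what db2ldif reported; a truncated or tampered file fails the check.
verify_backup() {
    ldif=$(ldif_path_from_output "$1")
    [ -n "$ldif" ] && [ -r "$ldif" ] || return 1
    [ "$(ldif_entry_count "$ldif")" = "$(exported_count_from_output "$1")" ]
}

# Write a constructed three-entry LDIF under o=isp and the matching db2ldif
# output into the directory given as $1.
make_samples() {
    mkdir -p "$1/ldif"
    cat > "$1/ldif/2002_05_16_141122.ldif" <<'EOF'
dn: o=isp
objectClass: organization
o: isp

dn: ou=People,o=isp
objectClass: organizationalUnit
ou: People

dn: ou=Groups,o=isp
objectClass: organizationalUnit
ou: Groups
EOF
    cat > "$1/db2ldif.out" <<EOF
[16/May/2002:14:11:25 -0700] - Backend Instance: userRoot
ldiffile: $1/ldif/2002_05_16_141122.ldif
[16/May/2002:14:11:28 -0700] - export userRoot: Processed 3 entries (100%).
EOF
}
```

Against a real backup, capture the db2ldif output to a file and pass that file to verify_backup instead of the constructed db2ldif.out.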
To Restore a Portal Server Configuration
You can restore Portal Server configuration information that you backed up with the db2ldif command by using the ldif2db command. This command is available in the slapd-hostname directory within the base directory of the directory server. For example, if the directory server was installed to the default install directory (/usr/ldap) on the server sesta, the base directory would be /usr/ldap/slapd-sesta.
- Change directories to the Directory Server base directory containing the ldif2db command by entering:
cd DirectoryServer-base/slapd-HOSTNAME
- Stop the directory server by entering:
./stop-slapd
- Restore the configuration from the LDIF file to the directory server using the ldif2db command with the -s option specifying the top level of the DIT for Portal Server and the -i option specifying the file name. For example, to restore the LDIF file saved in the previous procedure to the top level of the DIT of isp, type the following:
./ldif2db -s "o=isp" -i /usr/ldap/slapd-sesta/ldif/2002_05_16_141122.ldif
After the configuration is restored, the following example output displays:
importing data ...
[16/May/2002:16:37:02 -0700] - Backend Instance: userRoot
[16/May/2002:16:37:03 -0700] - import userRoot: Index buffering enabled with bucket size 13
[16/May/2002:16:37:03 -0700] - import userRoot: Beginning import job...
[16/May/2002:16:37:03 -0700] - import userRoot: Processing file "/usr/ldap/slapd-sesta/ldif/2002_05_16_141122.ldif"
[16/May/2002:16:37:04 -0700] - import userRoot: Finished scanning file "/usr/ldap/slapd-sesta/ldif/2002_05_16_141122.ldif" (178 entries)
[16/May/2002:16:37:05 -0700] - import userRoot: Workers finished; cleaning up...
[16/May/2002:16:37:08 -0700] - import userRoot: Workers cleaned up.
[16/May/2002:16:37:08 -0700] - import userRoot: Cleaning up producer thread...
[16/May/2002:16:37:08 -0700] - import userRoot: Indexing complete. Post-processing...
[16/May/2002:16:37:08 -0700] - import userRoot: Flushing caches...
[16/May/2002:16:37:08 -0700] - import userRoot: Closing files...
[16/May/2002:16:37:09 -0700] - import userRoot: Import complete. Processed 178 entries in 6 seconds. (29.67 entries/sec)
- Restart the directory server by entering:
./start-slapd
Changing Portal Server Network Settings
To physically move a server running Portal Server software from one network to another, you need only change the mapping of the fully qualified domain name to the IP address in the /etc/hosts file. There are no other hardcoded addresses that need to be changed.
Managing a Multiple UI Node Installation
When you install Portal Server software onto multiple UI nodes, you need to make a configuration change to the Platform attributes in the Sun Java System Access Manager administration console. You edit the Server List attribute to include the URLs for each UI node.
The Sun Java System Access Manager naming service reads the Server List attribute at initialization time. This list contains the Sun Java System Access Manager session servers in a single Sun Java System Access Manager configuration. For example, if two Sun Java System Access Manager servers are installed and should work as one, they must both be included in this list. If the host specified in a request for a service URL is not in this list, the naming service will reject the request. The first value in the list specifies the host name and port of the server specified during installation. Additional servers can be added using the format protocol://server:port.
To Add Additional Portal Servers to the Server List
- Log in to the Sun Java System Access Manager admin console as administrator.
By default, Identity Management is selected in the location pane and All created organizations are displayed in the navigation pane.
- Choose Service Configuration in the location pane.
The global services appear in the navigation pane.
- Click the properties arrow next to Platform.
The Platform attributes appear in the data pane.
- Edit the Server List attribute.
For each server functioning as a UI node, type the server URL, for example, http://host1.sesta.com:80 and then click the Add button. The URL then appears in the Server List.
- Click Save.
- Restart the web container.
Configuring a Portal Server Instance to Use an HTTP Proxy
If the Portal Server software is installed on a host that cannot directly access certain portions of the Internet or your intranet, you might want to configure the instance to use an HTTP proxy.
The Portal Server is configured to use an HTTP proxy by setting the http.proxyHost and http.proxyPort Java Virtual Machine (JVM) system properties in the web container that is running the Portal Server web application. The method for setting JVM system properties varies from one web container to another. The procedure described in this section is specifically for configuring the Sun Java System Web Server instance to use an HTTP proxy.
- Change directories to the Web Server base directory containing the configuration for the instance by entering:
cd /WebServer-base/SUNWam/servers/https-hostname-domain/config
- Edit the server.xml file within this directory and add the following lines:
<JVMOPTIONS>-Dhttp.proxyHost=proxy_host</JVMOPTIONS>
<JVMOPTIONS>-Dhttp.proxyPort=proxy_port</JVMOPTIONS>
where proxy_host is the fully-qualified domain name of the proxy host and proxy_port is the port on which the proxy is run.
Managing Portal Server Logs
You can configure Portal Server logging to log information to a flat file or to a database. When logging to a database, the JDBC protocol is used.
To Configure Logging to a File
- Log in to the Sun Java System Access Manager admin console as administrator.
By default, Identity Management is selected in the location pane and All created organizations are displayed in the navigation pane.
- Choose Service Configuration in the location pane.
The global services appear in the navigation pane.
- Click the properties arrow next to Logging.
The Logging attributes appear in the data pane.
- Select File as the Logging Type attribute.
- Specify the directory path for the log files in the Log Location attribute.
- Specify the maximum file size in bytes for the log file in the Max Log Size attribute.
- Specify the number of backup logs in the Number of History Files attribute.
- Click Save.
To Configure Logging to a Database
- Log in to the Sun Java System Access Manager admin console as administrator.
By default, Identity Management is selected in the location pane and All created organizations are displayed in the navigation pane.
- Choose Service Configuration in the location pane.
The global services appear in the navigation pane.
- Click the properties arrow next to the Logging service in the navigation pane.
The Logging attributes appear in the data pane.
- Select DB as the Logging Type attribute.
- Specify a user name and password with which to connect to the database in the Database User Name and Database User Password attributes.
- Specify the driver to use for logging in the Database Driver Name attribute.
- Click Save.
Debugging Portal Server
This section describes how to set the debug level to help you troubleshoot various Portal Server components.
To Set the Debug Level for Sun Java System Access Manager
The debug level allows you to define the types of messages sent to the debug log. The following levels are supported:
By default, debug messages are sent to log files in the /var/opt/SUNWam/debug directory.
To set the debug level: