Sun ONE Directory Proxy Server Administrator's Guide



Chapter 3   Introducing Directory Proxy Server Consoles

After installing Sun ONE Directory Proxy Server, you first configure it to function with your directory deployment, and from then on you closely monitor its activities. In administering Directory Proxy Server, you perform server-specific tasks such as starting, stopping, and restarting the server; creating groups; setting up the server to identify certain events and execute appropriate actions; changing configuration; performing any routine server maintenance tasks; and monitoring logs.

To enable you to accomplish these server-specific tasks quickly and easily, Directory Proxy Server provides GUI-based administration tools, called the Directory Proxy Server Server Console and Directory Proxy Server Configuration Editor Console, both of which are accessible from within the Console. This chapter provides an overview of both Sun ONE and Directory Proxy Server consoles.

The chapter has the following sections:

· Getting Started with Sun ONE Console

· Accessing the Directory Proxy Server Consoles



Note

You can use the Sun ONE Console for managing various network resources. However, this chapter's focus is on using the Sun ONE Console for Directory Proxy Server administration only. For complete information about the Sun ONE Console, see Managing Servers with Sun ONE Console, which is included with the Directory Proxy Server documentation. You can also get a copy of this book from this site: http://docs.sun.com/



Getting Started with Sun ONE Console

The Sun ONE Console is a stand-alone Java application that provides a GUI-based front end to all network resources registered in an organization's configuration directory. This unified administration interface simplifies network administration by supplying access points to all Sun ONE version 5.x server instances installed across a network. Similarly, it simplifies basic user and group management by providing a unified administration interface to the user directory.

Figure 3-1 shows the "Servers and Applications" tab of the Sun ONE Console with a Directory Proxy Server instance selected.

Figure 3-1    Sun ONE Console: Servers and Applications Tab

Servers and Applications Tab

For any given instance of the Sun ONE Console, the limits of the network it can administer are defined by the set of resources whose configuration information is stored in the same configuration directory—that is, the maximum set of hosts and servers that can be monitored from the Sun ONE Console. The superadministrator (the person who manages the configuration directory) can set access permissions on all network resources registered in the configuration directory. Thus, for a given administrator using the Sun ONE Console, the actual number of visible hosts and servers may be fewer, depending on the access permissions set by the superadministrator.

The "Servers and Applications" tab displays all servers registered in a particular configuration directory, giving you a consolidated view of all the server software and resources under your control. What you control is determined by the access permissions the superadministrator has set up for you.

From this view, you can perform tasks across arbitrary groups or a cluster of servers in a single operation. In other words, you can use the "Servers and Applications" tab to manage a single server or multiple servers that are installed on different ports on one machine. Also, you can access individual server consoles (or administration interfaces) by double-clicking the icons for the corresponding server instance entries (SIEs).

You can accomplish various Directory Proxy Server-specific tasks from the "Servers and Applications" tab:

· Launch the Directory Proxy Server Server Console.

· Launch the Directory Proxy Server Configuration Editor Console (so that you can configure a group of Directory Proxy Servers).

· Set access permissions for Directory Proxy Server.

· Launch the Administration Server Console (so that you can configure an Administration Server instance for administering Directory Proxy Server).

Users and Groups Tab

The "Users and Groups" tab (shown in Figure 3-2) manages user accounts, group lists, and access control information for individual users and groups. All applications registered within the Sun ONE Console framework share core user and group information in the user directory, which typically is a global directory for corporate-wide user data.

Figure 3-2    Sun ONE Console: Users and Groups Tab

From this tab, you can accomplish various user- and group-specific tasks, such as these:

· Add, modify, and delete user and group information in the user directory.

· Search for specific user and group entries in the user directory.

Sun ONE Administration Server

Sun ONE Administration Server is a web-based (HTTP) server that enables you to configure all your Sun ONE servers, including Directory Proxy Server, via the Sun ONE Console. Administration Server (and the configuration directory) must be running before you can configure any of these servers. Administration Server is included with all the Sun ONE servers and is installed when you install your first server in a server group. A server group refers to servers that are installed in a server root directory and that are managed by a single instance of Administration Server.

You access Administration Server by entering its URL in the Sun ONE Console login screen; see . This URL is based on the computer hostname and the port number you chose when you installed Directory Proxy Server. The format for the URL looks like this: http://<machine_name>.<your_domain>.<domain>:<port>

Whenever you try to gain access to Administration Server, you will be prompted to authenticate yourself to the configuration directory by entering your user ID and password. These are the administrator user name and password that you specified when you installed Directory Proxy Server (or the first server in the server group) and Administration Server on your computer. Once Administration Server is running, you can use the Sun ONE Console to administer all servers in that group, including Directory Proxy Server.

For complete details about Administration Server, see Managing Servers with Sun ONE Console. To locate an online version of this book in your Directory Proxy Server installation, open this file: <server-root>/manual/en/admin/ag/contents.htm

You can also get the latest version of this book from this site:

http://docs.Sun ONE.com/docs/manuals/console.html

Starting Administration Server

The Directory Proxy Server installation program automatically starts the instance of Administration Server that you identified during installation for monitoring Directory Proxy Server. If you stopped Administration Server after Directory Proxy Server installation, you must start it before you can administer Directory Proxy Server from the Directory Proxy Server Console.

You can start Administration Server from the command line or from the Windows NT Services panel.

· To start Administration Server from the command line:

At the prompt, enter the following line: <server-root>/start-admin

· Administration Server runs as a service in a Windows NT system. You can use the Windows NT Services panel to start the service directly.

All the above-mentioned methods start Administration Server at the port number you specified during installation. Once the server is running, you can use the Sun ONE Console to access Directory Proxy Server.

Stopping Administration Server

It is good security practice to shut down Administration Server when you are not using it. This minimizes the chances of someone else changing your configuration. You can shut down the server from the Sun ONE Console, the command line, or the Windows NT Services panel.

· To shut down Administration Server from the Sun ONE Console:

    1. Log in to the Sun ONE Console (see ).
    2. In the "Servers and Applications" tab, locate the Administration Server instance that you want to shut down, and double-click the corresponding entry.

       The Administration Server Console appears.

    3. In the Tasks tab, click Stop the Server.

· To shut down Administration Server from the command line:

At the prompt, enter the following line: <server-root>/stop-admin

· Administration Server runs as a service in a Windows NT system; you can use the Windows NT Services panel to stop the service directly.
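
The shutdown practice described above can be checked on a schedule. The following is an added example, not part of the Sun ONE documentation: it parses the Administration Server URL in the format given in this chapter, probes the port, and runs `<server-root>/stop-admin` if something is still listening. `SERVER_ROOT`, `ADMIN_URL`, the `--enforce` switch, the function names and the use of `nc` are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the Sun ONE guide): stop an idle Administration Server.
# SERVER_ROOT and ADMIN_URL are assumptions; use the values from your installation.
SERVER_ROOT="${SERVER_ROOT:-/path/to/server-root}"      # placeholder for <server-root>
ADMIN_URL="${ADMIN_URL:-http://myHost.sun.com:12345}"   # sample URL from this chapter

# Split http://<host>:<port> into "host port"; reject anything malformed.
parse_admin_url() {
    rest=${1#http://}
    [ "$rest" != "$1" ] || return 1                 # scheme must be http://
    rest=${rest%%/*}                                # ignore any trailing path
    host=${rest%:*}
    port=${rest##*:}
    [ "$host" != "$rest" ] && [ -n "$host" ] || return 1   # host and port required
    case $port in ''|*[!0-9]*) return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
    printf '%s %s\n' "$host" "$port"
}

# Probe host/port: 0 = a listener answered, 1 = nothing listening,
# 2 = cannot check. Assumes an nc that supports -z and -w.
port_is_open() {
    command -v nc >/dev/null 2>&1 || return 2
    nc -z -w 3 "$1" "$2" >/dev/null 2>&1 && return 0
    return 1
}

# Print "stop", "already-stopped", "unknown" or "bad-url" for the given URL.
# $2 optionally names a replacement probe function (used for offline testing).
admin_action() {
    hp=$(parse_admin_url "$1") || { echo "bad-url"; return 1; }
    probe=${2:-port_is_open}
    rc=0
    $probe $hp || rc=$?                             # $hp splits into host and port
    case $rc in
        0) echo "stop" ;;
        1) echo "already-stopped" ;;
        *) echo "unknown" ;;
    esac
}

# Run with --enforce (for example from a scheduled job outside working hours).
# A listener on the port is taken to be Administration Server; verify that first.
if [ "${1:-}" = "--enforce" ]; then
    case $(admin_action "$ADMIN_URL") in
        stop) echo "Administration Server is listening; running stop-admin."
              "$SERVER_ROOT/stop-admin" ;;
        already-stopped) echo "Administration Server is not listening." ;;
        *) echo "Could not determine Administration Server state." >&2; exit 2 ;;
    esac
fi
```

Without `--enforce` the script only defines its functions, so `admin_action` can be sourced and used as a read-only check.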

Accessing the Directory Proxy Server Consoles

To perform any of the Directory Proxy Server administration tasks from the Directory Proxy Server consoles, you need to open the appropriate console first.

· Step 1. Log In to the Sun ONE Console

· Step 2. Open the Appropriate Directory Proxy Server Console

Step 1. Log In to the Sun ONE Console

You can launch and use the Sun ONE Console only when the corresponding configuration directory and Administration Server are running. If the servers are not running, go to the command line and start them. For information on starting Administration Server from the command line, see . For information on starting the configuration directory, check the Sun ONE Directory Server documentation.

When you launch the Sun ONE Console, it displays a login window. You are required to authenticate to the configuration directory by entering your administrator's ID, your password, and the URL (including the port number) of the Administration Server representing a server group to which you have access. You cannot use the Sun ONE Console without having access privileges to at least one server group on your network.

  1. Open the Sun ONE Console application by using the appropriate option:
    • For local access on a UNIX machine, at the command-line prompt, enter the following line: <server-root>/start-console
    • For local access on a Windows NT machine, double-click the Sun ONE Console icon on your desktop; this icon was created when you installed your first Sun ONE server.

    The Sun ONE Console Login window appears.

  2. Authenticate yourself to the configuration directory:

    User ID. Type the administrator ID you specified when you installed Administration Server on your machine. You installed Administration Server either when you installed your first Sun ONE server or as a part of Directory Proxy Server installation.

    Password. Type the administrator password that you specified when you installed Administration Server on your computer during Directory Proxy Server installation.

    Administration URL. This field should show the URL to Administration Server. If it doesn't or if it doesn't have the URL of Administration Server that you want, type the URL in this field. The URL is based on the computer host name and the Administration Server port number you chose when you installed Directory Proxy Server. Use this format:

    http://<machine_name>.<your_domain>.<domain>:<port_number>

    For example, if your domain name is sun and you installed Administration Server on a host machine called myHost and specified port number 12345, the URL would look like this: http://myHost.sun.com:12345

  3. Click OK.

    The Sun ONE Console appears with a list of all the servers and resources under your control.



Step 2. Open the Appropriate Directory Proxy Server Console

In the Sun ONE Console, you will notice that there are two entries for Directory Proxy Server, one for the Directory Proxy Server instance node and another for the Directory Proxy Server Configurations node. The Directory Proxy Server instance node corresponds to the Directory Proxy Server server instance and the Directory Proxy Server Configurations node corresponds to the configuration shared by multiple Directory Proxy Server instances.

Each node is associated with a GUI-based administration interface:

· Directory Proxy Server Console—This administration interface enables you to create, configure, and manage a Directory Proxy Server instance: for example, to start it, stop it, specify its configuration, monitor its logs, and so on. You can use the Directory Proxy Server Server Console to access the server locally or remotely. Directory Proxy Server instances created and configured with the Directory Proxy Server Server Console affect all Directory Proxy Server instances that use the configuration.

· Directory Proxy Server Configuration Editor Console—The logic and system configurations can be shared by multiple Directory Proxy Server instances. The ability of Directory Proxy Server instances to share configuration information simplifies the task of managing a cluster of Directory Proxy Servers. The Directory Proxy Server Configuration Editor Console is an administration interface that enables you to configure and manage a cluster of Directory Proxy Servers. Edits made via this interface affect all Directory Proxy Server instances that use the edited configuration.

Opening the Directory Proxy Server Server Console

Once you have logged in to the Sun ONE Console, you can open the Directory Proxy Server Server Console: in the navigation tree of the Sun ONE Console, expand the hostname that contains the server group to which the Directory Proxy Server instance belongs, expand the Server Group node, select the entry that corresponds to the Directory Proxy Server instance of your interest, and click Open. The Directory Proxy Server Console opens (Figure 3-3).

Figure 3-3    Directory Proxy Server Server Console: Tasks Tab

The Directory Proxy Server Console has two tabs—Tasks and Configuration—each addressing specific administrative areas.

The Tasks tab enables you to perform common tasks such as starting, stopping, restarting, and reloading the server; distributing or balancing load among various LDAP directories; and managing certificates. For details about starting, stopping, and restarting Directory Proxy Server, see Chapter 4 "Starting, Restarting, and Stopping Directory Proxy Server." For details about load balancing, see Chapter 7 "Defining and Managing Property Objects." For details about managing certificates, see Chapter 11 "Configuring Security."

The Configuration tab (Figure 3-4) enables you to view and modify the configuration for a particular instance.

Figure 3-4    Directory Proxy Server Server Console: Configuration Tab Settings Tab

The Settings and Encryption tabs are related to how this specific instance of Directory Proxy Server is configured.

The Settings Tab (Figure 3-4) allows you to configure the following parameters:

Network. Displays the Host Name, Port, and SSL Port for this instance of Directory Proxy Server.

SSL/TLS. Displays the currently selected configuration for the SSL certificates that Directory Proxy Server sends to, and requires from, servers and clients. It also identifies the SSL/TLS versions used for client-to-Directory Proxy Server and Directory Proxy Server-to-backend communication.

Connections. Displays the Directory Proxy Server connection backlog value, allows you to specify a maximum number of connections, and set connection pool timeout values.

Unix. Displays the UNIX user ID and working directory for this instance of Directory Proxy Server.

Settings saved as. Allows you to specify a Directory Proxy Server name value for the editing session currently displayed in the list box. You may also create a new Directory Proxy Server configuration or delete an old one.

The Encryption tab of the Configuration tab (Figure 3-5) enables you to view and modify the encryption settings.

Figure 3-5    Directory Proxy Server Server Console: Configuration Tab Encryption Tab

The Encryption Tab allows you to configure the following parameters:

Refresh. Allows you to refresh the current screen values to see newly added certificates.

Enable SSL for this server. Enables SSL encryption for this instance of Directory Proxy Server.

Use the cipher family RSA. Enables you to set the Security Device, Certificate, and cipher settings for this instance of Directory Proxy Server.

See "Creating System Configuration Instances" for more information on setting encryption for your system.

Opening the Directory Proxy Server Configuration Editor Console

Once you have logged in to the Console, you can open the Directory Proxy Server Configuration Editor Console. In the navigation tree of the Console, expand the Directory Proxy Server Configurations node, select the entry, and click Open. The Directory Proxy Server Configuration Editor Console opens (Figure 3-6).

Figure 3-6    Directory Proxy Server Configuration Editor Console

The navigation tree on the left side contains nodes for each of Directory Proxy Server's basic configuration objects. Expanding one of the main nodes shows tree nodes for each object subtype. Clicking a tree node displays a table on the right side containing all current objects of the type indicated by the selected tree node. Object tables whose ordering is important (for example, Network Groups) have a set of up and down buttons that allow individual objects to be raised or lowered in precedence.

Table 3-1 lists the configuration object types shown in the navigation tree.

Table 3-1    Configuration Objects in the Directory Proxy Server Configuration Editor Console

| Configuration Object Type | Description |
|---|---|
| Network Groups | Each Network Group object identifies a specific client community, and specifies the restrictions to enforce on clients that match that group. For details, see Chapter 6 "Creating and Managing Groups." |
| Events | Event objects are used to specify conditions that occur at predetermined states. Conditions can be attached to certain events, on which, if satisfied, Directory Proxy Server can take certain actions. For details, see Chapter 8 "Creating and Managing Event Objects." |
| Actions | Actions are used to specify actions to take when an event occurs. For details, see Chapter 9 "Creating and Managing Action Objects." |
| Properties | Properties are used to describe more specialized restrictions on the client. Each group object may include a set of properties defined by property objects. For details, see Chapter 7 "Defining and Managing Property Objects." |


Copyright 2003 Sun Microsystems, Inc. All rights reserved.