Sun ONE Portal Server 6.1 Migration Guide
Chapter 12
Migrating Data From Sun ONE Identity Server 5.1a to Sun ONE Identity Server 6.0
Note
All instances of the Sun ONE Identity Server 5.1 product refer to what was formerly known as the iPlanet Directory Server Access Management Edition 5.1 product.
This chapter provides an overview and a description of the process required to migrate Sun ONE Identity Server 5.1 data to Sun ONE Identity Server 6.0 data formats in order to upgrade your Sun ONE Portal Server system from the 6.0 software release to the 6.1 software release.
This chapter contains the following sections:
- Migrating Sun ONE Identity Server 5.1 Services, Policies, and Authentication Entries
Overview
The Sun ONE Identity Server 5.1a to Sun ONE Identity Server 6.0 migration process involves the following high-level steps:
- Backing up all the Sun ONE Identity Server 5.1 data.
- Uninstalling Sun ONE Identity Server 5.1 product components and the schema, but not the Sun ONE Directory Server 5.1 installation.
- Installing the Sun ONE Identity Server 6.0 schema on the existing Directory Server 5.1 installation.
- Retaining the top level entry of your Directory Information Tree (DIT).
- Installing Sun ONE Identity Server 6.0 component software on the existing Directory Server 5.1 installation and DIT using the method that is appropriate for your Portal Server deployment type (web container).
It is expected that the person performing the migration procedure is familiar with Sun ONE Directory Server commands, schema semantics, DIT, and the Sun ONE Identity Server schema and DIT structures. In addition, familiarity with XML and the Sun ONE Identity Server installation procedure is required. For further information on Sun ONE Directory Server commands or concepts, refer to the Sun ONE Directory Server documentation suite located at http://docs.sun.com
For further information on the process of migrating data from Sun ONE Identity Server 5.1 to Sun ONE Identity Server 6.0, refer to the Sun ONE Identity Server 6.0 Installation and Configuration Guide.
Backing Up Sun ONE Identity Server 5.1a Data
The Sun ONE Identity Server 5.1a product stores user and service configuration on an associated directory server. Use the directory server db2bak command to back up the Sun ONE Identity Server 5.1a data. This command is available in the slapd-HOSTNAME directory within the base directory of the directory server. For example, if the directory server was installed to the default install directory (/usr/ldap) on the server sesta, the base directory would be /usr/ldap/slapd-sesta.
- Create a backup of the database using the db2bak command and specify the backup directory in which to save the backup file. For example, to create a backup of the database on the server and store it in the /usr/DS5.1bak/db2bakup/config directory, type the following:
/DS_BASEDIR/slapd-HOSTNAME/db2bak /usr/DS5.1bak/db2bakup
- Create a backup copy of the configuration for the directory server. For example, to copy the configuration and store it in the /usr/DS5.1bak/config directory, type the following:
cp -r /DS_BASEDIR/slapd-HOSTNAME/config/ /usr/DS5.1bak/db2bakup
- Run the saveconfig command to save the Admin Server configuration.
/DS_BASEDIR/slapd-HOSTNAME/saveconfig
This saves the Admin Server configuration to a confbak directory.
- Create a backup copy of the Admin Server configuration.
cp -r /DS_BASEDIR/slapd-HOSTNAME/confbak /usr/DS5.1bak
- Create backup copies of the web server or application server data. For example, on a web server deployment, copy the data in each of the following directories:
/BASEDIR/SUNWam/web-apps/applications
/BASEDIR/SUNWam/web-apps/services
/BASEDIR/SUNWam/servers/alias
/BASEDIR/SUNWam/config
/BASEDIR/SUNWam/lib
/BASEDIR/SUNWam/locale
where BASEDIR is the directory in which the Sun ONE Identity Server 5.1 product was installed. For example, to back up the /BASEDIR/SUNWam/web-apps/applications directory to /usr/WS6bak, type the following:
cp -r /BASEDIR/SUNWam/web-apps/applications /usr/WS6bak
For application server deployments, copy the data from the application server's instance configuration directory. For example, to back up the default instance configuration directory on the Sun ONE Application Server (/var/opt/SUNWappserver7/domains/domain1/server1/config), type the following:
cp -r /var/opt/SUNWappserver7/domains/domain1/server1/config /usr/AS7bak
- Create backup copies of the logs, debug, and install files. Copy the data in each of the following directories:
/var/opt/SUNWam/logs
/var/opt/SUNWam/debug
/var/opt/SUNWam/install
For example, to back up the /var/opt/SUNWam/logs directory to /usr/WS6bak/install_files, type the following:
cp -r /var/opt/SUNWam/logs /usr/WS6bak/install_files
Uninstalling Sun ONE Identity Server 5.1 Components and Schema
Use the Sun ONE Identity Server 5.1 uninstallation program to remove the Policy and Management service and schema components of the Sun ONE Identity Server 5.1 product, but DO NOT remove the Sun ONE Directory Server 5.1 product.
- Change directories to where the Sun ONE Identity Server 5.1 installation program is located. (The installation program is located in the idsame directory on the Sun ONE Portal Server CD or download image.)
- Type ksh aminstall
- Specify y to accept the license agreement.
- Select option 1, “Remove existing components, then continue installation”.
- Select option 1, “DSAME Management and Policy Services”.
The program uninstalls the Sun ONE Identity Server 5.1 Policy and Management Services.
- At the next prompt, choose option 3, “iPlanet Directory Server Configuration for DSAME”.
This will remove the Sun ONE Identity Server 5.1 schema configuration for the Directory Server.
- Press enter to exit the Sun ONE Identity Server installation program.
- Check for the SUNWamjdk package after the uninstallation is complete using the following command:
pkginfo |grep SUNWamjdk
- If the SUNWamjdk package is present, remove it using the following command:
pkgrm SUNWamjdk
- If you had Sun ONE Identity Server 5.1 SP2 installed on your system, enter the following:
patchrm 113626-01
- For Sun ONE Application Server Enterprise Edition deployments, use the pkgrm command to remove the following additional packages:
pkgrm SUNWamsas
pkgrm SUNWamsac
- For IBM WebSphere application server deployments, use the pkgrm command to remove the following additional packages:
pkgrm SUNWamwss
pkgrm SUNWamwsc
- For BEA WebLogic application server deployments, use the pkgrm command to remove the following additional packages:
pkgrm SUNWamwls
pkgrm SUNWamwlc
- For application server deployments, go to the application server console, apply the changes, and stop and restart the application server instance.
Use the mechanism appropriate for your application server. For more information on installing into an application server deployment, refer to the Sun ONE Portal Server 6.1 Installation Guide or the documentation specific to your application server.
Because the Sun ONE Identity Server has been removed but the Portal Server is still installed, exceptions will be logged. You can ignore these exceptions.
- On all deployments, stop and restart the Sun ONE Directory Server.
/DS_BASEDIR/slapd-HOSTNAME/stop-slapd
/DS_BASEDIR/slapd-HOSTNAME/start-slapd
Installing the Sun ONE Identity Server 6.0 Schema on the Existing Directory Server 5.1 Installation
Use the Sun ONE Identity Server 6.0 installation program from the Sun ONE Portal Server image to install the Sun ONE Identity Server 6.0 schema into the existing directory.
- Change directories to where the Sun ONE Identity Server 6.0 installation program is located.
- Type ksh setup
To run the Sun ONE Identity Server 6.0 installation program in command line mode, type ksh setup -nodisplay
- In the Welcome menu, click Next.
- To accept the terms of the License Agreement, click “Yes (Accept License)”.
- In the Installation Directory window, enter the path to the Sun ONE Identity Server base directory where you want to install the 6.0 schema, and then click Next.
- In the Components to be Installed/Uninstalled window, click "Configure an Existing Directory Server," and then click Next.
- In the Sun ONE Directory Server Information window, provide the following information, and then click Next:
Host: Enter the fully qualified domain name of the computer where Directory Server is installed.
Port: Enter the Directory Server port number. The default port is 389.
Directory Manager: Enter the DN of the user who has unrestricted access to Directory Server. This DN was specified when Directory Server was installed. Example: cn=Directory Manager
Password: Enter the password that was entered for the Directory Manager when Directory Server was installed.
- In the Currently Selected Settings window, review the settings you have selected, and then click Next.
- In the Ready to Install window, click "Install Now."
- When the program is finished, in the Installation Summary window, click Close.
Retaining the Top Level Entry of the Directory Information Tree (DIT)
Before installing Sun ONE Identity Server 6.0 software, you will need to verify that the Directory Server 5.1 installation that existed with iPlanet Directory Server Access Management Edition 5.1 is set up to retain the existing DIT structure and ensure proper installation. To retain the Sun ONE Identity Server 5.1 DIT structure, the top level entry must have the iplanet-am-service-status attribute set. Depending on your installation, this attribute may or may not be set at the top level of your DIT. For example, in the default installation of the Sun ONE Portal Server 6.0 release, the DIT might have a hierarchical structure with o=isp at the top of the structure and an organization such as o=sesta.com beneath it, as is shown in Figure 12-1.
Figure 12-1 Hierarchical Directory Structure
In this case, isp is not really an organization and as such does not have an iplanet-am-service-status attribute set. To retain the Sun ONE Identity Server 5.1 DIT structure, the top level entry, isp, must be updated before you install Sun ONE Identity Server 6.0. If the Sun ONE Identity Server 5.1 Directory Server has an organization (flat DIT) as top level entry, then this change is not necessary before installing Sun ONE Identity Server 6.0.
To update the top level entry of your DIT:
- Set the LD_LIBRARY_PATH variable by appending the existing path with a colon and the path to the LIB directory on the directory server as follows:
LD_LIBRARY_PATH=/usr/ldap/lib:/DS_BASEDIR/lib
- Export the LD_LIBRARY_PATH variable as follows:
export LD_LIBRARY_PATH
- Use the ldapmodify command from the directory server install directory to update the top level entry, if it is not an organization. For example, to update the o=isp entry:
/DS_BASEDIR/shared/bin/ldapmodify -D "cn=directory manager" -w PASSWORD
dn: o=isp
changetype: modify
delete: objectClass
objectClass: iplanet-am-managed-org
-
add: objectClass
objectClass: sunManagedOrganization
-
add: iplanet-am-service-status
iplanet-am-service-status: iPlanetAMAuthService
- Use the ldapsearch command to check the attribute settings. For example, to check the settings for the o=sales entry on hostname myserver with the root suffix of dc=sesta,dc=com:
/DS_BASEDIR/shared/bin/ldapsearch -v -h myserver -b "dc=sesta,dc=com" -s one "o=sales"
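An LDAP modify is applied as a whole, so the fixed change record above is rejected if the entry is already partly updated (for example, when sunManagedOrganization is already present). The following shell functions are an added example, not part of the original guide: they read the LDIF of the top-level entry as printed by ldapsearch and emit only the changes still required. The function names and the sample entry are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the guide): work out which parts of the top-level
# entry update are still required and emit a change record with only those.

# Join LDIF continuation lines: a line that starts with one space continues
# the previous line.
unfold_ldif() {
    awk '
        /^ / { buf = buf substr($0, 2); next }
        { if (NR > 1) print buf; buf = $0 }
        END { if (NR > 0) print buf }
    '
}

# top_entry_changes DN
# Reads the LDIF of one entry on stdin. Prints an ldapmodify change record,
# or nothing when the entry is already in the required state.
# Returns 2 when the input holds no attribute lines (entry not found).
top_entry_changes() {
    unfold_ldif | ENTRY_DN="$1" awk '
        {
            i = index($0, ":")
            if (i < 2) next
            attr = tolower(substr($0, 1, i - 1))   # names are case-insensitive
            val = substr($0, i + 1)
            if (substr(val, 1, 1) == ":") next     # base64 value, not relevant
            sub(/^[ \t]+/, "", val); sub(/[ \t\r]+$/, "", val)
            val = tolower(val)
            seen++
            if (attr == "objectclass" && val == "iplanet-am-managed-org") has_old = 1
            if (attr == "objectclass" && val == "sunmanagedorganization") has_new = 1
            if (attr == "iplanet-am-service-status" && val == "iplanetamauthservice") has_status = 1
        }
        END {
            if (!seen) exit 2
            n = 0
            if (has_old)     part[++n] = "delete: objectClass\nobjectClass: iplanet-am-managed-org"
            if (!has_new)    part[++n] = "add: objectClass\nobjectClass: sunManagedOrganization"
            if (!has_status) part[++n] = "add: iplanet-am-service-status\niplanet-am-service-status: iPlanetAMAuthService"
            if (n == 0) exit 0
            print "dn: " ENVIRON["ENTRY_DN"]
            print "changetype: modify"
            for (k = 1; k <= n; k++) {
                if (k > 1) print "-"
                print part[k]
            }
        }
    '
}

# Constructed sample: a top-level entry that has not been updated yet.
# One value is folded across two lines to exercise unfold_ldif.
sample_top_entry() {
    cat <<'EOF'
dn: o=isp
objectClass: top
objectClass: organization
objectClass: iplanet-am-man
 aged-org
o: isp
EOF
}

sample_top_entry | top_entry_changes "o=isp"
```

The printed record can be fed to the ldapmodify command shown in the step above in place of the hand-typed one.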
Installing Sun ONE Identity Server 6.0 Components on the Existing Directory Server 5.1 Installation
The method for installing the Sun ONE Identity Server 6.0 components varies depending on the deployment web container used by the Sun ONE Portal Server. Use the appropriate procedure for your deployment scenario:
To Install Sun ONE Identity Server 6.0 Components for a Web Server Deployment
Run the Sun ONE Identity Server 6.0 installation program to install the Sun ONE Identity Server 6.0 software on a web server deployment.
- Change directories to where the Sun ONE Identity Server installation program is located.
- Type ksh setup
To run the Sun ONE Identity Server 6.0 installation program in command line mode, type ksh setup -nodisplay
- In the Welcome menu, click Next.
- To accept the terms of the License Agreement, click “Yes (Accept License)”.
- In the Installation Directory window, enter the path to the directory where you want to install the Sun ONE Identity Server software, and then click Next.
- In the Components to be Installed/Uninstalled window, click "Sun ONE Identity Server Management and Policy Services," and then click Next.
- In the Sun ONE Directory Server Information window, provide the following information, and then click Next:
- Host: Enter the fully qualified domain name of the computer where Directory Server is installed.
- Port: Enter the Directory Server port number. The default port is 389.
- Directory Manager: Enter the DN of the user who has unrestricted access to Directory Server. This DN was specified when Directory Server was installed. Example: cn=Directory Manager
- Password: Enter the password that was entered for the Directory Manager when Directory Server was installed.
- In the Currently Selected Settings window, review the settings you have selected, and then click Next.
- In the Ready to Install window, click "Install Now."
- When the program is finished, in the Installation Summary window, click Close.
- Open the amserver scripts located in the /BASEDIR/SUNWam/bin and /etc/init.d directories with a text editor and verify or specify the LDAPDIR and NDS_SERVER variables. For example, to set LDAPDIR to the default install directory of /usr/ldap and NDS_SERVER to the base directory on the server sesta of /usr/ldap/slapd-sesta, edit the values as follows:
LDAPDIR=/usr/ldap
NDS_SERVER="$LDAPDIR/slapd-sesta"
- If you are installing Sun ONE Identity Server 6.0 SP1, enter the following:
patchadd 114772-01
- Restart the Sun ONE Identity Server.
/etc/init.d/amserver stop
/etc/init.d/amserver start
To Install Sun ONE Identity Server 6.0 Components for an Application Server Deployment
Run the Portal Server 6.0 installation program to install the Sun ONE Identity Server 6.0 software on an application server deployment.
- Log in to the machine and become superuser.
You will need root access to install the Sun ONE Portal Server.
- Change directories to where the installation program is located.
- Type ./pssetup
- Specify if you accept the license agreement. To accept, type yes.
- Ignore the detected components message and select Continue with install.
- Select the Install Identity Server option.
- Select the deployment type for the application server in which to deploy.
- At the Use these settings? [y]/n prompt, enter n.
- Set the appropriate setting for the configuration.
The following entries specified should match the values that were set for the original Sun ONE Identity Server 5.1 installation:
directory root suffix
directory manager password
admin user
admin password
directory server host
directory server port
Refer to the AMConfig.properties file from the Sun ONE Identity Server 5.1 installation backup for any values of which you are not sure. Also, retain the Sun ONE Identity Server 5.1 values for organization object class, organization naming attribute, user object class and user naming attribute.
- Open the amserver scripts located in the /BASEDIR/SUNWam/bin and /etc/init.d directories with a text editor and verify or specify the LDAPDIR and NDS_SERVER variables. For example, to set LDAPDIR to the default install directory of /usr/ldap and NDS_SERVER to the base directory on the server sesta of /usr/ldap/slapd-sesta, edit the values as follows:
LDAPDIR=/usr/ldap
NDS_SERVER="$LDAPDIR/slapd-sesta"
- For application server deployments, go to the application server console, apply the changes, and stop and restart the application server instance.
Use the mechanism appropriate for your application server. For more information on installing into an application server deployment, refer to the Sun ONE Portal Server 6.1 Installation Guide or the documentation specific to your application server.
Because the Sun ONE Identity Server data has not been updated yet, exceptions will be logged. You can ignore these exceptions.
Migrating Sun ONE Identity Server 5.1 Services, Policies, and Authentication Entries
Once Sun ONE Identity Server 6.0 is installed and the Sun ONE Directory Server schema is updated, the directory server data must be modified to Sun ONE Identity Server 6.0 format. In Sun ONE Identity Server 6.0, the policy, authentication and console components have changed significantly from the Sun ONE Identity Server 5.1 release and hence need to be migrated.
All the migration scripts needed for this are located under the directory BASEDIR/SUNWam/migration/51to60. The scripts contain additional information, which you must read before running the scripts. It will help you set some variables in each script or check the values of the variables.
- Set the LD_LIBRARY_PATH environment variable to /BASEDIR/SUNWam/ldaplib/solaris/sparc/ldapsdk:$LD_LIBRARY_PATH
- In each of the migration scripts, verify or specify that the paths in the LDAP_MODIFY and LDAP_SEARCH variables point to the appropriate directory for your deployment. For example, in a Sun ONE Application Server installed in the default base directory, set the variables to point to /opt/SUNWappserver7/SUNWam/bin/
- Run the /BASEDIR/SUNWam/migration/51to60/update-schema.pl script to migrate the schema data.
This script generates an input file, 51entries.ldif and an output file, 60entries.ldif.
- Run the ldapmodify command on the output file generated in Step 3 to update the schema. For example, type
/BASEDIR/SUNWam/bin/ldapmodify -h HOSTNAME -p 389 -D "cn=Directory Manager" -w PASSWORD -c -f 60entries.ldif
- Run the /BASEDIR/SUNWam/migration/51to60/update-policies.pl script to migrate the policy data.
This script creates an XML file for each organization containing policies. For example, if the organization is o=sesta.com,o=sales, then the script creates a file named o=sesta.com-o=sales.xml. These files will be used later.
- Run the /BASEDIR/SUNWam/migration/51to60/update-auth.pl script to migrate the authentication data.
The script generates an input file, 51auth-entries.dn, and an output file, 51to60auth-entries.ldif. These files will be used later.
Tip
This script will only migrate the Sun ONE Identity Server provided authentication modules. Any customized authentication modules must implement the Authentication Service Provider Interface (SPI) (which provides the authentication framework) and need to be rewritten using com.sun.identity.authentication.spi.AMLoginModule class. In addition, you must also do the following:
- Create or update the XML service file for the authentication module. For example, amAuthLDAP.xml defines the LDAP service parameters. If this file existed in Sun ONE Identity Server 5.1 implementation, it is migrated automatically by the Sun ONE Identity Server 6.0 migration script.
- Create or update the authentication module configuration file. This file specifies the authentication module credentials by defining the user authentication screens. In Sun ONE Identity Server 5.1, this file was a .properties file (for example, LDAP.properties). In Sun ONE Identity Server 6.0, this file is a .xml file (for example, LDAP.xml).
- Create or update the localization properties file. For example, amAuthLDAP.properties defines the LDAP properties.
- Update the iplanet-am-authenticators authentication attribute in the amAuth.xml file by adding a value that specifies the fully qualified class name of the custom authentication module. This can be done by manually editing the attribute in the amAuth.xml file and then importing the file.
Refer to Appendix F, "Authentication Framework Changes Between Sun ONE Portal Server 6.0 and Sun ONE Portal Server 6.1" for details on the changes to the authentication framework service that you need to know for migration purposes. For detailed information on writing and implementing custom authentication modules, refer to the Sun ONE Identity Server 6.0 Programmer’s Guide.
- Use Directory Server console to remove the following Sun ONE Identity Server 5.1 services:
- iPlanetAMAdminConsoleService
- iPlanetAMAuthService
- iPlanetAMAuthAnonymousService
- iPlanetAMAuthCertService
- iPlanetAMAuthLDAPService
- iPlanetAMAuthMembershipService
- iPlanetAMAuthNTService
- iPlanetAMAuthRadiusService
- iPlanetAMAuthSafewordService
- iPlanetAMAuthUnixService
- iPlanetAMClientDetectionService
- iPlanetAMDomainURLAccessService
- iPlanetAMEntrySpecificService
- iPlanetAMLoggingService
- iPlanetAMNamingService
- iPlanetAMPlatformService
- iPlanetAMPolicyService
- iPlanetAMSessionService
- iPlanetAMUserService
- iPlanetAMWebAgentService
- DAI
- Use Directory Server console to remove the Sun ONE Identity Server 5.1 user’s default login URL attribute (iplanet-am-user-default-url) from your user entries as this attribute is no longer available in Sun ONE Identity Server 6.0.
- In the /BASEDIR/SUNWam/migration/51to60/load-services.pl script, verify or specify that the path to the $base_dir variable points to the appropriate directory for your deployment. For example, in a Sun ONE Application Server installed in the default base directory, set the variable to point to /opt/SUNWappserver7
- Run the /BASEDIR/SUNWam/migration/51to60/load-services.pl script to load the services data.
This script loads all Sun ONE Identity Server 6.0 services. It uses the services XML /BASEDIR/SUNWam/config/ums/ums.xml and the XML files under /BASEDIR/SUNWam/config/xml.
- Run the ldapmodify command on the output file generated in Step 6 to update the authentication data. For example, type
/BASEDIR/SUNWam/bin/ldapmodify -h HOSTNAME -p 389 -D "cn=Directory Manager" -w PASSWORD -a -c -f 51to60auth-entries.ldif
- Run the /BASEDIR/SUNWam/migration/51to60/update-services.pl script to update the services data.
- Run the ldapmodify command on the output file generated in Step 12 to update the services data. For example, type
/BASEDIR/SUNWam/bin/ldapmodify -h HOSTNAME -p 389 -D "cn=Directory Manager" -w PASSWORD -c -f 60services.ldif
- Replace the ROOT_SUFFIX in the liberty_services.ldif file.
Sun ONE Identity Server 6.0 supports Liberty Alliance Federation Management. This file registers two services (iPlanetAMAuthenticationDomainConfigService and iPlanetAMProviderConfigService) to support the Sun ONE Identity Server 6.0 Liberty Alliance Federation Management.
- Run the ldapmodify command from Step 13 to update the Liberty Services data in the schema. For example, type
/BASEDIR/SUNWam/bin/ldapmodify -h HOSTNAME -p 389 -D "cn=Directory Manager" -w PASSWORD -a -c -f liberty_services.ldif
- Restart the Sun ONE Identity Server. For servers deployed on an application server, use the mechanism appropriate for your application server. For servers deployed on a web server, enter the following:
/etc/init.d/amserver start
- Log into the Sun ONE Identity Server 6.0 administration console.
If the default login URL of Sun ONE Identity Server 5.1 in the core authentication service has not been modified (PROTOCOL://HOST:PORT/amserver/login), you can use the default login URL of Sun ONE Identity Server 6.0 (PROTOCOL://HOST:PORT/amserver/UI/Login) to log in to the Sun ONE Identity Server 6.0 console. There is a known issue in Sun ONE Identity Server 5.1 where the default login URL in the core authentication service is sometimes set to /amserver/login instead of PROTOCOL://HOST/amserver/login. In such cases, you cannot use the 6.0 default login URL to log in. To access the console using the 6.0 default login URL, you need to modify the associated domain attribute of the default organization to the 6.0 default login URL (PROTOCOL://HOST/amserver/UI/Login). Use the fully qualified domain name for the host and use the correct deployment descriptor in the URL. Note that the associated domain attribute value does not contain a port number, but you need to specify the port when accessing the console. You can also use a URL of the form PROTOCOL://HOST:PORT/amserver/UI/Login?org=ORG_RDN.
- From the administration console, enable the user management service.
- Navigate to the top-level organization for your implementation.
By default, Identity is selected in the location pane and Organizations is selected in the Navigation pane.
- Select the Service Configuration tab.
- Click the properties arrow icon next to Administration, check Enable User Management, and click Save.
- Create the amldapuser entity.
The Sun ONE Identity Server 6.0 release has introduced a new user, amldapuser. This user is used to bind to and search the directory for the LDAP and Membership authentication modules. This user is also used in the Policy Configuration service. Once the LDAP, Membership, or Policy Configuration service is registered to an organization, the password for this user must be explicitly entered in those services. The password is the amldapuser password entered during Sun ONE Identity Server 6.0 installation. Run the following two commands to create this user and to set access rights for this user.
/BASEDIR/SUNWam/bin/ldapmodify -h HOSTNAME -p 389 -D "cn=Directory Manager" -w PASSWORD
dn: cn=amldapuser,ou=DSAME Users,ROOT_SUFFIX
changetype: add
objectclass: inetuser
objectclass: organizationalperson
objectclass: person
objectclass: top
cn: amldapuser
sn: amldapuser
userPassword: <password>
/BASEDIR/SUNWam/bin/ldapmodify -h HOSTNAME -p 389 -D "cn=Directory Manager" -w PASSWORD
dn: ROOT_SUFFIX
changetype: modify
add: aci
aci: (target="ldap:///ROOT_SUFFIX")(targetattr="*")(version 3.0; acl "special ldap auth user rights"; allow (read,search) userdn = "ldap:///cn=amldapuser,ou=DSAME Users,ROOT_SUFFIX";)
- From the administration console, check the users listed for each organization to verify that all the users have been migrated.
- Run the /BASEDIR/SUNWam/migration/51to60/delete-policies.pl script to generate the policies data to delete.
- Run the ldapdelete command on the output file generated in Step 20 to delete the policies data. For example, type
/BASEDIR/SUNWam/bin/ldapdelete -h HOSTNAME -p 389 -D "cn=Directory Manager" -w PASSWORD -f delete-policies.ldif
- Register and create templates for the Policy Configuration service at the top-level organization for your implementation.
- From the administration console, navigate to the top-level organization for your implementation.
- Select Services from the View menu.
- Click Register.
- Check the Policy Configuration checkbox and then click Register.
- Click the properties arrow icon next to the Policy Configuration service and click Create.
- Enter the password for the user amldapuser and click Save.
- Create referral policies at the top-level organization for your implementation and add rules for each service.
- From the administration console, navigate to the top-level organization for your implementation.
- Select Policies from the View menu in the navigation pane.
- Click Create New.
- For Type of Policy, select Referral.
- For Name, type either SubOrgReferral_organization or PeerOrgReferral_organization where organization is the name of the organization for the referral and click Create.
- Click Rules from the View menu data pane, select the rules for the policy and click Save.
- Click Referrals from the View menu data pane and click Add.
- Verify that the name of the peer or suborganization is selected for Value and click Create.
- Click Save in the data pane to save the referral policy.
- Run the amadmin command for each of the output files generated in Step 5 to update the policies data. For example, if the output file was named o=sesta.com-o=sales.xml, type
/BASEDIR/SUNWam/bin/amadmin -u "uid=amAdmin,ou=People,o=sesta.com,o=isp" -w PASSWORD -t o=sesta.com-o=sales.xml
- Manually set the defaultOrg and amAdmin distinguished names in the AMConfig.properties file. For example:
com.iplanet.am.defaultOrg=o=iplanet.com
com.sun.identity.authentication.super.user=uid=amAdmin,ou=People,o=iplanet.com,o=isp
This completes the basic migration. For additional information on migrating iPlanet Directory Server Access Management Edition 5.1 data to Sun ONE Identity Server 6.0 formats, refer to Appendix A of the Sun ONE Identity Server 6.0 Installation and Configuration Guide.