Previous     Contents     Index     Next     
iPlanet Directory Server Access Management Edition Installation and Configuration Guide



Chapter 7   Basic Configurations


This chapter describes configurations typically implemented when you initially deploy iPlanet Directory Server Access Management Edition (DSAME).

Topics in this chapter include:



Installing Multiple DSAME Instances Against the Same Directory Server

You can install more than one instance of DSAME against this Directory Server for enhanced performance, to support directory replication, or for agent failover purposes. When you run the DSAME installation program for the first time, you'll typically use Option 1) Install DSAME Policy and Management Services. When you use this option, Directory Server is automatically installed for you. This is the master Directory Server. If you plan to install multiple installations of DSAME against this same master directory, you must configure the second DSAME—as well as all subsequent installations—to use the existing remote Directory Server. You do this during installation.

Figure 7-1    Two DSAME instances installed against a single Directory Server.


To Install Multiple DSAME Instances Against the Same Directory Server

Run the DSAME installation program to install the DSAME services and a master Directory Server. You must have root permissions when you run the DSAME installation program. Be sure all web browsers are closed before starting the installation program.

  1. Install DSAME services for the first time. Use the instructions in Chapter 4 "Simple Installations with No Existing Directory Server" or in Chapter 5 "Using an Existing Directory Server" as appropriate for your needs.

  2. Run the aminstall program a second time to install the second instance of DSAME services.

  3. Read the License Agreement. At the prompt, Do you agree to the license terms? enter y for Yes.

  4. If the following message does not display, then skip to Step 5.
    One or more components that are part of DSAME 5.0 have been detected on this system.
    ...
    If you are going to install components which already exist, you must uninstall them first.

    What would you like to do?
    1)Remove existing components, then continue installation.
    2)Continue installation without removing existing components.
    3)Exit

    • If the message is displayed, and want to re-install components listed in the message, then enter 1 to remove the existing components. After uninstallation, the installation program will automatically start again from the beginning.

    • If the message is displayed, and you want to install components that are not listed in the message, then enter 2 to proceed to the next step.

  5. The following options are displayed.
    1) DSAME Services
    2) DSAME Agent only
    3) iPlanet Directory Server 5.1
    4) iPlanet Directory Server Configuration for DSAME
    5) Exit

    When prompted, provide the following information:

    Select which component to install: Enter 1 to install DSAME Services.

    What directory do you want to install the Services in? Enter the path to the directory where the second instance of DSAME Services will be installed. Plan to install the DSAME Services on a different computer system.

    What is the host name of the machine where the DSAME Services will run? This is the computer system where DSAME components and a dedicated Web Server will be installed together. In the name mycomputer.organization_name.madisonparc.com, the host name is mycomputer.

    What is the sub-domain name ("." for none)? For example, in the name mycomputer.organization_name.madisonparc.com, the sub-domain name is organiation_name. If your host computer does not have a sub-domain, enter a period (.).

    What is the domain name? For example, in the name mycomputer.organization_name.madisonparc.com, the domain name is madisonparc.com.

    What is the DSAME Services port? Enter a port number for the Web Server that runs the DSAME services.

    Web Server Administration user id: This is the server administrator who has access to the Web Server that runs DSAME services.

    Admin password (8 chars minimum): Enter a password for the Web Server Administrator.

    Re-enter Admin password: Re-enter the Administrator password to confirm it.

    What is the Web Server admin port? The default is 8888. You can enter a different port number.

    System User: This is the user the Directory Server will run as. If you have a Directory Server already running, enter the same System User used by that Directory Server. Example: nobody.

    System Group: This is the group the user belongs to. If you have a Directory Server already running, enter the same System Group used by that Directory Server. Example: nobody.

    Do you want to run in iPlanet Compliance mode? In most cases, enter n for No. For more information, see "Compliant vs. Default DIT".

    Will you be using an existing DIT and schema? Enter y for Yes.

    What is the root suffix of your directory tree? This is the DSAME root suffix, or the point in your directory where you want DSAME to start managing entries. Enter a relative distinguished name (RDN) that contains at least on naming_Attribute=value pair.

    Examples:

      o=isp

      o=madisonparc

      dc=sun,dc=com,l=us

    If you want the default organization to be the root suffix, enter a period (.).

    What is your organization name? Enter a name for the first organization to be created in your DSAME Directory Information Tree (DIT). This name will be displayed in the DSAME graphical user interface. Examples: madisonparc or madisonparc.com.

    Do you want to install the Agents on this host? If you want to protect web content on the Web Server that runs DSAME services, install the URL access agent now. Enter y for Yes. For more information, see Chapter 6 "Installing URL Policy Agents on page 115.

    Do you want to use an existing iPlanet Directory Server? Enter y for Yes.

    Is the existing iPlanet Directory Server installed on a local host or on a remote host? Enter l for Local if the Directory Server is installed on the same computer system as DSAME (it's "local" relative to DSAME). Enter r for Remote if the Directory System is installed on a different computer system, or remote from, the computer that runs DSAME services.

    What is the Directory Server Instance? Enter the Directory Server instance name. To determine the instance name, look in the directory where Directory Server is installed. You'll find a subdirectory that has a name formed by the prefix slapd- and the server instance name. For example, in the directory name slapd-madisonparc, the instance name is madisonparc.

    What port should the LDAP server use? Enter the port number specified when the existing Directory Server was installed.

    Directory Manager DN: The Directory Server administrative user or Directory Manager is the administrator who has unlimited access to Directory Server data and configuration. The default DN for the Directory Manager is cn=Directory Manager.

    Directory Manager password (8 chars minimum): Enter a password for the Directory Manager.

    Re-enter Directory Manager password: Enter the password again to confirm it.

    What is the deployment URI prefix for the DSAME Services? The Universal Resource Indicator (URI) prefix tells the Web Server where to look for HTML pages associated with a service. For example, an authentication service may store a customized login page for each organization in the enterprise. If you are an employee of the Jones Company, you'll see an HTML login page with the Jones logo. If you are an employee of the Smith Company, you'll see an HTML login page with the Smith logo. The HTML pages for each company should be stored in different locations.

    The default URI prefix is amserver. You can enter a different name.

    What is the deployment URI prefix for the DSAME Agents? The Universal Resource Indicator (URI) prefix tells the Web Server where to look for HTML pages the agent needs to display. For example, when a user attempts to access a URL, but cannot provide proper credentials, the agent must display an "Access denied" message. The URI prefix tells the Web Server where to look for the HTML page that contains this message.

    The default URI prefix is amagent. You can enter a different name.

    The Super Administrator user id is: This is the Administrator who has unlimited access to all entries managed by DSAME. The Super Administrator user id is hardcoded amAdmin. This ensures that the DSAME administrator role and its privileges are created and mapped properly in the Directory Server so that you can log into DSAME product immediately after installation.

    Admin password (8 chars minimum): Enter a password for the Super Administrator.

    Re-enter Admin password: Enter the Super Administrator password again to confirm it.

    Do you want to start the iPlanet Directory Server Access Management Edition Server when installation is complete? If you enter y for Yes, DSAME will automatically start up immediately after installation. If you enter n for No, you must start DSAME manually after installation.

    To start DSAME manually, at the command line enter the following command:

      /etc/init.d/amserver start

    Are all settings correct? If the settings displayed are not correct, enter n for No and the installation program will start again from close to the beginning. If the settings are correct, enter y for Yes to continue with the installation.

    Select which component to install: When you see the following options displayed, enter 5 to exit the installation program.
    1) DSAME Services
    2) DSAME Agent only
    3) iPlanet Directory Server 5.1
    4) iPlanet Directory Server Configuration for DSAME
    5) Exit



Support for Directory Replication and High Availability

Load balancing across replicated servers and locating replicated servers closer to users are two ways to improve server performance and response time in your enterprise. You can implement directory replication agreements in your DSAME deployment to increase the availability and performance of the DSAME servers and services. You can set up DSAME directory servers in single-supplier or multi-supplier configurations. You can also configure load-balancing applications such as iPlanet Directory Access Router to work with DSAME.


Replication Considerations

Configure your directory servers for replication before you install DSAME. This ensures that the supplier and consumer databases are synchronized from the beginning, and gives you a chance to verify that referrals and updates are working properly. The information must be identical in each DSAME database.

When you install DSAME for replication purposes, in each instance of Directory Server and in each instance of DSAME, specify the same values for the following:

  • Directory Manager

  • Directory Manager Password

  • Directory Server Administrator ID

  • Server Administrator Password

  • Base suffix

  • Default organization

There may be situations in which you cannot implement directory replication in a DSAME deployment. For example, authentication server host names or IP addresses must be the same. This precludes using geographically separated replicated DSAME servers. The remote servers would not be able to perform authentication against servers that are only local to their respective LANs.

For comprehensive information on planning and implementing Directory Server replication, see the Deployment Guide and the Installation Guide for iPlanet Directory Server. You can access these guides on the Internet at:

  http://docs.iplanet.com/docs/manuals/directory.html


Configuring DSAME to Support Directory Replication

You can configure DSAME to work with single-supplier or multi-supplier replication. For each of the configurations pictured in this section, follow the same instructions. See "To Configure DSAME to Work with Directory Replication" of this manual.

Figure 7-2 illustrates a single-supplier configuration where the Consumer is a read-only database. Requests for write operations are referred to the supplier database. This configuration provides some measure of enhanced server performance by distributing the workload to more than one directory.

Figure 7-2    Single-supplier Replication.

Figure 7-3 illustrates a multi-supplier configuration using multiple instances of DSAME. This configuration provides failover protection as well as high availability, resulting in further enhanced server performance.

Figure 7-3    Multi-supplier configuration. Also known as Multi-Master Replication (MMR)

Figure 7-4 illustrates a multi-supplier configuration that includes iPlanet Access Router. This configuration takes full advantage of DSAME support for failover, high availability, and managed load-balancing.

Figure 7-4    Multi-supplier replication with load-balancing application.


To Configure DSAME to Work with Directory Replication

Use the following steps to configure replication at the root or top level of the DSAME directory tree. You can also use these steps to configure replication at the default organization level.

  1. Install your supplier and consumer Directory Servers (version 5.1). See the Directory Server Installation Guide for detailed instructions.

  2. Set up replication agreements between your supplier and consumer Directory Servers, and then verify that the directory referrals and updates are working properly. See the Directory Server Administrator's Guide for detailed instructions.

  3. If you plan to use DSAME with user data from an existing, pre-5.1 Directory Server, you must migrate the user data and make Directory Tree Information (DIT) changes before proceeding. Follow the detailed instructions in Chapter 5 "Using an Existing Directory Server" on page 65 of this manual. Then skip to step 5.

  4. If you are deploying DSAME and Directory Server for the first time, or if you simply do not plan to use existing user data with DSAME, then run the DSAME installation program to install the DSAME Management and Policy services.

    During installation, you'll be asked if you're using an existing Directory Server. You'll answer "yes," and then you'll specify the host name and port number for a supplier Directory Server you installed in step 1.

    For detailed instructions, see "Installing Multiple DSAME Instances Against the Same Directory Server".

  5. In the Web Server where DSAME Management and Policy services are installed, modify the following file:

      
    DSAME_root    /SUNWam/web-apps/services/WEB-INF/classes/
        AMConfig.properties

    1. Modify the following properties to reflect the host and port number of a consumer Directory Server you installed in step 1.

      • com.iplanet.am.directory.host

      • com.iplanet.am.directory.port

    2. Modify the following properties:

      • replica.enabled=true

      • com.iplanet.am.replica.retries

        Specify the number of times DSAME should continue to make the same request when the requested entry is not found.

      • com.iplanet.am.replica.delay.between.retries

        Specify the number of milliseconds DSAME should allow to elapse between retries.

  6. In each DSAME Authentication module you've enabled, you must specify the consumer directory that you installed in step 1. In the following substeps, the LDAP Authentication module is used as an example:

    1. In the DSAME console, in the View field, choose Service Management.

    2. In the Service Name column, under Authentication, locate the module you need to reconfigure. In the Properties column, click the arrow that corresponds to module you need to reconfigure.

    3. In the right pane, there are two fields named LDAP Server and Port.

      • In the first field named LDAP Server and Port, enter the host name and port number for your primary (consumer) Directory Server.
        Example: consumer1.madisonparc.com:389

      • In the second field named LDAP Server and Port, enter the host name and port number for your secondary or (supplier) directory.
        Example: supplier1.madisonparc.com:399

    4. Click Submit.

  7. In the following file: DSAME_root/SUNWam/web-apps/services/WEB-INF/config/ums/serverconfig.xml, specify the host name and port number of the consumer directory you installed in step1. Example:

    <iPlanetDataAccessLayer>

    <ServerGroup name="default" minConnPool="1"              maxConnPool="10">

    <Server name="Server1"                      host="consumer1.madisonparc.com" port="389"                            type="SIMPLE" />

  8. Restart DSAME with the following command:

      /etc/init.d/amserver start


Configuring a Load-Balancing Application to Work With DSAME

You can configure load-balancing applications such as iPlanet Directory Access Router (iPlanet DAR) to work with DSAME. iPlanet DAR dynamically performs proportional load balancing of LDAP operations across a set of configured directory servers. If one or more directory servers should become unavailable, the load is proportionally redistributed among the remaining servers. When a directory server comes back on line, the load is proportionally—and dynamically—reallocated.

Figure 7-5    Multi-Master Replication with Managed Load-Balancing.

Using a load-balancing application adds a layer of high availability and directory failover protection beyond the basic level that comes with DSAME. For example, when you configure iPlanet DAR, you can specify what percentage of the load gets redistributed to each of your servers when one server becomes unavailable. iPlanet DAR continues to manage request traffic, and begins rejecting client queries when all back-end LDAP servers become unavailable.

By comparison, the DSAME high availability feature cannot be configured or managed as precisely. But when you add a load-balancing application such as iPlanet DAR, DSAME seamlessly directs all requests to the application for total management.

If you choose to install a load-balancing application, you must configure DSAME to recognize the application.


To Configure DSAME to Work With a Load-Balancing Application

  1. Before you can perform the following steps, you must:

    • Set up your Directory Servers for replication. For comprehensive information about directory replication and for detailed setup instructions, see "Managing Replication" in the iPlanet Directory Server Administrator's Guide.

    • Install and configure your load-balancing application. Follow the instructions in the documentation that comes with the product.

  2. In the file, DSAME_root/SUNWam/web-apps/services/WEB-INF/classes/AMconfig.properties

    modify the following properties to reflect the host and port number of a consumer Directory Server you installed in step 1.

    • com.iplanet.am.directory.host

    • com.iplanet.am.directory.port

  3. For each DSAME Authentication module you've enabled, specify the consumer directory that you installed in step 1. In the following substeps, the LDAP Authentication module is used as an example:

    1. In the DSAME console, in the View field, choose Service Management.

    2. In the Service Name column, under Authentication, locate the module you need to reconfigure. In the Properties column, click the arrow that corresponds to module you need to reconfigue.

    3. In the right pane, there are two fields named LDAP Server and Port.

      • In the first field named LDAP Server and Port, enter the host name and port number for your primary (consumer) Directory Server using the form:

          iPlanet_DAR_host.domain_name.com:port_number

      • In the second field named LDAP Server and Port, enter nothing.

    4. Click Submit.

  4. In the DSAME_root/SUNWam/web-apps/services/WEB-INF/config/ums/serverconfig.xml, specify the host name and port number of the consumer directory you installed in step1.

    Example:

    <iPlanetDataAccessLayer>

    <ServerGroup name="default" minConnPool="1" maxConnPool="10">

    <Server name="Server1" host="iDAR_hostname.madisonparc.com" port="389"                        type="SIMPLE" />

  5. Restart DSAME with the following command:

      /etc/init.d/amserver start



Secure Sockets Layer (SSL)

You can use the Secure Sockets Layer (SSL) protocol to provide secure connections between Directory Server and the DSAME services you use in your enterprise. The SSL protocol consists of rules governing server authentication, client authentication, and encrypted communication between servers and clients. When you enable SSL to work with DSAME, the requests and transactions between Directory Server and the DSAME console are encrypted and protected from intrusion by unauthorized entities.

Figure 7-6    How SSL Works in DSAME.

Enabling SSL for DSAME is a three-step process:

This section explains how to enable SSL for DSAME services and URL access agents. It references the following resources for SSL information, which are appended to this manual for your convenience:

  • iPlanet Directory Server Administrator's Guide

    Chapter 11, "Managing SSL"

  • iPlanet Web Server Administrator's Guide

    Chapter 5, "Securing Your Web Browser"

For comprehensive information on SSL and on determining your SSL needs, see Chapter 7, "Designing a Secure Directory" in iPlanet Directory Server Deployment Guide. This guide comes with iPlanet Directory Server, and is also available on the Internet at
  http://docs.iplanet.com/docs/manuals/directory.html.


Step 1: Enable LDAP Over SSL

  1. Install a Server Certificate in Directory Server.

    Follow the detailed instructions in "Obtaining and Installing Server Certificates" of this manual to perform the following steps. Or access the iPlanet Directory Server documentation on the Internet at http://docs.iplanet.com/docs/manuals/directory.html.

  2. Activate SSL in the Directory Server.

    Follow the detailed instructions in "Activating SSL" of this manual.

  3. In the Web Server that runs DSAME services is installed, in the Web Server console, create a trust database.

    Follow the detailed instructions "Creating a Trust Database".

  4. In the Web Server that runs DSAME services, install the root CA Certificate for Directory Server's server certificate.

    Follow the detailed instructions in "Requesting and Installing Other Server Certificates".

  5. Edit the following DSAME configuration file:

    DSAME_root/SUNWam/web-apps/services/WEB-INF/config/ums/serverconfig.xml

    For the server corresponding to the Directory Server configured for SSL, provide the following values:

    port. Enter the SSL port number you specified in Step 2.

    type. Enter SSL.

    Example:

    <?xml version="1.0" encoding="ISO-8859-1" standalone="yes"?>

    <iPlanetDataAccessLayer>

    <ServerGroup name="default" minConnPool="1" maxConnPool="10">

    <Server name="Server1" host="adam.red.madisonparc.com"

                           port="636" type="SSL" />

    <User name="User1" type="proxy">

    <DirDN>

    cn=puser,ou=People,o=isp

    </DirDN>

    <DirPassword>

    AQAA5Q9jwkb4pAJ2LGFYRDlqWxXxId+5v4nU

    </DirPassword>

    </User>

    ...

  6. Restart DSAME with the following command:

      /etc/init.d/amserver start

  7. If the Directory Server is not yet running, you are prompted for the internal key. Enter the key (password) you specified when creating the trust database in Step 3.

When DSAME starts up, its connection to Directory Server will be secured with SSL.


Step 2: Enable DSAME to Run in SSL Mode

When you enable DSAME to run in SSL mode, requests and transactions between the DSAME console and other SSL-configured Web Servers are encrypted and protected from intrusion by unauthorized entities.

  1. Login to DSAME as Super Administrator.

  2. In the View field, choose Service Management.

    1. In the Service Name column, locate the service named Naming. In the Properties column, click the arrow that corresponds to Naming.

    2. In the right pane, edit the Profile Service URL to reflect the https protocol.

      Profile Service URL. Change http to https.

    3. If you want to change the port too (default port is 8080), modify the port number in the Profile Service URL.

    4. Click Submit.

  3. In Service Name column, choose DSAME Platform.

  4. In the Server List box:

    1. Remove this DSAME server from the list. First select its name in the list, and then click Remove.

    2. Change Protocol to https (instead of http).

    3. To add the same server with https, click Add.

  5. Edit the following DSAME configuration file: DSAME_root/SUNWam/web-apps/services/WEB-INF/classes/AMConfig.properties

    Modify values for the following to reflect the HTTPS protocol and new port number (if the port number was changed):

    • com.iplanet.am.server.protocol

    • com.iplanet.am.server.port

    • com.iplanet.am.profile.port

    • com.iplanet.am.naming.url

    • com.iplanet.am.notification.url

  6. In the Web Server that runs DSAME services, using the Web Server console, obtain and install a server certificate if one is not already installed.


    Note

    In the following substeps, the following warning message might display:

      Warning: Manual edits not loaded.

    In this case, first click the Apply link in the upper right corner of the console, and then click Load Configuration Files


    1. To obtain a server certificate, follow the detailed instructions for "Requesting Other Server Certificates".

    2. To install the server certificate, follow the detailed instructions for "Installing Other Server Certificates".

  7. In the Web Server console, select the Web Server that runs DSAME services, and click Manage.

    1. In the Web Server instance, choose Preferences.

    2. Click Add Listen Sockets.

    3. In the Security field for the default DSAME port, enter On.

    4. Click OK to save the change.

    5. Click Apply.

    6. To save changes to Web Server configuration files, click Apply Changes.

  8. Restart DSAME with the following command:

      /etc/init.d/amerserver start


Step 3: (Optional) Install and Configure a URL Policy Agent for SSL

  1. Follow the detailed instructions in "Protecting Content on Remote Web Servers" to install a URL access agent on a remote Web Server. In this documentation, a "remote" Web Server is one other that the Web Server that runs DSAME Policy and Management Services.

  2. Edit file the following DSAME configuration file:

      DSAME_root/SUNWam/web-apps/agent/config/AMConfig.properties

    Modify values for the following to reflect https protocol and new port number (if the port number was changed):

    • com.iplanet.am.policy.agents.url.protocol

    • com.iplanet.am.policy.agents.url.port

    • com.iplanet.am.policy.agents.notenforcedlist

    • com.iplanet.am.server.protocol

    • com.iplanet.am.server.port

    • com.iplanet.am.profile.port

    • com.iplanet.am.naming.url

    • com.iplanet.am.notification.url

  3. In the Web Server that runs DSAME services, obtain and install a server certificate if one is not already installed.


    Note

    In the following substeps, the following warning message may display:

      Warning: Manual edits not loaded.

    In this case, first click the Apply link in the upper right corner of the console, and then click Load Configuration Files


    1. To obtain a server certificate, follow the detailed instructions for "Requesting Other Server Certificates".

    2. To install the server certificate, follow the detailed instructions for "Installing Other Server Certificates".

  4. In the Web Server, the URL policy agent is installed, use the Web Server console to perform the following substeps:

    1. In the Web Server instance, choose Preferences.

    2. Click Add Listen Sockets.

    3. In the Security field for the default DSAME port, enter On.

    4. Click OK to save the change.

    5. Click Apply.

    6. To save changes to webserver configuration files, click Apply Changes.

  5. Restart the Web Server where the URL policy agent is installed.

    • If the agent is installed on the Web Server that runs the DSAME Policy and Management services, at the command line, enter the following:

        /etc/init.d/amserver start

    • If the agent is installed on a remote Web Server, at the command line, enter the following:

        cd Web_Server_root/https-hostname

        start


Previous     Contents     Index     Next     
Copyright 2002 Sun Microsystems, Inc. All rights reserved.

Last Updated March 27, 2002