The installation and configuration of each Java Enterprise System component is performed sequentially on all necessary servers in the Edge complex. Because of component dependencies, the procedures in this chapter must be performed in the order in which they are presented. The names and numbers of servers identified in prompts are critical to performing commands on the correct servers.
The Java ES binaries, required patches, and silent install state files are transferred to each server as part of the system's jump-start installation. The files are unzipped in the directory /var/bits/ during the procedures for configuration in 3.2 Jump-Starting the Servers. If servers are not jump-started, the Java ES binaries must be downloaded to each server or copied from a CD.
The procedures in this chapter assume that Java ES binaries and files are located in /var/bits/. If binaries are located elsewhere, the paths in the commands should be modified accordingly. Some procedures rely on state files installed in /var/bits/ to provide configuration information during the silent installation of Java ES components. If these files are not present, see Creating a State File in Sun Java Enterprise System 2005Q4 Installation Guide for UNIX or perform an interactive installation to enter information manually.
Procedures often need to be repeated on a certain number of servers. In this case, command prompts and property values in the procedure may contain placeholders. In a prompt, a placeholder shows which servers you should perform that command on. In a property value, you should replace a placeholder with the current cluster or node number. The following placeholders are commonly used:
phys-bedgeN-M means the command must be performed on all servers.
phys-bedgeN-[12] means the command must be performed on both nodes in a procedure that is repeated for all clusters.
phys-bedgeN-1 means the command must be performed only on the first node of all clusters.
phys-bedge[123]-2 means the command must be performed on the second node of clusters 1, 2, and 3.
Perform the following procedure to identify any shared components in the operating system that need to be upgraded before installing Java ES. Perform this procedure on all front-end (FE) and back-end (BE) servers.
Launch the Java ES installer in command-line report-only mode:
```
# cd /var/bits/
# ./installer -nodisplay -no
```
Proceed to the language selection page and select a language, by default en_US. After a language is selected, the installer begins inspection for previously installed components.
If components are detected, a report will be shown. Review the report. If there are outdated versions, exit the installer now by typing “!” and upgrade those shared components.
When all shared components are up-to-date, continue to the Component Selection menu and select the following components:
On FE systems designated as MTA:
- Sun Java System Messaging Server

On FE systems designated as MMP, MEM, or CE:
- Sun Java System Messaging Server
- Sun Java System Communications Express
- Sun Java System Calendar Server
- Sun Java System Instant Messaging (Multiplexor and Client Resources)
- Sun Java System Web Server

On FE systems designated as Portal Gateway:
- Sun Java System Portal Server

On BE systems designated as Messaging Store:
- Sun Java System Messaging Server
- Sun Cluster
- Sun Java System Directory Server
- Sun Java System Access Manager

On BE systems designated as Calendar Store:
- Sun Java System Calendar Server
- Sun Java System Instant Messaging (on one Calendar Server BE instance only)
- Sun Java System Web Server (on the same BE instance as Instant Messaging only)
- Sun Cluster
The installer now checks for shared component dependencies. If there is a broken dependency, it will display an explanation.
Exit the installer. If there are shared components to be installed/removed, do that before continuing.
Make a copy of the /var/sadm/install/productregistry file on each server.
Verify that the file /etc/resolv.conf exists and that the information it contains is correct.
Verify that the 2nd column in the /etc/hosts file contains only fully-qualified domain names (FQDN) in all lower case (avoids known issue 6330974).
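The check above is easy to automate before the cluster software is installed. The following script is an added example and is not part of the Sun guide: it reports every line of a hosts file whose second column is not a lower-case fully-qualified name. The loopback exemption is my assumption (the guide's rule does not mention localhost), and the sample hosts file is constructed.

```sh
#!/bin/sh
# Added example, not from the Sun guide: report /etc/hosts lines whose second
# column is not a lower-case fully-qualified domain name. Loopback entries are
# exempted here (an assumption; the guide's rule does not mention them).
check_hosts_canonical() {
    # $1: path of the hosts file to check. Prints each offending line and
    # returns 1 if any were found, 0 when the file passes.
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }           # comments and blank lines
        $1 == "127.0.0.1" || $1 == "::1" { next }   # loopback: assumed exempt
        {
            name = $2
            if (name !~ /\./ || name ~ /[A-Z]/) {
                printf("line %d: canonical name \"%s\" is not a lower-case FQDN\n", NR, name)
                found = 1
            }
        }
        END { exit found ? 1 : 0 }
    ' "$1"
}

# Constructed sample: one good line, one not fully qualified, one upper-case.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample hosts file
127.0.0.1   localhost
10.2.0.129  phys-bedge1-1.us.example.com phys-bedge1-1
10.2.0.130  phys-bedge1-2 phys-bedge1-2.us.example.com
129.147.156.132 DS-AMER-01.us.example.com ds-amer-01
EOF
check_hosts_canonical "$sample" || echo "hosts file needs fixing before continuing"
rm -f "$sample"
```

Run it as `check_hosts_canonical /etc/hosts` on each node; a non-zero exit means the file still has entries that would trigger the known issue.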
Perform the following procedure on the pair of back-end servers, called nodes, in each cluster. See 1.2.1 Physical System Names for more details.
Edit the /etc/inet/hosts file on both nodes to contain the following lines. Set the IP addresses appropriately for each cluster:
```
10.2.0.129   phys-bedgeN-1-ic-privateInterface1
10.2.1.1     phys-bedgeN-1-ic-privateInterface2
10.2.193.1   clusternode1-priv
10.2.0.130   phys-bedgeN-2-ic-privateInterface1
10.2.1.2     phys-bedgeN-2-ic-privateInterface2
10.2.193.2   clusternode2-priv
```
Enable host-based ssh authentication from the first node to the second node with the following commands:
Copy the public key:
```
phys-bedgeN-1# cat /etc/ssh/ssh_host_rsa_key.pub
phys-bedgeN-1# cp -p /etc/ssh/ssh_host_rsa_key /.ssh/id_rsa
```
Establish an ssh connection to create the file /.ssh/known_hosts:
```
phys-bedgeN-1# ssh phys-bedgeN-2
```
Add the public key of the first node to the end of the list of authorized keys on the second node:
```
phys-bedgeN-2# vi /.ssh/authorized_keys
```
Save a backup of the sshd configuration file, then change the value of PermitRootLogin from no to yes:
```
phys-bedgeN-2# cp -p /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
phys-bedgeN-2# vi /etc/ssh/sshd_config
```
Restart the ssh daemon on the second node and exit ssh:
```
phys-bedgeN-2# /etc/init.d/sshd stop; /etc/init.d/sshd start
phys-bedgeN-2# exit
```
Connect to the second node with the following command to verify whether ssh is configured properly:
```
phys-bedgeN-1# ssh root@phys-bedgeN-2 -o "BatchMode yes" \
    -o "StrictHostKeyChecking yes" -n "uname -a"
```
While still connected to the second node, back up the /etc/system file and then edit its contents:
```
phys-bedgeN-2# cp -p /etc/system /etc/system.bak
phys-bedgeN-2# vi /etc/system
```
Comment out the following line:
```
#set c2audit:audit_load = 1
```
On both nodes, perform the following commands:
```
phys-bedgeN-[12]# touch /etc/cluster/.installed
phys-bedgeN-[12]# vi /etc/inet/inetd.conf
```
In the /etc/inet/inetd.conf file, uncomment the lines for rpc.metad and rpc.metamedd, if they are commented out.
Run the Sun Cluster installation script on the first node:
```
phys-bedgeN-1# /usr/cluster/bin/scinstall

  *** Main Menu ***
  Please select from one of the following (*) options:
    -> * 1) Install a cluster or cluster node

  *** Install Menu ***
  Please select from any one of the following options:
    -> 1) Install all nodes of a new cluster

  *** Installing all Nodes of a New Cluster ***

  >>> Type of Installation <<<
    -> 2) Custom
  >>> Cluster Name <<<
    -> bedgeN
  >>> Cluster Nodes <<<
    -> phys-bedgeN-1, phys-bedgeN-2, Ctrl-D
  >>> Authenticating Requests to Add Nodes <<<
    -> Do you need to use DES authentication (yes/no) [no]? Enter
  >>> Network Address for the Cluster Transport <<<
    -> Is it okay to accept the default network address (yes/no) [yes]? Enter
       Is it okay to accept the default netmask (yes/no) [yes]? Enter
  >>> Point-to-Point Cables <<<
    -> Does this two-node cluster use transport junctions (yes/no) [yes]? no
  >>> Cluster Transport Adapters and Cables <<<
    -> Pick appropriate adapters
  >>> Software Patch Installation <<<
    -> Do you want scinstall to install patches for you (yes/no) [yes]? no
  >>> Global Devices File System <<<
    -> For node "phys-bedgeN-1", Is it okay to use this default (yes/no) [yes]? Enter
       For node "phys-bedgeN-2", Is it okay to use this default (yes/no) [yes]? Enter
       Is it okay to begin the installation (yes/no) [yes]? Enter
       Interrupt the installation for sccheck errors (yes/no) [no]? Enter
```
If both nodes do not reboot automatically after the installation, reboot them manually, starting with the second node.
Restore the modified files on the second node, and restart its ssh daemon:
```
phys-bedgeN-2# mv /etc/system.bak /etc/system
phys-bedgeN-2# mv /etc/ssh/sshd_config.bak /etc/ssh/sshd_config
phys-bedgeN-2# /etc/init.d/sshd stop; /etc/init.d/sshd start
```
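Because PermitRootLogin was switched to yes only for the duration of the cluster installation, it is worth confirming on the second node that the restore actually took effect. The following script is an added example, not part of the Sun guide: it reads the effective PermitRootLogin value from an sshd_config (sshd uses the first active occurrence of a keyword) and checks that no sshd_config.bak is left behind. The scratch directory standing in for /etc/ssh is constructed.

```sh
#!/bin/sh
# Added example, not from the Sun guide: confirm the temporary sshd change
# made for the cluster installation has been reverted.
sshd_permit_root_login() {
    # $1: path to sshd_config. Prints the value of the first active
    # PermitRootLogin directive (sshd honours the first occurrence of a
    # keyword), or "unset" when the file has no such directive.
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

sshd_restore_complete() {
    # $1: directory holding sshd_config (normally /etc/ssh). Returns 0 when
    # the backup has been moved back (no sshd_config.bak left) and root
    # login over ssh is no longer set to yes, 1 otherwise.
    dir=$1
    if [ -e "$dir/sshd_config.bak" ]; then
        echo "$dir/sshd_config.bak still present: restore not done"
        return 1
    fi
    val=$(sshd_permit_root_login "$dir/sshd_config")
    if [ "$val" = "yes" ]; then
        echo "PermitRootLogin is still yes in $dir/sshd_config"
        return 1
    fi
    return 0
}

# Constructed demo: a scratch directory standing in for /etc/ssh.
demo=$(mktemp -d)
printf '# constructed sshd_config\nPermitRootLogin no\nX11Forwarding no\n' > "$demo/sshd_config"
sshd_restore_complete "$demo" && echo "ssh root-login change reverted"
rm -rf "$demo"
```

On the real node run `sshd_restore_complete /etc/ssh` after the restart of the ssh daemon; the function prints the reason when it fails.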
On the first node only, list the DID numbers:
```
phys-bedgeN-1# /usr/cluster/bin/scdidadm -L
```
Again on the first node, choose one of the listed DID numbers (for example the one that maps to ld0-00) and use it to set the quorum device and reset the install mode flag:
```
phys-bedgeN-1# /usr/cluster/bin/scconf -a -q globaldev=DIDnumber
phys-bedgeN-1# /usr/cluster/bin/scconf -c -q reset
```
Configure NTP by adding the following lines to the /etc/inet/ntp.conf.cluster file on both nodes. The NTP servers should be those in the same domain as your Edge complex:
```
peer clusternode1-priv prefer
peer clusternode2-priv
server NTPserver1
server NTPserver2
```
Then restart NTP with the following command:
```
phys-bedgeN-[12]# /etc/init.d/xntpd stop; /etc/init.d/xntpd.cluster start
```
Configure IPMP on both nodes with the appropriate adapters:
```
phys-bedgeN-[12]# cp /etc/hostname.publicInterface1 /etc/hostname.publicInterface1.bak
phys-bedgeN-[12]# vi /etc/hostname.publicInterface1
```
Modify the file as follows:
```
phys-bedgeN-[12] netmask + broadcast + group ipmp1 up \
    addif monitoringIP1 netmask + broadcast + deprecated -failover up
```
Back up and modify the second file on both nodes:
```
phys-bedgeN-[12]# cp /etc/hostname.publicInterface2 /etc/hostname.publicInterface2.bak
phys-bedgeN-[12]# vi /etc/hostname.publicInterface2
```
Modify the file as follows:
```
monitoringIP2 netmask + broadcast + deprecated group ipmp1 \
    -failover standby up
```
Configure the public interfaces on both nodes with the following commands:
```
phys-bedgeN-M# ifconfig publicInterface1 group ipmp1
phys-bedgeN-M# ifconfig publicInterface2 plumb
phys-bedgeN-M# ifconfig publicInterface2 group ipmp1
phys-bedgeN-M# ifconfig publicInterface1 addif monitoringIP1 \
    netmask + broadcast + deprecated -failover up
phys-bedgeN-M# ifconfig publicInterface2 monitoringIP2 netmask \
    + broadcast + deprecated -failover standby up
```
Set up disksets and file systems on the first node only. Use the following information as a guide. See 2.2 Storage Area Network (SAN) for further details.
Each cluster has one diskset.
Each disk must be labeled with format, which is best done before creating a metaset. A script can be used to run format.
Disks ending in 04d0s2 are for LUN mapping and do not belong in a metaset but should be labeled to avoid errors on boot.
Disks ending in 03d0s2 02d0s2 01d0s2 will be the stores starting at metadevice 311.
Disks ending in 00d0s2 are the 20GB partitions and are subpartitioned into 5 and 15GB respectively for s0 and s1.
Disks ending in 00d0s2 use metadevices d300, d301, d302, and d304 (5GB conf, 15GB imta, 5GB var, and 15GB dbbackup respectively).
Reminder: when disks are added into a metaset, metadbs are automatically created and the disk is automatically partitioned.
Mirror across minnows and from the same logical device (ld0 to ld0) using corresponding partition of RAID5 logical drive.
Use the following commands on minnows to get information needed in creating metasets:
```
# sccli minnow show unique
# sccli minnow show logical
```
In general, once a metaset is created on the first mail cluster, the metastat -p output can be used for clusters 2 and 3; cluster 4 may differ because it uses all the minnows and does not have LDAP on node 2.
Because there is no data and newfs will be used, the following example attaches both mirrors using metainit instead of using metattach:
```
# metaset -s bedgeN-ds -a -h phys-bedgeN-1 phys-bedgeN-2
# metaset -s bedgeN-ds -a -m phys-bedgeN-1 phys-bedgeN-2
# metaset -s bedgeN-ds -a /dev/did/dsk/DIDnumber /dev/did/dsk/DIDnumber ..

Sample:
# metainit -s bedgeN-ds d400 1 1 /dev/did/dsk/dAs0
# metainit -s bedgeN-ds d500 1 1 /dev/did/dsk/dBs0
# metainit -s bedgeN-ds d300 -m d400 d500
# metainit -s bedgeN-ds d401 1 1 /dev/did/dsk/dAs1
# metainit -s bedgeN-ds d501 1 1 /dev/did/dsk/dBs1
# metainit -s bedgeN-ds d301 -m d401 d501
# metainit -s bedgeN-ds d402 1 1 /dev/did/dsk/dCs0
# metainit -s bedgeN-ds d502 1 1 /dev/did/dsk/dDs0
# metainit -s bedgeN-ds d302 -m d402 d502
# metainit -s bedgeN-ds d403 1 1 /dev/did/dsk/dCs1
# metainit -s bedgeN-ds d503 1 1 /dev/did/dsk/dDs1
# metainit -s bedgeN-ds d303 -m d403 d503
...
# newfs /dev/md/bedgeN-ds/d300
# newfs /dev/md/bedgeN-ds/d301
# newfs /dev/md/bedgeN-ds/d302
# newfs /dev/md/bedgeN-ds/d303
# newfs -m 3 -i 4096 -o time /dev/md/bedgeN-ds/d311
# newfs -m 3 -i 4096 -o time /dev/md/bedgeN-ds/d312
...
```
For the messaging clusters, add the following lines to /etc/vfstab on both nodes, then run mkdir on one of the nodes:
```
/dev/md/disksetName/dsk/d300 /dev/md/disksetName/rdsk/d300 \
    /shared/bedgeN/msg/conf ufs 1 no logging,nosuid
/dev/md/disksetName/dsk/d301 /dev/md/disksetName/rdsk/d301 \
    /shared/bedgeN/msg/imta ufs 1 no logging,nosuid
/dev/md/disksetName/dsk/d302 /dev/md/disksetName/rdsk/d302 \
    /shared/bedgeN/msg/var ufs 1 no logging,nosuid
/dev/md/disksetName/dsk/d303 /dev/md/disksetName/rdsk/d303 \
    /shared/bedgeN/msg/dbbackup ufs 1 no logging,nosuid
/dev/md/disksetName/dsk/d311 /dev/md/disksetName/rdsk/d311 \
    /shared/bedgeN/msg/partition/store001 ufs 2 no logging,nosuid
/dev/md/disksetName/dsk/d312 /dev/md/disksetName/rdsk/d312 \
    /shared/bedgeN/msg/partition/store002 ufs 2 no logging,nosuid
...
```
```
# mkdir /shared/bedgeN/msg/conf
# mkdir /shared/bedgeN/msg/imta
# mkdir /shared/bedgeN/msg/var
# mkdir /shared/bedgeN/msg/dbbackup
# mkdir /shared/bedgeN/msg/partition/store001
# mkdir /shared/bedgeN/msg/partition/store002
```
For the calendar clusters, add the following lines to /etc/vfstab on both nodes, then run mkdir on one of the nodes:
```
/dev/md/disksetName/dsk/d300 /dev/md/disksetName/rdsk/d300 \
    /shared/bedgeN/cal/opt ufs 2 no logging
/dev/md/disksetName/dsk/d301 /dev/md/disksetName/rdsk/d301 \
    /shared/bedgeN/cal/dbbackup ufs 2 no logging,nosuid
```
```
# mkdir /shared/bedgeN/cal/opt
# mkdir /shared/bedgeN/cal/dbbackup
```
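The vfstab entries for the messaging and calendar clusters above are hand-edited on both nodes, so a quick consistency pass before the first mount saves a failed boot. The following script is an added example and not part of the Sun guide; it assumes the /shared mount-point prefix used in this chapter. It lists /shared mounts that lack nosuid (the guide deliberately mounts the calendar opt file system without it, so these are for review rather than errors), flags entries whose block and raw devices name different metadevices, and lists mount points that have not been created yet. The sample vfstab is constructed and contains one deliberate mismatch.

```sh
#!/bin/sh
# Added example, not from the Sun guide: sanity checks over the /etc/vfstab
# entries for the shared metadevices before the first mount. Mount points are
# matched on the /shared prefix used by the guide (an assumption about layout).
vfstab_shared_without_nosuid() {
    # $1: vfstab file. Prints the mount point of every /shared entry whose
    # mount options do not include nosuid.
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        $3 ~ /^\/shared\// {
            n = split($7, opt, ",")
            has = 0
            for (i = 1; i <= n; i++) if (opt[i] == "nosuid") has = 1
            if (!has) print $3
        }
    ' "$1"
}

vfstab_device_mismatch() {
    # $1: vfstab file. Prints entries whose block device (field 1) and raw
    # device (field 2) do not name the same metadevice, a common slip when
    # lines are copied. Returns 1 if any mismatch was found.
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        $1 ~ /^\/dev\/md\// {
            blk = $1; raw = $2
            sub(/\/dsk\//, "/", blk); sub(/\/rdsk\//, "/", raw)
            if (blk != raw) { printf("line %d: %s vs %s\n", NR, $1, $2); bad = 1 }
        }
        END { exit bad ? 1 : 0 }
    ' "$1"
}

vfstab_missing_mountpoints() {
    # $1: vfstab file. Prints each /shared mount point that does not yet
    # exist as a directory (the guide creates them with mkdir on one node).
    awk '!/^[ \t]*#/ && NF >= 3 && $3 ~ /^\/shared\// { print $3 }' "$1" |
    while read -r mp; do
        [ -d "$mp" ] || echo "$mp"
    done
}

# Constructed sample modelled on the guide's messaging and calendar entries,
# with one deliberately mismatched raw device (d303 vs d304).
sample=$(mktemp)
cat > "$sample" <<'EOF'
/dev/md/bedge1-ds/dsk/d300 /dev/md/bedge1-ds/rdsk/d300 /shared/bedge1/msg/conf ufs 1 no logging,nosuid
/dev/md/bedge1-ds/dsk/d303 /dev/md/bedge1-ds/rdsk/d304 /shared/bedge1/msg/dbbackup ufs 1 no logging,nosuid
/dev/md/bedge1-ds/dsk/d311 /dev/md/bedge1-ds/rdsk/d311 /shared/bedge1/msg/partition/store001 ufs 2 no logging,nosuid
/dev/md/bedge2-ds/dsk/d300 /dev/md/bedge2-ds/rdsk/d300 /shared/bedge2/cal/opt ufs 2 no logging
EOF
echo "shared mounts without nosuid:";   vfstab_shared_without_nosuid "$sample"
echo "block/raw device mismatches:";    vfstab_device_mismatch "$sample" || true
echo "mount points not yet created:";   vfstab_missing_mountpoints "$sample"
rm -f "$sample"
```

Run the three functions against /etc/vfstab on both nodes; the mismatch check is the one that should be empty before `mount` is attempted.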
Directory Server will be installed only as a standalone service on the second node of each back-end cluster. Each installation is configured with a configuration directory branch called CFG and a user directory branch called USR.
Obtain the following state files from your Sun representative and store them in the directory /var/bits/silent of the designated host.
| Filename | Designated Host | Contents |
|---|---|---|
| ds.cnf | All | Base binaries |
| ds-cfg-1.cnf | ds-amer-01.us | Master CFG branch configuration state file |
| ds-cfg-2.sh | ds-amer-02.us | Replica CFG branch configuration in a shell script |
| ds-cfg-3.sh | ds-amer-03.us | Replica CFG branch configuration in a shell script |
| ds-cfg-fe.cnf | fe-amer-NN.us | Front-end CFG branch configuration state file |
| ds-usr-1.sh | ds-amer-01.us | Master USR branch configuration in a shell script |
| ds-usr-2.cnf | ds-amer-02.us | Replica USR branch configuration state file |
| ds-usr-3.cnf | ds-amer-03.us | Replica USR branch configuration state file |
Plumb all interfaces. Make sure /etc/netmasks is updated correctly before you proceed.
```
phys-bedge[123]-2# ifconfig ce1:5 plumb
phys-bedge[123]-2# ifconfig ce1:5 129.147.156.132 netmask + broadcast + up
phys-bedge[123]-2# echo "ds-amer-N" > /etc/hostname.ce1:5
```
The file /etc/hosts should also be updated with IP address and host mapping for all Directory Server hosts at the site:
```
phys-bedge[123]-2# grep "ds-" /etc/hosts
129.147.156.132 ds-amer-01 ds-amer-01.us ds-amer-01.us.example.com
129.147.156.133 ds-amer-02 ds-amer-02.us ds-amer-02.us.example.com
129.147.156.134 ds-amer-03 ds-amer-03.us ds-amer-03.us.example.com
```
Install the Directory Server binaries with the Java ES installer on BE clusters 1, 2, and 3, and on all FE hosts. Nothing in the silent install state file ds.cnf needs changing.
```
phys-bedge[123]-2# cd /var/bits/java_es/Solaris_sparc
phys-bedge[123]-2# ./installer -noconsole -state /var/bits/silent/ds.cnf
fe-amer-NN# cd /var/bits/java_es/Solaris_sparc
fe-amer-NN# ./installer -noconsole -state /var/bits/silent/ds.cnf
```
Create the configuration branches (CFG) on the BE servers. CFG must be installed on every server where USR will be installed.
```
phys-bedge1-2# /usr/sbin/directoryserver -u 5.2 configure -noconsole \
    -nodisplay -state /var/bits/silent/ds-cfg-1.cnf
Update of the Directory Server layout ... done
Update of the links between server root and Directory Server Layout ... done
[slapd-cfg]: starting up server ...
[slapd-cfg]: [26/Jan/2005:14:20:28 -0800] - Sun-ONE-Directory/5.2_Patch_2 B2004.107.0034 (64-bit) starting up
[slapd-cfg]: [26/Jan/2005:14:20:31 -0800] - Listening on all interfaces port 34389 for LDAP requests
[slapd-cfg]: [26/Jan/2005:14:20:31 -0800] - slapd started.
Your new directory server has been started.
Created new Directory Server
Start Slapd Starting Slapd server configuration.
Success Slapd Added Directory Server information to Configuration Server.
Configuration of the server(s) succeeded.
phys-bedge2-2# /var/bits/silent/ds-cfg-2.sh
...
phys-bedge3-2# /var/bits/silent/ds-cfg-3.sh
...
```
Create CFG instances on the FE servers with the following commands:
```
fe-amer-NN# /usr/sbin/directoryserver -u 5.2 configure -noconsole \
    -nodisplay -state /var/bits/silent/ds-cfg-fe.cnf
```
Create the USR instance on the master directory (phys-bedge1-2), and configure the USR instance on the replicas:
```
phys-bedge1-2# /var/bits/silent/ds-usr-1.sh
[slapd-usr]: starting up server ...
[slapd-usr]: [26/Jan/2005:14:21:58 -0800] - Sun-ONE-Directory/5.2_Patch_2 B2004.107.0034 (64-bit) starting up
[slapd-usr]: [26/Jan/2005:14:22:01 -0800] - Listening on all interfaces port 389 for LDAP requests
[slapd-usr]: [26/Jan/2005:14:22:01 -0800] - slapd started.
Your new directory server has been started.
Created new Directory Server
Start Slapd Starting Slapd server configuration.
Success Slapd Added Directory Server information to Configuration Server.
phys-bedge2-2# /usr/sbin/directoryserver -u 5.2 configure -noconsole \
    -nodisplay -state /var/bits/silent/ds-usr-2.cnf
...
phys-bedge3-2# /usr/sbin/directoryserver -u 5.2 configure -noconsole \
    -nodisplay -state /var/bits/silent/ds-usr-3.cnf
...
```
Bind the Directory Server to specific IP addresses. Replace IPaddress with the virtual IP address on which you want Directory Server to respond. Replace DShostname with the logical service name corresponding to the host you are configuring, for example ds-sfbay-02.sfbay on phys-bedge2-2.
```
# cd /var/bits/silent

For USR server on BE:
phys-bedge[123]-2# ./ldap_1.ldif DShostname IPaddress 389
For CFG server on BE:
phys-bedge[123]-2# ./ldap_1.ldif DShostname IPaddress 34389
For CFG server on FE:
fe-amer-NN# ./ldap_1.ldif DShostname IPaddress 34389
```
Enable the change log on the master replica of the user directory. The following command should create the directory /opt/ds/changelog. If it does not, create it with dsuser:dsgroup permissions and then run this script. This script also updates the schema with the Safeword object class and attribute.
```
phys-bedge1-2# ./ldap_2.ldif
```
Configure Directory Server to start automatically at system boot. Edit the file /etc/init.d/directory on all nodes with directory. Comment out lines 115 and 116:
```
# Test if we are in a cluster and silently exit if so
#is_cluster_mode
#[ $? -eq 0 ] && exit 0
```
Change the userRoot db database directory to a different partition:
```
phys-bedge[123]-2# mkdir /var/ldap/db; chown dsuser:dsgroup /var/ldap/db
phys-bedge[123]-2# cd /opt/ds/slapd-usr
phys-bedge[123]-2# ./stop-slapd
phys-bedge[123]-2# cd /opt/ds/slapd-usr/db
phys-bedge[123]-2# mv userRoot /var/ldap/db
phys-bedge[123]-2# cd /opt/ds/slapd-usr/config
```
Modify the dse.ldif file in order to change the nsslapd-directory parameter to the new userRoot directory:
```
nsslapd-directory: /var/ldap/db/userRoot
```
Start the USR directory instances:
```
phys-bedge[123]-2# cd /opt/ds/slapd-usr
phys-bedge[123]-2# ./start-slapd
```
Configure ACIs (Access Control Instructions):
```
aci: (targetattr="mailQuota")(version 3.0; acl "ERL mailQuota"; allow (write) userdn="ldap:///uid=adminuser,ou=people,dc=example,dc=com";)
aci: (targetattr != "userPassword || passwordHistory || passwordExpirationTime || passwordExpWarned || passwordRetryCount || retryCountResetTime || accountUnlockTime || passwordAllowChangeTime || sunPortalDesktopDpDocumentUser || sunPortalDesktopDpDocument || sunMobileAppMailConfig || sunMobileAppABConfig ") (version 3.0; acl "Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)
aci: (target = "ldap:///ou=people,dc=example,dc=com")(targetattr = "*")(version 3.0; acl "Allow access to all under ou=people,dc=example,dc=com"; allow (all) userdn = "ldap:///uid=itmsgroot,ou=people,dc=example,dc=com";)
aci: (target = "ldap:///o=pab")(targetattr = "*")(version 3.0; acl "Allow public ro access to PAB"; allow(read, search, compare) userdn = "ldap:///anyone";)
```
Create a root account:
```
dn: uid=itmsgroot,ou=people,dc=example,dc=com
changetype: add
objectclass: top
objectclass: person
objectclass: account
uid: itmsgroot
cn: Messaging Server Root
sn: Root
userpassword: password
```
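The "Anonymous access" ACI above relies on its targetattr exclusion list to keep password and lockout attributes away from unauthenticated binds, while the PAB ACI grants anonymous read on all attributes of its subtree. The following script is an added example, not part of the Sun guide, for reviewing an ACI set before it is loaded: it lists every ACI that grants read (or all) to `ldap:///anyone` and does not exclude a given attribute, either through a `targetattr !=` list that contains it or a `targetattr =` list that omits it. The input format (one `aci:` value per line) and the sample file built from the ACIs above are constructed.

```sh
#!/bin/sh
# Added example, not from the Sun guide: list ACIs that grant read access to
# anonymous binds (userdn = "ldap:///anyone") without excluding a sensitive
# attribute. Input is a file with one "aci: ..." value per line; attribute
# names compare case-insensitively, as LDAP does.
aci_anonymous_exposes() {
    # $1: file of aci values; $2: attribute to look for (e.g. userPassword).
    # Prints the acl name of each anonymous read ACI that may expose $2.
    awk -v attr="$2" '
        BEGIN { attr = tolower(attr) }
        function in_list(list,   n, i, a) {
            n = split(list, a, /\|\|/)
            for (i = 1; i <= n; i++) {
                gsub(/^[ \t]+|[ \t]+$/, "", a[i])
                if (tolower(a[i]) == attr) return 1
            }
            return 0
        }
        function quoted(s) { sub(/^[^"]*"/, "", s); sub(/"$/, "", s); return s }
        /^aci:/ && /ldap:\/\/\/anyone/ && /allow[ \t]*\([^)]*(read|all)/ {
            name = "(unnamed)"
            if (match($0, /acl[ \t]+"[^"]*"/)) name = quoted(substr($0, RSTART, RLENGTH))
            safe = 0
            if (match($0, /targetattr[ \t]*!=[ \t]*"[^"]*"/)) {
                # exclusion list: safe only if the attribute is in it
                if (in_list(quoted(substr($0, RSTART, RLENGTH)))) safe = 1
            } else if (match($0, /targetattr[ \t]*=[ \t]*"[^"]*"/)) {
                # explicit allow list: safe if it is not "*" and omits the attribute
                list = quoted(substr($0, RSTART, RLENGTH))
                if (list != "*" && !in_list(list)) safe = 1
            }
            if (!safe) print name
        }
    ' "$1"
}

# Constructed sample built from the ACIs in this chapter (exclusion list shortened).
sample=$(mktemp)
cat > "$sample" <<'EOF'
aci: (targetattr != "userPassword || passwordHistory || passwordRetryCount") (version 3.0; acl "Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)
aci: (target = "ldap:///o=pab")(targetattr = "*")(version 3.0; acl "Allow public ro access to PAB"; allow(read, search, compare) userdn = "ldap:///anyone";)
aci: (target = "ldap:///ou=people,dc=example,dc=com")(targetattr = "*")(version 3.0; acl "Allow access to all under ou=people,dc=example,dc=com"; allow (all) userdn = "ldap:///uid=itmsgroot,ou=people,dc=example,dc=com";)
EOF
echo "anonymous ACIs that may expose userPassword:"
aci_anonymous_exposes "$sample" userPassword
rm -f "$sample"
```

For the sample the only hit is the PAB ACI, which is acceptable as long as no entry under o=pab carries password attributes; rerunning with a different attribute name shows which ACIs would have to change if that attribute became sensitive.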
Tune the USR instances to use more cache for their database.
```
phys-bedge[123]-2# cd /var/bits/silent
phys-bedge[123]-2# ./tune-usr.ldif DShostname
```
Tune the CFG instances to allow for more lookups at a time, in order for the alluser alias to work:
```
phys-bedge[123]-2# cd /var/bits/silent
phys-bedge[123]-2# ./tune-cfg.ldif DShostname
```
Copy the prepared directory schema and restart the USR instances:
```
phys-bedge[123]-2# cd /opt/ds/slapd-usr
phys-bedge[123]-2# ./stop-slapd
phys-bedge[123]-2# cd config
phys-bedge[123]-2# mv schema schema.old
phys-bedge[123]-2# cp /var/bits/silent/schema-usr.tar .
phys-bedge[123]-2# tar -xvf schema-usr.tar
phys-bedge[123]-2# rm -rf schema-usr.tar schema.old
phys-bedge[123]-2# cd ..; ./start-slapd
```
Look for errors during the restart:
```
phys-bedge[123]-2# tail -10 logs/errors
```
Copy the prepared directory schema and restart the CFG instances:
```
phys-bedge[123]-2# cd /opt/ds/slapd-cfg
phys-bedge[123]-2# ./stop-slapd
phys-bedge[123]-2# cd config
phys-bedge[123]-2# mv schema schema.old
phys-bedge[123]-2# cp /var/bits/silent/schema-cfg.tar .
phys-bedge[123]-2# tar -xvf schema-cfg.tar
phys-bedge[123]-2# rm -rf schema-cfg.tar schema.old
phys-bedge[123]-2# cd ..; ./start-slapd
```
Look for errors during the restart:
```
phys-bedge[123]-2# tail -10 logs/errors
```
Set up the USR instances for Messaging. These steps will mimic running the comms_dssetup.pl script for the slapd-usr instance:
Copy the prepared configuration file:
```
phys-bedge[123]-2# cd /var/bits/silent
phys-bedge[23]-2# cp msg-ds-setup.sh msg-ds-setup.ldif /var/tmp
phys-bedge[23]-2# chmod 750 /var/tmp/msg-ds-setup.sh
```
Change the IP address in the script to be that of the current USR instance.
```
phys-bedge[23]-2# vi /var/tmp/msg-ds-setup.sh
```
Run the script:
```
phys-bedge[23]-2# /var/tmp/msg-ds-setup.sh -D "cn=directory manager" -w password
...
```
Examine /var/tmp/msg-ds-setup.ldif.rej for any unusual errors. It is normal to see a couple of entries in this file.
```
phys-bedge[23]-2# ps -ef | grep slapd ; cat /var/tmp/msg-ds-setup.ldif.rej
```
Install the password syntax plug-in. This should be done only on the master replica of the USR instance. If dictionary checks are not wanted, saving the dictionary file as /usr/local/etc/words-english-big.txt.disabled disables them.
```
phys-bedge1-2# cd /var/bits/silent/pass_syntax_plugin-2.30
phys-bedge1-2# mkdir -p /usr/local/etc; mkdir -p /usr/local/lib/64
phys-bedge1-2# cp libpstx-plugin.so /usr/local/lib
phys-bedge1-2# cp 64/libpstx-plugin.so /usr/local/lib/64
phys-bedge1-2# cd /var/bits/silent
phys-bedge1-2# cp words* /usr/local/etc/words-english-big.txt.disabled
phys-bedge1-2# ldapmodify -v -h DShostname -D "cn=directory manager" \
    -w password -a -f pass_syntax_plugin-2.30/pass_syntax_plugin.ldif
```
Stop and restart the USR instance. Confirm that the plugin started successfully with information displayed on stdout. Fix any errors that are displayed.
Disable the Pass-Through Authentication (PTA) plug-in on CFG instances. Ignore any errors caused when the PTA plug-in is not enabled.
```
phys-bedge[123]-2# ldapmodify -p 34389 -h DShostname -D \
    "cn=directory manager" -w password
dn: cn=Pass Through Authentication,cn=plugins,cn=config
changetype: modify
replace: nsslapd-pluginEnabled
nsslapd-pluginEnabled: off
```
Set up the Directory Server instances with SSL. Edit the cert.sh file to use the correct virtual IP (VIP) address for the certificate being generated; the VIP must be changed for each server on which you do this. Use the same password every time you are prompted for one.
```
phys-bedge[123]-2# cd /var/bits/silent
phys-bedge[123]-2# ./cert.sh
...
phys-bedge[123]-2# ./ldap-ssl.ldif DShostname
```
Configure Directory Server to start up without password prompt to accommodate SSL. Create a file that contains the password chosen in the previous step. For USR instances, create /opt/ds/alias/slapd-usr-pin.txt:
```
Internal (Software) Token:password
```
For CFG instances, create /opt/ds/alias/slapd-cfg-pin.txt:
```
# cp /opt/ds/alias/slapd-usr-pin.txt /opt/ds/alias/slapd-cfg-pin.txt
phys-bedge[123]-2# chown dsuser:dsgroup /opt/ds/alias/*
phys-bedge[123]-2# chmod 600 /opt/ds/alias/*
```
Restart both CFG and USR instances:
```
phys-bedge[123]-2# cd /opt/ds/slapd-usr; ./stop-slapd; ./start-slapd
phys-bedge[123]-2# cd /opt/ds/slapd-cfg; ./stop-slapd; ./start-slapd
```
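The pin files created above hold the certificate database password in clear text, so the chown and chmod steps are what keep it from other local users. The following script is an added example, not part of the Sun guide: it verifies that a pin file is a regular file owned by the expected user with mode 0600, reading the mode with `ls -ld` so the same check works on Solaris and Linux. The expected owner is a parameter (dsuser in the guide); the demo file and the use of the current user as owner are constructed.

```sh
#!/bin/sh
# Added example, not from the Sun guide: verify that a PIN file holding the
# certificate database password is readable only by the directory user.
check_pin_file() {
    # $1: path to the pin file; $2: expected owner. Returns 0 when the file
    # exists, is a regular file, is owned by $2 and has mode 0600 with no
    # extra ACL entries (a trailing "+" in the ls mode string).
    f=$1; want_owner=$2
    [ -f "$f" ] || { echo "$f: missing or not a regular file"; return 1; }
    set -- $(ls -ld "$f")            # $1 = mode string, $3 = owner
    mode=$1; have_owner=$3
    case $mode in
        -rw-------|-rw-------.) ;;   # "." is the SELinux context marker on Linux
        *) echo "$f: mode is $mode, want -rw-------"; return 1 ;;
    esac
    [ "$have_owner" = "$want_owner" ] || {
        echo "$f: owned by $have_owner, want $want_owner"; return 1; }
    return 0
}

check_all_pin_files() {
    # $1: alias directory (/opt/ds/alias in the guide); $2: expected owner.
    # Checks every *-pin.txt file in it; returns 1 if any check fails.
    rc=0
    for p in "$1"/*-pin.txt; do
        [ -e "$p" ] || continue
        check_pin_file "$p" "$2" || rc=1
    done
    return $rc
}

# Constructed demo: a scratch alias directory owned by the current user.
demo=$(mktemp -d)
printf 'Internal (Software) Token:constructed-password\n' > "$demo/slapd-usr-pin.txt"
chmod 600 "$demo/slapd-usr-pin.txt"
check_all_pin_files "$demo" "$(id -un)" && echo "pin files are locked down"
rm -rf "$demo"
```

On a node, `check_all_pin_files /opt/ds/alias dsuser` should return 0 after the chown and chmod steps; run it again after any restore from backup, since tar and cp -p can silently bring back wider permissions.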
Administration Server will need to be installed on every first node BE for use by Messaging Server. The following state files will be used in this section:
| Filename | Designated Host | Contents |
|---|---|---|
| adm.cnf | all | State file for silent installation |
| ds-adm-1.cnf | ds-amer-01.us (phys-bedge1-2) | Administration Server for Directory Server |
| ms-adm-1-1.cnf | phys-bedge1-1.us | Administration Server for Messaging Server |
| ms-adm-2-1.cnf | phys-bedge2-1.us | Administration Server for Messaging Server |
| ms-adm-3-1.cnf | phys-bedge3-1.us | Administration Server for Messaging Server |
| ms-adm-4-1.cnf | phys-bedge4-1.us | Administration Server for Messaging Server |
| ms-adm-fe.cnf | fe-amer-NN.us | Administration Server for FE Directory Server |
Copy the base binaries and install the Administration Server on the first node of the messaging clusters and all FE hosts:
```
phys-bedge[1234]-1# cd /var/bits/Solaris_sparc
phys-bedge[1234]-1# ./installer -noconsole -state /var/bits/silent/adm.cnf
phys-bedge1-2# cd /var/bits/Solaris_sparc
phys-bedge1-2# ./installer -noconsole -state /var/bits/silent/adm.cnf
fe-amer-NN# cd /var/bits/Solaris_sparc
fe-amer-NN# ./installer -noconsole -state /var/bits/silent/adm.cnf
```
Configure Administration Server for Messaging Server on all first nodes and FE hosts:
```
phys-bedge[1234]-1# /usr/sbin/mpsadmserver configure -nodisplay -noconsole \
    -state /var/bits/silent/ms-adm-N-1.cnf
Checking connection to the Configuration Directory Server... done.
Updating Administration Server layout... done.
Updating links between Server Root and Administration Server layout... done.
Registering Administration Server with Configuration Directory Server... done.
Loading Administration Server tasks... done.
Loading global Administration Server configuration... done.
Generating configuration files ... done.
Configuration of the Administration Server succeeded.
fe-amer-NN# /usr/sbin/mpsadmserver configure -nodisplay -noconsole \
    -state /var/bits/silent/ms-adm-fe.cnf
Checking connection to the Configuration Directory Server... done.
Updating Administration Server layout... done.
Updating links between Server Root and Administration Server layout... done.
Registering Administration Server with Configuration Directory Server... done.
Loading Administration Server tasks... done.
Loading global Administration Server configuration... done.
Generating configuration files ... done.
Configuration of the Administration Server succeeded.
```
Configure Administration Server for Directory Server:
```
phys-bedge1-2# /usr/sbin/mpsadmserver configure -nodisplay -noconsole \
    -state /var/bits/silent/ds-adm-1.cnf
Checking connection to the Configuration Directory Server... done.
Updating Administration Server layout... done.
Updating links between Server Root and Administration Server layout... done.
Registering Administration Server with Configuration Directory Server... done.
Loading Administration Server tasks... done.
Loading global Administration Server configuration... done.
Generating configuration files ... done.
Configuration of the Administration Server succeeded.
```
This deployment example shows the installation of a single Edge complex. However, several complexes are meant to be deployed geographically, and directory information must be shared among them through replication. Each site has a master and two consumer replicas. The master at each site is configured in multi-master replication with the other site masters. The following table shows the Directory Server instances at each site, their type and the unique replica ID chosen for each.
| Directory Server Host | Replica Type | Value of nsDS5ReplicaId |
|---|---|---|
| ds-amer-01 | USR master | 100 |
| ds-amer-02 | USR replica 2 | 200 |
| ds-amer-03 | USR replica 3 | 300 |
| ds-euro-01 | USR master | 101 |
| ds-euro-02 | USR replica 2 | 201 |
| ds-euro-03 | USR replica 3 | 301 |
| ds-asia-01 | USR master | 102 |
| ds-asia-02 | USR replica 2 | 202 |
| ds-asia-03 | USR replica 3 | 302 |
| ds-soam-01 | USR master | 103 |
| ds-soam-02 | USR replica 2 | 203 |
| ds-soam-03 | USR replica 3 | 303 |
Obtain the setup-mmr.ldif and setup-replica.ldif files from your Sun representative. Edit these files to contain the correct host names and replica ID values for your Edge complex.
Set up multi-master replication on the servers designated -01 only. Edit the setup file to contain the suffix name each time prior to running the command:
- o=NetscapeRoot
- dc=example,dc=com
- o=pab
- o=PiServerDb
Run the setup command once for each suffix in the directory:
```
phys-bedge1-2# vi setup-mmr.ldif
phys-bedge1-2# ./setup-mmr.ldif
```
Set up the consumer replicas on the servers designated -02 and -03. Run the following commands once for each of the suffixes listed in the previous step. Edit the setup file to contain the suffix name each time prior to running the command:
```
phys-bedge[23]-2# vi setup-replica.ldif
phys-bedge[23]-2# ./setup-replica.ldif
```
Web Server is installed on the front-end (FE) servers for mail filters and on the back-end (BE) servers for hosting Access Manager.
Add the runtime userid webservd to the following files:
```
/etc/passwd: webservd:x:80:80::/home/webservd:/bin/pfsh
/etc/shadow: webservd:*LK*:::::::
/etc/group:  webservd::80:
```
Make sure the hostname mail-domain is plumbed and working.
Modify the silent install state file to contain the hostname and IP address of the current server.
```
# cd /var/bits/silent
# vi FEWebServerStateFile
```
Run the Java ES installer using the same state file.
```
# cd /var/bits/Java_es/Solaris_sparc
# ./installer -nodisplay -noconsole -state /var/bits/silent/FEWebServerStateFile
```
Add the runtime userid webservd to the following files:
```
/etc/passwd: webservd:x:80:80::/home/webservd:/bin/pfsh
/etc/shadow: webservd:*LK*:::::::
/etc/group:  webservd::80:
```
Make sure the hostname of the current server id-amer-NN.us is plumbed and working.
Run the Java ES installer in graphical or command-line mode.
```
# cd /var/bits/Java_es/Solaris_sparc
# ./installer [ -nodisplay ]
```
Proceed through the installer, and select Web Server for installation. Then enter the following configuration values when prompted:
```
Install directory: /apps
hostname: id-amer-NN.us
http port: 80
Runtime user: webservd
Admin Port: 8888
```
Log in to the administration port of the server at http://id-amer-NN.domain:8888/
Create virtual server instance ls2 for secure connections on port 443. The silent install file uses the following configuration information:
```
Port: 80
Admin port: 34713
CMN_SYSTEM_USER=webservd
CMN_SYSTEM_GROUP=webservd
WS_Admin_user=admin
CMN_host_name: id-amer-NN
```
Edit the server.xml file for the ls1 instance and add the highlighted portion to the line below:
```
<LS id="ls1" port="92" servername="id-amer-NN.us.example.com"
    defaultvs="https-id-amer-NN.us.example.com" security="false"
    ip="IPaddress" blocking="false" acceptorthreads="1"/>
```
Restart the Web Server instance.
Access Manager needs to be installed on the back-end servers id-amer-NN.us. Make sure that Web Server has been previously installed on these servers, as described in 4.4 Installing and Configuring Web Server.
Run the Java ES installer using the silent install state file.
id-amer-NN# cd /var/bits/Java_es/Solaris_sparc
id-amer-NN# ./installer -nodisplay -noconsole \
    -state /var/bits/silent/AccessManagerStateFile
Verify the installation by accessing the Access Manager console at http://id-amer-NN.us.example.com/amconsole. Log in as amadmin using the password given in AccessManagerStateFile.
On all Access Manager instances except id-amer-01.us, perform the following configuration changes to avoid a service initialization error:
After logging in, select General Properties and edit the Organization alias. Add this server's name to the Organization Alias, for example id-amer-NN.us.example.com. Save the changes.
Select the Service Configuration tab, then select Platform and edit the Server List. Add this server's name and port, for example id-amer-NN.us.example.com:80|02, and save the changes.
Perform this procedure on id-amer-01.us only.
Save a backup copy of the following files:
/etc/opt/SUNWam/config/xml/amAuthSafeWord.xml
/opt/SUNWam/locale/amAuthSafeWord.properties
/opt/SUNWam/locale/amAdminCLI.properties
/etc/opt/SUNWam/config/AMConfig.properties
Download the Access Manager patch 115766 and install it with the patchadd command.
Load the XML for the new SafeWord authentication module with the following commands:
id-amer-01# cd /opt/SUNWam/bin/
id-amer-01# ./amadmin -u amadmin -w password \
    -deleteservice iPlanetAMauthSafeWordService
id-amer-01# ./amadmin -u amadmin -w password \
    -schema /etc/opt/SUNWam/config/xml/amAuthSafeWord-63p.xml
Edit the following files so that they use the base DN of dc=example,dc=com and reference URLs of the BE servers in this Edge complex. The AccessManagerPath is the installation path specified in the AccessManagerStateFile.
AccessManagerPath/locale/amAuthUI.properties
AccessManagerPath/locale/amAuthSafeWord.properties
/apps/http-id-amer-01/is-web-apps/services/config/auth/default/Login.jsp
/apps/http-id-amer-01/is-web-apps/services/config/auth/default/aml/Login.jsp
/apps/http-id-amer-01/is-web-apps/services/config/auth/default/wml/Login.jsp
AccessManagerPath/web-src/services/config/auth/default/LDAP.xml
AccessManagerPath/web-src/services/config/auth/default_en/LDAP.xml
AccessManagerPath/web-src/services/config/auth/default/SafeWord.xml
AccessManagerPath/web-src/services/config/auth/default_en/SafeWord.xml
AccessManagerPath/locale/amAuthMobilePass.properties
AccessManagerPath/web-src/services/config/auth/default/MobilePass.xml
AccessManagerPath/web-src/services/config/auth/default_en/MobilePass.xml
AccessManagerPath/lib/am_services.jar
/etc/opt/SUNWam/config/amAuthMobilePass-63p.xml
/SW/wireless/auth/xml/amAuth_add_mobilepass.xml
Configure the authentication modules with the following commands:
AccessManagerPath/bin/amadmin -u amadmin -w password -v -t /SW/wireless/auth/xml/amAuth_add_mobilepass.xml
AccessManagerPath/bin/amadmin -u amadmin -w password -v -s /etc/opt/SUNWam/config/amAuthMobilePass-63p.xml
AccessManagerPath/bin/amadmin -u amadmin -w password -v -t /SW/wireless/auth/xml/SetAuthOrg-63.xml
AccessManagerPath/bin/amadmin -u amadmin -w password -v -t /SW/wireless/auth/xml/CreateOrgMobilePassTemplate-63.xml
AccessManagerPath/bin/amadmin -u amadmin -w password -v -t /SW/wireless/auth/xml/CreateOrgMobilePassRequests-63.xml
AccessManagerPath/bin/amadmin -u amadmin -w password -v -t /SW/wireless/auth/xml/CreateOrgSafeWordTemplate-63.xml
AccessManagerPath/bin/amadmin -u amadmin -w password -v -t /SW/wireless/auth/xml/CreateOrgSafeWordRequests-63.xml
Some of these commands may take up to several hours to complete. Some may also hang and not terminate. If SetAuthOrg-63.xml, CreateOrgMobilePassTemplate-63.xml, or CreateOrgSafeWordTemplate-63.xml fail to terminate, do the following:
Log in to the Access Manager console at http://id-amer-01.us.example.com/amconsole as amadmin using the password given in AccessManagerStateFile.
Select View->Services and expand the Core service. Then highlight LDAP, MobilePass and SafeWord from the list box entitled Organization Authentication Modules.
Add safewordid to the Alias Search Attribute Name and click Save.
Click Edit beside the Organization Authentication Configuration, and in the dialog window, select all modules and click on Delete.
Add the SafeWord module by selecting it from the Module name list and setting the Enforcement Requirement to REQUIRED. Click OK to save the change.
Modify the Gateway access service by setting the accepted authentication level to 2 with the following command:
AccessManagerPath/bin/amadmin -u amadmin -w password -v -t /SW/wireless/xml/modifyGWAccessService.xml
Follow the instructions in the product installation guide to install Remote Access Pack Core and Mobile Access.
Run the Java ES installer with the silent install file for Portal Server:
/var/bits/Java_es/Solaris_sparc/installer -nodisplay -noconsole -state PortalServerStateFile
If the runtime userID for Portal Server is not root, you must change ownership of its related directories with the following commands:
# chown -R userID \
    AccessManagerPath /var/AccessManagerPath /etc/AccessManagerPath \
    PortalServerPath /var/PortalServerPath /etc/PortalServerPath
# chgrp -R usergroup \
    AccessManagerPath /var/AccessManagerPath /etc/AccessManagerPath \
    PortalServerPath /var/PortalServerPath /etc/PortalServerPath
Change gateway.user from noaccess to userID.
To configure the mail provider, copy the following files from phys-bedge1-1 or phys-bedge3-1, and edit them as needed to use the local hostname and the dc=example,dc=com base DN.
/var/opt/SUNWps/instance/portal/web-apps/jsp/default/launchCompose.jsp
/var/opt/SUNWps/instance/portal/web-apps/jsp/default/launchInbox.jsp
/var/opt/SUNWps/instance/portal/web-apps/jsp/default/launchFolder.jsp
/var/opt/SUNWps/instance/portal/web-apps/jsp/default/mail/doNewInbox.jsp
/var/opt/SUNWps/instance/portal/web-apps/jsp/default/mail/doInboxCont.jsp
/var/opt/SUNWps/instance/portal/web-apps/jsp/default/mail/doInboxStart.jsp
/var/opt/SUNWps/instance/portal/web-apps/jsp/default/mail/getfolders.jsp
/var/opt/SUNWps/instance/portal/web-apps/jsp/default/mail/getnewmsgs.jsp
/var/opt/SUNWps/instance/portal/web-apps/jsp/default/mail/getnewmsg.jsp
/var/opt/SUNWps/instance/portal/web-apps/jsp/default/mail/aml/getnewmsgs.jsp
/var/opt/SUNWps/instance/portal/web-apps/jsp/default/mail/aml/getnewmsg.jsp
/var/opt/SUNWps/instance/portal/web-apps/jsp/default/mail/aml/delete.jsp
/var/opt/SUNWps/instance/portal/web-apps/jsp/default/mail/aml/menu.jsp
/var/opt/SUNWps/instance/portal/web-apps/jsp/default/mail/aml/moveMsg.jsp
/var/opt/SUNWps/instance/portal/web-apps/jsp/default/mail/aml/doNewFd.jsp
/var/opt/SUNWps/instance/portal/web-apps/jsp/default/mail/aml/folders.jsp
/var/opt/SUNWps/instance/portal/web-apps/jsp/default/mail/aml/getfolders.jsp
/var/opt/SUNWps/instance/portal/web-apps/jsp/default/mail/aml/message.jsp
/var/opt/SUNWps/instance/portal/web-apps/jsp/default/mail/aml/newFd.jsp
/var/opt/SUNWps/instance/portal/web-apps/jsp/default/mail/aml/typeMsg.jsp
/var/opt/SUNWps/instance/portal/web-apps/jsp/default/mail/aml/compose.jsp
/etc/opt/SUNWps/desktop/default/MailProvider/aml/display-summary.template
/etc/opt/SUNWps/desktop/default/MailProvider/aml/display.template
To configure the calendar provider, copy and edit the following files in the same way:
/var/opt/SUNWps/instance/portal/web-apps/jsp/default/cal/sun-one/aml/event.jsp
/var/opt/SUNWps/instance/portal/web-apps/jsp/default/cal/sun-one/aml/task.jsp
/var/opt/SUNWps/instance/portal/web-apps/jsp/default/cal/sun-one/aml/dayview.jsp
To configure the LDAP look-up channel:
Copy ldaplookupprovider.jar from PortalPath/web-src/WEB-INF/lib/ of phys-bedgeN-1.us into /var/opt/SUNWps/instance/portal/web-apps/WEB-INF/lib and PortalPath/web-src/WEB-INF/lib/.
Copy countryAccessCodes.properties, countryShortDial.properties, ldapab.properties, ldapab_en.properties, wireless.properties from PortalPath/web-src/WEB-INF/classes/ of phys-bedgeN-1.us into /var/opt/SUNWps/instance/portal/web-apps/WEB-INF/classes/ and PortalPath/web-src/WEB-INF/classes/.
Copy launchLDAPABook.jsp from PortalPath/web-src/jsp/default/ of phys-bedgeN-1.us into /var/opt/SUNWps/instance/portal/web-apps/jsp/default/ and PortalPath/web-src/jsp/default/.
Copy compose.jsp, doSearch.jsp, search.jsp from PortalPath/web-src/jsp/default/ldapab/aml of phys-bedgeN-1.us into /var/opt/SUNWps/instance/portal/web-apps/jsp/default/ldapab/aml and PortalPath/web-src/jsp/default/ldapab/aml.
Copy compose.jsp, doSearch.jsp, search.jsp from PortalPath/web-src/jsp/default/ldapab/wml of phys-bedgeN-1.us into /var/opt/SUNWps/instance/portal/web-apps/jsp/default/ldapab/wml and PortalPath/web-src/jsp/default/ldapab/wml.
Add /var/opt/SUNWps/instance/portal/web-apps/WEB-INF/classes to the classpath of the web server.
Modify the value of the PropertyDirectory baseURL attribute in /opt/SUNWps/web-src/WEB-INF/classes/wireless.properties accordingly.
Log on to amconsole as admin and configure the SSO templates:
1. Select the "Service Configuration" tab.
2. Select SSO Adapter on the right panel.
3. Configure the SSO template for each provider.
SSO adapter template for the mail provider (note: in Edge 2, the mail provider is configured to use proxy auth and only one mail server existed; the configuration may differ if proxy auth is not used or if more than one mail server exists in Edge 3). Update the SSO adapter template for SUN-ONE-MAIL:
* Click the "Edit Properties..." link of SUN-ONE-MAIL under the section "SSO Adapter Templates".
* Update the following properties accordingly:
  o enableProxyAuth
  o proxyAdminUid
  o proxyAdminPassword
SSO adapter template for the address book provider (note: in Edge 2, the address book provider is configured to use proxy auth and only one mail server existed; the configuration may differ if proxy auth is not used or if more than one mail server exists in Edge 3). Create an SSO adapter template for SUN-ONE-ADDRESS-BOOK:
* Click the "NEW" button under the section "SSO Adapter Templates".
* Enter "SUN-ONE-ADDRESS-BOOK" into the Name field.
* Select "[SUN-ONE-ADDRESS-BOOK]" from the "Existing Template" selection list.
* Click OK to create a copy of the "SUN-ONE-ADDRESS-BOOK" template.
* Once the template has been created, update the following template properties accordingly:
  o host, e.g. edge-ds1.us.example.com
  o port, e.g. 389
  o pabSearchBase, e.g. ou=people,o=example.com,o=esmi,o=pab
  o userSearchBase, e.g. ou=people,o=example.com,o=esmi
  o aid
  o adminPassword
  o imapHost, e.g. edge-mail1.us.example.com
  o imapPort, e.g. 443
  o clientPort, e.g. 80
  o enableProxyAuth (set to true to enable proxy auth)
  o proxyAdminUid (if proxy auth is to be enabled)
  o proxyAdminPassword (if proxy auth is to be enabled)
SSO adapter template for the calendar provider (note: in Edge 2, the address book provider is configured to use proxy auth and only one calendar server existed; the configuration may differ if proxy auth is not used or if more than one calendar server exists in Edge 3). Update the SSO adapter template for SUN-ONE-CALENDAR:
* Click the "Edit Properties..." link of SUN-ONE-CALENDAR under the section "SSO Adapter Templates".
* Update the following properties accordingly:
  o enableProxyAuth (set to true to enable proxy auth)
  o proxyAdminUid (if proxy auth is to be enabled)
  o proxyAdminPassword (if proxy auth is to be enabled)
Configure the SSO Adapter Configuration at the top organization level:
1. Select the "Identity Management" tab.
2. Select "Services" from the "View" drop-down list on the right panel.
3. Select "SSO Adapter" from the Services list on the right panel.
SSO adapter configuration for the mail provider (note: in Edge 2, only one mail server existed; the configuration may differ if more than one mail server exists in Edge 3). Create the SSO adapter configuration for SunOneMail:
* Click the "Edit Properties..." link of SunOneMail on the left panel.
* Update the following properties:
  o host: edge-mail1.us.example.com
  o port, e.g. 143
  o smtpServer, e.g. edge-mail1.us.example.com
  o clientPort, e.g. 80
  o smtpPort, e.g. 25
SSO adapter configuration for the calendar provider (note: in Edge 2, only one mail server existed; the configuration may differ if more than one mail server exists in Edge 3). Create the SSO adapter configuration for SunOneCalendar:
* Click the "Edit Properties..." link of SunOneCalendar on the left panel.
* Update the following properties:
  o host: edge-cal1.us.example.com
  o port, e.g. 143
  o clientPort, e.g. 80
Disable the authless (anonymous) portal:
* Log on to amconsole.
* Select the "Service Configuration" tab.
* Select Portal Desktop under Portal Server Configuration.
* Check the Disable radio button under Authentication-less Portal Desktop Configuration.
Set up the user profile for MAP application access (at or after user loading; note: this may already be covered by user profile loading). Add the following object classes to the pre-selected users (/apps/dirserv/shared/bin/wirelessUserProvision.sh):
* sunmobileappmailperson
* sunmobileappcalendarperson
* sunssoadapterperson
* sunportaldesktopperson
* sunmobileappabperson
* sunportalgatewayaccessservice
Modify AMConfig.properties; refer to the AMConfig.properties of phys-edge-1.
Software installation on edge-fe-n machines
Follow the instructions in the product installation guide to install the Remote Access Pack, then perform the post-installation configuration of the Remote Access Pack.
Enable notification and disable polling between IS and the gateway, and apply other system tuning:
- update platform.conf.default
- update AMConfig*.properties (refer to /var/opt/SUNWam/config/AMConfig*.properties of edge-fe6)
- update the gateway script (refer to /apps/SUNWps/bin/gateway.sh of edge-fe6)
The following example is for messaging; substitute the appropriate parameters as necessary. Note that certificate names can be anything because they are just nicknames. For example, if you call mail-amer.example.com "Server-Cert", then "Server-Cert" needs to be in your configuration files.
Common certutil commands:
# certutil -L -d .
# certutil -L -d . -n certificateName
# certutil -D -d . -n Server-Cert
Create a certificate directory for setting up the certificates:
# mkdir -p /usr/local/cert/SunPKI/app_id    (where app_id = mail, cal, etc.)
# cd /usr/local/cert/SunPKI/app_id
Create sslpassword.conf that contains the correct password in the following format:
Internal (Software) Token:password
Create the PW file, which holds only the password:
# sed s/'^.*:'// sslpassword.conf > PW
Create an empty certificate database:
# certutil -N -d . -f ./PW
Generate the request for a new PKI certificate, for example:
# certutil -R -d . -s "CN=mail-amer.example.com, OU=messaging server/SSL Server,O=Example Corp." \
    -p 3032722269 -o ./cert_req.mail-amer -f ./PW -z /etc/passwd -a
Order a new PKI certificate on your certificate server and retrieve it according to your corporate policy. Save the certificate in a file.
Copy the certificate chain from your certificate server and save it to a file as well.
Import all the certificates. The following commands assume that copies of the certificate chain files are in the parent directory and that the certificate received for mail is in the current directory:
# certutil -A -n "ABC Trusted Root" -t "TCu,TCu,TCuw" -d . -a -i ../ABC_chain.cert -f ./PW
# certutil -A -n "Example Corp Root CA - ABC Corporation" -t "C,," -d . -a -i ../Example_Corp.cert -f ./PW
# certutil -A -n "Example Corp CA (Class B) - Example Corp" -t "C,," -d . -a -i ../Example_Corp_cB.cert -f ./PW
# certutil -A -n "Server-Cert" -t "u,u,u" -d . -a -i ./mail.cert -f ./PW
List each certificate and document its expiration date:
# certutil -L -d . -n "ABC Trusted Root"
Expirations related to mail-amer.example.com:
ABC Trusted Root:       Not After: Thu Feb 23 23:59:00 2007
Example Corp CA ABC:    Not After: Thu Feb 23 23:59:00 2007
Example Corp Class B:   Not After: Fri Nov 13 19:23:10 2009
mail-amer.example.com:  Not After: Tue May 18 19:34:36 2010
cal-amer.example.com:   Not After: Tue May 18 19:24:21 2010
At a minimum, per the output above, you will need to replace or renew the ABC Trusted Root and Example Corp CA ABC certificates in February 2007.
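The expiration dates documented above are only useful if someone re-checks them before they arrive. The following script is an added example, not part of the original guide: it parses the "Not After" line from certutil -L output and reports how many whole months remain, so the check can run from cron against each certificate database. The certutil output embedded below is a constructed sample; the reference month is passed in as YYYYMM so the check is reproducible.

```shell
#!/bin/sh
# Added example: months-to-expiry check over "certutil -L -d . -n <nick>" output.

# Three-letter month abbreviation (as printed by certutil) -> 1..12.
month_number() {
  case "$1" in
    Jan) echo 1 ;; Feb) echo 2 ;;  Mar) echo 3 ;;  Apr) echo 4 ;;
    May) echo 5 ;; Jun) echo 6 ;;  Jul) echo 7 ;;  Aug) echo 8 ;;
    Sep) echo 9 ;; Oct) echo 10 ;; Nov) echo 11 ;; Dec) echo 12 ;;
    *) return 1 ;;
  esac
}

# Read certutil -L output on stdin; print the Not After date as YYYYMM.
# A matching line looks like "            Not After : Thu Feb 23 23:59:00 2007".
not_after_yyyymm() {
  while IFS= read -r line; do
    case "$line" in
      *"Not After"*)
        rest=${line#*Not After*:}        # -> " Thu Feb 23 23:59:00 2007"
        set -- $rest                     # $1=Thu $2=Feb $3=23 $4=time $5=year
        m=$(month_number "$2") || return 1
        printf '%04d%02d\n' "$5" "$m"
        return 0
        ;;
    esac
  done
  return 1                               # no Not After line seen
}

# Whole months from YYYYMM $1 (now) to YYYYMM $2 (expiry); negative once expired.
months_left() {
  echo $(( ($2 / 100) * 12 + $2 % 100 - (($1 / 100) * 12 + $1 % 100) ))
}

# check_cert NICK NOW_YYYYMM WARN_MONTHS  (certutil output on stdin)
# Prints a one-line status; returns 1 when fewer than WARN_MONTHS remain,
# 2 when the input carried no Not After line, so a cron job can act on it.
check_cert() {
  nick=$1; now=$2; warn=$3
  exp=$(not_after_yyyymm) || { echo "$nick: no Not After line found"; return 2; }
  left=$(months_left "$now" "$exp")
  echo "$nick expires $exp, $left month(s) left"
  [ "$left" -ge "$warn" ]
}

# Constructed sample of certutil -L output for the "ABC Trusted Root" nickname,
# trimmed to the validity block (real output also prints subject, issuer, ...).
SAMPLE_ROOT='Certificate:
    Data:
        Validity:
            Not Before: Wed Feb 23 00:00:00 2000
            Not After : Thu Feb 23 23:59:00 2007'

# Live use against a certificate database (left commented so this runs offline):
#   certutil -L -d . -n "Server-Cert" | check_cert "Server-Cert" "$(date +%Y%m)" 3

if printf '%s\n' "$SAMPLE_ROOT" | check_cert "ABC Trusted Root" 200611 6; then
  echo "ok"
else
  echo "renewal needed within the warning window"
fi
```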
Copy the certificates to their final destination on each front-end mail node.
# cp *.db /opt/SUNWmsgsr/config
# Tar up the cert dir from the d1/fe node on which you generated the certs and copy (scp) the same certs to all fe/d1 nodes.
# This includes the cert8.db, key3.db and secmod.db files. Extract the tar file within the /usr/local/cert subdir,
# and from there copy all certs to /opt/SUNWmsgsr/config and verify perms (600, mailsrv:mailsrv).
# Verify that the password in sslpassword.conf contains the PW used during cert generation and replace it if necessary.
cat /opt/SUNWmsgsr/config/sslpassword.conf
# Should show a single line with the PW at the end and no spaces after the ":":
Internal (Software) Token:password
Copy the same mail certificates to the web server for mail filter use if it needs to listen on SSL ports (443 or 444):
For web server certificates go into /opt/SUNWwbsvr/alias.
Create the file password.conf under the web server config directory (same permissions as the db files). The format of password.conf is, assuming the real password for the mail certificate databases is "something":
internal:something
Edit magnus.conf under the web server config directory and change Security to on.
Edit server.xml under the web server config directory and add or modify listen ports as needed. On Nauticus, server.xml should use the hostname rather than the mail VIP; on Foundry sites the mail VIP should be used.
Restart the web server.
If using Nauticus, complete this step (for the mail and cal certificates):
pk12util -d . -o /var/tmp/mail_pkcs12.out -n Server-Cert
openssl pkcs12 -in /var/tmp/mail_pkcs12.out -out /var/tmp/mail_key.pem
rm /var/tmp/mail_pkcs12.out
# Provide mail_key.pem to GIS for import into Nauticus.
Restart the mail services so that the certificates are used. Verify that SSL is working by connecting with the openssl program.
e.g. from a Foundry front end:
./openssl s_client -connect mail-amer.example.com:993
e.g. from a Nauticus front end:
./openssl s_client -connect d1-sfbay-01.example.com:993
Also check the logs for any messages relating to issues with SSL.
Installing Certificate
# PortalPath/SUNWps/bin/certadmin -n default
Select 4) Install Certificate From Certificate Authority (CA) on the certificate administration menu
Provide server-cert (or whatever certificate name is to be used) as the certificate name and the certificate file saved in “Order a Certificate From a CA.”
Restart gateway.
Install and configure a web server with the gateway DNS name listening on port 80 from edge-fe6; copy /apps/SUNWwbsvr/docs/index.html to WebServerPath/docs/ and /apps/SUNWwbsvr/docs/en/index.html to WebServerPath/docs/en/.
Modify the URL in index.html accordingly.
Modify /etc/mail/submit.cf and change MTAHost to relay all e-mails through the dedicated MTA VIP.
D{MTAHost}[10.1.82.194]
Make sure Admin server is already installed.
Create UNIX user/group names: mailsrv/mailsrv if not already done by JumpStart.
Install Messaging Server on both nodes using the silent install method.
Verify that you are using the latest version of the install and configuration files and that you have customized them, if needed, for your hostname.
phys-bedge1-[12]# ./installer -nodisplay -noconsole -state /var/bits/silent/BE/msg-ha-bits.cnf
Patch Messaging Server on both nodes with the latest patches.
Prepare the LDAP directories
Run comm_dssetup.pl on all CFG directory servers -- master and replicas, FE and BE.
Apply the schema to cfgdir (on node 2 of the 1st cluster, where the directory server cfg instance is installed):
phys-bedge1-2# cd /opt/SUNWmsgsr/lib
phys-bedge1-2# perl comm_dssetup.pl
...
Here is a summary of the settings that you chose:
  Server Root            : /opt/ds
  Server Instance        : slapd-cfg
  Users/Groups Directory : no
  Update Schema          : yes
  Schema Type            : 2
  Directory Manager DN   : cn=Directory Manager
All steps under Solaris Installation and Configuration section must be completed, especially parts pertaining to BE nodes.
Directory Server on port 34389 must be installed and configured.
Administration Server must be installed and configured.
Messaging Server must be installed and patched.
Verify that the SUNWscims package is installed; if not, install it on both nodes.
Set up the cluster resource group and resources:
Clusters 1 and 2 will have 15 stores while clusters 3 and 4 will have only 11 stores. Run the commands on the primary node.
phys-bedgeN-1# scrgadm -a -t SUNW.HAStoragePlus
phys-bedgeN-1# scrgadm -a -t SUNW.ims
phys-bedgeN-1# scrgadm -a -g msg1-svc-rg -h phys-bedge1-1,phys-bedge1-2
phys-bedgeN-1# scrgadm -a -L -g msg1-svc-rg -j msg1-addr-rs -l bedge1-mail1
phys-bedgeN-1# scswitch -Z -g msg1-svc-rg
phys-bedgeN-1# scrgadm -a -j msg1-storplus1-rs -g msg1-svc-rg -t SUNW.HAStoragePlus \
    -x FilesystemMountPoints=/shared/bedge1/msg/partition/store001,\
/shared/bedge1/msg/partition/store002,/shared/bedge1/msg/partition/store003,\
/shared/bedge1/msg/partition/store004,/shared/bedge1/msg/partition/store005,\
/shared/bedge1/msg/partition/store006,/shared/bedge1/msg/conf,\
/shared/bedge1/msg/dbbackup -x AffinityOn=True
phys-bedgeN-1# scrgadm -a -j msg1-storplus2-rs -g msg1-svc-rg -t SUNW.HAStoragePlus \
    -x FilesystemMountPoints=/shared/bedge1/msg/partition/store007,\
/shared/bedge1/msg/partition/store008,/shared/bedge1/msg/partition/store009,\
/shared/bedge1/msg/partition/store010,/shared/bedge1/msg/partition/store011,\
/shared/bedge1/msg/partition/store012,/shared/bedge1/msg/imta,\
/shared/bedge1/msg/var -x AffinityOn=True
phys-bedgeN-1# scrgadm -a -j msg1-storplus3-rs -g msg1-svc-rg -t SUNW.HAStoragePlus \
    -x FilesystemMountPoints=/shared/bedge1/msg/partition/store013,\
/shared/bedge1/msg/partition/store014,/shared/bedge1/msg/partition/store015,\
/shared/bedge1/msg/partition/store016,/shared/bedge1/msg/partition/store017,\
/shared/bedge1/msg/partition/store018,/shared/bedge1/msg/db -x AffinityOn=True
phys-bedgeN-1# scswitch -e -j msg1-storplus1-rs
phys-bedgeN-1# scswitch -e -j msg1-storplus2-rs
phys-bedgeN-1# scswitch -e -j msg1-storplus3-rs
Verify that all messaging partitions are mounted before proceeding. Run configure on the primary node interactively:
phys-bedgeN-1# cd /opt/SUNWmsgsr/lib
phys-bedgeN-1# ./configure
Alternatively, use the silent install state file (always check the silent install file before using):
phys-bedgeN-1# ./configure -noconsole -state /var/bits/bedge/BE/bedge1-msg.cnf
Back up the config directory with db2ldif to ensure a good copy is saved:
phys-bedgeN-2# cd /opt/ds/slapd-cfg
phys-bedgeN-2# ./db2ldif
On the primary node, run the ha_ip_config command:
phys-bedgeN-1# cd /opt/SUNWmsgsr/sbin
phys-bedgeN-1# ./ha_ip_config
Logical IP address: 129.146.xx.yy
iMS server root: /opt/SUNWmsgsr
The iMS server root directory does not contain any slapd-* subdirectories.
Skipping configuration of LDAP servers.
Logical IP address: 129.146.xx.yy
iMS server root: /opt/SUNWmsgsr
Do you wish to change any of the above choices (yes/no) [no]?
Updating the file /opt/SUNWmsgsr/config/dispatcher.cnf
Updating the file /opt/SUNWmsgsr/config/job_controller.cnf
Setting the service.listenaddr configutil parameter
Setting the service.http.smtphost configutil parameter
Setting the local.watcher.enable configutil parameter
Setting the local.autorestart configutil parameter
Configuration successfully updated
Copy the state files to node 2, then run useconfig on node 2:
phys-bedgeN-1# cd /opt/SUNWmsgsr/install
phys-bedgeN-1# cp -r configure_20050318142130 /shared/bedge1/msg/var/
Switch the services over to node 2, or use scp to copy the configure directory locally to node 2:
phys-bedgeN-2# /opt/SUNWmsgsr/sbin/useconfig /shared/bedge1/msg/var/configure_20050318142130
Set up the hostnames:
phys-bedgeN-1# configutil -o local.hostname -v "bedge1-mail1.us.example.com"
phys-bedgeN-1# configutil -o local.webmail.da.host -v bedge1-mail1.us.example.com
phys-bedgeN-1# configutil -o local.servername -v bedge1-mail1.us.example.com
Set up LDAP (using the following guidelines):
phys-bedgeN-1# configutil -o local.ldapuselocal -v yes
phys-bedgeN-1# configutil -o local.ugldaphost -v "stringBelow"
phys-bedgeN-1# configutil -o local.ldaphost -v "stringBelow"
phys-bedgeN-1# configutil -o local.service.pab.ldaphost -v "localMMR"
Substitution string:
cluster 1: ds-amer-03.us.example.com ds-amer-02.us.example.com
cluster 2: ds-amer-02.us.example.com ds-amer-03.us.example.com
cluster 3: ds-amer-03.us.example.com ds-amer-02.us.example.com
cluster 4: ds-amer-02.us.example.com ds-amer-03.us.example.com
Change the administrative account names to msg-admin-bedgeN-mail1.
You also need to change the account name in the LDAP directory and verify that it is in the correct group.
phys-bedgeN-1# configutil -o local.enduseradmindn \
    -v "uid=msg-admin-bedge1-mail1,ou=People,dc=example,dc=com"
phys-bedgeN-1# configutil -o local.service.pab.ldapbinddn \
    -v "uid=msg-admin-bedge1-mail1,ou=People,dc=example,dc=com"
phys-bedgeN-1# configutil -o local.ugldapbinddn \
    -v "uid=msg-admin-bedge1-mail1,ou=People,dc=example,dc=com"
Disable POP:
phys-bedgeN-1# configutil -o service.pop.enable -v 0
phys-bedgeN-1# configutil -o service.pop.enablesslport -v 0
Enable Distributed IMAP Folder Sharing.
The first server listed in local.service.proxy.serverlist should be the one being installed and configured.
phys-bedgeN-1# configutil -o local.service.proxy.admin -v admin
phys-bedgeN-1# configutil -o local.service.proxy.adminpass -v adminPassword
phys-bedgeN-1# configutil -o local.service.proxy.serverlist -v \
    "nedge1-mail1.sfbay.example.com, \
    nedge2-mail1.sfbay.example.com, \
    nedge3-mail1.sfbay.example.com, \
    bedge1-mail1.us.example.com, \
    bedge2-mail1.us.example.com, \
    bedge3-mail1.us.example.com, \
    sedge1-mail1.singapore.example.com, \
    sedge2-mail1.singapore.example.com"
Set up the log directories:
phys-bedgeN-1# configutil -o logfile.imap.logdir -v /shared/bedge1/msg/var/log/imap
phys-bedgeN-1# configutil -o logfile.http.logdir -v /shared/bedge1/msg/var/log/http
phys-bedgeN-1# configutil -o logfile.imta.logdir -v /shared/bedge1/msg/var/log/imta
Verify local.autorestart is true:
phys-bedgeN-1# configutil -o local.autorestart
Configure the stores (repeat for each store partition):
phys-bedgeN-1# configutil -o store.partition.store001.path \
    -v "/shared/bedge1/msg/partition/store001"
Set up log locations:
phys-bedgeN-1# mkdir -p /shared/bedge1/msg/var/log
phys-bedgeN-1# chown mailsrv:mailsrv /shared/bedge1/msg/var/log
phys-bedgeN-1# cd /shared/bedge1/msg/var/log
phys-bedgeN-1# mkdir imap http imta default
phys-bedgeN-1# chown mailsrv:mailsrv imap http imta default
phys-bedgeN-1# chmod 755 imap http imta default
phys-bedgeN-1# cd /opt/SUNWmsgsr/data; mv log log.orig; ln -s /shared/bedge1/msg/var/log
Edit imta_tailor to place the MTA logs into the imta subdirectory:
phys-bedgeN-1# cd /opt/SUNWmsgsr/config
phys-bedgeN-1# cp imta_tailor imta_tailor.orig
phys-bedgeN-1# sed s/"\/log\/"/"\/log\/imta\/"/ imta_tailor.orig > imta_tailor
phys-bedgeN-1# diff imta_tailor.orig imta_tailor
Other settings, including tuning, queue, and db snapshots:
phys-bedgeN-1# cd /shared/bedge1/msg/db
phys-bedgeN-1# mkdir mboxlist
phys-bedgeN-1# chown -R mailsrv:mailsrv *
phys-bedgeN-1# cd /shared/bedge1/msg/imta
phys-bedgeN-1# mkdir -p queue
phys-bedgeN-1# chown -R mailsrv:mailsrv *
phys-bedgeN-1# chmod -R 755 *
phys-bedgeN-1# cd /opt/SUNWmsgsr/data
phys-bedgeN-1# rm -r queue db
phys-bedgeN-1# ln -s /shared/bedge1/msg/imta/queue queue
phys-bedgeN-1# ln -s /shared/bedge1/msg/db db
phys-bedgeN-1# cd /opt/SUNWmsgsr/data/store
phys-bedgeN-1# ln -s /shared/bedge1/msg/db/mboxlist mboxlist
phys-bedgeN-1# cd /opt/SUNWmsgsr/data/store/dbdata
phys-bedgeN-1# mkdir -p /shared/bedge1/msg/dbbackup/snapshots
phys-bedgeN-1# chown mailsrv:mailsrv /shared/bedge1/msg/dbbackup/snapshots
phys-bedgeN-1# chmod 755 /shared/bedge1/msg/dbbackup/snapshots
phys-bedgeN-1# ln -s /shared/bedge1/msg/dbbackup/snapshots snapshots
phys-bedgeN-1# configutil -o local.store.snapshotdirs -v 12
phys-bedgeN-1# configutil -o local.store.snapshotinterval -v 720
Verify that the services start and log properly:
phys-bedgeN-1# /opt/SUNWmsgsr/sbin/stop-msg
phys-bedgeN-1# /opt/SUNWmsgsr/sbin/start-msg
Set up messaging resource and enable:
phys-bedgeN-1# scrgadm -a -j msg1-svc-rs -g msg1-svc-rg -t SUNW.ims \
    -x IMS_serverroot=/opt/SUNWmsgsr \
    -y Resource_dependencies=msg1-addr-rs,msg1-storplus1-rs,msg1-storplus2-rs,msg1-storplus3-rs
phys-bedgeN-1# /usr/cluster/bin/scswitch -e -j msg1-svc-rs
Make sure the SUNWsndmr and SUNWsndmu packages are installed.
Stop sendmail if it is running:
# /etc/init.d/sendmail stop                 (for Solaris 9)
# svcadm disable network/smtp:sendmail      (for Solaris 10)
Create or modify /etc/default/sendmail to prevent accidental start of sendmail in daemon mode. Add:
MODE=""
Copy submit.mc to sjsms-submit.mc, then edit sjsms-submit.mc and change the line that starts with FEATURE to the one shown, and build and install the new submit.cf:
# cd /usr/lib/mail/cf
# cp submit.mc sjsms-submit.mc
FEATURE(`msp', `[cookbook-mail1.us.example.com]')dnl
# /usr/ccs/bin/make sjsms-submit.cf
# mv /etc/mail/submit.cf /etc/mail/submit.cf.orig
# cp sjsms-submit.cf /etc/mail/submit.cf
Add patch 113575-05 or the most recent patch that replaces it. Note: future sendmail patches may overwrite submit.cf. You should always check submit.cf after applying such patches.
Start sendmail:
# /etc/init.d/sendmail start                (for Solaris 9)
# svcadm enable network/smtp:sendmail       (for Solaris 10)
* Repeat the above on the other node(s) if applicable.
* Test that failover is working properly before proceeding.
Modify the file /opt/SUNWmsgsr/config/imta.cnf and put the IP addresses of all MTAs, including those of other sites, into the tcp_scanner-daemon definition.
!
! IMTA configuration file
!
! part I : rewrite rules
!
! Domain Rewrite Rules.
! Uncomment this line to use domain rewrite rules
! from the configuration file instead of the domain database.
! Please refer to the iMS documentation for details.
!<IMTA_TABLE:domains.rules
!
! Rules to select local users
$*                              $A$E$F$U%$H$V$H@bedge1-mail1.us.example.com
bedge1-mail1.us.example.com     $U%$D@bedge1-mail1.us.example.com
phys-bedge1-1.us.example.com    $U@bedge1-mail1.us.example.com
phys-bedge1-2.us.example.com    $U@bedge1-mail1.us.example.com
localhost                       $U@bedge1-mail1.us.example.com
!
! ims-ms
.ims-ms-daemon                  $U%$H.ims-ms-daemon@ims-ms-daemon
!
! lmtp
!.lmtp                          $U%$H@lmtpcs-daemon
!
! lmtpn
!.lmtpn                         $U%$H@lmtpcn-daemon
!
! native
.native-daemon                  $U%$H.native-daemon@native-daemon
!
! pipe
.pipe-daemon                    $U%$H.pipe-daemon@pipe-daemon
!
! tcp_local
! Rules for top level internet domains
<IMTA_TABLE:internet.rules
!
! tcp_intranet
! Do mapping lookup for internal IP addresses
[]                              $E$R${INTERNAL_IP,$L}$U%[$L]@tcp_intranet-daemon
bedge2-mail1.us.example.com     $U%$D@tcp_intranet-daemon
bedge3-mail1.us.example.com     $U%$D@tcp_intranet-daemon
bedge4-mail1.us.example.com     $U%$D@tcp_intranet-daemon
*                               $U%$&0.example.com
!
! tcp_example for internal example.com addresses
.example.com                    $U%$H$D@tcp_example-daemon
!
! messages returning from MTA must not be re-scanned
! US MTA
[10.1.82.175]                   $E$R$U%[10.1.82.175]@tcp_scanner-daemon
[10.1.82.176]                   $E$R$U%[10.1.82.176]@tcp_scanner-daemon
[10.1.82.177]                   $E$R$U%[10.1.82.177]@tcp_scanner-daemon
[10.1.82.178]                   $E$R$U%[10.1.82.178]@tcp_scanner-daemon
[10.1.82.179]                   $E$R$U%[10.1.82.179]@tcp_scanner-daemon
[10.1.82.180]                   $E$R$U%[10.1.82.180]@tcp_scanner-daemon
[10.1.82.183]                   $E$R$U%[10.1.82.183]@tcp_scanner-daemon
[10.1.82.184]                   $E$R$U%[10.1.82.184]@tcp_scanner-daemon
!
! Repeat for MTAs at other EdgeMail complexes as necessary
!
!
! reprocess
reprocess                                   $U%reprocess.bedge1-mail1.us.example.com@reprocess-daemon
reprocess.bedge1-mail1.us.example.com       $U%reprocess.bedge1-mail1.us.example.com@reprocess-daemon
!
! process
process                                     $U%process.bedge1-mail1.us.example.com@process-daemon
process.bedge1-mail1.us.example.com         $U%process.bedge1-mail1.us.example.com@process-daemon
!
! defragment
defragment                                  $U%defragment.bedge1-mail1.us.example.com@defragment-daemon
defragment.bedge1-mail1.us.example.com      $U%defragment.bedge1-mail1.us.example.com@defragment-daemon
!
! conversion
conversion                                  $U%conversion.bedge1-mail1.us.example.com@conversion-daemon
conversion.bedge1-mail1.us.example.com      $U%conversion.bedge1-mail1.us.example.com@conversion-daemon
!
! bitbucket
bitbucket                                   $U%bitbucket.bedge1-mail1.us.example.com@bitbucket-daemon
bitbucket.bedge1-mail1.us.example.com       $U%bitbucket.bedge1-mail1.us.example.com@bitbucket-daemon
!
! deleted
deleted-daemon                  $U%$H@deleted-daemon
.deleted-daemon                 $U%$H@deleted-daemon
!
! inactive
inactive-daemon                 $U%$H@inactive-daemon
.inactive-daemon                $U%$H@inactive-daemon
!
! hold
hold-daemon                     $U%$H@hold-daemon
.hold-daemon                    $U%$H@hold-daemon
!
! part II : channel blocks
!
defaults notices 1 2 4 7 errwarnpost errsendpost postheadonly noswitchchannel immnonurgent maxjobs 7 logging defaulthost example.com example.com
!
! delivery channel to local /var/mail store
l subdirs 20 viaaliasrequired maxjobs 7 pool LOCAL_POOL
bedge1-mail1.us.example.com
!
! ims-ms
ims-ms defragment threaddepth 20 subdirs 20 notices 1 7 14 21 28 backoff "pt5m" "pt10m" "pt30m" "pt1h" "pt2h" "pt4h" maxjobs 4 pool IMS_POOL fileinto $U+$S@$D
ims-ms-daemon
!
! native
native defragment subdirs 20 maxjobs 1
native-daemon
!
! pipe
pipe single defragment subdirs 20
pipe-daemon
!
! tcp_local
tcp_local smtp nomx single_sys remotehost daemon gis-relay.us.example.com inner switchchannel identnonenumeric subdirs 20 maxjobs 7 sourceblocklimit 10000 pool SMTP_POOL maytlsserver maysaslserver saslswitchchannel tcp_auth missingrecipientpolicy 0 aliasdetourhost tcp_scanner-daemon
tcp-daemon
!
! tcp_example
tcp_example smtp nomx single_sys remotehost daemon gis-relay.us.example.com inner switchchannel identnonenumeric subdirs 20 maxjobs 7 pool SMTP_POOL maytlsserver maysaslserver saslswitchchannel tcp_auth missingrecipientpolicy 0
tcp_example-daemon
!
! tcp_intranet
tcp_intranet smtp nomx single_sys subdirs 20 dequeue_removeroute maxjobs 7 sourceblocklimit 10000 pool SMTP_POOL maytlsserver allowswitchchannel saslswitchchannel tcp_auth missingrecipientpolicy 4
tcp_intranet-daemon
!
! tcp_scanner
tcp_scanner smtp mx single_sys subdirs 20 noreverse maxjobs 7 pool SMTP_POOL allowswitchchannel daemon mail-amer-xfr.example.com enqueue_removeroute
tcp_scanner-daemon
!
! tcp_submit
tcp_submit submit smtp mx single_sys mustsaslserver maytlsserver missingrecipientpolicy 4
tcp_submit-daemon
!
! tcp_auth
tcp_auth smtp mx single_sys mustsaslserver missingrecipientpolicy 4
tcp_auth-daemon
Modify the /opt/SUNWmsgsr/config/option.dat file:
# cp -p option.dat option.dat.orig_`date +%Y%m%d`
# vi option.dat

Add the following below MISSING_RECIPIENT_POLICY:

ALLOW_RECIPIENTS_PER_TRANSACTION=256
LOG_CONNECTION=3
LOG_USERNAME=1
LOG_TRANSPORTINFO=1
SEPARATE_CONNECTION_LOG=1
LOG_MESSAGE_ID=1
Modify /opt/SUNWmsgsr/config/mappings. Use a range in the /NN format that contains all the physical host IPs of your edge site. In the case of bedge, 129.147.156.99/26 spans from 129.147.156.65 to 129.147.156.126.
INTERNAL_IP

  $(129.147.156.99/##)             $Y
  127.0.0.1                        $Y
  *                                $N

ORIG_SEND_ACCESS

  tcp_local|*|tcp_local|*          $N$D30|Relaying$ not$ allowed
  tcp_*|*|native|*                 $N
  tcp_*|*|hold|*                   $N
  tcp_*|*|pipe|*                   $N
  tcp_*|*|ims-ms|*                 $N
!
! Block "external" submissions of explicitly source-routed "internal" addresses
!
  tcp_local|*|tcp_intranet|@*:*.*  $N$D30|Explicit$ routing$ not$ allowed
  tcp_local|*|tcp_intranet|*$%*@*  $N$D30|Explicit$ routing$ not$ allowed
  tcp_local|*|tcp_intranet|*.*!*@* $N$D30|Explicit$ routing$ not$ allowed
  tcp_local|*|tcp_intranet|"*@*"@* $N$D30|Explicit$ routing$ not$ allowed

SEND_ACCESS

  tcp_local|*|tcp_example|*        $N$D30|Relaying$ not$ allowed
  tcp_*|*|*|*@[127.*]              $X5.1.2|$NBad$ destination$ system
  tcp_*|*|*|*@localhost.*          $X5.1.2|$NBad$ destination$ system
  tcp_*|*|*|*@example.com          $X5.1.2|$NBad$ destination$ system
  tcp_*|*|*|*@example.net          $X5.1.2|$NBad$ destination$ system
  tcp_*|*|*|*@example.org          $X5.1.2|$NBad$ destination$ system
  tcp_*|*|*|*@*.test               $X5.1.2|$NBad$ destination$ system
  tcp_*|*|*|*@*.example            $X5.1.2|$NBad$ destination$ system
  tcp_*|*|*|*@*.invalid            $X5.1.2|$NBad$ destination$ system
  tcp_*|*|*|*@*.localhost          $X5.1.2|$NBad$ destination$ system

<IMTA_TABLE:mappings.locale
Modify the /opt/SUNWmsgsr/config/aliases file:
! MTA aliases file
!
!root@example.com: postmaster
adm@bedge1-mail1.us.example.com: postmast
root@bedge1-mail1.us.example.com: postmast
postmaster@bedge1-mail1.us.example.com: postmast
sunmc-alert: root@bedge1-mail1.us.example.com
sunmc-critical: root@bedge1-mail1.us.example.com
Set up logadm:
# mkdir /opt/SUNWmsgsr/log/imta/archive    (owner mailsrv:mailsrv)
# logadm -f /opt/SUNWmsgsr/config/logadm.conf -w mail -C 28 -p 1d \
    -t '/opt/SUNWmsgsr/log/imta/archive/mail.log.$n' -z 6 \
    /opt/SUNWmsgsr/log/imta/mail.log
# configutil -o local.schedule.logadm -v "10 4 * * * /usr/sbin/logadm \
    -f /opt/SUNWmsgsr/config/logadm.conf"
Create the alias smarthost.example.com to the GIS relay VIP in /etc/hosts to ensure a fallback mechanism through the local smarthost:
10.1.97.30   gis-relay.us.example.com smarthost.example.com
Configure the IMAP parameters:
# configutil -o local.ldapconnecttimeout -v 30
# configutil -o service.imap.maxsessions -v 600
# configutil -o service.imap.maxthreads -v 250
# configutil -o service.imap.numprocesses -v 8
# configutil -o store.dbtmpdir -v /tmp/msg-bedge1-mail1
Set the port that enables MailFilter:
# configutil -o local.webmail.sieve.port -v 444
Set smtphost to the dedicated MTA host:
# configutil -o service.http.smtphost -v mail-amer-xfr.example.com
If UWC is not enabled, set local.service.http.cookiename to a value, for example webmailsid, so that the session ID is not visible in the URL. When UWC is enabled, this is set by default.
All steps in Chapter 3, Solaris Installation and Configuration, must be completed, especially the parts pertaining to FE nodes.
Directory Server on port 34389 in /opt/ds must be installed and configured.
Admin Server must be installed and configured.
Web Server must be installed for MailFilters.
Messaging Server must be installed and patched.
FOUNDRY: set up loopback for mail-amer.example.com and use mail VIP for install and configuration.
NAUTICUS: use hostname of d1 server for install and configuration: d1-amer-01.example.com.
Run configure. Always check the silent install file before using it:
# cd /opt/SUNWmsgsr/sbin
# ./configure -nodisplay -noconsole -state /var/bits/silent/BE/FE_RAMESH/d1-msg-configure.cnf
Back up the configuration directory with db2ldif to ensure that a good copy is saved:
# cd /opt/ds/slapd-cfg
# ./db2ldif
Disable POP and IMAP:
# configutil -o service.pop.enable -v 0
# configutil -o service.pop.enablesslport -v 0
# configutil -o service.imap.enable -v 0
# configutil -o service.imap.enablesslport -v 0
Verify that the msg-admin account for your geo exists; set it up if needed and add it to the group, similar to the BE process:
ldapsearch -h ds-amer-0[123] -b dc=example,dc=com uid=msg-admin-mail-amer.example.com dn
If the uid is NOT in LDAP, create an LDAP entry for your msg-admin user. Create an LDIF file, e.g. msg-admin.ldif, with the following contents (modify them for your geo):
dn: uid=msg-admin-mail-sfbay.example.com,ou=People, dc=example,dc=com
givenName: Messaging End User SFBAY
userPassword: {SSHA}ttW9Pash8si8u81XCWAXwV9Hfk9JRBti/yOJMw==
objectClass: top
objectClass: person
objectClass: inetorgperson
objectClass: iplanet-am-managed-person
objectClass: organizationalPerson
cn: Messaging End User SFBAY Administrator
sn: Administrator
uid: msg-admin-mail-sfbay.example.com
Add the entry to LDAP:
ldapmodify -h ds-amer-0[123] -D "cn=Directory Manager" -w password -a -f ./msg-admin.ldif
If the uid IS in LDAP, verify that the msg-admin user for your geo is a uniqueMember of the ou=groups entry for cn=Messaging End User Administrators:
ldapsearch -h ds-amer-01 -b dc=example,dc=com cn="Messaging End User Administrators Group" uniqueMember | \
    grep msg-admin-mail-amer
If necessary, add your msg-admin user to the Administrators Group using an LDAP browser or the ldapmodify command. Note: any entries with old time stamps should probably be removed in a clean-up effort; however, it is suggested that you clean up entries only for the geo you are configuring.
Change the following:
ImapProxyAService.cfg
    default:BindDN "uid=msg-admin-mail-amer.example.com, ou=People, dc=example, dc=com"
    default:BindPass (verify the password for your msg-admin user and reset it if needed)
configutil values
    local.service.pab.ldapbinddn (same DN as above)
    local.ugldapbinddn (same DN as above)
    local.ugldapbindcred (same password as above)
    local.service.pab.ldappasswd (same password as above)
Restart Messaging Server and test. Use, for example, the ImapProxy log to see whether authentication is working as expected. Edit the LDIF or configuration information as needed; it all needs to match.
Enable SSL by following the procedures To Request an SSL Certificate and To Install an SSL Certificate. Messaging Server uses the /opt/SUNWmsgsr/config/sslpassword.conf file.
Make sure the SUNWsndmr and SUNWsndmu packages are installed.
Stop sendmail if it is running:
# /etc/init.d/sendmail stop                 (for Solaris 9)
# svcadm disable network/smtp:sendmail      (for Solaris 10)
Create or modify /etc/default/sendmail to prevent accidental start of sendmail in daemon mode. Add:
MODE=""
Create sjsms-submit.mc from submit.mc, then edit it and change the line that starts with FEATURE:
# cd /usr/lib/mail/cf
# cp submit.mc sjsms-submit.mc
FEATURE(`msp', `[cookbook-mail1.us.example.com]')dnl
# /usr/ccs/bin/make sjsms-submit.cf
# mv /etc/mail/submit.cf /etc/mail/submit.cf.orig
# cp sjsms-submit.cf /etc/mail/submit.cf
Add patch 113575-05. Note: future sendmail patches may overwrite submit.cf. You should always check submit.cf after applying such patches.
Start sendmail:
# /etc/init.d/sendmail start                (for Solaris 9)
# svcadm enable network/smtp:sendmail       (for Solaris 10)
Repeat the above on the other node(s) if applicable.
Edit imta.cnf to match the following:
!
! IMTA configuration file
!
! part I : rewrite rules
!
! Domain Rewrite Rules.
! Uncomment this line to use domain rewrite rules
! from the configuration file instead of the domain database.
! Please refer to the iMS documentation for details.
!<IMTA_TABLE:domains.rules
!
! Rules to select local users
$*                              $A$E$F$U%$H$V$H@mail-amer.example.com
mail-amer.example.com           $U%$D@mail-amer.example.com
example.com                     $U%$D@mail-amer.example.com
fe-amer-09.example.com          $U@mail-amer.example.com
phys-bedge5-1.us.example.com    $U@mail-amer.example.com
phys-bedge5-2.us.example.com    $U@mail-amer.example.com
localhost                       $U@mail-amer.example.com
!
! ims-ms
.ims-ms-daemon                  $U%$H.ims-ms-daemon@ims-ms-daemon
!
! lmtp
!.lmtp                          $U%$H@lmtpcs-daemon
!
! lmtpn
!.lmtpn                         $U%$H@lmtpcn-daemon
!
! native
.native-daemon                  $U%$H.native-daemon@native-daemon
!
! pipe
.pipe-daemon                    $U%$H.pipe-daemon@pipe-daemon
!
! tcp_local
! Rules for top level internet domains
<IMTA_TABLE:internet.rules
!
! tcp_intranet
! Do mapping lookup for internal IP addresses
[]                              $E$R${INTERNAL_IP,$L}$U%[$L]@tcp_intranet-daemon
!.example.com                   $U%$H.example.com@tcp_intranet-daemon
! b complex back-end servers
bedge1-mail1.us.example.com     $U%$D@tcp_intranet-daemon
bedge2-mail1.us.example.com     $U%$D@tcp_intranet-daemon
bedge3-mail1.us.example.com     $U%$D@tcp_intranet-daemon
bedge4-mail1.us.example.com     $U%$D@tcp_intranet-daemon
! add back-end servers for global complexes
aedge1-mail1.eu.example.com     $U%$D@tcp_intranet-daemon
! ...
*                               $U%$&0.example.com
!
! tcp_example for internal example.com addresses
.example.com                    $U%$H$D@tcp_example-daemon
!
! reprocess
reprocess                       $U%reprocess.mail-amer.example.com@reprocess-daemon
reprocess.mail-amer.example.com $U%reprocess.mail-amer.example.com@reprocess-daemon
!
! process
process                         $U%process.mail-amer.example.com@process-daemon
process.mail-amer.example.com   $U%process.mail-amer.example.com@process-daemon
!
! defragment
defragment                      $U%defragment.mail-amer.example.com@defragment-daemon
defragment.mail-amer.example.com $U%defragment.mail-amer.example.com@defragment-daemon
!
! conversion
conversion                      $U%conversion.mail-amer.example.com@conversion-daemon
conversion.mail-amer.example.com $U%conversion.mail-amer.example.com@conversion-daemon
!
! bitbucket
bitbucket                       $U%bitbucket.mail-amer.example.com@bitbucket-daemon
bitbucket.mail-amer.example.com $U%bitbucket.mail-amer.example.com@bitbucket-daemon
!
! deleted
deleted-daemon                  $U%$H@deleted-daemon
.deleted-daemon                 $U%$H@deleted-daemon
!
! inactive
inactive-daemon                 $U%$H@inactive-daemon
.inactive-daemon                $U%$H@inactive-daemon
!
! hold
hold-daemon                     $U%$H@hold-daemon
.hold-daemon                    $U%$H@hold-daemon
!
! part II : channel blocks
!
defaults notices 1 2 4 7 errwarnpost errsendpost postheadonly noswitchchannel immnonurgent maxjobs 7 logging defaulthost example.com example.com
!
! delivery channel to local /var/mail store
l subdirs 20 viaaliasrequired maxjobs 7 pool LOCAL_POOL
mail-amer.example.com
!
! ims-ms
ims-ms defragment subdirs 20 notices 1 7 14 21 28 backoff "pt5m" "pt10m" "pt30m" "pt1h" "pt2h" "pt4h" maxjobs 2 pool IMS_POOL fileinto $U+$S@$D
ims-ms-daemon
!
! native
native defragment subdirs 20 maxjobs 1
native-daemon
!
! pipe
pipe single defragment subdirs 20
pipe-daemon
!
! tcp_local
tcp_local smtp nomx single_sys remotehost daemon gis-relay.us.example.com inner switchchannel identnonenumeric subdirs 20 maxjobs 7 pool SMTP_POOL musttlsserver mustsaslserver saslswitchchannel tcp_auth missingrecipientpolicy 0 dequeue_removeroute
tcp-daemon
!
! tcp_example
tcp_example smtp nomx single_sys remotehost daemon gis-relay.us.example.com inner switchchannel identnonenumeric subdirs 20 maxjobs 7 pool SMTP_POOL authrewrite 1 musttlsserver mustsaslserver saslswitchchannel tcp_auth missingrecipientpolicy 0 dequeue_removeroute
tcp_example-daemon
!
! tcp_iplanet
tcp_iplanet smtp nomx single_sys remotehost daemon gis-relay.us.example.com inner switchchannel identnonenumeric subdirs 20 maxjobs 7 pool SMTP_POOL authrewrite 1 musttlsserver mustsaslserver saslswitchchannel tcp_auth missingrecipientpolicy 0 dequeue_removeroute
tcp_iplanet-daemon
!
! tcp_intranet
tcp_intranet smtp nomx single_sys sourceblocklimit 10000 subdirs 20 maxjobs 7 pool SMTP_POOL maytlsserver allowswitchchannel saslswitchchannel tcp_auth missingrecipientpolicy 4
tcp_intranet-daemon
!
! tcp_submit
tcp_submit submit smtp mx single_sys sourceblocklimit 10000 authrewrite 1 mustsaslserver musttlsserver missingrecipientpolicy 4
tcp_submit-daemon
!
! tcp_auth
tcp_auth smtp mx single_sys authrewrite 1 sourceblocklimit 10000 musttlsserver mustsaslserver missingrecipientpolicy 4
tcp_auth-daemon
!
! tcp_tas
tcp_tas smtp mx single_sys allowswitchchannel mustsaslserver maytlsserver deliveryflags 2
tcp_tas-daemon
!
! tcp_lmtpss (LMTP server - store)
!tcp_lmtpss lmtp subdirs 20
!tcp_lmtpss-daemon
!
! tcp_lmtpsn (LMTP server - native)
!tcp_lmtpsn lmtp subdirs 20
!tcp_lmtpsn-daemon
!
! tcp_lmtpcs (LMTP client - store)
!tcp_lmtpcs defragment lmtp port 225 nomx single_sys subdirs 20 maxjobs 7 pool SMTP_POOL dequeue_removeroute
!lmtpcs-daemon
!
! tcp_lmtpcn (LMTP client - native)
!tcp_lmtpcn defragment lmtp port 226 nomx single_sys subdirs 20 maxjobs 7 pool SMTP_POOL dequeue_removeroute
!lmtpcn-daemon
!
! reprocess
reprocess
reprocess-daemon
!
! process
process
process-daemon
!
! defragment
defragment
defragment-daemon
!
! conversion
conversion threaddepth 100 maxjobs 10 pool CONVERSION_POOL
conversion-daemon
!
! bitbucket
bitbucket
bitbucket-daemon
Edit option.dat:
! MTA configuration options
!
! This sets the alias resolution order
!  8 = Use ALIAS_URL0
!  7 = Use ALIAS_URL1
!  6 = Use ALIAS_URL2
!  4 = Use the alias file
ALIAS_MAGIC=8764
ALIAS_URL0=ldap:///$V?*?sub?$R
USE_REVERSE_DATABASE=4
REVERSE_URL=ldap:///$V?$N?sub?$R
USE_DOMAIN_DATABASE=0
! MISSING_RECIPIENT_POLICY controls how illegal headers that don't
! contain any To:, Cc:, or Bcc: fields are handled for channels that
! do not have their own explicit missingrecipientpolicy keyword set.
! The default of 0 means that the envelope addresses are used to
! construct a valid To: header field.  This default behavior tends
! to be especially appropriate for the tcp_local channel.
MISSING_RECIPIENT_POLICY=0
MISSING_RECIPIENT_GROUP_TEXT=Undisclosed recipients
ALIAS_DOMAINS=6
! LDAP_SCHEMALEVEL=2
! VACATION_TEMPLATE=file:///opt/SUNWmsgsr/data/vacation/$3I/$1U/$2U/$U.vac
!
! custom add-ons below
ALLOW_RECIPIENTS_PER_TRANSACTION=256
LOG_CONNECTION=3
LOG_MESSAGE_ID=1
LOG_TRANSPORTINFO=1
LOG_USERNAME=1
SEPARATE_CONNECTION_LOG=1
!LOG_PROCESS=1
Edit mappings:
! MTA mappings file
! for access control and other table lookups

PORT_ACCESS

  *|*|*|*|*                        $C$|INTERNAL_IP;$3|$Y$E
  *                                $YEXTERNAL

INTERNAL_IP

  $(10.1.82.183/24)                $Y
  $(129.147.156.0/24)              $Y
  127.0.0.1                        $Y
  *                                $N

ORIG_SEND_ACCESS

  tcp_local|*|tcp_local|*          $N$D30|Relaying$ not$ allowed
  tcp_*|*|native|*                 $N
  tcp_*|*|hold|*                   $N
  tcp_*|*|pipe|*                   $N
  tcp_*|*|ims-ms|*                 $N
!
! Block "external" submissions of explicitly source-routed "internal" addresses
!
  tcp_local|*|tcp_intranet|@*:*.*  $N$D30|Explicit$ routing$ not$ allowed
  tcp_local|*|tcp_intranet|*$%*@*  $N$D30|Explicit$ routing$ not$ allowed
  tcp_local|*|tcp_intranet|*.*!*@* $N$D30|Explicit$ routing$ not$ allowed
  tcp_local|*|tcp_intranet|"*@*"@* $N$D30|Explicit$ routing$ not$ allowed

SEND_ACCESS

  tcp_*|*|*|*@[127.*]              $X5.1.2|$NBad$ destination$ system
  tcp_*|*|*|*@localhost.*          $X5.1.2|$NBad$ destination$ system
  tcp_*|*|*|*@example.com          $X5.1.2|$NBad$ destination$ system
  tcp_*|*|*|*@example.net          $X5.1.2|$NBad$ destination$ system
  tcp_*|*|*|*@example.org          $X5.1.2|$NBad$ destination$ system
  tcp_*|*|*|*@*.test               $X5.1.2|$NBad$ destination$ system
  tcp_*|*|*|*@*.example            $X5.1.2|$NBad$ destination$ system
  tcp_*|*|*|*@*.invalid            $X5.1.2|$NBad$ destination$ system
  tcp_*|*|*|*@*.localhost          $X5.1.2|$NBad$ destination$ system

CONVERSIONS

  in-chan=tcp_intranet;out-chan=tcp_example;CONVERT   No
  in-chan=tcp_*;out-chan=*;CONVERT                     Yes
  in-chan=l;out-chan=*;CONVERT                         Yes

<IMTA_TABLE:mappings.locale
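The PORT_ACCESS, INTERNAL_IP, ORIG_SEND_ACCESS and SEND_ACCESS tables above (and the INTERNAL_IP range note in the BE mappings section earlier) decide which connections count as internal and which relaying attempts are refused. The following Python simulator is an added example, not code from the Sun guide or from Messaging Server: it models those lookups on constructed copies of the table entries, including the /NN range arithmetic; the channel names, addresses and IPs it uses are assumptions taken from the tables on this page.

```python
"""Simulator for the MTA mapping tables above (INTERNAL_IP, PORT_ACCESS,
ORIG_SEND_ACCESS, SEND_ACCESS).  Added example, not Sun code: only the '*'
and '%' wildcards and the $Y/$N/$D/$X/$(cidr) metacharacters used on this
page are modelled, and the first matching entry of a table wins."""
import ipaddress
import re

# Constructed copies of entries from the mappings file above.
INTERNAL_IP = [
    ("$(10.1.82.183/24)", "$Y"),
    ("$(129.147.156.0/24)", "$Y"),
    ("127.0.0.1", "$Y"),
    ("*", "$N"),
]
REJECT = "$N$D30|Explicit$ routing$ not$ allowed"
ORIG_SEND_ACCESS = [
    ("tcp_local|*|tcp_local|*", "$N$D30|Relaying$ not$ allowed"),
    ("tcp_*|*|native|*", "$N"),
    ("tcp_local|*|tcp_intranet|@*:*.*", REJECT),
    ("tcp_local|*|tcp_intranet|*$%*@*", REJECT),
    ('tcp_local|*|tcp_intranet|"*@*"@*', REJECT),
]
BAD_DEST = "$X5.1.2|$NBad$ destination$ system"
SEND_ACCESS = [
    ("tcp_*|*|*|*@example.net", BAD_DEST),
    ("tcp_*|*|*|*@*.invalid", BAD_DEST),
]
CIDR = re.compile(r"^\$\(([\d.]+)/(\d+)\)$")


def pattern_to_regex(pattern):
    """'*' matches any run, '%' one character, '$c' a literal c."""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "$" and i + 1 < len(pattern):
            out.append(re.escape(pattern[i + 1]))
            i += 2
        else:
            out.append({"*": ".*", "%": "."}.get(c, re.escape(c)))
            i += 1
    return re.compile("".join(out), re.IGNORECASE)


def decode_result(template):
    """Pull the verdict ($Y/$N), $D delay, $X status and reason text apart."""
    res = {"allowed": None, "delay": 0, "status": None, "message": ""}
    text, pos = [], 0
    for m in re.finditer(r"\$(Y|N|D\d+|X[\d.]+| )", template):
        text.append(template[pos:m.start()])
        tok = m.group(1)
        if tok == "Y":
            res["allowed"] = True
        elif tok == "N":
            res["allowed"] = False
        elif tok[0] == "D":
            res["delay"] = int(tok[1:])
        elif tok[0] == "X":
            res["status"] = tok[1:]
        else:                      # "$ " is a quoted space in the reason
            text.append(" ")
        pos = m.end()
    text.append(template[pos:])
    res["message"] = "".join(text).strip("| ")
    return res


def lookup(table, probe):
    """First entry whose pattern matches the probe string, else None."""
    for pattern, result in table:
        cidr = CIDR.match(pattern)
        if cidr:   # $(ip/bits): probe IP inside that network
            net = ipaddress.ip_network(f"{cidr[1]}/{cidr[2]}", strict=False)
            try:
                hit = ipaddress.ip_address(probe) in net
            except ValueError:
                hit = False
        else:
            hit = pattern_to_regex(pattern).fullmatch(probe) is not None
        if hit:
            return result
    return None


def port_access(source_ip):
    """PORT_ACCESS '*|*|*|*|*  $C$|INTERNAL_IP;$3|$Y$E' calls INTERNAL_IP with
    the source IP; $Y there means INTERNAL, anything else falls to EXTERNAL."""
    hit = lookup(INTERNAL_IP, source_ip)
    return "INTERNAL" if hit and decode_result(hit)["allowed"] else "EXTERNAL"


def check_relay(src_chan, src_addr, dst_chan, dst_addr):
    """ORIG_SEND_ACCESS then SEND_ACCESS on the MTA's chan|addr|chan|addr
    probe; a table with no matching entry does not block the message."""
    probe = f"{src_chan}|{src_addr}|{dst_chan}|{dst_addr}"
    for table in (ORIG_SEND_ACCESS, SEND_ACCESS):
        result = lookup(table, probe)
        if result is not None and not decode_result(result)["allowed"]:
            return decode_result(result)
    return {"allowed": True, "delay": 0, "status": None, "message": ""}


def cidr_hosts(host_ip, prefix_len):
    """Usable host range of the /NN block containing host_ip, e.g. the
    129.147.156.99/26 example earlier on this page covers .65 to .126."""
    net = ipaddress.ip_network(f"{host_ip}/{prefix_len}", strict=False)
    hosts = list(net.hosts())
    return str(hosts[0]), str(hosts[-1])
```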
Install the scan-attachment.sh script and make sure its permission and ownership are correct:
fe-amer-N# cd /opt/SUNWmsgsr/config
fe-amer-N# ls -ld scripts/
drwxr-xr-x   2 mailsrv  mailsrv      512 Apr 20 00:37 scripts/
fe-amer-N# ls -ld scripts/scan-attachment.sh
-rwxr--r--   1 mailsrv  mailsrv     5330 Apr 20 00:35 scripts/scan-attachment.sh
Create the conversions file:
! Scan attachments for banned prefixes that often contain viruses
in-channel=*; out-channel=*; in-type=*; in-subtype=*;
  parameter-symbol-0=NAME; parameter-copy-0=*;
  dparameter-symbol-0=FILENAME; dparameter-copy-0=*;
  message-header-file=2; original-header-file=1; override-header-file=1;
  command="/opt/SUNWmsgsr/config/scripts/scan-attachment.sh"
Edit the dispatcher.cnf file to match the following:
! VERSION=1.1
! IMTA default dispatcher configuration file
!
! Global defaults
!
MIN_PROCS=1
MAX_PROCS=10
MIN_CONNS=30
MAX_CONNS=50
MAX_SHUTDOWN=2
MAX_LIFE_TIME=86400
MAX_LIFE_CONNS=10000
MAX_IDLE_TIME=600
HISTORICAL_TIME=0
!
! multithreaded SMTP server
!
[SERVICE=SMTP]
PORT=25,12196
! Uncomment the following line if you want to support SSL on the alternate
! port 465
TLS_PORT=465
IMAGE=IMTA_BIN:tcp_smtp_server
LOGFILE=IMTA_LOG:tcp_smtp_server.log
STACKSIZE=2048000
! Uncomment the following line and set INTERFACE_ADDRESS to an appropriate
! host IP (dotted quad) if the dispatcher needs to listen on a specific
! interface (e.g. in a HA environment).
INTERFACE_ADDRESS=10.1.82.187,127.0.0.1
!
! rfc 2476 Submit server
!
[SERVICE=SMTP_SUBMIT]
PORT=587
IMAGE=IMTA_BIN:tcp_smtp_server
LOGFILE=IMTA_LOG:tcp_smtp_server.log
PARAMETER=CHANNEL=tcp_submit
STACKSIZE=2048000
! Uncomment the following line and set INTERFACE_ADDRESS to an appropriate
! host IP (dotted quad) if the dispatcher needs to listen on a specific
! interface (e.g. in a HA environment).
INTERFACE_ADDRESS=10.1.82.187
!
! rfc 2033 LMTP server - store
!
![SERVICE=LMTPSS]
!PORT=225
!IMAGE=IMTA_BIN:tcp_lmtp_server
!LOGFILE=IMTA_LOG:tcp_lmtpss_server.log
!PARAMETER=CHANNEL=tcp_lmtpss
!STACKSIZE=2048000
! Uncomment the following line and set INTERFACE_ADDRESS to an appropriate
! host IP (dotted quad) if the dispatcher needs to listen on a specific
! interface (e.g. in a HA environment).
!INTERFACE_ADDRESS=
!
! rfc 2033 LMTP server - native
!
![SERVICE=LMTPSN]
!PORT=226
!USER=root
!IMAGE=IMTA_BIN:tcp_lmtpn_server
!LOGFILE=IMTA_LOG:tcp_lmtpsn_server.log
!PARAMETER=CHANNEL=tcp_lmtpsn
!STACKSIZE=2048000
! Uncomment the following line and set INTERFACE_ADDRESS to an appropriate
! host IP (dotted quad) if the dispatcher needs to listen on a specific
! interface (e.g. in a HA environment).
!INTERFACE_ADDRESS=
!
Edit the job_controller.cnf file:
[POOL=SMTP_POOL]
job_limit=10
!
[POOL=CONVERSION_POOL]
job_limit=10
!
!Channel definitions
!
Edit aliases:
! MTA aliases file
!
!root@example.com: postmast
adm@mail-amer.example.com: postmast
root@mail-amer.example.com: postmast
postmaster@mail-amer.example.com: postmast
examplemc-alert: root@mail-amer.example.com
examplemc-critical: root@mail-amer.example.com
Add the BE relay host to /etc/hosts (different sites use different BE relay hosts; refer to the EdgeProfile):
fe-amer-N# grep gis-relay /etc/hosts
10.1.99.30   amerea-mail.example.com gis-relay.us.example.com
Create a symbolic link for the certmap.conf file to work around known issue 5008768:
fe-amer-N# cd /opt/SUNWmsgsr/config
fe-amer-N# ls -l certmap*
lrwxrwxrwx   1 root     other         34 Apr 20 00:16 certmap.conf -> /opt/ds/shared/config/certmap.conf
Edit the imta_tailor file to place MTA logs into the imta subdirectory:
fe-amer-N# cd /opt/SUNWmsgsr/config
fe-amer-N# cp imta_tailor imta_tailor.orig_`date +%Y%m%d`
fe-amer-N# sed s/"\/log\//\/log\/imta\/"/ imta_tailor.orig_`date +%Y%m%d` > imta_tailor
Compile this new configuration and restart the dispatcher with the following commands:
fe-amer-N# imsimta cnbuild
fe-amer-N# imsimta restart dispatcher
Configure the logadm utility:
fe-amer-N# mkdir /opt/SUNWmsgsr/log/imta/archive    (owner mailsrv:mailsrv)
fe-amer-N# logadm -w mail -C 28 -p 1d -t \
    '/opt/SUNWmsgsr/log/imta/archive/mail.log.$n' \
    -z 6 /opt/SUNWmsgsr/log/imta/mail.log
fe-amer-N# logadm -w attach -C 28 -c -t \
    '/opt/SUNWmsgsr/log/imta/archive/attachment.log.$n' -z 6 \
    /opt/SUNWmsgsr/log/imta/attachment.log_current
fe-amer-N# logadm -w virus -C 28 -c -t \
    '/opt/SUNWmsgsr/log/imta/archive/virus.log.$n' \
    -z 6 /opt/SUNWmsgsr/log/imta/virus-attachment.log_current
fe-amer-N# logadm -w connection -C 28 -t \
    '/opt/SUNWmsgsr/log/imta/archive/connection.log.$n' \
    -z 6 /opt/SUNWmsgsr/log/imta/connection.log
If there is a dedicated queue partition, relocate imta/queue:
fe-amer-N# stop-msg smtp
fe-amer-N# mkdir -p /imta/queue
fe-amer-N# chown mailsrv:mailsrv /imta/queue
fe-amer-N# cd /opt/SUNWmsgsr/data
fe-amer-N# ln -s /imta/queue queue
fe-amer-N# start-msg smtp
Create an alias called smarthost.example.com for the GIS relay VIP in /etc/hosts to ensure a fallback mechanism through the local smarthost rather than a single GIS relay VIP:
10.1.99.30   gis-relay.us.example.com smarthost.example.com
Make backups of the original MMP configuration files AService.cfg and ImapProxyAService.cfg:
# cd /opt/SUNWmsgsr/config
# cp AService.cfg AService.cfg.orig_`date +%Y%m%d`
# cp ImapProxyAService.cfg ImapProxyAService.cfg.orig_`date +%Y%m%d`
Edit the AService.cfg file:
default:ServiceList /opt/SUNWmsgsr/lib/ImapProxyAService@10.1.82.187:143|10.1.82.187:993
default:LogDir /opt/SUNWmsgsr/data/log/mmp
default:NumThreads 2
Edit the ImapProxyAService.cfg file. For odd-numbered FEs, use the Directory Servers in the following order: -03, -02, -01. For even-numbered FEs, use the Directory Servers in the following order: -02, -03, -01.
default:LdapUrl "ldap://ds-amer-03.us.example.com ds-amer-02.us.example.com ds-amer-01.us.example.com/dc=example,dc=com"
default:LogDir /opt/SUNWmsgsr/data/log/mmp
default:LogLevel 10
default:BindDN "uid=msg-admin-mail-amer.example.com, ou=People, dc=example, dc=com"
default:BindPass "password"
default:BacksidePort 143
default:SearchFormat (uid=%s)
default:SSLEnable yes
default:SSLPorts 993
default:SSLCertNicknames Server-Cert
default:SSLKeyPasswdFile /opt/SUNWmsgsr/config/sslpassword.conf
default:SSLCacheDir /opt/SUNWmsgsr/config
default:SSLSecmodFile secmod.db
default:SSLCertPrefix ""
default:SSLKeyPrefix ""
default:SSLBacksidePort 0
default:RestrictPlainPasswords yes
default:ConnLimits 129.0.0.0|255.0.0.0:10000,0.0.0.0|0.0.0.0:500
default:LdapCacheSize 10000
default:LdapCacheTTL 900
Create the log directory:
# mkdir /opt/SUNWmsgsr/data/log/mmp
# chown mailsrv:mailsrv /opt/SUNWmsgsr/data/log/mmp
# chmod 755 /opt/SUNWmsgsr/data/log/mmp
Restart the service and verify that IMAP is working properly. If so, and assuming certificates have been configured, turn on SSL by uncommenting the following lines in ImapProxyAService.cfg:
default:SSLEnable yes
default:RestrictPlainPasswords yes
Validate that webmail is working properly and that you can connect to the back end server via the front end webmail connection.
Set up configutil:
# configutil -o service.http.ipsecurity -v yes
# configutil -o local.service.http.proxy -v 1
Restart webmail:
# stop-msg http
# start-msg http
Verify that when you connect that the url displayed does not change to that of the back end server.
Complete the steps for configuring MailFilters.
Verify that the BE/D2 mail servers are configured for port 444 for mail filters:
# configutil -o local.webmail.sieve.port -v 444
Add ports 92 and/or 444 to the Web Server server.xml file on the FE/D1 nodes (/opt/SUNWwbsvr/https-mail-amer.example.com/config). Add or replace the series of LS sections as follows, replacing the GEO and IP with yours and modifying ports as needed. Note: each LS section is a single line; each SSLPARAMS section is a single line.
Port 92 is not required for Foundry sites; ports 80, 443 and 444 are required. Port 443 is not needed for Nauticus sites; one of ports 92 or 444 will be used for mail filters (this needs to be tested to confirm).
<LS id="ls1" port="80" servername="mail-amer.example.com" defaultvs="https-mail-amer.example.com" security="false" ip="10.1.82.187" blocking="false" acceptorthreads="1" />
<LS id="ls2" port="92" servername="mail-amer.example.com" defaultvs="https-mail-amer.example.com" security="false" ip="10.1.82.187" blocking="false" acceptorthreads="1" />
<LS id="ls3" port="444" servername="mail-amer.example.com" defaultvs="https-mail-amer.example.com" security="true" blocking="false" acceptorthreads="1" ip="10.1.82.187">
<SSLPARAMS servercertnickname="Server-Cert" ssl2="off" ssl2ciphers="-rc4,-rc4export,-rc2,-rc2export,-desede3,-des" ssl3="on" tls="on" ssl3tlsciphers="+rsa_rc4_128_sha,+rsa_rc4_128_md5,-rsa_rc4_56_sha,-rsa_rc4_40_md5,+rsa_3des_sha,-rsa_des_sha,-rsa_des_56_sha,-rsa_rc2_40_md5,-rsa_null_md5,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,+fips_3des_sha,-fips_des_sha" tlsrollback="on" clientauth="off"/>
</LS>
Restart the Web Server and verify that it is listening on the correct ports and that there are no error messages in the logs:
# /opt/SUNWwbsvr/https-mail-amer.example.com/stop
# /opt/SUNWwbsvr/https-mail-amer.example.com/start
Deploy the MailFilter war file:
# /opt/SUNWwbsvr/bin/https/httpadmin/bin/wdeploy deploy \
    -u /MailFilter -i https-mail-amer.example.com \
    -v https-mail-amer.example.com /opt/SUNWmsgsr/SUNWmsgmf/MailFilter.war
Test Mail Filters from a webmail connection on the corporate network.
Remove Password option from Messenger Express:
--- /opt/SUNWmsgsr/config/html/opts_fs.html.orig Thu Mar 31 16:04:17 2005 +++ /opt/SUNWmsgsr/config/html/opts_fs.html Wed Aug 10 10:00:26 2005 @@ -131,8 +131,6 @@ 'javascript:parent.toggle(\'summary\')') + getToggle(main.i18n['personal'], 'personal', 'javascript:parent.toggle(\'personal\')') + - getToggle(main.i18n['password'], 'password', - 'javascript:parent.toggle(\'password\')') + (main.cfgFrame.mbox.length == 0 ? : getToggle(main.i18n['settings'], 'settings', 'javascript:parent.toggle(\'settings\')')) + |
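Review bot: removing the getToggle(main.i18n['password'], ...) entry only hides the Password option in the Messenger Express options navigation; nothing in this hunk disables password changes on the server side, so if the goal is to stop users from changing their password through webmail, that must be enforced in the Messaging Server configuration rather than in opts_fs.html alone. Also, the trailing context line reads `(main.cfgFrame.mbox.length == 0 ? :` with no expression between `?` and `:`; check whether that is an artifact of how the patch was captured or whether the edited file really fails to parse before deploying it.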
Calendar Server is installed on all the FE systems where Communications Express will be installed. Calendar Server is also installed on all of the BE clusters designated for calendaring usage. Perform the following procedures in the order they are listed here:
Create the icsuser userid and icsgroup groupid.
/etc/passwd:  icsuser:x:503:503::/home/icsuser:/bin/pfsh
/etc/shadow:  icsuser:NP:::::::
/etc/group:   icsgroup::503:
/etc/group:   nobody::60001:     (Needed for installing patches later on)
Verify that the calmaster account and attributes already exist in ldap:
phys-bedgeN-1# ldapsearch -h ds-amer-01 -b dc=example,dc=com uid=calmaster
Ensure that the hostname cal-amer.example.com is plumbed and working.
Install Calendar Server using the JES installer (select all languages and the Configure Later option during the installation):
fe-amer-N# cd /var/bits/java_es/Solaris_sparc
fe-amer-N# ./installer -nodisplay
Sun Java(TM) System Calendar Server 6 2004Q2 (via JES installer)
This procedure first configures HA on the server. Use /shared/bedge5/cal/opt as the CalendarServerPath.
Make sure the appropriate mount points are in the /etc/vfstab files:
/dev/md/bedge5-ds/dsk/d300 /dev/md/bedge5-ds/rdsk/d300 /shared/bedge5/cal/opt      ufs 2 no logging
/dev/md/bedge5-ds/dsk/d301 /dev/md/bedge5-ds/rdsk/d301 /shared/bedge5/cal/dbbackup ufs 2 no logging,nosuid
Add IP and hostname for logical host (bedge5-cal1) in /etc/hosts of both nodes.
Run the HA commands for calendar (this assumes that the cluster software was installed in accordance with this document):
phys-bedgeN-1# scrgadm -a -t SUNW.HAStoragePlus
phys-bedgeN-1# scrgadm -a -t SUNW.scics
phys-bedgeN-1# scrgadm -a -g cal1-svc-rg -h phys-bedgeN-1,phys-bedgeN-2
phys-bedgeN-1# scrgadm -a -L -g cal1-svc-rg -j cal1-addr-rs -l bedge5-cal1
phys-bedgeN-1# scrgadm -a -j cal1-storplus-rs -g cal1-svc-rg \
    -t SUNW.HAStoragePlus \
    -x FilesystemMountPoints=/shared/bedge5/cal/opt,/shared/bedge5/cal/dbbackup \
    -x AffinityOn=True
Enable the resource to mount the shared filesystems prior to installing calendar:
phys-bedgeN-1# scswitch -Z -g cal1-svc-rg
phys-bedgeN-1# scswitch -e -j cal1-storplus-rs
Verify that the directories /shared/bedge5/cal/opt and /shared/bedge5/cal/dbbackup are mounted on node 1, where Calendar Server will be installed.
Install Calendar Server on node 1 using the Java ES installer:
phys-bedgeN-1# cd /var/bits/java_es/Solaris_sparc
phys-bedgeN-1# ./installer -nodisplay
When prompted, select all languages and the Configure Later option. When you select Calendar Server for installation, Directory Server is automatically selected, but you must deselect it before proceeding.
On node 2, install the following software: SUNWicu, SUNWldk, SUNWpr, SUNWsasl, and SUNWtls:
phys-bedgeN-2# cd /var/bits/java_es/Solaris_sparc/Product/shared_components/Solaris_9/Packages
phys-bedgeN-2# pkgadd -d . SUNWicu SUNWpr SUNWsasl SUNWtls
phys-bedgeN-2# cd /var/bits/java_es/Solaris_sparc/Product/shared_components/Packages
phys-bedgeN-2# pkgadd -d . SUNWldk
Make sure that Directory Server is configured and that its hostname is in /etc/hosts on both nodes. Know the Bind DN login (cn=directory manager) and password for LDAP, and the calmaster password.
Run the calendar configurator on node 1, the active calendar node:
phys-bedgeN-1# cd /shared/bedge5/cal/opt/SUNWics5/cal/sbin
phys-bedgeN-1# sh ./csconfigurator.sh -nodisplay

Provide the following information during the configuration. Sample:

LDAP Server Name: ds-amer-02.us.example.com
LDAP Port: 389
Directory Manager Bind DN: cn=Directory Manager
Directory Manager Bind Password: xxxxxxxx
Base DN: dc=example,dc=com
Calendar Administrator Username: calmaster
Calendar Administrator Password: xxxxxxxx
Email Alarms: Enabled
Administrator Email Address: wwcs-csg-if@example.com
SMTP Hostname: mail-amer.example.com
Service Port: [80]
Maximum Sessions: [5000]
Maximum Threads: [20]
Number of server processes: [4]
Runtime Username: icsuser
Runtime Usergroup: icsgroup
Start after successful installation: No
Start on system startup: No
Config Directory: /etc/opt/SUNWics5/config
Database location: /shared/bedge5/cal/opt/csdb
Logs: /shared/bedge5/cal/opt/logs
Temporary Files: /shared/bedge5/cal/opt/tmp
Move the config directory to the shared filesystem:
phys-bedgeN-1# cd /shared/bedge5/cal/opt/SUNWics5/cal
phys-bedgeN-1# rm config
phys-bedgeN-1# cp -pr /etc/opt/SUNWics5/config .
phys-bedgeN-1# cd /shared/bedge5/cal/opt/SUNWics5/cal/lib
phys-bedgeN-1# rm config
phys-bedgeN-1# ln -s ../config config
phys-bedgeN-1# cd /shared/bedge5/cal/opt/SUNWics5/cal/sbin
phys-bedgeN-1# rm config
phys-bedgeN-1# ln -s ../config config
Create the hotbackup and archive directories for database backups:
phys-bedgeN-1# cd /shared/bedge5/cal/dbbackup
phys-bedgeN-1# mkdir hotbackup archive
phys-bedgeN-1# chown icsuser:icsgroup hotbackup
phys-bedgeN-1# chown icsuser:icsgroup archive
Edit the ics.conf file and add the following to the end of the file. Change the shared paths and add the IP address of the logical host.
phys-bedgeN-1# cd /shared/bedge5/cal/opt/SUNWics5/cal/config
phys-bedgeN-1# cp ics.conf ics.conf.orig
! Configure hotbackups and archiving
!
caldb.berkeleydb.archive.path = "/shared/bedge5/cal/dbbackup/archive"
caldb.berkeleydb.archive.enable = "yes"
caldb.berkeleydb.archive.mindays = "3"
caldb.berkeleydb.archive.maxdays = "5"
caldb.berkeleydb.archive.threshold = "70"
! Interval between hotbackup or archivebackup in seconds
caldb.berkeleydb.archive.interval = "120"
!
caldb.berkeleydb.hotbackup.enable = "yes"
caldb.berkeleydb.hotbackup.path = "/shared/bedge5/cal/dbbackup/hotbackup"
caldb.berkeleydb.hotbackup.mindays = "3"
caldb.berkeleydb.hotbackup.maxdays = "5"
caldb.berkeleydb.hotbackup.threshold = "70"
logfile.store.logname = "store.log"
!
! End -- Hotbackup/Archiving section
!
local.server.ha.enabled = "yes"
local.server.ha.agent = "SUNWscics"
service.http.listenaddr = "logicalHostIP"
Modify the ics.conf file with the following parameters. When adding parameters that do not already exist in ics.conf, insert them in alphabetical order of the parameter name.
caldb.berkeleydb.circularlogging = "no"
caldb.serveralarms.contenttype = "text/xml"
caldb.serveralarms.url = "enp:///ics/customalarm"
service.calendarsearch.ldap = "y"
caldb.cld.type = "directory"
logfile.loglevel = "Information"
service.dwp.enable = "yes"
service.dwp.port = "9779"
service.ens.port = "7997"
local.hostname = "bedge5-cal1.us.example.com"
local.servername = "bedge5-cal1.us.example.com"
service.ens.host = "bedge5-cal1.us.example.com"
service.http.calendarhostname = "bedge5-cal1.us.example.com"
Uncomment the following two lines:
caldb.serveralarms.url = "enp:///ics/customalarm"
caldb.serveralarms.contenttype = "text/xml"
Comment out this line:
!service.listenaddr = "INADDR_ANY" |
Locate the first line below and add the second one after it:
service.siteadmin.userid = ""
service.store.enable = "yes"
Uncomment the default DWP server entry and set it to the backend calendar server's fully qualified name:
! Default DWP server (LDAP CLD only), used if user's icsDWPhost value does not exist.
caldb.dwp.server.default = "bedge5-cal1.us.example.com"
Update all existing ics.conf files (FEs and BEs) with the new calendar backend server information. For every frontend calendar server to be able to reach every backend database server, all backend servers must be listed in every ics.conf file. Services must be restarted for this change to take effect.
When a new backend server is brought on line, the following parameter must be uncommented, with its host name adjusted, in the ics.conf files on all servers (front and back ends):
caldb.dwp.server.bedge5-cal1.us.example.com.ip = "bedge5-cal1.us.example.com" |
For this to work, the fully qualified name of the calendar server MUST be the first name on its /etc/hosts entry on all systems, and /etc/nsswitch.conf MUST be set up correctly. Example /etc/hosts entry for BRM:
10.1.82.143 bedge5-cal1.us.example.com bedge5-cal1.us.example.com bedge5-cal1 |
For reference, a copy of the current ics.conf file from the Broomfield BE calendar cluster is in the appendix of this cookbook.
Create the cal1-svc resource and define its dependencies:
phys-bedgeN-1# mkdir /shared/bedge5/cal/opt/opt
phys-bedgeN-1# cd /shared/bedge5/cal/opt/opt
phys-bedgeN-1# ln -s ../SUNWics5 SUNWics5
phys-bedgeN-1# scrgadm -a -j cal1-svc-rs -g cal1-svc-rg -t SUNW.scics \
    -x Confdir_list=/shared/bedge5/cal/opt \
    -y Resource_dependencies=cal1-storplus-rs,cal1-addr-rs -y Port_list=80/tcp
phys-bedgeN-1# scswitch -e -j cal1-svc-rs
Verify that cal1-svc-rg, cal1-addr-rs, cal1-storplus-rs, and cal1-svc-rs are online and that the calendar processes are running on node 1:
phys-bedgeN-1# scstat -g
phys-bedgeN-1# ps -ef | grep icsuser
Verify that the services can be switched over to node 2 and back again:
phys-bedgeN-1# scswitch -z -g cal1-svc-rg -h phys-bedge5-2
phys-bedgeN-1# scstat -g
phys-bedgeN-1# scswitch -z -g cal1-svc-rg -h phys-bedge5-1
phys-bedgeN-1# scstat -g
Duplicate the contents of /var/sadm/pkg/SUNWics5 on the other node. This is primarily for monitoring, so that SunMC can determine that the package exists and set $serverroot. On the node where calendar was installed:
phys-bedgeN-1# mkdir /global/.devices/node@1/tmp
phys-bedgeN-1# cd /var/sadm/pkg
phys-bedgeN-1# tar cf /global/.devices/node@1/tmp/ics5.tar SUNWics5
On the other node:
phys-bedgeN-2# cd /var/sadm/pkg
phys-bedgeN-2# tar xf /global/.devices/node@1/tmp/ics5.tar
phys-bedgeN-2# rm -r /global/.devices/node@1/tmp
Make sure the directory server is configured and has an entry in the /etc/hosts file.
The following ports must be open for communication between the D1/FE servers and the D2/BE calendar servers (including cross-geo communication): 7997 and 9779.
Have the LDAP bind DN (cn=Directory Manager) and its password, and the calmaster password, available before starting.
Run the calendar configuration script:
fe-amer-N# cd /opt/SUNWics5/cal/sbin
fe-amer-N# sh ./csconfigurator.sh -nodisplay

Provide the following information during the configuration. Sample:

LDAP Server Name: ds-amer-02.us.example.com
LDAP Port: 389
Directory Manager Bind DN: cn=Directory Manager
Directory Manager Bind Password: xxxxxxxx
Base DN: dc=example,dc=com
Calendar Administrator Username: calmaster
Calendar Administrator Password: xxxxxxxx
Email Alarms: Enabled
SMTP Hostname: mail-amer.example.com
http Port: 80 (Port 81 for Nauticus sites)
Runtime Username: icsuser
Runtime Usergroup: icsgroup
Start after successful installation: No
Start on system startup: Yes
Database location: /var/opt/SUNWics5/csdb
Temporary Files: /var/opt/SUNWics5/tmp
Logs: /var/opt/SUNWics5/logs
Follow the procedure To Request an SSL Certificate, and retrieve PKI certificates for the Calendar Server.
Import the certificate chain:
# certutil -A -n "ABC Trusted Root" -t "TCu,TCu,TCuw" -d . -a -i \
    ../ABC_chain.cert -f ./PW
# certutil -A -n "Example Corp Root CA - ABC Corporation" \
    -t "C,," -d . -a -i ../Example_Corp.cert -f ./PW
# certutil -A -n "Example Corp CA (Class B) - Example Corp" \
    -t "C,," -d . -a -i "../Example Corp_cB.cert" -f ./PW
# certutil -A -n "Server-Cert" -t "u,u,u" -d . -a -i ./cal.cert -f ./PW
Create the certificate directory for calendar in the /etc/opt/SUNWics5/config directory:
# cd /etc/opt/SUNWics5/config
# mkdir alias
# chown icsuser:icsgroup alias
Copy the certificates to the calendar directory. Example for BRM:
# cd /etc/opt/SUNWics5/config/alias
# cp /usr/local/cert/SunPKI/cal/cert8.db cert8.db
# cp /usr/local/cert/SunPKI/cal/key3.db key3.db
# cp /usr/local/cert/SunPKI/cal/secmod.db secmod.db
# cp /usr/local/cert/SunPKI/cal/sslpassword.conf sslpassword.conf
Verify that the certificate directory and its files have the appropriate permissions:
# cd /etc/opt/SUNWics5/config
# ls -ld alias
drwxr-xr-x   2 icsuser  icsgroup     512 Mar 24 11:52 alias/
# ls -l alias
drwxr-xr-x   2 icsuser  icsgroup     512 Mar 24 11:52 ./
drwxr-xr-x  16 icsuser  icsgroup    1024 Jun  3 11:05 ../
-rw-------   1 icsuser  icsgroup   65536 May 23 10:23 cert8.db
-rw-------   1 icsuser  icsgroup   32768 May 23 10:23 key3.db
-rw-------   1 icsuser  icsgroup   32768 May 23 10:23 secmod.db
-rw-r--r--   1 icsuser  icsgroup      36 Mar 24 11:53 sslpassword.conf
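The listing above is the state to check for after every certificate renewal: the cert8.db, key3.db and secmod.db files hold the private key and trust settings and must be readable by icsuser only. The following POSIX shell script is an added example, not part of this cookbook or of Calendar Server. It checks a certificate directory against exactly that listing (directory drwxr-xr-x, the three database files mode 0600, everything owned by the runtime user and group). The function names are assumptions for this example, and make_sample_alias builds a constructed directory so the check can be tried without touching a real server; on a server, run check_alias_dir /etc/opt/SUNWics5/config/alias icsuser icsgroup.

```shell
#!/bin/sh
# Added example, not part of the cookbook: verify that a Calendar Server
# certificate directory matches the listing in the text: directory
# drwxr-xr-x, cert8.db/key3.db/secmod.db mode 0600, all owned by the
# runtime user and group. make_sample_alias builds a constructed directory.

# file_ident PATH: print "mode owner group" using ls -ld, which exists on
# Solaris and Linux alike (substr drops the ACL marker GNU ls may append).
file_ident() {
    ls -ld "$1" | awk '{ print substr($1, 1, 10), $3, $4 }'
}

# check_alias_dir DIR OWNER GROUP: exit 0 when the directory and the three
# NSS database files carry the expected mode and ownership; print each
# deviation and exit 1 otherwise.
check_alias_dir() {
    dir=$1; owner=$2; group=$3; bad=0
    set -- $(file_ident "$dir")
    if [ "$1" != "drwxr-xr-x" ] || [ "$2" != "$owner" ] || [ "$3" != "$group" ]; then
        echo "$dir: want drwxr-xr-x $owner $group, got $1 $2 $3"; bad=1
    fi
    for f in cert8.db key3.db secmod.db; do
        if [ ! -f "$dir/$f" ]; then
            echo "$dir/$f: missing"; bad=1; continue
        fi
        set -- $(file_ident "$dir/$f")
        # the key and certificate databases must not be group or world readable
        if [ "$1" != "-rw-------" ] || [ "$2" != "$owner" ] || [ "$3" != "$group" ]; then
            echo "$dir/$f: want -rw------- $owner $group, got $1 $2 $3"; bad=1
        fi
    done
    return $bad
}

# make_sample_alias: create a constructed alias directory with the expected
# modes (owned by whoever runs this) and print its path.
make_sample_alias() {
    d=${TMPDIR:-/tmp}/alias-check.$$
    mkdir -p "$d"
    chmod 755 "$d"
    for f in cert8.db key3.db secmod.db; do
        : > "$d/$f"
        chmod 600 "$d/$f"
    done
    : > "$d/sslpassword.conf"
    chmod 644 "$d/sslpassword.conf"
    echo "$d"
}
```

The check deliberately parses ls -ld rather than stat(1), because stat is not available on the Solaris releases this cookbook targets and the ls -l column layout is the same on both platforms.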
Verify that the following parameters are set correctly for SSL in the ics.conf file:
encryption.rsa.nssslactivation = "on"
encryption.rsa.nssslpersonalityssl = "Server-Cert"
encryption.rsa.nsssltoken = "internal"
service.http.tmpdir = "/var/opt/SUNWics5/tmp"
service.http.uidir.path = "html"
service.http.ssl.cachedir = "."
service.http.ssl.cachesize = "10000"
service.http.ssl.certdb.password = "CertPassword"
service.http.ssl.certdb.path = "/etc/opt/SUNWics5/config/alias"
service.http.ssl.port.enable = "yes"
service.http.ssl.port = "443"
service.http.ssl.securelogin = "yes"
service.http.ssl.sourceurl = "https://cal-amer.example.com:443"
service.http.ssl.ssl2.ciphers = ""
service.http.ssl.ssl2.sessiontimeout = "0"
service.http.ssl.usessl = "yes"
Modify /opt/SUNWics5/cal/html/*/default.html (for ALL languages) to set up the redirect to port 443 by adding the following code to each file:
<script>
if (window.location.protocol != 'https:')
    window.location = 'https://' + window.location.host
</script>
Modify the ics.conf file with the following parameters. When adding parameters that do not already exist in ics.conf, insert them in alphabetical order of the parameter name.
caldb.berkeleydb.circularlogging = "yes"
caldb.dwp.server.default = "bedge5-cal1.us.example.com"
    (set this to the FQHN of the BE calendar server for the same geo as the FE systems; example: sedge5-cal1.singapore.example.com)
caldb.dwp.server.bedge5-cal1.us.example.com.ip = "bedge5-cal1.us.example.com"
NOTE: the fully qualified name of the BE calendar server MUST be the first name on its /etc/hosts entry on all systems for this to work, and /etc/nsswitch.conf MUST be set up correctly.
service.calendarsearch.ldap = "y"
service.dwp.enable = "no"
service.dwp.port = "9779"
service.ens.enable = "no"
service.notify.enable = "no"
alarm.msgalarmnoticercpt = "gsdm-collector@example.com"
alarm.msgalarmnoticesender = "gsdm-collector@example.com"
caldb.calmaster = "gsdm-collector@example.com"
caldb.cld.type = "directory"
csapi.plugin.calendarlookup = "y"
local.servername = "cal-amer.example.com"
logfile.loglevel = "Information"
service.admin.port = "21840"
service.ens.host = "xxx.xxx.xxx.xxx"
    (set this to the IP address of the BE calendar server for that geo)
service.ens.port = "7997"
service.http.calendarhostname = "cal-amer.example.com"
service.http.listenaddr = "xxx.xxx.xxx.xxx"
    (set this to the IP address of the FE for the geo, i.e. cal-amer.example.com)
!service.listenaddr = "INADDR_ANY"
service.store.enable = "no"
The following parameter must be added to the ics.conf files of all servers (front and back ends) when a new backend server is brought on line.
caldb.dwp.server.bedge5-cal1.us.example.com.ip = "bedge5-cal1.us.example.com" |
There will be at least four entries of this type in the ics.conf files, one each for Broomfield, Newark, Singapore and Gilmont Park. For example, once all of the Edge-3 sites are online, all ics.conf files will have the following entries:
caldb.dwp.server.bedge5-cal1.us.example.com.ip = "bedge5-cal1.us.example.com"
caldb.dwp.server.sedge3-cal1.singapore.example.com.ip = "sedge3-cal1.singapore.example.com"
caldb.dwp.server.nedge5-cal1.sfbay.example.com.ip = "nedge5-cal1.sfbay.example.com"
caldb.dwp.server.gedge5-cal1.uk.example.com.ip = "gedge5-cal1.uk.example.com"
NOTE: For reference, a copy of the current ics.conf file from the Broomfield FE calendar servers is in the appendix of this cookbook.
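Two of the requirements in this section are easy to lose when a server is patched or rebuilt from the appendix copy: the SSL values listed under "Verify the following parameters are set correctly for SSL", and the caldb.dwp.server.<fqdn>.ip entries for every backend, together with the rule that the backend's fully qualified name comes first on its /etc/hosts line. The POSIX shell script below is an added example, not part of this cookbook or of Calendar Server, that checks all three against a given ics.conf and hosts file. The function names are assumptions for this example, and make_samples writes constructed sample files (using the page's host names) so the checks can be exercised offline; on a real server, run check_ssl_settings and check_dwp_backends against /etc/opt/SUNWics5/config/ics.conf (or the shared config directory on a BE) and check_hosts_first against /etc/hosts.

```shell
#!/bin/sh
# Added example, not part of the cookbook: check an ics.conf for the SSL
# settings the FE procedure requires and for an active DWP entry per backend,
# and check that a backend FQDN is the first name on its /etc/hosts line.
# make_samples writes constructed sample files using the page's host names.

# ics_get KEY FILE: print the value of KEY (first uncommented occurrence,
# quotes stripped). ics.conf comments begin with '!'; values are quoted.
ics_get() {
    esc=$(printf '%s' "$1" | sed 's/\./\\./g')
    grep "^[[:space:]]*${esc}[[:space:]]*=" "$2" | head -1 |
        sed 's/^[^=]*=[[:space:]]*"\([^"]*\)".*/\1/'
}

# check_ssl_settings FILE: exit 0 when every required SSL value matches;
# print each mismatch and exit 1 otherwise.
check_ssl_settings() {
    conf=$1; bad=0
    while read key want; do
        got=$(ics_get "$key" "$conf")
        if [ "$got" != "$want" ]; then
            echo "ssl: $key is '$got', expected '$want'"; bad=1
        fi
    done <<EOF
encryption.rsa.nssslactivation on
service.http.ssl.usessl yes
service.http.ssl.securelogin yes
service.http.ssl.port.enable yes
service.http.ssl.port 443
EOF
    # SSLv2 stays off only while its cipher list is present and empty
    if grep -q '^[[:space:]]*service\.http\.ssl\.ssl2\.ciphers[[:space:]]*=[[:space:]]*""' "$conf"; then
        :
    else
        echo 'ssl: service.http.ssl.ssl2.ciphers must be set to ""'; bad=1
    fi
    return $bad
}

# check_dwp_backends FILE BACKEND...: exit 0 when FILE carries an uncommented
# caldb.dwp.server.<backend>.ip entry for every backend FQDN given.
check_dwp_backends() {
    conf=$1; shift; missing=0
    for be in "$@"; do
        if [ "$(ics_get "caldb.dwp.server.$be.ip" "$conf")" != "$be" ]; then
            echo "dwp: no active entry caldb.dwp.server.$be.ip in $conf"
            missing=$((missing + 1))
        fi
    done
    return $missing
}

# check_hosts_first HOSTSFILE FQDN: exit 0 when FQDN is the first name after
# the address on an uncommented line, as the cookbook requires.
check_hosts_first() {
    awk -v h="$2" '
        $1 !~ /^#/ && $2 == h { ok = 1 }
        END { exit ok ? 0 : 1 }' "$1"
}

# make_samples: write constructed ics.conf and hosts samples into a scratch
# directory and print its path. The Singapore entry is left commented out and
# its hosts line has the short name first, so both checks have a failing case.
make_samples() {
    d=${TMPDIR:-/tmp}/ics-check.$$
    mkdir -p "$d"
    cat > "$d/ics.conf" <<'EOF'
! constructed sample, not a real ics.conf
encryption.rsa.nssslactivation = "on"
service.http.ssl.port.enable = "yes"
service.http.ssl.port = "443"
service.http.ssl.securelogin = "yes"
service.http.ssl.ssl2.ciphers = ""
service.http.ssl.usessl = "yes"
caldb.dwp.server.bedge5-cal1.us.example.com.ip = "bedge5-cal1.us.example.com"
!caldb.dwp.server.sedge3-cal1.singapore.example.com.ip = "sedge3-cal1.singapore.example.com"
EOF
    cat > "$d/hosts" <<'EOF'
10.1.82.143 bedge5-cal1.us.example.com bedge5-cal1
10.1.82.150 sedge3-cal1 sedge3-cal1.singapore.example.com
EOF
    echo "$d"
}
```

check_dwp_backends returns the number of missing backends, so a non-zero exit tells you at a glance how many entries still have to be added before the services are restarted.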
The patches are currently on fe-amer-01.example.com in /var/tmp/cal_patches and are: 118099-01-2864962307.zip, T116577-11.tar.gz, and T118477-07.tar.gz. They should be applied in the above order. This includes the latest patch for calendar. Copy patches to the management station under /export/puppet/world/Calendar/patches.
Unzip/untar the patches (the example assumes the tar files are in /var/tmp/cal_patches):
# mount -F nfs mgmt-amer-01:/export/puppet/world /mnt
# mkdir /var/tmp/cal_patches
# cd /var/tmp/cal_patches
# cp /mnt/Calendar/patches/118099-01-2864962307.zip .
# cp /mnt/Calendar/patches/T116577-11.tar.gz .
# cp /mnt/Calendar/patches/T118477-07.tar.gz .
# unzip 118099-01-2864962307.zip
# gzcat T116577-11.tar.gz | tar xf -
# gzcat T118477-07.tar.gz | tar xf -
Shut down the calendar service:
# /usr/cluster/bin/scswitch -n -j cal1-svc-rs
Apply the patches. The user nobody must have an /etc/group entry, for example:
/etc/group: nobody::60001:
# cd /var/tmp/cal_patches
# /usr/sbin/patchadd -d 118099-01
# /usr/sbin/patchadd -d 116577-11
# /usr/sbin/patchadd -d 118477-07
Restart the calendar resources:
# /usr/cluster/bin/scswitch -e -j cal1-svc-rs
# umount /mnt
Unzip/untar the patches (the example assumes the tar files are in /var/tmp/cal_patches):
# mount -F nfs mgmt-amer-01:/export/puppet/world /mnt
# mkdir /var/tmp/cal_patches
# cd /var/tmp/cal_patches
# cp /mnt/Calendar/patches/118099-01-2864962307.zip .
# cp /mnt/Calendar/patches/T116577-11.tar.gz .
# cp /mnt/Calendar/patches/T118477-07.tar.gz .
# unzip 118099-01-2864962307.zip
# gzcat T116577-11.tar.gz | tar xf -
# gzcat T118477-07.tar.gz | tar xf -
Shut down the calendar service:
# cd /opt/SUNWics5/cal/sbin
# ./stop-cal
# ps -ef | grep icsuser
Apply the patches. The user nobody must have an /etc/group entry, for example:
/etc/group: nobody::60001:
# cd /var/tmp/cal_patches
# /usr/sbin/patchadd -d 118099-01
# /usr/sbin/patchadd -d 116577-11
# /usr/sbin/patchadd -d 118477-07
Restart the calendar service:
# cd /opt/SUNWics5/cal/sbin
# ./start-cal
# ps -ef | grep icsuser
 icsuser 12047     1  0 18:29:06 ?  0:07 /opt/SUNWics5/cal/lib/cshttpd -d 3 -D 4
 icsuser 12041     1  0 18:29:04 ?  0:01 /opt/SUNWics5/cal/lib/csadmind
 icsuser 12048 12047  0 18:29:06 ?  0:07 /opt/SUNWics5/cal/lib/cshttpd -0 -d 0 -D 1 -b 1
# umount /mnt
Check that the front end is connecting to the backends:
# cd /var/opt/SUNWics5/logs
# grep cdwp_login http.log
[10/May/2005:18:29:06 -0600] fe-amer-01 cshttpd[12047]: General Notice: caldb: cdwp_login: ctx for host:10.1.82.143 and port:9779 is authenticated and the sessionid is q6l05rw9x9eee8u
[10/May/2005:18:29:07 -0600] fe-amer-01 cshttpd[12048]: General Notice: caldb: cdwp_login: ctx for host:10.1.82.143 and port:9779 is authenticated and the sessionid is bu9hbbv6t9ebn0
There should be at least two of these entries (for the local backend), and more if multiple BE calendar servers are configured in the ics.conf file.
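Eyeballing the grep output works for one backend but not for four, and a front end that silently lost one backend keeps serving the others. The POSIX shell script below is an added example, not part of this cookbook or of Calendar Server: it reduces the cdwp_login lines in http.log to a per-backend count of authenticated DWP sessions and fails when any backend the front end is supposed to reach has fewer than the two the text expects. The function names are assumptions for this example; sample_http_log writes constructed log lines in the format shown above (the 10.1.82.150 address is made up for the example). On a server, run check_dwp_sessions /var/opt/SUNWics5/logs/http.log followed by each backend as host:port.

```shell
#!/bin/sh
# Added example, not part of the cookbook: count the authenticated DWP
# sessions a front end has opened to each backend, from cshttpd's http.log,
# and fail when a required backend has fewer than two.

# dwp_session_counts LOG: print "host:port count" for every backend that
# cshttpd reported an authenticated cdwp_login context for.
dwp_session_counts() {
    grep 'cdwp_login: ctx for host:' "$1" |
        sed 's/.*ctx for host:\([^ ]*\) and port:\([0-9]*\) is authenticated.*/\1:\2/' |
        sort | uniq -c | awk '{ print $2, $1 }'
}

# check_dwp_sessions LOG BACKEND...: exit 0 when every BACKEND (host:port)
# has at least two authenticated sessions, which is what the cookbook expects
# for the local backend; print the shortfall and exit 1 otherwise.
check_dwp_sessions() {
    log=$1; shift; bad=0
    for be in "$@"; do
        n=$(dwp_session_counts "$log" | awk -v b="$be" '$1 == b { print $2 }')
        if [ "${n:-0}" -lt 2 ]; then
            echo "$be: ${n:-0} authenticated DWP sessions (expected at least 2)"
            bad=1
        fi
    done
    return $bad
}

# sample_http_log: write constructed log lines in the cshttpd format shown in
# the text (two sessions to one backend, one to another) and print the path.
sample_http_log() {
    f=${TMPDIR:-/tmp}/http.log.$$
    cat > "$f" <<'EOF'
[10/May/2005:18:29:06 -0600] fe-amer-01 cshttpd[12047]: General Notice: caldb: cdwp_login: ctx for host:10.1.82.143 and port:9779 is authenticated and the sessionid is q6l05rw9x9eee8u
[10/May/2005:18:29:07 -0600] fe-amer-01 cshttpd[12048]: General Notice: caldb: cdwp_login: ctx for host:10.1.82.143 and port:9779 is authenticated and the sessionid is bu9hbbv6t9ebn0
[10/May/2005:18:29:07 -0600] fe-amer-01 cshttpd[12048]: General Notice: caldb: cdwp_login: ctx for host:10.1.82.150 and port:9779 is authenticated and the sessionid is constructedsample1
EOF
    echo "$f"
}
```

The backends are given as host:port because the log records the IP address the front end actually connected to, not the FQDN from ics.conf; comparing the two is a quick way to catch an /etc/hosts entry that resolves to the wrong address.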
Instant Messaging client resources and multiplexor will be installed on two dedicated FE systems: fe-amer-11.example.com and fe-amer-12.example.com. Instant Messaging (server configuration) will be installed on a single BE system in Broomfield: phys-bedge6-2.us.example.com. A pre-requisite for installation of Instant Messaging and Web Server (for IM) is that the im-amer.example.com interface must be plumbed and ifconfig'd up as an entry in the /etc/rc3.d/S80loopbacks file on the FEs. Example entry:
ifconfig lo0:1 plumb
ifconfig lo0:1 inet 10.1.82.193 netmask 255.255.255.255 up
On the BE (phys-bedge6-2.us), the file /etc/hostname.ce1:10 must exist and contain im-amer-01. The ce1:10 interface must be plumbed and up. On all servers, update /etc/passwd, /etc/shadow and /etc/group with the following information:
/etc/passwd: iimuser:x:504:504::/home/iimuser:/bin/pfsh
/etc/passwd: webservd:x:80:80::/home/webservd:/bin/pfsh
/etc/shadow: iimuser:NP:::::::
/etc/shadow: webservd:*LK*:::::::
/etc/group:  iimgroup::504:
/etc/group:  webservd::80:
Change to the directory that contains the JES3 software:
# cd /var/tmp/im/java_es_05Q1_im/Solaris_sparc |
Start the JES installer:
# ./installer -nodisplay |
Select the following options:
Select all languages
Select the software components:
    Sun Java(TM) System Web Server 6.1 SP4 2005Q1 (60.58 MB)
    Sun Java(TM) System Instant Messaging 7 2005Q1 (11.40 MB)
Component Selection will be:
    1. Instant Messaging Server Core
    2. Instant Messenger Resources
    3. Access Manager Instant Messaging Service
Install directories:
    Instant Messaging: /opt
    Web Server: /opt/SUNWwbsvr
Select: Configure Later
Patch IM:
# cd /var/tmp/im
# /usr/sbin/patchadd -d T118786-05
# /usr/sbin/patchadd -d T118789-06/
Run the Instant Messaging configurator:
# cd /opt/SUNWwbsvr
# ./configure

Sun Java(TM) System Web Server 6.1 2005Q1 SP4
Enter the hostname for this machine [fe-amer-11.us.example.com]: im-amer.example.com
Enter your Sun Java System Web Server server port [80]: 80
Enter a content root [/opt/SUNWwbsvr/docs]:
Would you like the Web Server to start on system boot (n/y): [y]
Enter a valid system user for the Administration Server [root]:
(NOTE: USE THE SAME ADMIN PASSWD AS IN THE OTHER WEB INSTALLATIONS FOR EDGE3)
Administration Server User Name [admin]:
Enter your Administration Server Password :
Enter (again) your Administration Server Password :
Enter your Administration Server Port [8888]:
Modify the /opt/SUNWwbsvr/https-im-amer.example.com/config/server.xml file for the newly created web server:
<PROPERTY name="docroot" value="/opt/SUNWwbsvr/docs/im"/>
<LS id="ls1" port="80" servername="im-amer.example.com" defaultvs="https-im-amer.example.com" ip="10.1.82.193" security="false" acceptorthreads="1" blocking="false">
<PROPERTY name="docroot" value="/opt/SUNWwbsvr/docs/im"/>
Create the new docroot for the IM client services:
# cd /opt/SUNWwbsvr/docs
# ln -s /opt/SUNWiim/html/ im
Start the webserver:
# /etc/init.d/webserver01 start |
Run the Instant Messaging configurator:
# cd /opt/SUNWwbsvr
# ./configure

Sun Java(TM) System Web Server 6.1 2005Q1 SP4
Enter the hostname for this machine [fe-amer-11.us.example.com]: im-amer-01.central.example.com
Enter your Sun Java System Web Server server port [80]: 80
Enter a content root [/opt/SUNWwbsvr/docs]:
Would you like the Web Server to start on system boot (n/y): [y] n
Enter a valid system user for the Administration Server [root]:
(NOTE: USE THE SAME ADMIN PASSWD AS IN THE OTHER WEB INSTALLATIONS FOR EDGE3)
Administration Server User Name [admin]:
Enter your Administration Server Password :
Enter (again) your Administration Server Password :
Enter your Administration Server Port [8888]:
Modify the /opt/SUNWwbsvr/https-im-amer.example.com/config/server.xml file for the newly created web server:
<PROPERTY name="docroot" value="/opt/SUNWwbsvr/docs-im"/>
<LS id="ls1" port="80" servername="im-amer-01.us.example.com" defaultvs="https-im-amer-01.us.example.com" ip="10.1.82.137" security="false" acceptorthreads="1" blocking="false"/>
<PROPERTY name="docroot" value="/opt/SUNWwbsvr/docs-im"/>
Create the new docroot for the IM client services:
# cd /opt/SUNWwbsvr/
# ln -s /opt/SUNWiim/html/ docs-im
Start the webserver:
# /etc/init.d/webserver01 start |
Configure Instant Messaging services on two of the FE systems, fe-amer-11.example.com and fe-amer-12.example.com.
Run the Instant Messaging configurator:
# cd /opt/SUNWiim
# ./configure -nodisplay

Components to configure:
    Sun Java System Instant Messaging Server
    Sun Java System Instant Messenger Resources
Host name: im-amer
DNS Domain name: example.com
User ID: iimuser
Group ID: iimgroup
Instant Messaging Server runtime files directory: /var/opt/SUNWiim
Instant Messaging Server Configuration:
    Domain Name: example.com
    IM Server port: 9999
    Multiplexor port: 9909
    Disable Server: yes
    Remote Server Hostname: im-amer-01.us.example.com
Messenger Resources Code Base URL: http://im-amer.example.com:80
Start Instant Messaging Services after successful configuration: no
Start Instant Messaging Services on system startup: yes
Add the SSL certificates:
# cd /usr/local/cert/SUN_PKI.cert/im-amer
# cp cert8.db /opt/SUNWwbsvr/alias/https-im-amer-cert8.db
# cp key3.db /opt/SUNWwbsvr/alias/https-im-amer-key3.db
# cp secmod.db /opt/SUNWwbsvr/alias/secmod.db
# cp cert8.db /etc/opt/SUNWiim/default/config/https-im-amer-cert8.db
# cp key3.db /etc/opt/SUNWiim/default/config/https-im-amer-key3.db
# cp secmod.db /etc/opt/SUNWiim/default/config/secmod.db
# cp PW /etc/opt/SUNWiim/default/config/PW
# cd /opt/SUNWwbsvr/alias
# chmod 644 *
# cd /etc/opt/SUNWiim/default/config
# mv PW sslpassword.conf
# chown iimuser:iimgroup *
Edit the /etc/opt/SUNWiim/default/config/sslpassword.conf file and change it to the following format:
Internal (Software) Token:password_from_PW_file |
Edit the /etc/opt/SUNWiim/default/config/iim.conf file and verify the following parameters:
iim.smtpserver = "mail-amer-xfr.example.com"
iim.instancedir = "/opt/SUNWiim"
iim.instancevardir = "/var/opt/SUNWiim/default"
iim.user = "iimuser"
iim.group = "iimgroup"
iim_ldap.host = "empldap1.us.example.com:389"
iim_ldap.searchbase = "dc=example,dc=com"
iim_ldap.usergroupbinddn = ""
iim_ldap.usergroupbindcred = ""
iim.log.iim_server.severity = "INFO"
iim.log.iim_mux.severity = "INFO"
iim.log.iim_wd.severity = "INFO"
iim_server.domainname = "example.com"
iim_server.useport = "True"
iim_server.port = "5269"
iim_server.usesslport = "False"
iim_server.enable = "false"
iim_server.clienttimeout = "15"
iim_server.usesso = "0"
iim.policy.modules = "iim_ldap"
iim.userprops.store = "file"
iim_mux.listenport = "im-amer.example.com:9909"
iim_mux.serverport = "im-amer-01.us.example.com:9999"
iim_mux.enable = "true"
iim_mux.numinstances = "4"
iim_mux.maxthreads = "10"
iim_mux.maxsessions = "1000"
! SSL settings
iim_mux.usessl = "on"
iim_mux.secconfigdir = "/etc/opt/SUNWiim/default/config"
iim_mux.keydbprefix = "https-im-amer-"
iim_mux.certdbprefix = "https-im-amer-"
iim_mux.secmodfile = "secmod.db"
iim_mux.certnickname = "Server-Cert"
iim_mux.keystorepasswordfile = "sslpassword.conf"
iim_wd.enable = "true"
iim_wd.period = "300"
iim_wd.maxRetries = "3"
! Calendar agent stuff - disable on the FEs
iim_agent.enable = "false"
iim_agent.agent-calendar.enable = "false"
Edit the IM client resources to force the use of SSL (the index.html file for every language must be edited).
Edit /opt/SUNWiim/html/index.html, search for and change all instances of the following:
im.html   to  imssl.html
im.jnlp   to  imssl.jnlp
Perform the same edits on the index.html files for all languages. The index.html file is found in the following directories:
/opt/SUNWiim/html/de
/opt/SUNWiim/html/es
/opt/SUNWiim/html/fr
/opt/SUNWiim/html/ja
/opt/SUNWiim/html/ko
/opt/SUNWiim/html/zh
/opt/SUNWiim/html/zh_TW
Configure Instant Messaging on the BE server phys-bedge6-2.us.
Run the Instant Messaging configurator:
# cd /opt/SUNWiim
# ./configure -nodisplay

Components to configure:
    Sun Java System Instant Messaging Server
    Sun Java System Instant Messenger Resources
Host name: im-amer-01
DNS Domain name: central.example.com
User ID: iimuser
Group ID: iimgroup
Instant Messaging Server runtime files directory: /var/opt/SUNWiim
Instant Messaging Server Configuration:
    Domain Name: example.com
    IM Server port: 9999
    Multiplexor port: 9909
    Disable Server: no
    LDAP Host Name: empldap1.us.example.com
    LDAP Port Number: 389
    Base DN: dc=example,dc=com
    Bind DN: cn=directory manager
    Bind Password: (enter directory manager password here)
    SMTP Server Host Name: mail-amer-xfr.example.com
Messenger Resources Code Base URL: http://im-amer-01.us.example.com:80
Start Instant Messaging Services after successful configuration: no
Start Instant Messaging Services on system startup: yes
Edit the /etc/opt/SUNWiim/default/config/iim.conf file and verify the following parameters:
iim.smtpserver = "mail-amer-xfr.example.com"
iim.instancedir = "/opt/SUNWiim"
iim.instancevardir = "/var/opt/SUNWiim/default"
iim.user = "iimuser"
iim.group = "iimgroup"
! iim_ldap.host = "ds-amer-01.us.example.com:389"
iim_ldap.host = "empldap1.us.example.com:389"
iim_ldap.searchbase = "dc=example,dc=com"
iim_ldap.usergroupbinddn = ""
iim_ldap.usergroupbindcred = ""
iim.log.iim_server.severity = "INFO"
iim.log.iim_mux.severity = "INFO"
iim.log.iim_wd.severity = "INFO"
iim.log.agent-calendar.severity = "INFO"
iim_server.domainname = "example.com"
iim_server.useport = "True"
iim_server.port = "5269"
iim_server.usesslport = "False"
iim_server.enable = "true"
iim_server.clienttimeout = "15"
iim_server.usesso = "0"
iim.policy.modules = "iim_ldap"
iim.userprops.store = "file"
iim_mux.listenport = "im-amer-01.us.example.com:9909"
iim_mux.serverport = "im-amer-01.us.example.com:9999"
iim_mux.enable = "true"
iim_mux.numinstances = "4"
iim_mux.maxthreads = "10"
iim_mux.maxsessions = "1000"
iim_wd.enable = "true"
iim_wd.period = "300"
iim_wd.maxRetries = "3"
If you are deploying EdgeMail complexes in multiple locations, each must have a local calendar agent to communicate with the other complexes. For each remote complex, such as the one serving Asia from Japan in this example, perform the following steps:
Create a directory for the calendar agent:
# cd /var/opt/SUNWiim
# mkdir cal-agent2-jp
Create the individual configuration files for the calendar agent:
# cd /etc/opt/SUNWiim/default/config
# cp iim.conf cal2.conf
Edit cal2.conf and change the following parameters:
iim_server.enable = "false"
iim_wd.enable = "false"
iim_mux.enable = "false"
Now modify the calendar agent information in the cal2.conf file:
iim.instancevardir = "/var/opt/SUNWiim/cal-agent2-jp"
!
! Calendar-IM integration Configuration
!
iim_agent.enable="true"
!
iim_agent.agent-calendar.enable="true"
!
iim_server.components=agent-calendar
agent-calendar.jid=calimbot.aedge3-cal1.jp.example.com
agent-calendar.password=password
agent-calendar.category=component
! JMS Consumers
jms.consumers=cal_reminder
jms.consumer.cal_reminder.destination=enp:///ics/customalarm
jms.consumer.cal_reminder.provider=ens
jms.consumer.cal_reminder.type=topic
jms.consumer.cal_reminder.param="eventtype=calendar.alarm"
jms.consumer.cal_reminder.factory=com.iplanet.im.server.JMSCalendarMessageListener
! JMS providers
jms.providers=ens
jms.provider.ens.broker=aedge3-cal1.jp.example.com:7997
jms.provider.ens.factory=com.iplanet.ens.jms.EnsTopicConnFactory
Edit the iim.conf file to modify the Calendar Agent information:
! Calendar-IM integration Configuration
iim_agent.enable="true"
iim_agent.agent-calendar.enable="true"
iim_server.components=agent-calendar,agent-calendar2[,...]
agent-calendar.jid=calimbot.bedge5-cal1.us.example.com
agent-calendar.password=netscape
agent-calendar.category=component
agent-calendar2.jid=calimbot.aedge3-cal1.jp.example.com
agent-calendar2.password=netscape
agent-calendar2.category=component
[...]
! JMS Consumers
jms.consumers=cal_reminder
jms.consumer.cal_reminder.destination=enp:///ics/customalarm
jms.consumer.cal_reminder.provider=ens
jms.consumer.cal_reminder.type=topic
jms.consumer.cal_reminder.param="eventtype=calendar.alarm"
jms.consumer.cal_reminder.factory=com.iplanet.im.server.JMSCalendarMessageListener
! JMS providers
jms.providers=ens
jms.provider.ens.broker=bedge5-cal1.us.example.com:7997
jms.provider.ens.factory=com.iplanet.ens.jms.EnsTopicConnFactory
Edit the /etc/init.d/sunwiim file to add the additional Calendar Agent information:
#!/bin/sh
#
# Copyright (c) 1991-2001, by Sun Microsystems, Inc.
#
#ident "@(#)sunwiim 1.7 96/10/02 SMI"

case "$1" in
'start')
        /opt/SUNWiim/sbin/imadmin start
        # Start the JP calendar agent
        /opt/SUNWiim/sbin/imadmin -c /opt/SUNWiim/config/cal2.conf start agent-calendar
        # Start other calendar agents here if necessary
        ;;
'stop')
        /opt/SUNWiim/sbin/imadmin stop
        # Stop the JP calendar agent
        /opt/SUNWiim/sbin/imadmin -c /opt/SUNWiim/config/cal2.conf stop agent-calendar
        # Stop other calendar agents here if necessary
        ;;
*)
        echo "Usage: /etc/init.d/sunwiim { start | stop }"
        ;;
esac
exit
Ensure the following conditions are met:
MEM installed and configured in the same VIP as Comms Express (access-[geo].example.com)
Calendar FE installed and configured (on calendar VIP)
Web server installed and configured with a virtual server for access-[geo].example.com
Access Manager available
Messaging BE installed and configured
Calendar BE installed and configured
Install Comms Express via the JES installer.
Language Support: select all languages
Component Selection: Sun Java(TM) System Communications Express
Installation Directories:
    Identity Server = /opt
    Communications Express = /opt/SUNWuwc
Type of Configuration: Configure Later
The installer automatically adds Sun Java System Access Manager to the install list, but only its SDK subcomponent. Accept the addition of the SDK.
Sample configuration data from the installation on fe-amer-01.example.com:
fe-amer-01.example.com# cd /opt/SUNWuwc/sbin
fe-amer-01.example.com# ./config-uwc -nodisplay

Select the components to be configured:
    [X] 1 Mail Component 0 bytes
    [X] 2 Calendar Component 0 bytes
Verify Host and DNS:
    Host Name [fe-amer-01]: access-amer
    DNS Domain Name [example.com]
Web Server Configuration:
    Enter Web Server Root Directory [/opt/SUNWwbsvr]
    Enter Virtual Server Identifier [https-access-amer.example.com]
    Enter Web Server HTTP Port [80]
Web Container User and Group:
    Enter the Web Container User ID [webservd]
    Enter the Web Container Group ID [webservd]
URI Path:
    Enter URI Path for Communications Express [/uwc]
Hosted Domain Support:
    Do you want Hosted Domain support for Communications Express [no]
User/Group LDAP Server details:
    Ldap URL [ldap://mail-amer.example.com:389]: ldap://ds-amer-01.us.example.com:389
    Bind DN [cn=Directory Manager]
    Bind Password: (enter the appropriate password)
    Enter DC Tree Suffix [dc=example,dc=com]
    Enter the Default Domain Name [example.com]
Identity Server Preferences:
    Enter Identity Server Login URL [http://mail-amer.example.com:80/amserver/UI/Login]: http://id-amer-01.us.example.com:80/amserver/UI/Login
    Enter Identity Server Administrator DN []: amadmin
    Enter Identity Server Administrator Password []: (enter the appropriate password)
    Enter the Messenger Express Port [80]: 82
    Enter the Calendar Server Host Name [access-amer.example.com]: cal-amer.example.com
    Enter the Calendar Server Port Number [9004]: 81
    Enter the Calendar Server Administrator User ID [calmaster]
    Enter the Calendar Server Administrator Password []: (enter the appropriate password)
Personal Address Book (PAB) LDAP Server info:
    LDAP URL [ldap://ds-amer-01.us.example.com:389]
    Bind DN [cn=Directory Manager]
    Bind Password: (enter the appropriate password)
Enable Identity SSO in Messenger Express:
phys-bedgeN-1# cd /opt/SUNWmsgsr/sbin
phys-bedgeN-1# ./configutil -o local.webmail.sso.amnamingurl -v http://id-amer-01.us.example.com/amserver/namingservice
phys-bedgeN-1# ./configutil -o local.webmail.sso.uwcenabled -v 1
phys-bedgeN-1# ./configutil -o local.webmail.sso.uwclogouturl -v http://mail-amer.example.com/uwc/base/UWCmain?op=logout
phys-bedgeN-1# ./configutil -o local.webmail.sso.uwcport -v 80
phys-bedgeN-1# ./configutil -o local.webmail.sso.uwccontexturi -v uwc
phys-bedgeN-1# ./configutil -o local.webmail.sso.amcookiename -v iPlanetDirectoryPro
phys-bedgeN-1# ./stop-msg http
phys-bedgeN-1# ./start-msg http