Deployment Example: Sun Java System Communications Services for Access Anywhere (EdgeMail)

4.8 Installing and Configuring Calendar Server

Calendar Server is installed on all the FE systems where Communications Express will be installed. Calendar Server is also installed on all of the BE clusters designated for calendaring usage. Perform the following procedures in the order they are listed here:

Procedure: To Install Calendar Server on FE Servers

Steps
  1. Create the icsuser userid and icsgroup groupid.


    /etc/passwd: icsuser:x:503:503::/home/icsuser:/bin/pfsh
    /etc/shadow: icsuser:NP:::::::
    /etc/group: icsgroup::503:
    /etc/group: nobody::60001: (Needed for installing patches later on)
  2. Verify that the calmaster account and attributes already exist in LDAP:


    phys-bedgeN-1# ldapsearch -h ds-amer-01 -b dc=example,dc=com uid=calmaster
  3. Ensure that the hostname cal-amer.example.com is plumbed and working.

  4. Install Calendar Server using the JES installer (select all languages and the Configure Later option during the installation):


    fe-amer-N# cd /var/bits/java_es/Solaris_sparc
    fe-amer-N# ./installer -nodisplay
    
    Sun Java(TM) System Calendar Server 6 2004Q2 (via JES installer)

Procedure: To Install Calendar Server on BE Servers

This procedure first configures HA on the server. Use /shared/bedge5/cal/opt as the CalendarServerPath.

Steps
  1. Make sure the appropriate mountpoints are in the /etc/vfstab files


    /dev/md/bedge5-ds/dsk/d300 /dev/md/bedge5-ds/rdsk/d300 /shared/bedge5/cal/opt ufs 2 no logging
    /dev/md/bedge5-ds/dsk/d301 /dev/md/bedge5-ds/rdsk/d301 /shared/bedge5/cal/dbbackup ufs 2 no logging,nosuid
  2. Add IP and hostname for logical host (bedge5-cal1) in /etc/hosts of both nodes.

  3. Run the HA commands for calendar (this assumes that the cluster software was installed in accordance with this document):


    phys-bedgeN-1# scrgadm -a -t SUNW.HAStoragePlus
    phys-bedgeN-1# scrgadm -a -t SUNW.scics
    phys-bedgeN-1# scrgadm -a -g cal1-svc-rg -h phys-bedgeN-1,phys-bedgeN-2
    phys-bedgeN-1# scrgadm -a -L -g cal1-svc-rg -j cal1-addr-rs -l bedge5-cal1
    phys-bedgeN-1# scrgadm -a -j cal1-storplus-rs -g cal1-svc-rg \
        -t SUNW.HAStoragePlus -x FilesystemMountPoints=/shared/bedge5/cal/opt,/shared/bedge5/cal/dbbackup \
        -x AffinityOn=True
  4. Enable the resource to mount the shared filesystems prior to installing calendar


    phys-bedgeN-1# scswitch -Z -g cal1-svc-rg
    phys-bedgeN-1# scswitch -e -j cal1-storplus-rs
  5. Verify that the directories /shared/bedge5/cal/opt and /shared/bedge5/cal/dbbackup are mounted on node 1, where Calendar Server will be installed.

  6. Install Calendar Server on node 1 using the Java ES installer:


    phys-bedgeN-1# cd /var/bits/java_es/Solaris_sparc
    phys-bedgeN-1# ./installer -nodisplay

    When prompted, select all languages and the Configure Later option. When you select Calendar Server for installation, Directory Server is automatically selected, but you must deselect it before proceeding.

  7. On node 2, install the following software: SUNWicu, SUNWldk, SUNWpr, SUNWsasl, and SUNWtls


    phys-bedgeN-2# cd /var/bits/java_es/Solaris_sparc/Product/shared_components/Solaris_9/Packages
    phys-bedgeN-2# pkgadd -d . SUNWicu SUNWpr SUNWsasl SUNWtls
    phys-bedgeN-2# cd /var/bits/java_es/Solaris_sparc/Product/shared_components/Packages
    phys-bedgeN-2# pkgadd -d . SUNWldk

Procedure: To Configure Calendar Server on BE Clusters

Before You Begin

Make sure Directory Server is configured and its hostname is in /etc/hosts on both nodes. Know the Bind DN login (cn=directory manager) and password for LDAP, and the calmaster password.

Steps
  1. Run the calendar configurator on node 1, the active calendar node:


    phys-bedgeN-1# cd /shared/bedge5/cal/opt/SUNWics5/cal/sbin
    phys-bedgeN-1# sh ./csconfigurator.sh -nodisplay
    
    Provide the following information during the configuration
    
    Sample:
       LDAP Server Name: ds-amer-02.us.example.com
       LDAP Port: 389
       Directory Manager Bind DN: cn=Directory Manager
       Directory Manager Bind Password: xxxxxxxx
       Base DN:  dc=example,dc=com
       Calendar Administrator Username:  calmaster
       Calendar Administrator Password: xxxxxxxx
       Email Alarms:  Enabled
    
       Administrator Email Address: wwcs-csg-if@example.com
       SMTP Hostname: mail-amer.example.com
       Service Port: [80]
       Maximum Sessions: [5000]
       Maximum Threads: [20]
       Number of server processes: [4]
       Runtime Username:  icsuser
       Runtime Usergroup:  icsgroup
       Start after successful installation:    No
       Start on system startup:  No
       Config Directory: /etc/opt/SUNWics5/config
       Database location: /shared/bedge5/cal/opt/csdb
       Logs: /shared/bedge5/cal/opt/logs
       Temporary Files: /shared/bedge5/cal/opt/tmp
  2. Move the config directory to the shared filesystem


    phys-bedgeN-1# cd /shared/bedge5/cal/opt/SUNWics5/cal
    phys-bedgeN-1# rm config
    phys-bedgeN-1# cp -pr /etc/opt/SUNWics5/config .
    phys-bedgeN-1# cd /shared/bedge5/cal/opt/SUNWics5/cal/lib
    phys-bedgeN-1# rm config
    phys-bedgeN-1# ln -s ../config config
    phys-bedgeN-1# cd /shared/bedge5/cal/opt/SUNWics5/cal/sbin 
    phys-bedgeN-1# rm config
    phys-bedgeN-1# ln -s ../config config
  3. Create the hotbackup and archive directories for database backups:


    phys-bedgeN-1# cd /shared/bedge5/cal/dbbackup
    phys-bedgeN-1# mkdir hotbackup archive
    phys-bedgeN-1# chown icsuser:icsgroup hotbackup
    phys-bedgeN-1# chown icsuser:icsgroup archive
  4. Edit the ics.conf file and add the following to the end of the file. Change shared paths and add IP for logical host.


    phys-bedgeN-1# cd /shared/bedge5/cal/opt/SUNWics5/cal/config
    phys-bedgeN-1# cp ics.conf ics.conf.orig

    ! Configure hotbackups and archiving
    !
    caldb.berkeleydb.archive.path = "/shared/bedge5/cal/dbbackup/archive"
    caldb.berkeleydb.archive.enable = "yes"
    caldb.berkeleydb.archive.mindays = "3"
    caldb.berkeleydb.archive.maxdays = "5"
    caldb.berkeleydb.archive.threshold = "70"
    ! Interval between hotbackup or archivebackup in seconds
    caldb.berkeleydb.archive.interval = "120"
    !
    caldb.berkeleydb.hotbackup.enable = "yes"
    caldb.berkeleydb.hotbackup.path = "/shared/bedge5/cal/dbbackup/hotbackup"
    caldb.berkeleydb.hotbackup.mindays = "3"
    caldb.berkeleydb.hotbackup.maxdays = "5"
    caldb.berkeleydb.hotbackup.threshold = "70"
    logfile.store.logname = "store.log"
    !
    ! End -- Hotbackup/Archiving section
    !
    local.server.ha.enabled = "yes"
    local.server.ha.agent = "SUNWscics"
    service.http.listenaddr = "logicalHostIP"
  5. Modify the ics.conf file with the following parameters. When adding parameters to the ics.conf file that don't already exist, add them in the alphabetical order of the parameter name.


    caldb.berkeleydb.circularlogging = "no"
    caldb.serveralarms.contenttype = "text/xml"
    caldb.serveralarms.url = "enp:///ics/customalarm"
    service.calendarsearch.ldap = "y"
    caldb.cld.type = "directory"
    logfile.loglevel = "Information"
    service.dwp.enable = "yes"
    service.dwp.port = "9779"
    service.ens.port = "7997"
    local.hostname = "bedge5-cal1.us.example.com"
    local.servername = "bedge5-cal1.us.example.com"
    service.ens.host = "bedge5-cal1.us.example.com"
    service.http.calendarhostname = "bedge5-cal1.us.example.com"

    Uncomment the following two lines:


    caldb.serveralarms.url = "enp:///ics/customalarm"
    caldb.serveralarms.contenttype = "text/xml"

    Comment out this line:


    !service.listenaddr = "INADDR_ANY"

    Locate the first line below and add the second one after it:


    service.siteadmin.userid = ""
    service.store.enable = "yes"
    

    Uncomment the default DWP server entry and set it appropriately:


    ! Default DWP server (LDAP CLD only), used if user's icsDWPhost value does not exist.
    !
    caldb.dwp.server.default = "bedge5-cal1.us.example.com"
  6. Update all existing ics.conf files (FEs and BEs) with new calendar backend server information. In order for all of the frontend calendar servers to be able to communicate with all of the backend database servers, all backend servers must be listed in all ics.conf files. Services must be restarted in order for this change to take effect.

    The following parameter must be uncommented in the ics.conf files and parameters changed on all servers (front and back ends) when a new backend server is brought on line:


    caldb.dwp.server.bedge5-cal1.us.example.com.ip = "bedge5-cal1.us.example.com"
  7. The fully qualified name for the calendar server MUST be the first entry in /etc/hosts files on all systems for this to work and the /etc/nsswitch.conf MUST be set up correctly. Example /etc/hosts file entry for BRM:


    10.1.82.143  bedge5-cal1.us.example.com bedge5-cal1.us.example.com bedge5-cal1

    For reference, a copy of the current ics.conf file from the Broomfield BE calendar cluster is in the appendix of this cookbook.

  8. Create the cal1-svc resource and define dependencies.


    phys-bedgeN-1# mkdir /shared/bedge5/cal/opt/opt
    phys-bedgeN-1# cd /shared/bedge5/cal/opt/opt
    phys-bedgeN-1# ln -s ../SUNWics5 SUNWics5
    phys-bedgeN-1# scrgadm -a -j cal1-svc-rs -g cal1-svc-rg -t SUNW.scics \
        -x Confdir_list=/shared/bedge5/cal/opt -y \
        Resource_dependencies=cal1-storplus-rs,cal1-addr-rs -y Port_list=80/tcp
    phys-bedgeN-1# scswitch -e -j cal1-svc-rs
  9. Verify that cal1-svc-rg, cal1-addr-rs, cal1-storplus-rs, and cal1-svc-rs are online and calendar processes running on node 1.


    phys-bedgeN-1# scstat -g
    phys-bedgeN-1# ps -ef | grep icsuser
  10. Verify services can be switched over to Node 2 successfully, and back again


    phys-bedgeN-1# scswitch -z -g cal1-svc-rg -h phys-bedge5-2
    phys-bedgeN-1# scstat -g
    phys-bedgeN-1# scswitch -z -g cal1-svc-rg -h phys-bedge5-1
    phys-bedgeN-1# scstat -g
  11. Duplicate the contents of /var/sadm/pkg/SUNWics5 on the other node. This is primarily for monitoring so that SunMC can determine if the package exists and set $serverroot. On the node where Calendar Server was installed:


    phys-bedgeN-1# mkdir /global/.devices/node@1/tmp
    phys-bedgeN-1# cd /var/sadm/pkg
    phys-bedgeN-1# tar cf /global/.devices/node@1/tmp/ics5.tar SUNWics5

    On the other node:


    phys-bedgeN-2# cd /var/sadm/pkg
    phys-bedgeN-2# tar xf /global/.devices/node@1/tmp/ics5.tar
    phys-bedgeN-2# rm -r /global/.devices/node@1/tmp

Procedure: To Configure Calendar Server on FE Servers

Before You Begin

Make sure directory server is configured and has an entry in the /etc/hosts file.

The following ports must be open for communication between the D1/FE servers and the D2/BE calendar servers (including cross-geo communication): 7997, 9779.

Know the Bind DN login (cn=directory manager) and password for LDAP, and the calmaster password.

Steps
  1. Run the calendar configuration script:


    fe-amer-N# cd /opt/SUNWics5/cal/sbin
    fe-amer-N# sh ./csconfigurator.sh -nodisplay
    
    Provide the following information during the configuration
    
    Sample:
       LDAP Server Name: ds-amer-02.us.example.com
       LDAP Port:  389
       Directory Manager Bind DN: cn=Directory Manager
       Directory Manager Bind Password: xxxxxxxx
       Base DN:  dc=example,dc=com
       Calendar Administrator Username:  calmaster
       Calendar Administrator Password:  xxxxxxxx
       Email Alarms:  Enabled
       SMTP Hostname: mail-amer.example.com
       http Port: 80 (Port 81 for Nauticus sites)
       Runtime Username:  icsuser
       Runtime Usergroup:  icsgroup
       Start after successful installation:    No
       Start on system startup:  Yes
       Database location: /var/opt/SUNWics5/csdb
       Temporary Files: /var/opt/SUNWics5/tmp
       Logs: /var/opt/SUNWics5/logs
  2. Follow the procedure To Request an SSL Certificate, and retrieve PKI certificates for the Calendar Server.

  3. Import the certificate chain:


    # certutil -A -n "ABC Trusted Root" -t "TCu,TCu,TCuw" -d . -a -i \
        ../ABC_chain.cert  -f ./PW
    # certutil -A -n "Example Corp Root CA - ABC Corporation" \
        -t  "C,," -d . -a -i ../Example_Corp.cert  -f ./PW
    # certutil -A -n "Example Corp CA (Class B) - Example Corp" \
        -t "C,," -d . -a -i "../Example Corp_cB.cert" -f ./PW
    # certutil -A -n "Server-Cert" -t "u,u,u" -d . -a -i ./cal.cert -f ./PW
  4. Create the certificate directory for calendar in the /etc/opt/SUNWics5/config directory:


    # cd /etc/opt/SUNWics5/config
    # mkdir alias
    # chown icsuser:icsgroup alias
  5. Copy the certificates to the calendar directory. Example for BRM:


    # cd /etc/opt/SUNWics5/config/alias
    # cp /usr/local/cert/SunPKI/cal/cert8.db cert8.db
    # cp /usr/local/cert/SunPKI/cal/key3.db key3.db
    # cp /usr/local/cert/SunPKI/cal/secmod.db secmod.db
    # cp /usr/local/cert/SunPKI/cal/sslpassword.conf sslpassword.conf
  6. Verify the certificates directory and files have the appropriate permissions:


    # cd /etc/opt/SUNWics5/config
    # ls -ld alias
    drwxr-xr-x   2 icsuser  icsgroup     512 Mar 24 11:52 alias/
    # ls -l alias
    drwxr-xr-x   2 icsuser  icsgroup     512 Mar 24 11:52 ./
    drwxr-xr-x  16 icsuser  icsgroup    1024 Jun  3 11:05 ../
    -rw-------   1 icsuser  icsgroup   65536 May 23 10:23 cert8.db
    -rw-------   1 icsuser  icsgroup   32768 May 23 10:23 key3.db
    -rw-------   1 icsuser  icsgroup   32768 May 23 10:23 secmod.db
    -rw-r--r--   1 icsuser  icsgroup      36 Mar 24 11:53 sslpassword.conf
      
  7. Verify the following parameters are set correctly for SSL in the ics.conf file:


    encryption.rsa.nssslactivation = "on"
    encryption.rsa.nssslpersonalityssl = "Server-Cert"
    encryption.rsa.nsssltoken = "internal"
    service.http.tmpdir = "/var/opt/SUNWics5/tmp"
    service.http.uidir.path = "html"
    service.http.ssl.cachedir = "."
    service.http.ssl.cachesize = "10000"
    service.http.ssl.certdb.password = "CertPassword"
    service.http.ssl.certdb.path = "/etc/opt/SUNWics5/config/alias"
    service.http.ssl.port.enable = "yes"
    service.http.ssl.port = "443"
    service.http.ssl.securelogin = "yes"
    service.http.ssl.sourceurl = "https://cal-amer.example.com:443"
    service.http.ssl.ssl2.ciphers = ""
    service.http.ssl.ssl2.sessiontimeout = "0"
    service.http.ssl.usessl = "yes"
  8. Modify /opt/SUNWics5/cal/html/*/default.html (for ALL languages) to set up the redirect to port 443 by adding the following code to each file:


    <script>
    if (window.location.protocol != 'https:')
        window.location = 'https://' + window.location.host
    </script>
  9. Modify the ics.conf file with the following parameters. When adding parameters to the ics.conf file that don't already exist, add them in the alphabetical order of the parameter name.


    caldb.berkeleydb.circularlogging = "yes"
    ! Should be set to the FQHN of the BE calendar server for the same geo as
    ! the FE systems. Example: sedge5-cal1.singapore.example.com
    caldb.dwp.server.default = "bedge5-cal1.us.example.com"
    caldb.dwp.server.bedge5-cal1.us.example.com.ip = "bedge5-cal1.us.example.com"
      

    NOTE: the fully qualified name for the BE calendar server MUST be the first entry in /etc/hosts files on all systems for this to work and the /etc/nsswitch.conf MUST be set up correctly.


    service.calendarsearch.ldap = "y"
    service.dwp.enable = "no"
    service.dwp.port = "9779"
    service.ens.enable = "no"
    service.notify.enable = "no"
    alarm.msgalarmnoticercpt = "gsdm-collector@example.com"
    alarm.msgalarmnoticesender = "gsdm-collector@example.com"
    caldb.calmaster = "gsdm-collector@example.com"
    caldb.cld.type = "directory"
    csapi.plugin.calendarlookup = "y"
    local.servername = "cal-amer.example.com"
    logfile.loglevel = "Information"
    service.admin.port = "21840"
    ! Should be the IP address of the BE calendar server for that geo
    service.ens.host = "xxx.xxx.xxx.xxx"
    service.ens.port = "7997"
    service.http.calendarhostname = "cal-amer.example.com"
    ! Should be the IP address of the FE for the geo, i.e. cal-amer.example.com
    service.http.listenaddr = "xxx.xxx.xxx.xxx"
    !service.listenaddr = "INADDR_ANY"
    service.store.enable = "no"
    
  10. The following parameter must be added to the ics.conf files of all servers (front and back ends) when a new backend server is brought on line.


    caldb.dwp.server.bedge5-cal1.us.example.com.ip = "bedge5-cal1.us.example.com"
  11. There will be at least four entries of this type in ics.conf files -- one each for Broomfield, Newark, Singapore and Gilmont Park. For example, once all of the Edge-3 sites are online, all ics.conf files will have the following entries:


    caldb.dwp.server.bedge5-cal1.us.example.com.ip = "bedge5-cal1.us.example.com" 
    caldb.dwp.server.sedge3-cal1.singapore.example.com.ip = "sedge3-cal1.singapore.example.com" 
    caldb.dwp.server.nedge5-cal1.sfbay.example.com.ip = "nedge5-cal1.sfbay.example.com"
    caldb.dwp.server.gedge5-cal1.uk.example.com.ip = "gedge5-cal1.uk.example.com"

    NOTE: For reference, a copy of the current ics.conf file from the Broomfield FE calendar servers is in the appendix of this cookbook.
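
A check for steps 4 through 6 of this procedure, as an added example that is not part of the original document: it audits the alias directory for ownership and mode. Requiring every file, including sslpassword.conf, to be readable by its owner only is this example's assumption and is stricter than the step 6 listing; the function names and the scratch directory are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the original procedure: audit the certificate
# directory built in steps 4-6.
# Assumption: every file must be owner-only (rw-------). The step 6 listing
# shows sslpassword.conf as rw-r--r--, so this audit reports it.

# mode_owner_group PATH -> "mode owner group" as shown by ls; the mode is cut
# to 10 characters so ACL or SELinux suffix characters are ignored.
mode_owner_group() {
    ls -ld "$1" | awk '{ print substr($1, 1, 10), $3, $4 }'
}

# audit_alias_dir DIR OWNER GROUP
# Prints one finding per line and returns 1 if anything was reported.
audit_alias_dir() {
    _dir=$1; _owner=$2; _group=$3; _rc=0
    set -- $(mode_owner_group "$_dir")
    case $1 in
        d????-??-?) ;;                        # no group or other write bit
        *) echo "DIRMODE $1"; _rc=1 ;;
    esac
    if [ "$2:$3" != "$_owner:$_group" ]; then
        echo "OWNER . $2:$3"; _rc=1
    fi
    for _f in cert8.db key3.db secmod.db sslpassword.conf; do
        if [ ! -f "$_dir/$_f" ]; then
            echo "MISSING $_f"; _rc=1; continue
        fi
        set -- $(mode_owner_group "$_dir/$_f")
        case $1 in
            -???------) ;;                    # readable by the owner only
            *) echo "MODE $_f $1"; _rc=1 ;;
        esac
        if [ "$2:$3" != "$_owner:$_group" ]; then
            echo "OWNER $_f $2:$3"; _rc=1
        fi
    done
    return $_rc
}

# Constructed sample: a scratch directory with the modes from the step 6 listing.
make_sample_alias_dir() {
    _d=$(mktemp -d) || return 1
    for _f in cert8.db key3.db secmod.db sslpassword.conf; do
        : > "$_d/$_f"; chmod 600 "$_d/$_f"
    done
    chmod 644 "$_d/sslpassword.conf"; chmod 755 "$_d"
    echo "$_d"
}

# Demo on the sample, using its real owner and group. On an FE the call is:
#   audit_alias_dir /etc/opt/SUNWics5/config/alias icsuser icsgroup
sample=$(make_sample_alias_dir)
set -- $(mode_owner_group "$sample")
audit_alias_dir "$sample" "$2" "$3" || echo "findings listed above"
rm -rf "$sample"
```

A MODE finding on sslpassword.conf is cleared with chmod 600 on that file, after which the audit returns 0.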

Procedure: To Patch Calendar Server on BE Servers

Steps
  1. The patches are currently on fe-amer-01.example.com in /var/tmp/cal_patches and are: 118099-01-2864962307.zip, T116577-11.tar.gz, and T118477-07.tar.gz. They should be applied in the above order. This includes the latest patch for calendar. Copy patches to the management station under /export/puppet/world/Calendar/patches.

  2. Unzip/Untar the patches (example assumes the tarfiles are in /var/tmp/cal_patches)


    # mount -F nfs mgmt-amer-01:/export/puppet/world /mnt
    # mkdir /var/tmp/cal_patches
    # cd /var/tmp/cal_patches
    # cp /mnt/Calendar/patches/118099-01-2864962307.zip .
    # cp /mnt/Calendar/patches/T116577-11.tar.gz .
    # cp /mnt/Calendar/patches/T118477-07.tar.gz .
    # unzip 118099-01-2864962307.zip
    # gzcat T116577-11.tar.gz | tar xf -
    # gzcat T118477-07.tar.gz | tar xf -
  3. Shut down the calendar service:


    # /usr/cluster/bin/scswitch -n -j cal1-svc-rs
  4. Apply the patches. The user nobody must have an /etc/group entry: /etc/group: nobody::60001:


    # cd /var/tmp/cal_patches
    # /usr/sbin/patchadd -d 118099-01
    # /usr/sbin/patchadd -d 116577-11
    # /usr/sbin/patchadd -d 118477-07
  5. Restart the calendar resources:


    # /usr/cluster/bin/scswitch -e -j cal1-svc-rs
    # umount /mnt

Procedure: To Patch and Verify Calendar Server on FE Servers

Steps
  1. Unzip/Untar the patches (example assumes the tarfiles are in /var/tmp/cal_patches)


    # mount -F nfs mgmt-amer-01:/export/puppet/world /mnt
    # mkdir /var/tmp/cal_patches
    # cd /var/tmp/cal_patches
    # cp /mnt/Calendar/patches/118099-01-2864962307.zip .
    # cp /mnt/Calendar/patches/T116577-11.tar.gz .
    # cp /mnt/Calendar/patches/T118477-07.tar.gz .
    # unzip 118099-01-2864962307.zip
    # gzcat T116577-11.tar.gz | tar xf -
    # gzcat T118477-07.tar.gz | tar xf -
  2. Shut down the calendar service:


    # cd /opt/SUNWics5/cal/sbin
    # ./stop-cal
    # ps -ef | grep icsuser
  3. Apply the patches. The user nobody must have an /etc/group entry: /etc/group: nobody::60001:


    # cd /var/tmp/cal_patches
    # /usr/sbin/patchadd -d 118099-01
    # /usr/sbin/patchadd -d 116577-11
    # /usr/sbin/patchadd -d 118477-07
  4. Restart the calendar service:


    # cd /opt/SUNWics5/cal/sbin
    # ./start-cal
    # ps -ef | grep icsuser
    icsuser 12047     1  0 18:29:06 ?        0:07 /opt/SUNWics5/cal/lib/cshttpd -d 3 -D 4
    icsuser 12041     1  0 18:29:04 ?        0:01 /opt/SUNWics5/cal/lib/csadmind
    icsuser 12048 12047  0 18:29:06 ?        0:07 /opt/SUNWics5/cal/lib/cshttpd -0 -d 0 -D 1 -b 1
    # umount /mnt
  5. Check that the front end is connecting with the backends:


    # cd /var/opt/SUNWics5/logs
    # grep cdwp_login http.log
    [10/May/2005:18:29:06 -0600] fe-amer-01 cshttpd[12047]: General Notice: caldb: cdwp_login: ctx for host:10.1.82.143 and port:9779 is authenticated and the sessionid is q6l05rw9x9eee8u
    [10/May/2005:18:29:07 -0600] fe-amer-01 cshttpd[12048]: General Notice: caldb: cdwp_login: ctx for host:10.1.82.143 and port:9779 is authenticated and the sessionid is bu9hbbv6t9ebn0

    There should be at least two of these entries (for the local backend) -- more, if there are multiple BE calendar servers configured in the ics.conf file.
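
The check in step 5, combined with the rule from the configuration procedures that every backend has a caldb.dwp.server.<host>.ip entry in every ics.conf, as an added shell example that is not from the original document. The function names, the 192.0.2.20 address and its log line are constructed, and holding every configured backend to the same minimum of two authenticated sessions is an assumption.

```shell
# Added example, not part of the original procedure.
# check_dwp_logins ICS_CONF HOSTS_FILE HTTP_LOG [MIN]
# For every active caldb.dwp.server.<host>.ip entry, resolve the value through
# the hosts file and count authenticated cdwp_login lines for that address.
# Prints "backend address count OK|LOW"; returns 1 if any backend is LOW.
# Assumption: MIN (default 2) applies to every backend, not only the local one.
check_dwp_logins() {
    awk -v min="${4:-2}" '
        FILENAME == ARGV[1] {                      # ics.conf
            if ($0 ~ /^[ \t]*!/) next              # "!" marks a comment line
            if ($0 ~ /^[ \t]*caldb\.dwp\.server\.[^= \t]+\.ip[ \t]*=/) {
                v = $0; sub(/^[^=]*=[ \t]*"/, "", v); sub(/".*$/, "", v)
                if (!(v in want)) { want[v] = 1; order[++n] = v }
            }
            next
        }
        FILENAME == ARGV[2] {                      # hosts file: name -> first IP
            sub(/#.*/, "")
            for (i = 2; i <= NF; i++) if (!($i in ip)) ip[$i] = $1
            next
        }
        /cdwp_login:/ && /is authenticated/ {      # http.log
            if (match($0, /host:[0-9.]+/))
                seen[substr($0, RSTART + 5, RLENGTH - 5)]++
        }
        END {
            rc = 0
            for (k = 1; k <= n; k++) {
                h = order[k]
                a = (h ~ /^[0-9.]+$/) ? h : ((h in ip) ? ip[h] : "unresolved")
                c = (a in seen) ? seen[a] : 0
                s = (a != "unresolved" && c >= min) ? "OK" : "LOW"
                if (s == "LOW") rc = 1
                print h, a, c, s
            }
            exit rc
        }' "$1" "$2" "$3"
}

# Constructed sample files. The first two log lines are the ones in step 5;
# 192.0.2.20 and its log line are made up for the second backend.
write_dwp_sample() {
    cat > "$1/ics.conf" <<'EOF'
caldb.dwp.server.default = "bedge5-cal1.us.example.com"
caldb.dwp.server.bedge5-cal1.us.example.com.ip = "bedge5-cal1.us.example.com"
caldb.dwp.server.sedge3-cal1.singapore.example.com.ip = "sedge3-cal1.singapore.example.com"
!caldb.dwp.server.gedge5-cal1.uk.example.com.ip = "gedge5-cal1.uk.example.com"
EOF
    cat > "$1/hosts" <<'EOF'
10.1.82.143  bedge5-cal1.us.example.com bedge5-cal1
192.0.2.20   sedge3-cal1.singapore.example.com sedge3-cal1
EOF
    cat > "$1/http.log" <<'EOF'
[10/May/2005:18:29:06 -0600] fe-amer-01 cshttpd[12047]: General Notice: caldb: cdwp_login: ctx for host:10.1.82.143 and port:9779 is authenticated and the sessionid is q6l05rw9x9eee8u
[10/May/2005:18:29:07 -0600] fe-amer-01 cshttpd[12048]: General Notice: caldb: cdwp_login: ctx for host:10.1.82.143 and port:9779 is authenticated and the sessionid is bu9hbbv6t9ebn0
[10/May/2005:18:29:08 -0600] fe-amer-01 cshttpd[12047]: General Notice: caldb: cdwp_login: ctx for host:192.0.2.20 and port:9779 is authenticated and the sessionid is SAMPLEONLY
EOF
}

tmp=$(mktemp -d); write_dwp_sample "$tmp"
check_dwp_logins "$tmp/ics.conf" "$tmp/hosts" "$tmp/http.log" ||
    echo "at least one backend has too few authenticated DWP sessions"
rm -rf "$tmp"
```

On an FE the arguments would be /etc/opt/SUNWics5/config/ics.conf, /etc/hosts and /var/opt/SUNWics5/logs/http.log; a backend reported as unresolved has no entry in the hosts file.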