Deployment Example: Sun Java System Communications Services for Access Anywhere (EdgeMail)

Chapter 4 Java ES Installation and Configuration

The installation and configuration of each Java Enterprise System component is performed sequentially on all necessary servers in the Edge complex. Because of component dependencies, the procedures in this chapter must be performed in the order in which they are presented. The names and numbers of servers identified in prompts are critical to performing commands on the correct servers.

The Java ES binaries, required patches, and silent install state files are transferred to each server as part of the system's jump-start installation. The files are unzipped in the directory /var/bits/ during the procedures for configuration in 3.2 Jump-Starting the Servers. If servers are not jump-started, the Java ES binaries must be downloaded to each server or copied from a CD.

The procedures in this chapter assume that Java ES binaries and files are located in /var/bits/. If binaries are located elsewhere, the paths in the commands should be modified accordingly. Some procedures rely on state files installed in /var/bits/ to provide configuration information during the silent installation of Java ES components. If these files are not present, see Creating a State File in Sun Java Enterprise System 2005Q4 Installation Guide for UNIX or perform an interactive installation to enter information manually.

Procedures often need to be repeated on a certain number of servers. In this case, command prompts and property values in the procedure may contain placeholders. In a prompt, a placeholder shows which servers you should perform that command on. In a property value, you should replace a placeholder with the current cluster or node number. The following placeholders are commonly used:

4.1 Upgrading Shared Components

Perform the following procedure to identify any shared components in the operating system that need to be upgraded before installing Java ES. Perform this procedure on all front-end (FE) and back-end (BE) servers.

Procedure: To Identify Upgrade Needs of Shared Components

Steps
  1. Launch the Java ES installer in command-line report-only mode:


    # cd /var/bits/
    # ./installer -nodisplay -no
  2. Proceed to the language selection page and select a language, by default en_US. After a language is selected, the installer begins inspection for previously installed components.

  3. If components are detected, a report will be shown. Review the report. If there are outdated versions, exit the installer now by typing “!” and upgrade those shared components.

  4. When all shared components are up-to-date, continue to the Component Selection menu and select the following components:

    • On FE systems designated as MTA

      • Sun Java System Messaging Server

    • On FE systems designated as MMP, MEM, or CE

      • Sun Java System Messaging Server

      • Sun Java System Communications Express

      • Sun Java System Calendar Server

      • Sun Java System Instant Messaging (Multiplexor and Client Resources)

      • Sun Java System Web Server

    • On FE systems designated as Portal Gateway

      • Sun Java System Portal Server

    • On BE systems designated as Messaging Store

      • Sun Java System Messaging Server

      • Sun Cluster

      • Sun Java System Directory Server

      • Sun Java System Access Manager

    • On BE systems designated as Calendar Store

      • Sun Java System Calendar Server

      • Sun Java System Instant Messaging (on one Calendar Server BE instance only)

      • Sun Java System Web Server (on the same BE instance as Instant Messaging only)

      • Sun Cluster

    The installer now checks for shared component dependencies. If there is a broken dependency, it will display an explanation.

  5. Exit the installer. If there are shared components to be installed/removed, do that before continuing.

  6. Make a copy of the /var/sadm/install/productregistry file on each server.

  7. Verify that the file /etc/resolv.conf exists and that the information it contains is correct.

  8. Verify that the 2nd column in the /etc/hosts file contains only fully-qualified domain names (FQDN) in all lower case (avoids known issue 6330974).
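The hosts-file convention in step 8 is easy to get wrong by hand across a dozen servers. The following function, added here as an example and not part of the Sun guide, checks a hosts file for it: every non-comment entry must have a lower-case name containing at least one dot in the second column. It exempts the localhost entry, which is an assumption the guide does not make explicit, and takes the file path as an argument so it can be run against a copy on any node.

```shell
#!/bin/sh
# Added example for step 8 above; not part of the Sun guide. Checks that the
# second column of every entry in a hosts file is a fully-qualified name in
# all lower case, the convention that avoids issue 6330974. The loopback
# entry "localhost" is exempted (an assumption; the guide does not discuss it).
# Prints each offending entry and returns the number of violations, 0 = clean.
check_hosts_fqdn() {
    hosts_file=${1:-/etc/hosts}
    bad=0
    while read -r ip name rest || [ -n "$ip" ]; do
        # Skip blank lines and comments. Aliases in "rest" are unconstrained.
        case "$ip" in ''|'#'*) continue ;; esac
        # Loopback entry: exempted by assumption, see the header comment.
        [ "$name" = "localhost" ] && continue
        lower=$(printf '%s' "$name" | tr 'A-Z' 'a-z')
        if [ "$name" != "$lower" ]; then
            echo "not lower case: $ip $name"
            bad=$((bad + 1))
        else
            case "$name" in
                *.*) ;;                          # contains a dot: accepted as fully qualified
                *)   echo "not fully qualified: $ip $name"; bad=$((bad + 1)) ;;
            esac
        fi
    done < "$hosts_file"
    # The exit status carries the count (capped at 255), so 0 means the file is clean.
    [ "$bad" -gt 255 ] && bad=255
    return "$bad"
}

# Usage on a node: check_hosts_fqdn /etc/hosts || echo "fix /etc/hosts before installing"
```

Run it on every FE and BE server before launching the installer; a non-zero status lists exactly the entries to correct.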

4.2 Installing and Configuring Sun Cluster

Perform the following procedure on the pair of back-end servers, called nodes, in each cluster. See 1.2.1 Physical System Names for more details.

Procedure: To Install and Configure Sun Cluster

Steps
  1. Edit the /etc/inet/hosts file on both nodes to contain the following lines. Set the IP addresses appropriately for each cluster:


    10.2.0.129   phys-bedgeN-1-ic-privateInterface1
    10.2.1.1     phys-bedgeN-1-ic-privateInterface2
    10.2.193.1   clusternode1-priv
    10.2.0.130   phys-bedgeN-2-ic-privateInterface1
    10.2.1.2     phys-bedgeN-2-ic-privateInterface2
    10.2.193.2   clusternode2-priv
  2. Enable key-based ssh login as root from the first node to the second node. The first node's host key is used as root's identity key; this access is needed only while the cluster is installed and is closed again in step 6:

    1. Display the public host key (it is added to the second node's authorized keys in substep 3) and install the matching private key as root's identity key:


      phys-bedgeN-1# cat /etc/ssh/ssh_host_rsa_key.pub
      phys-bedgeN-1# cp -p /etc/ssh/ssh_host_rsa_key /.ssh/id_rsa
    2. Establish an ssh connection to create the file /.ssh/known_hosts:


      phys-bedgeN-1# ssh phys-bedgeN-2
    3. Add the public key of the first node to the end of the list of authorized keys on the second node:


      phys-bedgeN-2# vi /.ssh/authorized_keys
    4. Save a backup of the sshd configuration file, then change the value of PermitRootLogin from no to yes:


      phys-bedgeN-2# cp -p /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
      phys-bedgeN-2# vi /etc/ssh/sshd_config
    5. Restart the ssh daemon on the second node and exit ssh:


      phys-bedgeN-2# /etc/init.d/sshd stop; /etc/init.d/sshd start
      phys-bedgeN-2# exit
    6. Connect to the second node with the following command to verify whether ssh is configured properly:


      phys-bedgeN-1# ssh root@phys-bedgeN-2 -o "BatchMode yes" \
                     -o "StrictHostKeyChecking yes" -n "uname -a"
    7. While still connected to the second node, back up the /etc/system file and then edit its contents:


      phys-bedgeN-2# cp -p /etc/system /etc/system.bak
      phys-bedgeN-2# vi /etc/system

      Comment out the line that loads the c2audit (BSM) kernel module, so that it reads:


      #set c2audit:audit_load = 1
  3. On both nodes, perform the following commands:


    phys-bedgeN-[12]# touch /etc/cluster/.installed
    
    phys-bedgeN-[12]# vi /etc/inet/inetd.conf

    In the /etc/inet/inetd.conf file, uncomment the lines for rpc.metad and rpc.metamedd, if they are commented out.

  4. Run the Sun Cluster installation script on the first node:


    phys-bedgeN-1# /usr/cluster/bin/scinstall
    
    *** Main Menu ***
    Please select from one of the following (*) options:
      -> * 1) Install a cluster or cluster node
    *** Install Menu ***
    Please select from any one of the following options:
      -> 1) Install all nodes of a new cluster
    *** Installing all Nodes of a New Cluster ***
    >>> Type of Installation <<<
      -> 2) Custom
    >>> Cluster Name <<<
      -> bedgeN
    >>> Cluster Nodes <<<
      -> phys-bedgeN-1, phys-bedgeN-2, Ctrl-D
    >>> Authenticating Requests to Add Nodes <<<
      -> Do you need to use DES authentication (yes/no) [no]? Enter
    >>> Network Address for the Cluster Transport <<<
      -> Is it okay to accept the default network address (yes/no) [yes]? Enter
         Is it okay to accept the default netmask (yes/no) [yes]? Enter
    >>> Point-to-Point Cables <<<
      -> Does this two-node cluster use transport junctions (yes/no) [yes]? no
    >>> Cluster Transport Adapters and Cables <<<
      -> Pick appropriate adapters
    >>> Software Patch Installation <<<
      -> Do you want scinstall to install patches for you (yes/no) [yes]? no
    >>> Global Devices File System <<<
      -> For node "phys-bedgeN-1",
      Is it okay to use this default (yes/no) [yes]? Enter
         For node "phys-bedgeN-2",
            Is it okay to use this default (yes/no) [yes]? Enter
    Is it okay to begin the installation (yes/no) [yes]? Enter
    Interrupt the installation for sccheck errors (yes/no) [no]? Enter
    
  5. If both nodes do not reboot automatically after the installation, reboot them, the second node first.

  6. Restore the modified files on the second node and restart its ssh daemon. This closes the root ssh access opened in step 2; the ssh command from substep 2.6 should now be refused:


    phys-bedgeN-2# mv /etc/system.bak /etc/system
    phys-bedgeN-2# mv /etc/ssh/sshd_config.bak /etc/ssh/sshd_config
    phys-bedgeN-2# /etc/init.d/sshd stop; /etc/init.d/sshd start
  7. On the first node only, list the DID devices and note the DID number of a shared disk to use as the quorum device (for example, the device that corresponds to ld0-00):


    phys-bedgeN-1# /usr/cluster/bin/scdidadm -L
  8. Again on the first node, set the quorum device to the DID number selected, then reset the install mode flag:


    phys-bedgeN-1# /usr/cluster/bin/scconf -a -q globaldev=DIDnumber
    phys-bedgeN-1# /usr/cluster/bin/scconf -c -q reset
  9. Configure NTP by adding the following lines to the /etc/inet/ntp.conf.cluster file on both nodes. The NTP servers should be those in the same domain as your Edge complex:


    peer clusternode1-priv prefer
    peer clusternode2-priv
    server NTPserver1
    server NTPserver2
    

    Then restart NTP with the following command:


    phys-bedgeN-[12]# /etc/init.d/xntpd stop; /etc/init.d/xntpd.cluster start
  10. Configure IPMP on both nodes with the appropriate adapters:


    phys-bedgeN-[12]# cp /etc/hostname.publicInterface1 /etc/hostname.publicInterface1.bak
    phys-bedgeN-[12]# vi /etc/hostname.publicInterface1
    

    Modify the file as follows:


    phys-bedgeN-[12] netmask + broadcast + group ipmp1 up \
    addif monitoringIP1 netmask + broadcast + deprecated -failover up

    Back up and modify the second file on both nodes:


    phys-bedgeN-[12]# cp /etc/hostname.publicInterface2 /etc/hostname.publicInterface2.bak
    phys-bedgeN-[12]# vi /etc/hostname.publicInterface2
    

    Modify the file as follows:


    monitoringIP2 netmask + broadcast + deprecated group ipmp1 \
    -failover standby up
  11. Configure the public interfaces on both nodes with the following commands:


    phys-bedgeN-M# ifconfig publicInterface1 group ipmp1
    phys-bedgeN-M# ifconfig publicInterface2 plumb
    phys-bedgeN-M# ifconfig publicInterface2 group ipmp1
    phys-bedgeN-M# ifconfig publicInterface1 addif monitoringIP1 \
    netmask + broadcast + deprecated -failover up
    phys-bedgeN-M# ifconfig publicInterface2 monitoringIP2 netmask \
    + broadcast + deprecated -failover standby up
  12. Set up disksets and file systems on the first node only. The following information should be used as a guide. See 2.2 Storage Area Network (SAN) for further details.

    • Each cluster has one diskset.

    • Each disk must be labeled with format, which is best done before creating a metaset. A script can be used to run format.

    • Disks ending in 04d0s2 are for LUN mapping and do not belong in a metaset but should be labeled to avoid errors on boot.

    • Disks ending in 03d0s2 02d0s2 01d0s2 will be the stores starting at metadevice 311.

    • Disks ending in 00d0s2 are the 20GB partitions and are subpartitioned into 5 and 15GB respectively for s0 and s1.

    • Disks ending in 00d0s2 use metadevices d300, d301, d302, and d304 (5GB conf, 15GB imta, 5GB var, and 15GB dbbackup respectively).

    • Reminder: when disks are added into a metaset, metadbs are automatically created and the disk is automatically partitioned.

    • Mirror across minnows and from the same logical device (ld0 to ld0), using the corresponding partition of the RAID 5 logical drive.

    • Use the following commands on minnows to get information needed in creating metasets:


      # sccli minnow show unique
      # sccli minnow show logical
    • In general, once a metaset is created on the first mail cluster, its metastat -p output can be used for clusters 2 and 3; cluster 4 may differ because it uses all the minnows and does not have LDAP on node 2.

    • Because there is no data and newfs will be used, the following example attaches both mirrors using metainit instead of using metattach:


      # metaset -s bedgeN-ds -a -h phys-bedgeN-1 phys-bedgeN-2
      # metaset -s bedgeN-ds -a -m phys-bedgeN-1 phys-bedgeN-2
      # metaset -s bedgeN-ds -a /dev/did/dsk/DIDnumber /dev/did/dsk/DIDnumber ..
      
      Sample:
      # metainit -s bedgeN-ds  d400 1 1 /dev/did/dsk/dAs0
      # metainit -s bedgeN-ds  d500 1 1 /dev/did/dsk/dBs0
      # metainit -s bedgeN-ds  d300 -m d400 d500
      
      # metainit -s bedgeN-ds  d401 1 1 /dev/did/dsk/dAs1
      # metainit -s bedgeN-ds  d501 1 1 /dev/did/dsk/dBs1
      # metainit -s bedgeN-ds  d301 -m d401 d501
       
      # metainit -s bedgeN-ds  d402 1 1 /dev/did/dsk/dCs0
      # metainit -s bedgeN-ds  d502 1 1 /dev/did/dsk/dDs0
      # metainit -s bedgeN-ds  d302 -m d402 d502
      
      # metainit -s bedgeN-ds  d403 1 1 /dev/did/dsk/dCs1
      # metainit -s bedgeN-ds  d503 1 1 /dev/did/dsk/dDs1
      # metainit -s bedgeN-ds  d303 -m d403 d503
        ...
      
      # newfs /dev/md/bedgeN-ds/d300
      # newfs /dev/md/bedgeN-ds/d301
      # newfs /dev/md/bedgeN-ds/d302
      # newfs /dev/md/bedgeN-ds/d303
      # newfs -m 3 -i 4096 -o time /dev/md/bedgeN-ds/d311
      # newfs -m 3 -i 4096 -o time /dev/md/bedgeN-ds/d312
        ...
    • For the messaging clusters, add the following lines to /etc/vfstab on both nodes, then run mkdir on one of the nodes:


      /dev/md/disksetName/dsk/d300 /dev/md/disksetName/rdsk/d300 \
        /shared/bedgeN/msg/conf ufs 1 no logging,nosuid
      /dev/md/disksetName/dsk/d301 /dev/md/disksetName/rdsk/d301 \
        /shared/bedgeN/msg/imta ufs 1 no logging,nosuid
      /dev/md/disksetName/dsk/d302 /dev/md/disksetName/rdsk/d302 \
        /shared/bedgeN/msg/var ufs 1 no logging,nosuid
      /dev/md/disksetName/dsk/d303 /dev/md/disksetName/rdsk/d303 \
        /shared/bedgeN/msg/dbbackup ufs 1 no logging,nosuid
      /dev/md/disksetName/dsk/d311 /dev/md/disksetName/rdsk/d311 \
        /shared/bedgeN/msg/partition/store001 ufs 2 no logging,nosuid
      /dev/md/disksetName/dsk/d312 /dev/md/disksetName/rdsk/d312 \
        /shared/bedgeN/msg/partition/store002 ufs 2 no logging,nosuid
      ...

      # mkdir -p /shared/bedgeN/msg/conf
      # mkdir -p /shared/bedgeN/msg/imta
      # mkdir -p /shared/bedgeN/msg/var
      # mkdir -p /shared/bedgeN/msg/dbbackup
      # mkdir -p /shared/bedgeN/msg/partition/store001
      # mkdir -p /shared/bedgeN/msg/partition/store002
    • For the calendar clusters, add the following lines to /etc/vfstab on both nodes, then run mkdir on one of the nodes:


      /dev/md/disksetName/dsk/d300 /dev/md/disksetName/rdsk/d300 \
      /shared/bedgeN/cal/opt ufs 2 no logging
      /dev/md/disksetName/dsk/d301 /dev/md/disksetName/rdsk/d301 \
      /shared/bedgeN/cal/dbbackup ufs 2 no logging,nosuid

      # mkdir -p /shared/bedgeN/cal/opt
      # mkdir -p /shared/bedgeN/cal/dbbackup
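Steps 2 and 6 of the procedure above open and then close root ssh access on the second node of each cluster. The following functions, added here as an example and not part of the Sun guide, verify on the second node that the access really is closed again: that sshd's effective PermitRootLogin is "no", honouring sshd's rule that the first occurrence of a keyword wins, and that the first node's host key is no longer listed in root's authorized_keys. The guide does not remove that key, but it serves no purpose once installation is complete. The functions assume the "Keyword value" form of sshd_config without Match blocks and authorized_keys lines without option prefixes, both of which hold for the sshd of this era; the path of the copied public key in the usage comment is an assumption.

```shell
#!/bin/sh
# Added example; not part of the Sun guide. After step 6 of the Sun Cluster
# procedure has put the saved sshd_config back on the second node, confirm that
# the temporary root access opened in step 2 is closed. Paths are passed as
# arguments so the functions can be run against copies. Assumptions: sshd_config
# uses "Keyword value" lines and no Match blocks; authorized_keys lines are
# plain "type base64 comment" without option prefixes.

# Print the effective value of an sshd_config keyword, or "unset". sshd uses
# the first occurrence of a keyword and matches keywords case-insensitively,
# so a later duplicate or a commented copy of the line must not be trusted.
sshd_effective_value() {
    conf=$1
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    while read -r k v rest || [ -n "$k" ]; do
        case "$k" in ''|'#'*) continue ;; esac
        if [ "$(printf '%s' "$k" | tr 'A-Z' 'a-z')" = "$key" ]; then
            printf '%s\n' "$v"
            return 0
        fi
    done < "$conf"
    printf 'unset\n'
}

# Return 0 if the key in the .pub file $2 is listed in the authorized_keys
# file $1. Only the key type and base64 blob are compared; the comment is
# ignored so that an edited comment cannot hide a leftover key.
authorized_key_present() {
    authkeys=$1
    pubfile=$2
    set -- $(cat "$pubfile")
    pubtype=$1
    pubblob=$2
    while read -r t b rest || [ -n "$t" ]; do
        case "$t" in ''|'#'*) continue ;; esac
        if [ "$t" = "$pubtype" ] && [ "$b" = "$pubblob" ]; then
            return 0
        fi
    done < "$authkeys"
    return 1
}

# Post-installation check for the second node: PermitRootLogin must read "no"
# again, and the first node's host key should no longer be authorized once
# the cluster is up. Prints one line per finding; returns 0 only when clean.
ssh_access_closed() {
    conf=$1
    authkeys=$2
    pubfile=$3
    rc=0
    v=$(sshd_effective_value "$conf" PermitRootLogin)
    if [ "$v" != "no" ]; then
        echo "PermitRootLogin is '$v', expected 'no'"
        rc=1
    fi
    if authorized_key_present "$authkeys" "$pubfile"; then
        echo "key from $pubfile is still listed in $authkeys"
        rc=1
    fi
    return "$rc"
}

# Usage on phys-bedgeN-2, with node 1's ssh_host_rsa_key.pub copied to an
# assumed path /var/tmp/node1.pub:
#   ssh_access_closed /etc/ssh/sshd_config /.ssh/authorized_keys /var/tmp/node1.pub
```

If the key is still listed, delete its line from /.ssh/authorized_keys on the second node; the copy of the host private key placed in /.ssh/id_rsa on the first node in substep 2.1 can be removed at the same time.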

4.3 Installing and Configuring Directory Server

Directory Server will be installed only as a standalone service on the second node of each back-end cluster. Each installation will be configured to have a configuration directory branch called CFG and a user directory branch called USR.

Obtain the following state files from your Sun representative and store them in the directory /var/bits/silent of the designated host.

Filename        Designated Host   Contents
ds.cnf          All               Base binaries
ds-cfg-1.cnf    ds-amer-01.us     Master CFG branch configuration state file
ds-cfg-2.sh     ds-amer-02.us     Replica CFG branch configuration as a shell script
ds-cfg-3.sh     ds-amer-03.us     Replica CFG branch configuration as a shell script
ds-cfg-fe.cnf   fe-amer-NN.us     Front-end CFG branch configuration state file
ds-usr-1.sh     ds-amer-01.us     Master USR branch configuration as a shell script
ds-usr-2.cnf    ds-amer-02.us     Replica USR branch configuration state file
ds-usr-3.cnf    ds-amer-03.us     Replica USR branch configuration state file

Procedure: Installing the Directory Server Instances

Steps
  1. Plumb all interfaces. Make sure /etc/netmasks is updated correctly before you proceed.


    phys-bedge[123]-2# ifconfig ce1:5 plumb
    phys-bedge[123]-2# ifconfig ce1:5 129.147.156.132 netmask + broadcast + up
    phys-bedge[123]-2# echo "ds-amer-N" > /etc/hostname.ce1:5
  2. The file /etc/hosts should also be updated with IP address and host mapping for all Directory Server hosts at the site:


    phys-bedge[123]-2# grep "ds-" /etc/hosts
    
    129.147.156.132  ds-amer-01 ds-amer-01.us  ds-amer-01.us.example.com
    129.147.156.133  ds-amer-02 ds-amer-02.us  ds-amer-02.us.example.com
    129.147.156.134  ds-amer-03 ds-amer-03.us  ds-amer-03.us.example.com
  3. Install the Directory Server binaries with the Java ES installer on BE clusters 1, 2, and 3, and on all FE hosts. Nothing in the silent install state file ds.cnf needs changing.


    phys-bedge[123]-2# cd /var/bits/java_es/Solaris_sparc
    phys-bedge[123]-2# ./installer -noconsole -state /var/bits/silent/ds.cnf
    
    fe-amer-NN# cd /var/bits/java_es/Solaris_sparc
    fe-amer-NN# ./installer -noconsole -state /var/bits/silent/ds.cnf
  4. Create the configuration branches (CFG) on the BE servers. A CFG instance must exist on every server that will also host a USR instance.


    phys-bedge1-2# /usr/sbin/directoryserver -u 5.2 configure -noconsole \
                   -nodisplay -state /var/bits/silent/ds-cfg-1.cnf
    
      Update of the Directory Server layout ... done
      Update of the links between server root and Directory Server Layout ... done
    
      [slapd-cfg]: starting up server ...
      [slapd-cfg]: [26/Jan/2005:14:20:28 -0800] -
    Sun-ONE-Directory/5.2_Patch_2 B2004.107.0034 (64-bit) starting up
      [slapd-cfg]: [26/Jan/2005:14:20:31 -0800] -
    Listening on all interfaces port 34389 for LDAP requests
      [slapd-cfg]: [26/Jan/2005:14:20:31 -0800] - slapd started. 
      Your new directory server has been started.
      Created new Directory Server
      Start Slapd  Starting Slapd server configuration.
       Success Slapd Added Directory Server information to Configuration Server.
    
      Configuration of the server(s) succeeded.
    
    phys-bedge2-2# /var/bits/silent/ds-cfg-2.sh
      ...
    
    phys-bedge3-2# /var/bits/silent/ds-cfg-3.sh
      ...
  5. Create CFG instances on the FE servers with the following commands:


    fe-amer-NN# /usr/sbin/directoryserver -u 5.2 configure -noconsole \
                 -nodisplay -state /var/bits/silent/ds-cfg-fe.cnf
  6. Create the USR instance on the master directory (phys-bedge1-2), and configure the USR instance on the replicas:


    phys-bedge1-2# /var/bits/silent/ds-usr-1.sh
    
      [slapd-usr]: starting up server ...
      [slapd-usr]: [26/Jan/2005:14:21:58 -0800] -
    Sun-ONE-Directory/5.2_Patch_2 B2004.107.0034 (64-bit) starting up
      [slapd-usr]: [26/Jan/2005:14:22:01 -0800] -
    Listening on all interfaces port 389 for LDAP requests
      [slapd-usr]: [26/Jan/2005:14:22:01 -0800] - slapd started. 
      Your new directory server has been started.
      Created new Directory Server
      Start Slapd  Starting Slapd server configuration.
      Success Slapd Added Directory Server information to Configuration Server.
    
    phys-bedge2-2# /usr/sbin/directoryserver -u 5.2 configure -noconsole \
                   -nodisplay -state /var/bits/silent/ds-usr-2.cnf
      ...
    
    phys-bedge3-2# /usr/sbin/directoryserver -u 5.2 configure -noconsole \
                   -nodisplay -state /var/bits/silent/ds-usr-3.cnf
      ...

Procedure: Configuring the Directory Server

Steps
  1. Bind the Directory Server instances to specific IP addresses, so that they no longer listen on all interfaces as the configuration output above shows. Replace IPaddress with the virtual IP address on which you want Directory Server to respond. Replace DShostname with the logical service name corresponding to the host you are configuring, for example ds-sfbay-02.sfbay on phys-bedge2-2.


    # cd /var/bits/silent
    
    For USR server on BE:
    phys-bedge[123]-2# ./ldap_1.ldif DShostname IPaddress 389
    
    For CFG server on BE:
    phys-bedge[123]-2# ./ldap_1.ldif DShostname IPaddress 34389
    
    For CFG server on FE:
    fe-amer-NN# ./ldap_1.ldif DShostname IPaddress 34389
  2. Enable the change log on the master replica of the user directory. The following command should create the directory /opt/ds/changelog. If it does not, create it owned by dsuser:dsgroup and then run the script. The script also updates the schema with the Safeword object class and attribute.


    phys-bedge1-2# ./ldap_2.ldif
  3. Configure Directory Server to start automatically at system boot. Edit the file /etc/init.d/directory on every node that runs Directory Server and comment out lines 115 and 116, which otherwise make the script exit silently on a cluster node:


    # Test if we are in a cluster and silently exit if so
    #is_cluster_mode
    #[ $? -eq 0 ] && exit 0
  4. Change the userRoot db database directory to a different partition:


    phys-bedge[123]-2# mkdir /var/ldap/db; chown dsuser:dsgroup /var/ldap/db
    phys-bedge[123]-2# cd /opt/ds/slapd-usr
    phys-bedge[123]-2# ./stop-slapd
    phys-bedge[123]-2# cd /opt/ds/slapd-usr/db
    phys-bedge[123]-2# mv userRoot /var/ldap/db
    phys-bedge[123]-2# cd /opt/ds/slapd-usr/config
  5. Modify the dse.ldif file in order to change the nsslapd-directory parameter to the new userRoot directory:


    nsslapd-directory: /var/ldap/db/userRoot
  6. Start the USR directory instances


    phys-bedge[123]-2# cd /opt/ds/slapd-usr
    phys-bedge[123]-2# ./start-slapd
  7. Configure ACIs (Access Control Instructions). The second ACI grants anonymous read access to every attribute except the password, lockout and portal attributes it lists; keep that exclusion list intact if you add attributes later:


    aci: (targetattr="mailQuota")(version 3.0; acl "ERL mailQuota"; allow (write) userdn="ldap:///uid=adminuser,ou=people,dc=example,dc=com";)
    
    aci: (targetattr != "userPassword || passwordHistory || passwordExpirationTime || passwordExpWarned || passwordRetryCount || retryCountResetTime || accountUnlockTime || passwordAllowChangeTime || sunPortalDesktopDpDocumentUser || sunPortalDesktopDpDocument || sunMobileAppMailConfig || sunMobileAppABConfig") (version 3.0; acl "Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)
    
    aci: (target = "ldap:///ou=people,dc=example,dc=com")(targetattr = "*")(version 3.0; acl "Allow access to all under ou=people,dc=example,dc=com"; allow (all) userdn = "ldap:///uid=itmsgroot,ou=people,dc=example,dc=com";)
    
    aci: (target = "ldap:///o=pab")(targetattr = "*")(version 3.0; acl "Allow public ro access to PAB"; allow (read, search, compare) userdn = "ldap:///anyone";)
  8. Create a root account. Replace password with a strong value before loading this entry; the third ACI above grants this account all rights under ou=people:


    dn: uid=itmsgroot,ou=people,dc=example,dc=com
    changetype: add
    objectclass: top
    objectclass: person
    objectclass: account
    uid: itmsgroot
    cn: Messaging Server Root
    sn: Root
    userpassword: password
  9. Tune the USR instances to use more cache for their database.


    phys-bedge[123]-2# cd /var/bits/silent
    phys-bedge[123]-2# ./tune-usr.ldif DShostname
    
  10. Tune the CFG instances to allow for more lookups at a time, in order for the alluser alias to work:


    phys-bedge[123]-2# cd /var/bits/silent
    phys-bedge[123]-2# ./tune-cfg.ldif DShostname
    
  11. Copy the prepared directory schema and restart the USR instances:


    phys-bedge[123]-2# cd /opt/ds/slapd-usr
    phys-bedge[123]-2# ./stop-slapd
    phys-bedge[123]-2# cd config
    phys-bedge[123]-2# mv schema schema.old
    phys-bedge[123]-2# cp /var/bits/silent/schema-usr.tar .
    phys-bedge[123]-2# tar -xvf schema-usr.tar
    phys-bedge[123]-2# rm -rf schema-usr.tar schema.old
    phys-bedge[123]-2# cd ..; ./start-slapd  
  12. Look for errors during the restart:


    phys-bedge[123]-2# tail -10 logs/errors
  13. Copy the prepared directory schema and restart the CFG instances:


    phys-bedge[123]-2# cd /opt/ds/slapd-cfg
    phys-bedge[123]-2# ./stop-slapd
    phys-bedge[123]-2# cd config
    phys-bedge[123]-2# mv schema schema.old
    phys-bedge[123]-2# cp /var/bits/silent/schema-cfg.tar .
    phys-bedge[123]-2# tar -xvf schema-cfg.tar
    phys-bedge[123]-2# rm -rf schema-cfg.tar schema.old
    phys-bedge[123]-2# cd ..; ./start-slapd  
  14. Look for errors during the restart:


    phys-bedge[123]-2# tail -10 logs/errors
  15. Set up the USR instances for Messaging. These steps will mimic running the comms_dssetup.pl script for the slapd-usr instance:

    1. Copy the prepared configuration file:


      phys-bedge[123]-2# cd /var/bits/silent
      phys-bedge[23]-2# cp msg-ds-setup.sh msg-ds-setup.ldif /var/tmp
      phys-bedge[23]-2# chmod 750 /var/tmp/msg-ds-setup.sh
    2. Change the IP address in the script to be that of the current USR instance.


      phys-bedge[23]-2# vi /var/tmp/msg-ds-setup.sh
    3. Run the script:


      phys-bedge[23]-2# /var/tmp/msg-ds-setup.sh -D "cn=directory manager" -w password
        ...
    4. Examine /var/tmp/msg-ds-setup.ldif.rej for any unusual errors. It is normal to see a couple of entries in this file.


      phys-bedge[23]-2# ps -ef |grep slapd ; cat /var/tmp/msg-ds-setup.ldif.rej
  16. Install the password syntax plug-in. This should be done only on the master replica of the USR instance. Saving the dictionary file as /usr/local/etc/words-english-big.txt.disabled disables dictionary checks, if that is desired.


    phys-bedge1-2# cd /var/bits/silent/pass_syntax_plugin-2.30
    phys-bedge1-2# mkdir -p /usr/local/etc; mkdir -p /usr/local/lib/64
    phys-bedge1-2# cp libpstx-plugin.so /usr/local/lib
    phys-bedge1-2# cp 64/libpstx-plugin.so /usr/local/lib/64
    phys-bedge1-2# cd /var/bits/silent
    phys-bedge1-2# cp words* /usr/local/etc/words-english-big.txt.disabled
    phys-bedge1-2# ldapmodify -v -h DShostname -D "cn=directory manager" \
        -w password -a -f pass_syntax_plugin-2.30/pass_syntax_plugin.ldif
  17. Stop and restart the USR instance. Confirm that the plugin started successfully with information displayed on stdout. Fix any errors that are displayed.

  18. Disable the Pass-Through Authentication (PTA) plug-in on CFG instances. Ignore any errors caused when the PTA plug-in is not enabled.


    phys-bedge[123]-2# ldapmodify -p 34389 -h DShostname -D \
        "cn=directory manager" -w password
    dn: cn=Pass Through Authentication,cn=plugins,cn=config
    changetype: modify
    replace: nsslapd-pluginEnabled
    nsslapd-pluginEnabled: off
  19. Set up the Directory Server instances with SSL. Edit the cert.sh file to use the correct virtual IP (VIP) address for the certificate being generated; the VIP must be changed for each server you do this on. Use the same password every time you are prompted for one.


    phys-bedge[123]-2# cd /var/bits/silent
    phys-bedge[123]-2# ./cert.sh
      ...
    phys-bedge[123]-2# ./ldap-ssl.ldif DShostname
    
  20. Configure Directory Server to start up without a password prompt, which SSL otherwise requires. Create a file that contains the password chosen in the previous step; because it holds that password in clear text, restrict its ownership and mode as shown below. For USR instances, create /opt/ds/alias/slapd-usr-pin.txt:


    Internal (Software) Token:password
    

    For CFG instances, create /opt/ds/alias/slapd-cfg-pin.txt:


    phys-bedge[123]-2# cp /opt/ds/alias/slapd-usr-pin.txt /opt/ds/alias/slapd-cfg-pin.txt
    phys-bedge[123]-2# chown dsuser:dsgroup /opt/ds/alias/*
    phys-bedge[123]-2# chmod 600 /opt/ds/alias/* 

    Restart both CFG and USR instances:


    phys-bedge[123]-2# cd /opt/ds/slapd-usr; ./stop-slapd; ./start-slapd
    phys-bedge[123]-2# cd /opt/ds/slapd-cfg; ./stop-slapd; ./start-slapd
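The PIN files of step 20 hold the certificate database password in clear text, so their protection is worth checking on every directory host rather than trusting the chown and chmod above to have run on each one. The following check, added here as an example and not part of the Sun guide, verifies that both files are regular files with mode 0600, owned by dsuser, and begin with the "Internal (Software) Token:" line with a non-empty password after the colon. The user name dsuser and the directory /opt/ds/alias are the guide's values; both are parameters so the check can be run against test copies.

```shell
#!/bin/sh
# Added example; not part of the Sun guide. The PIN files written in step 20
# hold the certificate database password in clear text, so they must stay
# readable by the directory server user only. These functions check mode,
# owner and the expected first line. The user name "dsuser" and the directory
# /opt/ds/alias are the guide's; both are parameters so the check can be run
# against test copies.

# Resolve a user name or numeric uid to a uid (name lookup via id(1)).
uid_of() {
    case "$1" in
        *[!0-9]*) id -u "$1" ;;
        *)        printf '%s\n' "$1" ;;
    esac
}

# Return 0 if $1 is a regular file, mode 0600, owned by uid $2, and starts
# with the "Internal (Software) Token:" line from step 20 with a non-empty
# password after the colon. One message per finding on stdout.
pin_file_ok() {
    file=$1
    want_uid=$(uid_of "$2")
    rc=0
    if [ ! -f "$file" ]; then
        echo "$file: missing"
        return 1
    fi
    # ls -ldn prints the mode string and numeric owner in columns 1 and 3 on
    # Solaris and Linux alike; a trailing "+" or "." on the mode marks an ACL
    # or security label, which this check does not interpret.
    set -- $(ls -ldn "$file")
    mode=$1
    owner=$3
    case "$mode" in
        -rw-------|-rw-------+|-rw-------.) ;;
        *) echo "$file: mode $mode, expected -rw------- (0600)"; rc=1 ;;
    esac
    if [ "$owner" != "$want_uid" ]; then
        echo "$file: owner uid $owner, expected $want_uid"
        rc=1
    fi
    if ! head -n 1 "$file" | grep -q '^Internal (Software) Token:.'; then
        echo "$file: first line is not 'Internal (Software) Token:<password>'"
        rc=1
    fi
    return "$rc"
}

# Check both PIN files of one host. Usage: check_pin_files [owner] [dir]
# With no arguments it checks /opt/ds/alias for dsuser, as in the guide.
check_pin_files() {
    owner=${1:-dsuser}
    dir=${2:-/opt/ds/alias}
    rc=0
    for f in "$dir/slapd-usr-pin.txt" "$dir/slapd-cfg-pin.txt"; do
        pin_file_ok "$f" "$owner" || rc=1
    done
    return "$rc"
}
```

Run check_pin_files on each phys-bedge[123]-2 host after the restart; a non-zero status names the file and the property that is wrong.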

Procedure: Configuring Administration Server

Administration Server is installed on the first node of every BE cluster for use by Messaging Server, and additionally on phys-bedge1-2 for Directory Server and on the FE hosts. The following state files are used in this section:

Filename        Designated Host                 Contents
adm.cnf         all                             State file for silent installation
ds-adm-1.cnf    ds-amer-01.us (phys-bedge1-2)   Administration Server for Directory Server
ms-adm-1-1.cnf  phys-bedge1-1.us                Administration Server for Messaging Server
ms-adm-2-1.cnf  phys-bedge2-1.us                Administration Server for Messaging Server
ms-adm-3-1.cnf  phys-bedge3-1.us                Administration Server for Messaging Server
ms-adm-4-1.cnf  phys-bedge4-1.us                Administration Server for Messaging Server
ms-adm-fe.cnf   fe-amer-NN.us                   Administration Server for FE Directory Server

Steps
  1. Copy the base binaries and install the Administration Server on the first node of the messaging clusters and all FE hosts:


    phys-bedge[1234]-1# cd /var/bits/Solaris_sparc
    phys-bedge[1234]-1# ./installer -noconsole -state /var/bits/silent/adm.cnf
    
    phys-bedge1-2# cd /var/bits/Solaris_sparc
    phys-bedge1-2# ./installer -noconsole -state /var/bits/silent/adm.cnf
    
    fe-amer-NN# cd /var/bits/Solaris_sparc
    fe-amer-NN# ./installer -noconsole -state /var/bits/silent/adm.cnf
  2. Configure Administration Server for Messaging Server on all first nodes and FE hosts:


    phys-bedge[1234]-1# /usr/sbin/mpsadmserver configure -nodisplay -noconsole \
                        -state /var/bits/silent/ms-adm-N-1.cnf
    
    Checking connection to the Configuration Directory Server... done.
    
    Updating Administration Server layout... done.
    Updating links between Server Root and Administration Server layout... done.
    Registering Administration Server with Configuration Directory Server... done.
    Loading Administration Server tasks... done.
    Loading global Administration Server configuration... done.
    Generating configuration files ... done.
    
    Configuration of the Administration Server succeeded.
    
    fe-amer-NN# /usr/sbin/mpsadmserver configure -nodisplay -noconsole \
                 -state /var/bits/silent/ms-adm-fe.cnf
    
    Checking connection to the Configuration Directory Server... done.
    
    Updating Administration Server layout... done.
    Updating links between Server Root and Administration Server layout... done.
    Registering Administration Server with Configuration Directory Server... done.
    Loading Administration Server tasks... done.
    Loading global Administration Server configuration... done.
    Generating configuration files ... done.
    
    Configuration of the Administration Server succeeded.
  3. Configure Administration Server for Directory Server:


    phys-bedge1-2# /usr/sbin/mpsadmserver configure -nodisplay -noconsole \
                   -state /var/bits/silent/ds-adm-1.cnf
    
    Checking connection to the Configuration Directory Server... done.
    
    Updating Administration Server layout... done.
    Updating links between Server Root and Administration Server layout... done.
    Registering Administration Server with Configuration Directory Server... done.
    Loading Administration Server tasks... done.
    Loading global Administration Server configuration... done.
    Generating configuration files ... done.
    
    Configuration of the Administration Server succeeded.

Procedure: Setting Up Replication

This deployment example shows the installation of a single Edge complex. However, several complexes are meant to be deployed geographically, and directory information must be shared among them through replication. Each site has a master and two consumer replicas. The master at each site is configured in multi-master replication with the other site masters. The following table shows the Directory Server instances at each site, their type and the unique replica ID chosen for each.

Directory Server Host   Replica Type    Value of nsDS5ReplicaId
ds-amer-01              USR master      100
ds-amer-02              USR replica 2   200
ds-amer-03              USR replica 3   300
ds-euro-01              USR master      101
ds-euro-02              USR replica 2   201
ds-euro-03              USR replica 3   301
ds-asia-01              USR master      102
ds-asia-02              USR replica 2   202
ds-asia-03              USR replica 3   302
ds-soam-01              USR master      103
ds-soam-02              USR replica 2   203
ds-soam-03              USR replica 3   303

Steps
  1. Obtain the setup-mmr.ldif and setup-replica.ldif files from your Sun representative. Edit these files to contain the correct host names and replica ID values for your Edge complex.

  2. Set up multi-master replication on the servers designated -01 only. Edit the setup file to contain the suffix name each time prior to running the command:

    • o=NetscapeRoot

    • dc=example,dc=com

    • o=pab

    • o=PiServerDb

    Run the setup command once for each suffix in the directory:


    phys-bedge1-2# vi setup-mmr.ldif
    phys-bedge1-2# ./setup-mmr.ldif
  3. Set up the consumer replicas on the servers designated -02 and -03. Run the following commands once for each of the suffixes listed in the previous step. Edit the setup file to contain the suffix name each time prior to running the command:


    phys-bedge[23]-2# vi setup-replica.ldif
    phys-bedge[23]-2# ./setup-replica.ldif

4.4 Installing and Configuring Web Server

Web Server is installed on the front-end (FE) servers for mail filters and on the back-end (BE) servers for hosting Access Manager.

Procedure: To Install Web Server on Front-End Servers

Steps
  1. Add the runtime userid webservd to the following files:


    /etc/passwd: webservd:x:80:80::/home/webservd:/bin/pfsh
    /etc/shadow: webservd:*LK*:::::::
    /etc/group: webservd::80:
  2. Make sure the hostname mail-domain is plumbed and working.

  3. Modify the silent install state file to contain the hostname and IP address of the current server.


    # cd /var/bits/silent
    # vi FEWebServerStateFile
    
  4. Run the Java ES installer using the same state file.


    # cd /var/bits/Java_es/Solaris_sparc
    # ./installer -nodisplay -noconsole -state /var/bits/silent/FEWebServerStateFile
    

Procedure: To Install Web Server on Back-End Servers

Steps
  1. Add the runtime userid webservd to the following files:


    /etc/passwd: webservd:x:80:80::/home/webservd:/bin/pfsh
    /etc/shadow: webservd:*LK*:::::::
    /etc/group: webservd::80:
  2. Make sure the hostname of the current server id-amer-NN.us is plumbed and working.

  3. Run the Java ES installer in graphical or command-line mode.


    # cd /var/bits/Java_es/Solaris_sparc
    # ./installer [ -nodisplay ]
  4. Proceed through the installer, and select Web Server for installation. Then enter the following configuration values when prompted:


    Install directory: /apps
    hostname: id-amer-NN.us
    http port: 80
    Runtime user: webservd
    Admin Port: 8888

Procedure: To Configure Web Server

Steps
  1. Log in to the administration port of the server at http://id-amer-NN.domain:8888/

  2. Create virtual server instance ls2 for secure connections on port 443. The silent install file uses the following configuration information:


    Port: 80
    Admin port: 34713
    CMN_SYSTEM_USER= webservd
    CMN_SYSTEM_GROUP=webservd
    WS_Admin_user=admin
    CMN_host_name: id-amer-NN
  3. Edit the server.xml file for the ls1 instance and add the highlighted portion to the line below:


    <LS id="ls1" port="92" servername="id-amer-NN.us.example.com"
    defaultvs="https-id-amer-NN.us.example.com" security="false" ip="IPaddress"
    blocking="false" acceptorthreads="1"/>
  4. Restart the Web Server instance.

4.5 Installing and Configuring Access Manager

Access Manager needs to be installed on the back-end servers id-amer-NN.us. Make sure that Web Server has been previously installed on these servers, as described in 4.4 Installing and Configuring Web Server.

Procedure: To Install and Configure Access Manager

Steps
  1. Run the Java ES installer using the silent install state file.


    id-amer-NN# cd /var/bits/Java_es/Solaris_sparc
    id-amer-NN# ./installer -nodisplay -noconsole \
                           -state /var/bits/silent/AccessManagerStateFile
    
  2. Verify the installation by accessing the Access Manager console at http://id-amer-NN.us.example.com/amconsole. Log in as amadmin using the password given in AccessManagerStateFile.

  3. On all Access Manager instances except id-amer-01.us, perform the following configuration changes to avoid a service initialization error:

    1. After logging in, select General Properties and edit the Organization alias. Add this server's name to the Organization Alias, for example id-amer-NN.us.example.com. Save the changes.

    2. Select the Service Configuration tab, then select Platform and edit the Server List. Add this server's name and port, for example id-amer-NN.us.example.com:80|02, and save the changes.

Procedure: To Configure the SafeWord Authentication Module

Perform this procedure on id-amer-01.us only.

Steps
  1. Save a backup copy of the following files:


    /etc/opt/SUNWam/config/xml/amAuthSafeWord.xml
    /opt/SUNWam/locale/amAuthSafeWord.properties
    /opt/SUNWam/locale/amAdminCLI.properties
    /etc/opt/SUNWam/config/AMConfig.properties
  2. Download the Access Manager patch 115766 and install it with the patchadd command.

  3. Load the XML for the new SafeWord authentication module with the following commands:


    id-amer-01# cd /opt/SUNWam/bin/
    id-amer-01# ./amadmin -u amadmin -w password \
                -deleteservice iPlanetAMauthSafeWordService
    id-amer-01# ./amadmin -u amadmin -w password \
                -schema /etc/opt/SUNWam/config/xml/amAuthSafeWord-63p.xml
  4. Edit the following files so that they use the base DN of dc=example,dc=com and reference URLs of the BE servers in this Edge complex. The AccessManagerPath is the installation path specified in the AccessManagerStateFile.


    AccessManagerPath/locale/amAuthUI.properties
    AccessManagerPath/locale/amAuthSafeWord.properties
    /apps/http-id-amer-01/is-web-apps/services/config/auth/default/Login.jsp
    /apps/http-id-amer-01/is-web-apps/services/config/auth/default/aml/Login.jsp
    /apps/http-id-amer-01/is-web-apps/services/config/auth/default/wml/Login.jsp
    AccessManagerPath/web-src/services/config/auth/default/LDAP.xml
    AccessManagerPath/web-src/services/config/auth/default_en/LDAP.xml
    AccessManagerPath/web-src/services/config/auth/default/SafeWord.xml
    AccessManagerPath/web-src/services/config/auth/default_en/SafeWord.xml
    
    AccessManagerPath/locale/amAuthMobilePass.properties
    AccessManagerPath/web-src/services/config/auth/default/MobilePass.xml
    AccessManagerPath/web-src/services/config/auth/default_en/MobilePass.xml
    AccessManagerPath/lib/am_services.jar
    
    /etc/opt/SUNWam/config/amAuthMobilePass-63p.xml
    /SW/wireless/auth/xml/amAuth_add_mobilepass.xml 
  5. Configure the authentication modules with the following commands:


    AccessManagerPath/bin/amadmin -u amadmin -w password -v \
        -t /SW/wireless/auth/xml/amAuth_add_mobilepass.xml
    AccessManagerPath/bin/amadmin -u amadmin -w password -v \
        -s /etc/opt/SUNWam/config/amAuthMobilePass-63p.xml
    
    AccessManagerPath/bin/amadmin -u amadmin -w password -v \
        -t /SW/wireless/auth/xml/SetAuthOrg-63.xml
    AccessManagerPath/bin/amadmin -u amadmin -w password -v \
        -t /SW/wireless/auth/xml/CreateOrgMobilePassTemplate-63.xml
    AccessManagerPath/bin/amadmin -u amadmin -w password -v \
        -t /SW/wireless/auth/xml/CreateOrgMobilePassRequests-63.xml
    AccessManagerPath/bin/amadmin -u amadmin -w password -v \
        -t /SW/wireless/auth/xml/CreateOrgSafeWordTemplate-63.xml
    AccessManagerPath/bin/amadmin -u amadmin -w password -v \
        -t /SW/wireless/auth/xml/CreateOrgSafeWordRequests-63.xml

    Some of these commands may take up to several hours to complete. Some may also hang and not terminate. If SetAuthOrg-63.xml, CreateOrgMobilePassTemplate-63.xml, or CreateOrgSafeWordTemplate-63.xml fail to terminate, do the following:

    1. Log into the Access Manager console at http://id-amer-01.us.example.com/amconsole as amadmin using the password given in AccessManagerStateFile.

    2. Select View->Services and expand the Core service. Then highlight LDAP, MobilePass and SafeWord from the list box entitled Organization Authentication Modules.

    3. Add safewordid to the Alias Search Attribute Name and click Save.

    4. Click Edit beside the Organization Authentication Configuration, and in the dialog window, select all modules and click on Delete.

    5. Add the SafeWord module by selecting it from the Module name list and setting the Enforcement Requirement to REQUIRED. Click OK to save the change.

    6. Modify the Gateway access service by setting the accepted authentication level to 2 with the following command:


      AccessManagerPath/bin/amadmin -u amadmin -w password -v \
          -t /SW/wireless/xml/modifyGWAccessService.xml

4.6 Installing and Configuring Portal Server

Follow the installation instructions in the product installation guide to install Remote Access Pack Core and Mobile Access.

Procedure: To Install Portal Server

Steps
  1. Run the Java ES installer with the silent install file for Portal Server:


    /var/bits/Java_es/Solaris_sparc/installer -nodisplay -noconsole -state PortalServerStateFile
    
  2. If the runtime userID for Portal Server is not root, you must change ownership of its related directories with the following commands:


    # chown -R userID \
      AccessManagerPath /var/AccessManagerPath /etc/AccessManagerPath \
      PortalServerPath /var/PortalServerPath /etc/PortalServerPath
    # chgrp -R usergroup \
      AccessManagerPath /var/AccessManagerPath /etc/AccessManagerPath \
      PortalServerPath /var/PortalServerPath /etc/PortalServerPath
    
  3. Change gateway.user from noaccess to userID.

Procedure: To Configure the Provider Channels

Steps
  1. To configure the mail provider, copy the following files from phys-bedge1-1 or phys-bedge3-1 and edit them as needed to use the local hostname and the dc=example,dc=com base DN.


    /var/opt/SUNWps/instance/portal/web-apps/jsp/default/launchCompose.jsp
    /var/opt/SUNWps/instance/portal/web-apps/jsp/default/launchInbox.jsp
    /var/opt/SUNWps/instance/portal/web-apps/jsp/default/launchFolder.jsp
    /var/opt/SUNWps/instance/portal/web-apps/jsp/default/mail/doNewInbox.jsp
    /var/opt/SUNWps/instance/portal/web-apps/jsp/default/mail/doInboxCont.jsp
    /var/opt/SUNWps/instance/portal/web-apps/jsp/default/mail/doInboxStart.jsp
    /var/opt/SUNWps/instance/portal/web-apps/jsp/default/mail/getfolders.jsp
    /var/opt/SUNWps/instance/portal/web-apps/jsp/default/mail/getnewmsgs.jsp
    /var/opt/SUNWps/instance/portal/web-apps/jsp/default/mail/getnewmsg.jsp
    /var/opt/SUNWps/instance/portal/web-apps/jsp/default/mail/aml/getnewmsgs.jsp
    /var/opt/SUNWps/instance/portal/web-apps/jsp/default/mail/aml/getnewmsg.jsp
    /var/opt/SUNWps/instance/portal/web-apps/jsp/default/mail/aml/delete.jsp
    /var/opt/SUNWps/instance/portal/web-apps/jsp/default/mail/aml/menu.jsp
    /var/opt/SUNWps/instance/portal/web-apps/jsp/default/mail/aml/moveMsg.jsp
    /var/opt/SUNWps/instance/portal/web-apps/jsp/default/mail/aml/doNewFd.jsp
    /var/opt/SUNWps/instance/portal/web-apps/jsp/default/mail/aml/folders.jsp
    /var/opt/SUNWps/instance/portal/web-apps/jsp/default/mail/aml/getfolders.jsp
    /var/opt/SUNWps/instance/portal/web-apps/jsp/default/mail/aml/message.jsp
    /var/opt/SUNWps/instance/portal/web-apps/jsp/default/mail/aml/newFd.jsp
    /var/opt/SUNWps/instance/portal/web-apps/jsp/default/mail/aml/typeMsg.jsp
    /var/opt/SUNWps/instance/portal/web-apps/jsp/default/mail/aml/compose.jsp
    /etc/opt/SUNWps/desktop/default/MailProvider/aml/display-summary.template
    /etc/opt/SUNWps/desktop/default/MailProvider/aml/display.template
  2. To configure the calendar provider, copy and edit the following files in the same way:


    /var/opt/SUNWps/instance/portal/web-apps/jsp/default/cal/sun-one/aml/event.jsp
    /var/opt/SUNWps/instance/portal/web-apps/jsp/default/cal/sun-one/aml/task.jsp
    /var/opt/SUNWps/instance/portal/web-apps/jsp/default/cal/sun-one/aml/dayview.jsp
  3. To configure the LDAP look-up channel:

    1. Copy ldaplookupprovider.jar from PortalPath/web-src/WEB-INF/lib/ of phys-bedgeN-1.us into /var/opt/SUNWps/instance/portal/web-apps/WEB-INF/lib and PortalPath/web-src/WEB-INF/lib/.

    2. Copy countryAccessCodes.properties, countryShortDial.properties, ldapab.properties, ldapab_en.properties, wireless.properties from PortalPath/web-src/WEB-INF/classes/ of phys-bedgeN-1.us into /var/opt/SUNWps/instance/portal/web-apps/WEB-INF/classes/ and PortalPath/web-src/WEB-INF/classes/.

    3. Copy launchLDAPABook.jsp from PortalPath/web-src/jsp/default/ of phys-bedgeN-1.us into /var/opt/SUNWps/instance/portal/web-apps/jsp/default/ and PortalPath/web-src/jsp/default/.

    4. Copy compose.jsp, doSearch.jsp, search.jsp from PortalPath/web-src/jsp/default/ldapab/aml of phys-bedgeN-1.us into /var/opt/SUNWps/instance/portal/web-apps/jsp/default/ldapab/aml and PortalPath/web-src/jsp/default/ldapab/aml.

    5. Copy compose.jsp, doSearch.jsp, search.jsp from PortalPath/web-src/jsp/default/ldapab/wml of phys-bedgeN-1.us into /var/opt/SUNWps/instance/portal/web-apps/jsp/default/ldapab/wml and PortalPath/web-src/jsp/default/ldapab/wml.

    6. Add /var/opt/SUNWps/instance/portal/web-apps/WEB-INF/classes to the classpath of the web server.

    7. Modify the value of the PropertyDirectory baseURL attribute in /opt/SUNWps/web-src/WEB-INF/classes/wireless.properties accordingly.

Procedure: To Configure the Single Sign-On (SSO) Adaptor

Steps
  1. Log on to amconsole as admin and configure the SSO templates:


    1. Select the "Service Configuration" tab.
    2. Select SSO Adapter on the right panel.
    3. Configure the SSO template for each provider.
  2. Update the SSO adapter template for the mail provider, SUN-ONE-MAIL. (Note: in Edge 2, the mail provider is configured to use proxy authentication and only one mail server existed. The configuration may be different if proxy authentication is not used or if more than one mail server exists in Edge 3.)


    • Click the "Edit Properties..." link of SUN-ONE-MAIL under the section "SSO Adapter Templates".
    • Update the following properties accordingly:
        ◦ enableProxyAuth
        ◦ proxyAdminUid
        ◦ proxyAdminPassword
  3. Create the SSO adapter template for the address book provider, SUN-ONE-ADDRESS-BOOK. (Note: in Edge 2, the address book provider is configured to use proxy authentication and only one mail server existed. The configuration may be different if proxy authentication is not used or if more than one mail server exists in Edge 3.)


    • Click the "NEW" button under the section "SSO Adapter Templates".
    • Enter "SUN-ONE-ADDRESS-BOOK" into the Name field.
    • Select "[SUN-ONE-ADDRESS-BOOK]" from the "Existing Template" selection list.
    • Click OK to create a copy of the "SUN-ONE-ADDRESS-BOOK" template.
    • Once the template has been created successfully, update the following template properties accordingly:
        ◦ host e.g. edge-ds1.us.example.com
        ◦ port e.g. 389
        ◦ pabSearchBase e.g. ou=people,o=example.com,o=esmi,o=pab
        ◦ userSearchBase e.g. ou=people,o=example.com,o=esmi
        ◦ aid
        ◦ adminPassword
        ◦ imapHost e.g. edge-mail1.us.example.com
        ◦ imapPort e.g. 443
        ◦ clientPort e.g. 80
        ◦ enableProxyAuth (set to true to enable proxy auth)
        ◦ proxyAdminUid (if proxy auth is to be enabled)
        ◦ proxyAdminPassword (if proxy auth is to be enabled)
  4. Update the SSO adapter template for the calendar provider, SUN-ONE-CALENDAR. (Note: in Edge 2, the address book provider is configured to use proxy authentication and only one calendar server existed. The configuration may be different if proxy authentication is not used or if more than one calendar server exists in Edge 3.)


    • Click the "Edit Properties..." link of SUN-ONE-CALENDAR under the section "SSO Adapter Templates".
    • Update the following properties accordingly:
        ◦ enableProxyAuth (set to true to enable proxy auth)
        ◦ proxyAdminUid (if proxy auth is to be enabled)
        ◦ proxyAdminPassword (if proxy auth is to be enabled)
  5. Configure the SSO Adapter configuration at the top organization level:


    1. Select the "Identity Management" tab.
    2. Select "Services" from the "View" drop-down list on the right panel.
    3. Select "SSO Adapter" from the Services list on the right panel.
  6. Set up the SSO adapter configuration for the mail provider, SunOneMail. (Note: in Edge 2, only one mail server existed. The configuration may differ if more than one mail server exists in Edge 3.)


    • Click the "Edit Properties..." link of SunOneMail on the left panel.
    • Update the following properties:
        ◦ host: edge-mail1.us.example.com
        ◦ port e.g. 143
        ◦ smtpServer e.g. edge-mail1.us.example.com
        ◦ clientPort e.g. 80
        ◦ smtpPort e.g. 25
  7. Set up the SSO adapter configuration for the calendar provider, SunOneCalendar. (Note: in Edge 2, only one mail server existed. The configuration may differ if more than one mail server exists in Edge 3.)


    • Click the "Edit Properties..." link of SunOneCalendar on the left panel.
    • Update the following properties:
        ◦ host: edge-cal1.us.example.com
        ◦ port e.g. 143
        ◦ clientPort e.g. 80
  8. Disable the authentication-less anonymous portal:


    • Log on to amconsole.
    • Select the "Service Configuration" tab.
    • Select Portal Desktop under Portal Server Configuration.
    • Check the Disable radio button under Authentication-less Portal Desktop Configuration.
  9. Set up user profiles for MAP application access (at or after user loading; note that this may already be covered by user profile loading). Add the following object classes to the pre-selected users with /apps/dirserv/shared/bin/wirelessUserProvision.sh:


    • sunmobileappmailperson
    • sunmobileappcalendarperson
    • sunssoadapterperson
    • sunportaldesktopperson
    • sunmobileappabperson
    • sunportalgatewayaccessservice

4.6.1 Remote Access Pack

Modify AMConfig.properties (refer to the AMConfig.properties of phys-edge-1) for the software installation on the edge-fe-n machines.

Follow the installation instructions in the product installation guide to install the Remote Access Pack and perform its post-installation configuration.

Enable notification and disable polling between IS and the gateway, and perform other system tuning:

- Update platform.conf.default.

- Update AMConfig*.properties (refer to /var/opt/SUNWam/config/AMConfig*.properties of edge-fe6).

- Update the gateway script (refer to /apps/SUNWps/bin/gateway.sh of edge-fe6).

Procedure: To Request an SSL Certificate

The following example is for messaging; substitute appropriate parameters as necessary. Note that certificate names can be anything because they are just nicknames. For example, if you call the certificate for mail-amer.example.com “Server-Cert”, then “Server-Cert” needs to be in your configuration files. Common certutil commands:


# certutil -L -d .
# certutil -L -d . -n certificateName
# certutil -D -d . -n Server-Cert
Steps
  1. Create a certificate directory for setting up the certificates:


    # mkdir -p /usr/local/cert/SunPKI/app_id (where app_id = mail, cal, etc.)
    # cd /usr/local/cert/SunPKI/app_id
  2. Create sslpassword.conf that contains the correct password in the following format:


    Internal (Software) Token:password
  3. Create PW


    # sed s/'^.*:'// sslpassword.conf > PW
  4. Create an empty certificate database:


    # certutil -N -d . -f ./PW
  5. Generate the request for a new PKI certificate, for example:


    # certutil -R -d . -s "CN=mail-amer.example.com, OU=messaging server/SSL Server,O=Example Corp." \
       -p 3032722269 -o ./cert_req.mail-amer -f ./PW -z /etc/passwd -a
  6. Order a new PKI certificate on your certificate server and retrieve it according to your corporate policy. Save the certificate in a file.

  7. Copy the certificate chain from your certificate server and save it to a file as well.

  8. Import all the certificates. The following commands assume that copies of the certificate chain files are in the parent directory and that the certificate received for mail is in the current directory:


    # certutil -A -n "ABC Trusted Root" -t "TCu,TCu,TCuw" -d . -a -i ../ABC_chain.cert -f ./passwd
    # certutil -A -n "Example Corp Root CA - ABC Corporation" -t "C,," -d . -a -i ../Example_Corp.cert -f ./passwd
    # certutil -A -n "Example Corp CA (Class B) - Example Corp" -t "C,," -d . -a -i ../Example_Corp_cB.cert -f ./passwd
    # certutil -A -n "Server-Cert" -t "u,u,u" -d . -a -i ./mail.cert -f ./passwd
  9. List out each certificate and document dates of expiration:


    # certutil -L -d . -n "ABC Trusted Root"
       Expirations related to mail-amer.example.com:
       ABC Trusted Root:       Not After: Thu Feb 23 23:59:00 2007
       Example Corp CA ABC:    Not After: Thu Feb 23 23:59:00 2007
       Example Corp Class B:   Not After: Fri Nov 13 19:23:10 2009
       mail-amer.example.com:  Not After: Tue May 18 19:34:36 2010
       cal-amer.example.com:   Not After: Tue May 18 19:24:21 2010

    At a minimum per above output you will need to replace or renew the ABC Trusted Root and Example Corp CA ABC certificates in Feb 2007.

  10. Copy the certificates to their final destination on each front-end mail node.


    # cp *.db /opt/SUNWmsgsr/config
    
       # Tar up the cert dir from the d1/fe node on which you generated the certs and copy (scp) the same certs to all fe/d1 nodes.
       # This includes the cert8.db, key3.db and secmod.db files. Extract the tar file within the /usr/local/cert subdir,
       # and from there copy all certs to /opt/SUNWmsgsr/config and verify perms (600, mailsrv:mailsrv).
    
       # Verify that the password in sslpassword.conf is the PW used during cert generation and replace it if necessary.
    
       cat /opt/SUNWmsgsr/config/sslpassword.conf
       # should show a single line with the PW at the end and no spaces after the ":":  Internal (Software) Token:password
    
  11. Copy the same mail certificates to the web server for mail filter use if it needs to listen on SSL ports (443 or 444):

    1. For web server certificates go into /opt/SUNWwbsvr/alias.

    2. Create the file password.conf under the web server config directory (with the same perms as the db files). The format of password.conf is, for example (assuming the real password for the mail certificate dbs is "something"): internal:something

    3. Edit the file magnus.conf under the web server config dir and change Security to on.

    4. Edit the file server.xml under the web server config dir and add or modify listen ports as needed. On Nauticus, server.xml should use the hostname rather than the mail VIP; on Foundry sites the mail VIP should be used.

    5. Restart webserver.

  12. If using Nauticus, complete this step (for mail and cal certificates)


    pk12util -d . -o /var/tmp/mail_pkcs12.out  -n Server-Cert
    
    openssl pkcs12 -in /var/tmp/mail_pkcs12.out -out /var/tmp/mail_key.pem
    rm /var/tmp/mail_pkcs12.out
    
    # Provide mail_key.pem to GIS for import into Nauticus.
  13. Restart the mail services so that the certificates are used. Verify that SSL is working by connecting with the openssl program:


        e.g. from Foundry front end:   ./openssl s_client -connect mail-amer.example.com:993  
    
        e.g. from Nauticus front end:  ./openssl s_client -connect d1-sfbay-01.example.com:993 
     
    
        Also check the logs for any messages relating to issues with SSL.
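Two checks for this certificate procedure, written as an added example (not part of the original guide): the first enforces the sslpassword.conf format required in steps 2 and 10 and extracts the password the same way the sed command in step 3 does; the second parses the "Not After" lines documented in step 9 and reports which certificates fall inside a renewal window, so the dates are tracked rather than copied by hand. The sample output is constructed from the step 9 listing above.

```python
"""Checks for the sslpassword.conf format and the certutil expiry listing.

Added example, not from the original deployment guide. Sample input is
constructed from the formats shown in the procedure.
"""
import re
from datetime import datetime, timedelta

TOKEN_LABEL = "Internal (Software) Token"

# Constructed sample: the step 9 output as shown in the procedure.
SAMPLE_EXPIRATIONS = """\
Expirations related to mail-amer.example.com:
ABC Trusted Root:       Not After: Thu Feb 23 23:59:00 2007
Example Corp CA ABC:    Not After: Thu Feb 23 23:59:00 2007
Example Corp Class B:   Not After: Fri Nov 13 19:23:10 2009
mail-amer.example.com:  Not After: Tue May 18 19:34:36 2010
cal-amer.example.com:   Not After: Tue May 18 19:24:21 2010
"""


def sslpassword_to_pw(text):
    """Return the password from sslpassword.conf contents.

    Raises ValueError when the file is not the single required line
    'Internal (Software) Token:password' with no spaces after the colon;
    certutil -f would otherwise fail with an unhelpful error.
    """
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if len(lines) != 1:
        raise ValueError(f"expected one token line, found {len(lines)}")
    label, sep, password = lines[0].partition(":")
    if not sep or label != TOKEN_LABEL:
        raise ValueError(f"line must begin with '{TOKEN_LABEL}:'")
    if not password or password != password.strip():
        raise ValueError("password must follow the colon with no spaces")
    return password  # same result as: sed s/'^.*:'// sslpassword.conf > PW


# "<nickname>:  Not After: <ctime-style date>"
_NOT_AFTER = re.compile(r"^\s*(?P<name>.+?):\s+Not After:\s+(?P<date>.+?)\s*$")
_DATE_FMT = "%a %b %d %H:%M:%S %Y"  # ctime(3) style, as certutil prints it


def parse_expirations(text):
    """Return {nickname: expiry datetime} for each 'Not After' line."""
    found = {}
    for line in text.splitlines():
        m = _NOT_AFTER.match(line)
        if m:  # header lines such as "Expirations related to ..." are skipped
            found[m.group("name")] = datetime.strptime(m.group("date"), _DATE_FMT)
    return found


def _as_datetime(as_of):
    return datetime.fromisoformat(as_of) if isinstance(as_of, str) else as_of


def needs_renewal(text, as_of, within_days=90):
    """Nicknames already expired or expiring within the window, soonest first.

    as_of may be a datetime or an ISO date string such as '2006-12-01'.
    """
    deadline = _as_datetime(as_of) + timedelta(days=within_days)
    due = [(exp, name) for name, exp in parse_expirations(text).items()
           if exp <= deadline]
    return [name for _, name in sorted(due)]


def days_left(text, name, as_of):
    """Whole days until the named certificate expires (negative once past)."""
    return (parse_expirations(text)[name] - _as_datetime(as_of)).days


if __name__ == "__main__":
    pw = sslpassword_to_pw("Internal (Software) Token:s3cret\n")
    print(f"PW file would contain {len(pw)} characters")
    for nick in needs_renewal(SAMPLE_EXPIRATIONS, "2006-12-01"):
        print(f"renew {nick}: {days_left(SAMPLE_EXPIRATIONS, nick, '2006-12-01')} days left")
```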
    

Procedure: To Install an SSL Certificate

Steps
  1. Install the certificate:


    # PortalPath/SUNWps/bin/certadmin -n default
  2. Select 4) Install Certificate From Certificate Authority (CA) on the certificate administration menu

  3. Provide server-cert (or whatever certificate name is to be used) as the certificate name and the certificate file saved in “Order a Certificate From a CA.”

  4. Restart gateway.

Procedure: Setting up the Gateway Redirector

Steps
  1. Install and configure a web server with the gateway DNS name listening on port 80. From edge-fe6, copy /apps/SUNWwbsvr/docs/index.html to WebServerPath/docs/ and /apps/SUNWwbsvr/docs/en/index.html to WebServerPath/docs/en/.

  2. Modify the URL in index.html accordingly.

Procedure: Setting Up Load Balancing

Step

    Modify /etc/mail/submit.cf and change MTAHost to relay all e-mails through the dedicated MTA VIP.


    D{MTAHost}[10.1.82.194]

4.7 Installing and Configuring Messaging Server

Procedure: To Install Messaging Server

Steps
  1. Make sure Admin server is already installed.

  2. Create UNIX user/group names: mailsrv/mailsrv if not already done by JumpStart.

  3. Install Messaging Server on both nodes using the silent install method:

    Verify that you are using the latest version of the install and configuration files and that you have customized them, if needed, for your hostname.


    phys-bedge1-[12]# ./installer -nodisplay -noconsole -state /var/bits/silent/BE/msg-ha-bits.cnf
  4. Patch Messaging Server on both nodes with the latest patches.

  5. Prepare the LDAP directories

    1. Run comm_dssetup.pl on all CFG directory servers -- master and replicas, FE and BE.

    2. Apply the schema to cfgdir (on node 2 of the first cluster, where the Directory Server cfg instance is installed):


      phys-bedge1-2# cd /opt/SUNWmsgsr/lib
      phys-bedge1-2# perl comm_dssetup.pl
      ...
      Here is a summary of the settings that you chose:
        Server Root                        : /opt/ds
        Server Instance                    : slapd-cfg
        Users/Groups Directory             : no
        Update Schema                      : yes
        Schema Type                        : 2 
        Directory Manager DN               : cn=Directory Manager

Procedure: To Configure HA on the BE

Before You Begin
Steps
  1. Verify that the SUNWscims package is installed; if not, install it on both nodes.

  2. Set up the cluster resource group and resources:

    Clusters 1 and 2 will have 15 stores while clusters 3 & 4 will have only 11 stores. Run commands on primary node.


    phys-bedgeN-1# scrgadm -a -t SUNW.HAStoragePlus
    phys-bedgeN-1# scrgadm -a -t SUNW.ims
    phys-bedgeN-1# scrgadm -a -g msg1-svc-rg -h phys-bedge1-1,phys-bedge1-2
    phys-bedgeN-1# scrgadm -a -L -g msg1-svc-rg -j msg1-addr-rs -l bedge1-mail1
    phys-bedgeN-1# scswitch -Z -g msg1-svc-rg
    phys-bedgeN-1# scrgadm -a -j msg1-storplus1-rs -g msg1-svc-rg -t SUNW.HAStoragePlus \
        -x FilesystemMountPoints=/shared/bedge1/msg/partition/store001,\
        /shared/bedge1/msg/partition/store002,/shared/bedge1/msg/partition/store003,\
        /shared/bedge1/msg/partition/store004,/shared/bedge1/msg/partition/store005,\
        /shared/bedge1/msg/partition/store006,/shared/bedge1/msg/conf,\
        /shared/bedge1/msg/dbbackup -x AffinityOn=True
    phys-bedgeN-1# scrgadm -a -j msg1-storplus2-rs -g msg1-svc-rg -t SUNW.HAStoragePlus \
        -x FilesystemMountPoints=/shared/bedge1/msg/partition/store007,\
        /shared/bedge1/msg/partition/store008,/shared/bedge1/msg/partition/store009,\
        /shared/bedge1/msg/partition/store010,/shared/bedge1/msg/partition/store011,\
        /shared/bedge1/msg/partition/store012,/shared/bedge1/msg/imta,\
        /shared/bedge1/msg/var -x AffinityOn=True
    phys-bedgeN-1# scrgadm -a -j msg1-storplus3-rs -g msg1-svc-rg -t SUNW.HAStoragePlus \
        -x FilesystemMountPoints=/shared/bedge1/msg/partition/store013,\
        /shared/bedge1/msg/partition/store014,/shared/bedge1/msg/partition/store015,\
        /shared/bedge1/msg/partition/store016,/shared/bedge1/msg/partition/store006,\
        /shared/bedge1/msg/partition/store018,/shared/bedge1/msg/db -x AffinityOn=True
    phys-bedgeN-1# scswitch -e -j msg1-storplus1-rs
    phys-bedgeN-1# scswitch -e -j msg1-storplus2-rs
    phys-bedgeN-1# scswitch -e -j msg1-storplus3-rs
  3. Verify that all messaging partitions are mounted before proceeding. Run configure on primary node interactively:


    phys-bedgeN-1# cd /opt/SUNWmsgsr/lib
    phys-bedgeN-1# ./configure

    Alternatively, use the silent install state file (always check the silent install file before using):


    phys-bedgeN-1# ./configure -noconsole -state /var/bits/bedge/BE/bedge1-msg.cnf
  4. Back up configdir with db2ldif to ensure that a good copy is saved:


    phys-bedgeN-2# cd /opt/ds/slapd-cfg
    phys-bedgeN-2# ./db2ldif
  5. On the primary node, run the ha_ip_config command:


    phys-bedgeN-1# cd /opt/SUNWmsgsr/sbin
    phys-bedgeN-1# ./ha_ip_config
      Logical IP address: 129.146.xx.yy
      iMS server root: /opt/SUNWmsgsr
      The iMS server root directory does not contain any slapd-* subdirectories.
      Skipping configuration of LDAP servers.
            Logical IP address: 129.146.xx.yy
            iMS server root: /opt/SUNWmsgsr
    Do you wish to change any of the above choices (yes/no) [no]?
    Updating the file /opt/SUNWmsgsr/config/dispatcher.cnf
    Updating the file /opt/SUNWmsgsr/config/job_controller.cnf
    Setting the service.listenaddr configutil parameter
    Setting the service.http.smtphost configutil parameter
    Setting the local.watcher.enable configutil parameter
    Setting the local.autorestart configutil parameter
    Configuration successfully updated
  6. Copy state files to node 2, then run useconfig on node 2


    phys-bedgeN-1# cd /opt/SUNWmsgsr/install
    phys-bedgeN-1# cp -r configure_20050318142130 /shared/bedge1/msg/var/
  7. Switch over services to node 2 OR use scp to copy configure dir locally to node 2


    phys-bedgeN-2# /opt/SUNWmsgsr/sbin/useconfig  /shared/bedge1/msg/var/configure_20050318142130

Procedure: To Configure Messaging Server

Steps
  1. Set up hostnames


    phys-bedgeN-1# configutil -o local.hostname -v "bedge1-mail1.us.example.com"
    phys-bedgeN-1# configutil -o local.webmail.da.host -v bedge1-mail1.us.example.com
    phys-bedgeN-1# configutil -o local.servername -v bedge1-mail1.us.example.com
  2. Set up LDAP (using the following guidelines)


    phys-bedgeN-1# configutil -o local.ldapuselocal -v yes
    phys-bedgeN-1# configutil -o local.ugldaphost -v "stringBelow"
    phys-bedgeN-1# configutil -o local.ldaphost -v "stringBelow"
    phys-bedgeN-1# configutil -o local.service.pab.ldaphost -v "localMMR"

    Substitution string:


    cluster 1: ds-amer-03.us.example.com ds-amer-02.us.example.com
    cluster 2: ds-amer-02.us.example.com ds-amer-03.us.example.com
    cluster 3: ds-amer-03.us.example.com ds-amer-02.us.example.com
    cluster 4: ds-amer-02.us.example.com ds-amer-03.us.example.com
  3. Change administrative account names to msg-admin-bedgeN-mail1

    Need to also change account name in the LDAP directory and verify that it is in the correct group.


    phys-bedgeN-1# configutil -o local.enduseradmindn \
        -v "uid=msg-admin-bedge1-mail1,ou=People,dc=example,dc=com"
    phys-bedgeN-1# configutil -o local.service.pab.ldapbinddn \
        -v "uid=msg-admin-bedge1-mail1,ou=People,dc=example,dc=com"
    phys-bedgeN-1# configutil -o local.ugldapbinddn \
        -v "uid=msg-admin-bedge1-mail1,ou=People,dc=example,dc=com"
  4. Disable POP


    phys-bedgeN-1# configutil -o service.pop.enable -v 0
    phys-bedgeN-1# configutil -o service.pop.enablesslport -v 0
  5. Enable Distributed IMAP Folder Sharing

    First server listed in local.service.proxy.serverlist should be the one being installed/configured.


    phys-bedgeN-1# configutil -o local.service.proxy.admin -v admin
    phys-bedgeN-1# configutil -o local.service.proxy.adminpass -v adminPassword
    phys-bedgeN-1# configutil -o local.service.proxy.serverlist -v \
        "nedge1-mail1.sfbay.example.com, \
         nedge2-mail1.sfbay.example.com, \
         nedge3-mail1.sfbay.example.com, \
         bedge1-mail1.us.example.com, \
         bedge2-mail1.us.example.com, \
         bedge3-mail1.us.example.com, \
         sedge1-mail1.singapore.example.com, \
         sedge2-mail1.singapore.example.com"
  6. Set up logdir


    phys-bedgeN-1# configutil -o logfile.imap.logdir -v /shared/bedge1/msg/var/log/imap
    phys-bedgeN-1# configutil -o logfile.http.logdir -v /shared/bedge1/msg/var/log/http
    phys-bedgeN-1# configutil -o logfile.imta.logdir -v /shared/bedge1/msg/var/log/imta
  7. Verify local.autorestart is true:


    phys-bedgeN-1# configutil -o local.autorestart 
  8. Configure stores (repeat for each store partition)


    phys-bedgeN-1# configutil -o store.partition.store001.path \
        -v "/shared/bedge1/msg/partition/store001"
  9. Set up log locations:


    phys-bedgeN-1# mkdir -p /shared/bedge1/msg/var/log
    phys-bedgeN-1# chown mailsrv:mailsrv /shared/bedge1/msg/var/log
    phys-bedgeN-1# cd /shared/bedge1/msg/var/log
    phys-bedgeN-1# mkdir imap http imta default
    phys-bedgeN-1# chown mailsrv:mailsrv imap http imta default
    phys-bedgeN-1# chmod 755 imap http imta default
    phys-bedgeN-1# cd /opt/SUNWmsgsr/data;  mv log log.orig; ln -s /shared/bedge1/msg/var/log
  10. Edit imta_tailor to place MTA logs into the imta subdir


    phys-bedgeN-1# cd /opt/SUNWmsgsr/config
    phys-bedgeN-1# cp imta_tailor imta_tailor.orig
    phys-bedgeN-1# sed s/"\/log\/"/"\/log\/imta\/"/ imta_tailor.orig > imta_tailor
    phys-bedgeN-1# diff imta_tailor.orig imta_tailor
  11. Other settings, including tuning, the queue location, and database snapshots


    phys-bedgeN-1# cd /shared/bedge1/msg/db
    phys-bedgeN-1# mkdir mboxlist
    phys-bedgeN-1# chown -R mailsrv:mailsrv *
    phys-bedgeN-1# cd /shared/bedge1/msg/imta
    phys-bedgeN-1# mkdir -p queue
    phys-bedgeN-1# chown -R mailsrv:mailsrv *
    phys-bedgeN-1# chmod -R 755 *
    phys-bedgeN-1# cd /opt/SUNWmsgsr/data

    phys-bedgeN-1# rm -r queue db 
    phys-bedgeN-1# ln -s /shared/bedge1/msg/imta/queue queue
    phys-bedgeN-1# ln -s /shared/bedge1/msg/db db
    phys-bedgeN-1# cd /opt/SUNWmsgsr/data/store
    phys-bedgeN-1# ln -s /shared/bedge1/msg/db/mboxlist mboxlist
    phys-bedgeN-1# cd /opt/SUNWmsgsr/data/store/dbdata
    phys-bedgeN-1# mkdir -p /shared/bedge1/msg/dbbackup/snapshots
    phys-bedgeN-1# chown mailsrv:mailsrv /shared/bedge1/msg/dbbackup/snapshots
    phys-bedgeN-1# chmod 755 /shared/bedge1/msg/dbbackup/snapshots
    phys-bedgeN-1# ln -s /shared/bedge1/msg/dbbackup/snapshots snapshots

    phys-bedgeN-1# configutil -o local.store.snapshotdirs -v 12
    phys-bedgeN-1# configutil -o local.store.snapshotinterval -v 720
  12. Verify start of services and proper logging


    phys-bedgeN-1# /opt/SUNWmsgsr/sbin/stop-msg
    phys-bedgeN-1# /opt/SUNWmsgsr/sbin/start-msg
  13. Set up messaging resource and enable:


    phys-bedgeN-1# scrgadm -a -j msg1-svc-rs -g msg1-svc-rg -t SUNW.ims \
        -x IMS_serverroot=/opt/SUNWmsgsr \
        -y Resource_dependencies=msg1-addr-rs,msg1-storplus1-rs,msg1-storplus2-rs,msg1-storplus3-rs
    phys-bedgeN-1# /usr/cluster/bin/scswitch -e -j msg1-svc-rs

Procedure: To Configure SMTP

Steps
  1. Make sure the SUNWsndmr and SUNWsndmu packages are installed

  2. Stop sendmail if it's running


    # /etc/init.d/sendmail stop (for Solaris 9)
    # svcadm disable network/smtp:sendmail (for Solaris 10)
  3. Create or modify /etc/default/sendmail to prevent accidental start of sendmail in daemon mode. Add:


    MODE=""
  4. Edit sjsms-submit.mc and change the line that starts with FEATURE to:


    # cd /usr/lib/mail/cf
    # cp submit.mc sjsms-submit.mc

    FEATURE(`msp', `[cookbook-mail1.us.example.com]')dnl

    # /usr/ccs/bin/make sjsms-submit.cf
    # mv /etc/mail/submit.cf /etc/mail/submit.cf.orig
    # cp sjsms-submit.cf /etc/mail/submit.cf
  5. Add patch 113575-05 or the most recent patch that replaces it. Note: future sendmail patches may overwrite submit.cf. You should always check submit.cf after applying such patches.

  6. Start sendmail


    # /etc/init.d/sendmail start (for Solaris 9)
    # svcadm enable network/smtp:sendmail (for Solaris 10)
  7. Repeat the above on the other node(s) if applicable. Test that failover is working properly before proceeding.

  8. Modify the file /opt/SUNWmsgsr/config/imta.cnf and put the IP addresses of all MTAs, including those of other sites, into the tcp_scanner-daemon definition.


    !
    ! IMTA configuration file 
    ! 
    ! part I : rewrite rules 
    ! 
    ! Domain Rewrite Rules. 
    ! Uncomment this line to use domain rewrite rules 
    ! from the configuration file instead of the domain database. 
    
    ! Please refer to the iMS documentation for details. 
    !<IMTA_TABLE:domains.rules
    ! 
    ! Rules to select local users
    $* $A$E$F$U%$H$V$H@bedge1-mail1.us.example.com
    bedge1-mail1.us.example.com $U%$D@bedge1-mail1.us.example.com
    phys-bedge1-1.us.example.com $U@bedge1-mail1.us.example.com
    phys-bedge1-2.us.example.com $U@bedge1-mail1.us.example.com
    localhost $U@bedge1-mail1.us.example.com
    ! 
    ! ims-ms
    .ims-ms-daemon $U%$H.ims-ms-daemon@ims-ms-daemon
    !
    ! lmtp
    !.lmtp $U%$H@lmtpcs-daemon
    !
    ! lmtpn
    !.lmtpn $U%$H@lmtpcn-daemon
    ! 
    ! native
    .native-daemon $U%$H.native-daemon@native-daemon
    ! 
    ! pipe
    .pipe-daemon $U%$H.pipe-daemon@pipe-daemon
    ! 
    ! tcp_local 
    ! Rules for top level internet domains
    <IMTA_TABLE:internet.rules
    ! 
    ! tcp_intranet 
    ! Do mapping lookup for internal IP addresses
    [] $E$R${INTERNAL_IP,$L}$U%[$L]@tcp_intranet-daemon
    bedge2-mail1.us.example.com $U%$D@tcp_intranet-daemon
    bedge3-mail1.us.example.com $U%$D@tcp_intranet-daemon
    bedge4-mail1.us.example.com $U%$D@tcp_intranet-daemon
    * $U%$&0.example.com
    !
    ! tcp_example for internal example.com addresses
    .example.com $U%$H$D@tcp_example-daemon
    ! 
    ! messages returning from MTA must not be re-scanned
    ! US MTA
    [10.1.82.175] $E$R$U%[10.1.82.175]@tcp_scanner-daemon
    [10.1.82.176] $E$R$U%[10.1.82.176]@tcp_scanner-daemon
    [10.1.82.177] $E$R$U%[10.1.82.177]@tcp_scanner-daemon
    [10.1.82.178] $E$R$U%[10.1.82.178]@tcp_scanner-daemon
    [10.1.82.179] $E$R$U%[10.1.82.179]@tcp_scanner-daemon
    [10.1.82.180] $E$R$U%[10.1.82.180]@tcp_scanner-daemon
    [10.1.82.183] $E$R$U%[10.1.82.183]@tcp_scanner-daemon
    [10.1.82.184] $E$R$U%[10.1.82.184]@tcp_scanner-daemon
    !
    ! Repeat for MTAs at other EdgeMail complexes as necessary
    !
    ! reprocess
    reprocess $U%reprocess.bedge1-mail1.us.example.com@reprocess-daemon
    reprocess.bedge1-mail1.us.example.com $U%reprocess.bedge1-mail1.us.example.com@reprocess-daemon
    ! 
    ! process
    process $U%process.bedge1-mail1.us.example.com@process-daemon
    process.bedge1-mail1.us.example.com $U%process.bedge1-mail1.us.example.com@process-daemon
    ! 
    ! defragment
    defragment $U%defragment.bedge1-mail1.us.example.com@defragment-daemon
    defragment.bedge1-mail1.us.example.com $U%defragment.bedge1-mail1.us.example.com@defragment-daemon
    ! 
    ! conversion
    conversion $U%conversion.bedge1-mail1.us.example.com@conversion-daemon
    conversion.bedge1-mail1.us.example.com $U%conversion.bedge1-mail1.us.example.com@conversion-daemon
    ! 
    ! bitbucket
    bitbucket $U%bitbucket.bedge1-mail1.us.example.com@bitbucket-daemon
    bitbucket.bedge1-mail1.us.example.com $U%bitbucket.bedge1-mail1.us.example.com@bitbucket-daemon
    ! 
    ! deleted
    deleted-daemon $U%$H@deleted-daemon
    .deleted-daemon $U%$H@deleted-daemon
    ! 
    ! inactive
    inactive-daemon $U%$H@inactive-daemon
    .inactive-daemon $U%$H@inactive-daemon
    ! 
    ! hold
    hold-daemon $U%$H@hold-daemon
    .hold-daemon $U%$H@hold-daemon
    
    ! 
    ! part II : channel blocks 
    ! 
    defaults notices 1 2 4 7 errwarnpost errsendpost postheadonly noswitchchannel immnonurgent maxjobs 7 logging defaulthost example.com example.com
    
    ! 
    ! delivery channel to local /var/mail store
    l subdirs 20 viaaliasrequired maxjobs 7 pool LOCAL_POOL
    bedge1-mail1.us.example.com
    
    ! 
    ! ims-ms
    ims-ms defragment threaddepth 20 subdirs 20 notices 1 7 14 21 28 backoff "pt5m" "pt10m" "pt30m" "pt1h" "pt2h" "pt4h" maxjobs 4 pool IMS_POOL fileinto $U+$S@$D
    ims-ms-daemon
    
    ! 
    ! native
    native defragment subdirs 20 maxjobs 1
    native-daemon
    
    ! 
    ! pipe
    pipe single defragment subdirs 20
    pipe-daemon
    
    ! 
    ! tcp_local
    tcp_local smtp nomx single_sys remotehost daemon gis-relay.us.example.com inner switchchannel identnonenumeric subdirs 20 maxjobs 7 sourceblocklimit 10000 pool SMTP_POOL maytlsserver maysaslserver saslswitchchannel tcp_auth missingrecipientpolicy 0 aliasdetourhost tcp_scanner-daemon
    tcp-daemon
    
    !
    ! tcp_example
    tcp_example smtp nomx single_sys remotehost daemon gis-relay.us.example.com inner switchchannel identnonenumeric subdirs 20 maxjobs 7 pool SMTP_POOL maytlsserver maysaslserver saslswitchchannel tcp_auth missingrecipientpolicy 0
    tcp_example-daemon
    ! 
    ! tcp_intranet
    tcp_intranet smtp nomx single_sys subdirs 20 dequeue_removeroute maxjobs 7 sourceblocklimit 10000 pool SMTP_POOL maytlsserver allowswitchchannel saslswitchchannel tcp_auth missingrecipientpolicy 4
    tcp_intranet-daemon
    
    !
    ! tcp_scanner
    tcp_scanner smtp mx single_sys subdirs 20 noreverse maxjobs 7 pool SMTP_POOL allowswitchchannel daemon mail-amer-xfr.example.com enqueue_removeroute
    tcp_scanner-daemon
    ! 
    ! tcp_submit
    tcp_submit submit smtp mx single_sys mustsaslserver maytlsserver missingrecipientpolicy 4
    tcp_submit-daemon
    
    ! 
    ! tcp_auth
    tcp_auth smtp mx single_sys mustsaslserver missingrecipientpolicy 4
    tcp_auth-daemon
  9. Modify the /opt/SUNWmsgsr/config/option.dat file:


    # cp -p option.dat option.dat.orig_`date +%Y%m%d`
    # vi option.dat

    Add the following options below MISSING_RECIPIENT_POLICY:
    ALLOW_RECIPIENTS_PER_TRANSACTION=256
    LOG_CONNECTION=3
    LOG_USERNAME=1
    LOG_TRANSPORTINFO=1
    SEPARATE_CONNECTION_LOG=1
    LOG_MESSAGE_ID=1
  10. Modify /opt/SUNWmsgsr/config/mappings. Use a range in /NN format that contains the IP addresses of all the physical hosts at your edge site. In the case of bedge, 129.147.156.99/26 spans from 129.147.156.65 to 129.147.156.126.


    INTERNAL_IP
    
      $(129.147.156.99/##) $Y
      127.0.0.1 $Y
      * $N
    
    
    ORIG_SEND_ACCESS
    
      tcp_local|*|tcp_local|*  $N$D30|Relaying$ not$ allowed
      tcp_*|*|native|*  $N
      tcp_*|*|hold|*  $N
      tcp_*|*|pipe|*  $N
      tcp_*|*|ims-ms|*  $N
    !
    ! Block "external" submissions of explicitly source-routed "internal" addresses
    ! 
      tcp_local|*|tcp_intranet|@*:*.*   $N$D30|Explicit$ routing$ not$ allowed
      tcp_local|*|tcp_intranet|*$%*@*   $N$D30|Explicit$ routing$ not$ allowed
      tcp_local|*|tcp_intranet|*.*!*@*  $N$D30|Explicit$ routing$ not$ allowed
      tcp_local|*|tcp_intranet|"*@*"@*  $N$D30|Explicit$ routing$ not$ allowed
    
    
    SEND_ACCESS
    
      tcp_local|*|tcp_example|*  $N$D30|Relaying$ not$ allowed
      tcp_*|*|*|*@[127.*]  $X5.1.2|$NBad$ destination$ system
      tcp_*|*|*|*@localhost.*  $X5.1.2|$NBad$ destination$ system
      tcp_*|*|*|*@example.com  $X5.1.2|$NBad$ destination$ system
      tcp_*|*|*|*@example.net  $X5.1.2|$NBad$ destination$ system
      tcp_*|*|*|*@example.org  $X5.1.2|$NBad$ destination$ system
      tcp_*|*|*|*@*.test  $X5.1.2|$NBad$ destination$ system
      tcp_*|*|*|*@*.example  $X5.1.2|$NBad$ destination$ system
      tcp_*|*|*|*@*.invalid  $X5.1.2|$NBad$ destination$ system
      tcp_*|*|*|*@*.localhost  $X5.1.2|$NBad$ destination$ system
    
    
    <IMTA_TABLE:mappings.locale
  11. Modify the /opt/SUNWmsgsr/config/aliases file:


    ! MTA aliases file
    !
    !root@example.com: postmaster
    adm@bedge1-mail1.us.example.com: postmast
    root@bedge1-mail1.us.example.com: postmast
    postmaster@bedge1-mail1.us.example.com: postmast
    sunmc-alert:    root@bedge1-mail1.us.example.com
    sunmc-critical: root@bedge1-mail1.us.example.com
  12. Set up logadm


    # mkdir /opt/SUNWmsgsr/log/imta/archive
    # chown mailsrv:mailsrv /opt/SUNWmsgsr/log/imta/archive
    # logadm -f /opt/SUNWmsgsr/config/logadm.conf -w mail -C 28 -p 1d \
        -t '/opt/SUNWmsgsr/log/imta/archive/mail.log.$n' -z 6 \
        /opt/SUNWmsgsr/log/imta/mail.log
    # configutil -o local.schedule.logadm -v "10 4 * * * /usr/sbin/logadm \
        -f /opt/SUNWmsgsr/config/logadm.conf"
  13. Create the alias smarthost.example.com to the GIS relay VIP in /etc/hosts to ensure a fallback mechanism through the local smarthost:


    10.1.97.30 gis-relay.us.example.com smarthost.example.com
  14. Configure the IMAP parameters


    # configutil -o local.ldapconnecttimeout -v 30
    # configutil -o service.imap.maxsessions -v 600
    # configutil -o service.imap.maxthreads -v 250
    # configutil -o service.imap.numprocesses -v 8
    # configutil -o store.dbtmpdir -v /tmp/msg-bedge1-mail1
  15. Set the port that enables MailFilter


    # configutil -o local.webmail.sieve.port -v 444
  16. Set smtphost to the dedicated MTA host:


    # configutil -o service.http.smtphost -v mail-amer-xfr.example.com
  17. If UWC is not enabled, set local.service.http.cookiename to a value such as webmailsid so that the session ID is carried in a cookie rather than being visible in the URL. When UWC is enabled, this is set by default.

Procedure: To Configure Messaging Server on FE Servers

Steps
  1. Run configure. Always check the silent install file before using it.


    #  cd /opt/SUNWmsgsr/sbin
    # ./configure -nodisplay -noconsole -state /var/bits/silent/BE/FE_RAMESH/d1-msg-configure.cnf
  2. Back up the configuration directory with db2ldif to ensure a good copy is saved


    # cd /opt/ds/slapd-cfg
    # ./db2ldif
  3. Disable POP and IMAP


    # configutil -o service.pop.enable -v 0
    # configutil -o service.pop.enablesslport -v 0
    # configutil -o service.imap.enable -v 0
    # configutil -o service.imap.enablesslport -v 0
  4. Verify the msg-admin account for your geo; set it up if needed and add it to the group, as in the BE process


    Search the directory for the account:

    ldapsearch -h ds-amer-0[123] -b dc=example,dc=com uid=msg-admin-mail-amer.example.com dn

    • If the uid is NOT in LDAP, create an LDAP entry for your msg-admin user. Create an LDIF file, e.g. msg-admin.ldif, with the following contents (modify them for your geo):


      dn: uid=msg-admin-mail-sfbay.example.com,ou=People, dc=example,dc=com
      givenName: Messaging End User SFBAY
      userPassword: {SSHA}ttW9Pash8si8u81XCWAXwV9Hfk9JRBti/yOJMw==
      objectClass: top
      objectClass: person
      objectClass: inetorgperson
      objectClass: iplanet-am-managed-person
      objectClass: organizationalPerson
      cn: Messaging End User SFBAY Administrator
      sn: Administrator
      uid: msg-admin-mail-sfbay.example.com

      Add the entry to LDAP:


      ldapmodify -h ds-amer-0[123] -D "cn=Directory Manager" -w password -a -f ./msg-admin.ldif
    • If the uid IS in LDAP, verify that the msg-admin user for your geo is a uniqueMember of the cn=Messaging End User Administrators entry under ou=groups:


      ldapsearch -h ds-amer-01 -b dc=example,dc=com cn="Messaging End User Administrators Group" uniqueMember |\
             grep msg-admin-mail-amer

      If necessary, add your msg-admin user to the Administrators Group using an LDAP browser or the ldapmodify command. Note: entries with very old time stamps should probably be removed as part of a clean-up effort; however, it is suggested that you clean up entries only for the geo you are configuring.

  5. Change the following:


    ImapProxyAservice.cfg 
            default:BindDN    "uid=msg-admin-mail-amer.example.com, ou=People, dc=example, dc=com"
            default:BindPass (verify PW for your msg-admin user and reset if needed)
      configutil values
            local.service.pab.ldapbinddn  (same DN as above)
            local.ugldapbinddn            (same DN as above)
            local.ugldapbindcred          (same PW as above)
            local.service.pab.ldappasswd  (same PW as above)
  6. Restart Messaging Server and test. Use, for example, the ImapProxy log to confirm that authentication is working as expected. Edit the LDIF or configuration information as needed; it all needs to match.

  7. Enable SSL by following the procedures To Request an SSL Certificate and To Install an SSL Certificate. Messaging Server uses the /opt/SUNWmsgsr/config/sslpassword.conf file.

Procedure: To Configure Messaging Server on the MTA Server

Steps
  1. Make sure the SUNWsndmr and SUNWsndmu packages are installed

  2. Stop sendmail if it's running


    # /etc/init.d/sendmail stop (for Solaris 9)
    # svcadm disable network/smtp:sendmail (for Solaris 10)
  3. Create or modify /etc/default/sendmail to prevent accidental start of sendmail in daemon mode. Add:


    MODE=""
  4. Edit sjsms-submit.mc and change the line that starts with FEATURE


    # cd /usr/lib/mail/cf
    # cp submit.mc sjsms-submit.mc

    FEATURE(`msp', `[cookbook-mail1.us.example.com]')dnl

    # /usr/ccs/bin/make sjsms-submit.cf
    # mv /etc/mail/submit.cf /etc/mail/submit.cf.orig
    # cp sjsms-submit.cf /etc/mail/submit.cf
  5. Add patch 113575-05. Note: future sendmail patches may overwrite submit.cf. You should always check submit.cf after applying such patches.

  6. Start sendmail


    # /etc/init.d/sendmail start (for Solaris 9)
    # svcadm enable network/smtp:sendmail (for Solaris 10)
  7. Repeat the above on the other node(s) if applicable

  8. Edit imta.cnf so that it matches the following (the original document marks the changed lines in bold; that highlighting is not preserved here):


    !
    ! IMTA configuration file 
    ! 
    ! part I : rewrite rules 
    ! 
    ! Domain Rewrite Rules. 
    ! Uncomment this line to use domain rewrite rules 
    ! from the configuration file instead of the domain database. 
    ! Please refer to the iMS documentation for details. 
    !<IMTA_TABLE:domains.rules
    ! 
    ! Rules to select local users
    $* $A$E$F$U%$H$V$H@mail-amer.example.com
    mail-amer.example.com $U%$D@mail-amer.example.com
    example.com $U%$D@mail-amer.example.com
    fe-amer-09.example.com $U@mail-amer.example.com
    phys-bedge5-1.us.example.com $U@mail-amer.example.com
    phys-bedge5-2.us.example.com $U@mail-amer.example.com
    localhost $U@mail-amer.example.com
    ! 
    ! ims-ms
    .ims-ms-daemon $U%$H.ims-ms-daemon@ims-ms-daemon
    !
    ! lmtp
    !.lmtp $U%$H@lmtpcs-daemon
    !
    ! lmtpn
    !.lmtpn $U%$H@lmtpcn-daemon
    ! 
    ! native
    .native-daemon $U%$H.native-daemon@native-daemon
    ! 
    ! pipe
    .pipe-daemon $U%$H.pipe-daemon@pipe-daemon
    ! 
    ! tcp_local 
    ! Rules for top level internet domains
    <IMTA_TABLE:internet.rules
    ! 
    ! tcp_intranet 
    ! Do mapping lookup for internal IP addresses
    [] $E$R${INTERNAL_IP,$L}$U%[$L]@tcp_intranet-daemon
    !.example.com $U%$H.example.com@tcp_intranet-daemon
    ! b complex back-end servers
    bedge1-mail1.us.example.com $U%$D@tcp_intranet-daemon
    bedge2-mail1.us.example.com $U%$D@tcp_intranet-daemon
    bedge3-mail1.us.example.com $U%$D@tcp_intranet-daemon
    bedge4-mail1.us.example.com $U%$D@tcp_intranet-daemon
    ! add back-end servers for global complexes
    aedge1-mail1.eu.example.com $U%$D@tcp_intranet-daemon
    ! ...
    * $U%$&0.example.com
    ! 
    ! tcp_example for internal example.com addresses
    .example.com $U%$H$D@tcp_example-daemon
    !
    ! reprocess
    reprocess $U%reprocess.mail-amer.example.com@reprocess-daemon
    reprocess.mail-amer.example.com $U%reprocess.mail-amer.example.com@reprocess-daemon
    ! 
    ! process
    process $U%process.mail-amer.example.com@process-daemon
    process.mail-amer.example.com $U%process.mail-amer.example.com@process-daemon
    ! 
    ! defragment
    defragment $U%defragment.mail-amer.example.com@defragment-daemon
    defragment.mail-amer.example.com $U%defragment.mail-amer.example.com@defragment-daemon
    ! 
    ! conversion
    conversion $U%conversion.mail-amer.example.com@conversion-daemon
    conversion.mail-amer.example.com $U%conversion.mail-amer.example.com@conversion-daemon
    ! 
    ! bitbucket
    bitbucket $U%bitbucket.mail-amer.example.com@bitbucket-daemon
    bitbucket.mail-amer.example.com $U%bitbucket.mail-amer.example.com@bitbucket-daemon
    ! 
    ! deleted
    deleted-daemon $U%$H@deleted-daemon
    .deleted-daemon $U%$H@deleted-daemon
    ! 
    ! inactive
    inactive-daemon $U%$H@inactive-daemon
    .inactive-daemon $U%$H@inactive-daemon
    ! 
    ! hold
    hold-daemon $U%$H@hold-daemon
    .hold-daemon $U%$H@hold-daemon
    
    ! 
    ! part II : channel blocks 
    ! 
    defaults notices 1 2 4 7 errwarnpost errsendpost postheadonly noswitchchannel immnonurgent maxjobs 7 logging defaulthost example.com example.com
    
    ! 
    ! delivery channel to local /var/mail store
    l subdirs 20 viaaliasrequired maxjobs 7 pool LOCAL_POOL
    mail-amer.example.com
    
    ! 
    ! ims-ms
    ims-ms defragment subdirs 20 notices 1 7 14 21 28 backoff "pt5m" "pt10m" "pt30m" "pt1h" "pt2h" "pt4h" maxjobs 2 pool IMS_POOL fileinto $U+$S@$D
    ims-ms-daemon
    
    ! 
    ! native
    native defragment subdirs 20 maxjobs 1
    native-daemon
    
    ! 
    ! pipe
    pipe single defragment subdirs 20
    pipe-daemon
    
    ! 
    ! tcp_local
    tcp_local smtp nomx single_sys remotehost daemon gis-relay.us.example.com inner switchchannel identnonenumeric subdirs 20 maxjobs 7 pool SMTP_POOL musttlsserver mustsaslserver saslswitchchannel tcp_auth missingrecipientpolicy 0 dequeue_removeroute
    tcp-daemon
    
    ! 
    ! tcp_example
    tcp_example smtp nomx single_sys remotehost daemon gis-relay.us.example.com inner switchchannel identnonenumeric subdirs 20 maxjobs 7 pool SMTP_POOL authrewrite 1 musttlsserver mustsaslserver saslswitchchannel tcp_auth missingrecipientpolicy 0 dequeue_removeroute
    tcp_example-daemon
    
    ! 
    ! tcp_iplanet
    tcp_iplanet smtp nomx single_sys remotehost daemon gis-relay.us.example.com inner switchchannel identnonenumeric subdirs 20 maxjobs 7 pool SMTP_POOL authrewrite 1 musttlsserver mustsaslserver saslswitchchannel tcp_auth missingrecipientpolicy 0 dequeue_removeroute
    tcp_iplanet-daemon
    ! 
    ! tcp_intranet
    tcp_intranet smtp nomx single_sys sourceblocklimit 10000 subdirs 20 maxjobs 7 pool SMTP_POOL maytlsserver allowswitchchannel saslswitchchannel tcp_auth missingrecipientpolicy 4
    tcp_intranet-daemon
    
    ! 
    ! tcp_submit
    tcp_submit submit smtp mx single_sys sourceblocklimit 10000 authrewrite 1 mustsaslserver musttlsserver missingrecipientpolicy 4
    tcp_submit-daemon
    
    ! 
    ! tcp_auth
    tcp_auth smtp mx single_sys authrewrite 1 sourceblocklimit 10000 musttlsserver mustsaslserver missingrecipientpolicy 4
    tcp_auth-daemon
    
    ! 
    ! tcp_tas
    tcp_tas smtp mx single_sys allowswitchchannel mustsaslserver maytlsserver deliveryflags 2
    tcp_tas-daemon
    
    
    !
    ! tcp_lmtpss (LMTP server - store)
    !tcp_lmtpss lmtp subdirs 20
    !tcp_lmtpss-daemon
    
    !
    ! tcp_lmtpsn (LMTP server - native)
    !tcp_lmtpsn lmtp subdirs 20
    !tcp_lmtpsn-daemon
    
    !
    ! tcp_lmtpcs (LMTP client - store)
    !tcp_lmtpcs defragment lmtp port 225 nomx single_sys subdirs 20 maxjobs 7 pool SMTP_POOL dequeue_removeroute
    !lmtpcs-daemon
    
    !
    ! tcp_lmtpcn (LMTP client - native)
    !tcp_lmtpcn defragment lmtp port 226 nomx single_sys subdirs 20 maxjobs 7 pool SMTP_POOL dequeue_removeroute
    !lmtpcn-daemon
    
    ! 
    ! reprocess
    reprocess
    reprocess-daemon
    
    ! 
    ! process
    process 
    process-daemon
    
    ! 
    ! defragment
    defragment 
    defragment-daemon
    
    ! 
    ! conversion
    conversion threaddepth 100 maxjobs 10 pool CONVERSION_POOL
    conversion-daemon
    
    ! 
    ! bitbucket
    bitbucket 
    bitbucket-daemon
  9. Edit option.dat


    ! MTA configuration options
    !
    ! This sets the alias resolution order
    !   8 = Use ALIAS_URL0
    !   7 = Use ALIAS_URL1
    !   6 = Use ALIAS_URL2
    !   4 = Use the alias file
    ALIAS_MAGIC=8764
    ALIAS_URL0=ldap:///$V?*?sub?$R
    USE_REVERSE_DATABASE=4
    REVERSE_URL=ldap:///$V?$N?sub?$R
    USE_DOMAIN_DATABASE=0
    ! MISSING_RECIPIENT_POLICY controls how illegal headers that don't
    ! contain any To:, Cc:, or Bcc: fields are handled for channels that 
    ! do not have their own explicit missingrecipientpolicy keyword set.
    ! The default of 0 means that the envelope addresses are used to 
    ! construct a valid To: header field. This default behavior tends 
    ! to be especially appropriate for the tcp_local channel.
    MISSING_RECIPIENT_POLICY=0
    MISSING_RECIPIENT_GROUP_TEXT=Undisclosed recipients
    ALIAS_DOMAINS=6
    !
    LDAP_SCHEMALEVEL=2
    !
    VACATION_TEMPLATE=file:///opt/SUNWmsgsr/data/vacation/$3I/$1U/$2U/$U.vac
    !
    ! custom add-ons below
    ALLOW_RECIPIENTS_PER_TRANSACTION=256
    LOG_CONNECTION=3
    LOG_MESSAGE_ID=1
    LOG_TRANSPORTINFO=1
    LOG_USERNAME=1
    SEPARATE_CONNECTION_LOG=1
    !LOG_PROCESS=1
  10. Edit the mappings file


    ! MTA mappings file
    ! for access control and other table lookups
    
    PORT_ACCESS
    
      *|*|*|*|*  $C$|INTERNAL_IP;$3|$Y$E
      *  $YEXTERNAL
    
    
    INTERNAL_IP
    
      $(10.1.82.183/24)  $Y
      $(129.147.156.0/24)  $Y
      127.0.0.1  $Y
      *  $N
    
    
    ORIG_SEND_ACCESS
    
      tcp_local|*|tcp_local|*  $N$D30|Relaying$ not$ allowed
      tcp_*|*|native|*  $N
      tcp_*|*|hold|*  $N
      tcp_*|*|pipe|*  $N
      tcp_*|*|ims-ms|*  $N
    !
    ! Block "external" submissions of explicitly source-routed "internal" addresses
    ! 
      tcp_local|*|tcp_intranet|@*:*.*   $N$D30|Explicit$ routing$ not$ allowed
      tcp_local|*|tcp_intranet|*$%*@*   $N$D30|Explicit$ routing$ not$ allowed
      tcp_local|*|tcp_intranet|*.*!*@*  $N$D30|Explicit$ routing$ not$ allowed
      tcp_local|*|tcp_intranet|"*@*"@*  $N$D30|Explicit$ routing$ not$ allowed
    
    
    SEND_ACCESS
    
      tcp_*|*|*|*@[127.*]  $X5.1.2|$NBad$ destination$ system
      tcp_*|*|*|*@localhost.*  $X5.1.2|$NBad$ destination$ system
      tcp_*|*|*|*@example.com  $X5.1.2|$NBad$ destination$ system
      tcp_*|*|*|*@example.net  $X5.1.2|$NBad$ destination$ system
      tcp_*|*|*|*@example.org  $X5.1.2|$NBad$ destination$ system
      tcp_*|*|*|*@*.test  $X5.1.2|$NBad$ destination$ system
      tcp_*|*|*|*@*.example  $X5.1.2|$NBad$ destination$ system
      tcp_*|*|*|*@*.invalid  $X5.1.2|$NBad$ destination$ system
      tcp_*|*|*|*@*.localhost  $X5.1.2|$NBad$ destination$ system
    
    
    CONVERSIONS
    
      in-chan=tcp_intranet;out-chan=tcp_example;CONVERT No
      in-chan=tcp_*;out-chan=*;CONVERT      Yes
      in-chan=l;out-chan=*;CONVERT          Yes
    
    
    <IMTA_TABLE:mappings.locale
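An added example, not code from the Sun guide, that evaluates an INTERNAL_IP table the way the mappings steps of the BE and MTA procedures use it (step 10 in each), models the PORT_ACCESS entry above that calls it, and checks the /26 host range quoted in the BE step. The sample table, client addresses, and the lint helper are constructed for this example.

```python
# Added example for this guide (not Sun's code): a small evaluator for the MTA
# INTERNAL_IP mapping table used in the BE and MTA "mappings" steps, plus a
# model of the PORT_ACCESS entry that calls it. The sample table and the
# client addresses below are constructed for this example.
import ipaddress
import re

# $(a.b.c.d/NN) is the MTA's CIDR-match syntax inside a mapping pattern.
CIDR_PATTERN = re.compile(r"^\$\((\d{1,3}(?:\.\d{1,3}){3})/(\d{1,2})\)$")
# A dotted quad with a prefix but without the leading "$(" is a literal
# string that can never equal a client address; lint_internal_ip flags it.
BARE_CIDR = re.compile(r"^\(?\d{1,3}(?:\.\d{1,3}){3}/\d{1,2}\)?$")


def parse_internal_ip(table_text):
    """Parse the body of an INTERNAL_IP table into an ordered rule list.

    Each rule is (kind, argument, result): kind is "cidr", "exact" or "any".
    Lines beginning with "!" are MTA comments; the table-name line has no
    result and is skipped as well.
    """
    rules = []
    for raw in table_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        pattern, _, result = line.partition(" ")
        result = result.strip()
        if not result:
            continue  # "INTERNAL_IP" header line
        m = CIDR_PATTERN.match(pattern)
        if m:
            net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            rules.append(("cidr", net, result))
        elif pattern == "*":
            rules.append(("any", None, result))
        else:
            rules.append(("exact", pattern, result))  # matched literally
    return rules


def lint_internal_ip(table_text):
    """Return warnings for entries that look like CIDR ranges but are not."""
    warnings = []
    for raw in table_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        pattern = line.split()[0]
        if "##" in pattern:
            warnings.append(f"unresolved /NN placeholder: {pattern}")
        elif BARE_CIDR.match(pattern):
            warnings.append(f"missing $( ) around CIDR, matched literally: {pattern}")
    return warnings


def classify(client_ip, rules):
    """Return the result ("$Y" or "$N") of the first matching entry, or None."""
    ip = ipaddress.ip_address(client_ip)
    for kind, arg, result in rules:
        if kind == "cidr" and ip in arg:
            return result
        if kind == "exact" and arg == client_ip:
            return result
        if kind == "any":
            return result
    return None  # no entry matched: the mapping probe fails


def is_internal(client_ip, rules):
    return classify(client_ip, rules) == "$Y"


def port_access(probe, rules):
    """Model the two PORT_ACCESS entries from the MTA mappings file:

        *|*|*|*|*  $C$|INTERNAL_IP;$3|$Y$E
        *  $YEXTERNAL

    The probe is "TCP|server-ip|server-port|client-ip|client-port", so $3 is
    the client address. An internal client succeeds with no tag (empty
    result); any other client falls through and is tagged EXTERNAL.
    """
    client_ip = probe.split("|")[3]
    return "" if is_internal(client_ip, rules) else "EXTERNAL"


def cidr_host_range(cidr):
    """First and last usable host of a range, e.g. the /26 quoted in step 10."""
    hosts = list(ipaddress.ip_network(cidr, strict=False).hosts())
    return str(hosts[0]), str(hosts[-1])


# Constructed sample: the MTA-side table with "$(" on both CIDR entries.
SAMPLE_TABLE = """
INTERNAL_IP

  $(10.1.82.183/24)  $Y
  $(129.147.156.0/24)  $Y
  127.0.0.1  $Y
  *  $N
"""

if __name__ == "__main__":
    rules = parse_internal_ip(SAMPLE_TABLE)
    print(cidr_host_range("129.147.156.99/26"))
    for client in ("10.1.82.175", "192.0.2.10"):
        print(client, port_access(f"TCP|10.1.82.187|25|{client}|51000", rules) or "internal")
```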
  11. Install the scan-attachment.sh script and make sure its permission and ownership are correct:


    fe-amer-N# cd /opt/SUNWmsgsr/config
    fe-amer-N# ls -ld scripts/  
    drwxr-xr-x   2 mailsrv  mailsrv      512 Apr 20 00:37 scripts/
    fe-amer-N# ls -ld scripts/scan-attachment.sh 
    -rwxr--r--   1 mailsrv  mailsrv     5330 Apr 20 00:35 scripts/scan-attachment.sh
  12. Create the conversions file:


    ! Scan attachments for banned prefixes that often contain viruses
      in-channel=*; out-channel=*;
      in-type=*; in-subtype=*;
      parameter-symbol-0=NAME; parameter-copy-0=*;
      dparameter-symbol-0=FILENAME; dparameter-copy-0=*;
      message-header-file=2; original-header-file=1;
      override-header-file=1;
      command="/opt/SUNWmsgsr/config/scripts/scan-attachment.sh"
  13. Edit the dispatcher.cnf file so that it matches the following (the original document highlights the changed lines; that highlighting is not preserved here):


    ! VERSION=1.1
    ! IMTA default dispatcher configuration file
    !
    ! Global defaults
    !
    MIN_PROCS=1
    MAX_PROCS=10
    MIN_CONNS=30
    MAX_CONNS=50
    MAX_SHUTDOWN=2
    MAX_LIFE_TIME=86400
    MAX_LIFE_CONNS=10000
    MAX_IDLE_TIME=600
    HISTORICAL_TIME=0
    !
    ! multithreaded SMTP server
    !
    [SERVICE=SMTP]
    PORT=25,12196
    ! Uncomment the following line if you want to support SSL on the alternate
    ! port 465
    TLS_PORT=465
    IMAGE=IMTA_BIN:tcp_smtp_server
    LOGFILE=IMTA_LOG:tcp_smtp_server.log
    STACKSIZE=2048000
    ! Uncomment the following line and set INTERFACE_ADDRESS to an appropriate
    ! host IP (dotted quad) if the dispatcher needs to listen on a specific
    ! interface (e.g. in a HA environment).
    INTERFACE_ADDRESS=10.1.82.187,127.0.0.1
    !
    ! rfc 2476 Submit server
    !
    [SERVICE=SMTP_SUBMIT]
    PORT=587
    IMAGE=IMTA_BIN:tcp_smtp_server
    LOGFILE=IMTA_LOG:tcp_smtp_server.log
    PARAMETER=CHANNEL=tcp_submit
    STACKSIZE=2048000
    ! Uncomment the following line and set INTERFACE_ADDRESS to an appropriate
    ! host IP (dotted quad) if the dispatcher needs to listen on a specific
    ! interface (e.g. in a HA environment).
    INTERFACE_ADDRESS=10.1.82.187
    !
    ! rfc 2033 LMTP server - store
    !
    ![SERVICE=LMTPSS]
    !PORT=225
    !IMAGE=IMTA_BIN:tcp_lmtp_server
    !LOGFILE=IMTA_LOG:tcp_lmtpss_server.log
    !PARAMETER=CHANNEL=tcp_lmtpss
    !STACKSIZE=2048000
    ! Uncomment the following line and set INTERFACE_ADDRESS to an appropriate
    ! host IP (dotted quad) if the dispatcher needs to listen on a specific
    ! interface (e.g. in a HA environment).
    !INTERFACE_ADDRESS=
    !
    ! rfc 2033 LMTP server - native
    !
    ![SERVICE=LMTPSN]
    !PORT=226
    !USER=root
    !IMAGE=IMTA_BIN:tcp_lmtpn_server
    !LOGFILE=IMTA_LOG:tcp_lmtpsn_server.log
    !PARAMETER=CHANNEL=tcp_lmtpsn
    !STACKSIZE=2048000
    ! Uncomment the following line and set INTERFACE_ADDRESS to an appropriate
    ! host IP (dotted quad) if the dispatcher needs to listen on a specific
    ! interface (e.g. in a HA environment).
    !INTERFACE_ADDRESS=
    !
  14. Edit the job_controller.cnf file:


    [POOL=SMTP_POOL]
    job_limit=10
    !
    [POOL=CONVERSION_POOL]
    job_limit=10
    !
    !Channel definitions
    !
  15. Edit the aliases file


    ! MTA aliases file
    !
    !root@example.com: postmast
    adm@mail-amer.example.com: postmast
    root@mail-amer.example.com: postmast
    postmaster@mail-amer.example.com: postmast
    examplemc-alert:    root@mail-amer.example.com
    examplemc-critical:   root@mail-amer.example.com
  16. Add BE relay host to /etc/hosts (different site uses different BE relay host, refer to EdgeProfile):


    fe-amer-N# grep gis-relay /etc/hosts
    10.1.99.30    amerea-mail.example.com gis-relay.us.example.com
  17. Create symbolic link for the certmap.conf file to workaround known issue 5008768:


    fe-amer-N# cd /opt/SUNWmsgsr/config
    fe-amer-N# ls -l certmap*
    lrwxrwxrwx   1 root     other         34 Apr 20 00:16 certmap.conf -> /opt/ds/shared/config/certmap.conf
  18. Edit the imta_tailor file to place MTA logs into the imta subdirectory:


    fe-amer-N# cd /opt/SUNWmsgsr/config
    fe-amer-N# cp imta_tailor imta_tailor.orig_`date +%Y%m%d`
    fe-amer-N# sed s/"\/log\//\/log\/imta\/"/ imta_tailor.orig_`date +%Y%m%d` > imta_tailor
  19. Compile this new configuration and restart the dispatcher with the following commands:


    fe-amer-N# imsimta cnbuild
    fe-amer-N# imsimta restart dispatcher
  20. Configure the logadm utility:


    fe-amer-N# mkdir /opt/SUNWmsgsr/log/imta/archive
    fe-amer-N# chown mailsrv:mailsrv /opt/SUNWmsgsr/log/imta/archive
    fe-amer-N# logadm -w mail -C 28 -p 1d -t \
        '/opt/SUNWmsgsr/log/imta/archive/mail.log.$n' \
        -z 6 /opt/SUNWmsgsr/log/imta/mail.log
    fe-amer-N# logadm -w attach -C 28 -c -t \
        '/opt/SUNWmsgsr/log/imta/archive/attachment.log.$n' -z 6 \
        /opt/SUNWmsgsr/log/imta/attachment.log_current
    fe-amer-N# logadm -w virus -C 28 -c -t \
        '/opt/SUNWmsgsr/log/imta/archive/virus.log.$n' \
        -z 6 /opt/SUNWmsgsr/log/imta/virus-attachment.log_current
    fe-amer-N# logadm -w connection -C 28 -t \
        '/opt/SUNWmsgsr/log/imta/archive/connection.log.$n' \
        -z 6 /opt/SUNWmsgsr/log/imta/connection.log
  21. If there is a dedicated queue partition, relocate imta/queue


    fe-amer-N# stop-msg smtp
    fe-amer-N# mkdir -p /imta/queue
    fe-amer-N# chown mailsrv:mailsrv /imta/queue
    fe-amer-N# cd /opt/SUNWmsgsr/data
    fe-amer-N# ln -s /imta/queue queue
    fe-amer-N# start-msg smtp
  22. Create an alias smarthost.example.com for the GIS relay VIP in /etc/hosts, so that mail falls back through the local smarthost rather than depending on a single GIS relay VIP:


    10.1.99.30 gis-relay.us.example.com smarthost.example.com

ProcedureTo Configure Messaging Server on the MMP Server

Steps
  1. Make backups of the original MMP configuration files AService.cfg and ImapProxyAService.cfg:


    # cd /opt/SUNWmsgsr/config
    # cp AService.cfg AService.cfg.orig_`date +%Y%m%d`
    # cp ImapProxyAService.cfg ImapProxyAService.cfg.orig_`date +%Y%m%d`
  2. Edit the AService.cfg file:


    default:ServiceList /opt/SUNWmsgsr/lib/ImapProxyAService@10.1.82.187:143|10.1.82.187:993
    default:LogDir       /opt/SUNWmsgsr/data/log/mmp
    default:NumThreads   2
  3. Edit the ImapProxyAService.cfg file. For odd-numbered FEs, list the Directory Servers in the order -03, -02, -01. For even-numbered FEs, list them in the order -02, -03, -01.


    default:LdapUrl "ldap://ds-amer-03.us.example.com ds-amer-02.us.example.com ds-amer-01.us.example.com/dc=example,dc=com"
    default:LogDir /opt/SUNWmsgsr/data/log/mmp
    default:LogLevel 10
    default:BindDN   "uid=msg-admin-mail-amer.example.com, ou=People, dc=example, dc=com"
    default:BindPass "password"
    default:BacksidePort 143
    default:SearchFormat (uid=%s)
    default:SSLEnable         yes
    default:SSLPorts          993
    default:SSLCertNicknames  Server-Cert
    default:SSLKeyPasswdFile  /opt/SUNWmsgsr/config/sslpassword.conf
    default:SSLCacheDir       /opt/SUNWmsgsr/config
    default:SSLSecmodFile     secmod.db
    default:SSLCertPrefix     ""
    default:SSLKeyPrefix      ""
    default:SSLBacksidePort   0
    default:RestrictPlainPasswords yes
    default:ConnLimits 129.0.0.0|255.0.0.0:10000,0.0.0.0|0.0.0.0:500
    default:LdapCacheSize 10000
    default:LdapCacheTTL 900
  4. Create log directory


    # mkdir /opt/SUNWmsgsr/data/log/mmp
    # chown mailsrv:mailsrv /opt/SUNWmsgsr/data/log/mmp
    # chmod 755 /opt/SUNWmsgsr/data/log/mmp
  5. Restart the service and verify that IMAP is working properly. If so, and assuming certificates have been configured, turn on SSL by uncommenting the following lines in ImapProxyAService.cfg:


    default:SSLEnable         yes
    default:RestrictPlainPasswords yes

ProcedureTo Configure Messaging Server on the MEM Server

Before You Begin

Validate that webmail is working properly and that you can connect to the back end server via the front end webmail connection.

Steps
  1. Set up configutil


    # configutil -o service.http.ipsecurity -v yes
    # configutil -o local.service.http.proxy -v 1
  2. Restart webmail


    # stop-msg http
    # start-msg http
  3. Verify that, when you connect, the URL displayed does not change to that of the back end server.

  4. Complete steps for configuring *MailFilters*

  5. Verify BE/D2 mail servers are configured for port 444 for mail filters.


    # configutil -o local.webmail.sieve.port -v 444

    Add ports 92 and/or 444 to the Web Server server.xml file on the FE/D1 nodes (in /opt/SUNWwbsvr/https-mail-amer.example.com/config). Add or replace the series of LS sections as follows, substituting your GEO and your IP address and modifying ports as needed. Note: each LS section is a single line; each SSLPARAMS section is a single line.

    Port 92 is not required for Foundry sites; ports 80, 443, and 444 are required. Port 443 is not needed for Nauticus sites; one of port 92 or 444 will be used for mail filters (this still needs to be tested to confirm).


    <LS id="ls1" port="80" servername="mail-amer.example.com" defaultvs="https-mail-am
    er.example.com" security="false" ip="10.1.82.187" blocking="false" acceptorthread
    s="1" />
      <LS id="ls2" port="92" servername="mail-amer.example.com" defaultvs="https-mail-am
    er.example.com" security="false" ip="10.1.82.187" blocking="false" acceptorthread
    s="1" />
      <LS id="ls3" port="444" servername="mail-amer.example.com" defaultvs="https-mail-a
    mer.example.com" security="true" blocking="false" acceptorthreads="1" ip="10.1.82
    .187">
        <SSLPARAMS servercertnickname="Server-Cert" ssl2="off" ssl2ciphers="-rc4,-rc
    4export,-rc2,-rc2export,-desede3,-des" ssl3="on" tls="on" ssl3tlsciphers="+rsa_r
    c4_128_sha,+rsa_rc4_128_md5,-rsa_rc4_56_sha,-rsa_rc4_40_md5,+rsa_3des_sha,-rsa_d
    es_sha,-rsa_des_56_sha,-rsa_rc2_40_md5,-rsa_null_md5,-fortezza,-fortezza_rc4_128
    _sha,-fortezza_null,+fips_3des_sha,-fips_des_sha" tlsrollback="on" clientauth="o
    ff"/>
      </LS> 
  6. Restart the Web Server and verify that it is listening on the correct ports and that there are no error messages in the logs:


    # /opt/SUNWwbsvr/https-mail-amer.example.com/stop
    # /opt/SUNWwbsvr/https-mail-amer.example.com/start
  7. Deploy the MailFilter war file


    # /opt/SUNWwbsvr/bin/https/httpadmin/bin/wdeploy deploy \
        -u /MailFilter -i https-mail-amer.example.com \
        -v https-mail-amer.example.com /opt/SUNWmsgsr/SUNWmsgmf/MailFilter.war
  8. Test Mail Filters from a webmail connection on the corporate network.

  9. Remove Password option from Messenger Express:


    --- /opt/SUNWmsgsr/config/html/opts_fs.html.orig    Thu Mar 31 16:04:17 2005
    +++ /opt/SUNWmsgsr/config/html/opts_fs.html Wed Aug 10 10:00:26 2005
    @@ -131,8 +131,6 @@
           'javascript:parent.toggle(\'summary\')') +
         getToggle(main.i18n['personal'], 'personal',
           'javascript:parent.toggle(\'personal\')') +
    -    getToggle(main.i18n['password'], 'password',
    -      'javascript:parent.toggle(\'password\')') +
         (main.cfgFrame.mbox.length == 0 ?  :
         getToggle(main.i18n['settings'], 'settings',
           'javascript:parent.toggle(\'settings\')')) +
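    Review bot: the unchanged context line `(main.cfgFrame.mbox.length == 0 ?  :` has an empty true branch in the conditional, which is a JavaScript syntax error as printed; check that the deployed opts_fs.html still carries the literal this listing has lost (an empty string is the obvious candidate) before applying the hunk, or the whole options frame will fail to render. Also, the two removed getToggle lines only drop the password link from the options menu in the client; nothing in the hunk disables the password-change handling itself, so confirm separately that the function is unavailable and not merely unlinked.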

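As an added example (not part of the cookbook or of Sun's Web Server tooling), the following Python script audits an SSLPARAMS element such as the ls3 entry in step 5 of the MEM procedure above. It splits the ssl3tlsciphers value using the +/- prefix syntax the listing uses, flags any enabled export, 40/56-bit, NULL or single-DES cipher (and SSLv2) as forbidden, and reports RC4 and SSLv3 as legacy, which reflects current guidance rather than the 2005 baseline of this page. The sample element is constructed from the values shown above; the category names and marker substrings are this example's own choices.

```python
"""Audit an SSLPARAMS element from a Sun Java System Web Server 6.1 server.xml.

Added example; not code from the EdgeMail cookbook. The cipher syntax assumed
here is the one shown in the page's LS/SSLPARAMS sample: a comma-separated
list where a leading '+' enables a cipher and a leading '-' disables it.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the SSLPARAMS line of the ls3 listen socket above.
SAMPLE_SSLPARAMS = (
    '<SSLPARAMS servercertnickname="Server-Cert" ssl2="off" '
    'ssl2ciphers="-rc4,-rc4export,-rc2,-rc2export,-desede3,-des" '
    'ssl3="on" tls="on" '
    'ssl3tlsciphers="+rsa_rc4_128_sha,+rsa_rc4_128_md5,-rsa_rc4_56_sha,'
    '-rsa_rc4_40_md5,+rsa_3des_sha,-rsa_des_sha,-rsa_des_56_sha,'
    '-rsa_rc2_40_md5,-rsa_null_md5,-fortezza,-fortezza_rc4_128_sha,'
    '-fortezza_null,+fips_3des_sha,-fips_des_sha" '
    'tlsrollback="on" clientauth="off"/>'
)

# Substrings that mark a cipher as unacceptable: export grades, 40/56-bit
# keys, NULL encryption and single DES (both the rsa_ and fips_ spellings).
FORBIDDEN_MARKERS = ("export", "_40_", "_56_", "null", "rsa_des_", "fips_des_")
# RC4 is enabled in the cookbook's 2005 configuration; a current audit reports
# it separately as legacy rather than forbidden. (Marker choice is ours.)
LEGACY_MARKERS = ("rc4",)


def parse_cipher_spec(spec):
    """Split a '+name,-name' cipher spec into (enabled, disabled) name lists."""
    enabled, disabled = [], []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        if item[0] == "+":
            enabled.append(item[1:])
        elif item[0] == "-":
            disabled.append(item[1:])
        else:
            raise ValueError(f"cipher entry without +/- prefix: {item!r}")
    return enabled, disabled


def audit_sslparams(fragment):
    """Audit one SSLPARAMS element; returns its enabled ciphers and findings.

    Findings are (category, detail) tuples: 'forbidden' for SSLv2 and for
    export/40-bit/56-bit/NULL/single-DES ciphers, 'legacy' for SSLv3 and RC4.
    """
    elem = ET.fromstring(fragment)
    if elem.tag != "SSLPARAMS":
        raise ValueError(f"expected an SSLPARAMS element, got {elem.tag}")
    findings = []
    if elem.get("ssl2", "off").lower() == "on":
        findings.append(("forbidden", "ssl2 enabled"))
    if elem.get("ssl3", "off").lower() == "on":
        findings.append(("legacy", "ssl3 enabled"))
    enabled, _disabled = parse_cipher_spec(elem.get("ssl3tlsciphers", ""))
    for cipher in enabled:
        if any(marker in cipher for marker in FORBIDDEN_MARKERS):
            findings.append(("forbidden", cipher))
        elif any(marker in cipher for marker in LEGACY_MARKERS):
            findings.append(("legacy", cipher))
    return {"enabled": enabled, "findings": findings}


if __name__ == "__main__":
    report = audit_sslparams(SAMPLE_SSLPARAMS)
    print("enabled:", ", ".join(report["enabled"]))
    for category, detail in report["findings"]:
        print(f"{category:9s} {detail}")
```

Run against the page's own string, the script reports no forbidden item: SSLv2 is off and every export, 40/56-bit, NULL and single-DES suite is disabled, leaving RC4-128 and 3DES, with RC4 and SSLv3 listed under legacy. Re-run it after any edit to the LS sections, since a single sign flipped in the cipher string silently re-enables a suite.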
4.8 Installing and Configuring Calendar Server

Calendar Server is installed on all the FE systems where Communications Express will be installed. Calendar Server is also installed on all of the BE clusters designated for calendaring usage. Perform the following procedures in the order they are listed here:

ProcedureTo Install Calendar Server on FE Servers

Steps
  1. Create the icsuser userid and icsgroup groupid.


    /etc/passwd: icsuser:x:503:503::/home/icsuser:/bin/pfsh
    /etc/shadow: icsuser:NP:::::::
    /etc/group: icsgroup::503:
    /etc/group: nobody::60001: (Needed for installing patches later on)
  2. Verify that the calmaster account and attributes already exist in ldap:


    phys-bedgeN-1# ldapsearch -h ds-amer-01 -b dc=example,dc=com uid=calmaster
  3. Ensure that the hostname cal-amer.example.com is plumbed and working

  4. Install Calendar Server using the JES installer (select all languages and the Configure Later option during the installation):


    fe-amer-N# cd /var/bits/java_es/Solaris_sparc
    fe-amer-N# ./installer -nodisplay
    
    Sun Java(TM) System Calendar Server 6 2004Q2 (via JES installer)

ProcedureTo Install Calendar Server on BE Servers

This procedure first configures HA on the server. Use /shared/bedge5/cal/opt as the CalendarServerPath.

Steps
  1. Make sure the appropriate mountpoints are in the /etc/vfstab files


    /dev/md/bedge5-ds/dsk/d300 /dev/md/bedge5-ds/rdsk/d300 /shared/bedge5/cal/opt ufs 2 no logging
    /dev/md/bedge5-ds/dsk/d301 /dev/md/bedge5-ds/rdsk/d301 /shared/bedge5/cal/dbbackup ufs 2 no logging,nosuid
  2. Add IP and hostname for logical host (bedge5-cal1) in /etc/hosts of both nodes.

  3. Run the HA commands for calendar (this assumes that the cluster software was installed in accordance with this document):


    phys-bedgeN-1# scrgadm -a -t SUNW.HAStoragePlus
    phys-bedgeN-1# scrgadm -a -t SUNW.scics
    phys-bedgeN-1# scrgadm -a -g cal1-svc-rg -h phys-bedgeN-1,phys-bedgeN-2
    phys-bedgeN-1# scrgadm -a -L -g cal1-svc-rg -j cal1-addr-rs -l bedge5-cal1
    phys-bedgeN-1# scrgadm -a -j cal1-storplus-rs -g cal1-svc-rg \
        -t SUNW.HAStoragePlus -x FilesystemMountPoints=/shared/bedge5/cal/opt,/shared/bedge5/cal/dbbackup \
        -x AffinityOn=True
  4. Enable the resource to mount the shared filesystems prior to installing calendar


    phys-bedgeN-1# scswitch -Z -g cal1-svc-rg
    phys-bedgeN-1# scswitch -e -j cal1-storplus-rs
  5. Verify that the /shared/bedge5/cal/opt and /shared/bedge5/cal/dbbackup directories are mounted on node 1, where Calendar Server will be installed.

  6. Install Calendar Server on node 1 using the Java ES installer:


    phys-bedgeN-1# cd /var/bits/java_es/Solaris_sparc
    phys-bedgeN-1# ./installer -nodisplay

    When prompted, select all languages and the Configure Later option. When you select Calendar Server for installation, Directory Server is automatically selected, but you must deselect it before proceeding.

  7. On node 2, install the following software: SUNWicu, SUNWldk, SUNWpr, SUNWsasl, and SUNWtls


    phys-bedgeN-2# cd /var/bits/java_es/Solaris_sparc/Product/shared_components/Solaris_9/Packages
    phys-bedgeN-2# pkgadd -d . SUNWicu SUNWpr SUNWsasl SUNWtls
    phys-bedgeN-2# cd /var/bits/java_es/Solaris_sparc/Product/shared_components/Packages
    phys-bedgeN-2# pkgadd -d . SUNWldk

ProcedureTo Configure Calendar Server on BE Clusters

Before You Begin

Make sure directory server is configured and hostname is in /etc/hosts on both nodes. Know the Bind DN password and login (cn=directory manager) for ldap and the calmaster password.

Steps
  1. Run the calendar configurator on node 1, the active calendar node:


    phys-bedgeN-1# cd /shared/bedge5/cal/opt/SUNWics5/cal/sbin
    phys-bedgeN-1# sh ./csconfigurator.sh -nodisplay
    
    Provide the following information during the configuration
    
    Sample:
       LDAP Server Name: ds-amer-02.us.example.com
       LDAP Port: 389
       Directory Manager Bind DN: cn=Directory Manager
       Directory Manager Bind Password: xxxxxxxx
       Base DN:  dc=example,dc=com
       Calendar Administrator Username:  calmaster
       Calendar Administrator Password: xxxxxxxx
       Email Alarms:  Enabled
    
       Administrator Email Address: wwcs-csg-if@example.com
       SMTP Hostname: mail-amer.example.com
       Service Port: [80]
       Maximum Sessions: [5000]
       Maximum Threads: [20]
       Number of server processes: [4]
       Runtime Username:  icsuser
       Runtime Usergroup:  icsgroup
       Start after successful installation:    No
       Start on system startup:  No
       Config Directory: /etc/opt/SUNWics5/config
       Database location: /shared/bedge5/cal/opt/csdb
       Logs: /shared/bedge5/cal/opt/logs
       Temporary Files: /shared/bedge5/cal/opt/tmp
  2. Move the config directory to the shared filesystem


    phys-bedgeN-1# cd /shared/bedge5/cal/opt/SUNWics5/cal
    phys-bedgeN-1# rm config
    phys-bedgeN-1# cp -pr /etc/opt/SUNWics5/config .
    phys-bedgeN-1# cd /shared/bedge5/cal/opt/SUNWics5/cal/lib
    phys-bedgeN-1# rm config
    phys-bedgeN-1# ln -s ../config config
    phys-bedgeN-1# cd /shared/bedge5/cal/opt/SUNWics5/cal/sbin 
    phys-bedgeN-1# rm config
    phys-bedgeN-1# ln -s ../config config
  3. Create the hotbackup and archive directories for database backups:


    phys-bedgeN-1# cd /shared/bedge5/cal/dbbackup
    phys-bedgeN-1# mkdir hotbackup archive
    phys-bedgeN-1# chown icsuser:icsgroup hotbackup
    phys-bedgeN-1# chown icsuser:icsgroup archive
  4. Edit the ics.conf file and add the following to the end of the file. Change shared paths and add IP for logical host.


    phys-bedgeN-1# cd /shared/bedge5/cal/opt/SUNWics5/cal/config
    phys-bedgeN-1# cp ics.conf ics.conf.orig

    ! Configure hotbackups and archiving
    !
    caldb.berkeleydb.archive.path = "/shared/bedge5/cal/dbbackup/archive"
    caldb.berkeleydb.archive.enable = "yes"
    caldb.berkeleydb.archive.mindays = "3"
    caldb.berkeleydb.archive.maxdays = "5"
    caldb.berkeleydb.archive.threshold = "70"
    ! Interval between hotbackup or archivebackup in seconds
    caldb.berkeleydb.archive.interval = "120"
    !
    caldb.berkeleydb.hotbackup.enable = "yes"
    caldb.berkeleydb.hotbackup.path = "/shared/bedge5/cal/dbbackup/hotbackup"
    caldb.berkeleydb.hotbackup.mindays = "3"
    caldb.berkeleydb.hotbackup.maxdays = "5"
    caldb.berkeleydb.hotbackup.threshold = "70"
    logfile.store.logname = "store.log"
    !
    ! End -- Hotbackup/Archiving section
    !
    local.server.ha.enabled = "yes"
    local.server.ha.agent = "SUNWscics"
    service.http.listenaddr = "logicalHostIP"
  5. Modify the ics.conf file with the following parameters. When adding parameters to the ics.conf file that don't already exist, add them in the alphabetical order of the parameter name.


    caldb.berkeleydb.circularlogging = "no"
    caldb.serveralarms.contenttype = "text/xml"
    caldb.serveralarms.url = "enp:///ics/customalarm"
    service.calendarsearch.ldap = "y"
    caldb.cld.type = "directory"
    logfile.loglevel = "Information"
    service.dwp.enable = "yes"
    service.dwp.port = "9779"
    service.ens.port = "7997"
    local.hostname = "bedge5-cal1.us.example.com"
    local.servername = "bedge5-cal1.us.example.com"
    service.ens.host = "bedge5-cal1.us.example.com"
    service.http.calendarhostname = "bedge5-cal1.us.example.com"

    Uncomment the following two lines:


    caldb.serveralarms.url = "enp:///ics/customalarm"
    caldb.serveralarms.contenttype = "text/xml"

    Comment out this line:


    !service.listenaddr = "INADDR_ANY"

    Locate the first line below and add the second one after it:


    service.siteadmin.userid = ""
    service.store.enable = "yes"
    

    Uncomment the default DWP server entry and set it appropriately:


    ! Default DWP server (LDAP CLD only), used if user's icsDWPhost value does not exist.
    !
    caldb.dwp.server.default = "bedge5-cal1.us.example.com"
  6. Update all existing ics.conf files (FEs and BEs) with new calendar backend server information. In order for all of the frontend calendar servers to be able to communicate with all of the backend database servers, all backend servers must be listed in all ics.conf files. Services must be restarted in order for this change to take effect.

    The following parameter must be uncommented in the ics.conf files and parameters changed on all servers (front and back ends) when a new backend server is brought on line:


    caldb.dwp.server.bedge5-cal1.us.example.com.ip = "bedge5-cal1.us.example.com"
  7. The fully qualified name for the calendar server MUST be the first entry in /etc/hosts files on all systems for this to work and the /etc/nsswitch.conf MUST be set up correctly. Example /etc/hosts file entry for BRM:


    10.1.82.143  bedge5-cal1.us.example.com bedge5-cal1.us.example.com bedge5-cal1

    For reference, a copy of the current ics.conf file from the Broomfield BE calendar cluster is in the appendix of this cookbook.

  8. Create the cal1-svc resource and define dependencies.


    phys-bedgeN-1# mkdir /shared/bedge5/cal/opt/opt
    phys-bedgeN-1# cd /shared/bedge5/cal/opt/opt
    phys-bedgeN-1# ln -s ../SUNWics5 SUNWics5
    phys-bedgeN-1# scrgadm -a -j cal1-svc-rs -g cal1-svc-rg -t SUNW.scics \
        -x Confdir_list=/shared/bedge5/cal/opt -y \
        Resource_dependencies=cal1-storplus-rs,cal1-addr-rs -y Port_list=80/tcp
    phys-bedgeN-1# scswitch -e -j cal1-svc-rs
  9. Verify that cal1-svc-rg, cal1-addr-rs, cal1-storplus-rs, and cal1-svc-rs are online and calendar processes running on node 1.


    phys-bedgeN-1# scstat -g
    phys-bedgeN-1# ps -ef | grep icsuser
  10. Verify services can be switched over to Node 2 successfully, and back again


    phys-bedgeN-1# scswitch -z -g cal1-svc-rg -h phys-bedge5-2
    phys-bedgeN-1# scstat -g
    phys-bedgeN-1# scswitch -z -g cal1-svc-rg -h phys-bedge5-1
    phys-bedgeN-1# scstat -g
  11. Duplicate the contents of /var/sadm/pkg/SUNWics5 on the other node. This is primarily for monitoring so that SunMC can determine if the package exists and set $serverroot. On the node that calendar was installed:


    phys-bedgeN-1# mkdir /global/.devices/node@1/tmp
    phys-bedgeN-1# cd /var/sadm/pkg
    phys-bedgeN-1# tar cf /global/.devices/node@1/tmp/ics5.tar SUNWics5

    On the other node:


    phys-bedgeN-2# cd /var/sadm/pkg
    phys-bedgeN-2# tar xf /global/.devices/node@1/tmp/ics5.tar
    phys-bedgeN-2# rm -r /global/.devices/node@1/tmp
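As an added example for step 7 (and for the matching note in the FE procedure that follows), not part of the cookbook: the Python script below reads the caldb.dwp.server entries from an ics.conf and checks each back-end name against /etc/hosts, treating "first entry" as the first hostname after the address on its line, which is the canonical name the resolver returns for that address from the files source. The ics.conf and hosts samples are constructed from the names in this section; the sedge3 address 10.1.99.5 and the reversed name order on that line are invented to show a failing case.

```python
"""Cross-check Calendar Server DWP back ends (ics.conf) against /etc/hosts.

Added example; not code from the EdgeMail cookbook. Assumption: the page's
"first entry" requirement means the FQDN must be the first name after the
address on its /etc/hosts line.
"""
import re

# Constructed samples using the names shown in this section. The sedge3
# address and its reversed name order are invented to show a failing case.
SAMPLE_ICS_CONF = """\
! Default DWP server (LDAP CLD only), used if user's icsDWPhost value does not exist.
caldb.dwp.server.default = "bedge5-cal1.us.example.com"
caldb.dwp.server.bedge5-cal1.us.example.com.ip = "bedge5-cal1.us.example.com"
caldb.dwp.server.sedge3-cal1.singapore.example.com.ip = "sedge3-cal1.singapore.example.com"
service.dwp.port = "9779"
"""

SAMPLE_HOSTS = """\
127.0.0.1       localhost
10.1.82.143     bedge5-cal1.us.example.com bedge5-cal1.us.example.com bedge5-cal1
10.1.99.5       sedge3-cal1 sedge3-cal1.singapore.example.com
"""

DEFAULT_RE = re.compile(r'^caldb\.dwp\.server\.default\s*=\s*"([^"]*)"')
SERVER_RE = re.compile(r'^caldb\.dwp\.server\.(\S+?)\.ip\s*=\s*"([^"]*)"')


def parse_ics_conf(text):
    """Return (default_host, {entry_name: host}) from the active ics.conf lines.

    Lines starting with '!' are ics.conf comments and are skipped, so an entry
    that was never uncommented does not count as configured.
    """
    default, servers = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = DEFAULT_RE.match(line)
        if m:
            default = m.group(1)
            continue
        m = SERVER_RE.match(line)
        if m:
            servers[m.group(1)] = m.group(2)
    return default, servers


def parse_hosts(text):
    """Map every name in /etc/hosts to (address, canonical name on that line)."""
    names = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        address, canonical = fields[0], fields[1]
        for name in fields[1:]:
            names.setdefault(name, (address, canonical))
    return names


def check_dwp_servers(ics_text, hosts_text):
    """Return a list of problems; an empty list means the two files agree."""
    default, servers = parse_ics_conf(ics_text)
    names = parse_hosts(hosts_text)
    problems = []
    if default is None:
        problems.append("caldb.dwp.server.default is not set")
    elif default not in servers.values():
        problems.append(f"default DWP server {default} has no caldb.dwp.server.*.ip entry")
    for entry, host in servers.items():
        if entry != host:
            problems.append(f"entry name {entry} does not match its value {host}")
        if host not in names:
            problems.append(f"{host} is missing from /etc/hosts")
        elif names[host][1] != host:
            problems.append(
                f"{host} is not the canonical name on its /etc/hosts line "
                f"({names[host][1]} is)")
    return problems


if __name__ == "__main__":
    for problem in check_dwp_servers(SAMPLE_ICS_CONF, SAMPLE_HOSTS):
        print(problem)
```

On a real node, feed it the contents of /etc/opt/SUNWics5/config/ics.conf (or the copy on the shared filesystem) and /etc/hosts; it reports only the hosts-file half of the requirement, so the /etc/nsswitch.conf ordering still has to be checked by hand.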

ProcedureTo Configure Calendar Server on FE Servers

Before You Begin

Make sure directory server is configured and has an entry in the /etc/hosts file.

The following ports must be open for communication between the D1/FE servers and the D2/BE calendar servers (including cross-geo communication): 7997, 9779.

Know the Bind DN password and login (cn=directory manager) for ldap and the calmaster password.

Steps
  1. Run the calendar configuration script:


    fe-amer-N# cd /opt/SUNWics5/cal/sbin
    fe-amer-N# sh ./csconfigurator.sh -nodisplay
    
    Provide the following information during the configuration
    
    Sample:
       LDAP Server Name: ds-amer-02.us.example.com
       LDAP Port:  389
       Directory Manager Bind DN: cn=Directory Manager
       Directory Manager Bind Password: xxxxxxxx
       Base DN:  dc=example,dc=com
       Calendar Administrator Username:  calmaster
       Calendar Administrator Password:  xxxxxxxx
       Email Alarms:  Enabled
       SMTP Hostname: mail-amer.example.com
       http Port: 80 (Port 81 for Nauticus sites)
       Runtime Username:  icsuser
       Runtime Usergroup:  icsgroup
       Start after successful installation:    No
       Start on system startup:  Yes
       Database location: /var/opt/SUNWics5/csdb
       Temporary Files: /var/opt/SUNWics5/tmp
       Logs: /var/opt/SUNWics5/logs
  2. Follow the procedure To Request an SSL Certificate, and retrieve PKI certificates for the Calendar Server.

  3. Import the certificate chain:


    # certutil -A -n "ABC Trusted Root" -t "TCu,TCu,TCuw" -d . -a -i \
        ../ABC_chain.cert  -f ./PW
    # certutil -A -n "Example Corp Root CA - ABC Corporation" \
        -t  "C,," -d . -a -i ../Example_Corp.cert  -f ./PW
    # certutil -A -n "Example Corp CA (Class B) - Example Corp" \
        -t "C,," -d . -a -i ../Example Corp_cB.cert -f ./PW
    # certutil -A -n "Server-Cert" -t "u,u,u" -d . -a -i ./cal.cert -f ./PW
  4. Create the certificate directory for calendar in the /etc/opt/SUNWics5/config directory:


    # cd /etc/opt/SUNWics5/config
    # mkdir alias
    # chown icsuser:icsgroup alias
  5. Copy the certificates to the calendar directory. Example for BRM:


    # cd /etc/opt/SUNWics5/config/alias
    # cp /usr/local/cert/SunPKI/cal/cert8.db cert8.db
    # cp /usr/local/cert/SunPKI/cal/key3.db key3.db
    # cp /usr/local/cert/SunPKI/cal/secmod.db secmod.db
    # cp /usr/local/cert/SunPKI/cal/sslpassword.conf sslpassword.conf
  6. Verify the certificates directory and files have the appropriate permissions:


    # cd /etc/opt/SUNWics5/config
    # ls -ld alias
    drwxr-xr-x   2 icsuser  icsgroup     512 Mar 24 11:52 alias/
    # ls -l alias
    drwxr-xr-x   2 icsuser  icsgroup     512 Mar 24 11:52 ./
    drwxr-xr-x  16 icsuser  icsgroup    1024 Jun  3 11:05 ../
    -rw-------   1 icsuser  icsgroup   65536 May 23 10:23 cert8.db
    -rw-------   1 icsuser  icsgroup   32768 May 23 10:23 key3.db
    -rw-------   1 icsuser  icsgroup   32768 May 23 10:23 secmod.db
    -rw-r--r--   1 icsuser  icsgroup      36 Mar 24 11:53 sslpassword.conf
      
  7. Verify the following parameters are set correctly for SSL in the ics.conf file:


    encryption.rsa.nssslactivation = "on"
    encryption.rsa.nssslpersonalityssl = "Server-Cert"
    encryption.rsa.nsssltoken = "internal"
    service.http.tmpdir = "/var/opt/SUNWics5/tmp"
    service.http.uidir.path = "html"
    service.http.ssl.cachedir = "."
    service.http.ssl.cachesize = "10000"
    service.http.ssl.certdb.password = "CertPassword"
    service.http.ssl.certdb.path = "/etc/opt/SUNWics5/config/alias"
    service.http.ssl.port.enable = "yes"
    service.http.ssl.port = "443"
    service.http.ssl.securelogin = "yes"
    service.http.ssl.sourceurl = "https://cal-amer.example.com:443"
    service.http.ssl.ssl2.ciphers = ""
    service.http.ssl.ssl2.sessiontimeout = "0"
    service.http.ssl.usessl = "yes"
  8. Modify /opt/SUNWics5/cal/html/*/default.html (for ALL languages) to set up the redirect to port 443 by adding the following code to each file:


    <script>
    if (window.location.protocol != 'https:')
        window.location = 'https://' + window.location.host
    </script>
  9. Modify the ics.conf file with the following parameters. When adding parameters to the ics.conf file that don't already exist, add them in the alphabetical order of the parameter name.


    caldb.berkeleydb.circularlogging = "yes"
    caldb.dwp.server.default = "bedge5-cal1.us.example.com" (should be set 
        to the FQHN of the BE calendar server for the same geo as the FE systems.
        Example: sedge5-cal1.singapore.example.com)
    caldb.dwp.server.bedge5-cal1.us.example.com.ip = "bedge5-cal1.us.example.com"
      

    NOTE: the fully qualified name for the BE calendar server MUST be the first entry in /etc/hosts files on all systems for this to work and the /etc/nsswitch.conf MUST be set up correctly.


    service.calendarsearch.ldap = "y"
    service.dwp.enable = "no"
    service.dwp.port = "9779"
    service.ens.enable = "no"
    service.notify.enable = "no"
    alarm.msgalarmnoticercpt = "gsdm-collector@example.com"
    alarm.msgalarmnoticesender = "gsdm-collector@example.com"
    caldb.calmaster = "gsdm-collector@example.com"
    caldb.cld.type = "directory"
    csapi.plugin.calendarlookup = "y"
    local.servername = "cal-amer.example.com"
    logfile.loglevel = "Information"
    service.admin.port = "21840"
    service.ens.host = "xxx.xxx.xxx.xxx" (should be IP addr of the BE calendar 
        server for that geo)
    service.ens.port = "7997"
    service.http.calendarhostname = "cal-amer.example.com"
    service.http.listenaddr = "xxx.xxx.xxx.xxx" 
        (should be IP address of the FE for the geo, i.e. cal-amer.example.com)
    !service.listenaddr = "INADDR_ANY"
    service.store.enable = "no"
    
  10. The following parameter must be added to the ics.conf files of all servers (front and back ends) when a new backend server is brought on line.


    caldb.dwp.server.bedge5-cal1.us.example.com.ip = "bedge5-cal1.us.example.com"
  11. There will be at least four entries of this type in ics.conf files -- one each for Broomfield, Newark, Singapore and Gilmont Park. For example, once all of the Edge-3 sites are online, all ics.conf files will have the following entries:


    caldb.dwp.server.bedge5-cal1.us.example.com.ip = "bedge5-cal1.us.example.com" 
    caldb.dwp.server.sedge3-cal1.singapore.example.com.ip = "sedge3-cal1.singapore.example.com" 
    caldb.dwp.server.nedge5-cal1.sfbay.example.com.ip = "nedge5-cal1.sfbay.example.com"
    caldb.dwp.server.gedge5-cal1.uk.example.com.ip = "gedge5-cal1.uk.example.com"

    NOTE: For reference, a copy of the current ics.conf file from the Broomfield FE calendar servers is in the appendix of this cookbook.
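As an added example, not part of the cookbook: this Python script checks the calendar alias directory against the ownership and modes shown in the listing in step 6, so the check can be repeated after patching or after the certificate databases are restored. make_sample_alias_dir builds a throwaway copy of that layout for demonstration; the expected owner name is passed in by the caller, since the icsuser account exists only on the calendar hosts.

```python
"""Audit the Calendar Server certificate database directory
(/etc/opt/SUNWics5/config/alias) against the modes listed in step 6.

Added example; not code from the EdgeMail cookbook.
"""
import os
import pwd
import stat
import tempfile

# Expected permission bits, taken from the ls -l listing in step 6.
EXPECTED_MODES = {
    "cert8.db": 0o600,
    "key3.db": 0o600,
    "secmod.db": 0o600,
    "sslpassword.conf": 0o644,
}
EXPECTED_DIR_MODE = 0o755


def audit_alias_dir(path, owner=None):
    """Compare an alias directory with EXPECTED_MODES.

    Returns a list of human-readable findings; an empty list means the
    directory, every expected file and (if owner is given) the owner all
    match. Missing files are reported rather than ignored.
    """
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path} does not exist"]
    if not stat.S_ISDIR(st.st_mode):
        return [f"{path} is not a directory"]

    findings = []
    dir_mode = stat.S_IMODE(st.st_mode)
    if dir_mode != EXPECTED_DIR_MODE:
        findings.append(f"{path}: mode {oct(dir_mode)}, expected {oct(EXPECTED_DIR_MODE)}")

    expected_uid = None
    if owner is not None:
        try:
            expected_uid = pwd.getpwnam(owner).pw_uid
        except KeyError:
            findings.append(f"account {owner} does not exist on this host")

    for name, want in EXPECTED_MODES.items():
        full = os.path.join(path, name)
        try:
            fst = os.stat(full)
        except FileNotFoundError:
            findings.append(f"{full} is missing")
            continue
        mode = stat.S_IMODE(fst.st_mode)
        if mode != want:
            findings.append(f"{full}: mode {oct(mode)}, expected {oct(want)}")
        if expected_uid is not None and fst.st_uid != expected_uid:
            findings.append(f"{full}: owned by uid {fst.st_uid}, expected {owner}")
    return findings


def make_sample_alias_dir(key_mode=0o600):
    """Build a throwaway alias directory with the step 6 layout (constructed data).

    key_mode lets a caller loosen key3.db to see what a finding looks like.
    """
    path = os.path.join(tempfile.mkdtemp(), "alias")
    os.mkdir(path)
    os.chmod(path, EXPECTED_DIR_MODE)  # mkdir's mode argument is masked by umask
    for name, mode in EXPECTED_MODES.items():
        full = os.path.join(path, name)
        with open(full, "wb") as fh:
            fh.write(b"placeholder, not a real NSS database\n")
        os.chmod(full, key_mode if name == "key3.db" else mode)
    return path


if __name__ == "__main__":
    for finding in audit_alias_dir("/etc/opt/SUNWics5/config/alias", owner="icsuser"):
        print(finding)
```

Note that the listing leaves sslpassword.conf world-readable even though it holds the key database password in the clear; tightening it to 0600 (and the table above with it) removes that exposure to other local accounts.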

ProcedureTo Patch Calendar Server on BE Servers

Steps
  1. The patches are currently on fe-amer-01.example.com in /var/tmp/cal_patches and are: 118099-01-2864962307.zip, T116577-11.tar.gz, and T118477-07.tar.gz. They should be applied in the above order. This includes the latest patch for calendar. Copy patches to the management station under /export/puppet/world/Calendar/patches.

  2. Unzip/Untar the patches (example assumes the tarfiles are in /var/tmp/cal_patches)


    # mount -F nfs mgmt-amer-01:/export/puppet/world /mnt
    # mkdir /var/tmp/cal_patches
    # cd /var/tmp/cal_patches
    # cp /mnt/Calendar/patches/118099-01-2864962307.zip .
    # cp /mnt/Calendar/patches/T116577-11.tar.gz .
    # cp /mnt/Calendar/patches/T118477-07.tar.gz .
    # unzip 118099-01-2864962307.zip
    # gzcat T116577-11.tar.gz | tar xf -
    # gzcat T118477-07.tar.gz | tar xf -
  3. Shutdown the calendar service:


    # /usr/cluster/bin/scswitch -n -j cal1-svc-rs
  4. Apply the patches. The user nobody must have an /etc/group entry (/etc/group: nobody::60001:).


    # cd /var/tmp/cal_patches
    # /usr/sbin/patchadd -d 118099-01
    # /usr/sbin/patchadd -d 116577-11
    # /usr/sbin/patchadd -d 118477-07
  5. Restart the calendar resources:


    # /usr/cluster/bin/scswitch -e -j cal1-svc-rs
    # umount /mnt

ProcedureTo Patch and Verify Calendar Server on FE Servers

Steps
  1. Unzip/Untar the patches (example assumes the tarfiles are in /var/tmp/cal_patches)


    # mount -F nfs mgmt-amer-01:/export/puppet/world /mnt
    # mkdir /var/tmp/cal_patches
    # cd /var/tmp/cal_patches
    # cp /mnt/Calendar/patches/118099-01-2864962307.zip .
    # cp /mnt/Calendar/patches/T116577-11.tar.gz .
    # cp /mnt/Calendar/patches/T118477-07.tar.gz .
    # unzip 118099-01-2864962307.zip
    # gzcat T116577-11.tar.gz | tar xf -
    # gzcat T118477-07.tar.gz | tar xf -
  2. Shutdown the calendar service:


    # cd /opt/SUNWics5/cal/sbin
    # ./stop-cal
    # ps -ef | grep icsuser
  3. Apply the patches. The user nobody must have an /etc/group entry: /etc/group: nobody::60001:


    # cd /var/tmp/cal_patches
    # /usr/sbin/patchadd -d 118099-01
    # /usr/sbin/patchadd -d 116577-11
    # /usr/sbin/patchadd -d 118477-07
  4. Restart the calendar service:


    # cd /opt/SUNWics5/cal/sbin
    # ./start-cal
    # ps -ef | grep icsuser
    icsuser 12047     1  0 18:29:06 ?        0:07 /opt/SUNWics5/cal/lib/cshttpd -d 3 -D 4
    icsuser 12041     1  0 18:29:04 ?        0:01 /opt/SUNWics5/cal/lib/csadmind
    icsuser 12048 12047  0 18:29:06 ?        0:07 /opt/SUNWics5/cal/lib/cshttpd -0 -d 0 -D 1 -b 1
    # umount /mnt
  5. Check that the front end is connecting with the backends:


    # cd /var/opt/SUNWics5/logs
    # grep cdwp_login http.log
    [10/May/2005:18:29:06 -0600] fe-amer-01 cshttpd[12047]: General Notice: caldb: cdwp_login: ctx for host:10.1.82.143 and port:9779 is authenticated and the sessionid is q6l05rw9x9eee8u
    [10/May/2005:18:29:07 -0600] fe-amer-01 cshttpd[12048]: General Notice: caldb: cdwp_login: ctx for host:10.1.82.143 and port:9779 is authenticated and the sessionid is bu9hbbv6t9ebn0

    There should be at least two of these entries (for the local backend) -- more, if there are multiple BE calendar servers configured in the ics.conf file.

4.9 Installing and Configuring Instant Messaging

Instant Messaging client resources and multiplexor will be installed on two dedicated FE systems: fe-amer-11.example.com and fe-amer-12.example.com. Instant Messaging (server configuration) will be installed on a single BE system in Broomfield: phys-bedge6-2.us.example.com. A prerequisite for installation of Instant Messaging and Web Server (for IM) is that the im-amer.example.com interface must be plumbed and brought up by an entry in the /etc/rc3.d/S80loopbacks file on the FEs. Example entry:


ifconfig lo0:1 plumb
ifconfig lo0:1 inet 10.1.82.193 netmask 255.255.255.255 up

On the BE (phys-bedge6-2.us), the file /etc/hostname.ce1:10 must exist and contain im-amer-01. The ce1:10 interface must be plumbed and up. On all servers, update /etc/passwd, /etc/shadow and /etc/group with the following information:


/etc/passwd:  iimuser:x:504:504::/home/iimuser:/bin/pfsh
/etc/passwd:  webservd:x:80:80::/home/webservd:/bin/pfsh

/etc/shadow:  iimuser:NP:::::::
/etc/shadow:  webservd:*LK*:::::::

/etc/group:   iimgroup::504:
/etc/group:   webservd::80:

ProcedureTo Install Instant Messaging

Steps
  1. cd to the directory that contains the JES3 software


    # cd /var/tmp/im/java_es_05Q1_im/Solaris_sparc
  2. Start JES installer


    # ./installer -nodisplay
  3. Select the following options


    Select all languages
     Select the software components:
          Sun Java(TM) System Web Server 6.1 SP4 2005Q1 (60.58 MB)
          Sun Java(TM) System Instant Messaging 7 2005Q1 (11.40 MB)
    
     Component Selection will be: 
          1. Instant Messaging Server Core
          2. Instant Messenger Resources
          3. Access Manager Instant Messaging Service
    
     Install directories: 
          Instant Messaging:  /opt
          Web Server:         /opt/SUNWwbsvr
    
     Select: Configure Later
  4. Patch IM


    # cd /var/tmp/im
    # /usr/sbin/patchadd -d T118786-05
    # /usr/sbin/patchadd -d T118789-06/

ProcedureTo Configure Web Server for Instant Messaging on FE Servers

Steps
  1. Run the Instant Messaging configurator:


    # cd /opt/SUNWwbsvr
    # ./configure
    
    Sun Java(TM) System Web Server 6.1 2005Q1 SP4
    
    Enter the hostname for this machine [fe-amer-11.us.example.com]: im-amer.example.com
    Enter your Sun Java System Web Server server port [80]: 80
    Enter a content root [/opt/SUNWwbsvr/docs]:
    Would you like the Web Server to start on system boot (n/y): [y]
    Enter a valid system user for the Administration Server [root]:
    (NOTE: USE THE SAME ADMIN PASSWD AS IN THE OTHER WEB INSTALLATIONS FOR EDGE3)
    Administration Server User Name [admin]:
    Enter your Administration Server Password :
    Enter (again) your Administration Server Password :
    Enter your Administration Server Port [8888]:
  2. Modify the /opt/SUNWwbsvr/https-im-amer.example.com/config/server.xml file for the newly created web server:


    <PROPERTY name="docroot" value="/opt/SUNWwbsvr/docs/im"/>
    
    <LS id="ls1" port="80" servername="im-amer.example.com" 
    defaultvs="https-im-amer.example.com" ip="10.1.82.193" security="false" 
    acceptorthreads="1" blocking="false">
    
    <PROPERTY name="docroot" value="/opt/SUNWwbsvr/docs/im"/>
  3. Create the new docroot for the IM client services:


    # cd /opt/SUNWwbsvr/docs
    # ln -s /opt/SUNWiim/html/ im
  4. Start the webserver:


    # /etc/init.d/webserver01 start

ProcedureTo Configure Web Server for Instant Messaging on BE Servers

Steps
  1. Run the Instant Messaging configurator:


    # cd /opt/SUNWwbsvr
    # ./configure
     
    Sun Java(TM) System Web Server 6.1 2005Q1 SP4
     
    Enter the hostname for this machine [fe-amer-11.us.example.com]: im-amer-01.central.example.com
    Enter your Sun Java System Web Server server port [80]: 80
    Enter a content root [/opt/SUNWwbsvr/docs]:
    Would you like the Web Server to start on system boot (n/y): [y] n
    Enter a valid system user for the Administration Server [root]:
    (NOTE: USE THE SAME ADMIN PASSWD AS IN THE OTHER WEB INSTALLATIONS FOR EDGE3)
    Administration Server User Name [admin]:
    Enter your Administration Server Password :
    Enter (again) your Administration Server Password :
    Enter your Administration Server Port [8888]:
  2. Modify the /opt/SUNWwbsvr/https-im-amer.example.com/config/server.xml file for the newly created web server:


    <PROPERTY name="docroot" value="/opt/SUNWwbsvr/docs-im"/>
    
    <LS id="ls1" port="80" servername="im-amer-01.us.example.com" defaultvs="http
    s-im-amer-01.us.example.com" ip="10.1.82.137" security="false" acceptorth
    reads="1" blocking="false"/>
    
    <PROPERTY name="docroot" value="/opt/SUNWwbsvr/docs-im"/>
  3. Create the new docroot for the IM client services:


    # cd /opt/SUNWwbsvr/
    # ln -s /opt/SUNWiim/html/ docs-im
  4. Start the webserver:


    # /etc/init.d/webserver01 start

ProcedureTo Configure Instant Messaging on the FE Servers

Configure Instant Messaging services on two of the FE systems, fe-amer-11.example.com and fe-amer-12.example.com.

Steps
  1. Run the Instant Messaging configurator:


    # cd /opt/SUNWiim
    # ./configure -nodisplay
    
       Components to configure:
             Sun Java System Instant Messaging Server
             Sun Java System Instant Messenger Resources
       
       Host name:        im-amer
       DNS Domain name:  example.com
       User ID:          iimuser
       Group ID:         iimgroup
       
       Instant Messaging Server runtime files directory:  /var/opt/SUNWiim
    
       Instant Messaging Server Configuration:
              Domain Name:             example.com
              IM Server port:          9999
              Multiplexor port:        9909
              Disable Server:          yes
              Remote Server Hostname:  im-amer-01.us.example.com
              Messenger Resources Code Base URL:  http://im-amer.example.com:80
    
       Start Instant Messaging Services after successful configuration:  no
       Start Instant Messaging Services on system startup:               yes
  2. Add the SSL certificates:


    # cd /usr/local/cert/SUN_PKI.cert/im-amer
    # cp cert8.db /opt/SUNWwbsvr/alias/https-im-amer-cert8.db
    # cp key3.db /opt/SUNWwbsvr/alias/https-im-amer-key3.db
    # cp secmod.db /opt/SUNWwbsvr/alias/secmod.db
    # cp cert8.db /etc/opt/SUNWiim/default/config/https-im-amer-cert8.db
    # cp key3.db /etc/opt/SUNWiim/default/config/https-im-amer-key3.db
    # cp secmod.db /etc/opt/SUNWiim/default/config/secmod.db
    # cp PW /etc/opt/SUNWiim/default/config/PW
    # cd /opt/SUNWwbsvr/alias
    # chmod 644 *
    # cd /etc/opt/SUNWiim/default/config
    # mv PW sslpassword.conf
    # chown iimuser:iimgroup *
  3. Edit the /etc/opt/SUNWiim/default/config/sslpassword.conf file and change it to the following format:


    Internal (Software) Token:password_from_PW_file
  4. Edit the /etc/opt/SUNWiim/default/config/iim.conf file and verify the following parameters:


    iim.smtpserver = "mail-amer-xfr.example.com"
    iim.instancedir = "/opt/SUNWiim"
    iim.instancevardir = "/var/opt/SUNWiim/default"
    iim.user = "iimuser"
    iim.group = "iimgroup"
    iim_ldap.host = "empldap1.us.example.com:389"
    iim_ldap.searchbase = "dc=example,dc=com"
    iim_ldap.usergroupbinddn = ""
    iim_ldap.usergroupbindcred = ""
    iim.log.iim_server.severity = "INFO"
    iim.log.iim_mux.severity = "INFO"
    iim.log.iim_wd.severity = "INFO"
    iim_server.domainname = "example.com"
    iim_server.useport = "True"
    iim_server.port = "5269"
    iim_server.usesslport = "False"
    iim_server.enable = "false"
    iim_server.clienttimeout = "15"
    iim_server.usesso = "0"
    iim.policy.modules = "iim_ldap"
    iim.userprops.store = "file"
    iim_mux.listenport = "im-amer.example.com:9909"
    iim_mux.serverport = "im-amer-01.us.example.com:9999"
    iim_mux.enable = "true"
    iim_mux.numinstances = "4"
    iim_mux.maxthreads = "10"
    iim_mux.maxsessions = "1000"
    
    ! SSL settings
    iim_mux.usessl = "on"
    iim_mux.secconfigdir = "/etc/opt/SUNWiim/default/config"
    iim_mux.keydbprefix = "https-im-amer-"
    iim_mux.certdbprefix = "https-im-amer-"
    iim_mux.secmodfile = "secmod.db"
    iim_mux.certnickname = "Server-Cert"
    iim_mux.keystorepasswordfile = "sslpassword.conf"
    
    iim_wd.enable = "true"
    iim_wd.period = "300"
    iim_wd.maxRetries = "3"
    ! Calendar agent stuff - disable on the FEs
    iim_agent.enable = "false"
    iim_agent.agent-calendar.enable = "false"
  5. Edit the IM client resources to force the use of SSL (all language files must be edited).

  6. Edit /opt/SUNWiim/html/index.html, search for and change all instances of the following:


    im.html to imssl.html
    im.jnlp to imssl.jnlp
  7. Perform the same edits on the index.html files for all languages. The index.html file is found in the following directories:


    /opt/SUNWiim/html/de
    /opt/SUNWiim/html/es
    /opt/SUNWiim/html/fr
    /opt/SUNWiim/html/ja
    /opt/SUNWiim/html/ko
    /opt/SUNWiim/html/zh
    /opt/SUNWiim/html/zh_TW
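The script below is an added example for steps 2 through 7 of this procedure; it is not part of the Sun guide and the function names are this example's own. iim_conf_get reads a key from iim.conf in the form the listing above uses (quoted values, `!` comments, last assignment wins), iim_conf_verify compares the settings that distinguish an FE (multiplexor only, SSL on, server and calendar agent off) against the file and, with the `be` role, does the same for the BE listing in the next procedure, iim_sslpw_check confirms the sslpassword.conf format from step 3 and that the file is not group- or world-readable (the mode-600 expectation is this example's; the guide only chowns the file), and im_force_ssl applies the index.html edits of steps 6 and 7 across the language directories. Paths default to the guide's locations, and the iim.conf fragment in iim_conf_sample is constructed for offline testing.

```shell
#!/bin/sh
# Added example, not from the Sun guide: post-configuration checks for an FE
# Instant Messaging host.  Paths default to the guide's locations.

# Read one key from iim.conf.  Lines look like  key = "value"  (spacing and the
# quotes are optional) and "!" starts a comment; the last assignment wins, which
# is how the guide's commented-out "! iim_ldap.host" line behaves.
iim_conf_get() {
    awk -v k="$2" '
        /^[ \t]*!/          { next }               # comment line
        index($0, "=") == 0 { next }
        {
            name = substr($0, 1, index($0, "=") - 1)
            val  = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", name)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            sub(/^"/, "", val); sub(/"$/, "", val)
            if (name == k) { found = val; seen = 1 }  # last assignment wins
        }
        END { if (seen) print found }' "$1"
}

# Expected settings per role, taken from the guide's FE (step 4) and BE listings:
# an FE runs only the multiplexor, over SSL, with server and calendar agent off.
iim_conf_expect() {
    case "$1" in
        fe) printf '%s\n' 'iim_server.enable=false' 'iim_mux.enable=true' \
                'iim_mux.usessl=on' 'iim_mux.certnickname=Server-Cert' \
                'iim_mux.keystorepasswordfile=sslpassword.conf' 'iim_agent.enable=false' ;;
        be) printf '%s\n' 'iim_server.enable=true' 'iim_mux.enable=true' \
                'iim_wd.enable=true' 'iim.policy.modules=iim_ldap' ;;
        *)  echo "unknown role: $1" >&2; return 1 ;;
    esac
}

# iim_conf_verify CONF ROLE: reports each mismatch on stderr and prints the
# number of mismatches (0 means the file matches the guide's listing).
iim_conf_verify() {
    conf="$1"; bad=0
    list=$(iim_conf_expect "$2") || return 1
    for pair in $list; do
        key="${pair%%=*}"; want="${pair#*=}"
        have="$(iim_conf_get "$conf" "$key")"
        if [ "$have" != "$want" ]; then
            echo "MISMATCH $key: have '$have', want '$want'" >&2
            bad=$((bad + 1))
        fi
    done
    echo "$bad"
}

# sslpassword.conf (step 3) holds the key-database password in clear text.  The
# guide chowns it to iimuser; this check also insists that group and others
# cannot read it (mode 600 is this example's recommendation, not the guide's).
iim_sslpw_check() {
    f="$1"
    grep -q '^Internal (Software) Token:.\{1,\}$' "$f" || { echo "$f: bad format" >&2; return 1; }
    if [ -n "$(find "$f" \( -perm -004 -o -perm -040 \) -print)" ]; then
        echo "$f: readable by group/others; chmod 600 it" >&2; return 1
    fi
}

# Steps 6 and 7: point every language's index.html at the SSL launch files.
# Prints the number of files rewritten; originals are kept as index.html.orig.
# Re-running is harmless: "imssl.html" no longer matches the "im.html" pattern.
im_force_ssl() {
    root="${1:-/opt/SUNWiim/html}"; n=0
    for d in "$root" "$root"/de "$root"/es "$root"/fr "$root"/ja "$root"/ko "$root"/zh "$root"/zh_TW; do
        f="$d/index.html"
        [ -f "$f" ] || continue
        cp -p "$f" "$f.orig"
        sed -e 's/im\.html/imssl\.html/g' -e 's/im\.jnlp/imssl\.jnlp/g' "$f.orig" > "$f"
        n=$((n + 1))
    done
    echo "$n"
}

# Constructed FE fragment (a few keys from the step 4 listing) for offline use.
iim_conf_sample() {
    printf '%s\n' 'iim.user = "iimuser"' 'iim_server.enable = "false"' \
        '! iim_mux.enable = "false"' 'iim_mux.enable = "true"' \
        '! SSL settings' 'iim_mux.usessl = "on"' 'iim_mux.certnickname = "Server-Cert"' \
        'iim_mux.keystorepasswordfile = "sslpassword.conf"' 'iim_agent.enable="false"'
}
```

Typical use on an FE is `iim_conf_verify /etc/opt/SUNWiim/default/config/iim.conf fe`, `iim_sslpw_check /etc/opt/SUNWiim/default/config/sslpassword.conf` and then `im_force_ssl`. The same mode check is worth pointing at the key3.db copies as well: the `chmod 644 *` in step 2 leaves the web server's key database in /opt/SUNWwbsvr/alias readable by every local user, so tighten it to the account the web server runs as once the instance is known to start.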

Procedure To Configure Instant Messaging on the BE Server

Configure Instant Messaging on the BE server phys-bedge6-2.us.

Steps
  1. Run the Instant Messaging configurator:


    # cd /opt/SUNWiim
    # ./configure -nodisplay

    Components to configure:
            Sun Java System Instant Messaging Server
            Sun Java System Instant Messenger Resources
      Host name:        im-amer-01
      DNS Domain name:  central.example.com
      User ID:          iimuser
      Group ID:         iimgroup
      Instant Messaging Server runtime files directory:  /var/opt/SUNWiim
      Instant Messaging Server Configuration:
             Domain Name:             example.com
             IM Server port:          9999
             Multiplexor port:        9909
             Disable Server:          no
      LDAP Host Name:    empldap1.us.example.com
      LDAP Port Number:  389
      Base DN:           dc=example,dc=com
      Bind DN:           cn=directory manager
      Bind Password:     (enter directory manager password here)
      SMTP Server Host Name:   mail-amer-xfr.example.com
      Messenger Resources Code Base URL:   http://im-amer-01.us.example.com:80
      Start Instant Messaging Services after successful configuration:  no
      Start Instant Messaging Services on system startup:               yes
  2. Edit the /etc/opt/SUNWiim/default/config/iim.conf file and verify the following parameters:


    iim.smtpserver = "mail-amer-xfr.example.com"
    iim.instancedir = "/opt/SUNWiim"
    iim.instancevardir = "/var/opt/SUNWiim/default"
    iim.user = "iimuser"
    iim.group = "iimgroup"
    ! iim_ldap.host = "ds-amer-01.us.example.com:389"
    iim_ldap.host = "empldap1.us.example.com:389"
    iim_ldap.searchbase = "dc=example,dc=com"
    iim_ldap.usergroupbinddn = ""
    iim_ldap.usergroupbindcred = ""
    iim.log.iim_server.severity = "INFO"
    iim.log.iim_mux.severity = "INFO"
    iim.log.iim_wd.severity = "INFO"
    iim.log.agent-calendar.severity = "INFO"
    iim_server.domainname = "example.com"
    iim_server.useport = "True"
    iim_server.port = "5269"
    iim_server.usesslport = "False"
    iim_server.enable = "true"
    iim_server.clienttimeout = "15"
    iim_server.usesso = "0"
    iim.policy.modules = "iim_ldap"
    iim.userprops.store = "file"
    iim_mux.listenport = "im-amer-01.us.example.com:9909"
    iim_mux.serverport = "im-amer-01.us.example.com:9999"
    iim_mux.enable = "true"
    iim_mux.numinstances = "4"
    iim_mux.maxthreads = "10"
    iim_mux.maxsessions = "1000"
    iim_wd.enable = "true"
    iim_wd.period = "300"
    iim_wd.maxRetries = "3"
  3. If you are deploying EdgeMail complexes in multiple locations, each must have a local calendar agent to communicate with the other complexes. For each remote complex, such as the one serving Asia located in Japan for this example, perform the following steps:

    1. Create a directory for the calendar agent:


      # cd /var/opt/SUNWiim
      # mkdir cal-agent2-jp
    2. Create the individual configuration files for the calendar agent:


      # cd /etc/opt/SUNWiim/default/config
      # cp iim.conf cal2.conf
    3. Edit cal2.conf and change the following parameters:


      iim_server.enable = "false"
      iim_wd.enable = "false"
      iim_mux.enable = "false"
    4. Now modify the calendar agent information in the cal2.conf file:


      iim.instancevardir = "/var/opt/SUNWiim/cal-agent2-jp"
      !
      ! Calendar-IM integration Configuration
      ! iim_agent.enable="true"
      ! iim_agent.agent-calendar.enable="true"
      ! iim_server.components=agent-calendar
      agent-calendar.jid=calimbot.aedge3-cal1.jp.example.com
      agent-calendar.password=password
      agent-calendar.category=component
      
      ! JMS Consumers
      jms.consumers=cal_reminder
      jms.consumer.cal_reminder.destination=enp:///ics/customalarm
      jms.consumer.cal_reminder.provider=ens
      jms.consumer.cal_reminder.type=topic
      jms.consumer.cal_reminder.param="eventtype=calendar.alarm"
      jms.consumer.cal_reminder.factory=com.iplanet.im.server.JMSCalendarMessageListener
      
      ! JMS providers
      jms.providers=ens
      jms.provider.ens.broker=aedge3-cal1.jp.example.com:7997
      jms.provider.ens.factory=com.iplanet.ens.jms.EnsTopicConnFactory
    5. Edit the iim.conf file to modify the Calendar Agent information:


      ! Calendar-IM integration Configuration
      iim_agent.enable="true"
      iim_agent.agent-calendar.enable="true"
      iim_server.components=agent-calendar,agent-calendar2[,...]
      
      agent-calendar.jid=calimbot.bedge5-cal1.us.example.com
      agent-calendar.password=netscape
      agent-calendar.category=component
      
      agent-calendar2.jid=calimbot.aedge3-cal1.jp.example.com
      agent-calendar2.password=netscape
      agent-calendar2.category=component
      
      [...]
      
      ! JMS Consumers
      jms.consumers=cal_reminder
      jms.consumer.cal_reminder.destination=enp:///ics/customalarm
      jms.consumer.cal_reminder.provider=ens
      jms.consumer.cal_reminder.type=topic
      jms.consumer.cal_reminder.param="eventtype=calendar.alarm"
      jms.consumer.cal_reminder.factory=com.iplanet.im.server.JMSCalendarMessageListener
      
      ! JMS providers
      jms.providers=ens
      jms.provider.ens.broker=bedge5-cal1.us.example.com:7997
      jms.provider.ens.factory=com.iplanet.ens.jms.EnsTopicConnFactory
    6. Edit the /etc/init.d/sunwiim file to add the additional Calendar Agent information:


      #!/bin/sh
      #
      # Copyright (c) 1991-2001, by Sun Microsystems, Inc.
      #
      #ident  "@(#)sunwiim     1.7     96/10/02 SMI"
      
      case "$1" in
      'start')
              /opt/SUNWiim/sbin/imadmin start
      
              # Start the JP calendar agent
              /opt/SUNWiim/sbin/imadmin -c /opt/SUNWiim/config/cal2.conf start agent-calendar
              # Start other calendar agents here if necessary
              ;;
      'stop')
              /opt/SUNWiim/sbin/imadmin stop
              # Stop the JP calendar agent
              /opt/SUNWiim/sbin/imadmin -c /opt/SUNWiim/config/cal2.conf stop agent-calendar
              # Stop other calendar agents here if necessary
              ;;
      *)
              echo "Usage: /etc/init.d/sunwiim { start | stop }"
              ;;
      esac
      exit
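The script below is an added example (shell; not the guide's own tooling) that carries out steps 3.2 through 3.4 as a repeatable operation: iim_make_agent_conf copies iim.conf to a new agent configuration, switches the server, watchdog and multiplexor off, sets the agent's runtime directory, and appends the calendar-agent and JMS stanza with the JID and ENS broker supplied as arguments. Two details are this example's and not the guide's: the agent password is read from a file (a hypothetical PASSWORD_FILE argument) rather than typed into the listing, and the resulting file is made mode 600 because it now carries that password. The iim.conf fragment, the password and the hostnames used in the test are constructed from the guide's Japan example. Creating the runtime directory (step 3.1), registering the agent in iim.conf (step 3.5) and the init script entry (step 3.6) are still done by hand.

```shell
#!/bin/sh
# Added example, not from the Sun guide: derive a calendar-agent configuration
# (the guide's cal2.conf) from an existing iim.conf.

# iim_conf_set FILE KEY VALUE: replace an existing "KEY = ..." assignment (any
# spacing) with the guide's quoted form, or append one if the key is absent.
iim_conf_set() {
    f="$1"; k="$2"; v="$3"
    ke=$(printf '%s' "$k" | sed 's/\./\\./g')     # dots in the key are literal
    if grep -q "^[[:space:]]*$ke[[:space:]]*=" "$f"; then
        sed "s|^[[:space:]]*$ke[[:space:]]*=.*|$k = \"$v\"|" "$f" > "$f.tmp" && mv "$f.tmp" "$f"
    else
        printf '%s = "%s"\n' "$k" "$v" >> "$f"
    fi
}

# iim_make_agent_conf SRC DST VARDIR AGENT_JID BROKER_HOST:PORT PASSWORD_FILE
# PASSWORD_FILE holds the agent's component password on its first line; reading
# it from a file keeps the secret out of process listings and shell history.
iim_make_agent_conf() {
    src="$1"; dst="$2"; vardir="$3"; jid="$4"; broker="$5"; pwfile="$6"
    read -r agentpw < "$pwfile" || return 1
    cp "$src" "$dst"
    # Step 3.3: this instance is only an agent, so the other daemons stay off
    for k in iim_server.enable iim_wd.enable iim_mux.enable; do
        iim_conf_set "$dst" "$k" false
    done
    # Step 3.4: own runtime directory plus the agent and JMS stanza
    iim_conf_set "$dst" iim.instancevardir "$vardir"
    cat >> "$dst" <<EOF
!
! Calendar-IM integration Configuration (appended by iim_make_agent_conf)
agent-calendar.jid=$jid
agent-calendar.password=$agentpw
agent-calendar.category=component

! JMS Consumers
jms.consumers=cal_reminder
jms.consumer.cal_reminder.destination=enp:///ics/customalarm
jms.consumer.cal_reminder.provider=ens
jms.consumer.cal_reminder.type=topic
jms.consumer.cal_reminder.param="eventtype=calendar.alarm"
jms.consumer.cal_reminder.factory=com.iplanet.im.server.JMSCalendarMessageListener

! JMS providers
jms.providers=ens
jms.provider.ens.broker=$broker
jms.provider.ens.factory=com.iplanet.ens.jms.EnsTopicConnFactory
EOF
    chmod 600 "$dst"    # the file now carries a password (this example's choice)
}

# iim_conf_count FILE KEY VALUE: number of lines setting KEY to VALUE in the
# quoted form, for verifying the result.
iim_conf_count() {
    ke=$(printf '%s' "$2" | sed 's/\./\\./g')
    grep -c "^$ke = \"$3\"$" "$1" || true
}

# Constructed BE fragment (a few keys from the BE step 2 listing) for offline use.
iim_conf_sample_be() {
    printf '%s\n' 'iim.instancevardir = "/var/opt/SUNWiim/default"' \
        'iim_server.enable = "true"' 'iim_mux.enable = "true"' 'iim_wd.enable = "true"' \
        'iim_mux.listenport = "im-amer-01.us.example.com:9909"'
}
```

Run it once per remote complex with a distinct destination file and runtime directory, for example `iim_make_agent_conf /etc/opt/SUNWiim/default/config/iim.conf /etc/opt/SUNWiim/default/config/cal2.conf /var/opt/SUNWiim/cal-agent2-jp calimbot.aedge3-cal1.jp.example.com aedge3-cal1.jp.example.com:7997 /path/to/password-file`, then make the iim.conf and init script edits of steps 3.5 and 3.6 by hand.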

4.10 Installing and Configuring Communications Express

Procedure To Install and Configure Communications Express

Before You Begin

Ensure the following conditions are met:

Steps
  1. Install Comms Express via the JES installer.


    Language Support:  select all languages
    Component Selection:  Sun Java(TM) System Communications Express
    Installation Directories:
      Identity Server = /opt
      Communications Express = /opt/SUNWuwc
    Type of Configuration: Configure Later

    The installer automatically adds Sun Java System Access Manager to the install list, but only its SDK subcomponent. Accept the addition of the SDK.

  2. Run the Communications Express configurator. The following is sample configuration data from the installation on fe-amer-01.example.com:


    fe-amer-01.example.com# cd /opt/SUNWuwc/sbin
    fe-amer-01.example.com# ./config-uwc -nodisplay
    
    Select the components to be configured:
     [X]  1  Mail Component    0 bytes
     [X]  2  Calendar Component    0 bytes
    
    Verify Host and DNS:
    Host Name [fe-amer-01]: access-amer
    DNS Domain Name [example.com]
    
    Web Server Configuration:
    Enter Web Server Root Directory [/opt/SUNWwbsvr]
    Enter Virtual Server Identifier [https-access-amer.example.com]
    Enter Web Server HTTP Port [80]
    
    Web Container User and Group:
    Enter the Web Container User ID [webservd]
    Enter the Web Container Group ID [webservd]
    
    URI Path:
    Enter URI Path for Communications Express [/uwc]
    
    Hosted Domain Support:
    Do you want Hosted Domain support for Communications Express  [no]
    
    User/Group LDAP Server details:
    Ldap URL [ldap://mail-amer.example.com:389]: ldap://ds-amer-01.us.example.com:389
    
    Bind DN [cn=Directory Manager]
    Bind Password: (enter the appropriate password)
    Enter DC Tree Suffix [dc=example,dc=com]
    
    Enter the Default Domain Name [example.com]
    
    Identity Server Preferences:
    Enter Identity Server Login URL [http://mail-amer.example.com:80/amserver/UI/Login]: http://id-amer-01.us.example.com:80/amserver/UI/Login
    Enter Identity Server Administrator DN []: amadmin
    Enter Identity Server Administrator Password []: (enter the appropriate password)
    
    Enter the Messenger Express Port [80]: 82
    
    Enter the Calendar Server Host Name [access-amer.example.com]: cal-amer.example.com
    Enter the Calendar Server Port Number [9004]: 81
    Enter the Calendar Server Administrator User ID [calmaster]
    Enter the Calendar Server Administrator Password []: (enter the appropriate password)
    
    Personal Address Book (PAB) LDAP Server info:
    
    LDAP URL [ldap://ds-amer-01.us.example.com:389]
    Bind DN [cn=Directory Manager]
    Bind Password: (enter the appropriate password)
  3. Enable Identity SSO in Messenger Express:


    phys-bedgeN-1# cd /opt/SUNWmsgsr/sbin
    phys-bedgeN-1# ./configutil -o local.webmail.sso.amnamingurl -v http://id-amer-01.us.example.com/amserver/namingservice
    phys-bedgeN-1# ./configutil -o local.webmail.sso.uwcenabled -v 1
    phys-bedgeN-1# ./configutil -o local.webmail.sso.uwclogouturl -v http://mail-amer.example.com/uwc/base/UWCmain?op=logout
    phys-bedgeN-1# ./configutil -o local.webmail.sso.uwcport -v 80
    phys-bedgeN-1# ./configutil -o local.webmail.sso.uwccontexturi -v uwc
    phys-bedgeN-1# ./configutil -o local.webmail.sso.amcookiename -v iPlanetDirectoryPro
    phys-bedgeN-1# ./stop-msg http
    phys-bedgeN-1# ./start-msg http