Deployment Example: Sun Java System Communications Services for Access Anywhere (EdgeMail)

Procedure: To Configure Calendar Server on FE Servers

Before You Begin

Make sure the directory server is configured and has an entry in the /etc/hosts file.

The following ports must be open for communication between the D1/FE servers and the D2/BE calendar servers (including cross-geo communication): 7997, 9779.

Know the LDAP Bind DN login (cn=directory manager) and its password, and the calmaster password.

Steps
  1. Run the calendar configuration script:


    fe-amer-N# cd /opt/SUNWics5/cal/sbin
    fe-amer-N# sh ./csconfigurator.sh -nodisplay
    
    Provide the following information during the configuration.
    
    Sample:
       LDAP Server Name: ds-amer-02.us.example.com
       LDAP Port:  389
       Directory Manager Bind DN: cn=Directory Manager
       Directory Manager Bind Password: xxxxxxxx
       Base DN:  dc=example,dc=com
       Calendar Administrator Username:  calmaster
       Calendar Administrator Password:  xxxxxxxx
       Email Alarms:  Enabled
       SMTP Hostname: mail-amer.example.com
       http Port: 80 (Port 81 for Nauticus sites)
       Runtime Username:  icsuser
       Runtime Usergroup:  icsgroup
       Start after successful installation:    No
       Start on system startup:  Yes
       Database location: /var/opt/SUNWics5/csdb
       Temporary Files: /var/opt/SUNWics5/tmp
       Logs: /var/opt/SUNWics5/logs
  2. Follow the procedure To Request an SSL Certificate, and retrieve PKI certificates for the Calendar Server.

  3. Import the certificate chain:


    # certutil -A -n "ABC Trusted Root" -t "TCu,TCu,TCuw" -d . -a -i \
        ../ABC_chain.cert -f ./PW
    # certutil -A -n "Example Corp Root CA - ABC Corporation" \
        -t "C,," -d . -a -i ../Example_Corp.cert -f ./PW
    # certutil -A -n "Example Corp CA (Class B) - Example Corp" \
        -t "C,," -d . -a -i "../Example Corp_cB.cert" -f ./PW
    # certutil -A -n "Server-Cert" -t "u,u,u" -d . -a -i ./cal.cert -f ./PW
  4. Create the certificate directory for calendar in the /etc/opt/SUNWics5/config directory:


    # cd /etc/opt/SUNWics5/config
    # mkdir alias
    # chown icsuser:icsgroup alias
  5. Copy the certificates to the calendar directory. Example for BRM:


    # cd /etc/opt/SUNWics5/config/alias
    # cp /usr/local/cert/SunPKI/cal/cert8.db cert8.db
    # cp /usr/local/cert/SunPKI/cal/key3.db key3.db
    # cp /usr/local/cert/SunPKI/cal/secmod.db secmod.db
    # cp /usr/local/cert/SunPKI/cal/sslpassword.conf sslpassword.conf
  6. Verify that the certificate directory and its files have the appropriate permissions:


    # cd /etc/opt/SUNWics5/config
    # ls -ld alias
    drwxr-xr-x   2 icsuser  icsgroup     512 Mar 24 11:52 alias/
    # ls -l alias
    drwxr-xr-x   2 icsuser  icsgroup     512 Mar 24 11:52 ./
    drwxr-xr-x  16 icsuser  icsgroup    1024 Jun  3 11:05 ../
    -rw-------   1 icsuser  icsgroup   65536 May 23 10:23 cert8.db
    -rw-------   1 icsuser  icsgroup   32768 May 23 10:23 key3.db
    -rw-------   1 icsuser  icsgroup   32768 May 23 10:23 secmod.db
    -rw-r--r--   1 icsuser  icsgroup      36 Mar 24 11:53 sslpassword.conf
  7. Verify the following parameters are set correctly for SSL in the ics.conf file:


    encryption.rsa.nssslactivation = "on"
    encryption.rsa.nssslpersonalityssl = "Server-Cert"
    encryption.rsa.nsssltoken = "internal"
    service.http.tmpdir = "/var/opt/SUNWics5/tmp"
    service.http.uidir.path = "html"
    service.http.ssl.cachedir = "."
    service.http.ssl.cachesize = "10000"
    service.http.ssl.certdb.password = "CertPassword"
    service.http.ssl.certdb.path = "/etc/opt/SUNWics5/config/alias"
    service.http.ssl.port.enable = "yes"
    service.http.ssl.port = "443"
    service.http.ssl.securelogin = "yes"
    service.http.ssl.sourceurl = "https://cal-amer.example.com:443"
    service.http.ssl.ssl2.ciphers = ""
    service.http.ssl.ssl2.sessiontimeout = "0"
    service.http.ssl.usessl = "yes"
  8. Modify /opt/SUNWics5/cal/html/*/default.html (for ALL languages) to set up the redirect to port 443 by adding the following code to each file:


    <script>
    if (window.location.protocol != 'https:')
        window.location = 'https://' + window.location.host
    </script>
  9. Modify the ics.conf file with the following parameters. When adding parameters to the ics.conf file that do not already exist, add them in alphabetical order of the parameter name.


    caldb.berkeleydb.circularlogging = "yes"
    caldb.dwp.server.default = "bedge5-cal1.us.example.com"
    caldb.dwp.server.bedge5-cal1.us.example.com.ip = "bedge5-cal1.us.example.com"

    Set caldb.dwp.server.default to the FQHN of the BE calendar server for the same geo as the FE systems (for example, sedge5-cal1.singapore.example.com).

    NOTE: The fully qualified name of the BE calendar server MUST be the first entry in the /etc/hosts files on all systems for this to work, and /etc/nsswitch.conf MUST be set up correctly.


    service.calendarsearch.ldap = "y"
    service.dwp.enable = "no"
    service.dwp.port = "9779"
    service.ens.enable = "no"
    service.notify.enable = "no"
    alarm.msgalarmnoticercpt = "gsdm-collector@example.com"
    alarm.msgalarmnoticesender = "gsdm-collector@example.com"
    caldb.calmaster = "gsdm-collector@example.com"
    caldb.cld.type = "directory"
    csapi.plugin.calendarlookup = "y"
    local.servername = "cal-amer.example.com"
    logfile.loglevel = "Information"
    service.admin.port = "21840"
    service.ens.host = "xxx.xxx.xxx.xxx"
    service.ens.port = "7997"
    service.http.calendarhostname = "cal-amer.example.com"
    service.http.listenaddr = "xxx.xxx.xxx.xxx"
    !service.listenaddr = "INADDR_ANY"
    service.store.enable = "no"

    Set service.ens.host to the IP address of the BE calendar server for that geo, and service.http.listenaddr to the IP address of the FE for the geo (that is, cal-amer.example.com).
  10. The following parameter must be added to the ics.conf files of all servers (front and back ends) when a new backend server is brought online.


    caldb.dwp.server.bedge5-cal1.us.example.com.ip = "bedge5-cal1.us.example.com"
  11. There will be at least four entries of this type in ics.conf files -- one each for Broomfield, Newark, Singapore and Gilmont Park. For example, once all of the Edge-3 sites are online, all ics.conf files will have the following entries:


    caldb.dwp.server.bedge5-cal1.us.example.com.ip = "bedge5-cal1.us.example.com"
    caldb.dwp.server.sedge3-cal1.singapore.example.com.ip = "sedge3-cal1.singapore.example.com"
    caldb.dwp.server.nedge5-cal1.sfbay.example.com.ip = "nedge5-cal1.sfbay.example.com"
    caldb.dwp.server.gedge5-cal1.uk.example.com.ip = "gedge5-cal1.uk.example.com"

    NOTE: For reference, a copy of the current ics.conf file from the Broomfield FE calendar servers is in the appendix of this cookbook.
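The following shell script is an added example, not part of the cookbook or the product: it checks an FE server's ics.conf, certificate alias directory and hosts file against the settings that steps 6, 7 and 9 require, so a drift from the documented SSL configuration is caught before the server is put into service. Paths are passed as arguments; the file contents in write_samples are constructed for an offline run.

```shell
# Added example, not part of the cookbook: verify an FE server's ics.conf, its
# certificate alias directory and /etc/hosts against steps 6, 7 and 9 above.
# Paths are arguments; the sample values in write_samples are constructed.
# Print the value of one ics.conf parameter (uncommented lines only; empty if unset).
ics_get() {  # $1 = ics.conf path, $2 = parameter name
    sed -n "s/^$2[[:space:]]*=[[:space:]]*\"\(.*\)\".*/\1/p" "$1" | head -n 1
}

# Return 0 when each SSL parameter from step 7 holds the value the cookbook shows.
check_ssl_params() {  # $1 = ics.conf path
    rc=0
    for pair in encryption.rsa.nssslactivation=on \
                encryption.rsa.nssslpersonalityssl=Server-Cert \
                service.http.ssl.port.enable=yes service.http.ssl.port=443 \
                service.http.ssl.securelogin=yes service.http.ssl.usessl=yes; do
        name=${pair%%=*}; want=${pair#*=}; got=$(ics_get "$1" "$name")
        [ "$got" = "$want" ] || { echo "MISMATCH $name: got '$got', want '$want'"; rc=1; }
    done
    return $rc
}

# Return 0 when the NSS databases are mode 0600, as the listing in step 6 shows.
check_db_perms() {  # $1 = alias directory
    rc=0
    for f in cert8.db key3.db secmod.db; do
        mode=$(ls -l "$1/$f" 2>/dev/null | cut -c1-10)
        [ "$mode" = "-rw-------" ] || { echo "BAD MODE $1/$f: '$mode'"; rc=1; }
    done
    return $rc
}

# Return 0 when the BE server named in caldb.dwp.server.default is the first
# (canonical) name on its hosts-file line, as the note in step 9 requires.
check_be_hosts_entry() {  # $1 = ics.conf path, $2 = hosts file path
    be=$(ics_get "$1" caldb.dwp.server.default)
    [ -n "$be" ] || { echo "caldb.dwp.server.default not set"; return 1; }
    awk -v be="$be" '$1 !~ /^#/ && $2 == be { found = 1 } END { exit (found ? 0 : 1) }' "$2"
}

# Write a constructed ics.conf and hosts file into directory $1 for an offline run.
write_samples() {
    printf '%s\n' 'encryption.rsa.nssslactivation = "on"' \
        'encryption.rsa.nssslpersonalityssl = "Server-Cert"' \
        'service.http.ssl.port.enable = "yes"' 'service.http.ssl.port = "443"' \
        'service.http.ssl.securelogin = "yes"' 'service.http.ssl.usessl = "yes"' \
        '!service.listenaddr = "INADDR_ANY"' \
        'caldb.dwp.server.default = "bedge5-cal1.us.example.com"' > "$1/ics.conf"
    printf '%s\n' '127.0.0.1 localhost' '192.0.2.10 bedge5-cal1.us.example.com bedge5-cal1' > "$1/hosts"
}
```

On a live FE server, call check_ssl_params /etc/opt/SUNWics5/config/ics.conf, check_db_perms /etc/opt/SUNWics5/config/alias and check_be_hosts_entry with /etc/hosts; each prints the offending parameter or file and returns non-zero on a mismatch.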