Chapter 3   Using iPlanet Console


This chapter shows you how to log in to, customize, and use iPlanet Console. It contains the following sections:

• Starting iPlanet Console and Logging In

• A Tour of iPlanet Console

• Customizing iPlanet Console

• Administration Express

Starting iPlanet Console and Logging In

---

iPlanet Console is a stand-alone Java application that works in conjunction with an instance of Directory Server and an instance of Administration Server on your network. Typically, you log in to iPlanet Console using your own user name and password. If the instance of Administration Server that you're logging in to requires client authentication, you will be prompted to present a client certificate. This certificate is used to create a secure channel of communication between iPlanet Console and the instance of Administration Server.

Starting iPlanet Console

The following procedures tell you how to start iPlanet Console.

To Start iPlanet Console on UNIX Systems

In the server root, enter startconsole [arguments] where arguments are any of the optional command-line arguments listed in Table 3-1.

To Start iPlanet Console on Windows NT Systems

Click Start, and then choose Programs > iPlanet Server Program Group > iPlanet Console 5.0.

Alternatively, you can start iPlanet Console in two additional ways:

• Double-click the "startconsole" icon in your server root.

• Enter startconsole [arguments] on the command line. For arguments, you can specify any of the arguments listed in Table 3-1.

  
  

  Table 3-1    Arguments for startconsole  
  
  

  Argument	What it Does
  -a adminURL	Specifies a base URL for the instance of Administration Server that you want to log in to. For example, to log in to http://eastcoast.siroe.com:987, you would enter the following: startconsole -a http://eastcoast.siroe.com:987
  -f fileName	Captures errors and system messages to fileName. For example, to capture all errors and messages to a file called system.out, you would enter the following: startconsole -f system.out
  -h	Prints out the help message for startconsole.
  -l languageCode	Specifies which language this version of iPlanet Console should use. Possible values for languageCode are en, fr, and ja. For example, to start iPlanet Console in French, you would enter the following: startconsole -l fr
  -u userID	Specifies the user ID to log in to iPlanet Console with. For example, to start iPlanet Console and log in with the user ID bjensen, you would enter the following: startconsole -u bjensen
  -w password	Specifies the password for the user entered with the -u argument. For example, to start iPlanet Console and log in with the user ID bjensen and password super15243, you would enter the following: startconsole -u bjensen -w super15243
  -x extraOptions	Specifies that you want to use extra options. Possible values for extraOptions are nowinpos and nologo. If you specify the nologo option, the iPlanet Console splash screen will not be displayed. If you specify the nowinpos option, the iPlanet Console window will be placed in the upper left corner of the screen. To specify both options, separate them with a comma. For example, to start iPlanet Console in the upper left corner of the screen and without a splash screen, you would enter the following: startconsole -x nologo, nowinpos

Logging In to iPlanet Console With a User Name and Password

The following procedure tells you how to log in to iPlanet Console with just a user name and password. If you are logging in to an instance of Administration Server that requires you to present a client certificate, see "Logging In to iPlanet Console Using Client Authentication."

To Log in to iPlanet Console With a User Name and Password

1. Start iPlanet Console.

   For more information, see "To Start iPlanet Console on UNIX Systems" and "To Start iPlanet Console on Windows NT Systems."

2. In the iPlanet Console Login dialog box, enter your user name, password, and the URL for the instance of Administration Server you want to access.

   When specifying an Administration Server URL, you can use a hostname (such as eastcoast.siroe.com:8943) or IP address (such as 199.99.9.1:8943) You do not need to include http:// or use a fully qualified domain name, but you must include the Administration Server port number.

   
   
   

3. Click OK.

   The user name and password you use to log in determine which servers and server operations you can access through iPlanet Console. See "Overview of Access Control" for more information.

   
   

   ---

   Tip	iPlanet Console remembers the last five Administration URLs that you entered. To use one of these URLs, select it from the drop-down list in the Administration URL field.

   ---

   
   

Logging In to iPlanet Console Using Client Authentication

When logging in to an instance of Administration Server that has been configured to require client authentication, you enter your user name and password, and then present a client certificate. This certificate is used by the instance of Administration Server to establish an SSL-enabled connection with iPlanet Console. For more information on this process, known as the Secure Sockets Layer (SSL) handshake, see Appendix C, "Introduction to SSL."

The client certificates that iPlanet Console presents to an instance of Administration Server are stored in Netscape Communicator certificate database format. New and existing certificates are not recognized by Administration Server unless they are stored in the Netscape Navigator 4.7X certificate database format. For initial setup of client authentication, store certificates in the Netscape Navigator browser. After initial setup certificates can be stored in other browser certificate databases. For more information about Netscape Navigator certificate database format and certificate storage see "To Set Up Client Authentication for Users" in Chapter 10, "Using SSL and TLS with iPlanet Servers Depending on which types of certificates the instance of Administration Server is configured to accept, you may be able to use an existing certificate, or you may need to request a new one. You must use Communicator to request and install client certificates.

This section tells you how to do the following:

• Request and install a new client certificate

• Make your client certificate available to iPlanet Console

• Establish a secure connection with an instance of Administration Server

For more information on configuring an instance of Administration Server to require client authentication, see Chapter 10, "Using SSL and TLS with iPlanet Servers."

To Request and Install a New Client Certificate

1. Go to the web site for a certificate authority (CA) that is trusted by the instance of Administration Server that you want to establish a secure connection with.

2. Follow the CA's instructions to request and install a client certificate.

   
   

   ---

   Note	If you already have a client certificate that is acceptable to the instance of Administration Server that you want to log in to, you do not need to request and install a new certificate.

   ---

   
   

To Make Your Client Certificate Available to iPlanet Console on UNIX Systems

1. From the system prompt, go to the .netscape subdirectory of your home directory. For example, /u/bjensen/.netscape.

2. Copy the key3.db, cert7.db, and secmodule.db files to the .mcc subdirectory of your home directory.

   These files are the certificate database files that iPlanet Console uses during client authentication. These files are only used by iPlanet Console. Administration Server creates and uses its own certificate database files.

To Make Your Client Certificate Available to iPlanet Console on Windows NT

1. Open the folder containing Netscape Communicator. For example, C:\Program Files\Netscape.

2. Open the Users folder and then open your specific user folder. For example, BJensen (C:\Program Files\Netscape\Users\BJensen).

3. Copy the key3.db, cert7.db, and secmod.db files from your user folder to the C:\WINNT\Profiles\your_user_ID\.mcc folder, where your_user_ID is the ID that you use to log in to Windows NT.

   These files are the certificate database files that iPlanet Console uses during client authentication. These files are only used by iPlanet Console. Administration Server creates and uses its own certificate database files.

To Establish a Secure Connection With an Instance of Administration Server

1. Start iPlanet Console.

   For more information, see "To Start iPlanet Console on UNIX Systems" and "To Start iPlanet Console on Windows NT Systems."

2. In the iPlanet Console Login dialog box, enter your user name, password, and the URL for the secure instance of Administration Server you want to access.

   When specifying an Administration Server URL, you can use a hostname (such as eastcoast.siroe.com:8943) or IP address (such as 199.99.9.1:4434). Make sure to include https:// and the Administration Server port number in the URL.

   
   
   

3. Click OK.

   The user name and password you use to log in determine which servers and server operations you can access through iPlanet Console. See "Overview of Access Control" for more information.

4. In the Password Entry dialog box, enter the password for the iPlanet Console certificate database (this is the same as the password for your Netscape Communicator certificate database), and then click OK.

5. In the "Select a Certificate" dialog box, select your client certificate from the drop-down list, and then click OK.

   iPlanet Console presents this certificate to the instance of Administration Server. If the instance of Administration Server is configured to accept certificates from your CA, your user name and password will be authenticated, and you will see the iPlanet Console interface. Otherwise, you will be prompted to select a different certificate.

A Tour of iPlanet Console

---

After you log in to an Administration Server, you see the iPlanet Console interface. This section introduces the graphical elements of this interface and explains the basic concepts you need to understand before managing iPlanet and Netscape servers with iPlanet Console.

iPlanet Console Menus

The main iPlanet Console window (shown in Figure 3-1) has five menus: Console, Edit, View, Object, and Help. Table 3-2 summarizes what these menus are used for.

Table 3-2    iPlanet Console's Menus and What You Can Do With Them

Menu	What It Lets You Do
Console	Add and remove items from the navigation tree.
Edit	Set general iPlanet Console preferences.
View	Change the appearance of the main iPlanet Console window.
Object	Perform tasks related to resources such as administration domains, server groups, and servers.
Help	Obtain online assistance while using iPlanet Console.

Other iPlanet products may have additional menus or use these menus differently. For more information, see the documentation for each product.

Figure 3-1    The Servers and Applications Tab of the Main iPlanet Console Window

iPlanet Console Tabs

The main iPlanet Console window (shown in Figure 3-1) has two tabs: "Servers and Applications" and "Users and Groups." The "Servers and Applications" tab contains a navigation tree and an information panel. The "Users and Groups" tab has an interface that you can use to manage entries in the user directory. The "Users and Groups" tab is discussed in Chapter 5, "User and Group Administration."

The Servers and Applications Tab

The "Servers and Applications" tab consists of a navigation tree and an information panel. The navigation tree represents an iPlanet topology. A topology is a hierarchical representation of all the resources, or objects (such as servers, applications, and hosts), that are registered in a configuration directory. You use the navigation tree to navigate to the resource you want to work with.

One type of resource in a topology is an administration domain. An administration domain is a collection of host systems and servers that share a user directory.

A number of server groups can exist within an administration domain. A server group consists of one or more servers that are managed by a common instance of Administration Server and that share a server root folder. The individual servers in a server group are instances of server software that provide specific services such as directory database services, messaging, and publishing.

Figure 3-1 shows a sample navigation tree. In this example, the siroe.com administration domain includes three hosts. The eastcoast and midwest hosts have Messaging Server groups while the westcoast host contains a web server group. If the administration domain grows, an administrator can install additional server groups on these hosts. To expand a section of the navigation tree, click the plus (+) signs. To collapse a section of the tree, click the minus (-) sign.

On the right-hand side of the "Servers and Applications" tab is the information panel. When you select an administration domain, host, server group, or server instance in the navigation tree, this panel displays detailed information about it. Depending on the selected resource, you can edit all or some of these details.

For information on modifying administration domain settings, see "To Modify an Administration Domain." For information on modifying host, server group, and instance information, see "Modifying Host, Server Group, and Instance Information."

The Administration Domain

An administration domain is a group of iPlanet server products that share a user directory for data management and authentication. A company might want to create separate administration domains for each of its business sites. Each of these domains could include the host computers used only by that business site.

Before you can create a new administration domain, you must be a member of the Configuration Administrators group. If you are not a member of this group, you must ask your Configuration Administrator to add you to it. For instructions on adding a user to the Configuration Administrators group, see "To Add Users to the Configuration Administrators Group."

To Create an Administration Domain

1. Open iPlanet Console.

2. From the Console menu, choose Create Administration Domain.

3. In the Create Administration Domain dialog box, enter domain information:

   Domain Name. Enter a name that helps you identify this domain. This can be a fully qualified domain name such as siroe.com or a descriptive title such as East Coast Sales.

   User Directory Host. Specify the host machine on which the user directory for this domain is located. Use the fully qualified domain name. For example, east.siroe.com.

   User Directory Port. Enter the port number for the user directory you specified above.

   Secure Connection. Check this box if you want to connect to the user directory using SSL. If you select this option, make sure that the user directory port you've entered is already enabled for SSL communication.

   Directory Subtree. Enter the base DN of the user subtree in the directory. Example: o=siroe.com

   Bind DN. Enter the distinguished name for a user who has full access permission to the user directory. Example: uid=jdoe, ou=people, o=siroe.com.

   Bind Password. Enter the password for the user specified by the Bind DN.

   Owner DN. Enter the distinguished name for the user who has administrative control over this domain. By default, your DN is entered.

4. Click OK.

   If you've made a change to the User Directory option or the Secure Connection option, you must restart the server for the change to take effect.

To Modify an Administration Domain

1. In the iPlanet Console navigation tree, select the domain you want to modify, then click the Edit button in the server information panel of iPlanet Console.

2. Modify domain information as necessary:

   Domain Name. Enter the name of the domain as you want it to appear in the navigation tree.

   Description (Optional). Enter a text string that helps you identify this domain.

   User Directory Host and Port. Specify the location of the user directory using the host computer's fully qualified domain name and port number. You can enter more than one user directory location separated by spaces. This is useful when you use multiple directories to allow users to log in if a primary Directory Server is inaccessible. Example:

   east.siroe.com:389 west.siroe.com:393

   See " for more information.

   All host computers specified in the User Directory Host and Port field must have the same settings for the following fields:

   Secure Connection. Check this box if the new user directory port is already enabled for SSL communication.

   User Directory Subtree. Enter the base DN of the user information in the new user directory. Example: o=siroe.com

   Bind DN. Enter the distinguished name for a user who has full access permission to the new user directory. Example: uid=jdoe, ou=people, o=siroe.com.

   Bind Password. Enter the password for the user specified by the Bind DN.

   
   

   ---

   Caution

   These settings affect all servers in the domain. If you make changes here, you must restart all servers in the domain.

   ---

   
   

3. Click OK.

To Remove an Administration Domain

1. Open iPlanet Console.

2. Remove all server instances from the administration domain that you want to remove.

   For more information on removing server instances, see "Removing a Server Instance."

3. Select the administration domain that you want to remove.

4. From the Console menu, choose Remove Administration Domain.

5. Click OK.

Customizing iPlanet Console

---

This section tells you how to specify where to store display settings as well as how to change iPlanet Console's appearance to meet your specific needs. It explains the following:

• How to specify where iPlanet Console should store your display preferences.

• How to specify which fonts iPlanet Console should use for onscreen elements.

• How to change the width and position of columns in tables.

• How to customize views of the navigation tree.

In addition, you can change iPlanet Console's appearance by applying access control instructions to user interface elements. This procedure is discussed in Chapter 9, "Access Control."

Storing Display Settings

When you exit iPlanet Console, any display changes you've made during the session are saved. This includes changes to window size or position; banner bar, status bar, or navigation tree visibility; and fonts.

You can store these display settings on the network or on your local disk to suit your needs. If, at any time, you want the settings reset to what they were when you installed iPlanet Console, you can do so.

To Change Where Display Settings Are Stored

1. In iPlanet Console, from the Edit menu, choose Preferences.

2. Click the Settings tab.

3. Specify where you want to save your display settings:

   In your configuration directory. Select this option if you want to be able to use your settings no matter where you are when you log in to iPlanet Console. This option is useful if you frequently "roam" between a number of similar workstations at your business site. No matter what workstation you're using, when you log in to iPlanet Console you can use your preset display preferences.

   On your computer's hard disk. Select this option if you want to be able to use different display settings depending upon the individual workstation you're using. This option is useful when you use one workstation at work and a dissimilar system, such as a laptop computer, at home. The settings for the workstation are stored and used on the workstation. The settings for the laptop are stored and used on the laptop.

4. Click OK.

To Reset Display Settings to Their Default Values

1. In iPlanet Console, from the Edit menu, choose Preferences.

2. Click the Settings tab.

3. Click the Restore Defaults button to revert to the default display settings.

4. Click OK.

Setting Display Fonts

You can specify which fonts iPlanet Console should use for different screen elements. If you use more than one computer system to administer servers, you can save different sets of font preferences, or profiles, for use on each system.

To Create a Font Profile

1. In the main iPlanet Console window, from the Edit menu, choose Preferences.

2. Click the Fonts tab.

3. Click Save As, enter a name for this profile, and then click OK.

4. In the Screen Element column, click a screen element that you want to change the font for.

   The Font column contains samples of the fonts that are currently associated with the listed screen elements.

5. Click Change Font.

   The Select Font dialog box appears.

6. In the Select Font dialog box, make your font selections:

   Font. Choose the font face you want to use for this element.

   Size. Choose a size for the selected font face.

   Bold. Select this option to display the font in bold.

   Italic. Select this option to display the font in italics.

   Sample. This frame displays sample type using the current settings.

7. Click OK to close the Select Font dialog box.

8. If you want to set fonts for additional screen elements, repeat steps 4 through 7.

9. Click OK to save the profile.

To Edit an Existing Font Profile

1. In the main iPlanet Console window, from the Edit menu, choose Preferences.

2. Click the Fonts tab.

3. Select the font profile to edit.

   From the Font Profile drop-down list, choose a profile. If the list is grayed out, no profiles are available.

4. Make the desired changes to the font profile.

5. Click OK to save the profile.

To Rename a Font Profile

1. In the main iPlanet Console window, from the Edit menu, choose Preferences.

2. Click the Fonts tab.

3. Select the font profile to rename.

   From the Font Profile drop-down list, choose a profile. If the list is grayed out, no profiles are available.

4. Click Save As, enter the new name for this profile, and then click OK.

   A new profile with the name you specified appears in the Font Profile drop-down list. The original profile is still listed.

5. From the Font Profile drop-down list, select the original font profile.

6. Click Remove, and then confirm the deletion.

7. Click OK to save the renamed profile.

To Use a Font Profile

1. In the main iPlanet Console window, from the Edit menu, choose Preferences.

2. Click the Fonts tab.

3. Select the font profile to use.

   From the Font Profile drop-down list, choose a profile. If the list is grayed out, no profiles are available.

4. Click OK.

To Remove a Font Profile

1. In the main iPlanet Console window, from the Edit menu, choose Preferences.

2. Click the Fonts tab.

3. Select the font profile to remove.

   From the Font Profile drop-down list, choose a profile. If the list is grayed out, no profiles are available.

4. Click Remove, and then confirm the deletion.

5. Click OK.

Customizing the Main Window

You can specify which elements of the main iPlanet Console window you want to see.

To Customize the Main Window

Select or deselect items in the View menu.

Selecting a menu item displays it and deselecting an item hides it. You can show or hide the following screen elements:

• Banner Bar

• Status Bar

• Tree

Figure 3-2    The Banner Bar, Navigation Tree, and Status Bar

Customizing Tables

Some iPlanet Console tasks, such as setting display fonts, use tables. You can change the position and adjust the width of columns in these tables.

To Change Column Position in a Table

Drag each column head into the desired position.

See Figure 3-3 for an example.

When you release the mouse button, the column will snap into its new position.

Figure 3-3    Changing the Position of a Column

To Change the Width of Columns in a Table

1. Position the pointer over a boundary of a column head.

   It turns into a double arrow, as shown in Figure 3-4.

2. Drag the boundary to change the width of the column.

Figure 3-4    Resizing a Column

Creating Custom Views of the Navigation Tree

You can create custom views of the navigation tree. Custom views are useful when you want to see the resources that you access routinely, and hide resources that you access infrequently.

When creating a custom view, you can specify whether the view is public or private. A public view is visible to any user who logs in to iPlanet Console. A private view is visible only to the person who created it.

To Create a Custom View of the Navigation Tree

1. From the View menu, choose Custom View Configuration, then click New.

2. Choose whether the new view will be public or private, then click OK.

   By default, a public view is visible to all users of iPlanet Console, but you can restrict access to it using access control instructions (ACIs). For more information, see "To Set Access Permissions for a Public View," on page 65

   A private view is only visible to you. You cannot apply ACIs to it.

3. In the Edit View window, position your cursor in the text field and enter a descriptive name for this Custom View.

4. Select a resource from the Default View navigation tree on the left. Click Copy to include it in your Custom View navigation tree on the right.

   If you need to remove a resource from the new tree, select it and click Remove.

   You can select a range of resources by clicking the first item and then pressing Shift while clicking the last item. You can select multiple resources by pressing and holding down Control while clicking on one item after another.

5. Click OK when you have finished adding resources.

In the example that follows, an administrator has created a view named Messaging Servers that includes instances of iPlanet Messaging Server and their hosts.

Figure 3-5    Customized Navigation Tree Example

Working With Custom Views

You can use multiple views to suit your needs. The administrator who created the view shown in the preceding example might also have views called Directory Servers and Enterprise Servers. The administrator can switch to the Custom View needed for a specific task or choose Default View to see all the servers in the navigation tree.

When you install iPlanet Console, a Custom View called Server View is configured for you. This view displays server instances grouped by type; it does not include administration domains, hosts, or server groups.

To Switch to a Custom View

Choose the desired custom view from the drop-down list on the "Servers and Applications" tab. To return to the default view, choose Default View from the drop-down list.

Figure 3-6    Switching to a Custom View

To Edit a Custom View

1. From the View menu, choose Custom View Configuration.

2. Select a Custom View from the list and click Edit.

3. Make any necessary changes to the Custom View.

4. Click OK.

To Rename a Custom View

1. From the View menu, choose Custom View Configuration.

2. Choose a Custom View from the list and click Edit.

3. In the Edit View window, position the cursor in the text field, then type the new name for your Custom View.

4. Click OK.

To Set Access Permissions for a Public View

1. From the View menu, choose Custom View Configuration.

2. Choose a public Custom View from the list and click Access.

3. Specify the ACI you want to use, or create a new ACI:
   • If you want to use an existing Access Control Instruction (ACI), select it and click OK.

   • If you want to create a new ACI, click New, and then follow the directions for creating a new ACI under "Using the ACI Manager and ACI Editor."

4. Click OK when you have finished setting access permissions.

For more information on setting Access Permissions and creating Access Control Instructions, see Chapter 9, "Access Control."

To Delete a Custom View

1. From the View menu, choose Custom View Configuration.

2. Choose a Custom View from the list and click Delete.

3. Click Yes to confirm the deletion.

Administration Express

---

The Administration Express page is an HTML-based version of iPlanet Console that provides quick access to servers running Administration Server 4.2 or later. In the Administration Express page, you can perform four administration tasks:

• Starting servers (except stopped instances of Administration Server, which must be started from the command line)

• Stopping servers

• Viewing basic server information, such as name, description, and installation folder.

• Viewing logs

Keep the following in mind when you use the Administration Express page:

• Before you can use Administration Express to manage a server, you must upgrade its instance of Administration Server to version 4.2 or later. If you try to use Administration Express with a server using a pre-4.2 version of Administration Server, you'll get the message "Status Unknown."

• If you turn off the instance of Administration Server that you used to log in to Administration Express, you will no longer be able to use that Administration Express page. If this happens, log in again using a different Administration Server URL.

Accessing Administration Express

The Administration Express page is accessed through a browser.

To Open Administration Express

1. Open version 3.0 or later of either Netscape Navigator or Microsoft Internet Explorer, and enter the qualified host name and port number for the instance of Administration Server that you want to access.

   Example: eastcoast.siroe.com:26751

2. In the Administration page, under Services for Administrators, click iPlanet Administration Express.

3. If prompted, enter your user name and password in the dialog box, then click OK.

   If the instance of Administration Server that you are logging in to uses SSL, you may be prompted to confirm the acceptability of the instance's certificate. Additionally, if the server instance is configured to require client authentication, you may be prompted to present a client certificate. Typically, accepting server certificates involves clicking through several dialog boxes while presenting a client certificate involves making a selection from a drop-down list. If you need more information on accepting server certificates and presenting client certificates, see your browser documentation.

   Once authentication is complete, you will see the main Administration Express screen:

Figure 3-7    The Administration Express Page and How to Use It

Using Administration Express

From the main Administration Express screen, you can start and stop server instances, view basic server information, and view access and error logs.

To Start or Stop a Server Instance From Administration Express

In the row containing the server instance that you want to start or stop, click On to start the server instance or Off to stop it.

Keep the following in mind when starting and stopping server instances:

• Before you can turn a server instance on or off, or view its log files, the instance of Administration Server for the server group must be running.

• You cannot use the Administration Express page to start a stopped instance of Administration Server or an instance of any server that's using SSL encryption.

UNIX

To start a stopped instance of Administration Server or an instance that's running SSL, you must always run start-admin from the command line. For more information on starting Administration Server, see "Restarting Administration Server."

Windows NT

To start a stopped instance of Administration Server or an instance that's running SSL, you can run start-admin or use the Services control panel. For more information on starting Administration Server, see "Restarting Administration Server."

To View Basic Server Information From Administration Express

In the row containing the server instance that you want to view information about, click Server Info.

To View Access and Error Logs From Administration Express

In the row containing the server instance that you want to view the logs for, click Logs.

Setting the Refresh Rate for Administration Express

You can configure Administration Express to automatically refresh its display of hosts and server instances. This is useful if you want to monitor the status of your iPlanet and Netscape servers and applications at regular intervals.

To Set the Refresh Rate for Administration Express

1. In a text editor, open the serverRoot/admin-serv/config/adm.conf file.

2. Add the following line to adm.conf:

   ExpressRefreshRate: refreshRate

   where refreshRate is an integer value representing the number of seconds Administration Express should wait before refreshing its display. For example, entering ExpressRefreshRate: 120 instructs Administration Express to refresh the display every two minutes (120 seconds).

3. Save adm.conf.