Environment
Novell Access Management 3 Linux Access Gateway
Novell Access Management 3 SSLVPN Server
Situation
SSLVPN installation during the Linux Access Gateway install failed.
The installation logs for SSLVPN indicate that the required
certificates were not created. SSLVPN will not function from this
point on.
Resolution
When an administrator installs the Linux Access Gateway, the sslvpn
rpms (novl-sslvpn* rpms) get installed by default. Only when the
SSLVPN services are automatically enabled via the SSLVPN options at
install time, or using the lagconfigure (/chroot/lag/opt/novell/bin
directory) shell script, will the SSLVPN device appear in Access
Administrator. The script to enable the services will also create
the stunnel default certificate and SSLVPN device keystore. Unlike
the SSLVPN server coming with the Identity Server CD, there is no
uninstall script to remove all the SSLVPN components.
To cleanly remove the SSLVPN server from a Linux Access gateway, the following steps need to be done:
1. stop all SSLVPN services on the LAG using the 'sslvpnc --down' command
2. remove the SSLVPN device from the Access Administrator
3. use rpm -e to remove the novl-sslvpn* packages.
For example, use rpm -qa|grep -i sslvpn to find the package names as shown below:
mylag:~ # rpm -qa|grep -i sslv
novl-sslvpn-servlet-3.0.0-100
novl-sslvpn-3.0.0-73
Then use rpm -e to remove each package:
rpm -e novl-sslvpn-servlet-3.0.0-100 novl-sslvpn-3.0.0-73
4. On the Access Administration server, run /opt/novell/devman/bin/ambkup.sh to back up the configuration in case it has to be restored later
5. Using an LDAP browser (e.g. http://www-unix.mcs.anl.gov/~gawor/ldap/), browse the configuration store of your Access Manager setup. Make sure that, in the configuration, the secure LDAP connection method is used. Once there, browse to the following container:
* o=novell -> accessManagerContainer -> VCDN_Root -> PartitionsContainer -> Partition -> KeyContainer
Locate all certificates starting with SSLVPN. You should look at the RomaCertXMLDoc attribute of each object to make sure that the certificate name is stunnel or the romaKeyStore attribute references the SSLVPN keystore.
Once located, delete all certificates.
* Remove any entries referring to sslvpn in the container o=novell -> accessManagerContainer -> VCDN_Root -> PartitionsContainer -> Partition -> ApplianceContainer
You should now have a completely clean Linux Access Gateway with no reference to the SSLVPN services.
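The removal steps above as a script, added here as an example and not part of the original TID. It runs in dry-run mode by default and only prints what it would do; steps 1 and 3 run on the LAG itself (it assumes sslvpnc and rpm are on PATH there), while the LDAP part of step 5 is handled by filtering an LDIF export of the KeyContainer or ApplianceContainer read from stdin. The DN form used in the constructed sample LDIF is an assumption; the article names only the container path.

```shell
#!/bin/sh
# Added example, not from the Novell TID. Scripted version of the SSLVPN
# removal steps. DRY_RUN=1 (the default) prints commands instead of running them.
DRY_RUN="${DRY_RUN:-1}"

# Echo a command, or execute it when DRY_RUN=0.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "would run: $*"
    else
        "$@"
    fi
}

# Step 3: pick the novl-sslvpn* package names out of an `rpm -qa` listing read
# from stdin, so the selection can be checked against a constructed sample.
sslvpn_packages() {
    grep -i '^novl-sslvpn' | LC_ALL=C sort
}

# Step 5: from an LDIF export read from stdin, print the DN of every entry that
# refers to SSLVPN: any attribute mentioning sslvpn (cn, romaKeyStore, ...) or a
# RomaCertXMLDoc naming the stunnel certificate. Entries are blank-line separated.
sslvpn_entry_dns() {
    awk 'BEGIN { RS = ""; FS = "\n" }
    {
        dn = ""; hit = 0
        for (i = 1; i <= NF; i++) {
            line = tolower($i)
            if (line ~ /^dn: /) { dn = substr($i, 5); continue }
            if (line ~ /sslvpn/ || line ~ /^romacertxmldoc:.*stunnel/) hit = 1
        }
        if (hit && dn != "") print dn
    }'
}

# Constructed sample LDIF standing in for an export of the KeyContainer
# (assumed DN layout; the article only gives the container path).
SAMPLE_LDIF=$(cat <<'EOF'
dn: cn=SSLVPN-stunnel,ou=KeyContainer,ou=Partition,ou=PartitionsContainer,ou=VCDN_Root,ou=accessManagerContainer,o=novell
cn: SSLVPN-stunnel
romaKeyStore: SSLVPN_device_keystore

dn: cn=lag-signing,ou=KeyContainer,ou=Partition,ou=PartitionsContainer,ou=VCDN_Root,ou=accessManagerContainer,o=novell
cn: lag-signing
romaKeyStore: lag_signing_keystore

dn: cn=test-connector,ou=KeyContainer,ou=Partition,ou=PartitionsContainer,ou=VCDN_Root,ou=accessManagerContainer,o=novell
cn: test-connector
RomaCertXMLDoc: <cert name="stunnel"/>
EOF
)

# Steps 1 and 3 on the LAG. Steps 2, 4 and 5 are done from the Access
# Administrator / LDAP side, so they are only announced here.
remove_sslvpn() {
    run sslvpnc --down
    echo "next: delete the SSLVPN device in Access Administrator, then run ambkup.sh"
    pkgs=$(rpm -qa | sslvpn_packages | tr '\n' ' ')
    if [ -n "$pkgs" ]; then
        # shellcheck disable=SC2086  # splitting the package list into words is intended
        run rpm -e $pkgs
    else
        echo "no novl-sslvpn packages installed"
    fi
}

case "${1:-}" in
    --remove) remove_sslvpn ;;                     # DRY_RUN=0 ./sslvpn-cleanup.sh --remove
    --ldif)   sslvpn_entry_dns ;;                  # ./sslvpn-cleanup.sh --ldif < keycontainer.ldif
    --demo)   printf '%s\n' "$SAMPLE_LDIF" | sslvpn_entry_dns ;;
esac
```

Run it with --demo to see which of the sample entries would be flagged for deletion (SSLVPN-stunnel and test-connector, not lag-signing); with a real export, review the printed DNs in the LDAP browser before deleting anything, since the filter is deliberately broad enough to also catch the ApplianceContainer entries.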
To reinstall SSLVPN services on the Linux Access Gateway, the following will need to be done:
1. copy the novl-sslvpn* packages from the Identity Server CD (nids-agents directory) to the Linux Access Gateway
2. install each of these packages using the rpm -ivh command
mylag:~ # rpm -ivh novl-sslvpn-servlet-3.0.0-100.i586.rpm novl-sslvpn-3.0.0-73.noarch.rpm
3. From a shell on the LAG, type the following command to configure the Access Administrator and SSLVPN settings:
yast2 sp-agent
4. In the YaST screen, enable Onbox SSLVPN Server, give the Administrator IP, the Access Gateway IP and the Administrator password, and click Next until the operation is finished
5. Run the script /chroot/lag/opt/novell/bin/auto_import to import the components. This script reimports both LAG and SSLVPN.
At this stage, you now have the SSLVPN and Access Gateway services up and running.
Additional Information
Should be addressed in SP1.