Environment
Novell Access Manager 3 SSLVPN Server
Novell Access Manager 3.1 SSLVPN Server
Situation
An SSLVPN server had been set up and was working fine in traditional (non-ESP) mode on a test platform. The administrator wanted to keep the existing SSLVPN server host but import the device into the production Admin Console. After following the instructions at https://www.novell.com/documentation/novellaccessmanager31/sslvpn_serverguide/index.html?page=/documentation/novellaccessmanager31/sslvpn_serverguide/data/b5nvtfb.html, no SSLVPN server device appeared in the production Admin Console, and the administrator could not re-import the device from that point on.
Resolution
Run one of the following scripts to allow the SSLVPN server to be re-imported into another (or the existing) Admin Console. Save the script on the SSLVPN server, give it execute rights, and run it there. Separate scripts are provided for ESP-enabled and traditional (non-ESP) SSLVPN servers; use the one that matches the server.
1. ESP-enabled SSLVPN server
#!/bin/bash
# This script is used to reimport an ESP-enabled SSLVPN server into the new device manager (Admin Console)
export DS_ADMIN_DN
export DS_ADMIN_PWD
read -e -p "Enter the configuration store admin DN [cn=admin,o=novell]:" DS_ADMIN_DN
if [ -z "${DS_ADMIN_DN}" ]
then
    DS_ADMIN_DN="cn=admin,o=novell"
fi
# Disable terminal echo while the password is typed
stty -echo
read -e -p "Enter the configuration store admin password []:" DS_ADMIN_PWD
stty echo
echo
#Bring down all services
/etc/init.d/novell-jcc stop
/etc/init.d/novell-tomcat5 stop
sslvpnc -d
sleep 3
#Configure sslvpn for new admin server. This will update config.xml
sslvpnc -c
#Configure jcc with new set of ips
/opt/novell/devman/jcc/bin/config.sh --two_pass_configure
#Generate new random number for the new device ID (16 uppercase hex digits)
SSLVPN_UNIQUE_ID=$(head -c8 /dev/urandom | od -An -tx8 | tr -d "[:space:]" | tr "[:lower:]" "[:upper:]")
echo "New id $SSLVPN_UNIQUE_ID"
#run configure to update with new set of IDs
#Note: the admin password is passed as a command-line argument here, so it is visible in the process list while Configure.sh runs
/opt/novell/devman/jcc/conf/Configure.sh --user "${DS_ADMIN_DN}" --pass "${DS_ADMIN_PWD}" --nespid "esp-${SSLVPN_UNIQUE_ID}" --sslvpnid "${SSLVPN_UNIQUE_ID}" --tomcatdir "/var/opt/novell/tomcat5" --two_pass_configure --no_jcc_configure
#Update the new jcc ID for the ESP
ESPSSLVPN_ID_FILE="/var/opt/novell/tomcat5/webapps/sslvpn/WEB-INF/jccid.dat"
echo "inserting new id ${SSLVPN_UNIQUE_ID}"
echo "esp-${SSLVPN_UNIQUE_ID}" > "${ESPSSLVPN_ID_FILE}"
cat "${ESPSSLVPN_ID_FILE}"
chown novlwww: "${ESPSSLVPN_ID_FILE}"
#Bring up all services
sslvpnc -u
/etc/init.d/novell-jcc start
/etc/init.d/novell-tomcat5 start
2. Traditional (non-ESP) SSLVPN server
#!/bin/bash
# This script is used to reimport a traditional (non-ESP) SSLVPN server into the new device manager (Admin Console)
export DS_ADMIN_DN
export DS_ADMIN_PWD
read -e -p "Enter the configuration store admin DN [cn=admin,o=novell]:" DS_ADMIN_DN
if [ -z "${DS_ADMIN_DN}" ]
then
    DS_ADMIN_DN="cn=admin,o=novell"
fi
# Disable terminal echo while the password is typed
stty -echo
read -e -p "Enter the configuration store admin password []:" DS_ADMIN_PWD
stty echo
echo
#Bring down all services
/etc/init.d/novell-jcc stop
/etc/init.d/novell-tomcat5 stop
sslvpnc -d
sleep 3
#Configure sslvpn for new admin server. This will update config.xml
sslvpnc -c
#Debug: check the /etc/opt/novell/sslvpn/config.xml file for the /DeviceManagerAddress tag
#Configure jcc with new set of ips
/opt/novell/devman/jcc/bin/config.sh --two_pass_configure
#Debug: check the /opt/novell/devman/jcc/conf/settings.properties file for the remotemgmtip tag
#Generate new random number for the new device ID (16 uppercase hex digits)
SSLVPN_UNIQUE_ID=$(head -c8 /dev/urandom | od -An -tx8 | tr -d "[:space:]" | tr "[:lower:]" "[:upper:]")
echo "New id $SSLVPN_UNIQUE_ID"
#run configure to update with new set of IDs
#Note: the admin password is passed as a command-line argument here, so it is visible in the process list while Configure.sh runs
/opt/novell/devman/jcc/conf/Configure.sh --user "${DS_ADMIN_DN}" --pass "${DS_ADMIN_PWD}" --sslvpnid "${SSLVPN_UNIQUE_ID}" --two_pass_configure --no_jcc_configure
#Bring up all services
sslvpnc -u
/etc/init.d/novell-jcc start
/etc/init.d/novell-tomcat5 start
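As an added post-run check (example code written for this page, not part of the TID or of Novell's own tooling), the script below confirms that the files the reimport scripts touch agree on the new Admin Console address and that the ESP jccid.dat has the expected shape. It assumes config.xml stores the address as a <DeviceManagerAddress> element and settings.properties as a remotemgmtip= key (both file layouts are assumptions, not taken from the TID); the function names are hypothetical and the sample files and addresses it builds are constructed.

```bash
#!/bin/bash
# Post-run consistency check for an SSLVPN reimport (added example; not Novell's code).
# ASSUMPTIONS: config.xml holds <DeviceManagerAddress>IP</DeviceManagerAddress> and
# settings.properties holds remotemgmtip=IP; neither layout is confirmed by the TID.

# True if the ID has the shape the reimport scripts generate: 16 uppercase hex digits.
valid_device_id() {
    case "$1" in ""|*[!0-9A-F]*) return 1 ;; esac
    [ "${#1}" -eq 16 ]
}

# Value of the (assumed) DeviceManagerAddress element in config.xml.
config_dm_address() {
    sed -n 's|.*<DeviceManagerAddress>\([^<]*\)</DeviceManagerAddress>.*|\1|p' "$1" | head -n1
}

# Value of the (assumed) remotemgmtip key in settings.properties.
jcc_remote_mgmt_ip() {
    sed -n 's/^[[:space:]]*remotemgmtip[[:space:]]*=[[:space:]]*//p' "$1" | head -n1
}

# Compare every artifact against the expected Admin Console IP; report each mismatch.
# Usage: check_reimport <expected_ip> <config.xml> <settings.properties> [jccid.dat]
check_reimport() {
    expected="$1"; cfg="$2"; props="$3"; idfile="$4"; rc=0
    dm=$(config_dm_address "$cfg")
    [ "$dm" = "$expected" ] || { echo "config.xml DeviceManagerAddress='$dm', expected '$expected'"; rc=1; }
    mip=$(jcc_remote_mgmt_ip "$props")
    [ "$mip" = "$expected" ] || { echo "settings.properties remotemgmtip='$mip', expected '$expected'"; rc=1; }
    if [ -n "$idfile" ]; then
        id=$(tr -d '[:space:]' < "$idfile")
        # ESP jccid.dat must be "esp-" followed by the 16-hex-digit device ID
        { [ "${id#esp-}" != "$id" ] && valid_device_id "${id#esp-}"; } \
            || { echo "jccid.dat '$id' is not esp-<16 hex digits>"; rc=1; }
    fi
    return $rc
}

# Build CONSTRUCTED sample files (not real Access Manager output) in a temp dir; print its path.
make_sample() {
    d=$(mktemp -d)
    printf '<Config>\n <DeviceManagerAddress>%s</DeviceManagerAddress>\n</Config>\n' "$1" > "$d/config.xml"
    printf 'remotemgmtip=%s\n' "$2" > "$d/settings.properties"
    printf 'esp-%s\n' "$3" > "$d/jccid.dat"
    echo "$d"
}

# Example run: new Admin Console at 10.0.0.5 (constructed address); the ID is a sample value.
dir=$(make_sample 10.0.0.5 10.0.0.5 0123456789ABCDEF)
check_reimport 10.0.0.5 "$dir/config.xml" "$dir/settings.properties" "$dir/jccid.dat" && echo "reimport artifacts are consistent"
```

On a real server, point check_reimport at /etc/opt/novell/sslvpn/config.xml, /opt/novell/devman/jcc/conf/settings.properties and the jccid.dat path used by the ESP script; any line it prints names the file that still refers to the old Admin Console.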