Environment
NetIQ Access Manager 3.2
Novell Access Manager 3.1
Upgrading from Access Manager 3.1 to 3.2
Situation
When migrating from Access Manager 3.1 to 3.2, the following steps were performed:
1. Prior to starting the migration process, took a backup of the existing 3.1.4 configuration on the Admin Console by running the "./ambkup.sh" script.
2. Installed the 3.2 SP1 Administration Console on new hardware using the same IP address but a different hostname from the 3.1.4 server that was backed up. This is all as per the migration docs at https://www.netiq.com/documentation/novellaccessmanager32/mig_upgrade/?page=/documentation/novellaccessmanager32/mig_upgrade/data/bookinfo.html
3. Shut down the existing 3.1.4 Admin Console.
4. To test failover at this stage, took a backup of the newly installed Access Manager 3.2 server.
5. Shut down this new Access Manager 3.2 Admin Console server.
6. Installed an Administration Console on new hardware, using the same DNS name and IP address as the Admin Console shut down in the previous step.
7. Restored the backed-up configuration from step 4.
The restore script appeared to execute successfully but displayed the following message after the private key encryption password was provided:
--------------------------------------------------------------
Restoring certificatres...
*** Error ************ Error ************** Error ****
AM#201002008: FAILED to restore certificates from backup file. FAILED to restore. Please verify
IP Address: 192.168.171.155
LDAP Port: 636
Administrator id:cn=admin,o=novell
Administrator Password:
Backup file: app153_20121005_1226
eDirectory Server: Certificate Encryption Pharse:
*** Error ************ Error ************** Error ****
Log file for this restore is /var/log/nidp_backup_20121005_1513.log
-----------------------------------------------------------------
Despite this error, all devices seemed to continue working, indicating that it is cosmetic in nature. To confirm this after restoring, we unassigned the Identity Server from the cluster configuration, installed and reinstalled the Identity Server, and then reassigned the Identity Server to the cluster configuration. All worked fine.
Resolution
Do the following:
a) Make sure that the install of the Admin Console in step 6 is done using the same IP address used on the recently shut down Admin Console from step 5, but also with the same hostname as that of the original 3.1.4 Admin Console.
b) Replace the "amrest-fn.sh" script located in "/opt/novell/devman/bin/" with the script below before running step 7 above. After the script is replaced, restore the configuration on the freshly installed Administration Console by running the "./amrestore.sh" script.
#!/bin/bash
# These functions are required to accomplish certain restore actions for
# Novell Access Manager. These functions expect certain things to be defined.
#
# JAVA : Path to Java VM executable
# IP_ADDR : IP address of the server to modify
# IP_PORT : IP port of the database service on the server
# DS_ADMIN_DN : LDAP DN for the administrative user
# DS_ADMIN_PWD : Password for the administrative user
# DEL_CNTNR : Container to be restored
# BKUP_DIR : the directory path of the backup files
# BKUP_FILE : the base name of the backup files
# RECOVER_FILE : File prefix for recovery files
# LOG_FILE : Log file path
# DEL_LDIF_FILE: File path of temporary LDIF file
#
# Also, it is important to have defined the following functions.
#
# failError : Parameters - First: Error number, Second: Error string

am30_restore_database()
{
    if ! [ -e ${BKUP_DIR}/${BKUP_FILE}.zip ]
    then
        failError 201002001 "The backup file does not exist"
    fi
    LDIF_FILE_NAME=`unzip -l ${BKUP_DIR}/${BKUP_FILE}.zip | grep ldif | awk '{print $NF;}'`
    unzip -o ${BKUP_DIR}/${BKUP_FILE}.zip ${LDIF_FILE_NAME} -d ${BKUP_DIR}
    if [ $LDIF_FILE_NAME != ${BKUP_FILE}.ldif ]
    then
        mv ${BKUP_DIR}/${LDIF_FILE_NAME} ${BKUP_DIR}/${BKUP_FILE}.ldif
    fi
    ${JAVA} -Xmx2048m -Djava.library.path=/opt/novell/lib64 -classpath log4j-1.2.15.jar:certtool.jar:vcdnbkup.jar:${VCDNLIB}/vcdn_sc.jar:${VCDNLIB}/vcdn_platform.jar:${VCDNLIB}/novbp.jar com.novell.nids.bkuputil.Util -unprotect -pwd "${CERT_ENC_PWD}" -file ${BKUP_DIR}/${BKUP_FILE}.ldif >> ${LOG_FILE} 2>&1
    if [ $? -ne 0 ]
    then
        rm ${BKUP_DIR}/${BKUP_FILE}.ldif
        failError 201002002 "Failed to decrypt the backup file."
    fi
    ./ldifReverse -t ${BKUP_DIR}/${BKUP_FILE}.ldif
    if [ $? -ne 0 ]
    then
        ./ldifReverse ${BKUP_DIR}/${BKUP_FILE}.ldif ${BKUP_DIR}/${BKUP_FILE}_pre
        if [ $? -ne 0 ]
        then
            rm ${BKUP_DIR}/${BKUP_FILE}.ldif
            failError 201002002 "The backup file (${BKUP_DIR}/${BKUP_FILE}) does not appear to be a valid backup file."
        fi
        mv ${BKUP_DIR}/${BKUP_FILE}_pre ${BKUP_DIR}/${BKUP_FILE}.ldif
    fi
    # Get the root_ca in a der file to use with ice
    LD_LIBRARY_PATH=/opt/novell/lib64:/opt/novell/eDirectory/lib64 ${JAVA} -cp "certtool.jar:/opt/novell/lib64/npki.jar" com.novell.nids.certmgr.DirCertTool -edirIP ${IP_ADDR} -edirUser ${DS_ADMIN_DN_DOT} -edirPwd ${DS_ADMIN_PWD} -exportCACert -file "ca.der" >> ${LOG_FILE} 2>&1
    # Build temporary backup file in case we successfully delete records and then fail to restore from the backup file.
    #
    /opt/novell/eDirectory/bin/ice -SLDAP -L ca.der -s${IP_ADDR} -p${IP_PORT} -d${DS_ADMIN_DN} -w${DS_ADMIN_PWD} -b${DEL_CNTNR} -csub -DLDIF -f${RECOVER_FILE}_pre >> ${LOG_FILE} 2>&1
    if [ $? -ne 0 ]
    then
        rm ca.der
        rm ${BKUP_DIR}/${BKUP_FILE}.ldif
        failError 201002003 "Failed to access configure store."
    fi
    ./ldifReverse ${RECOVER_FILE}_pre ${RECOVER_FILE}
    if [ $? -ne 0 ]
    then
        rm ca.der
        rm ${BKUP_DIR}/${BKUP_FILE}.ldif
        failError 201002004
    fi
    rm ${RECOVER_FILE}_pre
    # Create the delete commands in an ldif file.
    #
    /opt/novell/eDirectory/bin/ice -SLDAP -L ca.der -s${IP_ADDR} -p${IP_PORT} -d${DS_ADMIN_DN} -w${DS_ADMIN_PWD} -b${DEL_CNTNR} -csub -x -DLDIF -f${DEL_LDIF_FILE}_pre >> ${LOG_FILE} 2>&1
    if [ $? -ne 0 ]
    then
        rm ca.der
        rm ${BKUP_DIR}/${BKUP_FILE}.ldif
        failError 201002005 "Failed to prepare configure store for restore operation."
    fi
    # Run the delete command
    #
    ./ldifReverse ${DEL_LDIF_FILE}_pre ${DEL_LDIF_FILE}
    /opt/novell/eDirectory/bin/ice -SLDIF -f ${DEL_LDIF_FILE} -DLDAP -L ca.der -s${IP_ADDR} -p${IP_PORT} -d${DS_ADMIN_DN} -w${DS_ADMIN_PWD} >> ${LOG_FILE} 2>&1
    if [ $? -ne 0 ]
    then
        rm ca.der
        rm ${BKUP_DIR}/${BKUP_FILE}.ldif
        failError 201002006 "Failed to back out configure store data."
    fi
    rm ${DEL_LDIF_FILE}
    ###################################################################
    ### Restore the accessManagerContainer
    # import the records from the backup ldif file.
    #
    # bug 532726
    grep "nidsIconURL" ${BKUP_DIR}/${BKUP_FILE}.ldif >> /dev/null
    if [ $? -eq 0 ]
    then
        egrep -v 'nidsIconURL' ${BKUP_DIR}/${BKUP_FILE}.ldif > temp.ldif
        mv temp.ldif ${BKUP_DIR}/${BKUP_FILE}.ldif
    fi
    echo Restoring configuration... | tee -a ${LOG_FILE}
    /opt/novell/eDirectory/bin/ice -SLDIF -f ${BKUP_DIR}/${BKUP_FILE}.ldif -C -n -DLDAP -L ca.der -s${IP_ADDR} -p${IP_PORT} -d${DS_ADMIN_DN} -w${DS_ADMIN_PWD} -F >> ${LOG_FILE}_temp 2>&1
    cat ${LOG_FILE}_temp | grep "Total entries failed: 0"
    if [ $? -ne 0 ]
    then
        rm ${BKUP_DIR}/${BKUP_FILE}.ldif
        /opt/novell/eDirectory/bin/ice -SLDIF -f ${RECOVER_FILE} -C -n -DLDAP -L ca.der -s${IP_ADDR} -p${IP_PORT} -d${DS_ADMIN_DN} -w${DS_ADMIN_PWD} -F >> ${LOG_FILE} 2>&1
        failError 201002007 "Failed to restore from backup file: ${BKUP_DIR}/${BKUP_FILE}.ldif."
        rm ca.der
    fi
    rm ca.der
    rm ${BKUP_DIR}/${BKUP_FILE}.ldif
    rm ${DEL_LDIF_FILE}_pre
    #############################################################
    ### Bug 783872 - Restoring configuration displays FAILED to restore certificates.
    #############################################################
    LDAP_TOOLS_BASE_PATH="/opt/novell/eDirectory/bin"
    OLD_ENTRY=`${LDAP_TOOLS_BASE_PATH}/ldapsearch -A -LLL -b "ou=ROMAServerContainer,ou=Partition,ou=PartitionsContainer,ou=VCDN_root,ou=accessManagerContainer,o=novell" -D "${DS_ADMIN_DN}" -w "${DS_ADMIN_PWD}" "romaServerAddress=${DS_SERVER_ADDR}" |grep dn: | awk '{print $2}' | awk -F ',' '{print $1}' |awk -F '=' '{print $2}'` >> ${LOG_FILE} 2>&1
    NEW_ENTRY=`unzip -l ${BKUP_DIR}/${BKUP_FILE}.zip | grep -i "TREE CA" | awk '{print $4;}' | sed 's/.....$//'`
    ${LDAP_TOOLS_BASE_PATH}/ldapmodrdn -r -D "${DS_ADMIN_DN}" -w "${DS_ADMIN_PWD}" "ou=${OLD_ENTRY},ou=ROMAServerContainer,ou=Partition,ou=PartitionsContainer,ou=VCDN_root,ou=accessManagerContainer,o=novell" "ou=${NEW_ENTRY}" >> ${LOG_FILE} 2>&1
    #############################################################
    ${JAVA} -classpath log4j-1.2.15.jar:vcdnbkup.jar:certtool.jar:${VCDNLIB}/novbp.jar com.novell.nids.bkuputil.Util -userid ${DS_ADMIN_DN} -pwd ${DS_ADMIN_PWD} -vcdnUser >> ${LOG_FILE} 2>&1
    if [ $? -ne 0 ]
    then
        failError 201002009 "Failed to reconfigure VCDN user objects."
    fi
    unzip -o ${BKUP_DIR}/${BKUP_FILE}.zip devman.cacerts devman.keystore .keystore -d ${NOVLWWW_DIR}
    unzip -o ${BKUP_DIR}/${BKUP_FILE}.zip server.xml -d ${ADMINCONSOLE_CONF_DIR}
    if [ "$IS_SINGLEBOX" != "" ]
    then
        unzip -o ${BKUP_DIR}/${BKUP_FILE}.zip nam.keystore -d ${SINGLEBOX_DIR}
        chown novlwww:novlwww ${SINGLEBOX_DIR}/nam.keystore
    fi
    chown novlwww:novlwww ${NOVLWWW_DIR}/devman.cacerts ${NOVLWWW_DIR}/devman.keystore ${NOVLWWW_DIR}/.keystore
    chown novlwww:novlwww ${ADMINCONSOLE_CONF_DIR}/server.xml
}

am30_restore_certificates()
{
    ${JAVA} -Djava.library.path=/opt/novell/lib64 -jar certtool.jar -edirTree "${EDIR_TREE}" -edirIP "${IP_ADDR}" -edirServer "${EDIR_SERVER_DN_DOT}" -edirUser "${DS_ADMIN_DN_DOT}" -edirPwd "${DS_ADMIN_PWD}" -restore -file "${BKUP_DIR}/${BKUP_FILE}.zip" -pwd "${CERT_ENC_PWD}" -trcontainer trustedRoots.accessManagerContainer.novell -caName "${EDIR_CA}" >> ${LOG_FILE} 2>&1
    if [ $? -ne 0 ]
    then
        failError 201002008 "FAILED to restore certificates from backup file."
    fi
}
Cause
There is an issue with the eDirectory tree name where the configuration is stored. Consider the case where we have an Access Manager 3.1.4 setup with IP 'ip1' and hostname 'host1'. By default the tree name for that Admin Console setup would be 'host1_tree'. After migrating to the Access Manager 3.2 setup on a host with IP address 'ip1' and hostname 'host2' (the hostname is different), the Admin Console eDirectory tree name would still be 'host1_tree'.
On a freshly installed Access Manager 3.2 server with IP address 'ip1' and hostname 'host2', the Admin Console tree name would be 'host2_tree'. Trying to restore the previous backup from the migrated box would result in a tree name conflict, which is the reason for the failure.
It is a very unusual use case but replacing the script above will work around it.
The end result will be an Admin Console with the pre-migration (3.1.4/3.1.5) hostname and post-migration IP address.
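The tree-name conflict described under Cause can be detected before the restore is run. The following check is an added example, not part of the vendor's script: it assumes the backup zip contains an entry named "<tree name> CA...", as the NEW_ENTRY pipeline in the replacement script implies. The listing, the ".pfx" file name and the function names are constructed for illustration.

```bash
#!/bin/bash
# Added example (not the vendor's code): detect the tree-name conflict before
# running ./amrestore.sh. Assumption: the backup zip contains an entry named
# "<tree name> CA...", which the NEW_ENTRY pipeline in the script relies on.

# Constructed `unzip -l` listing for a backup taken on host1 (sample file names).
SAMPLE_LISTING='  Length      Date    Time    Name
---------  ---------- -----   ----
   482113  2012-10-05 12:26   app153_20121005_1226.ldif
     3120  2012-10-05 12:26   host1_tree CA.pfx'

lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# Read an `unzip -l` listing on stdin and print the tree name stored in the backup.
backup_tree_name() {
    grep -i "TREE CA" | awk '{print $4}' | head -n 1
}

# Same trim the replacement script applies: drop the 5-character "_tree" suffix.
backup_host_name() {
    backup_tree_name | sed 's/.....$//'
}

# $1 = listing text, $2 = hostname of the freshly installed Admin Console.
# Returns 0 on match, 1 on conflict, 2 if the backup has no tree CA entry.
check_tree_match() {
    _backup=$(printf '%s\n' "$1" | backup_tree_name)
    if [ -z "$_backup" ]; then
        echo "UNKNOWN: no \"tree CA\" entry in backup listing"
        return 2
    fi
    _expected="${2}_tree"   # default tree name per the article
    if [ "$(lower "$_backup")" = "$(lower "$_expected")" ]; then
        echo "OK: backup tree '$_backup' matches this host"
        return 0
    fi
    echo "CONFLICT: backup tree '$_backup', fresh install would use '$_expected'"
    return 1
}

# Demo on the constructed listing; on a real system pass "$(unzip -l <backup>.zip)".
check_tree_match "$SAMPLE_LISTING" host2 || true
```

A CONFLICT result corresponds to the situation in this article: install the Admin Console with the hostname printed by backup_host_name, or use the replacement script above.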