Admin Console Upgrade to AM 4.4 fails with error "There has been an error extending schema nids"

  • 7021289
  • 04-Sep-2017
  • 04-Sep-2018

Environment

Access Manager 4.4
Access Manager 4.3
Administration Console Upgrade

Situation

Access Manager 4.3 is up and working fine. The administrator wanted to upgrade to AM 4.4 and started with the primary Admin Console. After running the upgrade script and answering the standard questions, the upgrade errors out quickly with the following message on the server console:

"There has been an error extending schema nids"
 
Looking at /tmp/novell_access_manager/upgrade_edir-*, the indications are that an ice bind to the LDAP server failed, with the following seen multiple times at the end of the log file:
 
NetIQ Import Convert Export utility for NetIQ eDirectory
version: 40005.13
Copyright (c) 2013 NetIQ Corporation and its affiliates. All Rights Reserved. U.S. Patent No. 6,915,287.
Source Handler: ICE LDAP handler for NetIQ eDirectory (version: 40005.13 )
Destination Handler: ICE LDIF handler for NetIQ eDirectory (version: 40005.13 )
ldap_simple_bind failed: -1(Can't contact LDAP server), dn: cn=admin,o=novell
You may type 'ice' to see the command line help.
Options Used:
 -v -C -n -S LDAP -v -L /var/opt/novell/eDirectory/data/SSCert.der -s nam431.blr.novell.com -p 636 -d cn=admin,o=novell -F (objectclass=ldapServer) -a ldapBindRestrictions -D LDIF -v
-f /tmp/nids_inst_bind_rest.ldif
NetIQ Import Convert Export utility for NetIQ eDirectory
version: 40005.13
Copyright (c) 2013 NetIQ Corporation and its affiliates. All Rights Reserved. U.S. Patent No. 6,915,287.
Source Handler: ICE LDIF handler for NetIQ eDirectory (version: 40005.13 )
Destination Handler: ICE LDAP handler for NetIQ eDirectory (version: 40005.13 )
/tmp/nids_inst_bind_rest.ldif can not be opened
You may type 'ice' to see the command line help.
This is also seen with the NAM appliance!

Resolution

1. Correct /etc/hosts so that it includes the right DNS entry for the LDAPS IP address and does NOT have any commented-out entries for this IP address. If unsure what the DNS entry should be, run 'openssl s_client -connect <IPaddress>:636 | grep -i CN', where <IPaddress> is the IP address of the Admin Console server.

2. Depending on whether the problem occurred with the NAM single-box appliance or a separate Admin Console component, the following changes are required:

# For Non-Singlebox Admin Console Server
 
a. Open upgrade.sh script in the extracted installer.
b. Comment out line number 100: #checkVersion
c. Replace line 150 with the following:

upgradeRPM "Tomcat configuration for Admin Console" "novell-nam-adminconsole-tomcat-config*.rpm" "${SCRIPT_DIR}/tomcat" "$ADMIN_INSTALL_LOG" --force

d. Save the changes.
e. Re-run upgrade.sh script.

# For Singlebox Appliance

a. Run upgrade.sh script. Open sb_upgrade.sh script in the extracted installer.
b. Comment out line number 96: #checkVersion
c. Save the changes
d. Run sb_upgrade.sh script

Cause

With the upgrade to eDirectory 9.0, certificates have changed, and the ice commands fail as a result when the wrong subject name is passed in.
 
Administration Console checks for a proper host entry in FQDN format before upgrading to Access Manager 4.4. The host entry must be the first entry in the /etc/hosts file. For example, 10.10.10.10 amac.test.microfocus.com must be the first entry in the /etc/hosts file, where 10.10.10.10 is the IP address of the Administration Console. To find the FQDN, use the command 'openssl s_client -connect <IP address>:636 | grep CN'.
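The /etc/hosts conditions from step 1 of the Resolution and from the paragraph above can be verified before re-running the upgrade. The script below is an added example, not part of the Access Manager installer; its function names are hypothetical, and it assumes "first entry" means the first non-blank, non-comment line.

```shell
#!/bin/sh
# Added example (not vendor code): pre-upgrade check of the hosts file.
# Assumption: "first entry" means the first non-blank, non-comment line.

# Print "IP NAME" for the first active line of hosts file $1.
first_entry() {
    awk '!/^[ \t]*#/ && NF { print $1, $2; exit }' "$1"
}

# Count commented-out lines in hosts file $1 whose first field is IP $2.
commented_entries() {
    awk -v ip="$2" '/^[ \t]*#/ { sub(/^[ \t#]+/, ""); if ($1 == ip) n++ }
                    END { print n + 0 }' "$1"
}

# Print the subject CN served on LDAPS port 636 of IP $1.
# Needs network access; not called by the demo below.
cert_cn() {
    openssl s_client -connect "$1:636" </dev/null 2>/dev/null |
        openssl x509 -noout -subject | sed -n 's|.*CN *= *\([^,/]*\).*|\1|p'
}

# check_hosts FILE IP CN: return 0 only if "IP CN" is the first active entry,
# CN is a dotted name, and FILE has no commented-out entry for IP.
check_hosts() {
    hosts=$1 ip=$2 cn=$3 rc=0
    entry=$(first_entry "$hosts")
    if [ "$(commented_entries "$hosts" "$ip")" -gt 0 ]; then
        echo "FAIL: commented-out entry for $ip present"; rc=1
    fi
    case "$cn" in
        *.*) ;;
        *) echo "FAIL: '$cn' is not in FQDN format"; rc=1 ;;
    esac
    if [ "$entry" != "$ip $cn" ]; then
        echo "FAIL: first entry is '$entry', expected '$ip $cn'"; rc=1
    fi
    [ "$rc" -ne 0 ] || echo "OK: '$ip $cn' is the first entry"
    return "$rc"
}

# Constructed sample: a stale commented-out line and localhost listed first.
demo=$(mktemp)
printf '%s\n' '#10.10.10.10 oldname.test.microfocus.com' '127.0.0.1 localhost' \
    '10.10.10.10 amac.test.microfocus.com' > "$demo"
check_hosts "$demo" 10.10.10.10 amac.test.microfocus.com || true
rm -f "$demo"
```

On the Admin Console itself, the live check would be check_hosts /etc/hosts "$ip" "$(cert_cn "$ip")" with ip set to the server's address.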