Manuals / Sun Microsystems / Computer Equipment / Server

Sun Microsystems 8190994 manual Managing Certificates, Access Control on the Proxy Configuration

Models: 8190994

1 148

Download 148 pages 5.33 Kb

Page 86

Mapping the Global Configuration

TABLE 6–2Mapping of Security Configuration

Directory Proxy Server 5 Attribute	Directory Proxy Server 6.0 Property

ids-proxy-con-ssl-key	ssl-key-pin

ids-proxy-con-ssl-cert	ssl-certificate-directory
	ssl-server-cert-alias

ids-proxy-con-send-cert-as-client	ssl-client-cert-alias
This attribute enables the proxy server to send its	This property enables the proxy server to send a different
certificate to the LDAP server to allow the LDAP	certificate to the LDAP server, depending on whether it is
server to authenticate the proxy server as an SSL	acting as an SSL Server or an SSL Client.
client.

ids-proxy-con-server-ssl-version	No equivalent
ids-proxy-con-client-ssl-version

ids-proxy-con-ssl-cert-required	This feature can be achieved by setting the following
	server property:
	$ dpconf set-server-prop
	allow-cert-based-auth:require

ids-proxy-con-ssl-cafile	No equivalent

Managing Certificates

Directory Proxy Server 5, certificates were managed by using the certreq utility, or by using the console. In Directory Proxy Server 6.0, certificates are managed by using the dpadm command, or by using the DSCC.

Certificates must be installed on each individual data source in Directory Proxy Server 6.0.

For information about managing certificates in Directory Proxy Server 6.0, see Chapter 19, “Directory Proxy Server Certificates,” in Sun Java System Directory Server Enterprise Edition 6.0 Administration Guide.

Access Control on the Proxy Configuration

In Directory Proxy Server 5, access control on the proxy configuration is managed by ACIs in the configuration directory server. In Directory Proxy Server 6.0, access to the configuration file is restricted to the person who created the proxy instance, or to the proxy manager if the configuration is accessed through Directory Proxy Server. Editing the configuration file directly is not supported.

86	Sun Java System Directory Server Enterprise Edition 6.0 Migration Guide • March 2007

Sun Confidential: Registered

Image 86

Sun Microsystems 8190994 manual Managing Certificates, Access Control on the Proxy Configuration

Contents

Sun Microsystems, Inc 4150 Network Circle Santa Clara, CA U.S.A Enterprise Edition 6.0 Migration GuideSun Java System Directory Server Sun Confidential RegisteredSun Confidential Registered This distribution may include materials developed by third parties1 Overview of the Migration Process for Directory Server Contents2 Automated Migration Using the dsmig Command 3 Migrating Directory Server ManuallyMigrating the Schema Manually New Plug-Ins in Directory Server 7 Migrating Identity Synchronization for Windows Sun Confidential Registered IndexContents Sun Confidential Registered Migrating a Multi-Master Replication Deployment FiguresMigrating a Single-Host Deployment Migrating a Multi-Host Deployment with Windows NTSun Confidential Registered Tools Previously Under ServerRoot/shared/bin TablesMapping Between 5 and 6.0 Password Policy Attributes Location of Certificate and Key FilesTables Sun Confidential Registered Sample Export Configuration FileExamples EXAMPLESun Confidential Registered Before You Read This Book PrefaceWho Should Use This Book How This Book Is OrganizedDirectory Server Enterprise Edition Documentation Set TABLE P-1 Directory Server Enterprise Edition DocumentationContinued Related ReadingTABLE P-1 Directory Server Enterprise Edition Documentation http//docs.sun.com/coll/DirEdit05q1Redistributable Files Default Paths and Command LocationsDefault Paths Sun Confidential Registered TABLE P-2 Default PathsJava Enterprise System installer, the default install-path is of Directory Server or Directory ProxyCommand Locations TABLE P-3 Command LocationsContinued Typographic ConventionsTABLE P-3 Command Locations TABLE P-4 Typographic ConventionsSymbol Conventions Shell Prompts in Command ExamplesSymbol Conventions ContinuedSearching Sun Product Documentation Documentation, Support, and TrainingThird-Party Web Site References Sun Welcomes Your Comments “Before You Migrate” on page Overview of the Migration Process for Directory ServerBefore You Migrate “Deciding on the New Product Distribution” on pageBefore You Migrate Prerequisites to Migrating a Single Directory Server Instance FromPrerequisites to Migrating a Single Directory Server Instance From Deciding on the New Product Distribution Outline of Migration StepsDeciding on Automatic or Manual Migration TABLE 1-1 Migration Matrix Showing Support for Automated Migration“Using dsmig to Migrate Security Data” on page Automated Migration Using the dsmig Command“Using dsmig to Migrate the Schema” on page “Using dsmig to Migrate Configuration Data” on pageUsing dsmig to Migrate the Schema Prerequisites for Running dsmig$ dsmig migrate-config old-instance-path new-instance-path Using dsmig to Migrate Security DataUsing dsmig to Migrate Configuration Data $ dsmig migrate-security old-instance-path new-instance-pathPlug-in Configuration Data Chained Suffix Configuration DataConfiguration Data for o=netscapeRoot Configuration Data For Suffixes With Multiple BackendsReplication Configuration Data Configuration Attributes Not Migrated by dsmignsabandonedsearchcheckinterval $ dsmig migrate-data old-instance-path new-instance-path Using dsmig to Migrate User DataTasks to be Performed After Automatic Migration Sun Confidential Registered “Migrating Security Settings Manually” on page “Migrating the Schema Manually” on page“Migrating Configuration Data Manually” on page Migrating Directory Server ManuallyMigration of Specific Configuration Attributes Migrating the Schema ManuallyMigrating Configuration Data Manually Chapter 3 Migrating Directory Server Manually Global Configuration AttributesMigrating Configuration Data Manually Mapping Tree Configuration Attributes Security Configuration AttributesFeature Configuration Attributes Replica Configuration Attributes Replication Configuration AttributesFractional Replication Configuration Attributes Change Log AttributesPassword Policy Configuration Attributes Replication Agreement ConfigurationTABLE 3-3 Mapping Between 5 and 6.0 Password Policy Attributes SNMP Attributes UniqueID Generator Configuration AttributesDatabase Configuration Attributes TABLE 3-3 Mapping Between 5 and 6.0 Password Policy AttributesChained Suffix Attributes 7-Bit Check Plug-In Plug-In Configuration AttributesClass of Service Plug-In DSML Frontend Plug-InReferential Integrity Plug-In Pass Through Authentication Plug-InPassword Synchronization Plug-In Retro Change Log Plug-InMigrating Security Settings Manually Migrating User Data Manually Migrating User Plug-Ins Manually Migrating User Plug-Ins ManuallyTasks to be Performed After Manual Migration Overview of Migrating Replicated Servers “Issues Related to Migrating Replicated Servers” on pageMigrating a Replicated Topology “Overview of Migrating Replicated Servers” on pageMigration of Replication Agreements Issues Related to Migrating Replicated ServersIssues With the New Password Policy Migration of ReferralsNew Replication Recommendations Manual Reset of Replication CredentialsProblems Related to Tombstone Purging Migrating the Consumers Migration ScenariosMigrating a Replicated Topology to an Identical Topology Migration Scenarios FIGURE 4-1 Existing version 5 TopologyFIGURE 4-2 Isolating the Consumer From the Topology Chapter 4 Migrating a Replicated TopologyThe next step involves migrating the version 5 consumer Migrating the Hubs Migration Scenarios FIGURE 4-5 Existing version 5 Topology With Migrated ConsumersFIGURE 4-6 Isolating the Hub From the Topology 6.0 Consumer BMigration Scenarios The next step involves migrating the version 5 hubFIGURE 4-7 Migrating the version 5 Hub Chapter 4 Migrating a Replicated TopologyMigrating the Masters 9. If you have migrated the data, check that replication is in sync FIGURE 4-11 Migrating the version 5 Master The next step involves migrating the version 5 masterFIGURE 4-10 Isolating the Master From the Topology Migration ScenariosMigrating a Replicated Topology to a New Topology Migrating All the Servers FIGURE 4-13 Existing version 5 TopologyPromoting the Hubs FIGURE 4-14 Existing Topology With Migrated ServersPromoting the Consumers FIGURE 4-15 Migrated Topology With Promoted Hub ReplicasMigrating Over Multiple Data Centers Sun Confidential Registered “Changes to ACIs” on page “Command Line Changes” on page Changes in the Administration Framework“Changes in the Administration Framework” on page “Changes to the Console” on page “New Password Policy” on pageChanges in the ACI Scope Changes to ACIsRemoval of the o=netscapeRoot Suffix Changes in Suffix-Level ACIsCommand Line Changes Continued TABLE 5-1 Directory Server 5 and 6 commandsVersion 6.0 Command Sun Confidential RegisteredTABLE 5-3 Version 5 Commands That Have Been Deprecated Deprecated CommandsTABLE 5-1 Directory Server 5 and 6 commands ContinuedNew Password Policy Changes to the ConsolePassword Policy Compatibility The pwd-compat-mode property can have one of the following values Changes to Plug-Ins New Plug-Ins in Directory ServerChanges to the Plug-In API Changes to the Installed Product LayoutPlug-Ins Deprecated in Directory Server Online Help Previously Under ServerRoot/manual Administration Utilities Previously Under ServerRootBinaries Previously Under ServerRoot/bin Libraries and Plug-Ins Previously Under ServerRoot/libPlug-Ins Previously Under ServerRoot/plugins Utilities Previously Under ServerRoot/shared/binContinued Certificate and Key FilesTABLE 5-5 Tools Previously Under ServerRoot/shared/bin TABLE 5-6 Location of Certificate and Key FilesServer Instance Subdirectories Silent Installation and Uninstallation TemplatesServer Instance Scripts Previously Under ServerRoot/slapd-ServerID“Mapping the Connection Pool Configuration” on page Mapping the Global Configuration“Mapping the Global Configuration” on page “Mapping the Groups Configuration” on pageMapping the Global Configuration Mapping the Global Security Configuration TABLE 6-2 Mapping of Security Configuration Access Control on the Proxy ConfigurationManaging Certificates Mapping the Connection Pool Configuration TABLE 6-3 Mapping of Connection Pool AttributesMapping the Groups Configuration Mapping the Group ObjectCONNECTION-HANDLER-NAME is-ssl-mandatoryfalse Mapping the Network Group ObjectCONNECTION-HANDLER-NAME is-ssl-mandatorytrue This functionality exists but with less granularity than in Mapping Bind ForwardingSet this as a property for a specific listener port by using Directory Proxy Server 5. Set this limit as a property for a$ dpconf help-properties grep request-filtering-policy Mapping Operation ForwardingConnection Handler Property Settings $ dpconf help-properties grep resource-limits-policy Mapping Subtree HidingMapping Search Request Controls Mapping Compare Request Controls Mapping Attributes Modifying Search RequestsMapping Attributes Restricting Search Responses $ dpconf help-properties grep search-data-hiding-ruleDirectory Proxy Server 6.0 Properties Mapping the Referral Configuration AttributesDirectory Proxy Server 5 Attributes Mapping the Server Load Configuration Forbidden Entry Property Mapping the Properties ConfigurationAttribute Renaming Property LDAP Server Property $ dpconf help-properties grep ldap-data-sourceSource” in Sun Java System Directory Server Load Balancing PropertyEnterprise Edition 6.0 Administration Guide Sun Confidential RegisteredEnterprise Edition 6.0 Administration Guide Monitoring Backend ServersSearch Size Limit Property Log Property$ dpconf set-access-log-prop PROPERTYVALUE TABLE 6-17 Version 5 and Version 6 Log FunctionalityMapping the Events Configuration Mapping the Events ConfigurationMapping the Actions Configuration Properties“Migration Overview” on page “What to Do if the 1.1 Uninstallation Fails” on pageMigrating Identity Synchronization for Windows “Before You Migrate Identity Synchronization for Windows” on pageMigration Overview Before You Migrate Identity Synchronization for WindowsExporting Version 1.1 Configuration Preparing for Identity Synchronization for Windows MigrationUsing the export11cnf Utility Inserting Clear-Text PasswordsSample Export Configuration File cleartextPassword=Continued index=0 location=ou=people,dc=example,dc=com filter=Continued TopologyHost TopologyHostAttributeMap AttributeDescription parent.attr=SunAttribute EXAMPLE 7-1 Sample Export Configuration FileContinued name=uniquemember syntax=1.3.6.1.4.1.1466.115.121.1.25INSERT PASSWORD BETWEEN THE DOUBLE QUOTES IN THE ABOVE ContinuedUsing the checktopics Utility Checking for Undelivered Messages2 Wait until the messages are applied to the destination connector To Clear Messages2 From a command prompt, type the subcommand as follows 1 Open a Terminal window and cd to the migration directoryForcing Password Changes on Windows NT Migrating Your SystemPreparing for Migration Use the following procedure to prepare for migration to version3 Add passwords to the exported XML file Preparing to migrate from version 1.1, and 1.1 SP1, to version2 Export your version 1.1 configuration settings to an XML file 7 On Windows NT only, perform the following steps b. Save the NT Change Detector Service counters5 Verify that your system is in a stable state i. Open the Registry Editor by executing regedt32.exeOn Solaris Type serverRoot \/slapd-hostname \/restart-slapd Uninstalling Identity Synchronization for WindowsTo Uninstall Identity Synchronization for Windows Version On Windows Type serverRoot\\\slapd- hostname\\\restart-slapd.batOn Solaris or SPARC Type ./runUninstaller.sh On Windows Type \\runUninstaller.batTo install the Identity Synchronization for Windows 6.0 components Installing or Upgrading the Dependent ProductsInstalling Identity Synchronization for Windows cd serverRoot\isw-hostname\bin idsync prepds arguments\9 Start the service and the synchronization “Manually Uninstalling 1.1 Core and Instances from Solaris” on page What to Do if the 1.1 Uninstallation FailsManually Uninstalling 1.1 Core and Instances from Solaris “Manually Uninstalling a 1.1 Instance from Windows NT” on pageTo Manually Uninstall Core From a Solaris Machine etc/init.d/imq stop4 Remove the Directory Server Plugin 5 Back-up copy and rename the current productregistry file located in f. Stop Directory Serverh. Restart Directory Server 8 Clean up the configuration directory as follows a. Remove all the Console jar files by typing Manually Uninstalling 1.1 Core and Instances from Windows10 Clean up all other Console-related files as follows b. Remove all the Console servlet jar files by typingTo uninstall Core from a Windows 2000 machine serverRoot\isw-hostname\Core and Instances from Windows 2000” on page net stop slapd-myhostnameb. Select Registry →Export Registry File from the menu bar 4 In the Registry Editor, select Edit →Delete from the menu bar8 Clean up the configuration directory as follows Manually Uninstalling a 1.1 Instance from Windows NT serverRoot\\\isw-hostname\ a. Open the Services window, right-click on Change Detector Service and select Properties a. Select the registry key entry in the left pane 10 Restart your machine for all changes to take effect Other Migration Scenarios9 Remove the Password Filter DLL “Multi-Host Deployment with Windows NT” on page Multi-Master Replication Deployment“Multi-Master Replication Deployment” on page Multi-Host Deployment with Windows NT Three hosts are used in this deployment scenario A Windows NT systemA host for all other components Password Changes on Both Directory Server Masters are Lost FIGURE 7-3 Migrating a Multi-Host Deployment with Windows NTChecking the Logs Index instance-path Page XML configuration documents Continued