Legal Notice
Copyright © 2010 Symantec Corporation. All rights reserved.
Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec
Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks
of their respective owners.
This Symantec product may contain third party software for which Symantec is required
to provide attribution to the third party (“Third Party Programs”). Some of the Third Party
Programs are available under open source or free software licenses. The License Agreement
accompanying the Software does not alter any rights or obligations you may have under
those open source or free software licenses. Please see the Third Party Legal Notice Appendix
to this Documentation or TPIP ReadMe File accompanying this Symantec product for more
information on the Third Party Programs.
The product described in this document is distributed under licenses restricting its use,
copying, distribution, and decompilation/reverse engineering. No part of this document
may be reproduced in any form by any means without prior written authorization of
Symantec Corporation and its licensors, if any.
THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS,
REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT,
ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO
BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL
OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING,
PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED
IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.
The Licensed Software and Documentation are deemed to be commercial computer software
as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19
"Commercial Computer Software - Restricted Rights" and DFARS 227.7202, "Rights in
Commercial Computer Software or Commercial Computer Software Documentation", as
applicable, and any successor regulations. Any use, modification, reproduction release,
performance, display or disclosure of the Licensed Software and Documentation by the U.S.
Government shall be solely in accordance with the terms of this Agreement.
http://www.symantec.com
Customer service
Customer service information is available at the following URL:
www.symantec.com/business/support/
Customer Service is available to assist with non-technical questions, such as the
following types of issues:
■ Questions regarding product licensing or serialization
■ Product registration updates, such as address or name changes
■ General product information (features, language availability, local dealers)
■ Latest information about product updates and upgrades
■ Information about upgrade assurance and support contracts
■ Information about the Symantec Buying Programs
■ Advice about Symantec's technical support options
■ Nontechnical presales questions
■ Issues that are related to CD-ROMs or manuals
Managed Services
Managed Services remove the burden of managing and monitoring security devices and events, ensuring rapid response to real threats.
Consulting Services
Symantec Consulting Services provide on-site technical expertise from Symantec and its trusted partners. Symantec Consulting Services offer a variety of prepackaged and customizable options that include assessment, design, implementation, monitoring, and management capabilities. Each is focused on establishing and maintaining the integrity and availability of your IT resources.
Education Services
Education Services provide a full array of technical training, security education, security certification, and awareness communication programs.
To access more information about enterprise services, please visit our web site
at the following URL:
www.symantec.com/business/services/
Select your country or language from the site index.
Assumptions
All of these terms are defined further in this document. This document assumes
the use of 3 SSIM Directory Machines – 1 Master Directory and 2 Replica
Directories. From these instructions, which are based on 3 directories, it should be easy
to extrapolate the specific instructions for only 2 SSIM Directories,
or for 4 or more SSIM Directories.
Throughout the remainder of this document, the following will be assumed:
1. Machine hostname nomenclature used in this document:
■ LDAP1.SSIM
This is the FQDN (Fully Qualified Domain Name) of the Master SSIM
Directory.
■ LDAP2.SSIM
This is the FQDN of a Replica SSIM Directory.
■ LDAP3.SSIM
This is the FQDN of a Replica SSIM Directory.
Note: All Replica Directories are equal. There is no ordering, weighting, or
ranking assigned to Replica Directories.
2. Throughout this document the SSIM Domain name is assumed to be
SSIMDomain.com.
3. DNS is completely and correctly configured. All machines can be resolved
using fully qualified domain names. There should be no need to manually
edit hosts files.
4. NTP servers are being used and all times on all machines are synchronized.
5. Machines have been installed with a version of SSIM compatible with this
document (4.6.3+, 4.7.x), and are all in their own Domain – meaning they have
not been registered to any other directory. They may all have the same domain
name configured during installation, but should not be registered to any other
machine after installation.
6. All commands to be run on any SSIM Server assume the user is logged onto
that machine locally or remotely as the Linux root user, such as through a DRAC
or SSH Terminal session.
7. When a command is listed in this document, it is a single-line command,
unless otherwise specified. Due to word wrapping and paper size, a command
may not fit on a single line as displayed in this document.
Warning: If you do not set up all of the necessary replication agreements your
replication setup will break.
Certificate Exchange
Before replication between SSIM Servers can be configured, the servers must
trust one another. To achieve this, a certificate from each machine is
shared with all other machines.
Note: A new certificate is created when the network settings or the date/time change,
or when customers use signed certificates. These certificates are usually valid
for one year only.
To exchange Certificates
1 Log on to the SSIM Server as root using a local or remote console session (via
a DRAC or SSH Terminal).
■ On each server, run the following command from any folder. This
command is on a single line:
gsk7cmd.ssim -cert -extract -db /etc/symantec/ses/key.kdb -label SESA -target /tmp/LDAP1.crt -pw `/opt/Symantec/simserver/bin/get_stash_pwd.pl /etc/symantec/ses/key.sth`
Where:
2 Using the three example server names used in this document, and
assuming SESA is the certificate label on each server, run the following
commands (each command is on a single line):
On LDAP1.SSIM
gsk7cmd.ssim -cert -extract -db /etc/symantec/ses/key.kdb -label SESA -target /tmp/LDAP1.crt -pw `/opt/Symantec/simserver/bin/get_stash_pwd.pl /etc/symantec/ses/key.sth`
On LDAP2.SSIM
gsk7cmd.ssim -cert -extract -db /etc/symantec/ses/key.kdb -label SESA -target /tmp/LDAP2.crt -pw `/opt/Symantec/simserver/bin/get_stash_pwd.pl /etc/symantec/ses/key.sth`
On LDAP3.SSIM
gsk7cmd.ssim -cert -extract -db /etc/symantec/ses/key.kdb -label SESA -target /tmp/LDAP3.crt -pw `/opt/Symantec/simserver/bin/get_stash_pwd.pl /etc/symantec/ses/key.sth`
3 Copy the certificates to each of the SSIM Servers using an SCP application directly
from the server, or via Windows. If you are using a Windows SCP application
to transfer files from each SSIM Server to a Windows machine, then you must
follow the steps outlined below:
■ Create a folder on the Windows computer to store all
certificates.
■ Using the Windows SCP application, open the /tmp folder on each SSIM
Server and copy the new .crt file to the folder on your Windows computer.
■ Using the Windows SCP application, copy all of the .crt files from the
Windows folder to the /tmp folder on each of the SSIM servers. The goal
is to have a certificate for each server stored in the /tmp folder on each
server.
After completing the steps detailed above, LDAP1.SSIM, LDAP2.SSIM, and
LDAP3.SSIM would all have the following files in their /tmp folders:
LDAP1.crt, LDAP2.crt, LDAP3.crt.
[Figure: Certificate files on a SSIM Server, in the /tmp folder]
4 To insert certificates into each SSIM Server, log on as root using a local or
remote console session.
■ On each server, run the following command for each new certificate, from
any folder:
gsk7cmd.ssim -cert -add -file /tmp/LDAP1.crt -db /etc/symantec/ses/key.kdb -label LDAP1Cert -format ascii -trust enable -pw `/opt/Symantec/simserver/bin/get_stash_pwd.pl /etc/symantec/ses/key.sth`
Note: The above command is all on a single line.
With appropriate modifications as shown below, two forms of this
command will need to be run on each SSIM Server: one command for each
certificate of the other 2 servers.
Where:
■ LDAP1.crt – is the certificate file of one of the servers other than the one you
are logged onto
■ LDAP1Cert – is a unique label to be given to that server’s certificate.
This can be any name; however, it is much easier to use descriptive labels
such as the one used above.
Using the three machine names used as an example in this document, the following
commands must be run (2 commands per server):
On LDAP1.SSIM
■ gsk7cmd.ssim -cert -add -file /tmp/LDAP2.crt -db /etc/symantec/ses/key.kdb -label LDAP2Cert -format ascii -trust enable -pw `/opt/Symantec/simserver/bin/get_stash_pwd.pl /etc/symantec/ses/key.sth`
On LDAP2.SSIM
On LDAP3.SSIM
■ gsk7cmd.ssim -cert -add -file /tmp/LDAP2.crt -db /etc/symantec/ses/key.kdb -label LDAP2Cert -format ascii -trust enable -pw `/opt/Symantec/simserver/bin/get_stash_pwd.pl /etc/symantec/ses/key.sth`
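The import step for any number of directories, as an added example that is not part of this document or of Symantec's tooling: a shell script that, for the server it is given, prints the gsk7cmd.ssim -cert -add command for every other server's certificate, skipping the server's own, and reports any .crt that has not yet been copied into the certificate folder. The command form, the key.kdb and key.sth paths and the get_stash_pwd.pl call are the ones shown above; the function names, the "<host>Cert" label rule and the missing-file check are this example's own. It generalises the three-server case to any list of hostnames.

```shell
#!/bin/sh
# Added example (not Symantec's code): generate the gsk7cmd.ssim trust-store
# import commands a given SSIM directory server must run, for any number of
# directories. The command form, the /tmp certificate folder, the key.kdb and
# key.sth paths and the get_stash_pwd.pl call come from the document; the
# function names and the <host>Cert labelling rule are this example's own.

# The document's stash-password expression, kept verbatim. Single quotes stop
# the shell from evaluating it here; it is evaluated when the printed command
# is actually run on the SSIM server.
STASH_PW='`/opt/Symantec/simserver/bin/get_stash_pwd.pl /etc/symantec/ses/key.sth`'
KEY_DB=/etc/symantec/ses/key.kdb

# Derive the document's label convention from a FQDN: LDAP2.SSIM -> LDAP2Cert
cert_label() {
  printf '%sCert' "${1%%.*}"
}

# gen_trust_imports SELF CERTDIR HOST...
#   SELF    = FQDN of the server the commands will be run on
#   CERTDIR = folder holding the copied .crt files (/tmp in the document)
#   HOST... = FQDNs of every directory server, Master and Replicas, SELF included
# Prints one -cert -add command per peer certificate, never the server's own.
# A peer whose .crt is missing from CERTDIR is reported on stderr and counted;
# the return value is the number of missing files, so 0 means "ready to run".
gen_trust_imports() {
  local self="$1" certdir="$2" peer short missing=0
  shift 2
  for peer in "$@"; do
    [ "$peer" = "$self" ] && continue          # a server never imports its own cert
    short="${peer%%.*}"
    if [ ! -f "$certdir/$short.crt" ]; then
      echo "MISSING: $certdir/$short.crt - copy it from $peer before importing" >&2
      missing=$((missing + 1))
      continue
    fi
    printf '%s\n' "gsk7cmd.ssim -cert -add -file $certdir/$short.crt -db $KEY_DB -label $(cert_label "$peer") -format ascii -trust enable -pw $STASH_PW"
  done
  return "$missing"
}

# Usage: sh thisfile.sh LDAP2.SSIM /tmp LDAP1.SSIM LDAP2.SSIM LDAP3.SSIM
if [ "$#" -ge 3 ]; then
  gen_trust_imports "$@"
fi
```

Run it once per server with that server's own FQDN first; a non-zero exit means a certificate from step 3 has not arrived yet, which is exactly the case in which the trust exchange would otherwise be left incomplete.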
Where:
■ LDAP2.SSIM
Is the hostname of the SSIM Server to which you want to test the connection.
■ password – is the password for the directory’s cn=root user.
■ dc=SSIMDomain,dc=com
Is the full notation for the SSIM Domain name. In this example, the SSIM
Domain name is SSIMDomain.com. If your domain name is
SSIM.MyCompany.com, then this value would be
dc=SSIM,dc=MyCompany,dc=com. The ou=locations must precede this value,
and o=symc_ses must follow it. There are no spaces in this entire value.
After running this command, no errors should be displayed. An output describing
the Locations container in the directory should be displayed on the screen.
As an example, the output displayed when testing the connection from
LDAP1.SSIM to LDAP2.SSIM is shown below:
ou=Locations,dc=SSIMDomain,dc=com,o=symc_ses ou=Locations description=The
root of the SYMC Locations DIT. objectclass=top objectclass=organizationalUnit
Note: The dc=SSIMDomain,dc=com is the long format of the SSIM Domain name.
Using the example computer names used in this document and assuming SESA
is the certificate label on each, the following commands would be run (2 commands
per SSIM Server):
Directory Registration
Starting with three installed SSIM Servers, two of the SSIM Servers must register
to the first SSIM Server (LDAP2.SSIM and LDAP3.SSIM would register to
LDAP1.SSIM). This is the process needed to join all of the SSIM Servers into the
same, single SSIM Domain.
To do this, the SSIM Web configuration interface will be used. Before proceeding,
ensure all machine names are resolvable, and the Date/Time on all are
synchronized.
Symantec recommends that full DNS and NTP support be configured in your
network environment prior to deploying or configuring SSIM.
Command line options to do this are available, and are described in Appendix A
and B. However, for the purposes of this section, and for ease of use, the
Web configuration interface must be used for all directory registration. Because
the Web configuration interface validates user input and makes the process
less error prone, it is the suggested method of directory registration for
any user.
To perform Directory Registration
1 The following procedure assumes that LDAP1.SSIM will be the Master SSIM
Directory, and all others will be replicas. SSIMDomain.com will be the SSIM
domain name for all machines when done.
Register LDAP2.SSIM to LDAP1.SSIM
■ Open the Web configuration interface on the Replica Directory –
https://LDAP2.SSIM
■ Logon as the SSIM Administrator
■ Access the Directory Registration section.
If you are using SSIM 4.6.x, this is a link in the left pane
If you are using SSIM 4.7.x, select this from the Settings menu.
■ Fill out the following required information:
■ Hostname or IP Address
This is the Hostname or IP of the Master Directory. Following this
document, this would be LDAP1.SSIM. It is highly recommended to use the
FQDN and not an IP address or alias.
■ LDAP port
This will always be 636.
■ LDAP cn=root password
This is the password on LDAP1.SSIM assigned to the IBM Directory
cn=root user. By default, this is the password you entered during the
SSIM installation, and is typically the same as the SSIM Administrator
or Linux root user password.
■ Administrator
This is the SSIM Administrator name on LDAP1.SSIM. This is typically
‘administrator’.
■ Password
The password for the SSIM Administrator account.
■ Domain
The full SSIM Domain name for LDAP1.SSIM. In this document example
this would be SSIMDomain.com.
■ System view > Appliance Configurations: This should list all 3 SSIM
Directories being configured – LDAP1.SSIM, LDAP2.SSIM, LDAP3.SSIM
On SSIM 4.7.x, this tab is named Server Configurations.
There is no need to perform any appliance configurations yet at this point.
There are many more steps to complete to finalize the replications.
■ System view > Visualizer: This should show all 3 SSIM Servers in the
diagram.
■ Currently only 1 directory will show in this diagram. All 3 will show
after finalizing replication.
■ Appliance configuration should be done after the replication process
is fully complete.
from the SSIM Web configuration interface, and run on a Windows machine
running Java version 1.6.x.
Warning: If you have an existing replication agreement with another Server, then
you must not perform ldap restore.
Where
LDAP1.SSIM – is the Master SSIM Directory.
LDAP2.SSIM – is one of the Replica SSIM Directories
password – is the cn=root password for the directory
This command will be run one time per replica to create agreements from
the Master to each Replica Directory.
2 In the examples used in this document, the two commands would be run as
follows:
java -jar dirreplicatool.jar replicate -from ldaps://LDAP1.SSIM:636 password -to ldaps://LDAP2.SSIM:636 password
Where
LDAP2.SSIM – Is a Replica SSIM Directory
LDAP3.SSIM – Is the other Replica SSIM Directory
password – is the cn=root password for the directory.
This command is run once per replica pair. In a three directory environment,
where there are two replicas, this command is only needed once. In a four
directory environment, this command would be run three times. This
command should never use the Master Directory hostname, and should only
replicate using replica hostnames.
Using the environment setup example described in this document, the above
command is run verbatim, and only run once.
When complete, the following should be output at the command line:
Completed setting up peer to peer replication agreement.
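The agreement-count rules stated above (one Master-to-Replica agreement per replica, one Replica-to-Replica agreement per replica pair, never using the Master hostname for the pair agreements), as an added example that is not part of this document or of Symantec's tooling: a shell script that lists every agreement a Master plus any number of Replicas requires, so the warning at the start of this document about missing agreements can be checked against a complete list before anything is run. The "replicate -from … -to …" command form and the ldaps://host:636 URLs are the ones shown above for the Master-to-Replica agreement; using the same form for the Replica-to-Replica agreements is this example's assumption, as are the function names. The literal PASSWORD is a placeholder for the cn=root password, so the printed commands never contain the real secret.

```shell
#!/bin/sh
# Added example (not Symantec's code): list every dirreplicatool agreement the
# document's rules require for a Master plus any number of Replicas. The
# "replicate -from ... -to ..." form and ldaps://host:636 URLs are the ones the
# document shows for Master-to-Replica agreements; using the same form for the
# Replica-to-Replica agreements is an assumption of this example. PASSWORD is a
# placeholder for the cn=root password so no secret lands in shell history.

# gen_replication_plan MASTER REPLICA...
# Prints one command per required agreement:
#   - Master -> each Replica        (N commands for N replicas)
#   - each unordered Replica pair   (N*(N-1)/2 commands; never names the Master)
gen_replication_plan() {
  local master="$1" r peer
  shift
  for r in "$@"; do
    printf 'java -jar dirreplicatool.jar replicate -from ldaps://%s:636 PASSWORD -to ldaps://%s:636 PASSWORD\n' "$master" "$r"
  done
  # Pair each Replica with every Replica that follows it in the list, so each
  # pair appears exactly once and the Master hostname is never used.
  while [ "$#" -gt 1 ]; do
    r="$1"
    shift
    for peer in "$@"; do
      printf 'java -jar dirreplicatool.jar replicate -from ldaps://%s:636 PASSWORD -to ldaps://%s:636 PASSWORD\n' "$r" "$peer"
    done
  done
}

# Total number of agreements for N replicas: N + N*(N-1)/2
# (2 replicas -> 3 agreements, 3 replicas -> 6, matching the document's counts)
expected_agreement_count() {
  echo $(( $1 + $1 * ($1 - 1) / 2 ))
}

# Usage: sh thisfile.sh LDAP1.SSIM LDAP2.SSIM LDAP3.SSIM
if [ "$#" -ge 2 ]; then
  gen_replication_plan "$@"
fi
```

Compare the number of lines printed with expected_agreement_count before running anything; in the three-directory example of this document the list has exactly three entries, two from LDAP1.SSIM and one between LDAP2.SSIM and LDAP3.SSIM.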
After this is entered, a series of prompts will be displayed and await user input:
Provide SESA Directory connection parameters when prompted:
Enter SESA domain password and press [ENTER]:
Provide SESA Directory replica connection parameters when prompted:
Enter SESA Directory hostname/ip of the replica and press [Enter]: LDAP2.SSIM
Enter SESA Directory port of the replica and press [Enter]: 636
Enter SESA Manager hostname/ip of the Replica and press [Enter]: LDAP2.SSIM
Where:
SESA domain password – The cn=root password for the directory
SESA Directory hostname/ip of the replica – The hostname for a replica directory.
SESA Directory port of the replica – This should always be 636
SESA Manager hostname/ip of the Replica – This is the same value as entered in
the above SESA Directory hostname/ip value
This command should only take a few minutes to run. When done, the following
should output to the command line:
*** Completed ***
This command is only run from the Master SSIM Directory (such as LDAP1.SSIM),
and is run once per each replica directory being added. In the examples used in
this document, this command would be run 2 times, one each for LDAP1.SSIM,
and LDAP2.SSIM.
At this time, all directory replication should be complete.
4 All Directories should be listed here, each with the correct Directory type.
a. In the examples in this document, the following directories should have
the type:
LDAP1.SSIM – Read/Write Master
LDAP2.SSIM – Read/Write Replica
LDAP3.SSIM – Read/Write Replica
5 Verify new objects are replicated in the UI
Logon to the SSIM Console on the Master SSIM Directory (such as
LDAP1.SSIM)
Create a new user
Logon to the SSIM Console on a Replica SSIM Directory (such as LDAP2.SSIM)
Verify the new user created above exists.
where
Password – is the cn=root password for this SSIM Domain
dc=SSIMDomain,dc=com – Is the long format of the SSIM Domain
3 When done, information for all SSIM Directory machines will be output. You
will see something similar to the following for each SSIM Directory configured:
dlmName=0a001e841ad7a870125791e436a01001,cn=Directories,cn=SES,ou=Administration,dc=SSIMDomain,dc=com,o=symc_ses
host=LDAP1.SSIM
4 Run this command on each SSIM Directory server (Master and Replicas).
Using the examples in this document, each time the command is run, the
information for three servers, where host is LDAP1.SSIM, LDAP2.SSIM, and
LDAP3.SSIM, is displayed as follows:
dlmName=0a001e841ad7a870125791bcf9a01001,cn=Directories,cn=SES,ou=Administration,dc=SSIMDomain,dc=com,o=symc_ses
host=LDAP1.SSIM
dlmName=0a001e841ad7a870123714d954001005,cn=Directories,cn=SES,ou=Administration,dc=SSIMDomain,dc=com,o=symc_ses
host=LDAP2.SSIM
dlmName=0a001e841ad7a870125791e436a01001,cn=Directories,cn=SES,ou=Administration,dc=SSIMDomain,dc=com,o=symc_ses
host=LDAP3.SSIM
Note: A SSIM Primary Directory does not necessarily have to be the same machine
as the Master Directory. For failover only use cases, the Primary and Master
Directory will typically be the same. For Directory Homing, these may differ.
6 In the Primary Directory field, select the directory machine you want to serve
as the Primary SSIM Directory. This will be the directory all SSIM servers
attempt to contact first to get directory information such as configurations
and authentication.
7 Set all other applicable values and Save.
When clicking the Save button, there is no longer a need to distribute. In
SSIM 4.6 and above, this is done automatically after any configuration has
been changed or saved.
For details on the other settings in this configuration, click the Help icon in
the tool bar. Each configurable property will be explained in detail.
In this configuration, only a Primary can be selected. The order of secondary
directories is determined by each SSIM Server.
3 From the SSIM Domain name listed, drill down to SSIM Agent and Manager
> Manager Connection Configurations.
4 Create a new configuration for each logical region, where a SSIM Master or
Replica Directory will be placed.
a. Using the customer example above, configurations would be created such
as:
Americas, APAC, and EMEA
5 Assign logical regional SSIM Servers to each regional configuration.
Using the customer example above, SSIM Servers in Nashville and Norfolk
would be assigned to the Americas configuration, Servers in Dublin and Paris
would be added to the EMEA configuration, and so on.
6 Modify each configuration and select the Primary Directory to be the directory
closest to their region.
Using the use case above, the Americas configuration would select the Chicago
SSIM Directory as the Primary Directory. The APAC configuration would
select the Tokyo SSIM Directory (which is a replica) as the Primary Directory.
The EMEA configuration would select the Dublin Directory.
In the following image, LDAP3.SSIM is in Tokyo, and is a Replica Directory. All
SSIM Servers in the entire APAC region should be assigned to this configuration.
By setting LDAP3.SSIM as the Primary, any machine assigned to this configuration
will first try to connect to LDAP3.SSIM in Tokyo to get directory information such
as configurations, authentication, etc.
■ During the replication process, the certificates did not exchange correctly, or
they have been corrupted.
Where
LDAP1.SSIM – is the hostname of the Master SSIM Directory
SSIMDomain.com – is the SSIM Domain name
password – is the password for the SSIM Administrator account
This process will take 40 to 60 minutes to complete. Progress will be output
to the terminal console. Alternatively, you can monitor
/opt/Symantec/simserver/logs/dirreg.log.
A command line tool can be used to check replication status. This command
is run at the SSIM Directory machine as root user. This command is all on one
line.
idsldapsearch -K /etc/symantec/ses/key.kdb -N LDAP1 -P `/opt/Symantec/simserver/bin/get_stash_pwd.pl /etc/symantec/ses/key.sth` -D cn=root -w password -b "o=symc_ses" -s "sub" "objectclass=ibm-replicationAgreement" ibm-replicationState
Where
LDAP1 – is the label of the certificate for the machine you are running the
command on
password – is the cn=root password of the directory
After running this command, information will be output to the screen. In this
output, look for
ibm-replicationState=ready
This should be listed after each of the replica directories. If the state is not
ready, the LDAP Diff Tool should be run to verify the differences and possibly
force synchronization.
ibm-replicationState: The current state of replication with this consumer. Possible
values are:
■ Ready
In immediate replication mode, ready to send updates as they occur.
■ Retry
An error exists, and an update to correct the error is sent every 60 seconds
■ Waiting
Waiting for next scheduled replication time.
■ Binding
In the process of binding to the consumer.
■ Connecting
In the process of connecting to the consumer.
■ On Hold
This replication agreement has been suspended or "held".
■ Error log full
More replication errors have occurred than can be logged. The amount of
errors that can be logged is based on the configured value for
ibm-slapdReplMaxErrors.
See “Using the IBM LDAP Diff tool” on page 41.
■ Retrying
A conflict occurred and no new changes will be replicated for
this replication agreement.
See “Recovering from a situation where the ibm-replicationState for a
replication agreement is in Retrying state” on page 40.
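The status check described above, run over the idsldapsearch output rather than read by eye, as an added example that is not part of this document or of Symantec's tooling: a shell function that classifies every agreement's ibm-replicationState into the buckets the state list above implies (ready; the transient connecting states; the states that call for the LDAP Diff Tool or the queue-clearing step) and returns non-zero when anything is not ready, so it can run from cron or a monitoring agent. It assumes the attr=value output format this document shows (LDIF "attr: value" lines are accepted too); the severity buckets, the function names and the sample output with placeholder server IDs are this example's own.

```shell
#!/bin/sh
# Added example (not Symantec's code): classify the ibm-replicationState of
# every replication agreement returned by the document's idsldapsearch command.
# The state names are the ones listed in the document; the severity buckets,
# the function names and the constructed sample output are this example's own.

# check_replication_state < search-output
# Reads the attr=value output of the document's idsldapsearch command (LDIF
# "attr: value" lines are accepted too) and prints one line per agreement:
#   OK         consumer is "ready"
#   TRANSIENT  waiting / binding / connecting  (normal, re-check later)
#   ACTION     retry, retrying, on hold, error log full (LDAP Diff Tool needed)
# Returns 0 only when every agreement is ready.
check_replication_state() {
  awk '
    # Each entry begins with its DN; the first RDN (cn=host:port) names the consumer.
    /^(dn: *)?cn=/ {
      split($0, parts, ",")
      host = parts[1]
      sub(/^(dn: *)?cn=/, "", host)
      next
    }
    /^ibm-replicationState[=:]/ {
      state = $0
      sub(/^[^=:]*[=:][ \t]*/, "", state)
      state = tolower(state)
      if (state == "ready") sev = "OK"
      else if (state == "waiting" || state == "binding" || state == "connecting") { sev = "TRANSIENT"; bad++ }
      else { sev = "ACTION"; bad++ }
      printf "%-9s %s state=%s\n", sev, host, state
    }
    END { exit (bad > 0) }'
}

# Constructed sample in the document's output format (placeholder server IDs,
# not values from a real deployment): one healthy replica, one stuck in retrying.
sample_search_output() {
  cat <<'EOF'
cn=LDAP2.SSIM:636,ibm-replicaServerId=00000000-0000-0000-0000-000000000002,ibm-replicaGroup=default,o=symc_ses
ibm-replicationState=ready

cn=LDAP3.SSIM:636,ibm-replicaServerId=00000000-0000-0000-0000-000000000003,ibm-replicaGroup=default,o=symc_ses
ibm-replicationState=retrying
EOF
}

# Usage: pipe the document's idsldapsearch command into the function, e.g.
#   idsldapsearch ... "objectclass=ibm-replicationAgreement" ibm-replicationState | sh thisfile.sh
# or run with --demo to see the constructed sample classified.
if [ "${1:-}" = "--demo" ]; then
  sample_search_output | check_replication_state
fi
```

Only "ready" passes; a TRANSIENT line is expected while an agreement is binding or connecting, whereas an ACTION line corresponds to the retrying and error-log-full cases whose recovery steps this document describes.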
You will find the following error message in the ibmslapd.log in this case:
GLPRPL118E Replication for replica 'cn=atr-ses-9551.emea.ts:636,ibm-replicaServerId=990a7cc0-f665-102c-975e-b3d706ee3073,ibm-replicaGroup=default,o=symc_ses' will continue to retry the same failed with change ID 1323 until it is successful.
You can clear the replication queue in this example with the following command:
ldapexop -K /etc/symantec/ses/key.kdb -P `/opt/Symantec/simserver/bin/get_stash_pwd.pl /etc/symantec/ses/key.sth` -N SESA -D cn=root -w password -op controlqueue -skip all -ra cn=atr-ses-9551.emea.ts:636,ibm-replicaServerId=990a7cc0-f665-102c-975e-b3d706ee3073,ibm-replicaGroup=default,o=symc_ses
Where
LDAP2.SSIM – is the directory to remove
LDAP1.SSIM – is the directory where it is being removed from
password – is the cn=root password
2 In the SSIM Console, open the System view > Administration Tab >
Organizational Units. Here find the directory machines in the OU they were
in. Select each removed replica and delete it.
keystore. These 2 steps must be done on the Master SSIM Directory (such as
LDAP1.SSIM), and as the root user.
To create a symbolic link to IBM’s Java:
◆ Execute the following command from any folder:
cd /opt/ibm/ldap/V6.1/java
ln -s /opt/jdk/jre jre
Where
AliasName – is a name given to the certificate being imported. This should
be something descriptive like LDAP2.
Cert.crt – is the name of the certificate file for the replica certificate being
added.
Using the machine examples used throughout this document, the following three
commands would be run from the Master SSIM Directory – LDAP1.SSIM:
To import LDAP1.SSIM Certificate to LDAP1.SSIM IBM Java Keystore
◆ /opt/IBMJava2-142/jre/bin/keytool -import -alias LDAP1 -file /tmp/LDAP1.crt -keystore /opt/IBMJava2-142/jre/lib/security/cacerts
Where
o=symc_ses – is the DN in the directory where synchronization starts. All
trees under this DN will be compared. o=symc_ses is the top most level of a
SSIM Directory. A lower level directory tree under o=symc_ses can be specified
by entering the full DN value
LDAP1.SSIM – is the hostname of the Master SSIM Directory.
LDAP2.SSIM – is the hostname of the Replica SSIM Directory to be compared
to the Master.
password – is the cn=root password for that directory.
Using example machines used throughout this document, the following two
commands would be run from the Master SSIM Directory:
To compare LDAP1.SSIM to LDAP2.SSIM
ldapdiff -S -b o=symc_ses -sh LDAP1.SSIM -sp 636 -sD "CN=ROOT" -sw password -sZ -sK /opt/IBMJava2-142/jre/lib/security/cacerts -sP changeit -sN jks -sT /opt/IBMJava2-142/jre/lib/security/cacerts -sY changeit -st jks -ch LDAP2.SSIM -cp 636 -cD "CN=ROOT" -cw password -cZ -cK /opt/IBMJava2-142/jre/lib/security/cacerts -cP changeit -cN jks -cT /opt/IBMJava2-142/jre/lib/security/cacerts -cY changeit -ct jks