The documentation recommends deploying the admin server and the directory server on different machines.
The examples in the High Availability guide describe only how to set up a DB router on the eTrust Directory machines. This means that the admin server process points to an eTrust Directory server to find the DB router. If that eTrust Directory server is down, there is effectively no failover.
This document describes how to move the DB router over to the Admin server instead, so that the Admin server does not depend on a single eTrust Directory server for failover.
For the scenario below the following assumptions are made:
- Two eTrust Admin servers
- Two eTrust Directory servers
- They have been configured following the eTrust Admin High Availability Guide using the samples included at installation.
- The samples use the hostnames root01 and root02. These will be used for the eTrust Directory servers.
- The above configuration is working.
- For the eTrust Admin servers, the names admin01 and admin02 will be used.
The default installation of eTrust Admin server should have installed eTrust Directory on admin01 and admin02. If not, please install it now.
For 8.1 sp2, use CD2 and the command below (change the paths as needed):
D:\install\eTrustDirectory\dxserver\windows\dxsetup.exe ADDLOCAL=DXServer,IngresDBMS,IngresNet,JXplorer ETRDIRBASEPATH="c:\Program Files\CA\eTrust Directory" INGRES_DESTINATION="c:\Program Files\CA\Ingres [EI]" REBOOT=ReallySuppress ETRDIR_DXSERVER_SAMPLES=0 ETRDIR_DXSERVER_README=0 ETRDIR_SILENT_INSTALL=1 INGRES_CKPDIR="c:\Program Files\CA\Ingres [EI]\ingres\ckp" INGRES_DATADIR="c:\Program Files\CA\Ingres [EI]\ingres\data" INGRES_DMPDIR="c:\Program Files\CA\Ingres [EI]\ingres\dmp" INGRES_JNLDIR="c:\Program Files\CA\Ingres [EI]\ingres\jnl" INGRES_PRIMLOGDIR="c:\Program Files\CA\Ingres [EI]\ingres\log" INGRES_WORKDIR="c:\Program Files\CA\Ingres [EI]\ingres\work" ETRDIR_DXSERVER_EMBEDDED=1 CALLER_ID=IAM
For 8.1 sp1, use the command:
D:\install\eTrustDirectory\dxserver\windows\dxsetup.exe ADDLOCAL=DXServer,IngresDBMS,IngresNet,JXplorer,TeraTerm ETRDIR_DXSERVER_EMBEDDED=1 CALLER_ID=ETADMIN ETRDIR_DXSERVER_SAMPLES=0 ETRDIR_DXSERVER_README=0 ETRDIR_BASIC_UI_INSTALL=1
Both these commands are described in the implementation guide.
How to reconfigure
We will use root01 for the reconfiguration. It is best to create all the needed files on this machine and create the certificates here before copying or moving the files to the other machines.
Configure the DSA
- Copy admin_dbrouter_root01.dxc to admin_dbrouter_admin01.dxc and admin_dbrouter_admin02.dxc
- Edit admin_dbrouter_admin01.dxc and change the following lines (the original line is shown first, the replacement below it):
- set dsa admin_dbrouter_root01 =
set dsa admin_dbrouter_admin01 =
- dsa-name = <dc etadb><cn admin_dbrouter_root01>
dsa-name = <dc etadb><cn admin_dbrouter_admin01>
- address = tcp "root01" port 21399
address = tcp "admin01" port 21399
- Repeat the changes outlined in step 2 for admin_dbrouter_admin02.dxc but replace admin01 with admin02.
- Edit admin_dbrouter.dxg and insert the following lines at the end of the file
You should now have all the needed DSAs.
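The edits from steps 2 and 3 can be scripted and then checked for consistency. The following is an added example, not part of the original document or of the product's tooling; the sample text holds only the three lines quoted above, and the function names are hypothetical.

```python
import re

# Constructed sample holding only the three lines the page quotes from
# admin_dbrouter_root01.dxc; a real knowledge file has more settings.
SAMPLE_ROOT01 = (
    'set dsa admin_dbrouter_root01 =\n'
    'dsa-name = <dc etadb><cn admin_dbrouter_root01>\n'
    'address = tcp "root01" port 21399\n'
)

# One pattern per line that step 2 changes; group 1 captures the host part.
# Assumption: host names are alphanumeric, as in root01 / admin01.
PATTERNS = {
    "set dsa": re.compile(r'^\s*set dsa "?admin_dbrouter_(\w+)"?\s*=', re.M),
    "dsa-name": re.compile(r'^\s*dsa-name\s*=.*<cn admin_dbrouter_(\w+)>', re.M),
    "address": re.compile(r'^\s*address\s*=\s*tcp "([^"]+)"', re.M),
}


def derive(text, old_host, new_host):
    """Rewrite only the three host-specific lines, leaving the rest untouched."""
    for field, pattern in PATTERNS.items():
        match = pattern.search(text)
        if match is None or match.group(1) != old_host:
            raise ValueError(f"{field} line for {old_host} not found")
        start, end = match.span(1)
        text = text[:start] + new_host + text[end:]
    return text


def check(text, host):
    """Return the fields that do not name `host`; an empty list means consistent."""
    problems = []
    for field, pattern in PATTERNS.items():
        match = pattern.search(text)
        found = match.group(1) if match else None
        if found != host:
            problems.append(f"{field}: expected {host}, found {found}")
    return problems


if __name__ == "__main__":
    for host in ("admin01", "admin02"):
        derived = derive(SAMPLE_ROOT01, "root01", host)
        print(derived, check(derived, host))
```

Running check against each derived file before the certificates are generated catches a knowledge file in which only some of the three lines were renamed.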
Create and configure the certificate
- The next steps effectively create or recreate the certificates. This is done using dxcertgen.exe (full usage is described in the High Availability guide).
A sample command is: dxcertgen -d 365 -i "dc=etadb" certs
- Shut down the admin services on both admin01 and admin02
- Shut down all directory services on all servers (dxserver stop all)
- Create a backup of the file %DXHOME%\config\ssld\trusted.pem on the hosts: root02, admin01 and admin02
- Copy the following files to the directory %DXHOME%\config\knowledge on root02:
- Copy the directory %DXHOME%\config\ssl to the directory %DXHOME%\config\ssld on root02
- Copy back the backup of file trusted.pem for root02 taken in step 9
- Copy the directory %DXHOME%\config to the directory %DXHOME%\config on both admin01 and admin02
- Restore the backup version of file trusted.pem taken in step 9, for both admin01 and admin02
- Go over to admin server admin01 (all subsequent operations need to be performed on admin02 as well, replacing admin01 with admin02)
- Go to %DXHOME%\config\servers and delete all files apart from *.help and admin_dbrouter_root01.dxi
- Rename the file %DXHOME%\config\servers\admin_dbrouter_root01.dxi to %DXHOME%\config\servers\admin_dbrouter_admin01.dxi
- Edit the file %DXHOME%\config\knowledge\admin_dbrouter.dxg, move the following two lines
to the beginning of the file (for admin02, change the order of the lines)
- From a command prompt, execute the following command to install the dbrouter as a service:
dxserver install admin_dbrouter_admin01
- To change the dependencies of the Admin services, run the following two commands:
slapd remove eta_slapd
slapd install eta_slapd "eTrust Admin Provisioning" auto
- Start up directory services on admin01 and admin02
- Start up the admin services on admin01 and admin02
- Verify that all services are up and running
- Test with admin manager (etadmin.exe) to see if it works
If it does not work, please check the log files. The relevant files are the directory log files in %DXHOME%\logs (check the DSA logs and the SSLD log, eTrust Admin.log) and the admin logs in %ETAHOME%\logs.
If the DSA does not start at all, a good trick is to start it with the -d flag: dxserver -d start <DSA name>, for example dxserver -d start admin_dbrouter_admin01. This will show you any syntax errors.