Tuxedo: server with alternate APPDIR directory
Good day,
Is there a way to Change the application directory for a group of servers?
We thought that by providing a different APPDIR in an ENVFILE affiliated to a specific GROUP, it would overwright the APPDIR variable provided in the MACHINE section.
But it does not! Our .exe file for the server has to be in the APPDIR (from *Machine section) or it is not found by Tuxedo.
Any alternative?
Ash
Edited by: ashanty on 2012-02-02 16:21
Hi Ash,
As the name of the executable. So often the *SERVERS section looks like:
*SERVERS
simpapp SRVGRP=APPS SRVID=1 MIN=1 MAX=1
You can instead use:
*SERVERS
/home/app1/simpapp SRVGRP=APPS SRVID=1 MIN=1 MAX=1
Thus telling Tuxedo where the server binary is located. If you don't specify a full directory path, Tuxedo uses APPDIR as the default. So the following are equivalent:
*SERVERS
simpapp SRVGRP=APPS SRVID=1 MIN=1 MAX=1
and
*SERVERS
/home/mine/simpapp SRVGRP=APPS SRVID=1 MIN=1 MAX=1
where /home/mine is the location of APPDIR.
Regards,
Todd Little
Oracle Tuxedo Chief Architect
Similar Messages
-
ICal server with alternate LDAP
Hi,
In the (very, very brief) documentation for iCal Server, it says:
To run iCal service, you need:
User names and passwords stored in a Mac OS X version 10.5 Open Directory system,
an Active Directory system (using the Active Directory plug-in for Mac OS X version
10.5 Open Directory), or an OpenLDAP directory with schema to support iCal service
Now, this sounds great. However, everywhere I look it says no, you need to have Open Directory, and not only that, but you have to have Open Directory on a Leopard Server.
What is the deal with this? We have an OD on a 10.4 server. That server is not getting upgraded - it is just not going to happen. My network administrator is ripping his hair out for days now trying to get LDAP data migrated to the 10.5 server with absolutely no success - most users do not transfer over directly, and doing the "export from Workgroup Manager" method completely destroys our users' records (attributes dropped, all inactive users become active!) It's a disaster!
If this thing supports any LDAP server with the right schema, why can't we just get an idea of what that schema would be and add it to our 10.4 Open Directory? OpenLDAP is OpenLDAP isn't it? I really understand what the issue is here, but either the documentation is flat out lying or there's some secret that no one's decided to actually write down yet. Which is it?Well, schema modifications were exactly what I had in mind. I went of instructions in the ical source and that seemed to go pretty well - I can now start iCal services and get a clean log file out of it. I'm not saying it's working 100% yet (can grant users access to create calendars but they get an error "No Calendar Home Error" when they do - in the logs it seems to complain about not authenticating properly). I'm still pretty confident this can be done, it just seems that any of the automatic tools in Server Admin are pretty much worthless to us - so we have to learn how to emulate what it would be doing were it functional. We've even managed to get the wiki server up and running to - again, it just takes some patience to get things moving right. Once we do have a complete setup, I'll post the instructions somewhere. I'm sorry, but It's crap that this can't work - they just choose not to tell us how or provide any relevant patches. Upgrading an LDAP schema is not impossible. Used to have to do it once in a while back in the day before there was anything like Active Directory.
We would gladly just move the directory to 10.5 but it just does not seem to be possible without redoing all the information manually - as you have suggested. Now, that would be all well and good if we were a tiny little workgroup but we're talking about a whole company with hundreds of users here. It would be a major support nightmare for them all to lose their passwords or worse, for 2/3 of the accounts to disappear, which is the scenario with any of the automatic migration methods. Manual entry is technically possible but it would take quite a long time and it would also require reconfiguring many computers which aren't located anywhere near us anymore. The transportation and overtime costs alone are staggering. This is not the ease of use that Apple so heavily promotes for themselves. Upgrading the server to 10.5 would most surely knock out a lot of custom services that are running on the 10.4 server (things like ruby on rails that were set up manually - and are tied into so many other things that would take months to get tested and moved).
Really, I just think Apple needs to step up here and make their products interoperate better. How can it be so impossible to move users from an older server *of their making* to a newer one - they didn't consider this at all while developing the new version, that people may want to ... you know, expand to multiple servers? They didn't even consider that people might have an old, but perfectly functional, 10.4 server that they might want to keep around? It just doesn't make sense to me. Sadly, I feel in the Windows world this would have gone a lot better - I don't remember having nearly as many issues interoperating with Windows NT and Windows 2000 servers - at least, not with transferring accounts. Also, upgrading and migrating Tiger clients to Leopard is not nearly so impossible - in fact, it's remarkably simple. Granted the level of complexity is far greater, but I should think they'd be able to handle it - otherwise I think we should investigate more stable and long-term oriented server architechtures. -
A Tuxedo server hangs at tmboot with Tuxedo 12.1.3, but works fine with 10.0
We have been running a Tuxedo server with pretty much the same logic in the sample code below in our systems for years on AIX (OS level 6100) with Tuxedo 10-32 bit. We are upgrading to Tuxedo 12.1.3 (12cr2) now. The code is compiled fine with Tuxedo 12, however, it just hangs at tmboot. We have tried on multiple servers (all AIX), but it hung on all the servers with tmboot. Is there anyone in the forum ran into the same problem?
The source code ForkSrv.c:
#include <unistd.h>
#include <signal.h>
#include <atmi.h>
void doChildProcess();
void launchChildProcess();
static pid_t m_iChildPid = -1;
/** FUNCTION: tpsvrinit */
int tpsvrinit( int argc, char **argv ) {
launchChildProcess();
userlog("Service initilized: (pid=%d)\n", getpid());
/* FUNCTION: killChild
* DESCRIPTION: send SIGTERM to the child process and wait for it terminates. */
void killChild() {
int iChildStatus;
if (m_iChildPid>0)
kill(m_iChildPid, SIGTERM);
userlog("Service (pid=%d) kill child process %d\n",
getpid(), m_iChildPid);
wait(&iChildStatus);
userlog("Service (pid=%d) killed child process %d\n",
getpid(), m_iChildPid);
/** FUNCTION: tpsvrdone
* DESCRIPTION: terminate the child process and do other clean ups */
void tpsvrdone(void) {
killChild();
userlog("Service done: (pid=%d)\n", getpid());
/* FUNCTION: ForkSvc
* DESCRIPTION: service function */
void ForkSvc(TPSVCINFO *tpinfo)
userlog("Service call: (pid=%d)\n", getpid());
tpreturn(TPSUCCESS, 0, tpinfo->data, 0, 0);
/* FUNCTION: launchChildProcess
* DESCRIPTION: launch the child process. If the child process exists terminate it first. */
void launchChildProcess()
m_iChildPid = fork();
switch (m_iChildPid) {
case -1:/* error */
userlog("launchChildProcess: Service failed to fork: (pid=%d)\n", getpid());
break;
case 0:/* child */
doChildProcess();
exit(0);
break;
default:/* parent */
userlog("launchChildProcess: Child created with pid=%d\n", m_iChildPid);
break;
/* FUNCTION: doChildProcess
* DESCRIPTION: child process routing */
void doChildProcess()
sleep(100000);
userlog("doChildProcess: Service child exited: (pid=%d)\n", getpid());
exit(0);
The Makefile fork.mak:
CC=cc
SERVERS=ForkSrv
server: $(SERVERS)
all:ForkSrv
ForkSrv: ForkSrv.o
buildserver -t -o ForkSrv -s ForkSvc -f ForkSrv.o
ForkSrv.o:ForkSrv.c
$(CC) -c -I${TUXDIR}/include -o ForkSrv.o ForkSrv.cWe have a tuxedo service which needs to communicate with a POS device by socket. The parent process provides the tuxedo service. The child process provides the connection management for the device. Unnamed pipe is used for communication between the parent and the child. In the child process, there is no code related to tuxedo. The benefit of that design is the tuxedo server does not need to wait for connection from the device when boots up, and the tuxedo service does not need to wait for connection from the device when the service is called.
The tuxedo server was developed 10 years ago, and worked fine till we upgraded tuxedo from 10 to 12 recently. That means it worked for 10 years, and it worked in tuxedo 6.5, tuxedo 10. But in tuxedo 12, tmboot does not return for this tuxedo server. We have to press CTRL-C and yes to cancel. After cancel, the tuxedo service seems working fine. -
Create a new directory in server with JSP
Hi,
How can I create a directory in server with JSP.
File dir = new File("a");
dir.mkdir();
does not work. what do I do?
best regards,Hi
Check the following things.
1. What is the path where you are creating the directory.
2. Do you permissions to create file in that directory.
3. do a delete on that filename if that exists just to be sure. isdeleted = filedir.delete(). Check the boolean flag isdeleted too.
Thanx and Regards
Aruneesh -
Msg server implementation with change in directory tree strcucture
Hello all,
Our organization is using directory server 5.1 and messaging server5.2.Our company is going for a change of directory tree structure.Can anybody please tell me whether for this change of directory tree structure we will have to again go for a reinstall of our messaging servers.Is there a way by which present messaging servers can be made to operate with new directory server with revamped directory tree structure.We are not going to upgrade to a new version of either directory or messaging server.The "schema 1" that 6.0 supports is the two tree system.
Schema 2 is single tree. You may be able to go that direction, BUT this road is not well documented. There's really no "schema guide" the way there is for 5.2 and "schema 1".
You can certainly download and install 6.1, and provisioin some test users, and see what it does.
The mailstore has had only minor changes gooing from 5.1 to 5.2 to 6.0 to 6.1, and the server should automatically and invisibly upgrade as you go.
the queue is incompatible, so you will need to clear the queue before you upgrade. -
Weblogic server 5.1.0 with sp8 does not work with LDAP (Netscape Directory Server 4.12)
I have weblogic server 5.1.0 with the sp8 running on Windows NT server 4.0.
The weblogic server is configured to use LDAP realm (Netscape directory
server 4.12).
When I try to run weblogic server and I am getting the following errors:
The WebLogic Server did not start up properly.
Exception raised: java.lang.reflect.InvocationTargetException
java.lang.reflect.InvocationTargetException: java.lang.ExceptionInInitialize
or: weblogic.security.ldaprealm.LDAPRealmException: cannot connect to ldapse
without a principal to authenticate as
at weblogic.security.ldaprealm.LDAPDelegate.setupProperties(LDAPDele
.java, Compiled Code)
at weblogic.security.ldaprealm.LDAPDelegate.<clinit>(LDAPDelegate.ja
83)
at weblogic.security.ldaprealm.LDAPRealm.<init>(LDAPRealm.java:34)
at java.lang.Class.newInstance0(Native Method)
at java.lang.Class.newInstance(Class.java:241)
at weblogic.security.acl.Realm.getRealm(Realm.java:78)
at weblogic.security.acl.Realm.getRealm(Realm.java:56)
at weblogic.t3.srvr.T3Srvr.initializeSecurity(T3Srvr.java:1756)
at weblogic.t3.srvr.T3Srvr.start(T3Srvr.java, Compiled Code)
at weblogic.t3.srvr.T3Srvr.main(T3Srvr.java:827)
at java.lang.reflect.Method.invoke(Native Method)
at weblogic.Server.startServerDynamically(Server.java:99)
at weblogic.Server.main(Server.java:65)
at weblogic.Server.main(Server.java:55)
java.lang.ExceptionInInitializerError: weblogic.security.ldaprealm.LDAPRealm
ption: cannot connect to ldapserver without a principal to authenticate as
at weblogic.security.ldaprealm.LDAPDelegate.setupProperties(LDAPDele
.java, Compiled Code)
at weblogic.security.ldaprealm.LDAPDelegate.<clinit>(LDAPDelegate.ja
83)
at weblogic.security.ldaprealm.LDAPRealm.<init>(LDAPRealm.java:34)
at java.lang.Class.newInstance0(Native Method)
at java.lang.Class.newInstance(Class.java:241)
at weblogic.security.acl.Realm.getRealm(Realm.java:78)
at weblogic.security.acl.Realm.getRealm(Realm.java:56)
at weblogic.t3.srvr.T3Srvr.initializeSecurity(T3Srvr.java:1756)
at weblogic.t3.srvr.T3Srvr.start(T3Srvr.java, Compiled Code)
at weblogic.t3.srvr.T3Srvr.main(T3Srvr.java:827)
at java.lang.reflect.Method.invoke(Native Method)
at weblogic.Server.startServerDynamically(Server.java:99)
at weblogic.Server.main(Server.java:65)
at weblogic.Server.main(Server.java:55)
And here is the my ldaprealm.properties file
netscape.server.host=localhost
netscape.server.port=389
netscape.server.ssl=false
netscape.server.principal=uid=admin, ou=Administrators,
ou=TopologyManagement, o=NetscapeRoot
netscape.server.credential=password
netscape.user.dn=ou=People, o=towers.com
netscape.user.filter=(&(uid=%u)(objectclass=person))
netscape.group.dn=ou=Groups, o=towers.com
netscape.group.filter=(&(cn=%g)(objectclass=groupofuniquenames))
netscape.membership.filter=(&(uniquemember=%M)(objectclass=groupofuniquename
s))
By looking at the error message, it seems like the "server.principal" and
"server.credential" info is not correct.
But I was able to use the same Netscape Directory server with Welogic 5.1.0
with sp4, although the ldaprealm.properties file has somewhat different
format.
Did anyone have similar problems with sp8?
Thanks in advance for any suggestions.BEA support just gave me the solution.
They told me to uncomment out the line
server.alias=netscape
in the ldaprealm.properties file
And I am able to start weblogic with my NIS
Thanks
"Enrique" <[email protected]> wrote in message
news:[email protected]...
>
Hi,
Have you try to remove the "system" user on the LDAP server?
Regards.
"Honghai Zhang" <[email protected]> wrote:
I have weblogic server 5.1.0 with the sp8 running on Windows NT server
4.0.
The weblogic server is configured to use LDAP realm (Netscape directory
server 4.12).
When I try to run weblogic server and I am getting the following errors:***************************************************************************
The WebLogic Server did not start up properly.
Exception raised: java.lang.reflect.InvocationTargetException
java.lang.reflect.InvocationTargetException:
java.lang.ExceptionInInitialize
or: weblogic.security.ldaprealm.LDAPRealmException: cannot connect toldapse
without a principal to authenticate as
atweblogic.security.ldaprealm.LDAPDelegate.setupProperties(LDAPDele
..java, Compiled Code)
atweblogic.security.ldaprealm.LDAPDelegate.<clinit>(LDAPDelegate.ja
83)
atweblogic.security.ldaprealm.LDAPRealm.<init>(LDAPRealm.java:34)
at java.lang.Class.newInstance0(Native Method)
at java.lang.Class.newInstance(Class.java:241)
at weblogic.security.acl.Realm.getRealm(Realm.java:78)
at weblogic.security.acl.Realm.getRealm(Realm.java:56)
at weblogic.t3.srvr.T3Srvr.initializeSecurity(T3Srvr.java:1756)
at weblogic.t3.srvr.T3Srvr.start(T3Srvr.java, Compiled Code)
at weblogic.t3.srvr.T3Srvr.main(T3Srvr.java:827)
at java.lang.reflect.Method.invoke(Native Method)
at weblogic.Server.startServerDynamically(Server.java:99)
at weblogic.Server.main(Server.java:65)
at weblogic.Server.main(Server.java:55)
java.lang.ExceptionInInitializerError:weblogic.security.ldaprealm.LDAPRealm
ption: cannot connect to ldapserver without a principal to authenticate
as
atweblogic.security.ldaprealm.LDAPDelegate.setupProperties(LDAPDele
..java, Compiled Code)
atweblogic.security.ldaprealm.LDAPDelegate.<clinit>(LDAPDelegate.ja
83)
atweblogic.security.ldaprealm.LDAPRealm.<init>(LDAPRealm.java:34)
at java.lang.Class.newInstance0(Native Method)
at java.lang.Class.newInstance(Class.java:241)
at weblogic.security.acl.Realm.getRealm(Realm.java:78)
at weblogic.security.acl.Realm.getRealm(Realm.java:56)
at weblogic.t3.srvr.T3Srvr.initializeSecurity(T3Srvr.java:1756)
at weblogic.t3.srvr.T3Srvr.start(T3Srvr.java, Compiled Code)
at weblogic.t3.srvr.T3Srvr.main(T3Srvr.java:827)
at java.lang.reflect.Method.invoke(Native Method)
at weblogic.Server.startServerDynamically(Server.java:99)
at weblogic.Server.main(Server.java:65)
at weblogic.Server.main(Server.java:55)***************************************************************************
And here is the my ldaprealm.properties file////////////////////////////////////////////////////////////////////////////
netscape.server.host=localhost
netscape.server.port=389
netscape.server.ssl=false
netscape.server.principal=uid=admin, ou=Administrators,
ou=TopologyManagement, o=NetscapeRoot
netscape.server.credential=password
netscape.user.dn=ou=People, o=towers.com
netscape.user.filter=(&(uid=%u)(objectclass=person))
netscape.group.dn=ou=Groups, o=towers.com
netscape.group.filter=(&(cn=%g)(objectclass=groupofuniquenames))
netscape.membership.filter=(&(uniquemember=%M)(objectclass=groupofuniquename
s))////////////////////////////////////////////////////////////////////////////
By looking at the error message, it seems like the "server.principal" and
"server.credential" info is not correct.
But I was able to use the same Netscape Directory server with Welogic5.1.0
with sp4, although the ldaprealm.properties file has somewhat different
format.
Did anyone have similar problems with sp8?
Thanks in advance for any suggestions. -
RSA Certificate Manager with Sun Java Directory Server
Has anyone integrated Sun Java Directory Server with RSA Certificate Manager
we have the Key Managment System in our DSEE 6.3 through a proxy. We had to enable some OIDs for it to work.
-
Integrating Sun Java Directory Server with Sun Java Application Server 7
Hi,
My basic goal is to implement Single Sign On within the network i,e if the user is inside the company's network and tries to access any application, then he should not be required for Username/password again becuase he is in the network.
My question is Is this possible with Sun Java System DIrectory server. If yes how can we integrate Directory Server with Sun Java System Application Server 7 2004Q2.
Please help.
ThanksDirectory Server in itself doesn't provide any kind of SSO functions. Basically it is a high performing data repository accessible via LDAP and DSML. It is, however, a key component used by SSO applications like Access Manager. If your applications are web applications then take a look at Access Manager for your SSO needs.
Regards,
Scott -
How to migrate Open Directory from 10.6 to another server with 10.8?
Hello all,
I have a Mac Pro running Mac OS X Server 10.6.8 with Open Directory active. Now I bought a new Mac Pro running MAC OS 10.8 and I also bought the OS X Server app.
What I want to know is how can I migrate the users and their home folders from old server with Snow Leopard to the new one? The Open Directory Archive does this job?
Regards,
Carlos.Ok. I did a test and I saw that it exports only the information account. So I suppose that I have to copy the home folder using scp or something similar. Is that correct?
I also have to keep the same hostname from the old server in the new server or this can be done in a different way?
Thanks. -
Install database server with the existance of 9iAS and internet directory
I want install the 9i database to a Sun Unix system. But that system already has the internet directory and 9i application server with the infrastructure. What are those steps I should follow to install the database?
Where can I find any documentation about the coexistance of internet directory, 9i AS and 9i database?
Thank you for your help.
XiaoyunJust install it in a separate ORACLE_HOME.
-
I want to be able to setup a user mobile account, with the home directory stored locally and not synced to the server. What is the best way to do this? I am running Server 10.6 with 10.6 clients. Open Directory will be used to authenticate and manage preferences. Also, this one account will be used simultaneosly in a computer lab setting, so files will be stored locally in the client, hence the need to NOT sync to the server. Any Ideas?
currofelix wrote:
So what does WGM Look like in the Home Tab? afp://servername.domainname/Users? or afp://Users?
The attached screen shots should help you:
You will only have to do this step once. Obviously you want to use the user's shortname here.
Then, you will see this as an option in WGM: -
Using tuxedo client 8.1 with tuxedo server 6.4
Hi,
I am using Weblogic server 7 sp2 with Tuxedo 8.1 on my Windows XP machine, I have configured weblogic (config.xml) to use WTC to connect to tuxedo 6.4 on windows 2000 machine which in turn connects to tuxedo 6.4 server. When I try to do a tpcall I get an error on weblogic server log 'TPENOENT(6):0:0:TPED_MINVAL(0):QMNONE(0):0:Could not find service'.
My question is I haven't made any configuration changes on the tuxedo server end like ubb.config or dm.config files. We are currently in the process of upgrading to weblogic 7 or 8. At the moment we are using JOLT to connect to the existing tux services on the dynix box.
I want to know if I can configur WTC on weblogic 7 using tuxedo 8.1 API to connect to tuxedo 6.4. What all changes do I need to make on both WLS and Tuxedo end.
I have read some documentation which state ways where old tuxedo client versions 7.1 and earlier can access tuxedo server 8 by configuring WSH (CLOPT -t) option in ubb.config file.
Can someone please help.
Thanks,
SmitaHello Smita,
I don't think WTC is supported with Tuxedo 6.4. I think (for a number of reasons) that you really should consider an upgrade to 6.5 or newer version of Tuxedo.
Regards,
/Per
Per Lindström - R2Meton AB, SWEDEN -
How to Cleanup the System Landscape Directory in XI Server with Backup?
Hi All,
Could i know the steps to Cleanup the SLD,IR and ID in XI server with backup(IMP)?
pls send me the links if there is any Documents available.
Thanks,
Govindu.Hi Govindu,
Have a look at this document:
System Content Copy Guide
https://websmp110.sap-ag.de/~sapidb/011000358700000315022005E.PDF
this should be enough to give you a very clear idea on taking a Backup....
Regards,
Abhy -
I recently installed a fresh version of Lion Server after attempting to fix a broken upgrade. With some help from others, I've managed to get all the new features working and have kept notes, having found that many or most of the necessary installation steps for both the OS and its services are almost entirely undocumented. When you get them working, they work great, but the entire process is very fragile, with simple setup steps causing breaks or even malicious behaviors. In case this is useful to others, here are my notes.
Start with an erased, virgin, single guid partitioned drive. Not an upgrade. Not simply a repartitioned drive. Erased. Clean. Anything else can and probably will break the Lion Server install, as I discovered myself more than once. Before erasing my drive, I already had Lion and made a Lion install DVD from instructions widely available on the web. I suppose you could also boot into the Lion recovery partition and use disk utility to erase the OS X partition then install a new partition, but I cut a DVD. The bottom line is to erase any old OS partitions. And of course to have multiple, independent backups: I use both Time Machine with a modified StdExclusions.plist and Carbon Copy Cloner.
Also, if you will be running your own personal cloud, you will want to know your domain name ahead of time, as this will be propagated everywhere throughout server, and changing anything related to SSL on Lion Server is a nightmare that I haven't figured out. If you don't yet have a domain name, go drop ten dollars at namecheap.com or wherever and reserve one before you start. Soemday someone will document how to change this stuff without breaking Lion Server, but we're not there yet. I'll assume the top-level domain name "domain.com" here.
Given good backups, a Lion Install DVD (or Recovery Partition), and a domain name, here are the steps, apparently all of which must be more-or-less strictly followed in this order.
DVD>Disk Utility>Erase Disk [or Recovery Partition>Disk Utility>Erase Partition]
DVD>Install Lion
Reboot, hopefully Lion install kicks in
Update, update, update Lion (NOT Lion Server yet) until no more updates
System Preferences>Network>Static IP on the LAN (say 10.0.1.2) and Computer name ("server" is a good standbye)
Terminal>$ sudo scutil --set HostName server.domain.com
App Store>Install Lion Server and run through the Setup
Download install Server Admin Tools, then update, update, update until no more updates
Server Admin>DNS>Zones [IF THIS WASN'T AUTOMAGICALLY CREATED (mine wasn't): Add zone domain.com with Nameserver "server.domain.com." (that's a FQDN terminated with a period) and a Mail Exchanger (MX record) "server.domain.com." with priority 10. Add Record>Add Machine (A record) server.domain.com pointing to the server's static IP. You can add fancier DNS aliases and a simpler MX record below after you get through the crucial steps.]
System Prefs>Network>Advanced>Set your DNS server to 127.0.0.1
A few DNS set-up steps and these most important steps:
A. Check that the Unix command "hostname" returns the correct hostname and you can see this hostname in Server.app>Hardware>Network
B. Check that DNS works: the unix commands "host server.domain.com" and "host 10.0.1.2" (assuming that that's your static IP) should point to each other. Do not proceed until DNS works.
C. Get Apple Push Notification Services CA via Server.app>Hardware>Settings><Click toggle, Edit... get a new cert ...>
D. Server.app>Profile Manager>Configure... [Magic script should create OD Master, signed SSL cert]
E. Server.app>Hardware>Settings>SSL Certificate> [Check to make sure it's set to the one just created]
F. Using Server.app, turn on the web, then Server.app>Profile Manager> [Click on hyperlink to get to web page, e.g. server.domain.com/profilemanager] Upper RHS pull-down, install Trust Profile
G. Keychain Access>System>Certificates [Find the automatically generated cert "Domain", the one that is a "Root certificate authority", Highlight and Export as .cer, email to all iOS devices, and click on the authority on the device. It should be entered as a trusted CA on all iOS devices. While you're at it, highlight and Export... as a .cer the certificate "IntermediateCA_SERVER.DOMAIN.COM_1", which is listed an an "Intermediate CA" -- you will use this to establish secure SSL connections with remote browsers hitting your server.]
H. iOS on LAN: browse to server.domain.com/mydevices> [click on LHS Install trust cert, then RHS Enroll device.
I. Test from web browser server.domain.com/mydevices: Lock Device to test
J. ??? Profit
12. Server Admin>DNS>Zones> Add convenient DNS alias records if necessary, e.g., mail.domain.com, smtp.domain.com, www.domain.com. If you want to refer to your box using the convenient shorthand "domain.com", you must enter the A record (NOT alias) "domain.com." FQDN pointing to the server's fixed IP. You can also enter the convenient short MX record "domain.com." with priority 11. This will all work on the LAN -- all these settings must be mirrored on the outside internet using the service from which you registered domain.com.
You are now ready to begin turning on your services. Here are a few important details and gotchas setting up cloud services.
Firewall
Server Admin>Firewall>Services> Open up all ports needed by whichever services you want to run and set up your router (assuming that your server sits behind a router) to port forward these ports to your router's LAN IP. This is most a straightforward exercise in grepping for the correct ports on this page, but there are several jaw-droppingly undocumented omissions of crucial ports for Push Services and Device Enrollment. If you want to enroll your iOS devices, make sure port 1640 is open. If you want Push Notifications to work (you do), then ports 2195, 2196, 5218, and 5223 must be open. The Unix commands "lsof -i :5218" and "nmap -p 5218 server.domain.com" (nmap available from Macports after installing Xcode from the App Store) help show which ports are open.
SSH
Do this with strong security. Server.app to turn on remote logins (open port 22), but edit /etc/sshd_config to turn off root and password logins.
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
I'm note sure if toggling the Allow remote logins will load this config file or, run "sudo launchctl unload -w /System/Library/LaunchAgents/org.openbsd.ssh-agent.plist ; sudo launchctl load -w /System/Library/LaunchAgents/org.openbsd.ssh-agent.plist" to restart the server's ssh daemon.
Then use ssh-keygen on remote client to generate public/private keys that can be used to remotely login to the server.
client$ ssh-keygen -t rsa -b 2048 -C client_name
[Securely copy ~/.ssh/id_rsa.pub from client to server.]
server$ cat id_rsa.pub > ~/.ssh/known_hosts
I also like DenyHosts, which emails detected ssh attacks to [email protected]. It's amazing how many ssh attacks there are on any open port 22. Not really an added security feature if you've turned off password logins, but good to monitor. Here's a Lion Server diff for the config file /usr/share/denyhosts:
$ diff denyhosts.cfg-dist denyhosts.cfg
12c12
< SECURE_LOG = /var/log/secure
> #SECURE_LOG = /var/log/secure
22a23
> SECURE_LOG = /var/log/secure.log
34c35
< HOSTS_DENY = /etc/hosts.deny
> #HOSTS_DENY = /etc/hosts.deny
40a42,44
> #
> # Mac OS X Lion Server
> HOSTS_DENY = /private/etc/hosts.deny
195c199
< LOCK_FILE = /var/lock/subsys/denyhosts
> #LOCK_FILE = /var/lock/subsys/denyhosts
202a207,208
> LOCK_FILE = /var/denyhosts/denyhosts.pid
> #
219c225
< ADMIN_EMAIL =
> ADMIN_EMAIL = [email protected]
286c292
< #SYSLOG_REPORT=YES
> SYSLOG_REPORT=YES
Network Accounts
User Server.app to create your network accounts; do not use Workgroup Manager. If you use Workgroup Manager, as I did, then your accounts will not have email addresses specified and iCal Server WILL NOT COMPLETELY WORK. Well, at least collaboration through network accounts will be handled clunkily through email, not automatically as they should. If you create a network account using Workgroup Manager, then edit that account using Server.app to specify the email to which iCal invitations may be sent. Server.app doesn't say anything about this, but that's one thing that email address entry is used for. This still isn't quite solid on Lion Server, as my Open Directory logs on a freshly installed Lion Server are filled with errors that read:
2011-12-12 15:05:52.425 EST - Module: SystemCache - Misconfiguration detected in hash 'Kerberos':
User 'uname' (/LDAPv3/127.0.0.1) - ID 1031 - UUID 98B4DF30-09CF-42F1-6C31-9D55FE4A0812 - SID S-0-8-83-8930552043-0845248631-7065481045-9092
Oh well.
Email
Email aliases are handled with the file /private/etc/postfix/aliases. Do something like this
root: myname
admin: myname
sysadmin: myname
certadmin: myname
webmaster: myname
my_alternate: myname
Then run "sudo newaliases". If your ISP is Comcast or some other large provider, you probably must proxy your outgoing mail through their SMTP servers to avoid being blocked as a spammer (a lot of SMTP servers will block email from Comcast/whatever IP addresses that isn't sent by Comcast). Use Server.app>Mail to enter your account information. Even then, the Lion Server default setup may fail using this proxy. I had to do this with the file /private/etc/postfix/main.cf:
cd /etc/postfix
sudo cp ./main.cf ./main.cf.no_smtp_sasl_security_options
sudo echo 'smtp_sasl_security_options = noanonymous' >> ./main.cf
sudo serveradmin stop mail
sudo serveradmin start mail
Finally, make sure that you're running a blacklisting srevice yourself! Server Admin>Mail>Filter> Use spamhaus.org as a blacklister. Finally, set up mail to use strong Kerberos/MD5 settings under on Server Admin>Mail>Advanced. Turn off password and clear logins. The settings should be set to "Use" your SSL cert, NOT "Require". "Require" consistently breaks things for me.
If you already installed the server's Trust Certificate as described above (and opened up the correct ports), email to your account should be pushed out to all clients.
iCal Server
Server.app>Calendar>Turn ON and Allow Email Invitations, Edit... . Whatever you do, do NOT enter your own email account information in this GUI. You must enter the account information for local user com.apple.calendarserver, and the password for this account, which is stored in the System keychain: Keychain Access>System> Item com.apple.servermgr_calendar. Double-click and Show Password, copy and paste into Server.app dialog. This is all described in depth here. If you enter your own account information here (DO NOT!), the iCal Server will delete all Emails in your Inbox just as soon as it reads them, exactly like it works for user com.apple.calendarserver. Believe me, you don't want to discover this "feature", which I expect will be more tightly controlled in some future update.
Web
The functionality of Server.app's Web management is pretty limited and awful, but a few changes to the file /etc/apache2/httpd.conf will give you a pretty capable and flexible web server, just one that you must manage by hand. Here's a diff for httpd.conf:
$ diff httpd.conf.default httpd.conf
95c95
< #LoadModule ssl_module libexec/apache2/mod_ssl.so
> LoadModule ssl_module libexec/apache2/mod_ssl.so
111c111
< #LoadModule php5_module libexec/apache2/libphp5.so
> LoadModule php5_module libexec/apache2/libphp5.so
139,140c139,140
< #LoadModule auth_digest_apple_module libexec/apache2/mod_auth_digest_apple.so
< #LoadModule encoding_module libexec/apache2/mod_encoding.so
> LoadModule auth_digest_apple_module libexec/apache2/mod_auth_digest_apple.so
> LoadModule encoding_module libexec/apache2/mod_encoding.so
146c146
< #LoadModule xsendfile_module libexec/apache2/mod_xsendfile.so
> LoadModule xsendfile_module libexec/apache2/mod_xsendfile.so
177c177
< ServerAdmin [email protected]
> ServerAdmin [email protected]
186c186
< #ServerName www.example.com:80
> ServerName domain.com:443
677a678,680
> # Server-specific configuration
> # sudo apachectl -D WEBSERVICE_ON -D MACOSXSERVER -k restart
> Include /etc/apache2/mydomain/*.conf
I did "sudo mkdir /etc/apache2/mydomain" and add specific config files for various web pages to host. For example, here's a config file that will host the entire contents of an EyeTV DVR, all password controlled with htdigest ("htdigest ~uname/.htdigest EyeTV uname"). Browsing to https://server.domain.com/eyetv points to /Users/uname/Sites/EyeTV, in which there's an index.php script that can read and display the EyeTV archive at https://server.domain.com/eyetv_archive. If you want Apache username accounts with twiddles as in https://server.domain.com/~uname, specify "UserDir Sites" in the configuration file.
Alias /eyetv /Users/uname/Sites/EyeTV
<Directory "/Users/uname/Sites/EyeTV">
AuthType Digest
AuthName "EyeTV"
AuthUserFile /Users/uname/.htdigest
AuthGroupFile /dev/null
Require user uname
Options Indexes MultiViews
AllowOverride All
Order allow,deny
Allow from all
</Directory>
Alias /eyetv_archive "/Volumes/Macintosh HD2/Documents/EyeTV Archive"
<Directory "/Volumes/Macintosh HD2/Documents/EyeTV Archive">
AuthType Digest
AuthName "EyeTV"
AuthUserFile /Users/uname/.htdigest
AuthGroupFile /dev/null
Require user uname
Options Indexes MultiViews
AllowOverride All
Order allow,deny
Allow from all
</Directory>
I think you can turn Web off/on in Server.app to relaunch apached, or simply "sudo apachectl -D WEBSERVICE_ON -D MACOSXSERVER -k restart".
Securely copy to all desired remote clients the file IntermediateCA_SERVER.DOMAIN.COM_1.cer, which you exported from System Keychain above. Add this certificate to your remote keychain and trust it, allowing secure connections between remote clients and your server. Also on remote clients: Firefox>Advanced>Encryption>View Certificates>Authorities>Import...> Import this certificate into your browser. Now there should be a secure connection to https://server.domain.com without any SSL warnings.
One caveat is that there should be a nice way to establish secure SSL to https://domain.com and https://www.domain.com, but the automagically created SSL certificate only knows about server.domain.com. I attempted to follow this advice when I originally created the cert and add these additional domains (under "Subject Alternate Name Extension"), but the cert creation UI failed when I did this, so I just gave up. I hope that by the time these certs expire, someone posts some documentation on how to manage and change Lion Server SSL scripts AFTER the server has been promoted to an Open Directory Master. In the meantime, it would be much appreciated if anyone can post either how to add these additional domain names to the existing cert, or generate and/or sign a cert with a self-created Keychain Access root certificate authority. In my experience, any attempt to mess with the SSL certs automatically generated just breaks Lion Server.
Finally, if you don't want a little Apple logo as your web page icon, create your own 16×16 PNG and copy it to the file /Library/Server/Web/Data/Sites/Default/favicon.ico. And request that all web-crawling robots go away with the file /Library/Server/Web/Data/Sites/Default/robots.txt:
User-agent: *
Disallow: /
Misc
VNC easily works with iOS devices -- use a good passphrase. Edit /System/Library/LaunchDaemons/org.postgresql.postgres.plist and set "listen_addresses=127.0.0.1" to allow PostgreSQL connections over localhost. I've also downloaded snort/base/swatch to build an intrusion detection system, and used Macports's squid+privoxy to build a privacy-enhanced ad-blocking proxy server.Privacy Enhancing Filtering Proxy and SSH Tunnel
Lion Server comes with its own web proxy, but chaining Squid and Privoxy together provides a capable and effective web proxy that can block ads and malicious scripts, and conceal information used to track you around the web. I've posted a simple way to build and use a privacy enhancing web proxy here. While you're at it, configure your OS and browsers to block Adobe Flash cookies and block Flash access to your camera, microphone, and peer networks. Read this WSJ article series to understand how this impacts your privacy. If you configure it to allow use for anyone on your LAN, be sure to open up ports 3128, 8118, and 8123 on your firewall.
If you've set up ssh and/or VPN as above, you can securely tunnel in to your proxy from anywhere. The syntax for ssh tunnels is a little obscure, so I wrote a little ssh tunnel script with a simpler flexible syntax. This script also allows secure tunnels to other services like VNC (port 5900). If you save this to a file ./ssht (and chmod a+x ./ssht), example syntax to establish an ssh tunnel through localhost:8080 (or, e.g., localhost:5901 for secure VNC Screen Sharing connects) looks like:
$ ./ssht 8080:[email protected]:3128
$ ./ssht 8080:alice@:
$ ./ssht 8080:
$ ./ssht 8018::8123
$ ./ssht 5901::5900 [Use the address localhost:5901 for secure VNC connects using OS X's Screen Sharing or Chicken of the VNC (sudo port install cotvnc)]
$ vi ./ssht
#!/bin/sh
# SSH tunnel to squid/whatever proxy: ssht [-p ssh_port] [localhost_port:][user_name@][ip_address][:remotehost][:remote_port]
USERNAME_DEFAULT=username
HOSTNAME_DEFAULT=domain.com
SSHPORT_DEFAULT=22
# SSH port forwarding specs, e.g. 8080:localhost:3128
LOCALHOSTPORT_DEFAULT=8080 # Default is http proxy 8080
REMOTEHOST_DEFAULT=localhost # Default is localhost
REMOTEPORT_DEFAULT=3128 # Default is Squid port
# Parse ssh port and tunnel details if specified
SSHPORT=$SSHPORT_DEFAULT
TUNNEL_DETAILS=$LOCALHOSTPORT_DEFAULT:$USERNAME_DEFAULT@$HOSTNAME_DEFAULT:$REMOT EHOST_DEFAULT:$REMOTEPORT_DEFAULT
while [ "$1" != "" ]
do
case $1
in
-p) shift; # -p option
SSHPORT=$1;
shift;;
*) TUNNEL_DETAILS=$1; # 1st argument option
shift;;
esac
done
# Get local and remote ports, username, and hostname from the command line argument: localhost_port:user_name@ip_address:remote_host:remote_port
shopt -s extglob # needed for +(pattern) syntax; man sh
LOCALHOSTPORT=$LOCALHOSTPORT_DEFAULT
USERNAME=$USERNAME_DEFAULT
HOSTNAME=$HOSTNAME_DEFAULT
REMOTEHOST=$REMOTEHOST_DEFAULT
REMOTEPORT=$REMOTEPORT_DEFAULT
# LOCALHOSTPORT
CDR=${TUNNEL_DETAILS#+([0-9]):} # delete shortest leading +([0-9]):
CAR=${TUNNEL_DETAILS%%$CDR} # cut this string from TUNNEL_DETAILS
CAR=${CAR%:} # delete :
if [ "$CAR" != "" ] # leading or trailing port specified
then
LOCALHOSTPORT=$CAR
fi
TUNNEL_DETAILS=$CDR
# REMOTEPORT
CDR=${TUNNEL_DETAILS%:+([0-9])} # delete shortest trailing :+([0-9])
CAR=${TUNNEL_DETAILS##$CDR} # cut this string from TUNNEL_DETAILS
CAR=${CAR#:} # delete :
if [ "$CAR" != "" ] # leading or trailing port specified
then
REMOTEPORT=$CAR
fi
TUNNEL_DETAILS=$CDR
# REMOTEHOST
CDR=${TUNNEL_DETAILS%:*} # delete shortest trailing :*
CAR=${TUNNEL_DETAILS##$CDR} # cut this string from TUNNEL_DETAILS
CAR=${CAR#:} # delete :
if [ "$CAR" != "" ] # leading or trailing port specified
then
REMOTEHOST=$CAR
fi
TUNNEL_DETAILS=$CDR
# USERNAME
CDR=${TUNNEL_DETAILS#*@} # delete shortest leading +([0-9]):
CAR=${TUNNEL_DETAILS%%$CDR} # cut this string from TUNNEL_DETAILS
CAR=${CAR%@} # delete @
if [ "$CAR" != "" ] # leading or trailing port specified
then
USERNAME=$CAR
fi
TUNNEL_DETAILS=$CDR
# HOSTNAME
HOSTNAME=$TUNNEL_DETAILS
if [ "$HOSTNAME" == "" ] # no hostname given
then
HOSTNAME=$HOSTNAME_DEFAULT
fi
ssh -p $SSHPORT -L $LOCALHOSTPORT:$REMOTEHOST:$REMOTEPORT -l $USERNAME $HOSTNAME -f -C -q -N \
&& echo "SSH tunnel established via $LOCALHOSTPORT:$REMOTEHOST:$REMOTEPORT\n\tto $USERNAME@$HOSTNAME:$SSHPORT." \
|| echo "SSH tunnel FAIL." -
SBS2008: Move email from Exchange 2007 to new server with Exchange 2013
We have an old server (SBS2008) and plan to buy a new server with (Server 2012). I need to move all the exchange emails, contacts & calendars to the new server. We will no longer use the old server.
Is there a document or migration tool that will help me understand how to move this data form the old exchange server to the new one?
Old Server:
SBS2008 running Exchange 2007
New Server:
Server 2012
Exchange 2013
Any help is appreciated!Hi Dave,
It can be done, and as Larry suggested you will consider two Server 2012 installs in order to achieve an environment that looks like your current SBS roles; Exchange 2013 on an Active Directory controller isn't a good long-term solution (SBS did this for
you in the past).
For your size operation, a virtual server host, with a Windows Server 2012 license, and two virtual machines would probably be a suitable design model. In this manner, you have Server 2012 license that permits 1 +2 licenses (one host for virtualization,
up to 2 Virtual Machines on same host).
There's no migration tool. That comes with experience and usually trial and error. You earn the skills in this migration path, and for the average SBS support person you should plan on spending 3x (or more) your efforts estimate in hours planning your migration.
You can find a recommended migration path at this link to give you an idea of the steps, but its not exactly point by point going to cover you off for an sbs2008 to server 2012 w/exchange 2013 migration. But the high points are in here. If it looks
like something you would be comfortable with then you should research more.
http://blogs.technet.com/b/infratalks/archive/2012/09/07/transition-from-small-business-server-to-standard-windows-server.aspx
Specific around integrating Exchange 2013 into an Exchange 2007 environment, guidance for that can be found here:
http://technet.microsoft.com/en-us/library/jj898582(v=exchg.150).aspx
If that looks like something beyond your comfort level, then you might consider building a new 2012 server with Exchange 2013 environment out as new, manually export your exchange 2007 mailbox contents (to PST) and then import them into the new mail server,
and migrate your workstations out of old domain into new domain. Whether this is more or less work at your workstation count is dependent upon a lot of variables.
If you have more questions about the process, update the thread and we'll try to assist.
Hopefully this info answered your original question.
Cheers,
-Jason
Jason Miller B.Comm (Hons), MCSA, MCITP, Microsoft MVP
Maybe you are looking for
-
Daily Kernel Panic while web browsing
Hello, I'm receiving nearly daily kernel panics while web browsing. At first this was happening in Chrome, so I uninstalled it and went back to using Safari. The problem occurs in Safari as well. It seems to occur most often when I launch additional
-
How to save particular variable values for all users
Hi Experts, I have variables posting period with user entry default value and fiscal year(with entry vulaue mandataory)in 30 queries.Now user wants to set this values i.e.posting period to 0 -16 (interval) and fiscal year to 2008. whoever opnes the
-
Does anyone know if there is a way to DESELECT the "Automatically update the date and time when the document is opened" dialog? Thanks. Paul
-
Every time I open Firefox, I get a pop-up asking me to install the Alexa Sparky toolbar--which I do not want. The pop-up box does not offer an option to say "no" or "do not ask me again", which is VERY annoying. How can I permanently stop the popup?
-
I'm on my way to build a XML parser for my program. How do you make Variant display it's Data and Data (Type) like the one on my screenshot? I dont want my data type be a string. I want it to be the same as my cluster. Is there a way to edit the data