Install and update IBM Security Directory Server V6.4

Basic guide to install and configure IBM SDS V6.4.


Author(s): Tamas Bures | Created: 06 May 2018 | Last modified: 06 May 2018
Tested on: -

Note: IBM DB2 installation is not covered in this manual. The minimum DB2 level required for SDS is IBM DB2 10.5.0.9.

All steps below must be executed as the root user!

Install prerequisite packages on RHEL

  1. Enable the RHEL extra repositories

     yum-config-manager --enable rhui-REGION-rhel-server-extras rhui-REGION-rhel-server-optional
  2. Update the repository list with the command:

     yum clean all
  3. Install the required packages with the following command (it includes both 32-bit and 64-bit packages)

     yum install \
         xorg-x11-xauth xorg-x11-apps xterm compat-libstdc++-33.i686 compat-libstdc++-33.x86_64 \
         compat-db.x86_64 gtk2.i686 gtk2.x86_64 gtk2-engines.x86_64 libXp.i686 libXp.x86_64 libXmu.i686 \
         libXmu.x86_64 libXtst.i686 libXtst.x86_64 elfutils.x86_64 elfutils-libs.i686 elfutils-libs.x86_64 \
         pam.i686 pam.x86_64 rpm-build.x86_64 libXft.i686 libXft.x86_64 libstdc++.i686 libstdc++.x86_64 \
         ksh.x86_64  libgcc.i686 libgcc.x86_64 libcanberra-gtk2.i686 libcanberra-gtk2.x86_64 \
         PackageKit-gtk3-module PackageKit-gtk3-module.i686
  4. Mount the IBM SDS ISO file

     mount -o loop <path to ISO>/sds64-linux-x86-64.iso <path to mount, i.e.: /mnt>
  5. Adjust the RHEL kernel parameters to avoid DB2 errors when creating the SDS instance. Add or modify the kernel.shmmax parameter in the /etc/sysctl.conf file and set its value to 3221225472

    The complete line should look like: kernel.shmmax=3221225472

  6. Apply the new setting with this command (without it, the new setting takes effect only after a reboot)

     sysctl -w kernel.shmmax=3221225472
  7. Create the necessary directories where the SDS instance and its DB2 instance will be stored

     mkdir -p /sdsdata/isaminst
     mkdir -p /db2data/isamdb2i
  8. Create the necessary users and groups:

     groupadd idsldap
     useradd isamdb2i
     useradd isamldap
  9. Set the primary groups for both users

     usermod -g idsldap isamdb2i
     usermod -g idsldap isamldap
  10. Set privileges on instance folders

     chown isamdb2i:idsldap /db2data/isamdb2i
     chown isamldap:idsldap /sdsdata/isaminst
  11. Enable X11 forwarding (use your own solution to accomplish this) and test that it works

    Issue the xclock command and if the xclock window appears, go on.
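
Step 5 leaves the edit of /etc/sysctl.conf to the reader. The following is an added example, not part of the original guide: a hypothetical helper, set_sysctl, that replaces an existing kernel.shmmax line or appends one, so repeated runs never leave duplicate entries. It is demonstrated on a constructed temporary file.

```shell
#!/bin/sh
# Added example, not from the original guide.
# set_sysctl FILE KEY VALUE: drop any active "KEY = ..." line from FILE and
# append "KEY=VALUE", so the file ends up with exactly one assignment.
set_sysctl() (
    file=$1 key=$2 value=$3
    tmp=$(mktemp) || exit 1
    awk -v k="$key" '
        { line = $0; sub(/^[ \t]+/, "", line) }
        # Active assignment of exactly this key (not a comment, not a longer name).
        index(line, k) == 1 && substr(line, length(k) + 1) ~ /^[ \t]*=/ { next }
        { print }
    ' "$file" > "$tmp" || exit 1
    printf '%s=%s\n' "$key" "$value" >> "$tmp"
    # Write back in place so owner, mode and SELinux label of FILE are kept.
    cat "$tmp" > "$file" && rm -f "$tmp"
)

# Demo on a constructed file; on the real host pass /etc/sysctl.conf instead.
demo=$(mktemp)
printf '%s\n' '# constructed sample' 'kernel.shmmax = 68719476736' \
    'kernel.shmall=4294967296' > "$demo"
set_sysctl "$demo" kernel.shmmax 3221225472
set_sysctl "$demo" kernel.shmmax 3221225472   # second run changes nothing
cat "$demo"
rm -f "$demo"
```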

Installing IBM Installation Manager 1.8.0 (IM)

  1. Navigate to the IM installation package on the mounted ISO (/mnt)

     cd /mnt/ibm_im_64bit
  2. Start the installer

     ./install
  3. Follow the on-screen instructions to install IBM Installation Manager to the directory /opt/IBM/InstallationManager

  4. When the installation has finished, click the Restart Installation Manager button.

Upgrading IBM IM to version 1.8.8

  1. Navigate to the directory where you store the update packages (in this manual it is /home/admin/updates)

     cd /home/admin/updates
  2. Create a directory to store the unzipped file

     mkdir -p /home/admin/updates/im_188
  3. Extract the IM update file to the new directory

     unzip /home/admin/updates/agent.installer.linux.gtk.x86_64_1.8.8000.20171130_1105.zip \
     -d /home/admin/updates/im_188
  4. Navigate to the extracted files

     cd /home/admin/updates/im_188
  5. Start the Installation Manager installer

     ./install
  6. Follow the on-screen instructions to update IBM Installation Manager

  7. When the installation has finished, click the Restart Installation Manager button

  8. Once it is restarted, quit the application

  9. Clean up the temp directory

     rm -rf /home/admin/updates/im_188

Installing IBM Security Directory Server (SDS)

  1. Locate the response file /home/admin/SDSInstall-Response.xml

  2. If you use different paths, edit the XML file and adjust the paths that refer to the mount point (/mnt):

     <?xml version='1.0' encoding='UTF-8'?>
     <agent-input>
       <variables>
         <variable name='sharedLocation' value='/opt/IBM/IBMIMShared'/>
       </variables>
       <server>
         <repository location='/mnt/ibm_sds'/>
       </server>
       <profile id='IBM Security Directory Server' installLocation='/opt/ibm/ldap/V6.4'>
         <data key='cic.selector.arch' value='x86_64'/>
         <data key='user.use.existing.db2.installpath,com.ibm.security.directoryserver.v64' value='/opt/ibm/db2/V10.5'/>
         <data key='user.use.existing.db2,com.ibm.security.directoryserver.v64' value='true'/>
         <data key='user.gskit.executable.path,com.ibm.security.directoryserver.v64' value='/mnt/ibm_gskit'/>
         <data key='user.use.existing.gskit,com.ibm.security.directoryserver.v64' value='false'/>
         <data key='user.jdk.executable.path,com.ibm.security.directoryserver.v64' value='/mnt/ibm_jdk/6.0.16.2-ISS-JAVA-LinuxX64-FP0002.tar'/>
       </profile>
       <install>
         <!-- IBM Security Directory Server 6.4.0.0 -->
         <offering profile='IBM Security Directory Server' id='com.ibm.security.directoryserver.v64' version='6.4.0.20150225_0826' features='main.feature.db2,main.feature.gskit,main.feature.jdk,main.feature.javaclient,main.feature.server,main.feature.cclient'/>
       </install>
       <preference name='com.ibm.cic.common.core.preferences.eclipseCache' value='${sharedLocation}'/>
     </agent-input>
  3. Save the file

  4. Navigate to the installed path of Installation Manager

     cd /opt/IBM/InstallationManager/eclipse
  5. Execute the following command to silently install SDS with the response file

     ./imcl input <path to response file>/SDSInstall-Response.xml -acceptLicense -showProgress
  6. Once the process has finished, you have IBM SDS installed with the following versions:

    • IBM Security Directory Server 6.4.0.0
    • IBM GSKit 8.0.50.34
    • IBM Java 6.0.16.2
  7. You can now unmount the ISO file; it is no longer needed.

     umount /mnt    # or the path where you mounted the ISO

Upgrading IBM SDS

Updating IBM Java

  1. Create a backup of the previous version of Java

     mv /opt/ibm/ldap/V6.4/java /opt/ibm/ldap/V6.4/java_old
  2. Create a temp directory to hold the extracted files

     mkdir -p /home/admin/updates/sds_java_fix
  3. Extract the Java update package to the newly created directory

     tar -xvf /home/admin/updates/6.0.16.26-ISS-JAVA-LinuxX64-FP0026.tar -C /home/admin/updates/sds_java_fix
  4. Move the extracted files into the SDS installation directory

     mv /home/admin/updates/sds_java_fix/java/ /opt/ibm/ldap/V6.4/
  5. Verify that new Java is in the correct place:

     ls -l /opt/ibm/ldap/V6.4

    You should have a java folder and a java_old folder as well.

  6. Check the new Java version

     /opt/ibm/ldap/V6.4/java/bin/java -version

    Check the second line of the output; it should match

    Java(TM) SE Runtime Environment (build pxa6460sr16fp26-20160508_01(SR16 FP26))
  7. Clean up the temp directory

    rm -rf /home/admin/updates/sds_java_fix

Updating IBM GSKit

  1. Create a temp directory to hold the extracted files

     mkdir -p /home/admin/updates/sds_gskit_fix
  2. Extract the GSKit update package to the newly created directory

     tar -xvf /home/admin/updates/8.0.50.84-ISS-GSKIT-LinuxX64-FP0084.tar.gz -C /home/admin/updates/sds_gskit_fix
  3. Update the 32-bit GSKit packages

     rpm -Uhv /home/admin/updates/sds_gskit_fix/8.0.50.84-ISS-GSKIT-LinuxX64-FP0084/32/*.rpm
  4. Update the 64-bit GSKit packages

     rpm -Uhv /home/admin/updates/sds_gskit_fix/8.0.50.84-ISS-GSKIT-LinuxX64-FP0084/64/*.rpm
  5. Check that the new version is applied

     gsk8ver_64

    The command prints a lot of information on the screen. Pick a block, locate any line that starts with @(#)FileVersion and check that the version matches 8.0.50.84

  6. Clean up the temp directory

     rm -rf /home/admin/updates/sds_gskit_fix

Updating SDS binaries

  1. Create a temp directory to hold the extracted files

     mkdir -p /home/admin/updates/sds_fix
  2. Extract the SDS update package to the newly created directory

     tar -xvf /home/admin/updates/6.4.0.15-ISS-ISDS-LinuxX64-IF0015.tar.gz -C /home/admin/updates/sds_fix/
  3. To start the update process, issue the following command from the extracted directory

     /home/admin/updates/sds_fix/idsinstall -u -f
  4. Once the update is finished, check that the new version is applied

     rpm -qa | grep idsldap

    The command prints a lot of information on the screen. Check the first line of the output; it should match idsldap-srvbase64bit64-6.4.0-15.x86_64

  5. Clean up the temp directory

     rm -rf /home/admin/updates/sds_fix
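
The version checks in the three update sections above rely on reading command output by eye. The following added example (not part of the original guide) turns them into pass/fail checks; the function names are hypothetical, the gsk8ver_64 line layout is an assumption, and the GSKit check goes beyond the text by requiring every FileVersion line to match rather than one block.

```shell
#!/bin/sh
# Added example, not from the original guide: check fix levels from command
# output on stdin, so the result does not depend on reading the screen.

# java -version writes to stderr; line 2 carries the build string.
# Usage: /opt/ibm/ldap/V6.4/java/bin/java -version 2>&1 | java_build_ok sr16fp26
java_build_ok() {
    sed -n '2p' | grep -qF "(build pxa6460$1-"
}

# Every "@(#)FileVersion" line must end in the wanted version (assumption:
# the version is the last whitespace-separated field on that line).
# Usage: gsk8ver_64 | gskit_version_ok 8.0.50.84
gskit_version_ok() {
    awk -v want="$1" '
        index($0, "@(#)FileVersion") == 1 { n++; if ($NF != want) bad++ }
        END { exit !(n > 0 && bad == 0) }'
}

# Match the server base package by exact name, wherever it appears in the
# list, instead of relying on it being the first line of output.
# Usage: rpm -qa | sds_pkg_ok 6.4.0-15
sds_pkg_ok() {
    grep -qxF "idsldap-srvbase64bit64-$1.x86_64"
}

# Run all three checks against the live system with the levels from this guide.
verify_sds_levels() {
    rc=0
    /opt/ibm/ldap/V6.4/java/bin/java -version 2>&1 | java_build_ok sr16fp26 ||
        { echo "Java is not at SR16 FP26" >&2; rc=1; }
    gsk8ver_64 | gskit_version_ok 8.0.50.84 ||
        { echo "GSKit is not at 8.0.50.84" >&2; rc=1; }
    rpm -qa | sds_pkg_ok 6.4.0-15 ||
        { echo "SDS server package is not at 6.4.0-15" >&2; rc=1; }
    return $rc
}
```

Call verify_sds_levels as root after the last update step; a non-zero return means at least one component is still at an older level.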

Creating and configuring SDS instance

  1. Create the directory server instance (replace the placeholders with values that fit your needs; if you are fine with the provided values, remove the <> from the command before executing it, except for the passwords)

     /opt/ibm/ldap/V6.4/sbin/idsicrt \
         -I <isamldap> \
         -a <4538> \
         -c <4539> \
         -e <encrypt seed> \
         -g <encrypt salt> \
         -p <1389> \
         -s <1636> \
         -l </sdsdata/isaminst> \
         -r "<SDS instance for ISAM>"

    Where

    • -I name of SDS instance
    • -a admin server port
    • -c admin server secure port
    • -e encryption seed
    • -g encryption salt
    • -p ldap port
    • -s ldap secure port
    • -l location where instance configuration will be stored
    • -r description of the instance
  2. Configure the database for the isamldap SDS instance (replace the placeholders with values that fit your needs; if you are fine with the provided values, remove the <> from the command before executing it, except for the passwords)

     /opt/ibm/ldap/V6.4/sbin/idscfgdb \
         -n \
         -I isamldap \
         -a isamdb2i \
         -t isamdb2i \
         -w <password> \
         -l /db2data/isamdb2i

    Where

    • -n run in no-prompt mode (required with -w)
    • -I name of SDS instance (must match the value you used in the previous command)
    • -a DB2 admin ID
    • -l location where the DB instance data will be stored
    • -t name of the database
    • -w password of DB2 admin ID
  3. Configure the primary administrator for the isamldap SDS instance

     /opt/ibm/ldap/V6.4/sbin/idsdnpw \
         -I <isamldap> \
         -u <cn=root> \
         -p <password for user cn=root>

    Where

    • -I name of SDS instance (must match the value you used in the previous command)
    • -u the name of the primary instance administrator (best practice to use cn=root)
    • -p the password value for user cn=root
  4. Create the top entry in the instance (suffix)

     /opt/ibm/ldap/V6.4/sbin/idscfgsuf -I isamldap -s <o=ibm,c=hu>

    Where

    • -I name of SDS instance (must match the value you used in the previous command)
    • -s the suffix string to be added
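
The encryption seed and salt given to idsicrt with -e and -g in step 1 are key material for the instance, so they should be random rather than typed by hand. The following added example (not part of the original guide) generates and validates both; the function names are hypothetical, and the length and character limits in the comments are assumptions to check against the idsicrt documentation.

```shell
#!/bin/sh
# Added example, not from the original guide. Assumed limits (check them
# against the idsicrt documentation for your fix level): characters in
# ASCII 33..126, seed 12..1016 characters, salt exactly 12 characters.

# gen_secret LEN: print LEN random characters from [A-Za-z0-9].
gen_secret() (
    n=$1
    s=$(head -c $((n * 32)) /dev/urandom | LC_ALL=C tr -dc 'A-Za-z0-9' | head -c "$n")
    [ "${#s}" -eq "$n" ] || exit 1    # fail rather than return a short value
    printf '%s' "$s"
)

# printable VALUE: succeed if every character is in ASCII 33..126.
printable() {
    [ $(printf '%s' "$1" | LC_ALL=C tr -d '!-~' | wc -c) -eq 0 ]
}

# Validators for values that were chosen by hand or come from another source.
valid_seed() { printable "$1" && [ "${#1}" -ge 12 ] && [ "${#1}" -le 1016 ]; }
valid_salt() { printable "$1" && [ "${#1}" -eq 12 ]; }

# Generate both values and confirm they pass before handing them to idsicrt:
#   /opt/ibm/ldap/V6.4/sbin/idsicrt -I isamldap ... -e "$seed" -g "$salt" ...
seed=$(gen_secret 32) && salt=$(gen_secret 12) || exit 1
valid_seed "$seed" && valid_salt "$salt" && echo "seed and salt generated"
```

Passing the values through shell variables keeps them out of the shell history, but they remain visible in the process list while idsicrt runs.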