In this chapter, we are moving a GWIA to a new Linux server. Since we never run a GWIA on a server remote from its owning domain, that means we also must move our domain to the new Linux server. It’s also possible that this domain owns other gateways like a WebAccess Agent. If this is the case, and if you plan on moving the WebAccess Agent to the new Linux server as well, we can do this all at one time. However, if you only wanted to move the GWIA to the new Linux server, and leave the WebAccess Agent on your source server, you would essentially not be moving a domain to the new Linux server at all. Rather, you would be creating a new domain and GWIA on the new Linux server. If this is your situation, stop now and go to the Chapter entitled “Creating a New Domain on Linux to Relocate a Gateway”.
In the “Preparing your New Linux Server” chapter, we installed the DBCopy utility that we use to move the data from the source server to the new Linux server. Additionally, during the setup of your server, you installed ncpfs, which allows us to attach to a NetWare server via NCP and/or smbfs which allows us to attach to a Windows server to copy the data. The steps we will take are as follows
- Create a mount point for the source server. Technically, we do not need to create a mount point if your are moving your GWIA from one Linux server to another. We will do the copy of the files with scp (Secure Copy) when we get to the section on copying the files.
- Unload the existing Message Transfer Agent (MTA) for this domain. We will need exclusive access to the domain database, so we must also unload the GWIA and any other gateways that belong to this domain.
- Rename the domain directory to avoid any accidental access while we are relocating the domain.
- Ensure that all file and directory names for the domain are lowercase.
- Copy the domain directory structure from it’s current location to the new Linux server using DBCopy or scp.
- Load ConsoleOne and edit the domain location, agent address and link information if necessary.
- Configure the MTA on you new Linux server.
- Load the MTA with a GUI console for the relocated domain for testing.
- Verify that the MTA is communicating with any post offices it owns, and any other domains for which it has direct links.
- Install the GWIA software and configure the GWIA.
- Load the GWIA with a GUI console for testing.
- Unload the MTA and GWIA, and reload them as daemons.
So, let’s see how this all works.
Create a Mount Point for the NetWare Server
If you are moving your domain from NetWare, you need to attach to the NetWare server from your new Linux server. To mount the NetWare volumes into your Linux file system, perform the following steps:
- On the new Linux server, open up a terminal window.
- “su root” to become root for this session.
- Create a directory structure for your mount point. For our purposes, we have created /mnt/gw1 as the mount point for our NetWare server that is named gw1. It is suggested that you replace gw1 with the actual name of your NetWare server for ease of recognition later.
- We have chosen to connect to our NetWare server via ncpfs. To mount the NetWare server via ncpfs, issue the following command
ncpmount -S server -A 184.108.40.206 -U userid -P password /mnt/gw1
replacing your server name for “server” and your server’s IP address for 220.127.116.11. For example
ncpmount -S gw1 -A 192.168.100.200 -U danita.cnc -P password /mnt/gw1
NOTE: You might wonder about the “user.context” vs. “.user.context” in this example. While “.user.context” works on some versions of Linux, it fails on others. In my testing, “user.context” has always worked on all versions. You might keep this in mind if you experience any problems authenticating with ncpmount.
This will actually mount all volumes from the NetWare server to this location. So, if we cd to /mnt/gw1 will will see a directory called SYS, one called GWDATA, and any other volumes that are on that server.
Create a Mount Point for the Windows Server
If you are moving your domain from Windows, you need to attach to the Windows server from your new Linux server. To mount the Windows drives into your Linux file system, perform the following steps:
- On the new Linux server, open up a terminal window.
- ”su root” to become root for this session.
- Create a directory structure for your mount point. For our purposes, we have created /mnt/gw1 as the mount point for our Windows server that is named gw1. It is suggested that you replace gw1 with the actual name of your Windows server for ease of recognition later.
- We have chosen to connect to our Windows server via cifs. To mount the Windows server via cifs, issue the following command:
mount -t cifs //server/d$ /mnt/name -o username=user,password=password, domain=domain or workgroup
This command is all one line, and there is no space between the comma following password and the word domain. You can use the entire drive (d$) or a specific share name. We like to use the drive (d$) when possible, but the share works as well. If for some reason you have difficulty mounting by by server name, you can substitute the IP address of the Windows server in the //server/d$ portion (i.e. //192.168.100.201/d$).
So, for example, our command would be
mount -t cifs //192.168.100.228/d$ /mnt/gw1 -o username=danita,password=pass,domain=caledonia
Unload the MTA
First of all, go to the server where your MTA is loaded for the domain that you are moving:
- NetWare: press F7 at the agent console to unload the agent
- Windows: if the agent is running as an Application, you can also press F7, or use the File Menu and Exit. If the agent is running as a Service, you must stop the agent from the services applet.
- Linux: use rcgrpwise command. For example:
rcgrpwise stop DomainName
If you are not certain of the name that is defined for your domain in the rcgrpwise script, first run:
This will show you all agents that the rcgrpwise script controls. Find the name for your MTA and then issue the stop command for your MTA.
Also make sure that no administrators are accessing the domain database through ConsoleOne.
Unload Your GWIA and Any Other Gateways
Like the MTA, your GWIA and any other gateways that are running under this domain must be unloaded. The instructions are the same as for the MTA. Press F7 where appropriate to unload the gateways, shut down the services on Windows, or stop the daemons on Linux. Make sure all gateways have been shut down before you proceed.
Copy the Files to New Linux Server
After the MTA is unloaded, we will prepare to copy the domain structure to the new Linux server. Let’s look at the current directory structure of our domain. Figure 5-1 shows the domain directory for our domain. Notice that on NetWare and Windows, most files and directories are in all uppercase (this is also dependent on your GroupWise version and more recent versions create everything lowercase to avoid problems down the road).
All files and directories for the domain and post office on Linux must be all lowercase, otherwise the agents will simply not see the “proper” file and will fail to load. Prior to loading the MTA on our new Linux server, we will need to change the case of all files and directories for the domain. We will use DBCopy for this purpose. If you are moving your domain from one Linux server to another, your file names are already all lowercase, and you will not need to concern yourself with this step.
Once we are ready to move the domain directory structure to our new Linux server, we will rename the domain directory to avoid any accidental access by administrators using ConsoleOne, NWADMIN, etc. DBCopy makes no changes to the original files in the domain directory. If needed, you could simply rename your domain directory back to its original name and load your MTA back up on the source server.
NOTE: Make sure that you prune out unneeded log files, files in the problem directories, etc. The gwprob directory under the GWIA is especially prone to a lot of unneeded files. We’ve seen YEARS worth of files in this directory during health checks. Clean out all of the junk, and the copy of your domain will fly!
If you are moving your domain from one Linux server to another, there is very little reason to use DBCopy. Instead, you can simply use scp to copy the files over ssh. In order to use scp, you would issue a command like this:
scp -r /currentdomain user@newserver:/location
The -r switch tells scp to copy all subdirectories recursively from our current domain location to the requested location on the new server, and which user to log in as for the copy.
For example, if our current domain is at /grpwise/domains/cnc2.old (which we have now renamed to avoid accidental access), and it will go to server gw2 at /grpwise/domains/cnc2, our scp command would look like this:
scp -r /grpwise/domains/cnc2.old danita@gw2:/grpwise/domains/cnc2
If you ever have issues connecting to a source server from your Linux server by name, you can always replace the server name with the server’s IP address in the command. So, for example, danita@gw2 or firstname.lastname@example.org are both valid ways to use this command.
After you have copied your files over to the new server, skip down to “Edit Important information in ConsoleOne” and continue from there.
From NetWare or Windows
For those of you moving from NetWare or Windows, you will find that DBCopy on the Linux server does not run well from any directory other than /opt/novell/groupwise/agents/bin so we will cd to that location to run the utility. Run DBCopy to copy your files from the source server to the Linux location like this:
./dbcopy -m -d
so for our situation it would be
./dbcopy -m -d /mnt/gw1/GWDATA/domains/cnc2.old /grpwise/domains/cnc2
This will copy all needed data from the old domain directory into the directory structure that we’ve indicated for the destination. In our case, we have chosen to locate our domain in /grpwise/domains/cnc2.
The -m switch copies the files over in all lower case. The -d switch tells DBCopy that it is migrating a domain. Generally this will not take long at all to perform the copy. Unless you have many files in your existing MTA queues, there is not really much to copy!
Now that your domain directory has been migrated to the new Linux server, we need to edit the location of the domain directory and fix some information in the agent’s network address configuration.
Since it’s a good exercise to learn to access ConsoleOne directly on your Linux server, we’ll do that for this task.
- When we installed ConsoleOne earlier, the installation routine should have created a shortcut to the application on your desktop. If you cannot find this shortcut, we can load the application by hand simply by running /usr/ConsoleOne/bin/Consoleone.
- The first time you launch ConsoleOne for Linux with GroupWise snapins, you will be presented with a screen like Figure 5-2.
- Assuming you wish to have your GroupWise server mount points in /mnt, leave the setting as it is and click okay. This mount point location for GroupWise is very important, and we discuss this in detail in the chapter entitled “Tips and Tricks for GroupWise on Linux”.
- You should now be presented with a login prompt. If for some reason the login prompt does not appear, click on NDS under My World, and then click on the tree icon in the toolbar. Log into your tree as you normally would if this were a Windows workstation. Note, however, that if you cannot find the tree, putting the IP address of one of the eDirectory servers in the tree field should help you with that. On our systems, sometimes the login box seems to not allow us to click in the password field to enter a password. If that happens, simply attempt to login with no password. You will receive an error that the password is incorrect, but then the login box will refresh and correct itself.
- Once you have logged into your tree, click on the “GroupWise System” next to the Globe.
- Now, from the menu choose Tools|GroupWise System Operations|Select Domain.
- Enter the Linux location for your domain. In our case, we put our domain in /grpwise/domains/cnc2. You can also browse for your domain directory if necessary.
- Once GroupWise opens the domain database, you should see your GroupWise system under the globe. This is a really good time to point out that you will be required to open your domain every time you load ConsoleOne on Linux. Unlike on Windows, where ConsoleOne remembers where your domain last was and automatically connects you back to the last domain you accessed, ConsoleOne on Linux requires you to go through the Tools|GroupWise System Operations|Select Domain process each time. You will find this particularly frustrating once you see that this location is remembered for you and filled into the Select Domain field, but will not automatically connect until you perform these steps.
- Right-click on the GroupWise domain you have moved to your new Linux server, and choose Properties.
- For now, you will see that your domain says it is location somewhere like /mnt/gw1/GWDATA/domains/CNC2 (which is the source server location in your mount point). Change this to reference the actual Linux path in the UNC Path field – you can browse for this if necessary. In our case our path is /grpwise/domains/cnc2. Note that this really isn’t a UNC path, but we will change this later when we discuss mount points and UNC paths in the “Tips and Tricks for GroupWise on Linux” chapter. When you have your Linux path in this field, click OK.
- Now, in the dropdown list that shows “Users”, change the setting to “Message Transfer Agents.”
- Find the MTA for your domain, right-click and choose Properties.
- On the first screen, change the Platform to Linux.
- Now click on the triangle in the GroupWise tab and change to Network Address. Here you must change the IP address to that of the new Linux server.
- Before you leave the Network Address tab, make special note of the HTTP port that is defined for this agent. By default, the HTTP port for the MTA is 7180. As we noted earlier in this book, since we will not have a GUI console for the MTA, you will want to ensure that you have the HTTP monitor configured properly so that you can access it for monitoring your MTA. If there is nothing in the HTTP port field, put 7180 (or another port of your choosing).
- Now, on the GroupWise tab, change to the Agent Settings screen. Notice the HTTP Monitor settings. If you have never enabled the HTTP monitors for your agents, you will need to decide on a good userid and password for the HTTP monitors. Please note that this is neither an eDirectory user nor a GroupWise user. This is an entirely made up user and password solely for the use of the HTTP monitors. If all administrators in your organization will have rights to use the HTTP monitors, then it is a good idea to have the same userid and password for all agents. If you need to limit rights to some agents to various groups, set up a userid and password for each group of agents that will be monitored. Enter the userid and password that you have decided on here in this screen.
- On the GroupWise tab, change to the log settings. If you have a custom path for the log settings, remove it. While it is technically okay to make a new custom path for your Linux agent logs, unless you have an overriding reason to have the logs somewhere other than the default, it’s best to just leave this field blank.
- On the GroupWise tab, change to the Message Log Settings tab. As above, delete any custom location you may have defined there.
- If you use SSL to communicate between agents, you will need to regenerate your GroupWise SSL Certificate for this server and make the changes on the SSL settings tab.
You can find information on generating your SSL certificates for GroupWise at http://www.novell.com/documentation/gw8/gw8_admin/data/adqul6f.html. This information is for GroupWise 8.Similar information can be found for all versions of GroupWise, but the instructions for GroupWise 8 are the same as prior versions.
- After you have made all of the above changes, click OK to save the settings.
Configuring the MTA on Your New Linux Server
Now we will go back and configure the agent for your new Linux server. The configuration process will create a new startup file for the MTA, and configure the agent to launch upon startup.
In a terminal window, go back to the location where you extracted your GroupWise distribution above in “Preparing your New Linux Server”. Run the install script as root. For example:
gwlinux:/grpwise # ./install
- Choose Install Products.
- Choose GroupWise Agents.
- Choose Configure Agents.
- At the License Agreement screen, accept the license.
- The next screen will look very familiar to GroupWise administrators (see Figure 5-3). This is where we list the agents that will run on this server to create startup files and the startup script for Linux.
While we are looking at this screen, we should explain its usage so that it’s more easily understood the next time you encounter it. There are a few misconceptions about what is done here, and what you need to put in this location, so we will try to clear those up.
First, this screen is a template for creating new agent startup files (for example the cnc2.mta file), and for configuring your gwha.conf file. Let’s take the example of our groupwise system. Our domain is called CNC. If we want to create a new startup file for the CNC file, and place it in our gwha.conf (provided that we checked the option above to “Launch the GroupWise agents on system startup”), we would click the Add button as shown in Figure 2-3 and enter the information for our domain.
- Enter the information for your domain, using the local Linux path (see Figure 5-4)
By entering this information, we are instructing the installation routine to create us a startup file called cnc2.mta with a –home switch of “/grpwisedomains/cnc2, place it in the /opt/novell/groupwise/agents/share directory and include the information in the gwha.conf file.
- After your domain information is entered, click next to move on to the startup screen.
- You will be asked if you wish for your agent to load on startup. This box is already checked, but really just looks like a red box. You will notice that if you click on the box, it becomes white (unchecked) and clicking again will recheck the box. It is advisable to have your agents load on startup.
- Click Exit to leave this setup, and then click the Exit icon (at the bottom right of the screen) to leave the GroupWise installation program.
When you perform these tasks, a startup file is created for the domain’s MTA, and if you chose to launch on startup, symbolic links were created in the proper run level directories to start the agent automatically. Looking at the /opt/novell/groupwise/agents directory you will see directories named bin, lib and share. Under bin you will see the agent executables, as well as default startup templates. Under the share directory are a couple of directories, and the cnc2.mta startup file that was created by our installation. Let’s run this agent now and see what it looks like.
Starting the GroupWise MTA with the GUI for Testing
The first time we start a new agent on a Linux server, we like to start it with a GUI console to test that everything is working properly. It’s important to know that you will not run your agents with the GUI console as standard practice. We will load our MTA up for the first time with the GUI console solely to verify that there are no problems with our installation.
The easiest way to start the GUI agent is as follows:
From a terminal window, change to the /opt/novell/groupwise/agents/bin directory. From here, type the following:
./gwmta –show @cnc2.mta &
This should bring up the agent screen as shown in Figure 5-5.
If this domain owns any post offices, and you had them configured as “mapped” or “UNC” locations, the post offices will be closed, as you can see in this figure. If we choose Configuration|Status, we see that these post offices had their link configuration as “mapped” before. Now that we are on a different server, we need to fix this. Of course, if your MTA and POA were talking IP prior to the domain move, your post offices should come up and be just fine. This example is merely to show what might happen if you have direct links.
- Configuration Status showing Post Office Closed
- Back in ConsoleOne (/usr/ConsoleOne/bin/ConsoleOne if you’ve closed it down), right-click on the domain and choose GroupWise Utilities|Link Configuration.
- From the menu choose View|Post Office Links.
- Double-click on the Post Office that cannot be accessed, and fix the link. It should, of course, be a TCP/IP connection, pointing to the IP address and port on the old NetWare server. See Figure 5-7
If all goes according to plan, your MTA will now show your POA open. Verify all of the links for this MTA (other post offices and domains). We will leave the MTA loaded with the GUI Console now while we install and configure the GWIA.
Now that the MTA for this domain is up and running in testing mode, we will continue to install the GWIA software and configure the GWIA on this server.
In a terminal window, go back to the location where you extracted your GroupWise distribution above in Preparing Your Server. Run the install script as root. For example:
gwlinux:/grpwise # ./install
- Choose Install Products.
- Choose GroupWise Internet Agent
- Choose Install Internet Agent. The software will install and you will be presented with an “OK” screen when the installation has finished.
- Now choose Configure Internet Agent.
- When prompted, accept the License agreement
- At the server information enter the information for your GWIA (See Figure 5-8). Note the Message Transfer Port. This is the port that the GWIA would listen on if you were talking IP to the MTA. The only reason you would enter this information is if you have multiple GWIAs and are providing for failover. Most sites will leave this at 0. In no case should you put 25 in this port field. Otherwise your GWIA will not work at all! You must also put in the DNS host name of your GWIA here.
- At the relay host screen indicate whether you send directly to the internet, or put in the information for your relay host.
- At the Internet Domain Name screen, put in your domain name. For example, caledonia.net. You can also choose to enter this later in ConsoleOne, but since you know the information it’s quicker to do it here.
- At the Domain Directory screen, put in the local Linux path location for your domain. Also verify the directory name for your GWIA. This is typically just “gwia”.
- Next you must authenticate to your eDirectory tree via LDAP. This is necessary even if you are already logged into eDirectory in ConsoleOne. It is easier if your LDAP server allows for clear-text passwords. Otherwise you must check the “Use SSL” box and have your certificate available to this server.
TIP: If you need to temporarily allow access to your LDAP server without SSL, edit the LDAP Group for the LDAP server in ConsoleOne and uncheck the box that says “Require TLS for simply binds with password”. You can turn it back on afterwards. Of course, if you have easy access to the SSL Certificate on your Linux server, you will not need to bother with this.
- At the Gateway screen, you will see the name of your GWIA (typically just GWIA), and you will be asked to enter the LDAP context for your GroupWise domain. You can browse for this if you like. See Figure 5-9.
- Now, indicate that you want the GWIA to load at startup, and click Exit, and then exit from the GroupWise installation application.
- Compare the gwia.cfg from your source server to the new gwia.cfg in the /opt/novell/groupwise/agents/share directory to ensure that all of the settings are as you desire. Note that whereas on NetWare or Windows the gwia.cfg used switches starting with a slash (/home, /dhome, etc.) on Linux these start with a double-dash (–home, –dhome, etc.).
- If you have special Access Control Rules defined, these are located in the gwac.db file. If you have moved your GWIA to this server, then these rules will have moved with you. If you are returning to this section from the Chapter on “Creating a New Domain on Linux to Relocate a Gateway”, then you need to copy this gwac.db file from the original gateway directory to the GWIA directory on the new Linux server.
Starting the GroupWise Internet Agent with the GUI for Testing
As with the MTA, the first time we start a new GWIA on a Linux server, we like to start it with a GUI console to test that everything is working properly. It’s important to know that you will not run your GWIA with the GUI console as standard practice. We will load our GWIA up for the first time with the GUI console solely to verify that there are no problems with our installation.
The easiest way to start the GUI agent is as follows:
From a terminal window, change to the /opt/novell/groupwise/agents/bin directory. From here, type the following:
./gwia –show @gwia.cfg &
This should bring up the agent screen as shown in Figure 5-10.
As long as the GWIA looks okay, we can unload both the GWIA and the MTA (which is still loaded in GUI mode above) by pressing F7 and the console windows, and reload them as daemons.
A few things to remember about moving a GWIA.
- You may need to change your MX records if the public IP address for your GWIA will change due to the move to the new server. Otherwise, you may have to change the natting at your firewall, or change the IP address that an anti-spam appliance or other GWIA front-end sends to.
- You may need to change the firewall settings for outbound SMTP if you limit the IP addresses on your network that are allow to sent mail on port 25.
- If your outbound IP address will change for your GWIA, you should also have your PTR (reverse dns lookup) changed to reflect this, as well as any SPF records that are maintained for your domain.
Starting Your MTA and GWIA as Daemons
When you configured your MTA above, a couple of scripts were created for GroupWise. One is in the /etc/init.d directory named grpwise, and can only be called from that directory. The other is rcgrpwise, which is essentially in your “search path” and can be called from any location. If you go to a terminal window and type
your MTA and GWIA will be launched. The options for this script are:
- rcgrpwise start (starts the agents)
- rcgrpwise stop (stops the agents)
- rcgrpwise status (shows the status of the agents).
The rcgrpwise script handles MTAs, POAs, GWIAs and WebAccess Agents. We will see more on how the rcgrpwise script works in the “Tips and Tricks for GroupWise on Linux” chapter.
Important Information If You Create a New GWIA
If you came to this section from the chapter on “Creating a New Domain on Windows to Relocate a Gateway”, there are a few things you should check about your GWIA prior to creating a new one.
- If your current GWIA relies heavily on gateway aliases and you decide to create a new GWIA rather than moving the current one, you will need to be careful when you create the new GWIA to ensure that all of your gateway aliases continue to work. If you are on GroupWise 7.0 or GroupWise 8.0, we strongly recommend that you get rid of your gateway aliases. The best way to do this is to use the Gateway Alias Migration tool in ConsoleOne. This is new with GroupWise 7.0, and while it is conceivable that you are moving your GroupWise 6.5 system to Linux, we sincerely hope that you are upgrading to at least GroupWise 7.0 (even better 8.0) before you do your move to NetWare! Changing the Gateway Alias Type for the new GWIA to match the old GWIA should allow your existing Gateway Aliases continue to work.
- Another “legacy” option for the GWIA that can cause difficulties when creating a new GWIA is that some older versions of GroupWise allowed administrators to treat the GWIA like a post office, and create “external system users” under the gateway. If such a situation exists in your organization, you would need to convert those users to users under an external foreign domain before you move the GWIA. Otherwise the users would not be accessible. Information on this is found on the Novell documentation site at http://www.novell.com/documentation/gw65/gw65_admin/data/bsy1t7v.html. There is, of course, similar information in the documentation for GroupWise 7 and GroupWise 8.
Loading the HTTP Monitor
Now, since we have enabled out HTTP Monitor, we can verify that both the MTA and the GWIA are loaded by going to the monitor screens in a browser. For the MTA, go to http://server:7180. For the GWIA, go to http://server:9850.
Your domain is moved and your MTA and GWIA are up and running. If this domain also owns a WebAccess Agent (GroupWise 8.0 or earlier), you can jump ahead to “Domain Directory Structure” in the chapter regarding “Moving WebAccess – Linux” to install the WebAccess Agent software and configure your WebAccess agent.