OES 2018 Quick Start Guide For Administrators – Changes you should know about

The latest release of Micro Focus Open Enterprise Server, Open Enterprise Server 2018, comes with a set of new features, as well as performance and security enhancements. More details on what is coming in OES 2018 can be found in the accompanying ‘What’s New’ article. Key updates include SMB stack enhancements such as SMB 3.0 encryption, Mac platform support enhancements, NSS enhancements, and a brand new Cloud Integrated Storage (CIS) feature, which is being introduced as a technical preview. Along with this, the underlying SLES platform is updated to SLES 12 SP2 and we now include eDirectory 9.0.3. iPrint for OES 2018 is also available as an add-on, which will allow hosting iPrint Appliance capabilities on OES. The new user interfaces, colours, and logos in OES 2018 give a fresh look and feel to the product. In this article we take a quick look at some key changes that existing OES administrators should be aware of with respect to OES 2018.

Platform level changes

Beginning with OES 2018, OES is installed only through the OES Install Media, a single integrated install that includes both SLES and OES. The SLES Mini ISO cannot be used to install OES 2018, and support for the add-on install is deprecated. There is no SLES product available in OES 2018; the SLES product is deprecated by OES. However, the operating system identification is not affected and stays as it is, so any third-party software that checks files such as /etc/os-release or /etc/SuSE-release for compatibility should still see SLES information.

SLES12 SP2 and OES 2018 update channels are both now available via NCC. Access to these channels is controlled ONLY by the OES Registration Key, and the OES server needs to talk only to NCC to obtain updates for the entire OES system. This enables us to qualify all patches for OES servers, including SLES patches, before they are released on the patch channels and reach customers’ OES servers. There should be no more cases of a base kernel update or a base Apache update impacting OES production servers. SLES patches for OES servers will also follow the OES patch cadence.

Two new patterns, Cloud Integrated Storage (CIS) and Cloud Integrated Storage (CIS) Data Scale, are available. CIS allows the movement of cold data to cloud or object store based on policy, with seamless user access to the data. To install and configure a CIS server, select the CIS pattern, which can be installed independently without any additional OES pattern. The CIS Data Scale pattern will be supported in future for installing an additional data server for scaling. CIS is currently a Technical Preview only; please refer to the EULA before using it in a production environment.

The Btrfs filesystem is the default filesystem for the root (/) partition on SLES12 SP2. However, in OES we have made EXT4 the default file system because eDirectory does not support the Btrfs file system at this time. The administrator can still choose Btrfs for the root partition, provided that the eDirectory DIB path is configured to not be on Btrfs.

Systemd replaces the traditional System V init daemon in OES 2018. It is a new way of managing services: instead of init scripts you will find unit files. Init commands will continue to work for now, as SLES provides backward compatibility. Unlike earlier behaviour, services should not be started by running the binary directly, because systemd will have no view of the process and will report incorrect status and behaviour. Even though cluster scripts for some services, such as DFS, DNS and DHCP, refer to the binary directly, we have taken care of this by making appropriate changes in OES 2018, so all existing cluster scripts should work seamlessly in a mixed node cluster environment.

The iSCSI service is disabled by default on SLES12 SP2. With the iSCSI service down, the SBD partition might not be available, which can cause NCS (Cluster Services) to not come up after an upgrade. Ensure the iSCSI service is enabled and up after the upgrade.
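
A post-upgrade check for the two systemd notes above, as an added example that is not part of the original article or of OES: it reports whether the iSCSI unit is enabled and active, and flags a daemon that is running while systemd considers its unit inactive (the symptom of starting a binary directly). The unit name iscsi.service, the ISCSI_UNIT variable and the UNIT:PROCESS pairs passed to main are assumptions; substitute the names used on your servers.

```shell
#!/bin/sh
# Added example: post-upgrade checks for the systemd and iSCSI notes above.
# iscsi.service is an assumed unit name; override with ISCSI_UNIT if yours differs.

# unit_state UNIT: print "<is-enabled> <is-active>" as reported by systemctl
unit_state() {
    en=$(systemctl is-enabled "$1" 2>/dev/null) || true
    ac=$(systemctl is-active "$1" 2>/dev/null) || true
    echo "${en:-unknown} ${ac:-unknown}"
}

# check_boot_unit UNIT: succeed only if UNIT is both enabled and active
check_boot_unit() {
    state=$(unit_state "$1")
    if [ "$state" = "enabled active" ]; then
        echo "OK   $1: $state"
        return 0
    fi
    echo "FAIL $1: $state (enable and start it before expecting NCS to come up)"
    return 1
}

# check_untracked UNIT PROCESS: fail if PROCESS is running while systemd
# does not consider UNIT active, i.e. the binary was started directly
check_untracked() {
    ac=$(systemctl is-active "$1" 2>/dev/null) || true
    if [ "$ac" != "active" ] && pgrep -x "$2" >/dev/null 2>&1; then
        echo "WARN $2 is running but $1 is '${ac:-unknown}' (started outside systemd?)"
        return 1
    fi
    return 0
}

# main [UNIT:PROCESS ...]: check iSCSI, then each unit/process pair given
main() {
    rc=0
    check_boot_unit "${ISCSI_UNIT:-iscsi.service}" || rc=1
    for pair in "$@"; do
        check_untracked "${pair%%:*}" "${pair#*:}" || rc=1
    done
    return "$rc"
}

# Run only when asked, e.g.: sh oes-postcheck.sh --run myunit.service:mydaemon
if [ "${1:-}" = "--run" ]; then
    shift
    main "$@"
fi
```
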


eDirectory 9.0.3

eDirectory 9.0.3 is now included in OES 2018. It comes with many new features and performance enhancements, and resolves several known issues. Customers benefit from features like Proxied Authorization Control and monitoring through LDAP, an Enhanced Nested Group feature and better sync performance. For now, however, security features such as SuiteB support, EBA (Enhanced Background Authentication) and FIPS (Federal Information Processing Standard 140-2 Certification) are not supported on OES.

Prior to OES 2018, we had OpenSSL 0.9.8x on OES and consequently only TLS 1.0 was supported. With both eDirectory and SLES now coming with OpenSSL 1.0.2, all OES services that previously supported only TLS 1.0, including eDirectory, now support TLS 1.2.

NSS

As part of the NSS pattern, three CIS agent services (oes-cis-agent.service, oes-cis-recall-agent.service and oes-cis-scanner.service), including a kernel module, are installed and a schema extension for the new CIS attribute is attempted. The attribute stores information about the CIS server, which the CIS agent services use to discover the CIS server and register themselves. The services will be seen running even if a CIS server is not configured in your environment. In that case they only do a periodic lookup for the CIS configuration attribute in eDirectory, performing a few eDirectory read operations before going back to sleep. They do not open any port unless the CIS server is configured.

iManager and nssmu no longer provide the option to create NSS32 pools. By default, all newly created pools are of NSS64 type, and the nlvm command also creates NSS64 pools by default. You can create an NSS32 pool only by explicitly specifying NSS32 via the nlvm command.

64-bit ZID support is now available on OES 2018, and with it new salvage/purge NCP verbs have been added for 64-bit ZID. For all local volumes, and for shared volumes in a homogeneous cluster environment, 64-bit ZID support is enabled by default. In a mixed node cluster, the administrator can choose to force enable 64-bit ZID using the nsscon/nss command. Also note that if May 2017 or later patches are applied on OES 11 SP2/SP3 or OES 2015/SP1, then 64-bit ZID can also be force enabled.

Further, the nss utility is now enhanced to support all the existing and new commands that the nsscon utility supports.

DSfW (Domain Services for Windows)

DSfW now supports the AD2012 schema and functions, and other enhanced security features. The functional level upgrade updates some aspects of the domain controllers that are part of a DSfW domain. It happens when all domain controllers are installed with or upgraded to OES 2018 DSfW. The eDirectory or LDAP schema is extended with the new schema when the Primary Domain Controller is upgraded to OES 2018.

Services or Packages not available on OES 2018

  • CASA (Common Authentication Service Adapter): The CASA store is no longer available due to the removal of Mono from SLES12 SP2. OCS (OES Credential Store) replaces CASA. It provides oescredstore, which is similar to CASACli, and only the root user has access to the credential store. As part of the upgrade, the common proxy password will be reset and stored in OCS. We recommend that all services be configured with common proxy prior to upgrade. If a service proxy is still needed for specific services, configure the service proxy after upgrading for the services to work.
  • 32-bit packages: All OES services run as 64-bit applications, except for SMS (backup engine) and NRM (Remote Manager). 32-bit packages of SMS and NRM and their dependent packages are retained. All other OES 32-bit packages that were made available in prior releases have been removed.
  • Modules and Extensions: OES 2018 does not include Modules and Extensions from SLES12 SP2.  A few of the packages from the containers module and web and scripting modules, like Docker, containerd and PHP5 are included as they are needed by CIS and NURM.
  • iFolder: iFolder has been deprecated and is no longer part of OES 2018. Micro Focus Filr replaces iFolder for most use-cases. If you are still using iFolder and have use-cases which you think are not supported by Filr, drop a note to the OES Product Manager (pmadhan@microfocus.com or OES@microfocus.com) and we’ll get in touch to understand your issues and identify a way forward.

 

This article was first published in Open Horizons Magazine, Issue 39, 2017/4, p7-8.