Access Manager has three services that can be stopped and started: the Identity Server, the Access Gateway, and the embedded service provider within the Access Gateway. Normally, you do not need to stop and start these services. However, if you need to change certain configuration options, you can be prompted to update the Identity Server or to restart the embedded service provider.
The following sections explain how to update, stop, start, and schedule a restart of the various Access Manager components:
Whenever you change an Identity Server configuration, the system prompts you to update the configuration. An
status is displayed under the column on the Servers page. You must click to update the configuration so that your changes take effect. When clicked, this link sends a reconfigure command to all servers that use the configuration. The servers then begin the reconfiguration process. This process occurs without interruption of service to users who are currently logged in.
When you update a configuration, the system blocks inbound requests until the update is complete. The server checks for any current requests being processed. If there are such requests in process, the server waits five seconds and tests again. This process is repeated three times, thus waiting up to fifteen seconds for these requests to be serviced and cleared out. After this period of time, the update process begins. Any remaining requests might have errors.
During the update process, all settings are reloaded with the exception of the base URL. In most cases, user authentications are preserved; however, there are conditions during which some sessions are automatically timed out. These conditions are:
A user logged in via an authentication contract that is no longer valid. This occurs if an administrator removes a contract or changes the URI that is used to identify it.
A user logged in to a user store that is no longer valid. This occurs if you remove a user store or change its type. Changing the LDAP address to a different directory is not recommended, because the system does not detect the change.
A user received authentication from an identity provider that is no longer trusted. This occurs if you remove a trusted identity provider or if the metadata for the provider changed.
Additionally, if you remove a service provider from an identity provider, the identity provider removes the provided authentication to that service provider. This does not cause a timeout of the session to occur.
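The timeout conditions above can be checked before you apply an update. The following is an added example, not Access Manager code: the `Session` and `Config` records, the contract URIs, and the sample data are hypothetical and constructed for illustration. It lists the sessions a proposed configuration would time out, and separately flags user stores whose LDAP address changed, where the text says the change is not detected and sessions authenticated against the old directory remain.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Session:             # hypothetical record of one logged-in user
    user: str
    contract_uri: str      # URI that identifies the authentication contract
    user_store: str        # name of the user store the user logged in to
    idp: str = ""          # trusted identity provider, empty for a local login

@dataclass(frozen=True)
class Config:              # hypothetical snapshot of an Identity Server configuration
    contracts: frozenset   # contract URIs
    user_stores: dict      # name -> (store type, LDAP address)
    trusted_idps: dict     # name -> metadata fingerprint

def sessions_timed_out(old, new, sessions):
    """Map user -> reasons for each session the update would time out."""
    hits = {}
    for s in sessions:
        reasons = []
        if s.contract_uri not in new.contracts:
            reasons.append("contract removed or URI changed")
        before, after = old.user_stores.get(s.user_store), new.user_stores.get(s.user_store)
        if after is None:
            reasons.append("user store removed")
        elif before is not None and before[0] != after[0]:
            reasons.append("user store type changed")
        if s.idp and s.idp not in new.trusted_idps:
            reasons.append("identity provider no longer trusted")
        elif s.idp and old.trusted_idps.get(s.idp) != new.trusted_idps[s.idp]:
            reasons.append("identity provider metadata changed")
        if reasons:
            hits[s.user] = reasons
    return hits

def undetected_store_changes(old, new):
    """Same store type, new LDAP address: not detected, so sessions survive."""
    return sorted(n for n, (kind, addr) in new.user_stores.items()
                  if n in old.user_stores and old.user_stores[n][0] == kind
                  and old.user_stores[n][1] != addr)

# Constructed sample data (all names, URIs and addresses are made up)
C1, C2 = "urn:example:contract:basic", "urn:example:contract:secure"
OLD = Config(frozenset({C1, C2}), {"hr": ("ldap-a", "ldaps://10.0.0.5"),
             "ext": ("ldap-b", "ldaps://10.0.0.9")}, {"partner-idp": "fp-1"})
NEW = Config(frozenset({C2}), {"hr": ("ldap-a", "ldaps://10.0.0.77")},
             {"partner-idp": "fp-2"})
SESSIONS = [Session("alice", C1, "hr"), Session("bob", C2, "ext"),
            Session("carol", C2, "hr", "partner-idp"), Session("dave", C2, "hr")]
```

In the sample, `dave` keeps his session even though the `hr` store now points at a different directory, which is the case the text advises against.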
Changes to the SAML and Liberty protocol profiles can result in the trusted provider having outdated metadata for the Identity Server being reconfigured. This necessitates an update at the other provider and might cause unexpected behavior until that occurs.
In the Administration Console, click > , then click the tab.
Select the Identity Server configuration, then click .
This link is available only when you have made changes that require a server update.
Starting and stopping an Identity Server terminates active user sessions. These users receive a prompt to log in again.
In the Administration Console, click > and select the Identity Server to stop.
Click .
Wait for the to change from to .
Select the Identity Server, then click .
When the changes to , click .
The status icon of the Identity Server should turn green.
When a configuration change has been made, but not applied, the Access Gateway is in an status on the Access Gateways page. If the Access Gateway is a member of a cluster, the cluster is in an status. You can click to apply the configuration change to a single Access Gateway or to apply the configuration change to all members of a cluster.
If the changes have been saved to browser cache, but not to the configuration store, the changes are lost if your session times out before you apply the changes. The Access Gateway remains in an status, but when you click , there are no changes to apply. If you prefer to update members of a cluster one at a time, it is best to save the changes to the configuration datastore before applying them. Click , then click .
When you click , three options are displayed:
When you have modified services of the Access Gateway, the update option for is available. Depending upon what has been modified, updating might cause logged-in users to lose data and their connections.
When the ESP logging settings have been modified on the Identity Server, the update option for is available. The option causes no interruption in services.
If a policy is modified that the server has enabled for a protected resource or a protected resource has a policy enabled or disabled and the policy changes are the only modifications that have occurred, the update option for is available. The Policy Settings option causes no interruption in services.
When you make the following configuration changes, the option is the only option available and your site will be unavailable while the update occurs:
The Identity Server configuration that is used for authentication is changed ( > > then select a different value for the option).
A different reverse proxy is selected to be used for authentication ( > > , then select a different value for the option).
The protocol or port of the authenticating reverse proxy is modified ( > > > , then change the SSL options or the port options).
The published DNS name of the authentication proxy service is modified ( > > > > , then modify the option).
To stop and start the Access Gateway service provider:
In the Administration Console, click > , then select the Access Gateway, then click .
Click > , then click .
In a few seconds, the icon of the Access Gateway should turn green.
When an Access Gateway is removed from a cluster configuration, the embedded service provider is stopped. It should remain stopped until you have reconfigured the Access Gateway. When you have finished the reconfiguration, you should start the embedded service provider.
In the Administration Console, click > , then select the Access Gateway, then click .
Click > , then click .
In a few seconds, the Health icon of the Access Gateway should turn green.
Stopping the embedded service provider is a quick way to make the Access Gateway inaccessible to users.
In the Administration Console, click > , then select the Access Gateway, then click .
Click > , then click .
In a few seconds, the status icon of the Access Gateway should turn red.
Rebooting the Access Gateway makes all protected resources unavailable until the Access Gateway returns to a server status of green. The Access Gateway is stopped, and the operating system is rebooted.
In the Administration Console, click > , then select the Access Gateway.
Click .
In a few minutes, the status icon of the Access Gateway should turn green.
Rebooting the Access Gateway makes all protected resources unavailable until the Access Gateway returns to a server status of green. Scheduling this event allows you to pick the best time for your resources to be momentarily unavailable.
In the Administration Console, click > , select the Access Gateway, then click .
Click .
The following field displays information about the command you are scheduling.
Type: Displays the type of command that is being scheduled, such as .
Fill in the following fields:
Name Scheduled Command: (Required) Specifies a name for this scheduled command. This name is used in log and trace files.
Description: (Optional) Provides a field to describe the reason for the command.
Date & Time: The drop-down menus allow you to select the day, month, year, hour, and minute when the command should execute.
Click .
You should stop the Access Gateway only when you plan to turn off the power or to configure boot options for troubleshooting. After you have stopped the Access Gateway, you must have physical access to the machine to start it.
In the Administration Console, click > , select the Access Gateway, then click .
To confirm the shutdown, click .
The machine is physically turned off. Before you start the Access Gateway again, you can modify the boot options on a NetWare Access Gateway. For information about these boot options, see Section 40.3.1, Additional Options During the Boot Process.
You should stop the Access Gateway only when you plan to turn off the power or to configure boot options for troubleshooting. After you have stopped the Access Gateway, you must have physical access to the machine to start it. Scheduling this event allows you to pick the best time for the Access Gateway to be unavailable.
In the Administration Console, click > , select the Access Gateway, then click .
Click .
The following field displays information about the command you are scheduling.
Type: Displays the type of command that is being scheduled, such as .
Fill in the following fields:
Name Scheduled Command: (Required) Specifies a name for this scheduled command. This name is used in log and trace files.
Description: (Optional) Provides a field to describe the reason for the command.
Date & Time: The drop-down menus allow you to select the day, month, year, hour, and minute when the command should execute.
Click .
The machine is turned off when the scheduled command executes.
Before you start the Access Gateway again, you can modify the boot options on a NetWare Access Gateway. For information about these boot options, see Section 40.3.1, Additional Options During the Boot Process.