Apple SNOW LEOPARD 10.6 manual

A good instruction manual

The law requires the seller to give the buyer the Apple SNOW LEOPARD 10.6 instruction manual along with the product. A missing manual, or incorrect information given to the consumer, is grounds for a complaint that the product does not conform to the contract. The law allows the manual to be supplied in a form other than paper, which has become quite common lately: manufacturers provide a graphical manual, an electronic version of the Apple SNOW LEOPARD 10.6 manual, or instructional videos for users. The condition is that it be legible and understandable.

What is an instruction manual?

The name comes from the Latin word “instructio”, meaning to put in order. An Apple SNOW LEOPARD 10.6 manual therefore describes the steps of a procedure. The purpose of a manual is to teach, and to make it easier to start up or use a device or to carry out specific actions. An instruction manual is also a source of information about an object or a service; it is a guide.

Unfortunately, few users take the time to read Apple SNOW LEOPARD 10.6 manuals; yet a good manual lets us not only discover a number of additional features of the device we bought, but also avoid most faults.

So what should the perfect instruction manual contain?

Above all, an Apple SNOW LEOPARD 10.6 instruction manual should contain:
- information about the technical specifications of the Apple SNOW LEOPARD 10.6 device
- the manufacturer's name and the year of manufacture of the Apple SNOW LEOPARD 10.6 device
- conditions of use, configuration and maintenance of the Apple SNOW LEOPARD 10.6 device
- safety marks and certificates confirming its conformity with particular standards

Why don't we read instruction manuals?

Usually it is for lack of time and of certainty about particular features of the devices we buy. Unfortunately, connecting and switching on Apple SNOW LEOPARD 10.6 is not enough. The instruction manual always contains a series of pointers about particular features, safety rules, maintenance advice (including which products to use), possible faults of Apple SNOW LEOPARD 10.6 and ways to solve problems that may arise during use. Finally, a manual gives the details of Apple technical service in case the proposed solutions have not worked. Instruction manuals in the form of engaging animations or video manuals are currently popular, and they reach the user much better than a leaflet does. This kind of manual helps the user watch the whole video without skipping the specifications and the complicated technical descriptions of Apple SNOW LEOPARD 10.6, as people tend to do with a paper version.

Why is it worth reading instruction manuals?

Above all, it is in them that we find answers about the construction and capabilities of the Apple SNOW LEOPARD 10.6 device, the use of particular accessories, and a range of information that lets us take full advantage of its functions and conveniences.

After a successful purchase of a piece of equipment or a device, it is worth taking a moment to become familiar with every part of the Apple SNOW LEOPARD 10.6 manual. Manuals are now prepared and translated with care, so that they are not only understandable to users but also fulfil their basic function of informing and helping.

Instruction manual index

  • Page 1

    Mac OS X Server Advanced Server Administration Version 10.6 Snow Leopard[...]

  • Page 2

    Apple Inc. © 2009 Apple Inc. All rights reserved. The owner or authorized user of a valid copy of Mac OS X Server software may reproduce this publication for the purpose of learning to use such software. No part of this publication may be reproduced or transmitted for commercial purposes, such as selling copies of this publication or for p[...]

  • Page 3

    11 Preface: About This Guide 11 What’s in This Guide 12 Using Onscreen Help 13 Document Road Map 14 Viewing PDF Guides Onscreen 14 Printing PDF Guides 15 Getting Documentation Updates 15 Getting Additional Information 16 Chapter 1: System Overview and Supported Standards 16 System Requirements for Installing Mac OS X Server v10.[...]

  • Page 4

    4 Contents 33 Understanding Backup Types 34 Understanding Backup Scheduling 34 Understanding Restores 35 Other Backup Policy Considerations 36 Command-Line Backup and Restoration Tools 36 Understanding Time Machine as a Server Backup Tool 38 Chapter 3: Administration Tools 38 Server Admin 38 Opening and Authenticating in Server Admin [...]

  • Page 5

    Contents 5 58 Single Sign-On 59 About Certificates, SSL, and Public Key Infrastructure 59 Public and Private Keys 60 Certificates 60 About Certificate Authorities (CAs) 61 About Identities 61 About Self-Signed Certificates 61 About Intermediate Trust 62 Certificate Manager in Server Admin 64 Readying Certificates 65 Creating a Se[...]

  • Page 6

    6 Contents 84 About Starting Up for Installation 84 Before Starting Up 85 Starting Up from the Install DVD 85 Starting Up from an Alternate Partition 88 Remotely Accessing the Install DVD 90 About Server Serial Numbers for Default Installation Passwords 90 Identifying Remote Servers When Installing Mac OS X Server 91 Starting Up from a NetB[...]

  • Page 7

    Contents 7 124 Chapter 7: Ongoing System Management 124 Computers You Can Use to Administer a Server 124 Setting Up an Administrator Computer 125 Using a Non-Mac OS X Computer for Administration 126 Using the Administration Tools 126 Working with Pre-v10.6 Computers from v10.6 Servers 127 Ports Used for Administration 12[...]

  • Page 8

    8 Contents 159 Eliminating Single Points of Failure 160 Using Xserve for High Availability 161 Using Backup Power 161 Setting Up Your Server for Automatic Restart 162 Ensuring Proper Operational Conditions 162 Providing Open Directory Replication 163 Link Aggregation 164 About the Link Aggregation Control Protocol (LACP) 1[...]

  • Page 9

    Contents 9 188 Chapter 9: Push Notification Server 188 About Push Notification Server 189 Starting and Stopping Push Notification 190 Changing a Service’s Push Notification Server 191 Index[...]

  • Page 10

    10 Contents[...]

  • Page 11

    11 This guide provides a starting point for administering Mac OS X Server v10.6 using its advanced administration tools. It contains information about planning, practices, tools, installation, deployment, and more by using Server Admin. Advanced Server Administration is not the only guide you need when administering advanced mode server[...]

  • Page 12

    12 Preface About This Guide Using Onscreen Help You can get task instructions onscreen in Help Viewer while you’re managing Mac OS X Server v10.6. You can view help on a server or an administrator computer. (An administrator computer is a Mac OS X computer with Mac OS X Server v10.6 administration software installed on it.) To get t[...]

  • Page 13

    Preface About This Guide 13 Document Road Map Mac OS X v10.6 has a suite of guides which can cover management of individual services. Each service may be dependent on other services for maximum utility. The road map below shows some related documentation that you may need to fully configure your desired service to your specifications. [...]

  • Page 14

    14 Preface About This Guide Viewing PDF Guides Onscreen While reading the PDF version of a guide onscreen: • Show bookmarks to see the guide’s outline, and click a bookmark to jump to the corresponding section. • Search for a word or phrase to see a list of places where it appears in the document. Click a listed place to see the page wher[...]

  • Page 15

    Preface About This Guide 15 Getting Documentation Updates Periodically, Apple posts revised help pages and new editions of guides. Some revised help pages update the latest editions of the guides. • To view new onscreen help topics for a server application, make sure your server or administrator computer is connected to the Internet an[...]

  • Page 16

    16 Mac OS X Server gives you everything you need to provide standards-based workgroup and Internet services — delivering a world-class UNIX server solution that’s easy to deploy and easy to manage. This chapter contains information to make decisions about where and how you deploy Mac OS X Server. It contains general informatio[...]

  • Page 17

    Chapter 1 System Overview and Supported Standards 17 What’s New in Mac OS X Server v10.6 Mac OS X Server v10.6 offers major enhancements in several key areas: • Address Book Server: Mac OS X Server v10.6 introduces the first open standards-based Address Book Server. Based on the emerging CardDAV specification, which uses WebDAV [...]

  • Page 18

    • OpenCL support: Mac OS X Server v10.6 supports OpenCL and makes it possible for developers to use the GPU for general computational tasks. What’s New in Server Admin Included with Mac OS X Server v10.6 is Server Admin, Apple’s powerful, flexible, full-featured server administration tool. Server Admin is reinforced with im[...]

  • Page 19

    Chapter 1 System Overview and Supported Standards 19 The following table highlights the capabilities of each configuration tool.
    Service | Set in initial server setup | Server Preferences | Server Admin
    Address book | Optional | Yes | Yes
    Backup your data (websites, databases, calendar files, etc.) | No | No, use command-line tools and third-party [...]

  • Page 20

    Service | Set in initial server setup | Server Preferences | Server Admin
    Open Directory master (user accounts and other data) | Optional | Optional | Yes
    Podcast Producer | No | No | Yes
    Policies and managed preferences | No | Use Workgroup Manager | Use Workgroup Manager
    Print | No | No | Yes
    Push notification | Automatic | Automatic | Yes
    QuickTime Streaming | No | No[...]

  • Page 21

    Chapter 1 System Overview and Supported Standards 21 A standards-based directory services architecture offers centralized management of network resources using any LDAP server–even proprietary servers such as Microsoft Active Directory. The open source UNIX foundation makes it easy to port and deploy existing tools to Mac OS X Server.[...]

  • Page 22

    • Web Technologies: Mac OS X Server is a complete AMP stack (a bundle of integrated Apache-MySQL-PHP/Perl/Python software). Mac OS X Server web technologies are based on the open source Apache web server, the most widely used HTTP server on the Internet. With performance optimized for Mac OS X Server, Apache provides fast, reliable w[...]

  • Page 23

    Chapter 1 System Overview and Supported Standards 23 • XMPP: Extensible Messaging and Presence Protocol (XMPP) is an open XML-based messaging protocol used for messaging and presence information. XMPP serves as the basis for Mac OS X Server’s Push Notification service, as well as iChat Server, and all publish and subscribe functions [...]

  • Page 24

    24 Before installing and setting up Mac OS X Server do a little planning and become familiar with your options. The major goals of the planning phase are to make sure that: • Server user and administrator needs are addressed by the servers you deploy • Server and service prerequisites that affect installation and initial setup are ident[...]

  • Page 25

    Chapter 2 Planning Server Usage 25 During the planning stage, you’ll also decide which installation and server setup options best suit your needs. For example, Getting Started contains an example that illustrates server installation and initial setup in a small business scenario with the server in using Server Preferences. Determining Whethe[...]

  • Page 26

    If you’ve been planning to replace a Windows NT computer, consider using Mac OS X Server with its extensive built-in support for Windows clients. Make sure that administrators familiar with these other systems are part of the planning process. What are the characteristics of the network into which the server will be installed? • Do y[...]

  • Page 27

    Chapter 2 Planning Server Usage 27 • Home folders for network users can be consolidated onto one server or distributed among various servers. Although you can move home folders, you might need to change a large number of user and share point records, so devise a strategy that will persist for a reasonable amount of time. For information abo[...]

  • Page 28

    Defining a Migration Strategy If you’re using Mac OS X Server v10.4–10.5 or a Windows-based server, examine the opportunities for moving data and settings to Mac OS X Server v10.6. Upgrading and Migrating from an Earlier Version of Mac OS X Server If you’re using computers with Mac OS X Server v10.4 or v10.5, consider upg[...]

  • Page 29

    Chapter 2 Planning Server Usage 29 The first aspect primarily involves directory services integration. Identify which Mac OS X Server computers will use existing directories (such as Active Directory, LDAPv3, and NIS directories) and existing authentication setups (such as Kerberos). For options and instructions, see the additional inform[...]

  • Page 30

    For example, if you use Mac OS X Server to provide DHCP, network time, or BootP services to other servers, you should set up the servers that provide these services and initiate the services before you set up servers that depend on those services. The amount of setup infrastructure you require depends on the complexity of your site and what y[...]

  • Page 31

    Chapter 2 Planning Server Usage 31 Making Sure Required Server Hardware Is Available You might want to postpone setting up a server until all its hardware is in place. For example, you might not want to set up a server whose data you want to mirror until all disk drives you need for mirroring are available. You might also want to wait unt[...]

  • Page 32

    Understanding Backup and Restore Policies There are many reasons to have a backup and restore policy. Your data is subject to failure because of failed components, natural or manmade disasters, or data corruption. Sometimes data loss is beyond your control to prevent, but with a backup and restore plan, you can restore your data. You nee[...]

  • Page 33

    Chapter 2 Planning Server Usage 33 Your organization must determine the following: • What must be backed up? • What should not be backed up (as per organization policy)? • How granular are the restoration needs? • How often is the data backed up? • How accessible is the data: in other words, how much time will it take to restore it? • What p[...]

  • Page 34

    Understanding Backup Scheduling Backing up files requires time and resources. Before deciding on a backup plan, consider the following questions: • How much data will be backed up? • How much time will the backup take? • When does the backup need to happen? • What else is the computer doing during that time? • What sort of resource allocation [...]

  • Page 35

    Chapter 2 Planning Server Usage 35 Consider the following questions: • How long will it take to restore data at each level of granularity? For example, how long will a deleted file or email take to restore? How long will a full hard disk image take to restore? How long would it take to return the whole network to its state three days ago?[...]

  • Page 36

    • Capacity. If you back up only a small amount of data, low-capacity storage media can do the job. But if you need to back up large amounts of data, use high-capacity devices, such as a RAID. • Speed. When your goal is to keep your server available most of the time, restoration speed becomes a big factor in deciding which type of media to [...]

  • Page 37

    Chapter 2 Planning Server Usage 37 For example, Time Machine doesn’t back up user and group directory records, email, DNS records, Address Book shared groups, iCal Server calendars, and so forth. It only saves the settings made in Server Preferences and Server Admin, and whether a service is on or off. The following service settin[...]

  • Page 38

    38 Manage Mac OS X Server using graphical applications or command-line tools. Mac OS X Server v10.6 administration applications must be run from either Mac OS X Server v10.6 or Mac OS X v10.6. Server Admin You use Server Admin to administer services on Mac OS X Server computers. Server Admin also lets you specify settings that suppor[...]

  • Page 39

    Chapter 3 Administration Tools 39 Server Admin Interface The Server Admin interface is shown here, with each element explained in the following table. [Figure: Server Admin interface, callouts A to O] A Server List: Shows servers, groups, smart groups, and if desired, the administered services for each server. You select a group to view a status summary f[...]

  • Page 40

    D Main Work Area: Shows status and configuration options. This looks different for each service and for each context button selected. E Available servers: Lists the local-network scanner, which you can use to discover servers to add to your server list. F All Servers: Shows all computers added to Server Admin, regardless of status. G Ser[...]

  • Page 41

    Chapter 3 Administration Tools 41 Server Assistant Server Assistant is used for: • Remote server installations • Initial setup of a local server • Initial setup of remote servers • Preparing data for automated setup The Server Assistant initial page is shown here. Server Assistant is opened from the Server menu of Server Admin. T[...]

  • Page 42

    Server Preferences Server Preferences is the simplified administration application you need for managing Mac OS X Server v10.6. You can use Server Preferences in addition to or instead of Server Admin and Workgroup Manager: • Manage basic user and group settings. • Configure essential service settings such as: file sharing servic[...]

  • Page 43

    Chapter 3 Administration Tools 43 Workgroup Manager Interface The Workgroup Manager interface is shown here, with each element explained in the following table. [Figure: Workgroup Manager interface, callouts A to J] A Server Admin: Click to open the Server Admin application. B Settings Buttons: Click Accounts to view or edit account settings, or click Preferences to vie[...]

  • Page 44

    Customizing the Workgroup Manager Environment There are several ways to tailor the Workgroup Manager environment: • To open Workgroup Manager Preferences, choose Workgroup Manager > Preferences. You can configure options such as if DNS names are resolved, if the Inspector is enabled, if you need to enter a search query to [...]

  • Page 45

    Chapter 3 Administration Tools 45 To identify the Xserve computer to monitor, click Add Server, identify the server, and enter user name and password information for an administrator of the server. If adding the local server, use ’127.0.0.1’ for the IP address. If adding a remote server, enter the server’s LOM hostna[...]

  • Page 46

    iCal Service Utility iCal Service Utility gives users access to shared information about locations and resources. Users can use iCal Service Utility to set up information about shared resources and locations for use with iCal Service. iCal Service Utility Interface The iCal Service Utility interface is shown here, with each element exp[...]

  • Page 47

    Chapter 3 Administration Tools 47 System Image Management You can use the following Mac OS X Server applications to set up and manage NetBoot and NetInstall images: • System Image Utility creates Mac OS X disk images. It’s installed with Mac OS X Server software in the /Applications/Server/ folder. The System Image Utility interface i[...]

  • Page 48

    Command-Line Tools If you’re an administrator who prefers to work in a command-line environment, you can do so with Mac OS X Server. From the Terminal application in Mac OS X, you can use the built-in UNIX shells (sh, csh, tcsh, zsh, bash) to use tools for installing and setting up server software and for configuring and monitoring ser[...]

  • Page 49

    Chapter 3 Administration Tools 49 Podcast Capture, Composer, and Producer Podcast Capture takes audio and video from a local or remote camera, captures screen activity, or uploads QuickTime files into Podcast Producer for encoding and distribution. Podcast Composer creates the workflow instructions for Podcast Producer. Xgrid Admi[...]

  • Page 50

    Apple Remote Desktop Apple Remote Desktop (ARD), which you can optionally purchase, is an easy-to-use network-computer management application. It simplifies the setup, monitoring, and maintenance of remote computers and lets you interact with users. The ARD interface is shown here. You can use ARD to: • Control and observe computer screens. [...]

  • Page 51

    51 By vigilantly adhering to security policies and practices, you can minimize the threat to system integrity and data privacy. Mac OS X Server is built on a robust UNIX foundation that contains many security features in its core architecture. State-of-the-art, standards-based technologies protect your server, network, and data. These tec[...]

  • Page 52

    About Network Security Network security is as important to data integrity as physical security. Although someone might immediately see the need to lock down an expensive server, he or she might not immediately see the need to restrict access to the data on that same server. The following sections provide considerations, techniques, and te[...]

  • Page 53

    Chapter 4 Enhancing Security 53 This allows an organization to provide services to the external network while protecting the internal network from being compromised by a host in the DMZ. If someone compromises a DMZ host, he or she cannot connect to the internal network. The DMZ is often used to connect servers that need to be accessible fr[...]

  • Page 54

    In theory, MAC filtering allows a network administrator to permit or deny network access to hosts and devices associated with the MAC address, although in practice there are methods to avoid this form of access control through address modification (spoofing) or the physical exchange of network cards between hosts. Transport Encrypt[...]

  • Page 55

    Chapter 4 Enhancing Security 55 Most transport encryption requires the participation of both parties in the transaction. Some services (such as SMTP mail service) can’t reliably use such techniques, so encrypting the file itself is the only method of reliably securing the file content. To learn more about file encryption, see “Abou[...]

  • Page 56

    • Secure VM: Secure VM encrypts system virtual memory (memory data temporarily written to the hard disk), not user files. It improves system security by keeping virtual memory files from being read and exploited. • Disk Utility: Disk Utility can create disk images whose contents are encrypted and password protected. Disk images act [...]

  • Page 57

    Chapter 4 Enhancing Security 57 In Mac OS X Server, users trying to access services (like logging in to a directory-aware workstation, or trying to mount a remote volume) must authenticate by providing a login name and password before privileges for the users can be determined. You have several options for authenticating users: • Open [...]

  • Page 58

    • Web Service (Apache via the SPNEGO Simple and Protected GSS-API Negotiation Mechanism protocol) • Xgrid • Storing passwords in user accounts. This approach might be useful when migrating user accounts from earlier server versions. However, this approach may not support clients that require network-secure authentication protocols, su[...]

  • Page 59

    Chapter 4 Enhancing Security 59 Kerberos also provides a single sign-on environment where users must authenticate only once a day, week, or other period of time, easing authentication loads for users. Mac OS X Server and Mac OS X versions 10.3 through 10.6 support Kerberos version 5. About Certificates, SSL, and Public Key Infrastruct[...]

  • Page 60

    Web, mail, and directory services use the public key with SSL to negotiate a shared key for the duration of the connection. For example, a mail server will send its public key to a connecting client and initiate negotiation for a secure connection. The connecting client uses the public key to encrypt a response to the negotiation. The mai[...]

  • Page 61

    Chapter 4 Enhancing Security 61 About Identities Identities are a certificate and a private key, together. The certificate identifies the user, and the private key corresponds to the certificate. A single user can have several identities; for any given user each certificate could have a different name, email address, or issuer.[...]

  • Page 62

    Several keychains can hold certificates: • SystemRootCertificates: This keychain holds root certificates that ship with Mac OS X. The certificates already have trust given to them. • System: This keychain holds certificates that the computer administrator can add. All users on a given client can read from this keychain. The trust set[...]

  • Page 63

    Chapter 4 Enhancing Security 63 The Server Admin interface is shown below, with Certificates selected. Certificate Manager provides integrated management of SSL certificates in Mac OS X Server for services that allow the use of SSL certificates. On installation, the server creates a self-signed certificate for immediate use from inf[...]

  • Page 64

    When certificates and keys are imported via Certificate Manager, they are put in the /etc/certificates/ directory. The directory contains four PEM formatted files for every identity: • The certificate • The public key • The trust chain • The concatenated version of the certificate plus the trust chain (for use with some serv[...]

  • Page 65

    Chapter 4 Enhancing Security 65 Creating a Self-Signed Certificate A self-signed certificate is generated at server setup. Although it is available for use, you may want to customize the information in the certificate, so you would create a new self-signed certificate. This is especially important if you plan on having a CA sign your ce[...]

  • Page 66

    4 Click the Action button below the certificates list and choose “Generate Certificate Signing Request (CSR).” Certificate manager creates the signing request and shows the ASCII text version in the sheet. 5 Click Save to save the CSR to the disk. Your CA will have instructions on how to transfer the CSR to the signer. Some CAs requi[...]

  • Page 67

    Chapter 4 Enhancing Security 67 5 If you override the defaults, provide the following information in the next few screens: • A unique serial number for the root certificate • The number of days the CA functions before expiring • The type of user certificate this CA is signing • Whether to create a CA website for users to access for CA cer[...]

  • Page 68

    Using a CA to Create a Certificate for Someone Else You can use your CA certificate to issue a certificate to someone else. By doing so you are stating you want to be a trusted party that can certify the identity of the certificate holder. Before you can create a certificate for someone, that person must generate a CSR. The user c[...]

  • Page 69

    Chapter 4 Enhancing Security 69 7 Click the Import button. If prompted, enter the private key passphrase. Managing Certificates After you create and sign a certificate, you won’t do much more with it. Since certificates cannot be edited, you can either delete, replace, or revoke certificates after they are created. You cannot c[...]

  • Page 70

    For instructions on how to do this, see “Replacing an Existing Certificate” on page 71. Distributing a CA Public Certificate to Clients If you’re using self-signed certificates, a warning appears in most user applications saying that the CA is not recognized. Other software, such as the LDAP client, refuses to use SSL if the [...]

  • Page 71

    Chapter 4 Enhancing Security 71 5 Click Save. Renewing an Expiring Certificate Certificates have an expiration date and must be renewed periodically. Renewing a certificate is the same as replacing a certificate with a newly generated one with an updated expiration date. To renew an expiring certificate: 1 Request a new certificate fr[...]

  • Page 72

    SSH and SSH Keys SSH is a network protocol that establishes a secure channel between your computer and a remote computer. It uses public-key cryptography to authenticate the remote computer. It also provides traffic encryption and data integrity exchanged between computers. SSH is frequently used to log in to a remote machine to execute[...]

  • Page 73

    Chapter 4 Enhancing Security 73 The -b flag sets the length of the keys to 1,024-bits, -t indicates to use the RSA hashing algorithm, -f sets the file name as id_rsa, and -P followed by two single-quote marks sets the private key password to be null. The null private key password allows for automated SSH connections. Keys are equivalent to p[...]

  • Page 74

    $count = @{[$_ =~ /$match/g]}; if($count > 0) { $flag = 1; } } close SBUFF; if($flag == 1) { "ssh $server -x -o batchmode=yes shutdown -r now" } } Administration Level Security Mac OS X Server can use another level of access control for added security. Administrators can be assigned to services they can configure. These limitat[...]

  • Page 75

    Chapter 4 Enhancing Security 75 You can determine which services other admin group users can modify. To do this, the administrator making the determination must have full, unmodified access. The process for setting administration level privileges is found in “Tiered Administration Permissions” on page 149. Service Level Securit[...]

  • Page 76

    Security Best Practices Server administrators must make sure that adequate security measures are implemented to protect a server from attacks. A compromised server risks the resources and data on the server and risks the resources and data on other connected systems. The compromised system can then be used as a base to launch attacks on[...]

  • Page 77

    Chapter 4 Enhancing Security 77 • Do not use administrator (UNIX “admin” group) accounts for daily use. Restrict the use of administration privileges by keeping the admin login and password separate from daily use. • Back up critical data on the system regularly, with a copy stored at a secure off-site location. Backup media is of littl[...]

  • Page 78

    Creating Complex Passwords
    Use the following tips to create complex passwords:
    • Use a mix of alphabetic (upper and lower case), numeric, and special characters (such as ! and @).
    • Don’t use words or combinations of words found in a dictionary of any language.
    • Don’t append a number to an alphabetic word (for example, “wacky2”[...]

  • Page 79

    Whether you install Mac OS X Server on a single server or a cluster of servers, there are tools and processes to help the installation and deployment succeed. Some computers come with Mac OS X Server software already installed. Other computers need the server software installed. For example, installing Mac OS X Server v10.6 on a com[...]

  • Page 80

    Step 3: Set up the environment
    If you are not in complete control of the network environment (DNS servers, DHCP server, firewall, and so forth) coordinate with your network administrator before installing. A functioning DNS system with full reverse lookups and a firewall to allow configuration constitute a minimum for the setup envi[...]

  • Page 81

    Chapter 5 Installation and Deployment 81
    • “Installing Remotely with Server Assistant” on page 101
    • “Installing Remotely with Screen Sharing and VNC” on page 102
    • “Using the installer Command-Line Tool to Install Server Software” on page 104
    Step 7: Set Up Services
    Restart from the target disk to proceed to setup. For mo[...]

  • Page 82

    Setting Up Network Services
    Before you can install, you must set up the following for your network service:
    • DNS: You must have a fully qualified domain name for each server’s IP address in the DNS system. The DNS zone must have the reverse-lookup record for the name and address pair. Not having a stable, functioning DNS system with [...]

  • Page 83

    Mac OS X Server Install Disc
    The Install Disc has a Documentation folder with Getting Started, Installation & Setup Worksheet, and a Read Me file. It also contains an Other Installs folder, which has the following installer packages:
    • ServerAdministrationSoftware.mpkg: Use this package to inst[...]

  • Page 84

    When you install and set up Mac OS X Server on a computer that has a display and keyboard, it’s already an administrator computer. To make a computer with Mac OS X into an administrator computer, you must install additional software.
    Important: If you have administrative applications and tools from Mac OS X Server v10.4 or earlier, do[...]

  • Page 85

    Starting Up from the Install DVD
    This is the simplest method of starting the computer, if you have physical access to the server and it has a DVD drive.
    [Figure: Installer application or installer tool in Terminal application]
    If the target server is an Xserve with a built-in DVD drive, start the server using the I[...]

  • Page 86

    However, if you are reinstalling regularly, or if you are creating an external FireWire drive-based installation to take to various computers, or if you need some other kind of mass distribution (such as clustered Xserves without DVD drives installed), this method can be very efficient. This method is suited to installing on computers that yo[...]

  • Page 87

    4. Select File > New > Disk Image from <device>.
    5. Give the image a name; select Read-only, Read/Write, or Compressed as the image type; and then click Save.
    6. After the image is complete, select the image from the list on the left.
    7. In the menu, select Images > Scan Images for Restore.
    8. [...]

  • Page 88

    Tip: You can use asr to restore a disk over a network, multicasting the blocks to client computers. Using the multicast server feature of asr, you could put a copy of the installer image on a partition of all computers that can receive the multicast packets. For example, restoring an image called Installer.dmg to the partition Extra[...]

  • Page 89

    This is usually the first eight characters of the server’s built-in hardware serial number. For more information about this password, see “About Server Serial Numbers for Default Installation Passwords” on page 90.
    To access the computer with VNC:
    1. Start the target computer from the Insta[...]

  • Page 90

    2. Identify the target server. If you don’t know the IP address and the remote server is on the local subnet, you can find servers using the command line. For more information about this process, see “Identifying Remote Servers When Installing Mac OS X Server” on page 90.
    3. Use the Terminal to open a secure shell connection to the t[...]

  • Page 91

    You can use the dns-sd tool to identify computers on the local subnet where you can install server software. Enter the following from a computer on the same local network as the server:
        dns-sd -B _sa-rspndr._tcp.
    This command returns the IP address and the EthernetID (in addition to other information) o[...]

  • Page 92

    Step 1: Create a NetInstall image from the Install DVD
    This step doesn’t need to be done on the target computer. It can be done on an administrator computer that has enough free space to image the entire Install DVD.
    Step 2: Start up the computer from the NetBoot server
    There are four ways of doing this, depending on your environment[...]

  • Page 93

    If you’re using an installation disc for Mac OS X Server v10.6, you can perform these tasks from another networked computer using VNC viewer software, such as Apple Remote Desktop, before beginning a clean installation.
    WARNING: Before partitioning a disk, creating a RAID set, or erasing a disk or [...]

  • Page 94

    A case-sensitive volume is supported as a start volume format. An HFSX file system for Mac OS X Server must be specifically selected when erasing a volume and preparing a disk before initial installation. If you are planning to use NFS, you should use case-sensitive HFSX. An HFSX volume can be case sensitive or case insensitive. Case sensitivi[...]

  • Page 95

    Partitioning a Disk
    You can use the Installer to open Disk Utility and then use Disk Utility to partition the installation target disk into desired volumes. You can erase the target volume using the Mac OS Extended format, Mac OS Extended (Journaled) format, Mac OS Extended format (Case-Sensitive) [...]

  • Page 96

    Additional information about diskutil and other uses can be found in Introduction to Command-Line Administration. For complete command syntax for diskutil, consult the tool’s man page. The specific command issued depends on your disk format needs and the hardware in use. Take care to use command-line arguments that apply to your speci?[...]

  • Page 97

    You can combine RAID sets to combine their benefits. For example, you can create a RAID set that combines the fast disk access of a striped RAID set and the data protection of a mirrored RAID set. To do this, create two RAID sets of one type and then create a RAID set of another type, using the first t[...]

  • Page 98

    5. Drag the disks to the window.
    6. Follow the instructions in the window to set parameters.
    7. Click Create.
    You can find instructions for partitioning the hard disk into multiple volumes, creating a RAID set, and erasing the target disk or partition by viewing Disk Utility Help. To view Disk Utility Help, open Disk Utility on another M[...]

  • Page 99

    Erasing a Disk or Partition
    You have several options for erasing a disk, depending on your preferred tools and your computing environment:
    • Erasing a disk using Disk Utility: You can use the Installer to open Disk Utility and then use it to erase the target volume or another volume. You can erase[...]

  • Page 100

    Installing Locally from the Installation Disc
    You can install Mac OS X Server directly onto a computer with a display, a keyboard, and a DVD drive attached, as shown in the following illustration:
    [Figure: Installer application or installer tool in Terminal application]
    If you have an Install DVD, the optical drive must be able to read DVD discs.[...]

  • Page 101

    After installation is complete, the target server restarts and you can perform initial server setup. Chapter 6, “Initial Server Setup,” on page 108 describes how.
    Installing Remotely with Server Assistant
    To install Mac OS X Server on a remote server from the server Install DVD, installat[...]

  • Page 102

    3. Select the target server from the list of servers waiting for installation. If neither the target server nor the list appear, make sure the target server is on the same local subnet as the administrator computer.
    4. If the target computer is not on the same local subnet as the administrator computer, add the server manually.
       a. Choose Ins[...]

  • Page 103

    For detailed instructions for connecting to a computer running from an Install DVD, see “Remotely Accessing the Install DVD” on page 88.
    Important: If you perform an upgrade, make sure that saved setup data won’t be detected and used by the server. If saved setup data is used, the serve[...]

  • Page 104

        sudo shutdown -r now
        # Method 2
        sudo systemsetup -liststartupdisks
        sudo systemsetup -setstartupdisk <path to disk root>
    Using the installer Command-Line Tool to Install Server Software
    You use the installer tool to install server software on a local or remote computer from the command line. For information about installer, see the i[...]

  • Page 105

    4. If you haven’t already done so, prepare the disks for installation. For more information about preparing the disks for installation, see “Preparing Disks for Installing Mac OS X Server” on page 92. If the target volume has the latest Mac OS X Server v10.5 or 10.4.11 installed, when [...]

  • Page 106

    Installing Multiple Servers
    Most Efficient Methods of Installation
    The most efficient method of installation would be completely automated. Opening the Terminal application and using the installer tool to initiate each server software installation doesn’t accomplish this efficiently. However, scripting the command-line tool (using kno[...]

  • Page 107

    Upgrading a Computer from Mac OS X to Mac OS X Server
    This is not supported in Mac OS X Server v10.6. Perform a clean installation instead.
    How to Keep Current
    After you’ve set up your server, you’ll want to update it when Apple releases server software updates. There are several ways to [...]

  • Page 108

    Basic characteristics of your Mac OS X Server are established during server setup. The server can operate in three different configurations: advanced, standard, and workgroup. After installing server software, the next task is to set up the server. There are several ways to set up a server:
    • Set up servers interactively.[...]

  • Page 109

    Chapter 6 Initial Server Setup 109
    If you’re setting up a server without a keyboard or display, you can enter the following in the Terminal application to shut down the server remotely:
        sudo shutdown now
    Connecting to the Network During Initial Server Setup
    Before setting it up for the first time, try to place a server in its na[...]

  • Page 110

    • Default SSH and Apple Remote Desktop state is enabled.
    • Network interfaces (ports) are configured.
    • TCP/IP and Ethernet settings are defined for each port you want to activate.
    • Network names are defined.
    • The primary DNS name and computer name are defined by the administrator, and local hostname is derived from the computer name[...]

  • Page 111

    • Import Users and Groups
      This setting connects the server to an existing Open Directory or Active Directory system, importing the users and groups from an existing directory system. You can import Open Directory users or Active Directory users. You must provide a directory administrator name and passwo[...]

  • Page 112

    Even if you want to change the server’s directory setup, selecting “Configure Manually” is the safest option, especially if you’re considering changing a server’s shared directory configuration. Changing from hosting a directory to using another server’s shared directory or vice versa, or migrating a shared NetInfo dom[...]

  • Page 113

    To interactively connect to an additional directory server:
    1. Open the Accounts pane of System Preferences on your server.
    2. Click Login Options and then click Open Directory Utility.
    3. Click the Add (+) button, and then choose the directory server from the pop-up menu or enter the directory server ?[...]

  • Page 114

    The following illustration shows target servers on the same subnet as the administrator computer in one scenario and target servers on a different subnet in the other scenario. Both setup scenarios can be used to set up servers on the same and different subnets.
    [Figure labels: Subnet 1, Subnet 2, Welcome]
    If a target server is on a di[...]

  • Page 115

    If the computer you want to configure doesn’t appear in the list, you can add it manually by clicking the Add button and supplying the requested information.
    6. Remove computers from the configuration list that you don’t want to set up by selecting them and clicking the Remove button.
    7. Authenticat[...]

  • Page 116

    The automatic approach is useful when you:
    • Have more than a few servers to set up
    • Want to prepare for setting up servers that aren’t yet available
    • Want to save setup data for backup purposes
    • Need to reinstall servers frequently
    You can keep backup copies of setup data files on a network file server. Alternatively, you can[...]

  • Page 117

    You can define generic setup data that can be used to set up any server. For example, you can define generic setup data for a server that’s on order, or to configure 50 Xserve computers you want to be identically configured. You can also save setup data that’s tailored for a server.
    Important[...]

  • Page 118

    Using Encryption with Setup Data Files
    Saved setup data can be encrypted for extra security. Before a server sets itself up using encrypted setup data, it must have access to the passphrase used when the data was encrypted. For interactive setup, the passphrase is entered using Server Assistant during setup. If you want to store the passwo[...]

  • Page 119

    If setup data is encrypted, the server needs the correct passphrase before setting itself up. You can use Server Assistant to supply the passphrase interactively, or you can supply the passphrase in a file containing the passphrase in the same folder as the corresponding auto setup profile but wi[...]

  • Page 120

    To use setup data from a file remotely:
    1. Create the folder for the setup file on the remote server.
       a. Connect to the remote server.
              ssh root@<server address>
       b. Create the saved setup folder on the remote server.
              mkdir "/Auto Server Setup"
    2. Copy the saved setup file from the administrator computer to the remote target computer [...]

  • Page 121

    Handling Setup Errors
    When a server encounters a setup problem, Server Assistant shows a description of the setup error, and gives some opportunity to either fix it or try again. If you are setting up the target server remotely, you are given the option to share its screen and interact via the Server Assi[...]

  • Page 122

    Setting Up Services
    After installation and initial startup, the first time you open Server Admin, you see any services that were configured during server setup listed underneath the server’s name in the server list. If no services were configured during server setup, Server Admin prompts you to select the services you want to con?[...]

  • Page 123

    Setting Up Open Directory
    Unless your server must be integrated with another vendor’s directory system or the directory architecture of a server you’re upgrading needs changing immediately, you can begin using the directories you configured during server setup. The online help and Mac OS X Server [...]

  • Page 124

    This chapter shows you how to complete ongoing management for your systems, including setting up administrator computers, designating administrators, and maintaining service uptime. Read the following sections as a basic introduction to Mac OS X Server management:
    • “Computers You Can Use to Administer a Server” on page 124[...]

  • Page 125

    Chapter 7 Ongoing System Management 125
    In the following illustration, the arrows originate from administrator computers and point to servers the administrator computers might be used to manage.
    [Figure labels: Mac OS X Servers; Mac OS X administrator computer]
    When you’ve installed and set up a Mac OS X Server that has a display, keyboard, and optical dr[...]

  • Page 126

    Using the Administration Tools
    Information about administration tools can be found on the pages indicated in the following table.
    Use this application or tool | To | See
    Command-line tools | Administer a server using a UNIX command shell. | “Command-Line Tools” (page 48)
    iCal Service Utility | Add locations and resources to your iCal server. | “i[...]

  • Page 127

    You can use Workgroup Manager on a v10.6 server to manage Mac OS X clients running the latest Mac OS X v10.5. However, after you edit a user record using Workgroup Manager on v10.6, you can only access it using Workgroup Manager on v10.6.
    Ports Used for Administration
    For Apple’s administ[...]

  • Page 128

    Server Admin Basics
    You use Server Admin to administer services on Mac OS X Server computers. Server Admin also lets you specify settings that support multiple services, such as creating and managing SSL certificates and specifying which users and groups can access services.
    Adding and Removing Servers in Server Admin
    The servers you [...]

  • Page 129

    If a server in the Servers list appears gray, double-click the server or click the Connect button in the toolbar to log in again. To enable auto-reconnect the next time you open Server Admin, select the “Remember this password in my keychain” while you log in.
    Grouping Servers Manually
    Server[...]

  • Page 130

    • IP address
    • OS version
    To create a server smart group:
    1. Under the Server list at the bottom of the Server Admin window, click the Add (+) button.
    2. Select Add Smart Group.
    3. Name the smart group.
    4. Define the criteria that servers will appear in the list and click OK.
    The group appears in the Server list.
    Working with Settings for [...]

  • Page 131

    The following table contains a summary of what you find for each button:
    Toolbar button | Shows
    Overview | Information about the server’s hardware, software, services, and status.
    Logs | The system log and security systems log.
    Graphs | A pictorial history of server activity.
    Sharing | Configuration option[...]

  • Page 132

    Server-side file tracking for mobile home-sync is a feature of mobile home folders. For information about when to enable this feature, see the online help and Mac OS X Server Resources website at www.apple.com/server/macosx/resources/.
    • Network pane: Click Network to view or change the server’s computer name or local hostname, or to [...]

  • Page 133

    The following sections give guidance regarding the types of changes that will be necessary for a name or IP address change.
    Understanding Mac OS X Server Names
    Three names are used by Mac OS X Server: computer name, local hostname, and DNS name. They are used by different parts of the system for differ[...]

  • Page 134

    Your network configuration might have other domains, computers, and record types that are impacted by a server’s IP address change (SRV records, for instance). These other records should be examined thoroughly after any change to a server’s IP address. If the server is a DNS server, use the tool changeip to change the NS, A, and [...]

  • Page 135

    Changing the DNS name of the directory server requires that all bound machines be rebound to the new directory name and address. If you have set up a Kerberos environment, the Kerberos realm does not change when the hostname is changed.
    Firewall
    Changing the IP address of the Firewall can significan[...]

  • Page 136

    VPN
    VPN servers allocate IP address ranges to VPN clients and mediate DNS queries of VPN clients. Any of these can be affected by a change to the VPN server’s IP address or domain name. Additionally, the VPN server contains routing definitions based on IP addresses. A change to the IP address can make those routing addresses unreac[...]

  • Page 137

    MySQL
    In general, MySQL is not affected by changing an IP address or DNS name. However, none of the data in the databases is altered when the DNS name or IP address are changed. You are responsible for replacing references to the DNS name and address (if used) in your databases. If you set a data[...]

  • Page 138

    For the most part, changing the network address or DNS name of a file server has no internal effect on file services. The file service processes monitor network interfaces for changes and adapt as necessary without administrator intervention. No further configuration is required. A few places might need configuration settings chang[...]

  • Page 139

    IMAP and POP
    Dovecot, the IMAP and POP service, loads the fully-qualified domain name at startup and configuration reload. After a change, Dovecot must be restarted (or given a SIGHUP command, at a minimum). You must also restart if you manually edited the listen or ssl_listen parameters.
    SMTP
    Po[...]

  • Page 140

    Address Book Service
    Changing the IP address of an Address Book server does not affect new connections to the server; however, it can disconnect existing client connections. If you manually edited the BindHTTPPorts or BindSSLPorts options in the carddavd.plist file, edit them again and restart the service. Changing the DNS name of an [...]

  • Page 141

    Certificates for Collaboration Services
    AddressBook, iCal, and iChat servers that use SSL will need new certificates. You might need to regenerate or repurchase the certificates. Use Server Admin to import the new certificates, then configure each service’s new certificate.
    Understanding IP A[...]

  • Page 142

    To change the IP address of the Podcast Producer computer:
    1. Stop the Xgrid job queue when empty (or stop and empty it).
    2. Reconfigure DNS, Open Directory, DHCP, and other infrastructure services. For example, in DNS, change the A record IP address of the Podcast Producer server.
    3. Use changeip to change the IP address of the Podcast[...]

  • Page 143

    • Software Update Service
    • Xgrid
    After Software Update changes the DNS name or IP address, a number of changes must be made by the clients. However, the following guidelines for the server should be followed.
    Print
    Print service needs no changes if the IP address changes. If the DNS name chan[...]

  • Page 144

    Changing the IP Address of a Server
    You can change the IP address of a server using the Network pane of System Preferences or the networksetup tool. Do not turn off the primary network interface and then turn it back on with a different address. Several services will not get the needed notification to update their configuration.
    Changin[...]

  • Page 145

    You can use the scutil command-line tool to set the local hostname and local hostname. For more information, see the scutil man page. Do not use the changeip command-line tool to change computer names, even though the tool is still available.
    To change computer name and local hostname:
    Change the names[...]

  • Page 146

    Adding and Removing Services in Server Admin
    Server Admin can only show you the services you are administering, hiding all other service configuration panes until needed. Before you can administer a service, it must be enabled for the specific server; then that service appears under the server name in the main Server list.
    To ad[...]

  • Page 147

    Controlling Access to Services
    You can use Server Admin to configure which users and groups can use services hosted by a server. You set up access to services to users and groups using SACLs. You can set up the same access to all services, or you can select a service and customize its access [...]

  • Page 148

    Using SSL for Remote Server Administration
    You can control the level of security of communications between Server Admin and remote servers by choosing Server Admin > Preferences. By default, Server Admin treats communications with remote servers as encrypted using SSL. This uses a self-signed 128-bit certificate installed in /etc/[...]

  • Page 149

    The following is the File Sharing configuration pane in Server Admin.
    Tiered Administration Permissions
    In previous releases of Mac OS X Server, there were two classes of users: admin and everyone else. Admin users could make any change to the settings of any service or change any directory data inclu[...]

  • Page 150

    Server Admin updates to reflect what operations are possible for a user’s permissions. For example, some services are hidden or the Settings pane is dimmed when you can only monitor that service. Because the feature is enforced on the server side, the permissions also impact the usage of serveradmin, dscl, dsimport, and pwpolicy comm[...]

  • Page 151

    The following topics describe general Workgroup Manager usage. Instructions for conducting specific administration tasks are available in Workgroup Manager help and the Mac OS X Server Resources website at www.apple.com/server/macosx/resources/.
    Opening and Authenticating in Workgroup Manager
    Wo[...]

  • Page 152

    The following is a sample user record configuration pane in Workgroup Manager:
    Initially, accounts listed are those stored in the last directory node of the server’s search path. When you use other Workgroup Manager windows, such as Preferences, click Accounts in the toolbar to return to the account window. To specify the direct[...]

  • Page 153

    Defining Managed Preferences
    To work with managed preferences for user accounts, group accounts, or computer lists, click the Preferences icon in the Workgroup Manager toolbar. The following is the User Preference Management Overview pane in Workgroup Manager:
    Click Details to use the prefer[...]

  • Page 154

    Working with Directory Data
    To work with raw directory data, use Workgroup Manager’s Inspector. The following is the record Inspector pane in Workgroup Manager:
    To display the inspector:
    1. Choose Workgroup Manager > Preferences.
    2. Enable “Show ‘All Records’ tab and inspector” and click OK.
    3. Select the “All records?[...]

  • Page 155

    Service Configuration Assistants
    Server Admin has configuration assistants to guide you through setting up services that require more setup than a single configuration pane. The assistants present you with all configuration panes necessary to fully enable a service. Assistants are available f[...]

  • Page 156

    Address Book Service
    File type | Location
    Configuration files | /etc/cardavd/cardavd.plist
    Data | /Library/AddressBookServer/Documents/

    iCal Service
    File type | Location
    Configuration files | /etc/caldavd/caldavd.plist
    Data | /Library/CalendarServer/Documents/

    iChat Server
    File type | Location
    Configuration files | /etc/jabberd/*
    Data | mysqldu[...]

  • Page 157

    Mail—Amavisd
    File type | Location
    Configuration files | /etc/amavisd.conf
    Data: (default locations) | /var/amavis/

    Mail—Clam AV
    File type | Location
    Configuration files | /etc/clamav.conf, /etc/freshclam.conf
    Data: (default locations) | /var/clamav/, /var/virusmails/

    Mail—Mailman
    File type | Location
    C[...]

  • Page 158

    Notifications
    File type | Location
    Configuration files | /etc/emond.d/, /etc/emond.d/rules/, /Library/Keychains/System.keychain

    OpenDirectory Service
    The entire Open Directory configuration can be saved with the archive feature.
    File type | Location
    Configuration files | /etc/openldap/slapd.conf
    Data: (default locations) | /etc/openldap/ (stop[...]

  • Page 159

    Web Service
    File type | Location
    Configuration files | /etc/apache2/* (for Apache 2.2), /etc/httpd/* (for Apache 1.3), /etc/webperfcache/*, /Library/Keychains/System.keychain
    Data: (default locations) | /Library/WebServer/Documents/, /Library/Logs/WebServer/*, /Library/Logs/Migration/webconfigmigrator.log [...]

  • Page 160

    Some single points of failure include:
    • Computer system
    • Hard disk
    • Power supply
    Although it is almost impossible to eliminate all single points of failure, you should minimize them as much as possible. For example, using a backup computer and a file storage pool for Mac OS X Server eliminates the computer as a single point of failure.[...]

  • Page 161

    Using Backup Power
    In the architecture of a server solution, power is a single point of failure. If power goes out, your servers go down without warning. To prevent a sudden disruption in services, consider adding a backup source of power. Depending on your application, you might choose to use a standb[...]

  • Page 162

    The automatic restart options are:
    • Restart automatically after a power failure. The power management unit automatically starts up the server after a power failure.
    • Restart automatically if the computer freezes. The power management unit automatically starts up the server after the server stops responding, has a kernel panic, or fre[...]

  • Page 163

    Link Aggregation
    Although not common, the failure of a switch, cable, or network interface card can cause your server to become unavailable. To eliminate these single points of failure, you can use link aggregation or trunking. This technology, also known as IEEE 802.3ad, is built into Mac OS X and[...]

  • Page 164

    About the Link Aggregation Control Protocol (LACP)
    IEEE 802.3ad Link Aggregation defines a protocol called Link Aggregation Control Protocol (LACP) that is used by Mac OS X Server to aggregate (combine) multiple ports into a link aggregate (a virtual port) that can be used for TCP and UDP connections. When you define a link aggregat[...]

  • Page 165

    Computer to Switch
    In this scenario, shown in the following illustration, you connect your server to a switch configured for 802.3ad link aggregation.
    [Illustration labels: server1.example.com; Clients; 4 x 1 Gbit/s; 10 Gbit/s]
    The switch should have bandwidth for handling incoming traffic equal to or greater than that of t[...]

  • Page 166

    For example, you can connect two links to the master switch and the remaining links to the backup switch. As long as the master switch is active, the backup switch remains inactive. If the master switch fails, the backup switch takes over transparently. Although this scenario adds redundancy that protects the server from becoming unavailab[...]

  • Page 167

    The interface name bond<num> assigned by the system is different from the name you give to the link aggregate port configuration. The interface name is for use at the command line, but the port configuration name is for use in the Network pane of System Preferences. For example, if you ente[...]

  • Page 168

    Load Balancing
    One factor that can cause services to become unavailable is server overload. A server has limited resources and can service a limited number of requests simultaneously. If the server gets overloaded, it slows down and can eventually crash. One way to overcome this problem is to distribute the load among a group of servers (a s[...]

  • Page 169

    Daemon Overview
    By the time a user logs in to a Mac OS X system, a number of processes are running. Many of these processes are known as daemons. A daemon is a background process that provides a service to users. For example, the cupsd daemon coordinates printing requests, and the httpd daemon respo[...]

  • Page 170

    The launchctl utility is the command-line tool used to control launchd. It can:
      • Load and unload daemons
      • Start and stop launchd controlled jobs
      • Get system utilization statistics for launchd and its child processes
      • Set environment settings
    [...]

  • Page 171

    Effective monitoring allows you to detect potential problems before they occur and gives you early warning when they occur. Detecting potential problems allows you to take steps to resolve them before they impact the availability of your servers. In addition, getting an early warning when a problem occurs allows you to take corr[...]

  • Page 172

    Several factors can be considered for a monitoring response:
      • What are relevant response methods? In other words, how will the response take place?
      • What is the time to response? What is an acceptable interval between failure and response?
      • What are the scaling considerations? Can the response plan work with all expected (and even u[...]

  • Page 173

    Chapter 8 Monitoring Your System 173
    A green status indicator shows the component is OK, a yellow status indicator notes a warning, and a red status indicator notes an error. Server Monitor works for Xserves only. For more information about Server Monitor, choose Server Monitor Help from Server Monitor's Help menu.
    Using RAID Admin f[...]

  • Page 174

    df -Hl
    Filesystem     Size   Used  Avail Capacity  Mounted on
    /dev/disk0s9    40G    38G   2.1G    95%    /

    In this example, the hard disk is almost full with only 2.1 GB left. This tells you that you should act immediately to free space on your hard disk before it fills up and causes problems for your users.
      • du. This command tells you how much space is used b[...]

  • Page 175

    If you detect an unusual number of requests coming from the same source, use Firewall service to block traffic from that source. For more information about tcpdump, see the corresponding man page.
      • Consider using Ruby, Perl, shell scripts, or AppleScript to automate the monitoring process. For [...]
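
The disk-space check from the df -Hl example, automated as a shell script. This is an added example, not part of the Apple manual: the function names and the second and third sample rows are constructed, and it assumes the six-column df layout shown on the page.

```shell
#!/bin/sh
# Added example (not from the manual): flag filesystems that are nearly full.
# Assumes the six-column df layout shown on the page, with Capacity as the
# first field of the form "NN%" and the mount point as everything after it.

# Constructed sample df -Hl output; the first data row is the page's own.
sample_df() {
cat <<'EOF'
Filesystem     Size   Used  Avail Capacity  Mounted on
/dev/disk0s9    40G    38G   2.1G    95%    /
/dev/disk1s2   500G   120G   380G    24%    /Volumes/Data
/dev/disk2s2   250G   225G    25G    90%    /Volumes/Backup HD
EOF
}

# full_filesystems LIMIT
# Reads df output on stdin and prints "capacity% avail mountpoint" for every
# filesystem whose capacity is at or above LIMIT percent.
full_filesystems() {
    awk -v limit="$1" '
        NR == 1 { next }                          # header row
        {
            cap = 0
            for (i = 2; i <= NF; i++)             # locate the Capacity column
                if ($i ~ /^[0-9]+%$/) { cap = i; break }
            if (cap == 0 || cap == NF) next       # not a usable data row
            pct = $cap
            sub(/%$/, "", pct)
            if (pct + 0 < limit + 0) next
            mount = $(cap + 1)                    # mount points may contain spaces
            for (i = cap + 2; i <= NF; i++) mount = mount " " $i
            printf "%s%% %s %s\n", pct, $(cap - 1), mount
        }'
}

# check_disks LIMIT
# Prints one WARNING line per nearly full filesystem; returns 1 if any exist,
# so it can drive a cron job or an alerting wrapper.
check_disks() {
    hits=$(full_filesystems "$1")
    if [ -z "$hits" ]; then
        return 0
    fi
    printf '%s\n' "$hits" | sed 's/^/WARNING: nearly full: /'
    return 1
}
```

On a live system the input comes from `df -Hl | check_disks 90`; the nonzero return status is what a scheduler or notification wrapper would act on.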

  • Page 176

    The following shows a sample Overview pane for a single server. This overview shows basic hardware, operating system versions, active services, and graphs of CPU history, network throughput history, and disk space.
      • Use the serveradmin XML web interface.
        a Open Safari to the following URL: https://<server address>:311/server[...]

  • Page 177

    When a server kernel panics, it abruptly halts all normal system operations. Usually, a kernel process named panic() outputs an error message to the console and stores debugging information in nonvolatile memory to be written to a crash log file upon restarting the computer. Saving the memory contents [...]

  • Page 178

    Setting Up a Core Dump Server
    You can use any Mac OS X v10.5 or later computer to be a core dump server that fits the following criteria. The core dump server must:
      • Have a static IP address.
      • Be IPv4 network-accessible to all clients using UDP port 1069. You cannot put the core dump server behind a firewall or NAT unless all clients[...]

  • Page 179

    Setting Up a Core Dump Client
    A core dump client sends its kernel panic debug information to the core dump server address specified in its NVRAM settings. The information is transmitted at the time of the panic, so before restarting the computer, allow some time for the data to be sent to the server. T[...]

  • Page 180

    Configuring Common Core Dump Options
    By default, core dumps happen using UDP port 1069 over the built-in Ethernet (en0) interface, and the resulting files are stored in /PanicDumps on the core dump server. However, you can configure the core dump to use:
      • An alternate UDP port
      • An alternate network interface
      • An alternate file des[...]

  • Page 181

    SNMPv2 is the default access protocol and the default read-only community string is “public.”
    Enabling SNMP reporting
    SNMP access isn’t enabled by default on Mac OS X Server. To use SNMP tools to poll your Mac OS X Server for data, you must configure and then enable the service.
    To enable SNMP
    1 [...]

  • Page 182

    To enable and configure SNMP:
      • Use the /usr/bin/snmpconf command, which takes you through a basic text-based setup assistant for configuring the community name and saves the info in the configuration file. The snmp config file is located in /usr/share/snmp/snmpd.conf.
    SNMP Configuration Example
    Step 1: Customize data
    1 To custom[...]

  • Page 183

    Step 3: Collect SNMP information from the host
      • To get the SNMP-available information you added, execute this command from a host that has SNMP tools installed:
        /usr/bin/snmpget -c public <hostname> system.sysLocation.0
    Replace <hostname> with the name of the target host. You should see locat[...]
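
Because the default read-only community string is "public" and the example query above still uses it, a check of the finished configuration file is a useful follow-up to snmpconf. This is an added example, not part of the Apple manual: it assumes Net-SNMP directive syntax, and the sample configuration and function names are constructed.

```shell
#!/bin/sh
# Added example (not from the manual): find snmpd.conf entries that still use
# the default community string "public". Assumes Net-SNMP directive syntax:
#   rocommunity|rwcommunity[6] COMMUNITY [SOURCE ...]
#   com2sec[6] [-Cn CONTEXT] SECNAME SOURCE COMMUNITY

# Constructed sample configuration, not taken from the manual.
sample_snmpd_conf() {
cat <<'EOF'
# constructed sample
syslocation  "Server room, rack 4"
rocommunity  public
rocommunity  n0c-monitor 10.0.0.5
com2sec  local  localhost  public
  rwcommunity public 10.0.0.0/24
EOF
}

# audit_public_community
# Reads snmpd.conf on stdin; prints "LINE DIRECTIVE SOURCE" for each access
# entry whose community is "public". SOURCE is "any" when none is given.
audit_public_community() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }             # blank lines and comments
        {
            comm = ""; src = "any"
            if ($1 ~ /^r[ow]community6?$/) {
                comm = $2
                if (NF >= 3) src = $3
            } else if ($1 ~ /^com2sec6?$/) {
                i = 2
                if ($i == "-Cn") i += 2           # skip optional context
                src = $(i + 1); comm = $(i + 2)
            } else next
            if (comm == "public") printf "%d %s %s\n", NR, $1, src
        }'
}

# count_unrestricted_public
# Counts "public" entries reachable from any host (no SOURCE, or "default").
count_unrestricted_public() {
    audit_public_community |
        awk '$3 == "any" || $3 == "default" { n++ } END { print n + 0 }'
}
```

Run it as `audit_public_community < /usr/share/snmp/snmpd.conf`; any line it reports is a candidate for a non-default community name or a source restriction.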

  • Page 184

    There are two main notification daemons: syslogd and emond.
      • syslogd: The syslogd daemon is a standard UNIX method of monitoring systems. It logs messages in accordance with the settings found in /etc/syslog.conf. You can examine the output files specified in that configuration by using a file printing or editing utility because they [...]

  • Page 185

    Logging
    Mac OS X Server maintains standard UNIX log files and Apple-specific process logs. Logs for the OS can be found in:
      • /var/log
      • /Library/Logs
      • ~/Library/Logs
    Each process is responsible for its own logs, the log level, and verbosity. Each process or application can write its own log [...]

  • Page 186

    Syslog Configuration File
    The Syslog configuration file can be found at /etc/syslog.conf. Each line has the following format:
        <facility>.<loglevel> <path to logfile>
    Replace <facility> with the process name writing to the log. The path is the standard POSIX path to the log file. You can use asterisks (*) as wild[...]

  • Page 187

    To run slapd in debugging mode:
    1 Stop and remove slapd from launchd’s watch list:
        launchctl unload /System/Library/LaunchDaemons/org.openldap.plist
    2 Restart slapd in debug mode:
        sudo /usr/libexec/slapd -d 99
    AFP Logging
    The server side of Apple File Service Protocol (AFP) keeps track of access and er[...]

  • Page 188

    Provide increased server responsiveness to clients and reduce server load with Push Notification Server. Mac OS X Server v10.6 uses an XMPP Pubsub architecture for the Push Notification Server. XMPP Pubsub is an open standard extension to XMPP (XEP-060) that allows servers and clients to communicate as needed, rather than cl[...]

  • Page 189

    Chapter 9 Push Notification Server 189
    Starting and Stopping Push Notification
    When you start push notification on a server, the service broadcasts its availability on the local network to other services that support it. This means that when a different server turns on a service that supports push notification, the push notificat[...]

  • Page 190

    Changing a Service’s Push Notification Server
    If push notification is configured on the server, it is listed in the location on the service’s settings pane. If another computer on the subnet is configured as a push notification server, it appears in the service’s setting pane. You can use these instructions to specify a di[...]

  • Page 191

    A access ACLs 55, 75 IMAP 139 IP address restrictions 52 Keychain Access Utility 66 LDAP 21, 58 Mac address 53, 90 remote installation 84, 88, 90, 101, 102 SACLs 75 user 132, 147 See also permissions accounts. See user accounts, Workgroup Manager ACLs (access control lists) 55, 75 Address Book service 17, 140, 156 addr[...]

  • Page 192

    192 Index
    preparing 64 private keys 59 public keys 59 renewing 71 requesting 63, 64, 65 root 66 self-signed 61, 65 Server Admin 62, 148 services using 71 web service 137 wiki services 137 changip tool 145 chat service. See iChat service ClamAV 139 clients certificates 70 client-side logging 187 core dump information 179 group a[...]

  • Page 193

    E email. See mail service emond daemon 184 encryption 54, 55, 59, 118 See also SSL Ethereal packet sniffing tool 175 Ethernet 53, 109, 166 exporting service settings 146 Extensible Messaging and Presence Protocol. See XMPP F file services 22, 137, 187 file sharing 148 file systems backing up 36 choosing 93 See al[...]

  • Page 194

    server 144 static 82 See also identity IPv6 addressing 22 J journaling, file system 93 junk mail screening 139 K Kerberos 21, 57, 58, 134 kernel panic 176, 178, 179, 180 key-based authentication 72, 73 Keychain Access Utility 66 keychain services 62, 155 L LACP (Link Aggregation Control Protocol) 164 launchctl to[...]

  • Page 195

    See also Open Directory OpenCL 18 OpenLDAP 21 OpenSSL 54 operating environment requirements 162 P PackageMaker 47 packets, data, filtering of 52 partitions, disk 86, 94, 95, 97, 99 passwords 77, 78, 90 permissions administrator 74, 75, 149, 150 files 55 folder 55 SACL 75 types 55 PHP (PHP Hypertext Preproces[...]

  • Page 196

    Server Admin access control 147 as administration tool 128 authentication 38 certificates 62, 148 configuration methods 18 customizing 40 notification system 175 opening 38 overview 11, 18, 38, 39 server status 175 service management 146 system imaging 47 Server Assistant 41, 101, 108, 155 Server Message Block[...]

  • Page 197

    U UDP (User Datagram Protocol) 52, 180 UNIX 23 updating software 107 upgrading from previous server versions 25, 28 saved setup data 117 vs. migration 25, 28 UPS (uninterruptible power supply) 161 user accounts group 153 managed preferences 153 management of 151 mobile 132 setup 123 See also users User Datagram Protocol. [...]