12.1 Upgrading Identity Server on Linux

IMPORTANT: If the base operating system is RHEL 7.6, you must first upgrade to Access Manager 4.5, then upgrade to RHEL 7.9.

12.1.1 Upgrading the Evaluation Version to the Purchased Version

If you have downloaded the evaluation version and want to keep your configuration after purchasing the product, you need to upgrade each of your components with the purchased version. The upgrade to the purchased version automatically changes your installation to a licensed version.

After you have purchased the product, log in to the NetIQ Customer Center and follow the link that allows you to download the product.

Use the following procedure to upgrade stand-alone Identity Server. If you have installed both Identity Server and Administration Console on the same machine, see Upgrading the Evaluation Version to the Purchased Version.

NOTE: If you have modified the JSP file to customize the login page, logout page, and error messages, you can restore the JSP file after installation. You should sanitize the restored JSP file to prevent XSS attacks. For more information, see Preventing Cross-site Scripting Attacks in the Access Manager 4.5 Administration Guide.

  1. Open a terminal window.

  2. Log in as the root user.

  3. Download the upgrade file from dl.netiq.com and extract the tar.gz file using the following command: tar -xzvf <filename>.

    NOTE: For information about the name of the upgrade file, see the specific Release Notes on the Access Manager Documentation website.

  4. Change to the directory where you unpacked the file, then enter the following command in a terminal window:

    ./upgrade.sh

  5. The system displays the following confirmation message:

    The following components were installed on this machine
    
    1. Identity Server
    
    Do you want to upgrade the above components (y/n)?

  6. Type Y and press Enter.

  7. Type Y to continue with the upgrade, then press Enter.

  8. Enter the Access Manager Administration Console user ID.

  9. Enter the Access Manager Administration Console password.

  10. Re-enter the password for verification.

  11. The system displays the following message when the upgrade is complete:

    Upgrade completed successfully.

    The upgrade logs are located in the /tmp/novell_access_manager/ directory. The log files are time-stamped.

NOTE: If the OAuth and OpenID Connect protocol is enabled, then after upgrading all members of the Identity Server cluster, you must update the Administration cluster to use the JSON Web Token (JWT token). For more information about the JWT token, see Understanding How Access Manager Uses OAuth and OpenID Connect in the Access Manager 4.5 Administration Guide.

12.1.2 Upgrading Identity Server

Use the following procedure to upgrade stand-alone Identity Server. If you have installed both Identity Server and Administration Console on the same machine, see Upgrading Administration Console.

IMPORTANT: Complete the following actions before you begin:

  • If you are upgrading Access Manager components on multiple machines, ensure that the time and date are synchronized among all machines.

  • Ensure that Administration Console is running. However, you must not perform any configuration tasks in Administration Console during an Identity Server upgrade.

NOTE: To prevent security vulnerabilities, Access Manager uses a jQuery version that is higher than the version used in the earlier release of Access Manager. This higher version of jQuery is not compatible with the Skype for Business 2016 application. Hence, after the upgrade, you cannot log in to Skype for Business 2016 using the Identity Server login page.

If you want to continue using an old version of jQuery, which is less secure, see Single Sign-on Fails in Skype for Business 2016 in the Access Manager 4.5 Administration Guide.

  1. Back up any customized JSP pages and related files.

    Even though the upgrade program backs up the JSP directory and its related files in the /root/nambkup folder, it is a good practice to back up these files.

  2. Open a terminal window.

  3. Log in as the root user.

  4. Download the upgrade file from dl.netiq.com and extract the tar.gz file by using the tar -xzvf <filename> command.

    NOTE: For information about the name of the upgrade file, see the specific Release Notes on the Access Manager Documentation website.

  5. Change to the directory where you unpacked the file, then enter the following command in a terminal window:

    ./upgrade.sh

  6. The system displays the following confirmation message:

    The following components were installed on this machine
    
    1. Identity Server
    
    Do you want to upgrade the above components (y/n)?

  7. Type Y and press Enter.

    The system displays two warning messages. The first message is for backing up all JSPs before proceeding with the upgrade, and the next is for including security settings.

  8. Type Y to continue with the upgrade, then press Enter.

    If you do not want to include the security configurations, then type n. This stops the upgrade.

  9. Enter the Access Manager Administration Console user ID.

  10. Enter the Access Manager Administration Console password.

  11. Re-enter the password for verification.

  12. The system displays the following message when the upgrade is complete:

    Upgrade completed successfully.

  13. Restore any customized files from the backup taken earlier. To restore files, copy files to the respective locations:

    • /opt/novell/nam/idp/webapps/nidp/jsp

    • /opt/novell/nam/idp/webapps/nidp/html

    • /opt/novell/nam/idp/webapps/nidp/images

    • /opt/novell/nam/idp/webapps/nidp/config

    • /opt/novell/nam/idp/webapps/nidp/WEB-INF/lib

    • /opt/novell/nam/idp/webapps/nidp/WEB-INF/web.xml

    • /opt/novell/nam/idp/webapps/nidp/WEB-INF/classes

    • /opt/novell/nam/idp/webapps/nidp/WEB-INF/conf

    • /opt/novell/java/jre/lib/security/bcslogin.conf

    • /opt/novell/java/jre/lib/security/nidpkey.keytab

    • /opt/novell/nids/lib/webapp/classUtils

    • /opt/novell/nam/idp/conf/server.xml

      Also, add the following line to the server.xml file:

      <Connector NIDP_Name="localConnector" URIEncoding="utf-8" acceptCount="100" address="127.0.0.1" connectionTimeout="20000" maxThreads="600" minSpareThreads="5" port="8088" protocol="HTTP/1.1" />

      The following example shows a connector with the IP address removed and ciphers added:

      <Connector NIDP_Name="connector" port="8443" address="" ciphers="SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, ... ../>

    • /opt/novell/nam/idp/conf/tomcat.conf
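
The restored server.xml can be checked for the connector settings described in step 13. The script below is an added example, not part of the vendor procedure or its tooling: it confirms that the localConnector is present on 127.0.0.1 port 8088 and lists cipher suites built on RC4, MD5, DES, NULL, EXPORT or anonymous key exchange (RFC 7465 prohibits RC4 in TLS). The function names, the weak-suite pattern, the one-Connector-per-line layout and the sample file (constructed; its third suite is not from this page) are assumptions of the example.

```shell
#!/bin/sh
# Added example, not vendor code. Assumes each <Connector .../> sits on one line,
# as in the sample on this page; the weak-suite pattern is this example's choice.

# audit_server_xml FILE -> prints one finding per line, nothing if the file passes.
audit_server_xml() (
    file=$1
    local_line=$(grep 'NIDP_Name="localConnector"' "$file" || true)
    if [ -z "$local_line" ]; then
        echo "MISSING localConnector"
    else
        # The connector line given on this page listens on loopback only, port 8088.
        case $local_line in *'address="127.0.0.1"'*) ;; *) echo "localConnector not bound to 127.0.0.1" ;; esac
        case $local_line in *'port="8088"'*) ;; *) echo "localConnector not on port 8088" ;; esac
    fi
    # Split every ciphers="..." list and report suites that use broken primitives.
    sed -n 's/.*ciphers="\([^"]*\)".*/\1/p' "$file" | tr -d ' ' | tr ',' '\n' |
        { grep -E 'RC4|MD5|DES|NULL|EXPORT|_anon_' || true; } | sort -u | sed 's/^/WEAK_CIPHER /'
)

# Constructed sample: the two connector lines from this page, with the elided
# cipher list completed by one made-up entry for the demonstration.
write_sample_server_xml() {
    cat > "$1" <<'EOF'
<Service name="Catalina">
  <Connector NIDP_Name="localConnector" URIEncoding="utf-8" acceptCount="100" address="127.0.0.1" connectionTimeout="20000" maxThreads="600" minSpareThreads="5" port="8088" protocol="HTTP/1.1" />
  <Connector NIDP_Name="connector" port="8443" address="" ciphers="SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" />
</Service>
EOF
}

# Demo on the constructed sample; on a real server pass
# /opt/novell/nam/idp/conf/server.xml to audit_server_xml instead.
sample=$(mktemp)
write_sample_server_xml "$sample"
audit_server_xml "$sample"
rm -f "$sample"
```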

Important Notes:

  • If you are using Kerberos and you have renamed nidpkey.keytab and bcsLogin.conf, ensure that you modify the upgrade_utility_functions.sh script located in the novell-access-manager-x.x.x.x-xxx/scripts folder with the new names before upgrading Access Manager.

  • If you have customized the Java settings in the /opt/novell/nam/idp/conf/tomcat.conf file, then after the upgrade, you must copy the customized setting to the new file.

  • If you have modified the JSP file to customize the login page, logout page, and error messages, you can restore the JSP file after installation. You should sanitize the restored JSP file to prevent XSS attacks. For more information, see Preventing Cross-site Scripting Attacks in the Access Manager 4.5 Administration Guide.
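
One way to triage restored JSP customizations for the XSS risk noted above and in section 12.1.1 is to list the lines that write request data into the page with no visible encoding step. This is an added example, not NetIQ tooling or the Administration Guide's procedure; the function names, the patterns and the sample login.jsp are constructed for illustration.

```shell
#!/bin/sh
# Added example, not vendor code: flag lines in restored JSPs that echo request
# data without an obvious HTML-encoding step. Line-based heuristic only.

# scan_jsp_dir DIR -> prints "file:line:text" for every suspicious line.
scan_jsp_dir() (
    find "$1" -type f -name '*.jsp' | sort | while IFS= read -r f; do
        # Scriptlet expressions that print a request value directly.
        # (/dev/null as a second file makes grep prefix the file name.)
        grep -nE '<%=[^%]*request\.get(Parameter|Header|QueryString)' "$f" /dev/null || true
        # EL reading request data on a line with no c:out / fn:escapeXml wrapper.
        grep -nE '\$\{(param|header|cookie)(\.|\[)' "$f" /dev/null |
            grep -vE 'c:out|escapeXml' || true
    done
)

# Constructed sample page: lines 1 and 2 echo raw input, line 3 encodes it.
write_sample_jsp() {
    cat > "$1/login.jsp" <<'EOF'
<input type="hidden" name="target" value="<%= request.getParameter("target") %>">
<p>Welcome back, ${param.user}</p>
<p>Error: <c:out value="${param.msg}"/></p>
EOF
}

# Demo on the constructed sample.
demo_dir=$(mktemp -d)
write_sample_jsp "$demo_dir"
scan_jsp_dir "$demo_dir"
rm -rf "$demo_dir"
```

On an upgraded server the directory to scan is the restored /opt/novell/nam/idp/webapps/nidp/jsp. A hit is a prompt for manual review of that line, not proof of an XSS flaw.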