2.6 Upgrading Management Servers

This section describes the steps required to upgrade the management server on the same computer. For information about moving the management server to a new computer, see Moving the Management Server to a New Computer.

2.6.1 Understanding Version Requirements for Connected Components

If you have only one QDB in your environment, you must upgrade the QDB and the primary and secondary management servers that connect to the QDB. When you upgrade a management server, you also upgrade the agent on the management server computer. Otherwise, you can upgrade agents on an as-needed basis.

While a version 9.2 management server can communicate with version 7.0.4 8.x agents, version 9.2 agents cannot communicate with earlier management server versions.

For more information about supported management server versions in a multiple-QDB, Control Center environment, see Upgrading Components in a Multiple-QDB, Control Center Environment.

2.6.2 Understanding Changes to Encryption Algorithms and Effects on Communications with UNIX Agents

AppManager 9.2 updates the OpenSSL version from 1-0-1m to 1-0-2j and replaces the DES encryption algorithm, which is not FIPS-compliant, with AES128, which is FIPS-compliant.

With previous versions of AppManager, in environments using the authentication and encrypted communications security level, the management server used the DES encryption algorithm to encrypt and decrypt public key data that it shared with UNIX agents. In environments where FIPS is enabled, OpenSSL 1-0-2j does not allow using the DES encryption algorithm. However, when you upgrade a management server to version 9.2, the management server must decrypt public key data that was encrypted using the DES algorithm. To allow a version 9.2 management server to continue working with existing UNIX agents without requiring you to rekey the agents, when the management server starts, AppManager temporarily disables FIPS mode so that it can use the DES algorithm to decrypt the public key data and then restores FIPS mode when the decryption is complete.

2.6.3 Reviewing Additional Upgrade Recommendations

If you choose to upgrade by running the Windows Installer package for the management server instead of the AppManager setup program, after the upgrade, the NetIQ AppManager Client Resource Monitor (NetIQmc) and NetIQ AppManager Client Communication Manager (NetIQccm) services will not start until you upgrade the agent.

NetIQ Corporation does not recommend clustering the management server. Instead, you can install multiple management servers and designate them as primary and secondary to provide failover support. For more information about installing additional management servers and designating primary and secondary management servers, see the Installation Guide for AppManager and the Administrator Guide for AppManager, available on the AppManager Documentation page. If you have a requirement to install a management server on Microsoft Cluster Service (MSCS), contact Technical Support.

2.6.4 Performing the Upgrade

To upgrade the management server on the same computer:

  1. Ensure that the upgrade of the QDB to which the management server connects completed successfully.

  2. Start the upgrade and generate a pre-installation check report.

    For more information about generating the report, see Starting an Upgrade and Generating a Pre-Installation Check Report.

  3. Complete the management server setup program.

Depending on your environment, you might need to update existing encryption keys after you upgrade the management server. For more information about updating encryption keys, see Using Existing Security Keys for Encrypted Communications.

You can also change the security level after you upgrade. For more information about changing the security level, see Changing the Security Level.

2.6.5 Moving the Management Server to a New Computer

This section describes how to move the management server to a new computer. You might want to move the management server if the current computer does not support upgrading to an operating system that AppManager 9.2 supports.

Moving the management server to a new computer requires ensuring that it will be able to communicate with the QDB and agents after the move, installing a new version 9.2 management server on the new computer, and uninstalling the management server from the old computer.

To move the management server:

  1. Upgrade the QDB with which the management server communicates to version 9.2.

    For more information about upgrading the QDB, see Upgrading the QDB.

  2. To temporarily allow the agent computers that communicate with the management server to accept communication from anonymous management servers, run the AMAdmin_SetAllowMS Knowledge Script and set the New hostname(s) for AllowMS parameter to an asterisk (*).

    For more information about the Knowledge Script, see the AppManager Knowledge Script Reference Guide, available on the AppManager Documentation page.

  3. (Conditional) If the following registry keys on the agent computers are not set to an asterisk (*), use the NTAdmin_RegistrySet Knowledge Script to add the name of the new management server computer to the key values:

    HKEY_LOCAL_MACHINE\SOFTWARE\NetIQ\AppManager\4.0\NetIQmc\Security\AllowDosCmd
    HKEY_LOCAL_MACHINE\SOFTWARE\NetIQ\AppManager\4.0\NetIQmc\Security\AllowMS
    HKEY_LOCAL_MACHINE\SOFTWARE\NetIQ\AppManager\4.0\NetIQmc\Security\AllowReboot

    Otherwise, certain actions will not be allowed after you move the management server. For example, the AllowReboot registry key will no longer allow Action_RebootSystem. For information about the parameters to specify in the Knowledge Script, see the AppManager Knowledge Script Reference Guide.

  4. Install a new version 9.2 management server on the new computer.

    For more information about installing a new version 9.2 management server, see Installing a Management Site in the Installation Guide for AppManager.

  5. For each agent that communicates with the management server, run the AMAdmin_SetAllowMS Knowledge Script and update the New hostname(s) for AllowMS parameter with the name of the new management server computer.

    For more information about the Knowledge Script, see the AppManager Knowledge Script Reference Guide.

  6. For each agent that communicates with the management server, run the AMAdmin_SetPrimaryMS Knowledge Script to update the management server name.

    Depending on whether the management server is primary or secondary for the agent, update the primary or secondary management server name.

    For more information about the Knowledge Script, see the AppManager Knowledge Script Reference Guide.

  7. Uninstall the management server from the old computer.

  8. In the Operator Console tree view, select the old computer and press Alt+F8. Note the ObjID of the old management server computer.

  9. In Microsoft SQL Server Management Studio, right-click the QDB with which the management server communicates and select New Query.

  10. To change the status of the old management server computer to an agent computer so that you can remove it from the Operator Console, in the query window, type the following SQL statement and click Execute:

    UPDATE dbo.Object SET Status = Status ^ 0x00000002 WHERE ObjID = ObjID_of_old_management_server AND Status & 0x00000002 != 0

    where ObjID_of_old_management_server is the ObjID you noted in Step 8.

  11. In the Operator Console, delete the old management server computer.

  12. (Conditional) If the agent is still installed on the old computer, use Control Center to add the computer and rediscover it to establish a new ObjID for the computer.

  13. (Conditional) If you edited registry keys in Step 3, use the NTAdmin_RegistrySet Knowledge Script to remove the name of the old management server computer from the key values.

    For information about the parameters to specify in the Knowledge Script, see the AppManager Knowledge Script Reference Guide.
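Once Steps 5 and 13 are complete, a check like the following, run on an agent computer, confirms that the temporary asterisk and the old server name are gone from the three allow-lists. It is an added example, not NetIQ code. It assumes that AllowMS, AllowDosCmd and AllowReboot are string values under the ...\NetIQmc\Security key and that multiple host names are separated by commas, semicolons or whitespace; Test-AllowList, OLD-MS01 and NEW-MS01 are hypothetical names.

```powershell
# Added example (not NetIQ code): post-move audit of the agent allow-lists from Step 3.
# Assumptions: AllowMS, AllowDosCmd and AllowReboot are string values under the
# ...\NetIQmc\Security key, and several host names in one value are separated by
# commas, semicolons or whitespace. OLD-MS01 and NEW-MS01 are placeholder names.
param(
    [string]$OldServer = 'OLD-MS01',
    [string]$NewServer = 'NEW-MS01',
    [string]$KeyPath   = 'HKLM:\SOFTWARE\NetIQ\AppManager\4.0\NetIQmc\Security'
)

function Test-AllowList {
    param([string]$Name, [string]$Value, [string]$OldServer, [string]$NewServer)
    # Split the value into individual entries, dropping empty strings.
    $entries = @($Value -split '[,;\s]+' | Where-Object { $_ })
    # -contains is case-insensitive, which suits host names.
    $finding = if ($entries.Count -eq 0) {
        'value missing or empty'
    } elseif ($entries -contains '*') {
        'wildcard (*) still set'
    } elseif ($entries -contains $OldServer) {
        'old management server still listed'
    } elseif ($entries -notcontains $NewServer) {
        'new management server not listed'
    } else {
        'ok'
    }
    [pscustomobject]@{ Name = $Name; Value = $Value; Finding = $finding }
}

# Read the live values on this agent computer.
$props = Get-ItemProperty -Path $KeyPath -ErrorAction SilentlyContinue
if ($null -eq $props) {
    Write-Warning "Registry key not found: $KeyPath"
} else {
    foreach ($n in 'AllowMS', 'AllowDosCmd', 'AllowReboot') {
        Test-AllowList -Name $n -Value ([string]$props.$n) -OldServer $OldServer -NewServer $NewServer
    }
}

# Constructed sample values, so the checks can be seen without touching the registry.
Test-AllowList 'AllowMS'     '*'                 $OldServer $NewServer
Test-AllowList 'AllowReboot' 'OLD-MS01,NEW-MS01' $OldServer $NewServer
Test-AllowList 'AllowMS'     'NEW-MS01'          $OldServer $NewServer
```

The three constructed calls report a wildcard, a leftover old server name, and a clean value, in that order.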

Depending on your environment, you might need to update existing encryption keys after you upgrade the management server. For more information about updating encryption keys, see Using Existing Security Keys for Encrypted Communications.

You can also change the security level after you upgrade. For more information about changing the security level, see Changing the Security Level.

2.6.6 Using Existing Security Keys for Encrypted Communications

If your AppManager environment uses encrypted communications between the management server and agents, the upgraded management server uses existing encryption keys to communicate with existing and upgraded agents. For an upgraded management server to use an existing encryption key to communicate with a new version 9.2 agent, you must use the NQKeyGenWindows.exe utility to export the key from the upgraded QDB and import it to the new agent. If the existing encryption key was generated using the NetIQ Encryption Utility, rpckey.exe, you must use the NQKeyGenWindows.exe utility to convert the older key file to the new key format before you import it to the new agent. The NQKeyGenWindows.exe utility is located in the NetIQ\AppManager\bin folder. For more information about the utility, see the Administrator Guide for AppManager, available on the AppManager Documentation page.

To convert a key generated using the NetIQ Encryption Utility to the new key format:

  1. To convert the older key file to the new key format, run the following command on the management server:

    NQKeyGenWindows -convert old_key_location new_key_location

  2. To check the key information into the QDB, run the following command on the management server:

    NQKeyGenWindows -db QDB_name:user_name:SQL_Server_name\instance -change new_key_location

  3. To set the desired security level, run the following command on the management server:

    NQKeyGenWindows -db QDB_name:user_name:SQL_Server_name\instance -seclev level

  4. Restart the management server.

To import an existing encryption key to a new agent:

  1. To extract the agent portion of the key from the QDB, run the following command on the management server:

    NQKeyGenWindows -db QDB_name:user_name:SQL_Server_name\instance -ckey agent_key_file_location

  2. To import the key to the new agent, run the following command on the agent computer:

    NQKeyGenWindows -agentchange agent_key_file_location

2.6.7 Changing the Security Level

After you upgrade, if you want to change the security level for a management site from encrypted communications to cleartext communications, run the AMAdmin_AgentConfigSecurityLevel Knowledge Script.

To change the security level for a management site:

  1. To change the security level for the agents within your management site, run the AMAdmin_AgentConfigSecurityLevel Knowledge Script.

    For more information about the Knowledge Script, see the AppManager Knowledge Script Reference Guide, available on the AppManager Documentation page.

  2. Run the AMAdmin_AgentConfigSecurityLevel Knowledge Script again on each management server.

  3. (Conditional) If you have not configured the QDB to store the security key information on each management server computer, edit the following Microsoft Windows registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\NetIQ\AppManager\4.0\NetIQMS\Config\RPC Encryption

    and change its value from 1 to 0. You must restart the management server to apply your changes. For more information about how to configure the QDB to store the security key information, see Using Existing Security Keys for Encrypted Communications.

    WARNING: Be careful when editing your Windows registry. If there is an error in your registry, your computer might become nonfunctional. If an error occurs, you can restore the registry to its state when you last successfully started your computer. For more information, see the Help for the Windows Registry Editor.

  4. (Conditional) If you used the NQKeyGenWindows.exe utility to store security information in the QDB, use that utility again and set the -seclev option to 0.

  5. Restart your management servers.

For more information about setting or changing the security level for an AppManager management site, see the Administrator Guide for AppManager, available on the AppManager Documentation page.