20.3 Upgrading the Change Guardian server

You can upgrade the following installation types:

  • Traditional installation on an existing Linux server

  • Appliance installation as a managed software appliance

20.3.1 Upgrading a Traditional Installation

If you are upgrading the Change Guardian server on a computer running RHEL, ensure the 64-bit expect RPM is installed before you start the upgrade process.

To upgrade the Change Guardian server in a traditional installation:

  1. Back up all your information using the backup_util.sh script. For information about using the backup utility, see Section 18.0, Backing Up and Restoring Data.

  2. Download the latest installer from the Patch Finder website and copy it to the server. You must be a registered user to download patches. If you have not registered, click Register to create a user account in the patch download site.

  3. Log in as root to the server where you want to upgrade Change Guardian.

  4. Specify the following command to extract the install files from the tar file:

    tar -zxvf <install_filename>

    where <install_filename> is the name of the install file.

  5. Change to the directory where the install file was extracted.

  6. Specify the following command to upgrade Change Guardian:

    ./install-changeguardian.sh

  7. (Conditional) If you want to upgrade from a custom path, specify the following command:

    ./install-changeguardian.sh --location=<custom_CG_directory_path>

  8. To proceed with a language of your choice, select the number next to the language.

  9. (Conditional) If there are changes to the end user license agreement, read and accept the changes.

  10. Specify yes to approve the upgrade.

  11. Reset the cgadmin password to leverage LDAP authentication.

  12. Verify whether the Change Guardian web console can connect to the server by specifying the following URL in your web browser:

    https://IP_Address_Change_Guardian_server:8443

Based on your requirements, you must perform the post-upgrade tasks. For more information, see Post-Upgrade Configuration for Change Guardian in FIPS mode.

20.3.2 Upgrading an Appliance Installation

To upgrade the Change Guardian server running as a managed software appliance, you can use zypper (a command line package manager).

When you want to update the end user license agreement, you must upgrade the Change Guardian server appliance using zypper. For information about which upgrade methods are supported for a release, see the Release Notes.

To upgrade the appliance using zypper, perform the following steps:

  1. Back up your configuration and event information using the backup_util.sh script. For information about using the backup utility, see Section 18.0, Backing Up and Restoring Data.

  2. Log in to the appliance as the root user.

  3. To check for available updates, run the command zypper lp.

  4. Install the updates by running the command zypper patch.

    WARNING: Always use the zypper patch command to update/upgrade the Change Guardian appliance. The zypper up command is not compatible with the Change Guardian appliance and might cause serious damage to your environment.

  5. (Conditional) When prompted, select Solution 1 to downgrade openssh.

  6. (Conditional) When prompted, select Solution 2 to change the architecture of ncgContent.

  7. (Conditional) If a window asks you to resolve a merge conflict, select Solution 1.

  8. Restart the Change Guardian appliance by running the command reboot.

For more information, see the zypper Cheat Sheet.

Based on your requirements, you must perform the post-upgrade tasks. For more information, see Post-Upgrade Configuration for Change Guardian in FIPS mode.

Disabling RC4 Communication

In Change Guardian 4.2, the cipher suites were updated to disallow RC4 ciphers. By default, RC4 ciphers were left enabled on all upgraded environments so that older versions of agents can continue to work with the upgraded Change Guardian server.

Perform the following steps to disable RC4 communication after upgrading:

  1. Change to the Jetty configuration directory: cd /etc/opt/novell/sentinel/3rdparty/jetty

  2. Edit the jetty-ssl.xml file.

  3. Under the excluded cipher suites section, add the following ciphers:

    • SSL_RSA_WITH_RC4_128_SHA

    • SSL_RSA_WITH_RC4_128_MD5

  4. Set the following attributes:

    • Owner: Novell

    • Permissions: 600

  5. Restart the services using the /opt/netiq/cg/scripts/cg_services.sh restart command.
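The following shell example is added here and is not part of the Change Guardian documentation. It makes the RC4 exclusion in jetty-ssl.xml repeatable and checkable: it assumes the standard Jetty XML layout for the ExcludeCipherSuites set (an Array of String Items), writes a constructed sample file for illustration, and takes the file path and the owner (novell in the procedure) as arguments; the function names are this example's own.

```shell
# Added example, not Change Guardian code. Assumes the Jetty layout
# <Set name="ExcludeCipherSuites"><Array type="String"><Item>..</Item>.
RC4_SUITES="SSL_RSA_WITH_RC4_128_SHA SSL_RSA_WITH_RC4_128_MD5"

# Write a constructed jetty-ssl.xml fragment (sample input, not a real file).
write_sample_jetty_ssl() {
    cat > "$1" <<'EOF'
<?xml version="1.0"?>
<Configure id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">
  <Set name="ExcludeCipherSuites">
    <Array type="String">
      <Item>SSL_RSA_WITH_DES_CBC_SHA</Item>
    </Array>
  </Set>
</Configure>
EOF
}

# Print each RC4 suite that is not yet listed as an excluded <Item>.
missing_rc4_exclusions() {
    for suite in $RC4_SUITES; do
        grep -q "<Item>$suite</Item>" "$1" || printf '%s\n' "$suite"
    done
}

# Insert the missing suites after the <Array> tag of ExcludeCipherSuites.
# Safe to run repeatedly: already-listed suites are skipped.
add_rc4_exclusions() {
    for suite in $(missing_rc4_exclusions "$1"); do
        awk -v suite="$suite" '
            /name="ExcludeCipherSuites"/ { inset = 1 }
            inset && /<Array type="String">/ {
                print; print "      <Item>" suite "</Item>"; inset = 0; next
            }
            { print }
        ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
    done
}

# Apply the ownership and mode from the procedure (owner novell, mode 600).
harden_jetty_ssl() {
    chown "$2" "$1" && chmod 600 "$1"
}

# Succeed only if both RC4 suites are excluded and the file is mode 600.
verify_rc4_disabled() {
    [ -z "$(missing_rc4_exclusions "$1")" ] || return 1
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")
    [ "$mode" = "600" ]
}
```

Run verify_rc4_disabled against the live jetty-ssl.xml after the restart to confirm the exclusion survived the upgrade.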

20.3.3 Post-Upgrade Configuration to Ensure Enhanced Keystore Security

Change Guardian now provides the chg_keystore_pass.sh script that allows you to change the keystore passwords. As a security best practice, NetIQ recommends that you change the keystore passwords immediately after upgrading to Change Guardian 5.0.

NOTE: You need not perform this procedure if the Change Guardian server is in FIPS mode.

Perform the following procedure to change the keystore passwords:

  1. Log in to the Change Guardian server as the novell user.

  2. Go to the /opt/novell/sentinel/bin directory.

  3. Run the chg_keystore_pass.sh script and follow the on-screen prompts to change the keystore passwords.

20.3.4 Post-Upgrade Configuration for Change Guardian in FIPS mode

After you upgrade Change Guardian in FIPS mode, you must perform the following post-upgrade configuration to ensure that Agent Manager works seamlessly.

Perform the following tasks:

  1. From the command prompt, change directory to /opt/netiq/ams/ams/bin and enter the following command:

    ./ams_cert_setup.sh --enable --profile=profile_ams

  2. Back up the following file: /opt/netiq/ams/ams/agent-manager.yml.

  3. Copy the /opt/netiq/ams/ams/security/profiles/profile_ams/agent-manager.yml file to the /opt/netiq/ams/ams/ directory and ensure that the user and group permissions on the file are set for the novell user.

  4. Rerun the FIPS conversion script on AMS. From a command prompt, change directory to /opt/netiq/ams/ams/bin and enter the following command:

    ./convert_to_fips.sh

  5. Provide the requested input:

    1. Create the password for the FIPS keystore database.

    2. When asked whether to restart the Agent Manager service, select y.

  6. Ensure that the ams.log file (located in ams/log) contains the following entry:

    INFO [Date_Timestamp,446] com.netiq.commons.security.FIPSProvider: Running in FIPS mode. Changing the SSL security provider from JSSE to FIPS. /opt/netiq/ams/ams/security/nss