6.2 Upgrading Change Guardian Traditional Installation

You can upgrade the following installation types:

If you are upgrading the Change Guardian server on a computer running RHEL, ensure that the 64-bit expect RPM is installed before you start the upgrade process.

To upgrade the Change Guardian Server in a traditional installation:

  1. Back up all your information using the backup_util.sh script. For information about using the backup utility, see Section 20.0, Backing Up and Restoring Data.

  2. Download the latest installer from the Micro Focus Patch Finder website and copy it to the server. You must be a registered user to download patches. If you have not registered, click Register to create a user account in the patch download site.

  3. Log in as root to the Change Guardian server you want to upgrade.

  4. Specify the following command to extract the install files from the tar file:

    tar -zxvf <install_filename>

    where <install_filename> is the name of the install file.

  5. Change to the directory where the install file was extracted.

  6. Specify the following command to upgrade Change Guardian:

    ./install-changeguardian.sh

  7. (Conditional) If you want to upgrade from a custom path, specify the following command:

    ./install-changeguardian.sh --location=<custom_CG_directory_path>

    NOTE: You can upgrade only from the custom path that was used for the original installation and that has 0755 permissions.

  8. To proceed with a language of your choice, select the number next to the language.

  9. (Conditional) If there are changes to the end user license agreement, read and accept the changes.

  10. Specify yes to approve the upgrade.

  11. Reset the cgadmin password to leverage LDAP authentication.

  12. Verify whether the Change Guardian web console can connect to the server by specifying the following URL in your web browser:

    https://IP_Address_Change_Guardian_server:8443

Depending on your requirements, perform the post-upgrade tasks. For more information, see Post-Upgrade Configuration to Ensure Enhanced Keystore Security.

6.2.1 Performing an Operating System Upgrade in FIPS Mode

If the Change Guardian server is running a version of an operating system that is not certified and you need to upgrade the operating system, first upgrade the Change Guardian server and then upgrade the operating system.

If you upgrade the operating system ahead of the Change Guardian server, your existing Change Guardian installation will stop functioning and you will not be able to access the Change Guardian web console until you upgrade the Change Guardian server.

Follow the steps below to upgrade the operating system:

  1. Stop Change Guardian services:

    /opt/netiq/cg/scripts/cg_services.sh stop

  2. (Conditional) If Change Guardian was in FIPS mode before the operating system upgrade, NSS database files must be manually upgraded by running the following command:

    certutil -K -d sql:/etc/opt/novell/sentinel/3rdparty/nss -X

    Follow the on-screen instructions to upgrade the NSS database.

    Give the novell user full permissions on the following files in the /etc/opt/novell/sentinel/3rdparty/nss folder:

    cert9.db
    key4.db
    pkcs11.txt

  3. Upgrade the operating system.

  4. (Conditional) If you use Mozilla Network Security Services (NSS) 3.29 or later, the two dependent RPM files libfreebl3-hmac and libsoftokn3-hmac are not installed. Install both RPM files manually.

  5. (Conditional) During the upgrade process, SLES renames the /etc/sysctl.conf file to /etc/sysctl.conf.rpmsave as a backup and creates a new /etc/sysctl.conf file. After the upgrade, verify whether the rpmsave file has entries for the parameters net.core.wmem_max and vm.max_map_count.

    If either parameter is not present, add the following entries to the sysctl.conf file:

    net.core.wmem_max = 67108864
    # Added by sentinel vm.max_map_count: 65530
    vm.max_map_count = 262144

  6. (Conditional) For RHEL 7.x, run the following command to check whether there are any errors in the RPM database:

    rpm -qa --dbpath <install_location>/rpm | grep novell

    Example: # rpm -qa --dbpath /custom/rpm | grep novell

    • If there are any errors, run the following command to fix the errors:

      rpm --rebuilddb --dbpath <install_location>/rpm

      Example: # rpm --rebuilddb --dbpath /custom/rpm

    • Run the command mentioned in Step 6 to ensure that there are no errors.
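
The check in Step 5, as an added example that is not part of the product documentation: a plain grep for vm.max_map_count would also match the "# Added by sentinel" comment line, so this script counts only uncommented entries. The function names and the sample file are constructed for illustration; pass /etc/sysctl.conf or /etc/sysctl.conf.rpmsave as the argument to check a real file.

```sh
#!/bin/sh
# Added example (not from the product documentation): list the kernel
# parameters from Step 5 that have no active entry in a sysctl-style file.

# Parameters and values as given in Step 5.
REQUIRED="net.core.wmem_max=67108864 vm.max_map_count=262144"

# has_param FILE KEY: succeed only if FILE has an uncommented "KEY = ..." line.
has_param() {
    awk -v key="$2" '
        /^[ \t]*[#;]/ { next }            # sysctl.conf comments start with # or ;
        {
            split($0, kv, "=")
            gsub(/[ \t]/, "", kv[1])      # tolerate spaces around the key
            if (kv[1] == key) found = 1
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# missing_params FILE: print a "key = value" line for each required
# parameter that FILE lacks; print nothing when both are present.
missing_params() {
    for pair in $REQUIRED; do
        key=${pair%%=*}
        value=${pair#*=}
        has_param "$1" "$key" || printf '%s = %s\n' "$key" "$value"
    done
}

# Constructed sample: vm.max_map_count appears only inside a comment.
sample_conf() {
    cat <<'EOF'
net.core.wmem_max = 67108864
# Added by sentinel vm.max_map_count: 65530
EOF
}

# check_sample: run the check against the constructed sample.
check_sample() {
    tmp=$(mktemp) || return 1
    sample_conf > "$tmp"
    missing_params "$tmp"
    rm -f "$tmp"
}

# With a file argument, check that file; otherwise check the sample.
if [ "$#" -gt 0 ]; then missing_params "$1"; else check_sample; fi
```

Each line the script prints is an entry that still has to be added to the sysctl.conf file; no output means both parameters are already set.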