6.3 Upgrading Change Guardian Appliance from 5.0 to 5.1

This section provides information about upgrading from Change Guardian 5.0.0.0 appliance to Change Guardian 5.1.0.0 appliance.

6.3.1 Planning

This section describes the guidelines and best practices to plan the upgrade.

Upgrade Checklist

Complete the following checklist before proceeding with the upgrade:

  • Ensure that the CG server is on version 5.0 and updated with all the available updates.

    NOTE: Run the command rpm -qa | grep netiq to check the version of your Change Guardian installation.

  • Ensure that you have the email ID and registration code required to access the appliance update channel.

  • Ensure that the following partitions have the recommended free disk space:

    • /var/opt should have 12 GB

    • /opt should have 4 GB

    • / should have 5 GB

  • Back up the data.

    For more information, see Section 20.0, Backing Up and Restoring Data.

  • Download the following files from the Micro Focus Downloads website:

    • The Change Guardian Server install file: cgserver-5.1.0.0-457.x86_64.tgz

    • The operating system install file: SLES-12-SP3-Server-DVD-x86_64-GM-DVD1.iso. Download this file to a location that is accessible to a Hyper-V or VMware ESX console.

    • The appliance configuration utility install file: changeguardian_appliance_configuration_utility_5100-32.tar.gz

  • Ensure that you have not used Change Guardian appliance for any other purpose, as recommended by the End User License Agreement. For example, you have not deployed any application packages other than Change Guardian.

  • Ensure that you have updated the appliance only through the supported Change Guardian release channels. For example, applying updates directly through the SUSE update channel may leave your appliance in an inconsistent state.
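
The following script is an added example, not part of the Change Guardian product or its documentation. It checks the free-space minimums from the checklist and lists the installed netiq packages for review; STAGE_DIR is a hypothetical variable for the directory where the server install file will be copied and extracted.

```shell
#!/bin/sh
# Added example: pre-upgrade checks for the checklist above. Run as root on the appliance.

# free_gb PATH -> whole GB available on the filesystem that holds PATH (empty if df fails)
free_gb() {
    df -Pk "$1" 2>/dev/null | awk 'NR==2 { printf "%d\n", $4 / 1048576 }'
}

# has_space PATH GB -> 0 if at least GB is free, 1 if not, 2 if PATH cannot be checked
has_space() {
    avail=$(free_gb "$1")
    [ -n "$avail" ] || return 2
    [ "$avail" -ge "$2" ]
}

preflight() {
    rc=0
    # Minimums from the checklist, written as path:GB. STAGE_DIR (hypothetical) is where
    # the .tgz is copied and extracted; the upgrade steps call for 7 GB there.
    for req in /var/opt:12 /opt:4 /:5 "${STAGE_DIR:-$PWD}:7"; do
        path=${req%:*}; need=${req##*:}
        if has_space "$path" "$need"; then
            echo "OK   $path has at least ${need} GB free"
        else
            found=$(free_gb "$path")
            echo "FAIL $path needs ${need} GB free (found: ${found:-unknown} GB)"
            rc=1
        fi
    done
    # Version check from the checklist NOTE; the operator confirms the output shows 5.0.
    echo "Installed netiq packages (confirm the server is on 5.0):"
    rpm -qa | grep netiq || { echo "FAIL no netiq packages found"; rc=1; }
    return $rc
}

# Run the checks only when asked, so the functions can also be sourced and reused.
if [ "${1:-}" = "--run" ]; then
    preflight
fi
```

Run it with the --run argument; a non-zero exit status means at least one check failed and the upgrade should not be started yet.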

Upgrade Overview

The following table gives a high-level overview of the steps, the prerequisites to complete the steps, and other considerations:

| Step | Purpose | Prerequisite | Other Consideration |
|---|---|---|---|
| Upgrade Change Guardian | To upgrade to Change Guardian 5.1.0.0 appliance | Change Guardian 5.0.0.0 appliance | None |
| Upgrade the base operating system | To upgrade the operating system to SLES12 SP3 | Change Guardian 5.1.0.0 | Experience is similar to SLES11 to SLES12 OS upgrade procedure |
| Configure Change Guardian | To configure Change Guardian 5.1 appliance to receive future updates | Upgrade the operating system to SLES 12 SP3 | None |

6.3.2 Upgrading the Appliance

This section provides information about upgrading Change Guardian 5.0 appliance to Change Guardian 5.1 appliance.

Upgrading Change Guardian

Perform the following steps to upgrade:

  1. Log in to the Change Guardian server as root

  2. Copy the following file to the Change Guardian server: cgserver-5.1.0.0-457.x86_64.tgz

    NOTE: The downloaded file and the extracted files together need 7 GB of space, which you can clear after the upgrade is complete.

  3. Run the following command to extract the install files: tar -zxvf cgserver-5.1.0.0-457.x86_64.tgz

  4. Use the cd command to change to the directory where the install files are extracted.

  5. Start the upgrade by running the following command: ./install-changeguardian.sh

  6. Follow the prompts to select the language and accept the license agreement.

  7. Accept the upgrade of the Change Guardian internal component to 8.2.0.0.

  8. Approve the upgrade process by entering yes.

    NOTE: Stopping the services takes several minutes.

    Result: The upgrade finishes with the following message: “Change Guardian upgrade configuration is complete.”

  9. Once the services come up, open the Change Guardian web console by using the following URL: https://IP_Address_Change_Guardian_server:8443

    NOTE: Starting the Change Guardian services takes a few minutes.

Upgrading the Operating System

Perform the following steps to start the SLES upgrade:

  1. Stop the Change Guardian services by running the following command: /opt/netiq/cg/scripts/cg_services.sh stop

  2. (Conditional) If Change Guardian is in FIPS mode at this stage, NSS database files must be manually upgraded by running the following command:

    certutil -K -d sql:/etc/opt/novell/sentinel/3rdparty/nss -X

    Follow the on-screen instructions to upgrade the NSS database.

    Give full permissions to the novell user for the following files in the folder /etc/opt/novell/sentinel/3rdparty/nss:

    • cert9.db

    • key4.db

    • pkcs11.txt

  3. Configure the Change Guardian virtual machine:

    • Mount the SLES-12-SP3-Server-DVD-x86_64-GM-DVD1.iso to the DVD in the virtual machine configuration.

    • Change the BIOS setting of the virtual machine to boot from the mounted media.

  4. Boot the virtual machine.

  5. Select Upgrade in the boot menu.

    WARNING: If you select Installation instead of Upgrade, data may be lost.

  6. Select the Language, Keyboard, and License Agreement on the screen and click Next.

  7. (Conditional) At the Network Settings screen, ignore the following message to retain the existing settings, and click Next: "The device is not configured. Press Edit to configure"

    NOTE: This screen appears based on your network configuration.

  8. At the Select for Update screen, select the appropriate partition and click Next.

  9. Click OK to ignore the warning about the partition mount location.

  10. (Conditional) At the Repositories screen, select the appropriate repository and click Next.

    NOTE: This screen appears if you had configured a repository in the Change Guardian 5.0 appliance.

  11. At the Registration screen, do the following:

    • Ignore any error messages or warnings for registration.

    • Select Skip Registration and select Next.

  12. At the Add On Product screen, do not modify the options; select Next.

  13. At the Installation Settings screen, review the text and select Update.

  14. On the confirmation page, select Start Update.

    After the upgrade completes, the system reboots.

  15. After the reboot completes, select Boot from the Hard Disk.

  16. Log in to the Change Guardian server as the root user.

    NOTE: You can safely ignore the message "No IP address is found. Please check appliance network configuration." The network is configured at a later step.

  17. Verify the SLES version by running the following command: cat /etc/SuSE-release

  18. (Conditional) If Change Guardian was in FIPS mode before the operating system upgrade, or if you use Mozilla Network Security Services (NSS) 3.29 or later, two dependent RPM files, libfreebl3-hmac and libsoftokn3-hmac, may not be installed. If they are not present, you must install both RPM files manually.
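
The following script is an added example, not part of the Change Guardian product or its documentation. For a FIPS-mode appliance, it checks after the operating system upgrade that the NSS database files named in step 2 exist and that the two RPM files named in step 18 are installed; the function names are illustrative.

```shell
#!/bin/sh
# Added example: post-upgrade checks for a FIPS-mode appliance. Run as root.
NSS_DIR=/etc/opt/novell/sentinel/3rdparty/nss   # NSS database folder from step 2

# missing_nss_files DIR -> prints each upgraded NSS database file that is absent from DIR
missing_nss_files() {
    for f in cert9.db key4.db pkcs11.txt; do
        [ -f "$1/$f" ] || echo "$f"
    done
}

# missing_hmac_rpms -> prints each RPM from step 18 that rpm does not report as installed
missing_hmac_rpms() {
    for p in libfreebl3-hmac libsoftokn3-hmac; do
        rpm -q "$p" >/dev/null 2>&1 || echo "$p"
    done
}

post_upgrade_check() {
    rc=0
    cat /etc/SuSE-release        # step 17: the operator confirms SLES 12 SP3
    files=$(missing_nss_files "$NSS_DIR")
    if [ -n "$files" ]; then
        echo "FAIL missing in $NSS_DIR:" $files
        rc=1
    else
        # Print owner and mode so the novell user's access can be reviewed.
        ls -l "$NSS_DIR/cert9.db" "$NSS_DIR/key4.db" "$NSS_DIR/pkcs11.txt"
    fi
    rpms=$(missing_hmac_rpms)
    if [ -n "$rpms" ]; then
        echo "FAIL RPM files not installed:" $rpms
        rc=1
    fi
    return $rc
}

# Run the checks only when asked, so the functions can also be sourced and reused.
if [ "${1:-}" = "--run" ]; then
    post_upgrade_check
fi
```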

Configuring the Change Guardian 5.1 Appliance

This section provides information about the packages required to manage the appliance, and about configuring the network settings and the passwords for the root and vaadmin users. The vaadmin user is used to manage the Change Guardian appliance.

Perform the following steps to configure the appliance configuration utility:

  1. Copy the following file to the Change Guardian server: changeguardian_appliance_configuration_utility_5100-32.tar.gz

  2. Extract the file.

    Run the command: tar -xvf changeguardian_appliance_configuration_utility_5100-32.tar.gz

  3. Use the cd command to change to the directory where you extracted the utility.

  4. To configure the appliance, keep your existing network configuration information ready for use and then run the following script:

    ./cg5100-appliance_configuration.sh

    This script configures the required packages to manage the appliance.

    WARNING: Do not run this script remotely. It reconfigures the network, which might interrupt the configuration.

  5. On the Yast-Change Guardian Appliance 5.1.0.0 screen, select Configure.

  6. Follow the on-screen instructions to set the root and the vaadmin password.

    NOTE: You can use an existing or a new password for the root user. However, you must set a new password for the vaadmin user.

  7. Select Static IP Address or DHCP IP Address based on your environment.

  8. (Conditional) Enter the IP details if your network is configured to use a static IP address.

  9. Select Exit to save the configuration, and then press Enter to reboot.

    NOTE: Reboot might take several minutes to complete.

  10. Using your existing registration code, register for updates again so that the appliance receives both Change Guardian and SLES 12 SP3 updates.

    To register with the Change Guardian appliance update channel, log in to the following URL: https://IP_Address_Change_Guardian_server:9443

    For more information, see Registering the Appliance for Updates.

  11. Allow a few minutes to let the services start, then log in to Change Guardian web console by using the following URL: https://IP_Address_Change_Guardian_server:8443

  12. Use the appliance update channel to receive Change Guardian and operating system updates.

    For more information, see Applying Appliance Updates.