9.3 Upgrading the Change Guardian Server

You can upgrade the following installation types:

  • Traditional installation on an existing Linux server

  • Appliance installation as a managed software appliance

9.3.1 Upgrading a Traditional Installation

If you are upgrading the Change Guardian Server on a computer running RHEL 6.6, ensure the 64-bit expect RPM is installed before you start the upgrade process.

IMPORTANT: Change Guardian requires the operating system to be IPv6-enabled. If IPv6 is not enabled before you upgrade your system, major components will fail to operate.

To upgrade the Change Guardian server in a traditional installation:

  1. Back up your configuration and event information using the backup_util.sh script. For information about using the backup utility, see Backing Up and Restoring Data in the NetIQ Sentinel Administration Guide.

  2. Download the latest installer from the Patch Finder website. You must be a registered user to download patches. If you have not registered, click Register to create a user account in the patch download site.

  3. Log in as root to the server where you want to upgrade Change Guardian.

  4. Specify the following command to extract the install files from the tar file:

    tar -zxvf <install_filename>
    

    where <install_filename> is the name of the install file.

  5. Change to the directory where the install file was extracted.

  6. Specify the following command to upgrade Change Guardian:

    ./install-changeguardian.sh
    
  7. To proceed with a language of your choice, select the number next to the language.

  8. (Conditional) If there are changes to the end user license agreement, read and accept the changes.

  9. Specify yes to approve the upgrade.

  10. Reset the cgadmin password to leverage LDAP authentication.

  11. Verify whether the Change Guardian web console can connect to the server by specifying the following URL in your web browser:

    https://IP_Address_Change_Guardian_server:8443

9.3.2 Upgrading an Appliance Installation

To upgrade the Change Guardian server running as a managed software appliance, you can use Zypper (a command line package manager) or WebYaST (a web-based remote console). For more information, see Using Zypper for Interactive Updates and Using WebYaST for Remote Updates.

In some instances, such as an end user license agreement update, you must upgrade the Change Guardian server appliance using Zypper. For information about which methods of upgrade are supported for a release, see the Release Notes.

To upgrade the appliance using Zypper, perform the following steps:

  1. Back up your configuration and event information using the backup_util.sh script. For information about using the backup utility, see Backing Up and Restoring Data in the NetIQ Sentinel Administration Guide.

  2. Log in to the appliance console as the root user.

  3. To check for available updates, run the command zypper lp.

  4. Install the updates by running the command zypper patch.

    WARNING: Always use the zypper patch command to update/upgrade the Change Guardian appliance. The zypper up command is not compatible with the Change Guardian appliance and might cause serious damage to your environment.

  5. (Conditional) If a window asks you to resolve a merge conflict, select Solution 1.

  6. Restart the Change Guardian appliance by running the command reboot.

To upgrade the appliance using WebYaST, perform the following steps:

  1. Log in to the Change Guardian appliance as a user in the administrator role.

  2. Click Appliance to launch WebYaST.

  3. Back up your configuration and event information using the backup_util.sh script. For information about using the backup utility, see Backing Up and Restoring Data in the NetIQ Sentinel Administration Guide.

  4. (Conditional) If you have not already registered the appliance for automatic updates, register for updates. For more information, see Register the Appliance with Customer Center for Updates.

    If the appliance is not registered, Change Guardian displays a yellow warning indicator.

  5. To check if there are any updates, click Updates.

  6. Select and apply the updates.

    Before upgrading the appliance, WebYaST automatically stops the Change Guardian service. You must manually restart this service after the upgrade is complete. The updates might take a few minutes to complete.

  7. Restart the Change Guardian service.

Disabling RC4 Communication

Change Guardian 4.2 updates the cipher suites to disallow RC4 ciphers. However, RC4 ciphers are left enabled by default on all upgraded environments so that older versions of agents can work with the upgraded Change Guardian server.

Perform the following steps to disable RC4 communication after upgrading:

  1. Navigate to the /etc/opt/novell/sentinel/3rdparty/jetty directory.

  2. Edit the jetty-ssl.xml file.

  3. Under the excluded cipher suites section, add the following ciphers:

    • SSL_RSA_WITH_RC4_128_SHA

    • SSL_RSA_WITH_RC4_128_MD5

  4. Set the following attributes:

    • Owner: Novell

    • Permissions: 600

  5. Restart services using the /opt/netiq/cg/scripts/cg_services.sh restart command.
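
To confirm the edit from the steps above, the following script audits jetty-ssl.xml for both RC4 exclusions, mode 600, and the expected owner. It is an added example, not part of the vendor documentation; it assumes the file uses Jetty's standard ExcludeCipherSuites element with Item entries, and the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example, not vendor code. Assumes Jetty's standard layout:
#   <Set name="ExcludeCipherSuites"><Array ..><Item>NAME</Item>..</Array></Set>
RC4_SUITES="SSL_RSA_WITH_RC4_128_SHA SSL_RSA_WITH_RC4_128_MD5"

# Print only the lines inside the ExcludeCipherSuites element.
excluded_section() {
    awk '/name="ExcludeCipherSuites"/ { inside = 1 }
         inside { print }
         inside && /<\/Set>/ { inside = 0 }' "$1"
}

# audit_jetty_ssl FILE OWNER: print one line per finding, return 0 if none.
audit_jetty_ssl() {
    file=$1 want_owner=$2 rc=0
    [ -r "$file" ] || { echo "UNREADABLE $file"; return 2; }
    section=$(excluded_section "$file")
    for suite in $RC4_SUITES; do
        # Lines holding an XML comment marker are skipped, so an entry that
        # is commented out on a single line is not counted as an exclusion.
        printf '%s\n' "$section" | grep -v '<!--' |
            grep -q "<Item>$suite</Item>" ||
            { echo "NOT_EXCLUDED $suite"; rc=1; }
    done
    mode=$(stat -c '%a' "$file")    # GNU stat, as found on the Linux server
    owner=$(stat -c '%U' "$file")
    [ "$mode" = 600 ] || { echo "MODE $mode, expected 600"; rc=1; }
    [ "$owner" = "$want_owner" ] || { echo "OWNER $owner, expected $want_owner"; rc=1; }
    return $rc
}

# Constructed sample with two deliberate faults: one suite commented out, mode 644.
write_sample() {
    cat > "$1" <<'EOF'
<Configure id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">
  <Set name="ExcludeCipherSuites">
    <Array type="java.lang.String">
      <Item>SSL_RSA_WITH_RC4_128_SHA</Item>
      <!-- <Item>SSL_RSA_WITH_RC4_128_MD5</Item> -->
    </Array>
  </Set>
</Configure>
EOF
    chmod 644 "$1"
}

# Usage on the server: sh audit.sh <path to jetty-ssl.xml> <owner account>
if [ $# -ge 2 ]; then audit_jetty_ssl "$1" "$2"; exit $?; fi
```

Pass the account name that owns the file on your server as the second argument; a non-zero exit status means at least one finding was printed.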

Using Zypper for Interactive Updates

Use Zypper to perform interactive updates on the appliance.

  1. Log in to the appliance as root.

  2. Run the following command: zypper patch

    WARNING: Always use the zypper patch command to update/upgrade the Change Guardian appliance. The zypper up command is not compatible with the Change Guardian appliance and might cause serious damage to your environment.

  3. Restart the appliance.

For more information, see the Zypper Cheat Sheet.

Using WebYaST for Remote Updates

Use WebYaST to manage appliance updates from a web-based remote console. You can access WebYaST in the following ways:

For more information, see the WebYaST documentation.