7.7 Upgrading Identity Applications

This section provides information about upgrading Identity Applications and supporting software, which includes updating the following components:

  • Identity Manager User Application

  • Self-Service Password Reset (SSPR)

  • Tomcat, JDK, and ActiveMQ

  • PostgreSQL database

  • One SSO Provider (OSP)

    IMPORTANT: Identity Manager 4.7 requires Identity Applications and OSP to be installed on the same computer. When upgrading to this version, use the OSP instance that is installed when Identity Applications are upgraded, and then copy the OSP settings from your existing OSP server to the new OSP server. For more information, see Post-Upgrade Tasks for Identity Applications Components.

7.7.1 Considerations for Upgrade

The Identity Applications upgrade process can vary based on how you want to upgrade the identity applications components. For example, if your Identity Applications and SSPR are installed on different servers, you can choose to upgrade SSPR separately.

Identity Manager supports a local installation of OSP on the Identity Applications server. The upgrade program does not support a standalone upgrade of OSP to this version and installs a new copy of OSP while upgrading Identity Applications. To restore your existing OSP settings to the newly installed OSP, see One SSO Provider in the Post-Upgrade Tasks for Identity Applications Components.

Table 7-1 Upgrade Process for Identity Applications

  • Identity Applications Deployment: Identity Applications, SSPR, and OSP are installed on the same server.

    Upgrade Process: To upgrade all the components, follow the steps from Upgrading Identity Applications.

  • Identity Applications Deployment: Identity Applications and OSP are installed on the same server. SSPR is installed on a different server.

    Upgrade Process:

    1. To upgrade Identity Applications and OSP, follow the steps from Upgrading Identity Applications.

    2. To upgrade SSPR on a different server, follow the steps from Upgrading SSPR.

  • Identity Applications Deployment: Identity Applications are installed on a different server than SSPR and OSP. In this case, SSPR can be installed on the Identity Applications server or a separate server. However, OSP must be installed on the Identity Applications server.

    Upgrade Process:

    1. To upgrade Identity Applications and OSP, follow the steps from Upgrading Identity Applications.

    2. To upgrade SSPR on a different server, follow the steps from Upgrading SSPR.

    3. Launch the configuration update utility and provide details of the new server where OSP is installed. In this case, the new server is the server where Identity Applications is installed. For more information, see SSO Clients Parameters.

7.7.2 Prerequisites

  • Identity Manager is upgraded to version 4.5.6 or later: You cannot upgrade to version 4.7 from versions earlier than 4.5.6. For more information about how to upgrade to Identity Manager 4.7, see Supported Upgrade Paths.

  • Tomcat as an application server: This version of Identity Manager supports only Tomcat as an application server.

    If you are running your identity applications on an application server other than Tomcat, migrate the application server to Tomcat before you perform an upgrade. For more information, see Migrating from Websphere or JBoss to Tomcat.

  • Database platform is upgraded: This program does not upgrade the database platform for the identity applications. Manually upgrade your current version of the database to a supported version. For upgrading the PostgreSQL database, see Preparing the PostgreSQL Database for Upgrade.

  • User Application and Roles and Resource Service driver packages are upgraded: For more information, see Upgrading Installed Packages in the NetIQ Designer for Identity Manager Administration Guide.

  • Self Service Password Reset: If you are upgrading from SSPR 4.0, ensure that you have updated the CATALINA_OPTS property and that -Dsspr.application.Path is set to the directory containing the SSPR configuration.

    For example,

    export CATALINA_OPTS="-Dsspr.application.Path=/home/sspr_data/"

    Back up your SSPR LocalDB before upgrading. To export or download LocalDB, perform the following steps:

    1. Log in to SSPR portal as an administrator.

    2. In the top-right corner of the page, click Configuration Manager from the drop-down menu.

    3. Click LocalDB.

    4. Click Download LocalDB.

7.7.3 System Requirements

The upgrade process creates a backup of the current configuration for the installed components. Ensure that your server has sufficient space to store the backup and additional free space available for upgrade. For more information, see the NetIQ Identity Manager Technical Information website.

7.7.4 Understanding the Upgrade Program

The upgrade process reads the configuration values from the existing components. This information includes ism-configuration.properties, server.xml, SSPRConfiguration and other configuration files. When you use these configuration files, the upgrade process internally invokes the upgrade program for the specified components. The upgrade program also creates a backup of the current installation.

7.7.5 Preparing the PostgreSQL Database for Upgrade

Perform the following steps before upgrading the PostgreSQL database:

  1. Stop Tomcat.

    systemctl stop netiq-tomcat

  2. Stop the PostgreSQL service.

    su -s /bin/sh - postgres -c "/opt/netiq/idm/apps/postgres/bin/pg_ctl stop -w -D /opt/netiq/idm/apps/postgres/data"

  3. Disable the existing unit file for the PostgreSQL service.

    For example,

    systemctl disable postgresql-9.6.service

  4. Clean up the existing unit file for the PostgreSQL service.

    For example,

    rm /usr/lib/systemd/system/postgresql-9.6.service

    systemctl daemon-reload

    systemctl reset-failed

  5. Create a backup directory and take a backup of the existing PostgreSQL directory.

    For example:

    mkdir -p /home/backup

    cp -rvf /opt/netiq/idm/apps/postgres/ /home/backup/

  6. Navigate to the location where you have mounted Identity_Manager_4.7_Linux.iso.

  7. Navigate to the /common/packages/postgres/ directory.

  8. Install the new version of PostgreSQL.

    rpm -ivh netiq-postgresql-9.6.6-0.noarch.rpm

    NOTE: The PostgreSQL home directory is changed to /opt/netiq/idm/postgres/ from the previously installed custom location.

  9. Create a data directory in the PostgreSQL installed location.

    mkdir -p <POSTGRES_HOME>/data, where <POSTGRES_HOME> is /opt/netiq/idm/postgres

    For example:

    mkdir -p /opt/netiq/idm/postgres/data

  10. Change the permissions for the newly installed PostgreSQL directory.

    chown -R postgres:postgres <postgres directory path>

    For example:

    chown -R postgres:postgres /opt/netiq/idm/postgres

  11. Create a postgres user home directory.

    For example, mkdir -p /home/users/postgres

  12. Change the permissions for the newly created PostgreSQL user home directory.

    chown -R postgres:postgres <postgres home directory path>

    For example:

    chown -R postgres:postgres /home/users/postgres

  13. Export the PostgreSQL home directory.

    export PGHOME=<postgres home directory path>

    For example:

    export PG_HOME=/opt/netiq/idm/postgres

  14. Export the PostgreSQL password:

    export PGPASSWORD=<enter the database password>

  15. Initialize the database.

    su -s /bin/sh - postgres -c "LANG=en_US.UTF-8 <POSTGRES_HOME>/bin/initdb -D <POSTGRES_HOME>/data"

    For example:

    su -s /bin/sh - postgres -c "LANG=en_US.UTF-8 /opt/netiq/idm/postgres/bin/initdb -D /opt/netiq/idm/postgres/data"

  16. Change the postgres user’s home directory path to /opt/netiq/idm/postgres/ in the /etc/passwd file.

    1. Navigate to the /etc/ directory.

    2. Edit the passwd file.

      vi /etc/passwd

    3. Change the home directory of the postgres user to /opt/netiq/idm/postgres/.

  17. Navigate to the /opt/netiq/idm/postgres/ directory.

  18. Log in as postgres user.

    For example:

    su postgres

  19. Migrate the existing data.

    For example:

    /opt/netiq/idm/postgres/bin/pg_upgrade --old-datadir /opt/netiq/idm/apps/postgres/data/ --new-datadir /opt/netiq/idm/postgres/data/ --old-bindir /opt/netiq/idm/apps/postgres/bin --new-bindir /opt/netiq/idm/postgres/bin/

  20. Log out as postgres user.

  21. Update the pg_hba.conf file to trust the server network:

    1. Navigate to the /opt/netiq/idm/postgres/data/ directory.

    2. Edit the pg_hba.conf file:

      vi pg_hba.conf

    3. Add the following line in the pg_hba.conf file:

      host all all 0.0.0.0/0 md5

  22. To ensure that your PostgreSQL instance listens on network interfaces other than localhost, update the configuration file:

    1. Navigate to the /opt/netiq/idm/postgres/data/ directory.

    2. Edit the postgresql.conf file:

      vi postgresql.conf

    3. Add the following line in the postgresql.conf file:

      listen_addresses = '*'

      NOTE: To listen on restricted network interfaces, specify a comma-separated list of IP addresses.

  23. Create pg_log directory under <postgres home directory path>/data.

    For example:

    mkdir -p /opt/netiq/idm/postgres/data/pg_log

  24. Change the permissions for the pg_log directory.

    chown -R postgres:postgres <postgres directory path>/data/pg_log

    For example:

    chown -R postgres:postgres /opt/netiq/idm/postgres/data/pg_log

  25. Start the PostgreSQL service.

    systemctl start netiq-postgresql

    This will start the new PostgreSQL service.

  26. Remove old postgres home from the system.

    rm -rf /opt/netiq/idm/apps/postgres/

  27. (Optional) Launch the new pgAdmin from GUI:

    1. Copy scripts directory from old postgres home to new postgres home.

      For example:

      cp -rvf /opt/netiq/idm/apps/postgres/scripts /opt/netiq/idm/postgres

    2. Navigate to the /opt/netiq/idm/postgres/scripts directory.

    3. Edit launchpgadmin.sh and replace the old PostgreSQL path with the new path.

      Replace /opt/netiq/idm/apps/postgres/ with /opt/netiq/idm/postgres.

    4. Navigate to the /usr/share/applications directory and edit the .desktop application to provide the new path for launchpgadmin.sh.

      SLES: Edit the pg-pgadmin-9_6.desktop application and replace the Exec value with the new launchpgadmin.sh path.

      For example:

      Change the value of "Exec=/opt/netiq/idm/apps/postgres/scripts/launchpgadmin.sh" to "Exec=/opt/netiq/idm/postgres/scripts/launchpgadmin.sh"

      RHEL: Navigate to the /usr/share/applications directory and create the pg-pgadmin-9_6.desktop file with the following details:

      For example:

      [Desktop Entry]
      Version=1.0
      Encoding=UTF-8
      Name=pgAdmin 4
      Exec=/opt/netiq/idm/postgres/scripts/launchpgadmin.sh
      Icon=pg-pgadmin-9_6.png
      Terminal=false
      Type=Application
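
Steps 21 and 22 of the procedure above accept password-authenticated connections from every IPv4 address (0.0.0.0/0 in pg_hba.conf) and listen on every interface (listen_addresses = '*'). The following shell audit is an added example, not part of the original NetIQ documentation: it flags those settings and shows the same checks on a scoped configuration. The function names, sample file names, appdb, appuser and the 192.0.2.x addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example, not NetIQ code. Function names, file names, appdb, appuser
# and the 192.0.2.x addresses are constructed for illustration.

# Active host* rules in pg_hba.conf that accept clients from any address.
# Fields: TYPE DATABASE USER ADDRESS [MASK] METHOD
open_hba_rules() {
    awk '/^[ \t]*#/ || NF == 0 { next }
         $1 !~ /^host/ { next }
         { wide = ($4 == "0.0.0.0/0" || $4 == "::/0" || $4 == "all") }
         $4 == "0.0.0.0" && $5 == "0.0.0.0" { wide = 1 }
         wide { print FNR ": " $0 }' "$1"
}

# Effective listen_addresses in postgresql.conf, "name = value" form assumed.
# The last active assignment wins; unset means the default, localhost.
effective_listen() {
    awk -v q="'" '/^[ \t]*listen_addresses[ \t]*=/ {
            v = $0; sub(/^[^=]*=/, "", v); sub(/#.*/, "", v)
            gsub("[ \t" q "]", "", v); val = v; found = 1 }
         END { print (found ? val : "localhost") }' "$1"
}

# Constructed samples: the page's settings next to a scoped alternative.
write_samples() {
    cat > "$1/pg_hba.page" <<'EOF'
# TYPE DATABASE USER ADDRESS METHOD
local all all peer
host all all 127.0.0.1/32 md5
host all all 0.0.0.0/0 md5
EOF
    cat > "$1/pg_hba.scoped" <<'EOF'
local all all peer
host all all 127.0.0.1/32 md5
host appdb appuser 192.0.2.10/32 md5
EOF
    printf '%s\n' "#listen_addresses = 'localhost'" "listen_addresses = '*'" \
        > "$1/postgresql.page"
    printf '%s\n' "listen_addresses = 'localhost,192.0.2.20'  # app NIC" \
        > "$1/postgresql.scoped"
}

demo=$(mktemp -d) && write_samples "$demo"
echo "open rules (page):   $(open_hba_rules "$demo/pg_hba.page")"
echo "open rules (scoped): $(open_hba_rules "$demo/pg_hba.scoped")"
echo "listen (page):   $(effective_listen "$demo/postgresql.page")"
echo "listen (scoped): $(effective_listen "$demo/postgresql.scoped")"
rm -rf "$demo"
```

On the upgraded server the two files are in /opt/netiq/idm/postgres/data/, so the functions can be run against them before step 25 starts the service.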

7.7.6 Upgrading the Identity Applications Components

Upgrading the Driver Packages for Identity Applications

You need to update the packages for the User Application Driver and Role and Resource Service drivers to the latest version. For information about upgrading packages to the latest version, see Upgrading Installed Packages of the NetIQ Designer for Identity Manager Administration Guide.

Upgrading Identity Applications

The following procedure describes how to upgrade Identity Applications.

  1. Download the Identity_Manager_4.7_Linux.iso from the NetIQ Downloads website.

  2. Mount the downloaded .iso.

  3. Run the following command:

    ./install.sh

  4. Read through the license agreement.

  5. Enter y to accept the license agreement.

  6. Specify whether you want to upgrade the Identity Applications. The available options are y and n.

  7. If you proceed with the upgrade, specify the following details:

    OSP Installation Folder for Backup

    This applies only when you have OSP and Identity Applications on the same server.

    Specify the backup installation folder for OSP.

    SSPR Installation Folder

    This applies only when you have SSPR and Identity Applications on the same server.

    Specify the SSPR installation folder.

    SSPR not found on system. Do you want to install & configure it?

    This applies only when you have Identity Applications and SSPR on different servers.

    If you select y, then SSPR will be installed on the same server as Identity Applications. You need to copy the existing customization settings to the new SSPR installed server.

    • SSPR Configuration Password: Specify the SSPR configuration password.

    • One SSO Server DNS/IP Address: Specify the IP address of the server where OSP is installed.

    • One SSO Server SSL Port: Specify the OSP SSL port.

    If you select n, then SSPR will not be installed and Identity Applications will be upgraded.

    User Application Installation Folder

    Specify the User Application installation folder.

    Identity Applications One SSO Service Password

    Specify the One SSO password.

    Identity Applications Database JDBC jar file

    Specify the database JAR file. For example, if you are using a PostgreSQL database and it is installed on the same server, the default location of the existing database JAR file is /opt/netiq/idm/postgres/postgresql-9.4.1212.jar.

    Create Schema for Identity Applications

    Specify when you want to create database schema. The available options are Now, Startup, and File. The default option is Now.

    Identity Applications Database User Password

    Specify the database user password.

    Identity Applications Database Administrator Password

    Specify the database administrator password.

  8. Start Tomcat.

    systemctl start netiq-tomcat

Upgrading SSPR

Use this method when SSPR is installed on a different server than the identity applications server in an Advanced Edition.

This is the only method to upgrade SSPR in a Standard Edition.

To upgrade SSPR:

  1. Download the Identity_Manager_4.7_Linux.iso from the NetIQ Downloads website.

  2. Mount the downloaded .iso.

  3. From the root directory of the .iso file, navigate to the sspr directory.

  4. Run the following command:

    ./install.sh

  5. Read through the license agreement.

  6. Enter y to accept the license agreement.

  7. Specify y to upgrade SSPR.

  8. Specify Identity Vault Administrator Password and complete the upgrade.

7.7.7 Post-Upgrade Tasks for Identity Applications Components

Perform the following tasks before starting to use Identity Applications:

  • Manually delete the previous version of Tomcat and ActiveMQ services. For example, run the following commands:

    /etc/init.d/idmapps_tomcat_init

    /etc/init.d/idmapps_activemq_init

  • You must manually restore the customized settings for Tomcat, SSPR, OSP, and Kerberos.

Tomcat

  • In a cluster environment, manually uncomment the Cluster tag in server.xml and copy osp.jks, located at /opt/netiq/idm/apps/osp_backup_<date> on the first node, to all nodes.

  • If you have customized keystore files, include the correct path in the new server.xml file.

SSPR

If Identity Applications and SSPR are deployed on different servers, and you choose to restore the existing SSPR customized settings to the new server where SSPR is installed, ensure that you modify the SSPR settings on the new SSPR server by using the ConfigUpdate utility. For more information, see SSO Clients Parameters.

One SSO Provider

If Identity Applications and OSP are deployed on different servers in your pre-upgrade setup, copy the existing OSP settings to the new server where OSP is installed (Identity Applications server), then run the merge_jars method from the installation kit on this server to restore your settings.

  1. Stop Tomcat on the server where you upgraded Identity Applications. (OSP is installed with the Identity Applications upgrade.)

  2. Restore the customization.

    1. Navigate to the OSP installation directory in your existing OSP server and locate the osp-custom-resource.jar file.

      For example, /opt/netiq/backup_idm/osp/osp-extras/l10n-resources/osp-custom-resource.jar.

    2. Copy the osp-custom-resource.jar file to a location on the server where you upgraded Identity Applications.

    3. Navigate to <location where you have mounted the Identity_Manager_4.7_Linux.iso>/osp/scripts/merge_cust_loc.sh.

      This script contains the merge_jars method, which merges the existing customization with the newly installed OSP.

    4. Open a command prompt and run the following command:

      merge_jars ${IDM_BACKUP_FOLDER in the remote OSP server}/tomcat/lib/osp-custom-resource.jar ${IDM 4.7_OSP_INSTALLED_HOME}/osp-extras/l10n-resources/osp-custom-resource.jar

      For example:

      merge_jars /opt/netiq/backup_idm/osp/osp-extras/l10n-resources/osp-custom-resource.jar /opt/netiq/idm/apps/osp/osp-extras/l10n-resources/osp-custom-resource.jar

      where the backup_idm directory contains the OSP settings on the existing OSP server.

  3. Start Tomcat on the new server where OSP is installed.

For updating other settings, see SSO Clients Parameters.

Kerberos

The upgrade utility creates a new Tomcat folder on your computer. If any of the Kerberos files such as keytab and Kerberos_login.config resided in the old Tomcat folder, copy those files to the new Tomcat folder from the backed-up folder.

7.7.8 Verifying the Version Numbers After Upgrade

After upgrading to Identity Manager 4.7, verify that the components are upgraded to the following versions:

  • Tomcat – 8.5.27

  • ActiveMQ – 5.15.2

  • Java – 1.8.0_162

  • One SSO Provider – 6.2.1

  • Self-Service Password Reset – 4.2.0.4