22.6 Upgrading Identity Applications and Identity Reporting

This section provides information about upgrading Identity Applications and supporting software, which includes updating the following components:

  • Identity Manager User Application

  • One SSO Provider (OSP)

  • Self-Service Password Reset (SSPR)

  • Tomcat, JDK, and ActiveMQ

  • Identity Reporting

NetIQ provides an upgrade program to upgrade these components. This program is located in the products\CommonApplication\ directory in the Identity Manager installation package. Navigate to the directory that contains the ApplicationUpgrade.exe file.

After the upgrade, the components are upgraded to the following versions:

  • Tomcat – 8.5.27

  • ActiveMQ – 5.15.2

  • Java – 1.8.0_162

  • One SSO Provider – 6.2.1

  • Self-Service Password Reset – 4.2.0.4

  • Identity Applications – 4.7.0

  • Identity Reporting – 6.0.0

This section provides information about the following topics:

22.6.1 Understanding the Upgrade Program

The upgrade process reads the configuration values from the existing components, including ism-configuration.properties, server.xml, SSPRConfiguration.xml, and other configuration files. Using these files, it internally invokes the upgrade program for each component. It also creates a backup of the current installation before changing it.

22.6.2 Prerequisites and Considerations for Upgrade

Before performing an upgrade, review the following considerations:

  • Identity Manager is upgraded to version 4.5.6: You cannot upgrade to version 4.7 from versions earlier than 4.5.6. For more information about how to upgrade to Identity Manager 4.5, see Upgrading Identity Manager in the NetIQ Identity Manager Setup Guide.

  • System Requirements: The upgrade process requires at least 3 GB free disk space for storing the current configuration and the temporary files that are created during upgrade. Ensure that your server has sufficient space to store the back-up and additional free space available for upgrade.

    On a Windows server, the upgrade program stores the temporary files in a directory specified in the %TEMP% environment variable. If this directory does not have the required space, set TEMP and TMP environment variables to a directory on your file system that has sufficient free space. This will redirect the upgrade program to store the files in that directory.

    To set these environment variables to a different directory, complete the following steps before starting the upgrade:

    1. Open the command prompt and enter the following command:

                      SET TMP=D:\custom_tmp
                      SET TEMP=D:\custom_tmp

      where D:\custom_tmp is the path to the directory that has sufficient free disk space.

      NOTE: In a cluster environment, back up the identity applications certificate store (cacerts) before starting the upgrade.

    2. Start the upgrade program from the command line.

  • Tomcat as an application server: This version of Identity Manager supports only Tomcat as an application server.

    NOTE: Ensure that Tomcat was installed by the convenience installer during your previous installation. The upgrade process upgrades only a Tomcat that was installed by the convenience installer.

  • Database platform is upgraded: This program does not upgrade the database platform for the identity applications. Manually upgrade your current version of the database to a supported version. For upgrading the PostgreSQL database, see Upgrading the PostgreSQL Database.

  • Identity applications and Identity Reporting drivers are upgraded: Ensure you have upgraded the following drivers for identity applications and Identity Reporting.

    • User Application Driver

    • Roles and Resource Driver

    • Manage System Gateway Driver

    • Data Collection Service Driver

    For more information, see Upgrading Installed Packages in the NetIQ Designer for Identity Manager Administration Guide

  • Administrator user has the highest access privileges: Run the upgrade program as a user that has local administrator privileges on the server.

  • User Account Control settings are changed to Never Notify: Go to Control Panel > User Accounts > Change User Account Control Settings and select Never Notify. Restore your previous UAC setting after the upgrade completes.

  • Self Service Password Reset: If you are upgrading from SSPR 4.0, ensure that the CATALINA_OPTS property has been updated so that -Dsspr.applicationPath points to the folder where your SSPR configuration is stored.

    For example: set CATALINA_OPTS="-Dsspr.applicationPath=C:\sspr_data"

    Back up your SSPR LocalDB before upgrading. To export (download) the LocalDB, perform the following steps:

    1. Log in to SSPR portal as an administrator.

    2. Navigate to Your ID > Configuration Manager from the drop-down menu.

    3. Click LocalDB.

    4. Click Download LocalDB.
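The following PowerShell script is an added example; it is not part of the NetIQ installation package. It automates the checks in the list above: free space on the drive backing TEMP, a convenience-installer Tomcat, the -Dsspr.applicationPath setting in setenv.bat, and, for clusters, a copy of the identity applications cacerts. The paths under C:\NetIQ\idm\apps, the D:\custom_tmp directory, and the pre-upgrade JRE location are assumptions for a default installation.

```powershell
# Added example (not from the NetIQ documentation): pre-flight checks for the
# upgrade prerequisites. All paths are assumptions for a default install.
param(
    [string]$AppsRoot  = 'C:\NetIQ\idm\apps',
    [string]$TempDir   = 'D:\custom_tmp',   # directory with enough free space
    [long]  $MinFreeGB = 3,
    [switch]$Cluster
)
$ErrorActionPreference = 'Stop'
$problems = @()

# 1. The upgrader writes its backup and temporary files under %TEMP%; the
#    drive behind it needs at least 3 GB free, otherwise redirect TEMP/TMP.
if (-not (Test-Path $TempDir)) { New-Item -ItemType Directory -Path $TempDir | Out-Null }
$drive  = (Get-Item $TempDir).PSDrive
$freeGB = [math]::Round($drive.Free / 1GB, 2)
if ($freeGB -lt $MinFreeGB) {
    $problems += "Only $freeGB GB free on $($drive.Name): (TEMP=$TempDir); need $MinFreeGB GB"
} else {
    # Same effect as the SET TMP/TEMP commands above, limited to this session;
    # start ApplicationUpgrade.exe from this same PowerShell window.
    $env:TMP  = $TempDir
    $env:TEMP = $TempDir
}

# 2. Only a Tomcat installed by the convenience installer is upgraded; the
#    convenience layout has tomcat\bin\setenv.bat under the apps root.
$setenv = Join-Path $AppsRoot 'tomcat\bin\setenv.bat'
if (-not (Test-Path $setenv)) {
    $problems += "No $setenv - Tomcat does not look like a convenience-installer install"
} else {
    # 3. SSPR 4.0 upgrades require -Dsspr.applicationPath in CATALINA_OPTS.
    $content = Get-Content $setenv -Raw
    if ($content -match '-Dsspr\.applicationPath=([^\s"]+)') {
        $ssprPath = $Matches[1]
        if (-not (Test-Path $ssprPath)) {
            $problems += "sspr.applicationPath points to a missing directory: $ssprPath"
        }
    } else {
        $problems += "-Dsspr.applicationPath is not set in $setenv"
    }
}

# 4. Cluster nodes: keep your own copy of cacerts before the JRE is replaced.
#    The pre-upgrade JRE location below is an assumption.
if ($Cluster) {
    $cacerts = Join-Path $AppsRoot 'jre\lib\security\cacerts'
    if (Test-Path $cacerts) {
        $stamp = Get-Date -Format 'MMddyyyy_HHmmss'
        Copy-Item $cacerts (Join-Path $AppsRoot "cacerts_backup_$stamp")
    } else {
        $problems += "cacerts not found at $cacerts"
    }
}

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Host 'Pre-flight checks passed; launch ApplicationUpgrade.exe from this session.'
```

Run it from an elevated PowerShell prompt with -Cluster on clustered nodes; a non-zero exit code means at least one prerequisite is not met and the reason is printed as a warning.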

22.6.3 Upgrading the PostgreSQL Database

IMPORTANT: The upgrade process may take time depending on the size of the database. Plan your upgrade accordingly.

  1. Stop the PostgreSQL service that is running on your server.

  2. Rename the postgres directory from C:\Netiq\idm\apps.

    For example, rename postgres to postgresql_9_3.

  3. Install a PostgreSQL version that is supported on your operating system.

    You must choose a location other than the current installation location of PostgreSQL.

    1. Mount the Identity_Manager_4.7_Windows.iso image file and navigate to the products\CommonApplication\postgre_tomcat_install directory containing the PostgreSQL installation files.

    2. Install the PostgreSQL application by running the TomcatPostgreSQL.exe file.

      Select only PostgreSQL option during installation.

    NOTE: Do not provide any database details on the PostgreSQL details page. Ensure that Create database login account and Create empty database are deselected.

  4. Stop the newly installed PostgreSQL service. Go to Services, search for PostgreSQL 9.6 service, and stop the service.

    NOTE: Only a user with the appropriate rights can stop the service; provide valid credentials when prompted.

  5. Change the permissions for the newly installed PostgreSQL directory by performing the following actions:

    Create a postgres user:

    1. Go to Control Panel > User Accounts > User Accounts > Manage Accounts.

    2. Click Add a user account.

    3. In the Add a User page, specify postgres as the user name and provide a password for the user.

    Provide permissions to postgres user to the existing and newly installed PostgreSQL directories:

    1. Right click the PostgreSQL directory and go to Properties > Security > Edit.

    2. Select Full Control for the user to provide complete permissions.

    3. Click Apply.

  6. Access the PostgreSQL directory as postgres user.

    1. Login to the server as postgres user.

      Before logging in, make sure that the postgres account is allowed to log on to the Windows server; if you connect remotely, verify that remote logon is permitted for this user.

    2. Open a command prompt and set PGPASSWORD to the password of the postgres database user, which pg_upgrade reads to connect to both clusters:

      set PGPASSWORD=<your pg password>

      Clear the variable (set PGPASSWORD=) once the upgrade is finished so that the password does not remain in the environment.
    3. Change to the newly installed PostgreSQL directory.

      For example: C:\Users\postgres>cd C:\NetIQ\idm\apps1\postgresql962\bin.

  7. Upgrade PostgreSQL from the new PostgreSQL bin directory. Run the following command and press Enter:

    pg_upgrade.exe --old-datadir "C:\NetIQ\idm\apps1\postgres\data" --new-datadir "C:\NetIQ\idm\apps1\postgresql962\data" --old-bindir "C:\NetIQ\idm\apps1\postgres\bin" --new-bindir "C:\NetIQ\idm\apps1\postgresql962\bin"
  8. Start the upgraded PostgreSQL database service.

    Go to Services, search for PostgreSQL 9.6 service, and start the service.

    NOTE: Only a user with the appropriate rights can start the service; provide valid credentials when prompted.

  9. Disable the old PostgreSQL service so that it does not start automatically.

  10. (Optional) Run the post-upgrade scripts that pg_upgrade generated in the bin directory of the newly installed PostgreSQL.

    1. Login as postgres user.

    2. Navigate to the new bin directory and run analyze_new_cluster.bat, which regenerates optimizer statistics for the upgraded cluster, and then delete_old_cluster.bat, which removes the old cluster's data directory.

      For example: C:\NetIQ\idm\apps1\postgresql962\bin

    NOTE: Run delete_old_cluster.bat only if you want to delete the old data files.
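The following PowerShell script is an added example and not part of the NetIQ package; it runs steps 4 and 7 through 10 of this procedure unattended, with a pg_upgrade --check dry run before the real upgrade so that an incompatible cluster fails before any data is touched. The directory names follow the example paths above; the Windows service names are assumptions and must be checked with Get-Service *postgres* first. Run it from a PowerShell window opened as the postgres Windows user, as the procedure requires.

```powershell
# Added example (not from the NetIQ documentation): unattended pg_upgrade of
# the identity applications database. Paths and service names are assumptions.
param(
    [string]$OldRoot    = 'C:\NetIQ\idm\apps1\postgres',
    [string]$NewRoot    = 'C:\NetIQ\idm\apps1\postgresql962',
    [string]$OldService = 'postgresql-9.3',      # assumed; verify with
    [string]$NewService = 'postgresql-x64-9.6',  # Get-Service *postgres*
    [switch]$DeleteOldCluster
)
$ErrorActionPreference = 'Stop'

# pg_upgrade reads the superuser password from PGPASSWORD; prompt for it
# instead of hard-coding it, and remove it from the environment afterwards.
$cred = Get-Credential -UserName 'postgres' -Message 'PostgreSQL superuser password'
$env:PGPASSWORD = $cred.GetNetworkCredential().Password

try {
    # Both clusters must be stopped before pg_upgrade touches them.
    foreach ($svc in $OldService, $NewService) {
        Stop-Service -Name $svc -Force
    }

    $pgArgs = @(
        '--old-datadir', (Join-Path $OldRoot 'data'),
        '--new-datadir', (Join-Path $NewRoot 'data'),
        '--old-bindir',  (Join-Path $OldRoot 'bin'),
        '--new-bindir',  (Join-Path $NewRoot 'bin'),
        '--username',    'postgres'
    )
    $pgUpgrade = Join-Path $NewRoot 'bin\pg_upgrade.exe'

    # Dry run: --check validates both clusters without changing any data.
    & $pgUpgrade @pgArgs --check
    if ($LASTEXITCODE -ne 0) { throw "pg_upgrade --check failed with exit code $LASTEXITCODE" }

    # Real upgrade, run from the new bin directory (step 7) so that the
    # analyze_new_cluster.bat and delete_old_cluster.bat scripts land there.
    Push-Location (Join-Path $NewRoot 'bin')
    try {
        & $pgUpgrade @pgArgs
        if ($LASTEXITCODE -ne 0) { throw "pg_upgrade failed with exit code $LASTEXITCODE" }

        # Steps 8 and 9: start the new cluster, keep the old one from starting.
        Start-Service -Name $NewService
        Set-Service  -Name $OldService -StartupType Disabled

        # Step 10 (optional): statistics for the new cluster, then old data removal.
        if (Test-Path '.\analyze_new_cluster.bat') { & '.\analyze_new_cluster.bat' }
        if ($DeleteOldCluster -and (Test-Path '.\delete_old_cluster.bat')) {
            & '.\delete_old_cluster.bat'
        }
    } finally { Pop-Location }
} finally {
    # Never leave the database password in the session environment.
    Remove-Item Env:\PGPASSWORD -ErrorAction SilentlyContinue
}
```

Omit -DeleteOldCluster on the first run; the renamed old directory is the only copy of the pre-upgrade data until the new cluster has been verified with the identity applications.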

22.6.4 System Requirements

The upgrade process creates a back-up of the current configuration for the installed components. Ensure that your server has sufficient space to store the back-up and additional free space available for upgrade.

22.6.5 Upgrading the Driver Packages for Identity Applications

This section explains how to update the packages for the User Application Driver and Roles and Resource Service drivers to the latest version. You must perform this task before upgrading Identity Applications.

  1. In Designer, open your current project.

  2. Right-click Package Catalog > Import Package.

  3. Select the appropriate package. For example, User Application Driver Base package.

  4. Click OK.

  5. In the Developer View, right-click the driver and then click Properties.

  6. Navigate to the Packages tab in the Properties page.

  7. Click the Add package (+) symbol in the top right corner.

  8. Select the package, and then click OK.

  9. Deploy and restart the driver.

  10. Repeat the same procedure to upgrade the package for the Roles and Resource Service driver.

    NOTE:

    • Ensure that the User Application driver and Roles and Resource Service driver are connected to the upgraded Identity Manager.

    • If you install any notification templates while upgrading User Application Driver package, deploy the Default Notification Collection objects to your Identity Manager server.

22.6.6 Using the Guided Process to Upgrade

The following procedure describes how to upgrade Identity Applications, OSP, SSPR, Tomcat, ActiveMQ, and Identity Reporting using the wizard.

  1. Log in to the server where you want to run upgrade process.

  2. Mount the .iso image file and navigate to the directory that contains the upgrade executable, located by default in the products\CommonApplication\ directory.

  3. Stop the Tomcat service and ensure that all User Application related files are closed.

  4. Launch the upgrade program. Right-click ApplicationUpgrade.exe and select Run as administrator.

  5. On the Introduction page, you can view Identity Manager components that you can upgrade, then click Next.

  6. Read and accept the license agreement, then click Next.

  7. Review the Deployed Applications page, then click Next.

    This page lists the currently installed components and their versions. If other applications are deployed on the server, the upgrade process displays a warning that those applications might not work properly after the upgrade; you must restore them manually from the backup created by the upgrade process.

  8. To proceed with the upgrade, click Next.

  9. Complete the guided process, using the following parameters. This program auto populates the values for existing components. Ensure that the correct values are specified for the parameters.

    • One SSO Provider Installation folder

      Represents the path to a directory where the upgrade program creates the application files for OSP. If the path is not correct, browse to the path where OSP is installed.

    • SSPR Installation folder

      Represents the path to a directory where the upgrade program creates the application files for SSPR. If the path is not correct, browse to the path where SSPR is installed.

    • User Application Installation folder

      Represents the path to a directory where the upgrade program creates the application files for the User Application. If the path is not correct, browse to the path where User Application is installed.

    • Database Connection

      Represents the settings for connecting to the User Application database, which the identity applications also use. The upgrade program writes these details to the User Application configuration file.

      Database Platform

      Represents the platform of the User Application database.

      Database Host

      Specifies the name or IP address of the server that hosts the User Application database.

      Database Port

      Specifies the port that the database server uses for communication with the User Application.

      Database Driver JAR File

      Specifies jar file for the database platform.

      The database vendor provides the driver JAR file, which represents the jar for the database server. For example, for PostgreSQL, you might specify postgresql-9.4-1212.jdbc42.jar, by default in C:\NetIQ\idm\apps\postgres. Similarly, specify the appropriate jar files for your database platform.

    • (Conditional) Reporting Database Connection

      Represents the settings for connecting to the Identity Reporting database.

      Database Host

      Specifies the name or IP address of the server that hosts the Identity Reporting database.

      Database Port

      Specifies the port that the database server uses for communication with Identity Reporting.

      Database Name

      Specifies the name of the database. By default, the database name is idmrptdb.

    • (Conditional) Reporting Database Credentials

      Reporting Database User

      Specifies the name of an account that allows Identity Reporting to access and modify data in the reporting database. By default, the database username is postgres.

      Reporting Database Password

      Specifies the password for the specified username.

      Upgrade Reporting Database

      Upgrade Database Now: The upgrade program updates the schema for the reporting database tables as part of the upgrade process.

      Upgrade Database at Application Startup: The upgrade program leaves instructions to update the schema for the database tables when the User Application starts for the first time after the upgrade.

      Write SQL to File: Generates a SQL script that the database administrator can run to update the databases. If you choose this option, you must also specify a name for Schema File. The setting is in the SQL Output File configuration. You might select this option if you do not have permissions to create or modify a database in your environment. For more information about generating the tables with the file, see Manually Creating the Database Schema.

      Database Driver JAR File

      Specifies jar file for the database platform.

      The database vendor provides the driver JAR file, which represents the jar for the database server. For example, for PostgreSQL, you might specify postgresql-9.4-1212.jdbc42.jar, by default in C:\NetIQ\idm\apps\postgres. Similarly, specify the appropriate jar files for your database platform.

    • Upgrade Database

      Upgrade Database Now

      The upgrade program updates the schema for the database tables as part of the upgrade process.

      Upgrade Database at Application Startup

      The upgrade program leaves instructions to update the schema for the database tables when the User Application starts for the first time after the upgrade.

      Write SQL to File

      Generates a SQL script that the database administrator can run to update the databases. If you choose this option, you must also specify a name for Schema File. The setting is in the SQL Output File configuration. You might select this option if you do not have permissions to create or modify a database in your environment. For more information about generating the tables with the file, see Manually Creating the Database Schema.

    • Database Administrator

      Represents the name and password for the database administrator.

      Database Username

      Specifies the account for a database administrator that can create database tables, views, and other artifacts.

      Password

      Specifies the password for the database administrator.

    • Reporting Database Connection

      Represents the name and password for the Identity Reporting database administrator.

      Database Username

      Specifies the account for a database administrator that can create database tables, views, and other artifacts.

      Password

      Specifies the password for the database administrator.

  10. Review the Pre-Upgrade Summary page, then click Install.

    The upgrade process stops the Tomcat service and starts the upgrade, which might take some time to complete.

  11. When the upgrade process completes, review the upgrade log files in /tmp/rbpm_upgrade/. Some configuration must then be updated manually; see Post-Upgrade Tasks.

Depending on where you installed the components, the process creates the backup directory in that location and appends a time stamp (indicating the time of backup) to the backed-up directory.

For example,

  • Tomcat – C:\NetIQ\idm\apps\tomcat_backup_02262018_033634

  • OSP and SSPR - C:\NetIQ\idm\apps\osp_sspr_backup_02262018_033634

  • ActiveMQ - C:\NetIQ\idm\apps\activemq_backup_02262018_033634

  • User Application - C:\NetIQ\idm\apps\UserApplication_backup_02262018_033634

  • Identity Reporting - C:\NetIQ\idm\apps\IdentityReporting_backup_02262018_033634

22.6.7 Post-Upgrade Tasks

After upgrading Identity Applications, ensure you perform the following:

You must also manually restore any customized settings for Tomcat, SSPR, OSP, or the identity applications.

Perform the post-upgrade steps for the required components:

Java

Compare the certificates in the new JRE's jre\lib\security\cacerts with those in your old JRE's cacerts, and manually import any that are missing into the new cacerts.

  1. Import java cacerts using keytool command:

    keytool -import -trustcacerts -file Certificate_Path -alias ALIAS_NAME -keystore cacerts

    NOTE: After the upgrade, the JRE is stored in the identity applications install location, for example C:\NetIQ\idm\apps\jre.

  2. Verify the JRE home location in tomcat\bin\setenv.bat.

  3. Launch Configuration Update utility and verify the path of your cacerts.
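The following PowerShell script is an added example, not part of the NetIQ package. It does the comparison described above mechanically: it lists the trusted-certificate aliases in the backed-up cacerts and in the new JRE's cacerts with keytool, and imports each alias that is missing from the new store with keytool -importkeystore, which copies a single entry between keystores without writing the certificate to disk first. The backup path, the keytool location, and the store password changeit (the JRE default) are assumptions; the new cacerts path is the one given in the note above.

```powershell
# Added example (not from the NetIQ documentation): sync trusted certificates
# from the pre-upgrade cacerts into the upgraded JRE's cacerts.
param(
    [string]$OldCacerts = 'C:\NetIQ\idm\apps\jre_backup\lib\security\cacerts',  # assumed backup path
    [string]$NewCacerts = 'C:\NetIQ\idm\apps\jre\lib\security\cacerts',
    [string]$Keytool    = 'C:\NetIQ\idm\apps\jre\bin\keytool.exe',
    [string]$StorePass  = 'changeit'   # JRE default; change if you hardened it
)
$ErrorActionPreference = 'Stop'

# keytool -list prints one "alias, date, trustedCertEntry," line per trusted
# certificate followed by a fingerprint line; keep only the alias part. The
# date contains a comma, so the alias is everything before the first comma.
function Get-TrustedAliases([string]$Keystore) {
    $out = & $Keytool -list -keystore $Keystore -storepass $StorePass
    if ($LASTEXITCODE -ne 0) { throw "keytool -list failed for $Keystore" }
    $out | ForEach-Object {
        if ($_ -match '^(.+?),.*trustedCertEntry') { $Matches[1].Trim() }
    }
}

foreach ($p in $OldCacerts, $NewCacerts, $Keytool) {
    if (-not (Test-Path $p)) { throw "Not found: $p" }
}
# Keep an untouched copy of the new store in case an import has to be undone.
Copy-Item $NewCacerts "$NewCacerts.pre-sync"

$old     = @(Get-TrustedAliases $OldCacerts)
$new     = @(Get-TrustedAliases $NewCacerts)
$missing = @($old | Where-Object { $new -notcontains $_ })

foreach ($alias in $missing) {
    & $Keytool -importkeystore -noprompt `
        -srckeystore  $OldCacerts -srcstorepass  $StorePass -srcalias  $alias `
        -destkeystore $NewCacerts -deststorepass $StorePass -destalias $alias
    if ($LASTEXITCODE -ne 0) { throw "Import of alias '$alias' failed" }
}
Write-Host ("Imported {0} missing certificate(s): {1}" -f $missing.Count, ($missing -join ', '))
```

Review the printed alias list: anything you do not recognise from your own configuration (for example an expired issuer that was only kept by accident) is better left out of the new store, so rerun with the alias removed from the backup if needed.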

Tomcat

  1. (Conditional) To restore the customized files from the backup taken earlier by the upgrade process, perform the following tasks:

    • Restore customized HTTPS certificates. To restore them, copy the Java Secure Socket Extension (JSSE) Connector settings from the backed-up server.xml to the new server.xml file in the \tomcat\conf directory.

    • Do not copy the configuration files from the backed-up Tomcat directory to the new Tomcat directory. Start with the default configuration of the new version and make changes as needed. For more information, see the Apache Tomcat documentation.

      Verify that the new server.xml file has the following entries:

      <Connector port="8543" protocol="HTTP/1.1" 
             maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
             clientAuth="false" sslProtocol="TLS" 
             keystoreFile="path_to_keystore_file"
             keystorePass="keystore_password" />
      <!--
            <Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/>
       -->

      or

      <Connector port="8543" protocol="org.apache.coyote.http11.Http11NioProtocol" 
             maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
             clientAuth="false" sslProtocol="TLS" 
             keystoreFile="path_to_keystore_file"
             keystorePass="keystore_password" />
      <!--
            <Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/>
       -->

      NOTE: In a cluster environment, manually uncomment the Cluster tag in server.xml and copy osp.jks from the first node (located at C:\netiq\idm\apps\osp_backup_<date>) to all other nodes.

    • If you have customized keystore files, include the correct path in the new server.xml file.

    • Import the identity applications certificates into the Identity Vault's JRE truststore at C:\NetIQ\eDirectory\jre\lib\security\cacerts.

      For example, you can use the following keytool command to copy a single entry from the backed-up cacerts into the Identity Vault truststore (keytool -importkeystore takes the entry name as -srcalias, not -alias):

      keytool -importkeystore -srcalias <User Application certificate alias> -srckeystore <backup cacerts> -srcstorepass changeit -destkeystore C:\NetIQ\eDirectory\jre\lib\security\cacerts
  2. (Conditional) Navigate to the User Application and restore the customized settings manually by reading the backed-up configuration.
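The following PowerShell script is an added example and not NetIQ code; it checks the new server.xml against the expectations in the Tomcat steps above rather than relying on a visual comparison. It confirms that a Connector exists on the HTTPS port with SSLEnabled, scheme and secure set as shown, that the keystoreFile it references actually exists on this node (a restored custom keystore path is the usual thing to get wrong), and that the Cluster element is uncommented on cluster nodes and only there. The server.xml path is the default convenience-installer location and is an assumption; port 8543 is taken from the sample Connector above. The sslEnabledProtocols attribute it recommends is a standard Tomcat 8.5 Connector attribute, not something the sample configuration sets.

```powershell
# Added example (not from the NetIQ documentation): post-upgrade validation
# of the HTTPS Connector in server.xml. The path is an assumption.
param(
    [string]$ServerXml = 'C:\NetIQ\idm\apps\tomcat\conf\server.xml',
    [int]   $HttpsPort = 8543,
    [switch]$Cluster
)
$ErrorActionPreference = 'Stop'
[xml]$xml = Get-Content $ServerXml -Raw
$findings = @()

$conn = $xml.SelectSingleNode("//Connector[@port='$HttpsPort']")
if (-not $conn) {
    $findings += "No Connector on port $HttpsPort - restore it from the backed-up server.xml"
} else {
    # Attributes the documentation expects on the TLS connector.
    foreach ($pair in @{ SSLEnabled = 'true'; scheme = 'https'; secure = 'true' }.GetEnumerator()) {
        if ($conn.GetAttribute($pair.Key) -ne $pair.Value) {
            $findings += "Connector ${HttpsPort}: $($pair.Key) should be '$($pair.Value)'"
        }
    }
    # The keystore path must resolve on this node, or Tomcat fails to start TLS.
    $ks = $conn.GetAttribute('keystoreFile')
    if (-not $ks) {
        $findings += "Connector ${HttpsPort}: keystoreFile is not set"
    } elseif (-not (Test-Path $ks)) {
        $findings += "Connector ${HttpsPort}: keystoreFile '$ks' does not exist (custom keystore path not restored?)"
    }
    # sslProtocol="TLS" alone leaves the enabled versions to the JRE; pinning
    # them with sslEnabledProtocols keeps a new JRE from re-enabling old ones.
    if (-not $conn.GetAttribute('sslEnabledProtocols')) {
        $findings += "Connector ${HttpsPort}: consider sslEnabledProtocols=`"TLSv1.2`" in addition to sslProtocol=`"TLS`""
    }
}

# A commented-out <Cluster> is not returned by XPath, so presence means active.
$clusterNode = $xml.SelectSingleNode("//Cluster[@className='org.apache.catalina.ha.tcp.SimpleTcpCluster']")
if ($Cluster -and -not $clusterNode) {
    $findings += "Cluster tag is still commented out in $ServerXml"
} elseif (-not $Cluster -and $clusterNode) {
    $findings += "Cluster tag is active on a single-node installation"
}

if ($findings) {
    $findings | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Host 'server.xml matches the expected post-upgrade configuration.'
```

Run it on every node after restoring the Connector, before starting Tomcat; on cluster nodes pass -Cluster so that a still-commented Cluster element is reported.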

Identity Applications

Restore the customized identity applications configurations from the backup taken during the upgrade process.

If you are upgrading Identity Manager from 4.5.6 version, you must manually create the compound indexes for each attribute that you want to use to sort users in Identity Manager Dashboard, see Creating Compound Indexes.

  1. Launch the configupdate utility (configupdate.bat) file.

    In the configupdate.bat.properties file, ensure that the use_console value is set to false.

  2. Connect to Identity Vault server and accept the eDirectory certificate.

  3. In the SSO Clients tab, navigate to RBPM and click Show Advanced Options.

  4. Set the RBPM to eDirectory SAML configuration to Auto.

One SSO Provider

By default, the LogHost entry located in the logevent.conf file is set to localhost.

To modify the LogHost entry, manually restore the customized OSP configurations from the backup taken during the upgrade process.

Self-Service Password Reset

After upgrading SSPR, update the SSO client parameters using the Configuration Update utility. For more information, see Self Service Password Reset in the SSO Clients Parameters.

To update the SSPR configuration details, perform the following steps:

  1. Log in to SSPR portal as an administrator.

  2. Update the audit server details:

    1. Navigate to YourID > Configuration Editor, specify the configuration password.

    2. Select Settings > Auditing > Audit Forwarding > Syslog Audit Server Certificates.

    3. Import these certificates from the server and click Save.

  3. Import the LocalDB into SSPR:

    1. Navigate to YourID > Configuration Manager from the drop-down menu.

    2. Click LocalDB.

    3. Click Import (Upload) LocalDB Archive File.

  4. (Conditional) To restrict configuration for SSPR:

    1. Navigate to YourID > Configuration Manager from the list.

    2. Click Restrict Configuration.

  5. Configure administrator permissions for SSPR, see Post-Installation Tasks.

To verify that the upgrade is successful, launch the upgraded components.

For example, launch the Identity Manager Dashboard, click About. Check whether the application displays the new version, such as 4.7.0.

Kerberos

The upgrade utility creates a new Tomcat folder on your computer. If any Kerberos files, such as the keytab and Kerberos_login.config, resided in the old Tomcat folder, copy them from the backed-up folder to the new Tomcat folder.