9.1 Upgrading on Linux

9.1.1 Upgrading the Access Manager from Version 3.2

To upgrade to a higher version of Access Manager, ensure that you are on Access Manager 3.2. For the supported upgrade paths, see the following table.

Table 9-1 Supported Upgrade Paths

| Source   | Destination |
|----------|-------------|
| 3.2      | 3.2 SP2     |
| 3.2 IR1  | 3.2 SP2     |
| 3.2 SP1  | 3.2 SP2     |
| 3.2 SP1x | 3.2 SP2     |
| 3.2 SP2  | 3.2 SP3     |
| 3.2 SP2x | 3.2 SP3     |

For upgrading, you need to upgrade the components in the following order:

IMPORTANT: The J2EE agents upgrade is not supported.

While you are upgrading the components be aware of the following:

  • Ensure that you are on Access Manager 3.2 or a higher version.

  • You must back up the files that you have customized.

Upgrading the Administration Console

If the Identity Server and SSL VPN are installed on the same machine as the Administration Console, the Identity Server and SSL VPN are automatically upgraded with the Administration Console.

If the Identity Server is installed on the same machine as the Administration Console, the Identity Server is automatically upgraded with the Administration Console. If you are upgrading this configuration and you have custom JSP pages, you can either create your own backup of these files or allow the upgrade program to back them up for you.

If you have installed SSL VPN along with the Administration Console, the SSL VPN server must be upgraded along with the Administration Console.

If you select not to upgrade the SSL VPN server with the Administration Console, the upgrade stops.

  1. Back up any customized JSP pages and related files.

    Even though the upgrade program backs up the JSP directory and its related files in the /root/nambkup folder, it is a good practice to back up these files yourself.

    /var/opt/novell/tomcat7/webapps/nidp/jsp

  2. Open a terminal window.

  3. Log in as the root user.

  4. Download the upgrade file from Patches and Security and extract the tar.gz file using the following command: tar -xzvf <filename>.

  5. (Conditional) If you have installed the SSL VPN server with the Administration Console and you have customized the SSL VPN user interface, back up the customized sslvpnclient.jsp file, then save it as /var/opt/novell/tomcat7/webapps/sslvpn/sslvpnclient.jsp.rpmsave.

    If a file with that name already exists, then either delete the existing file or move it to another location before saving the current .jsp file.

  6. Change to the directory where you unpacked the file, then enter the following command in a terminal window:

    ./upgrade.sh
    
  7. The system displays the confirmation message along with the list of installed components. For example, if the Administration Console and Identity Server are installed on the same machine, the following message is displayed:

    The following components were installed on this machine 
    
    1. Access Manager Administration Console 
    2. Identity Server 
    Do you want to upgrade the above components (y/n)?
    
  8. Type Y to upgrade. A Warning message regarding backup and restore of JSP files is displayed.

  9. Type Y to continue with the upgrade, then press Enter.

  10. Type Y to restore the custom login pages.

  11. Enter the Access Manager Administration Console user ID.

  12. Enter the Access Manager Administration Console password.

  13. Re-enter the password for verification.

  14. The system displays the following message when the upgrade is complete:

    Upgrade completed successfully. 
    
  15. (Optional) To view the upgrade files:

    • To view the upgrade log files, see the files in the /tmp/novell_access_manager directory.

    • If you selected to back up your configuration and used the default directory, see the zip file in the /root/nambkup directory. The log file for this backup is located in the /var/log directory.

    • If the Identity Server is installed on the same machine, the JSP directory was backed up to the /root/nambkup directory. The file is prefixed with nidp_jps and contains the date and time of the backup.

If you encounter an error, see Troubleshooting a Linux Administration Console Upgrade in the NetIQ Access Manager 3.2 SP3 Installation Guide.

Upgrading the Identity Server

Use the following procedure to upgrade the stand-alone Identity Server or the Identity Server installed along with the SSL VPN server. If you have installed both the Identity Server and the Administration Console on the same machine, see Upgrading the Administration Console.

IMPORTANT: Make sure to complete the following before you begin:

  • If you are upgrading the Access Manager components on multiple machines, ensure that the time and date are synchronized on all machines.

  • Make sure that the Access Manager Administration Console is running. However, you must not perform any configuration tasks in the Administration Console during an Identity Server upgrade.

  1. Back up any customized JSP pages and related files.

    Even though the upgrade program backs up the JSP directory and its related files in the /root/nambkup folder, it is a good practice to back up these files yourself.

  2. Open a terminal window.

  3. Log in as the root user.

  4. Download the upgrade file from Patches and Security and extract the tar.gz file using the following command: tar -xzvf <filename>.

  5. Change to the directory where you unpacked the file, then enter the following command in a terminal window:

    ./upgrade.sh
    
  6. The system displays the following confirmation message:

    The following components were installed on this machine
    
    1. Identity Server
    
    Do you want to upgrade the above components (y/n)? 
    
  7. Type Y and press Enter. A Warning message regarding backup and restore is displayed.

  8. Would you like to continue this upgrade? Type Y to upgrade.

  9. The system displays the following message:

    If old jsp pages need to be restored, ensure that you sanitize them to prevent possible Cross-site Scripting attacks. You can sanitize jsp pages after restoring them. Do you want to restore custom login pages? (y/n): 
    

    Type Y to restore.

  10. Enter the Access Manager Administration Console user ID.

  11. Enter the Access Manager Administration Console password.

  12. Re-enter the password for verification.

  13. The system displays the following message when the upgrade is complete:

    Upgrade completed successfully.
    
  14. Restore any customized files from the backup taken earlier. To restore files, copy files to the respective locations:

    • /opt/novell/nam/idp/webapps/nidp/jsp

    • /opt/novell/nam/idp/webapps/nidp/html

    • /opt/novell/nam/idp/webapps/nidp/images

    • /opt/novell/nam/idp/webapps/nidp/config

    • /opt/novell/nam/idp/webapps/nidp/WEB-INF/lib

    • /opt/novell/nam/idp/webapps/nidp/WEB-INF/web.xml

    • /opt/novell/nam/idp/webapps/nidp/WEB-INF/classes

    • /opt/novell/nam/idp/webapps/nidp/WEB-INF/conf

    • /opt/novell/java/jre/lib/security/bcslogin.conf

    • /opt/novell/java/jre/lib/security/nidpkey.keytab

    • /opt/novell/nam/idp/webapps/nidp/classUtils

    • /opt/novell/nam/idp/conf/server.xml

    • /opt/novell/nam/idp/conf/tomcat7.conf
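
The restore prompt in step 9 warns that old JSP pages must be sanitized against cross-site scripting before they go back into service. The following script is an added example, not part of the NetIQ product or documentation: a line-based heuristic that lists lines in a JSP backup where request data is written to the page without output encoding. The pattern lists, function names and sample files are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not NetIQ code: list lines in backed-up JSP files that write
# request data to the page without output encoding, for review before restore.
# Line-based heuristic: multi-line expressions and custom helpers are not seen.

# Common JSP output sinks fed straight from the request (assumed pattern list).
JSP_SINKS='<%=[^%]*request\.get(Parameter|Header|QueryString)'
JSP_SINKS="$JSP_SINKS"'|out\.print(ln)?\([^)]*request\.get(Parameter|Header|QueryString)'
JSP_SINKS="$JSP_SINKS"'|\$\{(param|paramValues|header)(\.|\[)'
# Lines that already encode their output are dropped from the report.
JSP_ENCODED='<c:out |escapeXml\(|escapeHtml'

# scan_jsp_dir DIR: print "file:line:text" for every suspicious line.
scan_jsp_dir() {
    [ -d "$1" ] || { echo "no such directory: $1" >&2; return 2; }
    find "$1" -type f -name '*.jsp' -exec grep -nHE "$JSP_SINKS" {} + |
        grep -vE "$JSP_ENCODED" || true
}

# count_jsp_findings DIR: number of suspicious lines (0 means nothing matched).
count_jsp_findings() {
    scan_jsp_dir "$1" | wc -l | tr -d ' '
}

# make_sample_backup DIR: constructed files standing in for a JSP backup.
make_sample_backup() {
    mkdir -p "$1/jsp"
    cat > "$1/jsp/login.jsp" <<'EOF'
<%@ page contentType="text/html" %>
<input name="user" value="<%= request.getParameter("user") %>">
<p>Target: ${param.target}</p>
<p>Encoded: <c:out value="${param.target}"/></p>
EOF
    cat > "$1/jsp/err.jsp" <<'EOF'
<p><%= StringEscapeUtils.escapeHtml(request.getParameter("msg")) %></p>
<p>Static text only</p>
EOF
}

# Demo on the constructed sample; point scan_jsp_dir at a real backup instead.
sample=$(mktemp -d)
make_sample_backup "$sample"
scan_jsp_dir "$sample"
echo "findings: $(count_jsp_findings "$sample")"
rm -rf "$sample"
```

A clean report does not prove a page is safe; it only means none of the listed patterns matched on a single line.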

Upgrading the Access Gateway Appliance

Before you proceed to upgrade the Access Gateway Appliance, make sure you do the following:

If you have installed the SSL VPN server with the Access Gateway Appliance and you have customized the SSL VPN user interface, make a backup of the customized sslvpnclient.jsp file, then save it as /var/opt/novell/tomcat7/webapps/sslvpn/sslvpnclient.jsp.rpmsave.

If a file with that name already exists, then either delete or move the existing file to another location before saving the current .jsp file.

See Customizing SSL VPN User Interface in the NetIQ Access Manager 3.2 SP3 SSL VPN Server Guide.

  1. Back up any customized JSP pages and related files.

    Even though the upgrade program backs up the JSP directory and its related files in the /root/nambkup folder, it is a good practice to back up these files yourself.

  2. Open a terminal window.

  3. Log in as the root user.

  4. Download the upgrade file from Patches and Security and extract the tar.gz file using the following command: tar -xzvf <filename>.

  5. Change to the directory where you unpacked the file, then enter the following command in a terminal window:

    ./ma_upgrade.sh
    
  6. (Optional) Before upgrading the Access Gateway Appliance it is important to upgrade the version of the underlying operating system. The upgrade script displays the following prompt:

    It is recommended that you upgrade the Appliance OS before continuing. Do you want to continue?
    

    Type Y to continue upgrading the Access Gateway Appliance without upgrading the base operating system. If you select N the upgrade will terminate.

    IMPORTANT: Even though upgrading the base operating system of Access Gateway Appliance is optional, it is recommended to upgrade the base operating system to SLES 11 SP3. Follow the instructions in Section 10.2, Upgrading the Operating System for Access Gateway Appliance to upgrade the operating system.

  7. A Warning message regarding backup and restore is displayed. If you have customized any files, take a backup and restore them after installation.

  8. Would you like to continue this upgrade? Type Y to continue.

  9. Do you want to restore custom login pages? Type Y to confirm.

  10. Enter the Access Manager Administration Console user ID.

  11. Enter the Access Manager Administration Console password.

  12. Re-enter the password for verification.

  13. The system displays the following message when the upgrade is complete:

    Upgrade completed successfully.
    
  14. Restore any customized files from the backup taken earlier. To restore the files, copy the files to the respective locations below:

    • /opt/novell/nam/mag/tomcat7/conf/web.xml

    • /opt/novell/nam/mag/tomcat7/webapps/nesp/WEB-INF/web.xml

    • /opt/novell/nam/mag/tomcat7/webapps/nesp/jsp

    • /opt/novell/nam/mag/tomcat7/webapps/nesp/html

    • /opt/novell/nam/mag/tomcat7/webapps/nesp/images

    • /opt/novell/nam/mag/webapps/agm/WEB-INF/config/current

    • /opt/novell/nam/mag/tomcat7/webapps/nesp/config

    • /opt/novell/devman/jcc/scripts/presysconfig.sh

    • /opt/novell/devman/jcc/scripts/postsysconfig.sh

Upgrading the SSL VPN

If you have installed both the SSL VPN and the Administration Console on the same machine, see Upgrading the Administration Console.

Make sure that you have done the following before you proceed with the upgrade:

  • Upgrade the Administration Console, Identity Server, and Access Gateway Appliance before upgrading SSL VPN servers that are installed on separate machines.

    If the SSL VPN server was installed with the other Access Manager components, the SSL VPN server is automatically upgraded along with the other components.

  • If you have installed high bandwidth SSL VPN, make sure you download and install the high bandwidth SSL VPN RPM. SSL VPN has a high bandwidth RPM that needs to be installed once to get its capabilities. This RPM should be installed before upgrading the SSL VPN server. For information on how to install the high bandwidth SSL VPN RPM, see Section 7.3, Installing the Key for the High-Bandwidth SSL VPN.

  • The Access Manager Administration Console must be up and running before you begin upgrading SSL VPN servers. Do not perform any configuration tasks in the Administration Console during an SSL VPN Server upgrade.

  • If you have customized the SSL VPN user interface, make a backup of the customized sslvpnclient.jsp file, then save it as /var/opt/novell/tomcat7/webapps/sslvpn/sslvpnclient.jsp.rpmsave. If a file with that name already exists, then either delete or move the existing file to another location before saving the current .jsp file.

    See Customizing SSL VPN User Interface in the NetIQ Access Manager 3.2 SP3 SSL VPN Server Guide.

  1. Open a terminal window.

  2. Log in as the root user.

  3. Download the upgrade file from Patches and Security and extract the tar.gz file using the following command: tar -xzvf <filename>.

  4. Change to the directory where you unpacked the file, then enter the following command in a terminal window:

    ./upgrade.sh
    
  5. The system displays the following confirmation message:

    Do you want to upgrade the above components (y/n)?
    
  6. A Warning message regarding backup and restore is displayed. If you have customized any files, take a backup and restore them after installation. For more information, see

  7. Would you like to continue this upgrade? Type Y to continue.

  8. Enter the Access Manager Administration Console user ID.

  9. Enter the Access Manager Administration Console password.

  10. Re-enter the password for verification.

  11. The system displays the following message when the upgrade is complete:

    Upgrade completed successfully.
    
  12. Restore any customized files from the backup taken earlier. To restore the files, copy the files to the respective locations below:

    • /var/opt/novell/tomcat7/conf/server.xml

    • /var/opt/novell/tomcat7/conf/tomcat7.conf

    • /var/opt/novell/tomcat7/webapps/sslvpn/WEB-INF/web.xml

    • /var/opt/novell/tomcat7/webapps/sslvpn/WEB-INF/conf

    • /var/opt/novell/tomcat7/webapps/sslvpn/*.jsp

    • /var/opt/novell/tomcat7/webapps/sslvpn/pages*

    • /var/opt/novell/tomcat7/webapps/sslvpn/jsp

    • /var/opt/novell/tomcat7/webapps/sslvpn/html

    • /var/opt/novell/tomcat7/webapps/sslvpn/images

    • /var/opt/novell/tomcat7/webapps/sslvpn/common

    • /var/opt/novell/tomcat7/webapps/sslvpn/SSLVPNClientHelp

9.1.2 Upgrading from Access Manager 3.2 SP1 to 3.2 SP1 IR1a Using the Patch

The patch helps you upgrade to the latest Access Manager patches with ease. Instead of downloading tar files that contain the entire set of binaries, you can download a .zip file that contains incremental changes in the form of a patch file. This patch file can be used to update all your Access Manager components.

If you have multiple components installed on the same system, the patch installation process will take care of updating all the binaries of these components. For example, if you have both Identity Server and Administration Console installed on a system, installing the patch takes care of updating the binaries of Identity Server and Administration Console.

IMPORTANT: In a cluster setup, ensure that you install the patch on each node of the Access Manager setup.

Prerequisites

  • Before upgrading, back up your current configuration. If the upgrade fails for any reason, you can use the backup file to recover your configuration.

    To back up your Access Manager configuration, do the following on the primary Administration Console: go to the /opt/novell/devman/bin directory and run the ambkup.sh script.

  • To use the patch to upgrade to the latest Access Manager patches, verify that your current version of Access Manager is 3.2.1-57.

    1. In the Administration Console, click Access Manager > Auditing > Troubleshooting > Version.

    2. Examine the value of the Version field to see if it displays 3.2 SP1 version 3.2.1-57.

Downloading the Patch

To download the patch

  1. Go to download.novell.com/patch/finder and specify AM_32_SP1_IR1a.zip in the search box.

  2. Download and save the file to the server running Access Manager. If you have multiple servers in your setup, ensure that you copy this .zip file to all the servers.

  3. Unzip the file using the unzip AM_32_SP1_IR1a.zip command.

  4. After extraction, the following files and folders are created in the AM_32_SP1_IR1a folder:

| File/Folder Name | Description |
|------------------|-------------|
| rpm | Contains rpm files for the patch to run on a Linux server. |
| Patchtool | Contains logging properties file and files necessary for the patch to run on a Windows server. |
| installPtool.sh | Script to install the patch on a Linux server. |
| installPtool.cmd | Script to install the patch on a Windows server. |
| AM_32_SP1_IR1a_201.patch | The patch file. The name of the patch file changes for each IR release. |

Installing the Patch

Install the patch after extracting files from the AM_32_SP1_IR1a.zip file.

  1. Log in as the root user.

  2. Run the sh installPtool.sh command.

    This command installs the patch and the bundled patch file.

    HINT: To manage the Access Manager patch file, go to the /opt/novell/nam/patching/bin folder.

If the patch is already installed, the existing patch files are replaced.

Administering Patches

After the patch is installed, go to the /opt/novell/nam/patching/bin folder.

Use the following options to administer the Access Manager patch file.

| Option | Description | Command on Linux server |
|--------|-------------|-------------------------|
| -qa | Lists all the installed patches. | ./patch -qa |
| -q | Lists the details of a patch that is installed. | ./patch -q  Example: If you have installed AM_32_SP1_IR1a_201.patch, use the following command: ./patch -q IR1-197 |
| -i | Installs a patch. During installation of the patch, all running services are stopped temporarily. After the patch is installed, all the services are restarted and details of the operation are written to log files. | ./patch -i <location and name of the patch>  Example: ./patch -i /tmp/AM_32_SP1_IR1a_201.patch |
| -e | Removes a patch. Use this option to remove an installed patch. The patch maintains content relationship between patches. So, if you have installed patch 1 and patch 2, patch 1 cannot be removed without removing patch 2. This is because patch 2 contains details of patch 1 as well. During the patch process, all the running services are stopped temporarily. | ./patch -e <patch name>  Example: ./patch -e IR1-197 |
| -qpl | Lists details of a patch that is not installed. If you want to view the changes that are included in the patch file without installing it on your server, use this option. | ./patch -qpl <location and name of the patch>  Example: ./patch -qpl /tmp/AM_32_SP1_IR1a_201.patch |
| -v | Verifies a patch. Use this option to verify the integrity of a patch file. | ./patch -v <location and name of the patch>  Example: ./patch -v /tmp/AM_32_SP1_IR1a_201.patch |
| -t | Verifies if services can be restored by the installer. | ./patch -t <location and name of the patch>  Example: ./patch -t /tmp/AM_32_SP1_IR1a_201.patch |

9.1.3 Upgrading Access Manager 3.2 SP2 Using the Patch Process for Linux

You can upgrade the following versions of Access Manager using the patch process:

  • 3.2 SP2 to 3.2 SP2 IR1

  • 3.2 SP2 or 3.2 SP2 IR1 to 3.2 SP2 IR2

The patch helps you upgrade to the latest Access Manager patches with ease. Instead of downloading tar files that contain the entire set of binaries, you can download a .zip file that contains incremental changes in the form of a patch file. This patch file can be used to update all your Access Manager components.

If you have multiple components installed on the same system, the patch installation process will take care of updating all the binaries of these components. For example, if you have both Identity Server and Administration Console installed on a system, installing the patch takes care of updating the binaries of Identity Server and Administration Console.

IMPORTANT: In a cluster setup, ensure that you install the patch on each node of the Access Manager setup.

Prerequisites

  • Before upgrading, back up your current configuration. If the upgrade fails for any reason, you can use the backup file to recover your configuration.

    To back up your Access Manager configuration, do the following on the primary Administration Console: go to the /opt/novell/devman/bin directory and run the ambkup.sh script.

  • To use the patch to upgrade to the latest Access Manager patches, verify the installed product version is as per the latest release.

    1. In the Administration Console, click Access Manager > Auditing > Troubleshooting > Version.

    2. Examine the value of the Version field to see if it displays as follows:

      • 3.2 SP2: 3.2.2-77

      • 3.2 SP2 IR1: 3.2.2-77 + IR1-107

Downloading the Patch

To download the patch

  1. Go to download.novell.com/patch/finder and specify AM_32_SP2_IR2.zip in the search box.

  2. Download and save the file to the server running Access Manager. If you have multiple servers in your setup, ensure that you copy this .zip file to all the servers.

  3. Unzip the patch file using the unzip AM_32_SP2_IR2.zip command.

  4. After extraction, the following files and folders are created in the AM_32_SP2_IR2 folder:

| File/Folder Name | Description |
|------------------|-------------|
| rpm | Contains rpm files for the patch to run on a Linux server. |
| Patchtool | Contains logging properties file and files necessary for the patch to run on a Windows server. |
| installPtool.sh | Script to install the patch on a Linux server. |
| installPatch.sh | Script to install the patch and patch on Linux server. |
| installPtool.cmd | Script to install the patch on a Windows server. |
| AM_32_SP2_IR2-117.patch | The patch file. The name of the patch file changes for each IR release. |

Installing the Patch

Install the patch after extracting files from the AM_32_SP2_IR2.zip file.

  1. Log in as the root user.

  2. Go to the location where you have extracted the patch files.

  3. Run the sh installPatch.sh command.

    This command installs the patch and the bundled binaries.

    HINT: To manage the Access Manager patch file, go to the /opt/novell/nam/patching/bin folder.

If the patch is already installed, the installer exits with a message.

Administering Patches

After the patch is installed, go to the /opt/novell/nam/patching/bin folder.

Use the following options to administer the Access Manager patch file.

| Option | Description | Command on Linux server |
|--------|-------------|-------------------------|
| -qa | Lists all the installed patches. | ./patch -qa |
| -q | Lists the details of a patch that is installed. | ./patch -q  Example: If you have installed <latest release patch name>, use the following command: ./patch -q IR2-117 |
| -i | Installs a patch. During installation of the patch, all running services are stopped temporarily. After the patch is installed, all the services are restarted and details of the operation are written to log files. | ./patch -i <location and name of the patch>  Example: ./patch -i /tmp/AM_32_SP2_IR2-117.patch |
| -e | Removes a patch. Use this option to remove an installed patch. The patch maintains content relationship between patches. So, if you have installed patch 1 and patch 2, patch 1 cannot be removed without removing patch 2. This is because patch 2 contains details of patch 1 as well. During the patch process, all the running services are stopped temporarily. | ./patch -e <patch name>  Example: ./patch -e IR2-117 |
| -qpl | Lists details of a patch that is not installed. If you want to view the changes that are included in the patch file without installing it on your server, use this option. | ./patch -qpl <location and name of the patch>  Example: ./patch -qpl /tmp/AM_32_SP2_IR2-117.patch |
| -v | Verifies a patch. Use this option to verify the integrity of a patch file. | ./patch -v <location and name of the patch>  Example: ./patch -v /tmp/AM_32_SP2_IR2-117.patch |
| -t | Verifies if services can be restored by the installer. | ./patch -t <location and name of the patch>  Example: ./patch -t /tmp/AM_32_SP2_IR2-117.patch |
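
The options in the Administering Patches tables of 9.1.2 and 9.1.3 can be chained so that a patch file is installed only after it passes -v and -t. The following script is an added example, not NetIQ code. It assumes the patch tool exits non-zero when a check fails; the function names, the log path and the stub tool used for the demo are hypothetical.

```shell
#!/bin/sh
# Added example, not NetIQ code: gate "patch -i" behind the tool's own checks.
# Assumption: the patch tool exits non-zero when a check fails; confirm this
# on your installation before relying on the gate.

PATCH_TOOL=${PATCH_TOOL:-/opt/novell/nam/patching/bin/patch}

# preflight_and_install PATCH_FILE [LOG_FILE]
# Runs -v (integrity), -t (services can be restored) and -qpl (records what the
# patch contains), and only then -i. Finishes with -qa to log what is installed.
# Returns 0 on success, 1 if a check failed, 2 if the file is unreadable,
# 3 if the install itself failed.
preflight_and_install() {
    patch_file=$1
    log=${2:-/var/log/nam-patch-preflight.log}   # hypothetical log location
    [ -r "$patch_file" ] || { echo "cannot read $patch_file" >&2; return 2; }
    for opt in -v -t -qpl; do
        echo "== $PATCH_TOOL $opt $patch_file" >> "$log"
        if ! "$PATCH_TOOL" "$opt" "$patch_file" >> "$log" 2>&1; then
            echo "check $opt failed, patch not installed (see $log)" >&2
            return 1
        fi
    done
    echo "== $PATCH_TOOL -i $patch_file" >> "$log"
    "$PATCH_TOOL" -i "$patch_file" >> "$log" 2>&1 || return 3
    "$PATCH_TOOL" -qa >> "$log" 2>&1
}

# make_stub_tool DIR: constructed stand-in for the patch tool so the flow can be
# tried offline. It records its arguments and fails -v for files named *corrupt*.
make_stub_tool() {
    cat > "$1/patch" <<'EOF'
#!/bin/sh
printf '%s\n' "$*" >> "$(dirname "$0")/calls.txt"
case "$1:$2" in -v:*corrupt*) exit 1 ;; esac
exit 0
EOF
    chmod +x "$1/patch"
}

# Demo against the stub; drop these lines to use the real tool path above.
work=$(mktemp -d)
make_stub_tool "$work"
: > "$work/good.patch"
: > "$work/corrupt.patch"
PATCH_TOOL="$work/patch"
preflight_and_install "$work/good.patch" "$work/run.log" && echo "good.patch installed"
preflight_and_install "$work/corrupt.patch" "$work/run.log" || echo "corrupt.patch rejected"
rm -rf "$work"
```

In a cluster, run the same gate on every node, since the patch must be installed on each one.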