3.2 Upgrading on Windows

3.2.1 Prerequisites

In addition to the following prerequisites, ensure that you also meet the hardware requirements. For more information about hardware requirements, see Hardware Platform Requirements in the NetIQ Access Manager 3.2 SP2 IR2 Installation Guide.

  • The 3.1 SP4 setup should be on Windows 2008 before upgrading to version 3.2. For more information, see the Access Manager 3.1 SP4 Installation Guide available on the Novell Access Manager Documentation website.

  • Before upgrading, back up your configuration using the ambkup.bat file. For instructions, see Backing Up the Access Manager Configuration in the NetIQ Access Manager 3.2 SP2 Administration Console Guide.

    If the upgrade fails, you need a way to recover your configuration. As a backup can be restored to only the version on which it was created, you must restore your Access Manager components to that version. You can then restore the configuration with the backup file and work with NetIQ Technical Support to solve the upgrade problem before attempting to upgrade again.

3.2.2 Upgrading the Windows Administration Console

If you have installed the Administration Console and Identity Server on the same server, you must upgrade both of them at the same time. Upgrading 3.1 SP4 to 3.2 is supported only on Windows 2008.

NOTE: If your Access Manager 3.1 SP4 components are installed on Windows 2003, migrate them to 3.1 SP4 Windows 2008. For instructions, see Section 2.4.2, Migrating Administration Consoles From Windows 2003 to Windows 2008.

  1. Manually back up your current Access Manager configuration using the ambkup.bat file. For instructions, see Backing Up and Restoring in the NetIQ Access Manager 3.2 SP2 Administration Console Guide.

  2. If the Identity Server is installed on the same server, manually back up the JSP pages and related files in the C:\Program Files (x86)\Novell\Tomcat\webapps\nidp\jsp directory.

  3. If you have customized the tomcat5.conf file or the server.xml file, back up these files before upgrading. These files are overwritten during the upgrade process.

    IMPORTANT: We recommend that you have your own backup of customized files.

  4. Download and run the AM_32_AccessManagerService_Win64.exe upgrade file from NetIQ.

  5. Run the installation program. When the installation program detects an installed version of the Administration Console, it automatically prompts you to upgrade.

  6. Read the Introduction, then click Next.

  7. Accept the License Agreement, then click Next.

  8. Select the component to upgrade that is currently installed, then click Next.

  9. At the upgrade prompt, click Continue.

  10. Specify the following information for the administrator account on the Administration Console:

    Administration user ID: Specify the name of the administration user for the Administration Console.

    Password and Re-enter Password: Specify and re-enter the password for the administration user account.

  11. Decide whether you want the upgrade program to create a backup of your current configuration:

    • If you have a recent backup, click Continue. If you choose to not create a backup when you do not have a recent backup and you then encounter a problem during the upgrade, you may be forced to re-create your configuration.

    • If you do not have a recent backup, click Run Config Backup. The program creates a backup and stores it in the root of the operating system drive in the nambkup directory.

  12. Select the Enable SSL Renegotiation check box if you have a mutual SSL or X509 certificate authentication configured for this server, then click Next.

  13. Review the summary, then click Install.

  14. If the upgrade seems to hang and you have been performing other tasks on the desktop, click the installation screen and check for a warning message. Some subcomponents of Access Manager do not send warning messages to the Installation screen when the focus of the mouse is not on the installation window.

  15. When you are prompted, reboot the server.

  16. View the upgrade log file found in the following location:

    C:\Program Files (x86)\Novell\log\AccessManagerServer_InstallLog.log

  17. If the Identity Server is installed on the same server, copy any custom login pages to the C:\Program Files (x86)\Novell\Tomcat\webapps\nidp\jsp directory.

  18. Restore any customized files from the backup taken earlier.

    To restore the files, copy the content of the following files to the corresponding file in the new location.

    server.xml:

    If you customized the server.xml file in 3.1 SP4, apply the same customizations from your backup to the new 3.2 server.xml file located in the C:\Program Files (x86)\Novell\Tomcat\conf\ directory.

    The following example shows that the IP address is removed and ciphers are added:

    <Connector NIDP_Name="connector" port="8443" address="" ciphers="SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, ... ../>

    Tomcat properties: Go to C:\Program Files\Novell\Tomcat\bin\tomcat5w. Double-click the tomcat5w file and make a note of any elements or attributes customized in 3.1 SP4.

    On the 3.2 server, go to C:\Program Files (x86)\Tomcat\bin\tomcat7w. Change the values and attributes as required.

    For example, if you have modified the heap size in the tomcat5w file, ensure that you make the same changes in the tomcat7w file.

NOTE: If you have installed the Identity Server with the Administration Console and you have customized login pages, decide whether you want your customized pages restored automatically. Be aware that any new features introduced in JSP files that have the same name as your files are lost when your file overwrites the installed file with the automatic restore.

Wait until the upgrade is complete. Compare your customized file with the newly installed file and then decide whether you need to modify your file before restoring it.

For more information about the 3.2 Administration Console requirements, see Administration Console Requirements in the NetIQ Access Manager 3.2 SP2 IR2 Installation Guide.

3.2.3 Upgrading the Windows Identity Server

If you have installed only the Identity Server on the server, use the following procedure to upgrade the Identity Server.

  1. Manually back up the JSP pages and related files in the C:\Program Files (x86)\Novell\Tomcat\webapps\nidp\jsp directory.

    IMPORTANT: We recommend that you have your own backup of the customized files.

  2. If you have customized the tomcat5.conf file or the server.xml file at C:\Program Files (x86)\Novell\Tomcat\conf\, back up these files before upgrading. The registries and the file are overwritten during the upgrade process.

  3. Download and run the AM_32_AccessManagerService_Win64.exe file from Novell.

    This file starts the installation program. When the program detects an installed version of the Identity Server, it automatically prompts you to upgrade.

  4. On the Introduction page, click Next.

  5. Accept the License Agreement.

  6. At the upgrade prompt, click Continue.

  7. Specify the following information for the Administration Console:

    Administration user ID: Specify the name of the administration user for the Administration Console.

    Password and Re-enter Password: Specify and re-enter the password for the administration user account.

  8. If you have customized login pages, decide whether you want your customized pages restored automatically. Be aware that any new features introduced in the JSP files that have the same name as your files are lost when your file overwrites the installed file with the automatic restore.

    You may want to wait until after the upgrade, then compare your customized file with the newly installed file. You can then decide whether you need to modify your file before restoring it.

    NOTE: Ensure that you sanitize the restored customized JSP file to prevent XSS attacks. For more information about how to sanitize the JSP file, see Preventing Cross-site Scripting Attacks in the NetIQ Access Manager 3.2 SP2 Identity Server Guide.

  9. Review the summary, then click Install.

  10. View the upgrade log file found in the following location:

    Windows 2008: C:\Program Files (x86)\Novell\log\AccessManagerServer_InstallLog.log

  11. Copy any custom login pages to the C:\Program Files (x86)\Novell\Tomcat\webapps\nidp\jsp directory.

  12. Restore any customized files from the backup taken earlier.

    To restore the files, copy the content of the following files to the corresponding file in the new location.

    server.xml:

    If you customized the server.xml file in 3.1 SP4, apply the same customizations from your backup to the new 3.2 server.xml file located in the C:\Program Files (x86)\Novell\Tomcat\conf\ directory.

    The following example shows that the IP address is removed and ciphers are added:

    <Connector NIDP_Name="connector" port="8443" address="" ciphers="SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, ... ../>

    Tomcat properties: Go to C:\Program Files\Novell\Tomcat\bin\tomcat5w. Double-click the tomcat5w file and make a note of any elements or attributes customized in 3.1 SP4.

    On the 3.2 server, go to C:\Program Files (x86)\Tomcat\bin\tomcat7w. Change the values and attributes as required.

    For example, if you have modified the heap size in the tomcat5w file, ensure that you make the same changes in the tomcat7w file.

  13. Restart the Tomcat server using the Windows service. Go to Start > Control Panel > System and Security > Administrative Tools > Services.

IMPORTANT: If NetIQ Access Manager is federated with other service providers or if the users are redirected to Access Gateway protected resources from the Identity Server using the target_url, you may see errors regardless of successful authentication. The ConfigUpgrade script enables ‘Allow any target’ for the ‘Intersite Transfer Service’ configuration service for all the service providers.
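
The decision in step 8 above (and in the note at the end of Section 3.2.2) depends on knowing which backed-up JSP files differ from the files the upgrade installed. The following PowerShell is an added example, not part of the vendor guide: it classifies each backed-up JSP against the installed copy and counts places where a request parameter is printed directly, as a starting point for the XSS review. The demo files, directory names and the regular expression are constructed assumptions.

```powershell
# Added example, not vendor code. For each backed-up JSP, report whether restoring
# it would overwrite a changed 3.2 file and whether it prints request input directly.
function Compare-JspBackup {
    param([string]$BackupDir, [string]$InstalledDir)
    $base = (Get-Item -LiteralPath $BackupDir).FullName.TrimEnd('\', '/')
    foreach ($f in Get-ChildItem -LiteralPath $base -Recurse -File -Filter *.jsp) {
        $rel    = $f.FullName.Substring($base.Length + 1)
        $target = Join-Path $InstalledDir $rel
        if (-not (Test-Path -LiteralPath $target)) {
            $state = 'CustomOnly'   # no installed file with this name
        } elseif ((Get-FileHash -LiteralPath $f.FullName).Hash -eq
                  (Get-FileHash -LiteralPath $target).Hash) {
            $state = 'Identical'    # nothing to restore
        } else {
            $state = 'Differs'      # restoring overwrites the 3.2 version
        }
        # Heuristic (assumption): a scriptlet expression that prints a request
        # parameter as-is is a candidate for output encoding.
        $raw = @(Select-String -LiteralPath $f.FullName `
                    -Pattern '<%=\s*request\.getParameter\(').Count
        [pscustomobject]@{ File = $rel; State = $state; RawParamEchoes = $raw }
    }
}

# Constructed demo data in a temporary directory; in practice pass your backup
# folder and C:\Program Files (x86)\Novell\Tomcat\webapps\nidp\jsp.
$root = Join-Path ([IO.Path]::GetTempPath()) ('jspdemo_' + [guid]::NewGuid().ToString('N'))
$bak  = (New-Item -ItemType Directory -Path (Join-Path $root 'backup')).FullName
$inst = (New-Item -ItemType Directory -Path (Join-Path $root 'installed')).FullName
Set-Content (Join-Path $bak  'login.jsp')  '<p>Welcome <%= request.getParameter("user") %></p>'
Set-Content (Join-Path $inst 'login.jsp')  '<p>Welcome</p>'
Set-Content (Join-Path $bak  'banner.jsp') '<p>Corporate banner</p>'

Compare-JspBackup -BackupDir $bak -InstalledDir $inst | Format-Table -AutoSize
Remove-Item -LiteralPath $root -Recurse -Force
```

Files reported as Differs are the ones where an automatic restore would discard changes made in the installed 3.2 version.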

3.2.4 Upgrading the Windows Access Gateway Service

You can upgrade using the same installer you used to install the product. The program detects that the Access Gateway Service is already installed and prompts you to upgrade.

  1. Manually back up any customized Tomcat files. If you have customized the tomcat5.conf file or the server.xml file (C:\Program Files\Novell\Tomcat\conf), back up these files before upgrading. These files are overwritten during the upgrade process.

  2. Download and run AM_32_AccessGatewayService_Win64.exe.

  3. Run the installation program. When the installation program detects an installed version of the Access Gateway, it automatically prompts you to upgrade.

  4. Answer Yes to the prompt to upgrade.

  5. Read the Introduction, then click Next.

  6. Review the Readme information, then click Next.

  7. Accept the License Agreement, then click Next.

  8. Specify the following information:

    User ID: Specify the name of the administration user for the Administration Console.

    Password and Re-enter Password: Specify the password and re-enter the password for the administration user account.

  9. Review the installation summary, then click Install.

    The Access Gateway Service is upgraded.

  10. View the log files. The install logs are located in the C:\Program Files\Novell\log and C:\agsinstall.log directories.

  11. Restore any customized files from the backup taken earlier.

    To restore the files, copy the content of the following files to the corresponding file in the new location.

    server.xml:

    If you customized the server.xml file in 3.1 SP4, apply the same customizations from your backup to the new 3.2 server.xml file located in the C:\Program Files (x86)\Novell\Tomcat\conf\ directory.

    The following example shows that the IP address is removed and ciphers are added:

    <Connector NIDP_Name="connector" port="8443" address="" ciphers="SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, ... ../>

    Tomcat properties: Go to C:\Program Files\Novell\Tomcat\bin\tomcat5w. Double-click the tomcat5w file and make a note of any elements or attributes customized in 3.1 SP4.

    On the 3.2 server, go to C:\Program Files (x86)\Tomcat\bin\tomcat7w. Change the values and attributes as required.

    For example, if you have modified the heap size in the tomcat5w file, ensure that you make the same changes in the tomcat7w file.

  12. Restart the Tomcat server using the Windows service. Go to Start > Control Panel > System and Security > Administrative Tools > Services.
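
The server.xml restore step in Sections 3.2.2, 3.2.3 and 3.2.4 asks you to reapply Connector customizations by hand. The following PowerShell is an added example, not part of the vendor guide: it lists the Connector attributes that differ between the backed-up and the newly installed server.xml, and flags RC4 and MD5 cipher suites for review before they are carried forward. Both XML documents, the 192.0.2.10 address and the function names are constructed for illustration.

```powershell
# Added example, not vendor code. Both XML documents are constructed samples;
# in practice load your backup copy and the upgraded file with Get-Content -Raw.
[xml]$backup = @'
<Server><Service name="Catalina">
  <Connector NIDP_Name="connector" port="8443" address=""
             ciphers="SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA" />
</Service></Server>
'@
[xml]$installed = @'
<Server><Service name="Catalina">
  <Connector NIDP_Name="connector" port="8443" address="192.0.2.10" />
</Service></Server>
'@

# Index every <Connector> by port, as a hashtable of attribute name -> value.
function Get-ConnectorMap([xml]$Doc) {
    $map = @{}
    foreach ($c in $Doc.SelectNodes('//Connector')) {
        $attrs = @{}
        foreach ($a in $c.Attributes) { $attrs[$a.Name] = $a.Value }
        $map[$c.GetAttribute('port')] = $attrs
    }
    return $map
}

# Emit one row per backed-up Connector attribute that differs from the installed file.
function Compare-ConnectorConfig([xml]$Backup, [xml]$Installed) {
    $old = Get-ConnectorMap $Backup
    $new = Get-ConnectorMap $Installed
    foreach ($port in $old.Keys) {
        if (-not $new.ContainsKey($port)) {
            [pscustomobject]@{ Port = $port; Attribute = '(connector)'; Backup = 'present'
                               Installed = 'missing'; Review = '' }
            continue
        }
        $names = @($old[$port].Keys) + @($new[$port].Keys) | Sort-Object -Unique
        foreach ($n in $names) {
            if ($old[$port][$n] -eq $new[$port][$n]) { continue }
            # RC4 and MD5 suites are obsolete (RFC 7465 prohibits RC4 in TLS),
            # so list them for review instead of copying them forward unchanged.
            $weak = @()
            if ($n -eq 'ciphers') {
                $weak = @($old[$port][$n] -split '\s*,\s*' | Where-Object { $_ -match 'RC4|MD5' })
            }
            [pscustomobject]@{ Port = $port; Attribute = $n; Backup = $old[$port][$n]
                               Installed = $new[$port][$n]; Review = ($weak -join ', ') }
        }
    }
}

Compare-ConnectorConfig $backup $installed | Format-List
```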