3.2 Upgrading on Windows

3.2.1 Prerequisites

In addition to the following prerequisites, ensure that you also meet the hardware requirements. For more information about hardware requirements, see the component-specific requirements in the NetIQ Access Manager 4.0 SP2 Installation Guide.

  • The 3.1 SP4 or 3.1 SP5 setup should be on Windows 2008 before upgrading to version 4.0. For more information, see the Access Manager 3.1 SP5 Installation Guide available in the Novell Access Manager Documentation website.

  • Before upgrading, back up your configuration using the ambkup.bat file. For instructions, see Backing Up the Access Manager Configuration in the NetIQ Access Manager 4.0 SP1 Administration Console Guide.

    If the upgrade fails, you need a way to recover your configuration. As a backup can be restored to only the version on which it was created, you must restore your Access Manager components to that version. You can then restore the configuration with the backup file and work with NetIQ Technical Support to solve the upgrade problem before attempting to upgrade again.

3.2.2 Upgrading from Evaluation Version to the Purchased Version

If you have downloaded the evaluation version and want to keep your configuration after purchasing the product, you need to upgrade each of your components with the purchased version. The upgrade to the purchased version automatically changes your installation to a licensed version.

After you have purchased the product, log in to the Novell Customer Center and follow the link that allows you to download the product. Then follow the instructions in Section 3.2.4, Upgrading Access Manager from 3.2.2 to 4.0 for upgrading components.

For verifying that Access Manager components have been upgraded, see Access Manager HF3 Readme.

3.2.3 Upgrading Access Manager from 3.1 SP4 and 3.1 SP5 to 3.2.2 or 4.0

You can upgrade Access Manager from version 3.1 SP4 and 3.1 SP5 to 3.2 Service Pack 2 or 4.0.

Log in to the NetIQ Downloads page and follow the link that allows you to download the product.

Upgrading the Administration Console

If you have installed the Administration Console and Identity Server on the same server, you must upgrade both of them at the same time. Upgrading 3.1 SP4 or 3.1 SP5 to 3.2.2 or 4.0 is supported only on Windows 2008.

NOTE: If your Access Manager 3.1 SP4 or 3.1 SP5 components are installed on Windows 2003, migrate them to 3.1 SP4 or 3.1 SP5 Windows 2008.

  1. Manually back up your current Access Manager configuration using ambkup.bat file. For instructions, see Backing Up and Restoring in the NetIQ Access Manager 4.0 SP1 Administration Console Guide.

  2. If the Identity Server is installed on the same server, manually back up the JSP pages and related files in the C:\Program Files (x86)\Novell\Tomcat\webapps\nidp\jsp directory.

  3. If you have customized the tomcat5.conf file or the server.xml file, back up these files before upgrading. These files are overwritten during the upgrade process.

    IMPORTANT: We recommend that you have your own backup of customized files.

  4. For upgrading to version 3.2.2: Download and run the Windows 64 exe file from NetIQ.

    For upgrading to version 4.0: Download and run AM_40_AccessManagerService_Win64.exe file from NetIQ.

  5. Run the installation program. When the installation program detects an installed version of the Administration Console, it automatically prompts you to upgrade.

  6. Read the Introduction, then click Next.

  7. Accept the License Agreement, then click Next.

  8. Select the component to upgrade that is currently installed, then click Next.

  9. At the upgrade prompt, click Continue.

  10. Specify the following information for the administrator account on the Administration Console:

    Administration user ID: Specify the name of the administration user for the Administration Console.

    Password and Re-enter Password: Specify and re-enter the password for the administration user account.

  11. Decide whether you want the upgrade program to create a backup of your current configuration:

    • If you have a recent backup, click Continue. If you choose to not create a backup when you do not have a recent backup and you then encounter a problem during the upgrade, you may be forced to re-create your configuration.

    • If you do not have a recent backup, click Run Config Backup. The program creates a backup and stores it in the root of the operating system drive in the nambkup directory.

  12. Review the summary, then click Install.

  13. If the upgrade seems to hang and you have been performing other tasks on the desktop, click the installation screen and check for a warning message. Some subcomponents of Access Manager do not send warning messages to the Installation screen when the focus of the mouse is not on the installation window.

  14. When you are prompted, reboot the server.

  15. View the upgrade log file found in the following location:

    C:\Program Files (x86)\Novell\log\AccessManagerServer_InstallLog.log

  16. If the Identity Server is installed on the same server, copy any custom login pages to the C:\Program Files (x86)\Novell\Tomcat\webapps\nidp\jsp directory.

  17. Restore any customized files from the backup taken earlier.

    To restore the files, copy the content of the following files to the corresponding file in the new location.

    server.xml:

    If you have customized the server.xml file from the backup taken in 3.1 SP4 or 3.1 SP5, ensure that you apply the same to the new 3.2.2 or 4.0 server.xml located at C:\Program Files (x86)\Novell\Tomcat\conf\ directory.

    The example below shows that the IP address is removed and ciphers are added:

    <Connector NIDP_Name="connector" port="8443" address="" ciphers="SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, ... ../>

    Tomcat properties:

    Go to C:\Program Files\Novell\Tomcat\bin\tomcat5w. Double-click the tomcat5w file and make a note of any elements or attributes customized in 3.1 SP4 or 3.1 SP5.

    On the 3.2.2 or 4.0 server, go to C:\Program Files (x86)\Tomcat\bin\tomcat7w. Change the values and attributes as required.

    For example, if you have modified the heap size in tomcat5w file, ensure you make the same changes in the tomcat7w file too.
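Re-applying a customized connector to the new server.xml also re-applies its cipher list, and the suites in the connector shown above rely on RC4 (prohibited for TLS by RFC 7465) and MD5. The following added example, which is not NetIQ code, audits the Connector elements of a backed-up server.xml before they are copied forward; the sample XML, the second connector and the marker list are constructed assumptions.

```python
"""Audit Connector cipher lists in a backed-up Tomcat server.xml."""
import xml.etree.ElementTree as ET

# Substrings that mark a suite as weak: broken stream cipher, broken hash,
# short keys, no encryption, or no authentication. The list is an assumption
# of this example, not a NetIQ recommendation.
WEAK_MARKERS = ("RC4", "MD5", "_DES_", "3DES", "EXPORT", "NULL", "ANON")

# Constructed sample modelled on the connector shown in this guide; the second
# and third connectors and the IP address are made up for the demonstration.
SAMPLE_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector NIDP_Name="connector" port="8443" address=""
               ciphers="SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA"/>
    <Connector NIDP_Name="sampleConnector" port="8444" address="192.0.2.10"
               ciphers="TLS_RSA_WITH_AES_128_CBC_SHA"/>
    <Connector port="9009" protocol="AJP/1.3"/>
  </Service>
</Server>"""


def weak_reasons(suite):
    """Return the weak markers found in one cipher suite name."""
    upper = suite.upper()
    return [marker for marker in WEAK_MARKERS if marker in upper]


def audit_connectors(xml_text):
    """Return one finding per Connector element in the given server.xml text."""
    findings = []
    for conn in ET.fromstring(xml_text).iter("Connector"):
        ciphers = conn.get("ciphers")
        suites = [s.strip() for s in (ciphers or "").split(",") if s.strip()]
        weak = {s: weak_reasons(s) for s in suites if weak_reasons(s)}
        findings.append({
            "port": conn.get("port", "?"),
            # True when the address attribute is absent or empty, which is
            # what the guide calls "the IP address is removed".
            "address_removed": not conn.get("address"),
            # False means no ciphers attribute, so the customization is absent.
            "explicit_ciphers": ciphers is not None,
            "weak": weak,
            "kept": [s for s in suites if s not in weak],
        })
    return findings


def audit_file(path):
    """Audit a server.xml file on disk, for example the pre-upgrade backup."""
    with open(path, encoding="utf-8") as handle:
        return audit_connectors(handle.read())


if __name__ == "__main__":
    for finding in audit_connectors(SAMPLE_SERVER_XML):
        print("port", finding["port"], "address removed:", finding["address_removed"])
        for suite, reasons in finding["weak"].items():
            print("  drop before restoring:", suite, "->", ", ".join(reasons))
        for suite in finding["kept"]:
            print("  keep:", suite)
```

Run audit_file against the backed-up copy and carry forward only the suites reported under "kept".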

NOTE: If you have installed the Identity Server with the Administration Console and you have customized login pages, decide whether you want your customized pages restored automatically. Be aware that any new features introduced in JSP files that have the same name as your files are lost when your file overwrites the installed file with the automatic restore.

Wait until the upgrade is complete. Compare your customized file with the newly installed file and then decide whether you need to modify your file before restoring it.

For more information about the Administration Console requirements, see Installation Requirements on Windows in the NetIQ Access Manager 4.0 SP2 Installation Guide.

Upgrading the Identity Server

If you have installed only the Identity Server on the server, use the following procedure to upgrade the Identity Server.

  1. Manually back up the JSP pages and related files in the C:\Program Files (x86)\Novell\Tomcat\webapps\nidp\jsp directory.

    IMPORTANT: We recommend that you have your own backup of the customized files.

  2. If you have customized the tomcat5.conf file or the server.xml file at C:\Program Files (x86)\Novell\Tomcat\conf\, back up these files before upgrading. The registries and the file are overwritten during the upgrade process.

  3. For upgrading to version 3.2 x: Download and run AM_32_AccessManagerService_Win64.exe file from NetIQ.

    For upgrading to version 4.0: Download and run AM_40_AccessManagerService_Win64.exe file from NetIQ.

    This file starts the installation program. When the program detects an installed version of the Identity Server, it automatically prompts you to upgrade.

  4. On the Introduction page, click Next.

  5. Accept the License Agreement.

  6. At the upgrade prompt, click Continue.

  7. Specify the following information for the Administration Console:

    Administration user ID: Specify the name of the administration user for the Administration Console.

    Password and Re-enter Password: Specify and re-enter the password for the administration user account.

  8. If you have customized login pages, decide whether you want your customized pages restored automatically. Be aware that any new features introduced in the JSP files that have the same name as your files are lost when your file overwrites the installed file with the automatic restore.

    You may want to wait until after the upgrade, then compare your customized file with the newly installed file. You can then decide whether you need to modify your file before restoring it.

    NOTE: Ensure that you sanitize the restored customized JSP file to prevent XSS attacks. For more information about how to sanitize the JSP file, see Preventing Cross-site Scripting Attacks in the NetIQ Access Manager 4.0 SP1 Identity Server Guide.

  9. Review the summary, then click Install.

  10. View the upgrade log file found in the following location:

    Windows 2008: C:\Program Files (x86)\Novell\log\AccessManagerServer_InstallLog.log

  11. Copy any custom login pages to the C:\Program Files (x86)\Novell\Tomcat\webapps\nidp\jsp directory.

  12. Restore any customized files from the backup taken earlier.

    To restore the files, copy the content of the following files to the corresponding file in the new location.

    server.xml:

    If you have customized the server.xml file from the backup taken in 3.1 SP4 or 3.1 SP5, ensure that you apply the same to the new server.xml located at C:\Program Files (x86)\Novell\Tomcat\conf\ directory.

    The example below shows that the IP address is removed and ciphers are added:

    <Connector NIDP_Name="connector" port="8443" address="" ciphers="SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, ... ../>

    Tomcat properties: Go to C:\Program Files\Novell\Tomcat\bin\tomcat5w. Double-click the tomcat5w file and make a note of any elements or attributes customized in 3.1 SP4 or 3.1 SP5.

    On the 3.2.2 or 4.0 server, go to C:\Program Files (x86)\Tomcat\bin\tomcat7w. Change the values and attributes as required.

    For example, if you have modified the heap size in tomcat5w file, ensure you make the same changes in the tomcat7w file too.

  13. Restart the Tomcat server using the Windows service. Go to Start > Control Panel > System and Security > Administrative Tools > Services.

IMPORTANT: If NetIQ Access Manager is federated with other service providers or if the users are redirected to Access Gateway protected resources from the Identity Server using the target_url, you may see errors regardless of successful authentication. The ConfigUpgrade script enables ‘Allow any target’ for the ‘Intersite Transfer Service’ configuration service for all the service providers.
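Step 8 advises comparing each customized JSP file with the newly installed file before restoring it, and sanitizing what you restore. The following added example, which is not part of the NetIQ product or guide, classifies a JSP backup against the upgraded directory by SHA-256 and flags one common unsanitized pattern as a heuristic; the sample file names and contents are constructed.

```python
"""Compare backed-up custom JSP files with the freshly installed ones."""
import hashlib
import re
import tempfile
from pathlib import Path

# Heuristic only: a JSP expression that writes a request parameter straight
# into the page. Other unsanitized sinks exist and are not detected here.
RAW_PARAM_ECHO = re.compile(r"<%=\s*request\.getParameter\s*\(")


def _digests(root):
    """Map each file's path relative to root onto its SHA-256 digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def plan_restore(backup_dir, installed_dir):
    """Classify backed-up files against the upgraded JSP directory."""
    old, new = _digests(backup_dir), _digests(installed_dir)
    return {
        # Same name, different content: restoring overwrites the new version.
        "review_before_restore": sorted(n for n in old if n in new and old[n] != new[n]),
        # Present only in the backup: purely custom pages.
        "custom_only": sorted(n for n in old if n not in new),
        # Identical to the installed file: nothing to restore.
        "unchanged": sorted(n for n in old if n in new and old[n] == new[n]),
        # Shipped by the upgrade and absent from the backup.
        "new_in_upgrade": sorted(n for n in new if n not in old),
    }


def raw_param_echo_lines(jsp_path):
    """Return 1-based line numbers where a request parameter is echoed as is."""
    text = Path(jsp_path).read_text(encoding="utf-8", errors="replace")
    return [i for i, line in enumerate(text.splitlines(), 1)
            if RAW_PARAM_ECHO.search(line)]


def demo():
    """Run both checks on constructed sample trees (names are made up)."""
    with tempfile.TemporaryDirectory() as tmp:
        backup, installed = Path(tmp, "backup"), Path(tmp, "installed")
        backup.mkdir()
        installed.mkdir()
        (backup / "login.jsp").write_text(
            '<p>Hello <%= request.getParameter("user") %></p>\n')
        (installed / "login.jsp").write_text("<p>Hello</p>\n<!-- new feature -->\n")
        (backup / "custom.jsp").write_text("<p>Branding</p>\n")
        (backup / "err.jsp").write_text("<p>Error</p>\n")
        (installed / "err.jsp").write_text("<p>Error</p>\n")
        (installed / "newpage.jsp").write_text("<p>New page</p>\n")

        plan = plan_restore(backup, installed)
        candidates = plan["review_before_restore"] + plan["custom_only"]
        flagged = {n: raw_param_echo_lines(backup / n) for n in candidates}
        return plan, {n: lines for n, lines in flagged.items() if lines}


if __name__ == "__main__":
    plan, flagged = demo()
    for category, names in plan.items():
        print(category, names)
    print("sanitize before restoring:", flagged)
```

Files listed under review_before_restore are the ones where an automatic restore would discard changes shipped by the upgrade.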

Upgrading the Access Gateway Service

You can upgrade using the same installer you used to install the product. The program detects that the Access Gateway Service is already installed and prompts you to upgrade.

  1. Manually back up any customized Tomcat files. If you have customized the tomcat5.conf file or the server.xml file (C:\Program Files\Novell\Tomcat\conf), back up these files before upgrading. These files are overwritten during the upgrade process.

  2. For upgrading to version 3.2 x: Download and run AM_32_AccessGatewayService_Win64.exe file from NetIQ.

    For upgrading to version 4.0: Download and run AM_40_AccessGatewayService_Win64.exe file from NetIQ.

  3. Run the installation program. When the installation program detects an installed version of the Access Gateway, it automatically prompts you to upgrade.

  4. Answer Yes to the prompt to upgrade.

  5. Read the Introduction, then click Next.

  6. Review the Readme information, then click Next.

  7. Accept the License Agreement, then click Next.

  8. Specify the following information:

    User ID: Specify the name of the administration user for the Administration Console.

    Password and Re-enter Password: Specify the password and re-enter the password for the administration user account.

  9. Review the installation summary, then click Install.

    The Access Gateway Service is upgraded.

  10. View the log files. The install logs are located in the C:\Program Files\Novell\log and C:\agsinstall.log directories.

  11. Restore any customized files from the backup taken earlier.

    To restore the files, copy the content of the following files to the corresponding file in the new location.

    server.xml:

    If you have customized the server.xml file from the backup taken in 3.1 SP4 or 3.1 SP5, ensure that you apply the same to the new server.xml located at C:\Program Files\Novell\Tomcat\conf\ directory.

    The example below shows that the IP address is removed and ciphers are added:

    <Connector NIDP_Name="connector" port="8443" address="" ciphers="SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, ... ../>

    Tomcat properties: Go to C:\Program Files\Novell\Tomcat\bin\tomcat5w. Double-click the tomcat5w file and make a note of any elements or attributes customized in 3.1 SP4 or 3.1 SP5.

    On the 3.2.2 or 4.0 server, go to C:\Program Files\Novell\Tomcat\bin\tomcat7w. Change the values and attributes as required.

    For example, if you have modified the heap size in tomcat5w file, ensure you make the same changes in the tomcat7w file too.

  12. Restart the Tomcat server using the Windows service. Go to Start > Control Panel > System and Security > Administrative Tools > Services.

3.2.4 Upgrading Access Manager from 3.2.2 to 4.0

Log in to the NetIQ Downloads page and follow the link that allows you to download the product.

Upgrading the Administration Console

If you have installed the Administration Console and Identity Server on the same server, you must upgrade both of them at the same time.

  1. Manually back up your current Access Manager configuration using ambkup.bat file. For instructions, see Backing Up and Restoring in the NetIQ Access Manager 4.0 SP1 Administration Console Guide.

  2. If the Identity Server is installed on the same server, manually back up the JSP pages and related files in the C:\Program Files (x86)\Novell\Tomcat\webapps\nidp\jsp directory.

  3. If you have customized the tomcat7.conf file or the server.xml file, back up these files before upgrading. These files are overwritten during the upgrade process.

    IMPORTANT: We recommend that you have your own backup of customized files.

  4. Run the installation program. When the installation program detects an installed version of the Administration Console, it automatically prompts you to upgrade.

  5. Read the Introduction, then click Next.

  6. Accept the License Agreement, then click Next.

  7. Select the component to upgrade that is currently installed, then click Next.

  8. At the upgrade prompt, click Continue.

  9. Specify the following information for the administrator account on the Administration Console:

    Administration user ID: Specify the name of the administration user for the Administration Console.

    Password and Re-enter Password: Specify and re-enter the password for the administration user account.

  10. Decide whether you want the upgrade program to create a backup of your current configuration:

    • If you have a recent backup, click Continue. If you choose to not create a backup when you do not have a recent backup and you then encounter a problem during the upgrade, you may be forced to re-create your configuration.

    • If you do not have a recent backup, click Run Config Backup. The program creates a backup and stores it in the root of the operating system drive in the nambkup directory.

  11. Review the summary, then click Install.

  12. If the upgrade seems to hang and you have been performing other tasks on the desktop, click the installation screen and check for a warning message. Some subcomponents of Access Manager do not send warning messages to the Installation screen when the focus of the mouse is not on the installation window.

  13. When you are prompted, reboot the server.

  14. View the upgrade log file found in the following location:

    C:\Program Files (x86)\Novell\log\AccessManagerServer_InstallLog.log

  15. If the Identity Server is installed on the same server, copy any custom login pages to the C:\Program Files (x86)\Novell\Tomcat\webapps\nidp\jsp directory.

  16. Restore any customized files from the backup taken earlier.

    To restore the files, copy the content of the following files to the corresponding file in the new location.

    server.xml

    If you have customized the server.xml file from the backup taken in 3.2.2, ensure that you apply the same to the new 4.0 server.xml located at C:\Program Files (x86)\Novell\Tomcat\conf\ directory.

    The example below shows that the IP address is removed and ciphers are added:

    <Connector NIDP_Name="connector" port="8443" address="" ciphers="SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, ... ../>

    Tomcat properties:

    Go to C:\Program Files\Novell\Tomcat\bin\tomcat7w. Double-click the tomcat7w file and make a note of any elements or attributes customized in 3.2.2.

    On the 4.0 server, go to C:\Program Files (x86)\Tomcat\bin\tomcat7w. Change the values and attributes as required.

Upgrading the Identity Server

If you have installed only the Identity Server on the server, use the following procedure to upgrade the Identity Server.

NOTE: If you are upgrading the Identity Server from 4.0 to 4.0 SP1 and have configured the Google Authenticator custom class, all the existing (registered) users are moved to the new implementation seamlessly. But if you are a new user planning to register with the Google Authenticator, you must configure the contract using the TOTP class implementation available as part of 4.x.x.

  1. Manually back up the JSP pages and related files in the C:\Program Files (x86)\Novell\Tomcat\webapps\nidp\jsp directory.

    IMPORTANT: We recommend that you have your own backup of the customized files.

  2. If you have customized the tomcat7.conf file or the server.xml file at C:\Program Files (x86)\Novell\Tomcat\conf\, back up these files before upgrading. The registries and the file are overwritten during the upgrade process.

  3. Download and run AM_40_AccessManagerService_Win64.exe file from NetIQ.

    This file starts the installation program. When the program detects an installed version of the Identity Server, it automatically prompts you to upgrade.

  4. On the Introduction page, click Next.

  5. Accept the License Agreement.

  6. At the upgrade prompt, click Continue.

  7. Specify the following information for the Administration Console:

    Administration user ID: Specify the name of the administration user for the Administration Console.

    Password and Re-enter Password: Specify and re-enter the password for the administration user account.

  8. If you have customized login pages, decide whether you want your customized pages restored automatically. Be aware that any new features introduced in the JSP files that have the same name as your files are lost when your file overwrites the installed file with the automatic restore.

    You may want to wait until after the upgrade, then compare your customized file with the newly installed file. You can then decide whether you need to modify your file before restoring it.

    NOTE: Ensure that you sanitize the restored customized JSP file to prevent XSS attacks. For more information about how to sanitize the JSP file, see Preventing Cross-site Scripting Attacks in the NetIQ Access Manager 4.0 SP1 Identity Server Guide.

  9. Review the summary, then click Install.

  10. View the upgrade log file found in the following location:

    C:\Program Files (x86)\Novell\log\AccessManagerServer_InstallLog.log

  11. Copy any custom login pages to the C:\Program Files (x86)\Novell\Tomcat\webapps\nidp\jsp directory.

  12. Restore any customized files from the backup taken earlier.

    To restore the files, copy the content of the following files to the corresponding file in the new location.

    server.xml

    If you have customized the server.xml file from the backup taken in 3.2.2, ensure that you apply the same to the new server.xml located at C:\Program Files (x86)\Novell\Tomcat\conf\ directory.

    The example below shows that the IP address is removed and ciphers are added:

    <Connector NIDP_Name="connector" port="8443" address="" ciphers="SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, ... ../>

    Tomcat properties:

    Go to C:\Program Files\Novell\Tomcat\bin\tomcat7w. Double-click the tomcat7w file and make a note of any elements or attributes customized in 3.2.2.

    On the 4.0 server, go to C:\Program Files (x86)\Tomcat\bin\tomcat7w. Change the values and attributes as required.

  13. Restart the Tomcat server using the Windows service. Go to Start > Control Panel > System and Security > Administrative Tools > Services.

IMPORTANT: If NetIQ Access Manager is federated with other service providers or if the users are redirected to Access Gateway protected resources from the Identity Server using the target_url, you may see errors regardless of successful authentication. The ConfigUpgrade script enables ‘Allow any target’ for the ‘Intersite Transfer Service’ configuration service for all the service providers.

Upgrading the Access Gateway Service

You can upgrade by using the same installer you used to install the product. The program detects that the Access Gateway Service is already installed and prompts you to upgrade.

  1. Manually back up any customized Tomcat files. If you have customized the tomcat7.conf file or the server.xml file (C:\Program Files\Novell\Tomcat\conf), back up these files before upgrading. These files are overwritten during the upgrade process.

  2. Download and run AM_40_AccessGatewayService_Win64.exe file from NetIQ.

  3. Run the installation program. When the installation program detects an installed version of the Access Gateway, it automatically prompts you to upgrade.

  4. Answer Yes to the prompt to upgrade.

  5. Read the Introduction, then click Next.

  6. Review the Readme information, then click Next.

  7. Accept the License Agreement, then click Next.

  8. Specify the following information:

    User ID: Specify the name of the administration user for the Administration Console.

    Password and Re-enter Password: Specify the password and re-enter the password for the administration user account.

  9. Review the installation summary, then click Install.

    The Access Gateway Service is upgraded.

  10. View the log files. The install logs are located in the C:\Program Files\Novell\log and C:\agsinstall.log directories.

  11. Restore any customized files from the backup taken earlier.

    To restore the files, copy the content of the following files to the corresponding file in the new location.

    server.xml:

    If you have customized the server.xml file from the backup taken in 3.2.2, ensure that you apply the same to the new server.xml located at C:\Program Files\Novell\Tomcat\conf\ directory.

    The example below shows that the IP address is removed and ciphers are added:

    <Connector NIDP_Name="connector" port="8443" address="" ciphers="SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, ... ../>

    Tomcat properties:

    Go to C:\Program Files\Novell\Tomcat\bin\tomcat7w. Double-click the tomcat7w file and make a note of any elements or attributes customized in 3.2.2.

    On the 4.0 server, go to C:\Program Files\Novell\Tomcat\bin\tomcat7w. Change the values and attributes as required.

  12. Restart the Tomcat server by using the Windows service. Go to Start > Control Panel > System and Security > Administrative Tools > Services.

3.2.5 Applying Access Manager 4.0 Hotfix* Patch for Windows

You can upgrade Access Manager 4.0 to 4.0 Hotfix by applying the Hotfix patch.

NOTE: Hotfix* is used to represent the hotfix number released for Access Manager 4.0.

The patch helps you upgrade to the latest Access Manager with ease. Instead of downloading tar files that contain the entire set of binaries, you can download a .zip file that contains incremental changes in the form of a patch file. You can use this patch file to update all components of your Access Manager.

If you have multiple components installed on the same system, the patch installation process will take care of updating all the binaries of these components. For example, if you have both Identity Server and Administration Console installed on a system, installing the patch takes care of updating the binaries of Identity Server and Administration Console.

IMPORTANT: In a cluster setup, ensure that you install the patch on each node of the Access Manager setup.

Prerequisites

Ensure that you have installed the latest version of the product. Refer to the following readmes for verifying the version numbers of a specific Hotfix release:

Installing the Patch

Perform Step 1 and Step 2 to extract the files.

After extracting files from the <patch name>.zip file, install the patch by using the following command:

Log in as an administrator and from the command prompt, run the installPtool.cmd command. It will install the 4.0 HF* binaries on the Windows system.

HINT: To manage your Access Manager patch file, go to the C:\Program Files\Novell\patching\bin folder.

Installing and Administering Patches

  1. After the patch is installed, go to the C:\Program Files\Novell\patching\bin folder.

  2. Use the following options to administer the Access Manager patch file.

NOTE: xxx represents the build number which is available in the respective release readme.

Option: -qa

    Description: Lists all installed patches.

    Command on Windows server: patch.cmd -qa

Option: -q

    Description: Lists details of an installed patch.

    Command on Windows server: patch.cmd -q

    Example: If you have installed AM_400_HF*-xxx.patch, use the following command: patch.cmd -q HF*-xxx

Option: -i

    Description: Installs a patch. During installation of a patch, all running services are stopped temporarily. After a patch is installed, all services are restarted and details of the operation are written to log files.

    Command on Windows server: patch.cmd -i <location and patch name>

    Example: patch.cmd -i C:/Patches/AM_400_HF*/AM_400_HF*-xxx.patch

Option: -e

    Description: Removes an installed patch. The patch maintains content relationship among patches. So, if you have installed patch 1 and patch 2, patch 1 cannot be removed without removing patch 2. This is because patch 2 contains details of patch 1 as well. During the patch process, all the running services are stopped temporarily.

    Command on Windows server: patch.cmd -e <patch name>

    Example: patch.cmd -e HF*-xxx

Option: -qpl

    Description: Lists details of a patch that is not installed. If you want to view the changes that are included in the patch file without installing it on your server, use this option.

    Command on Windows server: patch.cmd -qpl <location and patch name>

    Example: patch.cmd -qpl C:/Patches/AM_400_HF*/AM_400_HF*-xxx.patch

Option: -v

    Description: Verifies integrity of a patch.

    Command on Windows server: patch.cmd -v <location and patch name>

    Example: patch.cmd -v C:/Patches/AM_400_HF*/AM_400_HF*-xxx.patch

Option: -t

    Description: Verifies if services can be restored by the installer. Use this option to stop/start all services after the installation of patch.

    Command on Windows server: patch.cmd -t <location and patch name>

    Example: patch.cmd -t C:/Patches/AM_400_HF*/AM_400_HF*-xxx.patch