1.1 Planning to Move to Access Manager 4.0 Service Pack 1

In this release of Access Manager, all components are native 64-bit applications running on 64-bit architecture.

IMPORTANT: Migration from Access Manager 3.1 SP4 or 3.1 SP5 to Access Manager 4.0 SP1 or a higher version is not supported.

To move to Access Manager 4.0 SP1 or a higher version, first migrate Access Manager 3.1 SP4 or 3.1 SP5 to 4.0 and then upgrade to the latest release of Access Manager 4.0 Service Pack 1. For information about upgrade and migration paths, see Upgrading Access Manager.

This section contains details on the following:

1.1.1 General Prerequisites

Ensure that you meet the following requirements before you decide to move to Access Manager 4.0 Service Pack 1:

  • For upgrade: You are currently on Access Manager 3.2 SP2 or higher.

  • All components are configured to the same Network Time Protocol (NTP) server. This is required to synchronize the time across all components.

  • You have physical access to the server or server console (in case of VMware setups) as a root user and are familiar with firewall configurations. The required ports must also be opened in the firewall. For more information about the ports, see Section 1.1.4, Port Details.

  • You have read and understood the network requirements. For details, see Network Requirements in the NetIQ Access Manager 4.0 SP2 Installation Guide.

1.1.2 Understanding Migration and Upgrade

What is Migration?

Migration is the process in which you install the latest version of Access Manager on a new server and then migrate the existing data to the new server.

During the migration process you can either provide a new IP address and host name or reuse an existing IP address.

IMPORTANT: The host name of the new 4.0 Administration Console must be different from the existing primary and secondary Administration Consoles.

Migration can be used in the following cases:

  • You are on a 32-bit architecture and you need to move to a 64-bit architecture. For example, your existing setup is on a 32-bit SLES (SUSE Linux Enterprise Server) 10 SP2 and you plan to move to a 64-bit SLES 11 SP2 or SP3 operating system.

  • You are on a 32-bit architecture and you need to move to a 64-bit architecture. For example, your existing setup is on a 32-bit Windows 2003 and you plan to move to a 64-bit Red Hat 6.4, 6.5 or 6.6 version.

  • You have an existing 64-bit architecture but your operating system is 32-bit. For example, you have a 64-bit server on which a 32-bit operating system is installed.

  • You plan to re-architect your Access Manager setup. For example, you already have one Administration Console installed but you plan to add one more Administration Console to the setup.

What is Upgrade?

Upgrade is the process through which the existing components are moved to a higher version on the same machine. As the underlying operating system does not change, this process is also referred to as an in-place upgrade.

Upgrade can be used in a scenario where you are already on a 64-bit architecture setup. During the upgrade process, the existing IP addresses and hardware are reused.

For example: If you are already on Windows 2008 64-bit platform, you can directly upgrade to Access Manager 4.0. For more information, see Upgrading Access Manager from 3.1 SP4 and 3.1 SP5 to 3.2.x or 4.0 in the NetIQ Access Manager 4.0 Migration and Upgrade Guide.

In addition to the migrate and upgrade process described above, you can also choose to install Access Manager 4.0 Service Pack 1 on a new 64-bit setup. After manually reconfiguring and confirming that the new 4.0 Service Pack 1 setup is working fine, you can decommission the old setup.

IMPORTANT: To avoid service disruptions, you can install Access Manager 4.0 Service Pack 1 devices such as Identity Provider, Access Gateway Service and SSL VPN on a new 64-bit server and then add them to the existing cluster. When the version 4.0 Service Pack 1 setup is functional, you can decommission the old setup.

1.1.3 Assessing Your Current Setup

Before you decide to upgrade or migrate, it is important to assess your current setup in terms of version of Access Manager and components installed, hardware, and operating system.

  • Current Version of Access Manager: Before you upgrade to Access Manager 4.0 Service Pack 1, ensure that you are on Access Manager 3.2 Service Pack 2 or higher.

  • Current Hardware: If your current operating system is on a 32-bit architecture, migrate to a 64-bit architecture. This is required because all the components of Access Manager 4.0 are on 64-bit architecture.

  • Current Operating System: You can move to Access Manager 4.0 from a SLES platform or a Windows platform.

    • You are on SLES: To move to Access Manager 4.0, the operating system must be SLES 11 SP2 or SP3 (64-bit). If you are on SLES 10.x, upgrade to the SLES 11 SP2 or SP3 (64-bit) operating system.
    • You are on Windows: If your current operating system is Windows 2008, you can directly upgrade to Access Manager 4.0. But if your current operating system is Windows 2003, migrate to Windows 2008 and then install Access Manager 4.0.
  • Access Manager components: Identify the combination of Access Manager components that are currently installed in your setup. This will help you determine if you need to upgrade, migrate or do a combination of both.

    For example, assume you have Administration Console and Identity Server installed in Windows 2008 and the 3.1 SP4 or 3.1 SP5 Access Gateway Appliance.

    In this scenario, you will first upgrade the Administration Console and the Identity Server. But the 3.1 SP4 or 3.1 SP5 Access Gateway Appliance needs to be migrated to 4.0 Access Gateway Appliance.

Determining Whether to Migrate or Upgrade

The following table indicates if you must migrate or upgrade based on your existing setup:

Table 1-1 Determining the Path to Move to Access Manager 4.0

| Platforms | Windows 2003 | Windows 2008 | SLES |
|---|---|---|---|
| Administration Console/Identity Server | Migrate | Upgrade. For more information see, | Migrate |
| Access Gateway Appliance (also known as Linux Access Gateway) | NA | Migrate | Migrate |
| Access Gateway Service | NA | Upgrade. For more information, see Upgrading the Access Gateway Service | Upgrade. For more information, see Upgrading the 3.1 SP4 or 3.1 SP5 Access Gateway Service |
| SSL VPN | NA | NA | Migrate |

1.1.4 Port Details

In version 4.0, the Administration Console, Identity Server, and SSL VPN run in separate instances of Tomcat. By default, each component's Tomcat uses ports 8080 (HTTP) and 8443 (HTTPS). Installing multiple components on the same server can cause a port conflict. To avoid this conflict, each component is assigned a unique port number on which the device can listen.

If a component is installed on a dedicated server, no port changes are required. By default, the HTTP port is 8080 and the HTTPS port is 8443.

The browser requests made to ports 8080/8443 are automatically redirected to the port on which the component is listening. Depending on the configuration, you must open ports 2080, 2443, and 3443 in the firewall.

The following table describes the ports for all the components of Access Manager:

| Configuration | Identity Server | Administration Console | SSL VPN |
|---|---|---|---|
| Access Gateway + SSL VPN | NA | NA | 8080/8443 |
| Administration Console + SSL VPN | NA | 2080/2443 | 8080/8443 |
| Administration Console only | NA | 8080/8443 | NA |
| Identity Server + Administration Console | 8080/8443 | 2080/2443 | NA |
| Identity Server + Administration Console + SSL VPN | 8080/8443 | 2080/2443 | 3080/3443 |
| Identity Server + SSL VPN | 8080/8443 | NA | 3080/3443 |
| Identity Server only | 8080/8443 | NA | NA |
| SSL VPN only | NA | NA | 8080/8443 |
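
The port table above reduces to a short rule, which the following added example (not part of the original guide or of Access Manager) applies to audit a host before opening firewall ports: it derives the ports a given component combination should listen on and compares them with `ss -ltn` output. The component labels `idp`, `ac` and `sslvpn`, the function names, and the sample `ss` output are assumptions made for this example.

```python
# Port pairs (HTTP, HTTPS) as listed in the port table.
DEFAULT, SECOND, THIRD = (8080, 8443), (2080, 2443), (3080, 3443)
KNOWN_PORTS = set(DEFAULT + SECOND + THIRD)

def expected_ports(components):
    """Map each co-installed component to its (http, https) pair.

    components: non-empty subset of {"idp", "ac", "sslvpn"} (example labels).
    An Access Gateway on the same host does not change the result.
    """
    comps = set(components)
    if not comps or comps - {"idp", "ac", "sslvpn"}:
        raise ValueError("unknown or empty component set: %r" % sorted(comps))
    ports = {}
    if "idp" in comps:       # Identity Server always keeps the defaults
        ports["idp"] = DEFAULT
    if "ac" in comps:        # Administration Console moves when it shares a host
        ports["ac"] = DEFAULT if comps == {"ac"} else SECOND
    if "sslvpn" in comps:    # SSL VPN moves only when Identity Server is present
        ports["sslvpn"] = THIRD if "idp" in comps else DEFAULT
    return ports

def listening_ports(ss_output):
    """Extract TCP listening ports from `ss -ltn` style output."""
    ports = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[0] == "LISTEN":
            port = fields[3].rsplit(":", 1)[-1]
            if port.isdigit():
                ports.add(int(port))
    return ports

def audit(components, ss_output):
    """Report required ports not listening, and Access Manager ports that are
    listening although this configuration does not call for them."""
    need = {p for pair in expected_ports(components).values() for p in pair}
    have = listening_ports(ss_output)
    return {"missing": sorted(need - have),
            "unexpected": sorted((have & KNOWN_PORTS) - need)}

# Constructed sample output for a host running Identity Server + Administration Console.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      100    0.0.0.0:8080       0.0.0.0:*
LISTEN 0      100    0.0.0.0:8443       0.0.0.0:*
LISTEN 0      100    [::]:2443          [::]:*
LISTEN 0      100    192.0.2.10:3443    0.0.0.0:*
"""

if __name__ == "__main__":
    print(audit({"idp", "ac"}, SAMPLE_SS))
```

A port reported as unexpected is one that the configuration in the table does not use, so it should not be opened in the firewall for that host.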

1.1.5 IP Address Considerations

Before you migrate to the Access Manager 4.0 setup, you must decide if you want to reuse your existing IP address or use a new IP address to set up the system.

If you are already on a 64-bit architecture (the older version of Access Manager is installed on 64-bit hardware), you can choose to reuse the existing IP address, whereas if you have decided to move to new 64-bit servers, you must use new IP addresses.

NOTE: For the primary Administration Console migration, you will need a new IP address that will be temporarily used by the new 4.0 Administration Console. During the migration process, this new IP address is replaced with the original old Administration Console IP address.