Objective:

 
With the release of Identity Manager 4.6, we have designed a Simplified Identity Applications Upgrade Program Utility to upgrade Identity Applications and supported components from Identity Applications version 4.5.x/4.5.5 to our new Identity Applications 4.6. This article will walk through how to upgrade in a simplified way.

Use Case to Solve:

 
Consider the Use Case below that we are going to solve with the Identity Application Upgrade Program.

We have installed Identity Manager 4.5.5 and server component versions:

1. eDirectory - 9.0.1 Identity Manager Engine - 4.5.5 iManager 3.0.x and its plugins

• PostgreSQL - 9.3.x

• Tomcat - 7.0.55.0 [got installed through "Identity Manager Convenience Installation"]

• Java - 1.8.0_x

• ActiveMQ - 5.9

• One SSO Platform - 6.0.0.x

• Self Service Password Reset 3.3.1.x

• ConfigUpdate 4.5.0.x

• Identity Applications 4.5.5 [default portal context 'IDMProv', rra, landing, dash]

Stage I: Before invoking Identity Manager 4.6 'RBPM_Upgrade.bin/exe' we need to consider following:

• If your current Identity Manager and its components version is 4.0.x, plan to upgrade to 4.5.x/4.5.5. Refer to the upgrade steps in the NetIQ Identity Manager 4.5 documentation.

• Upgrade eDirectory to 902 and apply HotFixes-2.

• Upgrade Identity Manager Engine to 4.6 and its drivers.

• Upgrade PostgreSQL database platform to 9.6.1 [if SLES 12 and other supported operating systems] or 9.4.10[if SLES 11 SP4 only].
  
  
  
  • Refer to the documentation section from NetIQ (pg_upgrade procedures https://www.netiq.com/documentation/identity-manager-46/setup/data/t428q5h2aqb4.html#t42id7jpemk5) or refer to the PostgreSQL documentation portal for PostgreSQL upgrade methodologies. Depends on major or minor versions of PostgreSQL database platform upgrade and Data.
  
  

• Ensure that the Tomcat Application Server is up and running and it uses the '/etc/init.d/idmapps_tomcat_init' start/stop/restart script.

• Make sure there is enough disk space to keep the log files, necessary files in /tmp and the installation directory (/opt/netiq/idm) - as the Identity Applications Upgrade Program will rename existing installation directories with time stamp as backup (ex: tomcat_backup_04012017_083335); so it at least requires '3 GB' of disk space comprised from '/' or the installation directory and '/tmp' together.
  
  
  
  • [Optional: If we do not have enough space in /tmp, it's possible to redirect/run 'export IATEMPDIR=/non_tmp_point_with_enough_space' in command terminal only for log files storage; and then run RBPM_Upgrade.bin]
  
  

• Ensure that the Port numbers are specified in webcontexts URLs, as the upgrade program requires the ports to be explicitly specified in the URL settings.
  
  
  
  • [Optional: Suppose we have masked port numbers in URL settings for Identity Manager 4.5.5 application server. Launch the Configupdate utility, specify the port number in all required URLS from the SSO Clients tab. For ex: https://<Identity_applications_server>:443/IDMProv and save the configuration]
  
  

• If we have portal.context=non_IDMProv, please refer to the documentation procedures to change to IDMProv and run the upgrade program. After the upgrade is completed, restore non_IDMProv context using the configupdate utility. For more details see https://www.netiq.com/documentation/identity-manager-46/setup/data/t428q5h2aqb4.html#t42ogxi3kavl

Stage II: Running Identity Applications Upgrade Program/RBPM_Upgrade Utility:

Get the RBPM_Upgrade.bin/executable from 'Identity_Manager_4.6_<platform>.iso':/products/RBPM directory or from 'Identity_Manager_4.6_<platform>_IdentityApplications.iso':/RBPM directory.

[Ensure running RBPM_Upgrade.bin/exe from products/RBPM or RBPM directory where "OSP, SSPR and user_app_install" directories are present as internally the Identity Applications upgrade program uses those individual installers for the upgrade process]

Once you run 'RBPM_Upgrade.bin' there will be five phases:

• Discovery phase: Scan the server for an existing Installation. Read the information using /etc/init.d/idmapps_tomcat_init script and webapps directory[where extracted directories of *.war files]
  
  
  
  • If Identity Reporting components/other non-Identity applications are deployed on the same server, plan to upgrade those components separately. Depends on maximum.minimum versions of Tomcat/PostgreSQL and its supporting components (appropriate Warning message will be displayed on this).
  
  

• Detected Path/Browse Path: Automatically detects path for OSP, SSPR and UserApplications. Also, there is a provision to select/browse the existing installation directories (if the detected path is not right).

• Database Details: Provision to provide valid Database Connection Details and options to select 'Updating Schema for Database'.

• Review: Pre-Upgrade/Summary screen for Upgrade Program.

• Upgrade Flow: Create configuration properties for the Upgrade process, stopping existing tomcat/activemq, taking backup of existing installation directories (if we have customized files, refer to in future to restore/merge with newer upgraded components)

Screens available with the Identity Applications Upgrade Program:

Snap 1: Introduction Screen [guides you through the upgrade of following components]

Identity Applications - 4.6 (including new idmdash, IDMProv, rra, dash, landing); side-note: dash and landing will be deprecated sooner.

Tomcat - 8.5.9

ActiveMQ - 5.14

Java - 1.8.0_112

One SSO Provider - 6.1.3

Self Service Password Reset - 4.1. 0.0

Upgrade Introduction Screen

Snap 2: Discovered Applications/Detected Applications; Read out warning message alerted, if non-Identity Applications deployed on same server

Discovered Applications

Other Applications

Snap 3: Detected Path/Browse and Select existing installation directories for OSP, SSPR and UserApplications.

OSP

Snap 4: Database Connection Details and Update Database schema on valid parameters provided.

PostgreSQL

Upgrade the database schema on already upgraded PostgreSQL database platform (as per pre-req/stage -I)

Update Schema

Snap 5: Pre-Upgrade Summary screen: if Required Disk space is less than 3 GB (the upgrade program prompts and aborts the flow, plan to have more space in the installation directory and /tmp directory or redirecting to /non_tmp as mentioned in Pre-req stage-I)



Snap 6: Upgrade completed wizard and URL to new Identity Applications dashboard #http://<ipaddress_or_dnsname>:<port>/idmdash

Review the upgrade logs and necessary files from /tmp/rbpm_upgrade/Logs directory.



Stage III: Post-Upgrade Tasks

After the upgrade, we need to perform post-upgrade tasks before starting tomcat service.

Java:

• Verify the Java Home path is right in /opt/netiq/idm/apps/tomcat/bin/setenv.sh [JRE HOME]

• Manually Import your certificates into newly upgraded Java jre/lib/security/cacerts, as the upgrade process won't import your certificates into new cacerts: "keytool -import -trustcacerts -file Cerificate_Path -alias ALIAS_NAME -keystore cacerts"

• Also, ensure cacerts path is right from configupdate utility -> UserApplication tab -> Identity Vault Certificates -> Keystore path and password.

Tomcat:

• Manually restore the customized files from tomcat_backup_<timestamp> to the newly upgraded tomcat directory, compare and merge appropriately - [for more details about merging the configuration properties, please refer to the tomcat upgrade documentation recommendation]

• If we had https/TLS enabled in your setup (prior upgrade), plan to merge those entries manually in upgraded tomcat server.xml which is available in /opt/netiq/idm/apps/tomcat/conf directory.
  
  

  For example:

  
  
  

  <Connector port="8543" protocol="HTTP/1.1"
  maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
  clientAuth="false" sslProtocol="TLS"
  keystoreFile="path_to_keystore_file"
  keystorePass="keystore_password" />

  
  
  or
  
  

  <Connector port="8543" protocol="org.apache.coyote.http11.Http11NioProtocol"
  maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
  clientAuth="false" sslProtocol="TLS"
  keystoreFile="path_to_keystore_file"
  keystorePass="keystore_password" />

  
  

• Change directory to Identity Manager User Application and restore the customized settings manually by reading the backed-up configuration.

One SSO Platform:

• If OSP and User Applications are deployed on different servers, then update the SSO client parameter using Configuration Update utility.

• Auditing: To modify the LogHost entry, manually restore the customized OSP configurations from the backup taken during the upgrade process.

Self Service Password Reset:

To update the SSPR configuration details, perform the following steps:

1. Log in to SSPR portal as an administrator, update the audit server details.

• Navigate to Configuration Editor, specify the configuration password.
  
  

  Select Settings > Auditing > Audit Forwarding > Syslog Audit Server Certificates. Import these certificates from the sever and click Save.

• Import the LocalDB into SSPR:
  
  

  In the top-right corner for the page, click Configuration Manager from the drop-down menu. Click LocalDB.

  
  
  

  Click Import (Upload) LocalDB Archive File.

  
  
  

  Configure administrator permissions for SSPR, as per Post-Installation Tasks of the SSPR documentation section.

  
  
  

  NOTE: If you are upgrading from SSPR 4.0 to SSPR 4.1, the customized location of SSPR configurations is changed to the default location of SSPR 4.1. You can find additional information about the configuration locations in the setenv.sh file. However, this change does not affect the behavior of the components.

Identity Applications: If we have non default IDMProv(non_IDMProv), change the name back to original name(non_IDMProv) using the configupdate utility as per the documentation at https://www.netiq.com/documentation/identity-manager-46/setup/data/t428q5h2aqb4.html#t42fi6a6idy5

To verify that the upgrade is successful, launch the upgraded Identity Applications/new Graphical User Interface webcontext http://<ipaddress_or_dnsname>:<port>/idmdash