Welcome to One Identity Safeguard for Privileged Sessions (SPS) version 6.0 and thank you for choosing our product. This document describes the upgrade process from existing SPS installations to SPS 6.0. The main goal of this paper is to help system administrators in planning the migration to the new version of SPS.
|
Caution:
Read the entire document thoroughly before starting the upgrade. |
This document covers the One Identity Safeguard for Privileged Sessions 6.0 product.
The following release policy applies to One Identity Safeguard for Privileged Sessions (SPS):
Long Term Supported or LTS releases (for example, SPS 6.0) are supported for 3 years after their original publication date and for 1 year after the next LTS release is published (whichever date is later). The second digit of the revisions of such releases is 0 (for example, SPS 6.0.1). Maintenance releases to LTS releases contain only bugfixes and security updates.
Feature releases (for example, SPS 6.1) are supported for 6 months after their original publication date and for 2 months after a succeeding Feature or LTS release is published (whichever date is later). Feature releases contain enhancements and new features, presumably 1-3 new features per release. Only the last feature release is supported (for example, when a new feature release comes out, the last one becomes unsupported in 2 months).
For a full description of long-term-supported and feature releases, open the SPS product page on the Support Portal and navigate to Product Life Cycle & Policies > Product Support Policies > Software Product Support Lifecycle Policy.
|
Caution:
Downgrading from a feature release is not supported. If you upgrade from an LTS release (for example, 6.0) to a feature release (6.1), you have to keep upgrading with each new feature release until the next LTS version (in this case, 7.0) is published. |
This section describes the requirements and steps to perform before starting the SPS upgrade process.
General requirements:
You must have a valid software subscription to be able to download the new version of SPS
You will need a support portal account to download the required ISO image
Back up your configuration and your data.
For more information on creating configuration and data backups, see "Data and configuration backups" in the Administration Guide.
Export your configuration.
For more information, see "Exporting the configuration of One Identity Safeguard for Privileged Sessions (SPS)" in the Administration Guide.
Verify that SPS is in good condition (no issues are displayed on the System Monitor).
Optional: If you have core dump files that are necessary for debugging, download them from Basic Settings > Troubleshooting > Core files. These files are removed during the upgrade process.
If you have a high availability cluster:
Verify that you have IPMI access to the slave node. You can find detailed information on using the IPMI interface in the following documents:
For Safeguard Sessions Appliance 3000 and 3500, see the X9 SMT IPMI User's Guide.
On the Basic Settings > High Availability page, verify that the HA status is not degraded.
If you are upgrading SPS in a virtual environment:
Create a snapshot of the virtual machine before starting the upgrade process.
Configure and enable console redirection (if the virtual environment allows it).
If you are using a plugin (for example, a Credential Store plugin, or a multi-factor authentication plugin):
You will need an updated version of the plugin you are using. Download it from Downloads page.
The following is a list of important notes and warnings about the upgrade process and changes in SPS 6.0.
|
Caution:
According to recent cryptographic research, SHA-1 algorithm cannot be trusted as secure anymore, because signatures can be forged with reasonable costs. As a result, SHA-1 algorithm is not supported in SPS for X.509 certificate chains. Starting from SPS versions 6.0.4 and 6.5.0, certificates with SHA1-based signatures are no longer trusted for Active Directory or LDAP authentication, and future versions might refuse to validate SHA-1 signatures altogether. Note that Root CA certificates may still contain SHA-1 signatures, because the signature is not validated for self-signed certificates. It is expected that other software such as clients and servers connected to SPS might reject SHA-1 signatures in a similar fashion. Signing CAs in SPS generate certificates with SHA-256 since versions 4.3.4 and 5.0.0. |
|
Caution:
Make sure to check the value configured in Disk space fill-up prevention before starting the upgrade process. From SPS version 6.0.4, the value range of Disconnect clients when disks are: x percent used field in Basic Settings > Management > Disk space fill up prevention is limited to 50-98 percent. If your configured value is outside this range, you cannot start upgrading. |
Due to legal reasons, installation packages of the external indexer application will be available only from the SPS web interface. After SPS versions 6.4 and 6.0.3 are released, the installation packages will be removed from our website.
|
Caution:
If you are authenticating your SPS users to an LDAP/Active Directory server, make sure that the response timeout of the LDAP/Active Directory server is at least 120 seconds. |
|
Caution:
|
|
Caution:
|
|
Caution:
Due to a change in the underlying database, the upgrade process removes all risk scores generated earlier by One Identity Safeguard for Privileged Analytics. Sessions initiated after the upgrade will be scored again. |
|
Caution:
|
|
Caution:
As part of the upgrade, SPS upgrades its session database. This involves the following processes:
If there are any errors during the upgrade, contact our Support Team. |
|
Caution:
Following the upgrade, support for less than 1024-bit SSH keys is lost. |
|
Caution:
One Identity Safeguard for Privileged Sessions (SPS) 5 F4 and later versions use a new encryption algorithm to encrypt the recorded audit trails (AES128-GCM). This change has the following effects:
|
|
Caution:
It is no longer possible to search for screen contents indexed by the old Audit Player on the new search UI and the REST interface. Searching in session metadata (such as IP addresses and usernames) and in extracted events (such as executed commands and window titles that appeared on the screen) remains possible. As the old Audit Player was replaced and deprecated as an indexing tool during the 4.x versions, this should only affect very old sessions. Sessions that were processed by the new indexing service will work perfectly. If you wish to do screen content searches in historical sessions, contact our Support Team. |
|
Caution:
The Basic Settings > Local Services > Required minimum version of encryption protocol option is removed as of One Identity Safeguard for Privileged Sessions (SPS) version 5.8.0. Regardless of the TLS version you configured previously, SPS will uniformly use TLS version 1.2. This change might have the effect that using old (likely unsupported) browsers, it will not be possible to access the web interface of SPS. |
|
Caution:
Command detection and window title detection in content policies have changed and they are case-insensitive as of One Identity Safeguard for Privileged Sessions (SPS) version 5.8.0. In earlier versions, both used to be case-sensitive. |
|
Caution:
You can now use an Authentication Policy with GSSAPI and a Usermapping Policy in SSH connections. When an SSH Connection Policy uses an Authentication Policy with GSSAPI, and a Usermapping Policy, then SPS stores the user principal as the Gateway username, and the username used on the target as the Server username. Note that this change has the following side effect: when using an Authentication Policy with GSSAPI, earlier versions of SPS used the client-username@REALM username to authenticate on the target server. Starting with version 5.9.0, it uses the client-username as username. Configure your servers accordingly, or configure a Usermapping Policy for your SSH connections in SPS. |
|
Caution:
Physical SPS appliances based on Pyramid hardware are not supported in 5 F1 and later releases. Do not upgrade to 5 F1 or later on a Pyramid-based hardware. The last supported release for this hardware is 5 LTS, which is a long-term supported release. If you have purchased SPS before August, 2014 and have not received a replacement hardware since then, you have Pyramid hardware, so do not upgrade to SPS 5 F1 or later. If you have purchased SPS after August 2014, you can upgrade to 5 F1. If you do not know the type of your hardware or when it was purchased, complete the following steps:
|
Upgrading to SPS 6.0 is tested and supported using the following upgrade path:
The latest SPS 5 LTS maintenance version (for example, 5.0.x) -> SPS 6.0
Always upgrade to the latest available maintenance version of SPS 5 LTS before upgrading to SPS 6.0.
The latest maintenance versions of the previous three feature releases (in this case, SPS 5 F9 or later) -> SPS 6.0
Always upgrade to the latest available maintenance version of the feature release before upgrading to SPS 6.0.
From older releases, upgrade to 5 LTS first. For details, see How to upgrade to One Identity Safeguard for Privileged Sessions 5 LTS.
© ALL RIGHTS RESERVED. Nutzungsbedingungen Datenschutz Cookie Preference Center