Chat now with support
Chat com o suporte

One Identity Safeguard for Privileged Sessions 6.4.0 - Upgrade Guide

Preface

Welcome to One Identity Safeguard for Privileged Sessions (SPS) version 6.4 and thank you for choosing our product. This document describes the upgrade process from existing SPS installations to SPS 6.4. The main goal of this paper is to help system administrators in planning the migration to the new version of SPS.

Caution:

Read the entire document thoroughly before starting the upgrade.

This document covers the One Identity Safeguard for Privileged Sessions 6.4 product.

Versions and releases of One Identity Safeguard for Privileged Sessions (SPS)

The following release policy applies to One Identity Safeguard for Privileged Sessions (SPS):

  • Long Term Supported or LTS releases (for example, SPS 6.0) are supported for 3 years after their original publication date and for 1 year after the next LTS release is published (whichever date is later). The second digit of the revisions of such releases is 0 (for example, SPS 6.0.1). Maintenance releases to LTS releases contain only bugfixes and security updates.

  • Feature releases (for example, SPS 6.1) are supported for 6 months after their original publication date and for 2 months after a succeeding Feature or LTS release is published (whichever date is later). Feature releases contain enhancements and new features, presumably 1-3 new features per release. Only the last feature release is supported (for example, when a new feature release comes out, the last one becomes unsupported in 2 months).

For a full description of long-term-supported and feature releases, open the SPS product page on the Support Portal and navigate to Product Life Cycle & Policies > Product Support Policies > Software Product Support Lifecycle Policy.

Caution:

Downgrading from a feature release is not supported. If you upgrade from an LTS release (for example, 6.0) to a feature release (6.1), you have to keep upgrading with each new feature release until the next LTS version (in this case, 7.0) is published.

Prerequisites for upgrading SPS

This section describes the requirements and steps to perform before starting the SPS upgrade process.

General requirements:

If you have a high availability cluster:

  • Verify that you have IPMI access to the slave node. You can find detailed information on using the IPMI interface in the following documents:

    For Safeguard Sessions Appliance 3000 and 3500, see the X9 SMT IPMI User's Guide.

  • On the Basic Settings > High Availability page, verify that the HA status is not degraded.

If you are upgrading SPS in a virtual environment:

  • Create a snapshot of the virtual machine before starting the upgrade process.

  • Configure and enable console redirection (if the virtual environment allows it).

If you are using a plugin (for example, a Credential Store plugin, or a multi-factor authentication plugin):

  • You will need an updated version of the plugin you are using. Download it from Downloads page.

    NOTE:

    Version 2.2.0 and later of the One Identity Starling Two-Factor Authentication plugin works only if you have joined your SPS deployment to Starling.

    If you want use version 2.2.0 and later of the One Identity Starling Two-Factor Authentication plugin, complete the "Joining to One Identity Starling" in the Administration Guide procedure before upgrading the plugin.

Notes and warnings about the upgrade

The following is a planned deprecation for SPS version 6.5 that does not affect the current release, but will affect the next release. Make sure that if your systems are affected, you prepare them in advance.

Caution:

After SPS 6.5, CentOS 6 operating systems will not be supported for external indexers. This means that after upgrading to SPS 6.5, or the LTS maintanance release in that cadence, you will not be able to use your external indexers that are running on CentOS 6. Make sure that you prepare your affected systems for this change and upgrade to CentOS 7 or later.

The following is a list of important notes and warnings about the upgrade process and changes in SPS 6.4.

Caution:

Make sure to check the value configured in Disk space fill-up prevention before starting the upgrade process. From SPS version 6.4, the value range of Disconnect clients when disks are: x percent used field in Basic Settings > Management > Disk space fill up prevention is limited to 50-98 percent. If your configured value is outside this range, you cannot start upgrading.

Caution:

Upgrading to SPS 6.3.0 and later versions involves a reorganization in the internal data storage of SPS. As a result, several files are moved to new location during the upgrade process. Depending on the amount of data (logs, index files, reports, and so on) stored on the appliance, this can take a long time, usually at least 30 minutes. When you activate the new firmware file, an estimate will be displayed.

To avoid data loss, the appliance will not boot if this step of the upgrade fails. In this case, contact our Support Team.

Caution:

Upgrading to SPS requires at least 10% free disk space.

Increase the amount of free disk space. For details, read Increasing the amount of available free disk space.

If increasing the amount of free disk space fails, or you encounter a different issue, contact our Support Team.

NOTE:

Version 2.2.0 and later of the One Identity Starling Two-Factor Authentication plugin works only if you have joined your SPS deployment to Starling.

If you want use version 2.2.0 and later of the One Identity Starling Two-Factor Authentication plugin, complete the "Joining to One Identity Starling" in the Administration Guide procedure before upgrading the plugin.

Caution:

If you are authenticating your SPS users to an LDAP/Active Directory server, make sure that the response timeout of the LDAP/Active Directory server is at least 120 seconds.

Caution:
  • X.509 host certificates are not supported, the related options have been removed from the product. One Identity recommends using public keys instead.

  • DSA keys are not supported, the related options have been removed from the product. One Identity recommends using RSA or Ed25519 keys instead.

  • The log ingestion feature of SPS has been removed from the product.

Caution:

Following the upgrade, support for less than 1024-bit SSH keys is lost.

Caution:

When the client uses hostname in inband destination selections, the hostname must comply with RFC5890: Internationalized Domain Names for Applications (IDNA). For example, from the ASCII characters only letters, digits, and the hyphen character is permitted.

Starting with version 6.1.0, SPS rejects connection requests where the hostname does not comply with RFC5890.

NOTE:

Due to legal reasons, installation packages of the external indexer application will be available only from the SPS web interface. After SPS versions 6.4 and 6.0.3 are released, the installation packages will be removed from our website.

Caution:

It is no longer possible to search for screen contents indexed by the old Audit Player on the search UI and the REST interface. Searching in session metadata (such as IP addresses and usernames) and in extracted events (such as executed commands and window titles that appeared on the screen) remains possible.

As the old Audit Player was replaced and deprecated as an indexing tool during the 4.x versions, this should only affect very old sessions. Sessions that were processed by the new indexing service will work perfectly. If you wish to do screen content searches in historical sessions, contact our Support Team.

Upgrade path to SPS 6.4

Upgrading to SPS 6.4 is tested and supported using the following upgrade path:

  • The latest SPS 6 LTS maintenance version (for example, 6.0.x) -> SPS 6.4

    Always upgrade to the latest available maintenance version of SPS 6 LTS before upgrading to SPS 6.4.

  • The latest maintenance versions of the previous three feature releases since the last LTS release (in this case, SPS 6 F1 or later) -> SPS 6.4

    Always upgrade to the latest available maintenance version of the feature release before upgrading to SPS 6.4.

From older releases, upgrade to 6 LTS first. For details, see How to upgrade to One Identity Safeguard for Privileged Sessions 6 LTS.

Ferramentas de autoatendimento
Base de conhecimento
Notificações e alertas
Suporte a produtos
Downloads de software
Documentação técnica
Fóruns de usuário
Tutorial em vídeo
RSS Feed
Fale conosco
Obtenha assistência de licenciamento
Suporte técnico
Visualizar tudo
Documentos relacionados