Safeguard Authentication Services 5.0.2 - Upgrade Guide

Installing software on hosts

Once you have successfully added and profiled one or more hosts, and checked them for AD Readiness, you can remotely deploy software products to them from the management console.

To install Safeguard Authentication Services software on hosts

1. Select one or more profiled hosts on the All Hosts view and click the Install Software tool bar button.

   Note: The Install Software tool bar menu is enabled when you select hosts that are profiled.

   The tool bar button will not be active if:

   • You have not selected any hosts.
   • You have selected multiple hosts with different states (added, profiled, or joined).

2. In the Install Software dialog, select the Safeguard Authentication Services software products you want to install and click OK.
   • Safeguard Authentication Services Agent (Required): Select to allow Active Directory users access to selected host. Safeguard Authentication Services provides centralized user and authentication management. It uses Kerberos and LDAP to provide secure data transport and an authentication framework that works with Microsoft Active Directory. Components include vasd, nss_vas, pam_vas, and vastool.
   • Safeguard Authentication Services for Group Policy (Required): Select to install the Group Policy component that provides Active Directory Group Policy support for Unix, Linux, and macOS platforms.
   • Safeguard Authentication Services for NIS: Select to install the NIS Proxy component that provides the NIS compatibility features for Safeguard Authentication Services. vasyp is a NIS daemon that acts as a ypserv replacement on each host.
   • Safeguard Authentication Services for LDAP: Select to install the LDAP Proxy component that provides a way for applications that use LDAP bind to authenticate users to Active Directory without using secure LDAP (LDAPS). Instead of sending LDAP traffic directly to Active Directory domain controllers, you can configure applications to send plain text LDAP traffic to vasldapd by means of the loopback interface. vasldapd proxies these requests to Active Directory using Kerberos as the security mechanism.
   • Dynamic DNS Updater: Select to install the Dynamic DNS Updater component that provides a way to dynamically update host records in DNS and can be triggered by DHCP updates.
   • Defender PAM Module: Select to install the Defender authentication components for PAM based Unix/Linux systems. Includes PAM module, documentation, and utilities to appropriately configure the PAM subsystem for Active Directory/Defender OTP authentication.

   Note: You must install the Safeguard Authentication Services Agent and the Group Policy packages.

   Note: If you do not see all of these software packages, verify the path to the software packages is correctly set in System Settings. Refer to Set the Safeguard Authentication Services Client Software Location on the Server in the management console online help for details.

3. In the Log on to Host dialog, enter the user credentials to access the selected hosts and click OK.

   Note: This task requires elevated credentials.

   If you selected multiple hosts, it asks whether you want to use the same credentials for all the hosts (default) or enter different credentials for each host.

   1. If you selected multiple hosts and the Use the same credentials for all selected hosts option, enter your credentials to log on to access the selected hosts and click OK.
   2. If you selected multiple hosts and the Enter different credentials for each selected host option, a grid displays that allows you to enter different credentials for each host listed. Place your cursor in a cell in the grid to activate it and enter the data.

Upgrade client components manually

The easiest way to upgrade Safeguard Authentication Services client components is from Management Console for Unix. Once a you have successfully added and profiled one or more hosts, you can remotely deploy software products to them from the management console. For more information, see Configure Unix agent components.

You can also upgrade your Safeguard Authentication Services client components from the Unix command line, if you prefer.

About the Application Configuration

The first time you install or upgrade the Safeguard Authentication ServicesWindows components in your environment, One Identity recommends that you configure Active Directory for Safeguard Authentication Services to utilize full functionality. This is a one-time Active Directory configuration step that creates the Safeguard Authentication Services application configuration in your forest. Safeguard Authentication Services uses the information found in the application configuration to maintain consistency across the enterprise.

If you upgrade Safeguard Authentication Services using Management Console for Unix, the Safeguard Authentication Services Active Directory Configuration Wizard starts automatically to assist you in setting up the application configuration; however, if you are upgrading from the Unix command line, you can create the Safeguard Authentication Services application configuration using the vastool command.

Agent upgrade commands

To upgrade the Safeguard Authentication Services agent package

1. Log in and open a root shell.
2. Mount the installation ISO and run the appropriate command.

   See Additional configuration information that follows the table.

   Table 11: Authentication Services: Agent commands

   Platform	Command
   Linux x86 - RPM	# rpm -Uhv /<mount>/client/linux-x86/vasclnt-<version>-<build>.i386.rpm
   Linux x64 - RPM	# rpm -Uhv /<mount>/client/linux-x86_64/vasclnt-<version>-<build>.x86_64.rpm
   Linux x86 - DEB	# dpkg -i /<mount>/client/linux-x86/vasclnt-<version>-<build>.i386.deb
   Linux x64 - DEB	# dpkg -i /<mount>/client/linux-x86_64/vasclnt-<version>-<build>_amd64.deb
   Linux s390	# rpm -Uhv /<mount>/client/linux-s390/vasclnt-<version>-<build>.s390.rpm
   Linux s390x	# rpm -Uhv /<mount>/client/linux-s390x/vasclnt-<version>-<build>.s390x.rpm
   SLES 11, 12, and 15 PPC	# rpm -Uhv /<mount>/client/linux-glibc23-ppc64/vasclnt-glibc23-<version>-<build>.ppc64.rpm
   Oracle Solaris 10 and 11 x64	# pkgadd -d /<mount>/client/solaris10-x64/vasclnt_SunOS_5.10_i386-<version>-<build>.pkg vasclnt
   Oracle Solaris 10 and 11 SPARC	# pkgadd -d /<mount>/client/solaris10-sparc/vasclnt_SunOS_5.8_sparc-<version>-<build>.pkg vasclnt
   HP-UX PA-RISC 11i v3 (B.11.31)	# swinstall -s /<mount>/client/hpux-pa-11v1/vasclnt_hpux-11.11-<version>-<build>.depot vasclnt
   HP-UX IA64 11i v3 (B.11.31)	# swinstall -s /<mount>/client/hpux-ia64/vasclnt_ia64-<version>-<build>.depot vasclnt
   AIX 7.1 and 7.2	# installp -acXd /<mount>/client/aix-71/vasclnt.AIX_5.3.<version>-<build>.bff all
   Mac OS X	/usr/sbin/installer -pkg '/<mount>/VAS.mpkg/Contents/Packages/vasclnt.pkg' -target /
   FreeBSD 10 and 11	pkg /<mount>/client/freebsd-x86_64/vasclnt-<build>.txz
   Amazon Linux AMI	# rpm - Uhv /<mount>/client/linux-x86_64/vasclnt-<build>.x86_64.rpm