Chat now with support
Chat with Support

One Identity Safeguard for Privileged Sessions 5.9.0 - Administration Guide

Preface Introduction The concepts of SPS The Welcome Wizard and the first login Basic settings User management and access control Managing SPS
Controlling SPS: reboot, shutdown Managing Safeguard for Privileged Sessions clusters Managing a high availability SPS cluster Upgrading SPS Managing the SPS license Accessing the SPS console Sealed mode Out-of-band management of SPS Managing the certificates used on SPS
General connection settings HTTP-specific settings ICA-specific settings RDP-specific settings SSH-specific settings Telnet-specific settings VMware Horizon View connections VNC-specific settings Indexing audit trails Using the Search (classic) interface Using the Search interface Searching session data on a central node in a cluster Advanced authentication and authorization techniques Reports The SPS RPC API The SPS REST API SPS scenarios Troubleshooting SPS Configuring external devices Using SCP with agent-forwarding Security checklist for configuring SPS Jumplists for in-product help Third-party contributions About us

Upgrading a high availability SPS cluster

Purpose:

To upgrade a high availability SPS cluster to a newer firmware version, complete the following steps. You are recommended to always use the latest maintenance release available.

Caution:

When upgrading to a new major release (that is, to a new Feature Release or a new Long-Term Supported release), always follow the instructions of the How to upgrade to One Identity Safeguard for Privileged Sessions guide for that release, as it contains more detailed instructions (available at the Safeguard for Privileged Sessions Documentation page).

Caution:

Physical SPS appliances based on Pyramid hardware are not supported in 5 F1 and later feature releases. Do not upgrade to 5 F1 or later on a Pyramid-based hardware. The last supported release for this hardware is 5 LTS, which is a long-term supported release.

If you have purchased SPS before August, 2014 and have not received a replacement hardware since then, you have Pyramid hardware, so do not upgrade to SPS 5 F1 or later. If you have purchased SPS after August 2014, you can upgrade to 5 F1.

If you do not know the type of your hardware or when it was purchased, complete the following steps:

  1. Login to SPS.

  2. Navigate to Basic Settings > Troubleshooting > Create support bundle, click Create support bundle, and save the file.

  3. Open a ticket at https://support.oneidentity.com/create-service-request/.

  4. Upload the file you downloaded from SPS in Step 1.

  5. We will check the type of your hardware and notify you.

Steps:
  1. Navigate to Basic Settings > System > Firmwares.

  1. Upload the new firmware: Browse for the firmware .iso file and then click Upload.

  2. To read the Upgrade Notes of the uploaded firmware, click on the icon. The Upgrade Notes are displayed in a pop-up window.

  3. Click Test for the new firmware to check if your configuration can be upgraded to version 5 F9. If the test returns any errors, correct them before continuing the upgrade process. If you encounter any problems, contact our Support Team.

  4. Caution:

    Proceed only if the upgrade test is successful.

    Activate the firmware, but do not reboot SPS yet.

  1. Navigate to Basic Settings > High availability, and verify that the new firmware is active on the slave node. This might take a few minutes.

  2. In Basic Settings > High availability > Other node, click Shutdown.

  3. Restart the master node: click This node > Reboot.

    SPS attempts to boot with the new firmware. Wait for the process to complete.

  4. Login to the SPS web interface to verify that the master node upgrade was successful.

    Navigate to Basic Settings > System > Version details, or check the system log for the version numbers SPS reports on boot. In case you encounter problems, you can find common troubleshooting steps in Troubleshooting.

  5. Use the IPMI interface to power on the slave node.

    The slave node attempts to boot with the new firmware, and reconnects to the master node to sync data. During the sync process, certain services (including Heartbeat) are not available. Wait for the process to finish, and the slave node to boot fully.

  6. Navigate to Basic Settings > High availability and verify that the slave node is connected, and has the same firmware versions as the master node.

Troubleshooting

If you experience any strange behavior of the web interface, first try to reload the page by holding the SHIFT key while clicking the Reload button of your browser to remove any cached version of the page.

In the unlikely case that SPS encounters a problem during the upgrade process and cannot revert to its original state, SPS performs the following actions:

  • Initializes the network interfaces using the already configured IP addresses.

  • Enables SSH-access to SPS, unless SPS is running in sealed mode. That way it is possible to access the logs of the upgrade process that helps the One Identity Support Team to diagnose and solve the problem. Note that SSH access will be enabled on every active interface, even if management access has not been enabled for the interface.

In case the web interface is not available within 30 minutes of rebooting SPS, check the information displayed on the local console and contact our Support Team.

Exporting the configuration of SPS

Purpose:

The configuration of SPS can be exported (for manual archiving, or to migrate it to another SPS unit) from the Basic Settings > System page. Use the respective action buttons to perform the desired operation.

You also have the option to export the configuration SPS into a local file using the console. For details, see Exporting and importing the configuration of SPS using the console.

Figure 102: Basic Settings > System — Exporting the SPS configuration

Steps:
  1. Navigate to Basic Settings > System > Export configuration.

  2. Select how to encrypt the configuration:

    • To export the configuration file without encryption, select No encryption.

      Caution:

      Exporting the SPS configuration without encryption is not recommended, as it contains sensitive information such as password hashes and private keys.

    • To encrypt the configuration file with a simple password, select Encrypt with password and enter the password into the Encryption password and Confirm password fields.

      NOTE:

      SPS accepts passwords that are not longer than 150 characters. The following special characters can be used: !"#$%&'()*+,-./:;<=>?@[\]^-`{|}

    • To encrypt the configuration file with GPG, select GPG encryption. Note that this option uses the same GPG key that is used to encrypt automatic system backups, and is only available if you have uploaded the public part of a GPG key to SPS at Basic Settings > Management > System backup. For details, see Encrypting configuration backups with GPG.

  3. Click Export.

    NOTE:

    The exported file is a gzip-compressed archive. On Windows platforms, it can be decompressed with common archive managers such as the free 7-Zip tool.

    The name of the exported file is <hostname_of_SPS>-YYYMMDDTHHMM.config, the -encrypted or -gpg suffix is added for password-encrypted and GPG-encrypted files, respectively.

Importing the configuration of SPS

Purpose:

The configuration of SPS can be imported from the Basic Settings > System page. Use the respective action buttons to perform the desired operation.

You also have the option to import configuration of SPS from a local file using the console. For details, see Exporting and importing the configuration of SPS using the console.

Figure 103: Basic Settings > System — Importing the SPS configuration

Caution:

It is not possible to import the configuration of an older major release (for example, 1.0) into a newer release (for example, 2.0).

Steps:
  1. Caution:

    Do not export or import configuration between a physical SPS deployment and a virtual one. Because of the differences and limitations between physical and virtual appliances, configure the virtual appliance from scratch to ensure proper functionality. When you migrate a virtual SPS to another one, you can export and import the configuration.

    Navigate to Basic Settings > System > Import configuration.

  2. Click Browse and select the configuration file to import.

  3. Enter the password into the Encryption password field and click Upload.

    NOTE:

    SPS accepts passwords that are not longer than 150 characters. The following special characters can be used: !"#$%&'()*+,-./:;<=>?@[\]^-`{|}

Related Documents