The following describes how to upgrade a standalone One Identity Safeguard for Privileged Sessions (SPS) node to version 6.0.
If you want to upgrade an SPS high-availability cluster, see Upgrading an SPS high-availability cluster to 6.0.
If you want to upgrade an SPS central search or central management cluster, see Upgrading an SPS central cluster to 6.0.
Read the following warnings before starting the upgrade process.
|
Caution:
|
To upgrade a standalone SPS node to version 6.0
Complete the prerequisites described in Prerequisites for upgrading SPS and upgrade SPS to the latest revision of the current version.
Login to your support portal
You need a new license file for every LTS release. If there is no license file for One Identity Safeguard for Privileged Sessions 6.0 under your account, contact our Licensing Team and Request a license key for a new version.
Download the SPS 6.0 firmware ISO file from the Downloads page.
If you are using a plugin (for example, a Credential Store plugin, or a multi-factor authentication plugin), download the version of the plugin from the Downloads page that is labeled as DEPRECATED.
This version of the plugin is supported in SPS 6.0, but will not be supported in version 6.1. Before upgrading to SPS 6.1, you will have to start using a new implementation of the plugin, and update your configuration. For details, see Upgrading plugins for One Identity Safeguard for Privileged Sessions version 6.0.
Upload the plugin to your SPS.
Upload the latest 6.0 firmware ISO file to your SPS. For details, see "Upgrading One Identity Safeguard for Privileged Sessions (SPS)" in the Administration Guide.
Click Test for the new firmware to check if your configuration can be upgraded to version 6.0. If the test returns any errors, correct them before continuing the upgrade process. If you encounter any problems, contact our Support Team.
Select After reboot.
If the upgrade test is successful, activate the firmware.
Recommended step. To help troubleshoot potential issues following the upgrade, collect and save system information (create a support bundle) now.
Navigate to Basic Settings > Troubleshooting > Create support bundle and choose Create support bundle.
Navigate to Basic Settings > System.
|
Caution:
Do NOT click Reboot cluster during the upgrade process unless explicitly instructed. |
Click System Control > This node > Reboot to reboot the machine. SPS will start with the new firmware and upgrade its configuration, database, and other system components. During the upgrade process, SPS displays status information and other data on the local console and on the web interface of SPS, at any of the Listening addresses configured at Basic settings > Local Services > Web login (admin and user).
|
NOTE:
If you are upgrading to version 6.0 from version 5.0.x, status information is displayed on the web interface only after the first boot to version 6.0. So during the upgrade to version 6.0, you will not be able to see any upgrade logs on the web interface. |
|
Caution:
If the connection database is large and contains information about several thousands of sessions, the upgrade process can take about 15-20 minutes or more, depending on the actual hardware. |
|
Caution:
After the reboot in 6.0, SPS will start importing large amounts of data from metadb. This process can take about 30-40 minutes or more. During the import process, the REST base search might not function properly, since the data to search in might still be incomplete. |
After the reboot, login to the web interface
|
Caution:
In case the SPS web interface is not available within 30 minutes of rebooting SPS, check the information displayed on the local console and contact our Support Team. If you experience any strange behavior of the web interface, first try to reload the page by holding the SHIFT key while clicking the Reload button of your browser to remove any cached version of the page. |
|
NOTE:
In the unlikely case that SPS encounters a problem during the upgrade process and cannot revert to its original state, SPS performs the following actions:
|
Navigate to Basic Settings > System > Version details and verify that SPS is running version 6.0 of the firmware. If not, it means that the upgrade process did not complete properly and SPS performed a rollback to revert to the earlier firmware version. In this case, complete the following steps:
Navigate to Basic Settings > Troubleshooting > Create support bundle and click Create support bundle.
Save the resulting ZIP file.
contact our Support Team and send them the file. They will analyze its contents to determine why the upgrade was not completed and assist you in solving the problem.
(Optional) If SPS was in a domain before the upgrade, navigate to RDP Control -> Domain membership and make sure that your domain-related settings are correct. In case of correct settings, you will see the following:
Fully qualified domain name (realm name): Host joined currently configured domain successfully.
Currently joined domains: <name.of.the.joined.domain>
This is important because in rare cases, the appliance might fall out from the domain after an upgrade, and a manual rejoin might be required based on its status.
Upgrade your Safeguard Desktop Player installations to the latest version. For details, see Upgrading the Safeguard Desktop Player.
Upgrade your external indexer installations to the latest version. For details, see Upgrading the external indexer.
Upgrading the Safeguard Desktop Player application is only a simple installation process.
|
NOTE: If you already have an earlier version of the Safeguard Desktop Player application installed on the host, uninstall the previous installation. If you want to keep the previous installation for some reason, install the new version into a different directory. |
You can download the Safeguard Desktop Player application from the Downloads page.
For more information, see Safeguard Desktop Player User Guide.
|
Caution:
One Identity Safeguard for Privileged Sessions (SPS) 5 F4 and later versions use a new encryption algorithm to encrypt the recorded audit trails (AES128-GCM). This change has the following effects:
|
The following describes how to upgrade the indexer application on your external indexer hosts.
|
Caution:
One Identity Safeguard for Privileged Sessions (SPS) 5 F4 and later versions use a new encryption algorithm to encrypt the recorded audit trails (AES128-GCM). This change has the following effects:
|
Before you start, create a backup copy of the /etc/indexer/indexerworker.cfg and /etc/indexer/indexer-certs.cfg indexer configuration files.
To upgrade the indexer application on your external indexer hosts
Download the latest indexer package from the Downloads page.
|
NOTE:
Due to legal reasons, installation packages of the external indexer application will be available only from the SPS web interface. After SPS versions 6.3 and 6.0.2 are released, the installation packages will be removed from our website. |
Copy the downloaded .rpm package to your external indexer hosts.
Stop the indexer by using the following command.
On Red Hat or CentOS 6.5:
service external-indexer stop
On Red Hat or CentOS 7:
systemctl stop external-indexer.service
Execute the following command: yum upgrade -y indexer.rpm
Resolve any warnings displayed during the upgrade process.
Restart the indexer by using the following command.
On Red Hat or CentOS 6.5:
service external-indexer start
On Red Hat or CentOS 7:
systemctl start external-indexer.service
Repeat this procedure on every indexer host.
The following describes how to upgrade a One Identity Safeguard for Privileged Sessions (SPS) high-availability cluster.
If you want to upgrade a standalone One Identity Safeguard for Privileged Sessions (SPS) node, see Upgrading a single SPS node to 6.0.
If you want to upgrade an SPS central search or central management cluster, see Upgrading an SPS central cluster to 6.0.
Make sure that you have physically connected the IPMI interface to the network and that it is properly configured. This is important because you can only power the secondary node on through the IPMI interface. For details on configuring the IPMI interface, see "Out-of-band management of One Identity Safeguard for Privileged Sessions (SPS)" in the Administration Guide.
|
Caution:
|
|
Caution:
Do NOT reboot any of the SPS nodes unless explicitly instructed. |
|
Caution:
Do NOT click Reboot cluster during the upgrade process unless explicitly instructed. |
To upgrade an SPS high-availability cluster
Complete the prerequisites described in Prerequisites for upgrading SPS and upgrade SPS to the latest revision of the current version.
Login to your support portal
You need a new license file for every LTS release. If there is no license file for One Identity Safeguard for Privileged Sessions 6.0 under your account, contact our Licensing Team and Request a license key for a new version.
Download the SPS 6.0 firmware ISO file from the Downloads page.
If you are using a plugin (for example, a Credential Store plugin, or a multi-factor authentication plugin), download the version of the plugin from the Downloads page that is labeled as DEPRECATED.
This version of the plugin is supported in SPS 6.0, but will not be supported in version 6.1. Before upgrading to SPS 6.1, you will have to start using a new implementation of the plugin, and update your configuration. For details, see Upgrading plugins for One Identity Safeguard for Privileged Sessions version 6.0.
Upload the plugin to your SPS.
Upload the latest 6.0 firmware ISO file to your SPS. For details, see "Upgrading One Identity Safeguard for Privileged Sessions (SPS)" in the Administration Guide.
Click Test for the new firmware to check if your configuration can be upgraded to version 6.0. If the test returns any errors, correct them before continuing the upgrade process. If you encounter any problems, contact our Support Team.
Select After reboot.
If the upgrade test is successful, activate the firmware.
Wait until the new firmware is synchronized to the slave node. This is usually completed within 60 seconds.
Navigate to Basic Settings > High availability & Nodes > Other node and click Shutdown to power off the slave node.
|
Caution:
Do not power on the slave node. |
Recommended step. To help troubleshoot potential issues following the upgrade, collect and save system information (create a support bundle) now.
Navigate to Basic Settings > Troubleshooting > Create support bundle and choose Create support bundle.
Navigate to Basic Settings > System.
|
Caution:
Do NOT click Reboot cluster during the upgrade process unless explicitly instructed. |
Click System Control > This node > Reboot to reboot the machine. SPS will start with the new firmware and upgrade its configuration, database, and other system components. During the upgrade process, SPS displays status information and other data on the local console and on the web interface of SPS, at any of the Listening addresses configured at Basic settings > Local Services > Web login (admin and user).
|
NOTE:
If you are upgrading to version 6.0 from version 5.0.x, status information is displayed on the web interface only after the first boot to version 6.0. So during the upgrade to version 6.0, you will not be able to see any upgrade logs on the web interface. |
|
Caution:
If the connection database is large and contains information about several thousands of sessions, the upgrade process can take about 15-20 minutes or more, depending on the actual hardware. |
|
Caution:
After the reboot in 6.0, SPS will start importing large amounts of data from metadb. This process can take about 30-40 minutes or more. During the import process, the REST base search might not function properly, since the data to search in might still be incomplete. |
After the reboot, login to the web interface
|
Caution:
In case the SPS web interface is not available within 30 minutes of rebooting SPS, check the information displayed on the local console and contact our Support Team. If you experience any strange behavior of the web interface, first try to reload the page by holding the SHIFT key while clicking the Reload button of your browser to remove any cached version of the page. |
|
NOTE:
In the unlikely case that SPS encounters a problem during the upgrade process and cannot revert to its original state, SPS performs the following actions:
|
Navigate to Basic Settings > System > Version details and verify that SPS is running version 6.0 of the firmware. If not, it means that the upgrade process did not complete properly and SPS performed a rollback to revert to the earlier firmware version. In this case, complete the following steps:
Navigate to Basic Settings > Troubleshooting > Create support bundle and click Create support bundle.
Save the resulting ZIP file.
contact our Support Team and send them the file. They will analyze its contents to determine why the upgrade was not completed and assist you in solving the problem.
(Optional) If SPS was in a domain before the upgrade, navigate to RDP Control -> Domain membership and make sure that your domain-related settings are correct. In case of correct settings, you will see the following:
Fully qualified domain name (realm name): Host joined currently configured domain successfully.
Currently joined domains: <name.of.the.joined.domain>
This is important because in rare cases, the appliance might fall out from the domain after an upgrade, and a manual rejoin might be required based on its status.
If rebooting the primary node has been successful, power up the secondary node through IPMI.
The secondary node attempts to boot with the new firmware, and reconnects to the primary node to sync data. During the sync process, certain services (including Heartbeat) are not available. Wait for the process to finish, and the secondary node to boot fully. This process is finished when the Basic Settings > High availability & Nodes > Other node appears.
Note that at this stage, on the Other node > Boot firmware version, the version number next to Current is lower than the version number next to Active.
Click Activate Slave. This effectively turns the previously secondary node into the primary node. This process can take a few minutes.
To ensure that the process is finished correctly, check the version numbers next to Current and Active on both the primary and the secondary node. These version numbers should all be the same. If the page is not refreshed after the process is finished, press F5 to refresh the page.
Upgrade your Safeguard Desktop Player installations to the latest version. For details, see Upgrading the Safeguard Desktop Player.
Upgrade your external indexer installations to the latest version. For details, see Upgrading the external indexer.
© 2024 One Identity LLC. ALL RIGHTS RESERVED. Terms of Use Privacy Cookie Preference Center