
One Identity Safeguard for Privileged Sessions 7.5 - Upgrade Guide

Preface

Welcome to One Identity Safeguard for Privileged Sessions (SPS) version 7.5 and thank you for choosing our product. This document describes the upgrade process from existing SPS installations to SPS 7.5. The main goal of this paper is to help system administrators in planning the migration to the new version of SPS.

Caution:

Read the entire document thoroughly before starting the upgrade.

This document covers the One Identity Safeguard for Privileged Sessions 7.5 product.

Versions and releases of One Identity Safeguard for Privileged Sessions (SPS)

The following release policy applies to One Identity Safeguard for Privileged Sessions (SPS):

One Identity Safeguard for Privileged Sessions customers choose between two paths for receiving SPS releases: Long Term Supported (LTS) release or feature release.

Releases

LTS release

  Release frequency

    Frequency: Typically, every 2 years

    Scope: Includes new features, resolved issues and security updates

    Versioning: First digit identifies the LTS and the second digit is a 0 (for example, 6.0, 7.0, and so on)

  Maintenance release

    Frequency: Typically, every 2 months during full support

    Scope: Includes important resolved issues and security updates

    Versioning: Third digit designates the LTS maintenance release (for example, 6.0.1)

Feature release

  Release frequency

    Frequency: Typically, every 2 months

    Scope: Includes the latest features, resolved issues, and other updates, such as security patches for the OS

    Versioning: First digit identifies the LTS and the second digit is a number identifying the feature release (for example, 6.1, 6.2, and so on)

  Maintenance release

    Frequency: Only for highly critical issues

    Scope: Includes highly critical resolved issues

    Versioning: Third digit designates the feature maintenance release (for example, 6.1.1)

Support

For more information on the product support, see Product Support - One Identity Safeguard for Privileged Sessions.

For a full description of long-term-supported and feature releases, see Product Life Cycle & Policies - One Identity Safeguard for Privileged Sessions.

Prerequisites for upgrading SPS

This section describes the requirements and steps to perform before starting the SPS upgrade process.

General requirements:

  • You must have a valid software subscription to be able to download the new version of SPS.

  • You will need a support portal account to download the required ISO image. Note that the registration is not automatic, and might take up to two working days to be processed.

  • Back up your configuration and your data.

    For more information on creating configuration and data backups, see Data and configuration backups in the Administration Guide.

  • Export your configuration.

    For more information, see Exporting the configuration of One Identity Safeguard for Privileged Sessions (SPS) in the Administration Guide.

  • Verify that SPS is in good condition (no issues are displayed on the System Monitor).

  • Optional: If you have core dump files that are necessary for debugging, download them from Basic Settings > Troubleshooting > Core files. These files are removed during the upgrade process.

If you have a high availability cluster:

  • Verify that you have IPMI access to the slave node. You can find detailed information on using the IPMI in the following documents:

    For Safeguard Sessions Appliance 3000 and 3500, see the X9 SMT IPMI User's Guide.

  • On the Basic Settings > High Availability page, verify that the HA status is not degraded.

If you are upgrading SPS in a virtual environment:

  • Create a snapshot of the virtual machine before starting the upgrade process.

  • Configure and enable console redirection (if the virtual environment allows it).

If you are using a plugin (for example, a Credential Store plugin, or a multi-factor authentication plugin):

  • You will need an updated version of the plugin you are using. Download it from the Downloads page. Plugins that are not officially supported are also available on GitHub.

    NOTE: Version 2.2.0 and later of the One Identity Starling Two-Factor Authentication plugin works only if you have joined your SPS deployment to Starling.

    If you want to use version 2.2.0 or later of the One Identity Starling Two-Factor Authentication plugin, complete the procedure before upgrading the plugin. For more information, see Starling integration in the Administration Guide.

Notes and warnings about the upgrade

The following is a list of important notes and warnings about the upgrade process and changes in SPS 7.5.

Caution:

After upgrading to version 7.0 LTS, SPS requires a new license. To avoid possible downtimes due to certain features not being available, before starting the upgrade, ensure that you have a valid SPS license for 7.0 LTS.

Upgrade as follows:

  1. Perform the upgrade to 7.0 LTS with your current license.

  2. Update your SPS license to 7.0 LTS.

For a new SPS license for 7.0 LTS, contact our Licensing Team.

CAUTION: From SPS version 6.12.0, the PAA database is also backed up as a part of the backup and restore procedure. Depending on the size of the PAA database, the backup size may increase significantly.

CAUTION: SPS support for Internet Explorer 11 (IE11) will soon be phased out.

SPS version 6.11.0 and previous versions continue to support IE11.

Caution:

After SPS 6.5, CentOS 6 operating systems will not be supported for external indexers. This means that after upgrading to SPS 6.5, or to the LTS maintenance release in that cadence, you will not be able to use external indexers that are running on CentOS 6. Make sure that you prepare your affected systems for this change and upgrade them to CentOS 7 or later.

Caution:

SPS checks whether the certificate revocation list (CRL) has expired and whether the CRL has been signed by the same certificate authority (CA) that issued the certificates it covers.

CAUTION: From version 6.8, SPS changes how users of the web interface are authenticated with X.509 client certificates: certificates are validated against a trust store instead of a trusted CA list. During the upgrade, the trusted CA list formerly used for authentication is copied to a trust store that has revocation check disabled by default.

If you have previously enabled revocation check for your trusted CA list and already added the URLs of Certificate Revocation Lists (CRL), or you want to enable revocation check, you must edit the trust store settings manually.

  • Navigate to Basic Settings > Trust Stores.

  • Select the revocation check type Leaf or Full for the trust store.

  • Add a CRL URL for each root and intermediate CA.

For more information about trust stores and how to configure them, see "Verifying certificates with Certificate Authorities using trust stores" in the Administration Guide.

Caution:

Make sure to check the value configured in Disk space fill-up prevention before starting the upgrade process. From SPS version 6.4, the value range of Disconnect clients when disks are: x percent used field in Basic Settings > Management > Disk space fill up prevention is limited to 50-98 percent. If your configured value is outside this range, you cannot start upgrading.

Caution:

Upgrading to SPS 6.3.0 and later versions involves a reorganization of the internal data storage of SPS. As a result, several files are moved to a new location during the upgrade process. Depending on the amount of data (logs, index files, reports, and so on) stored on the appliance, this can take a long time, usually at least 30 minutes. When you activate the new firmware file, an estimate is displayed.

To avoid data loss, the appliance will not boot if this step of the upgrade fails. In this case, contact our Support Team.

Caution:

Upgrading to SPS requires at least 10% free disk space.

Increase the amount of free disk space. For details, read Increasing the amount of available free disk space.

If increasing the amount of free disk space fails, or you encounter a different issue, contact our Support Team.

NOTE: Version 2.2.0 and later of the One Identity Starling Two-Factor Authentication plugin works only if you have joined your SPS deployment to Starling.

If you want to use version 2.2.0 or later of the One Identity Starling Two-Factor Authentication plugin, complete the procedure before upgrading the plugin. For more information, see Starling integration in the Administration Guide.

Caution:

If you are authenticating your SPS users to an LDAP/Active Directory server, make sure that the response timeout of the LDAP/Active Directory server is at least 120 seconds.

Caution:
  • For SSH connections, X.509 host certificates are not supported; the related options have been removed from the product. One Identity recommends using public keys instead.

  • For SSH connections, DSA keys are not supported; the related options have been removed from the product. One Identity recommends using RSA or Ed25519 keys instead.

  • The log ingestion feature of SPS has been removed from the product.

Caution:

Following the upgrade, SSH keys shorter than 1024 bits are no longer supported.
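To find affected keys before the upgrade, the following added example (not part of this guide) parses OpenSSH public-key lines in authorized_keys format and reports RSA keys whose modulus is shorter than 1024 bits; the sample keys are constructed numbers of the right size, not real keys.

```python
import base64
import struct
# Added pre-upgrade check, not part of the SPS guide: parses OpenSSH public-key
# lines ("ssh-rsa AAAA... comment", the authorized_keys format) and reports RSA
# keys whose modulus is shorter than 1024 bits, which SPS no longer accepts.

def _ssh_mpint(value: int) -> bytes:
    # SSH string (4-byte big-endian length + data) holding an mpint; the extra
    # leading 0x00 byte keeps a value with its top bit set positive (two's complement)
    raw = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return struct.pack(">I", len(raw)) + raw

def _read_string(blob: bytes, offset: int) -> tuple[bytes, int]:
    (length,) = struct.unpack_from(">I", blob, offset)
    return blob[offset + 4:offset + 4 + length], offset + 4 + length

def rsa_modulus_bits(key_line: str) -> int:
    """Modulus size of an 'ssh-rsa' line; ValueError for anything else."""
    parts = key_line.split()
    if len(parts) < 2 or parts[0] != "ssh-rsa":
        raise ValueError("not an ssh-rsa line")
    blob = base64.b64decode(parts[1])
    key_type, off = _read_string(blob, 0)
    if key_type != b"ssh-rsa":
        raise ValueError("blob does not hold an ssh-rsa key")
    _exponent, off = _read_string(blob, off)  # e is stored before n in the blob
    modulus, _ = _read_string(blob, off)
    return int.from_bytes(modulus, "big").bit_length()

def weak_rsa_keys(key_lines: list[str], minimum_bits: int = 1024) -> list[str]:
    # Returns "comment: N bits" for every ssh-rsa line shorter than minimum_bits
    weak = []
    for line in key_lines:
        try:
            bits = rsa_modulus_bits(line)
        except ValueError:
            continue  # blank lines, comments and non-RSA key types are skipped
        if bits < minimum_bits:
            comment = line.split(maxsplit=2)[2:] or ["(no comment)"]
            weak.append(f"{comment[0]}: {bits} bits")
    return weak

def make_rsa_line(modulus: int, comment: str, exponent: int = 65537) -> str:
    # Builds constructed test input; the numbers are sized like keys but are not keys
    blob = struct.pack(">I", 7) + b"ssh-rsa" + _ssh_mpint(exponent) + _ssh_mpint(modulus)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"

# Constructed sample list: a 768-bit and a 2048-bit RSA key plus a non-RSA line
SAMPLE_KEYS = [make_rsa_line((1 << 767) | 1, "legacy@jumphost"),
               make_rsa_line((1 << 2047) | 1, "ops@jumphost"),
               "ssh-ed25519 AAAA not-checked@example"]
```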

Caution:

When the client uses a hostname in inband destination selection, the hostname must comply with RFC 5890: Internationalized Domain Names for Applications (IDNA). For example, of the ASCII characters, only letters, digits, and the hyphen character are permitted.

Starting with version 6.1.0, SPS rejects connection requests where the hostname does not comply with RFC5890.
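The following added example (not from this guide) applies that rule to a list of destination hostnames so that non-compliant entries can be corrected before the upgrade; it assumes that non-ASCII labels are converted to A-labels first, and it uses the Python standard library's idna codec (IDNA 2003), so it approximates rather than reproduces the appliance's own check.

```python
import re

# Added pre-upgrade check, not part of the SPS guide: SPS 6.1.0+ rejects inband
# destination hostnames that do not follow RFC 5890. For ASCII labels that is the
# LDH rule (letters, digits, hyphen; no leading or trailing hyphen; 1-63 chars).
# Non-ASCII labels are converted to A-labels with the stdlib "idna" codec, which
# implements IDNA 2003, so this is an approximation of the appliance's own check.

_LDH_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def is_valid_hostname(hostname: str) -> bool:
    """True if every label satisfies the LDH rule after IDNA (A-label) encoding."""
    host = hostname.rstrip(".")  # a trailing dot (FQDN form) is harmless
    if not host or ".." in hostname or len(host) > 253:
        return False
    try:
        labels = [label.encode("idna").decode("ascii") for label in host.split(".")]
    except UnicodeError:
        return False  # the codec rejects empty or over-long labels itself
    return all(_LDH_LABEL.match(label) for label in labels)


def rejected_hostnames(hostnames: list[str]) -> list[str]:
    """Return the entries SPS would refuse, so they can be fixed before upgrading."""
    return [h for h in hostnames if not is_valid_hostname(h)]


# Constructed sample entries; underscores are the usual surprise in Windows hostnames.
SAMPLE_DESTINATIONS = [
    "db-01.example.test",
    "bücher.example.test",  # non-ASCII label, encoded as xn--bcher-kva
    "win_srv01.example.test",
    "-bad.example.test",
    "a" * 64 + ".example.test",
]

if __name__ == "__main__":
    for entry in rejected_hostnames(SAMPLE_DESTINATIONS):
        print("would be rejected:", entry)
```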

NOTE: Due to legal reasons, installation packages of the external indexer application will be available only from the SPS web interface. After SPS versions 6.4 and 6.0.3 are released, the installation packages will be removed from our website.

Caution:

It is no longer possible to search for screen contents indexed by the old Audit Player on the search UI and the REST interface. Searching in session metadata (such as IP addresses and usernames) and in extracted events (such as executed commands and window titles that appeared on the screen) remains possible.

As the old Audit Player was replaced and deprecated as an indexing tool during the 4.x versions, this should only affect very old sessions. Sessions that were processed by the new indexing service will work perfectly. If you wish to do screen content searches in historical sessions, contact our Support Team.

Caution:

Starting from 6.10.0, SPS has changed to hardened SSL settings. As a result, during TLS session establishment, the following items are not considered secure:

  • Private keys and X.509 certificates having RSA or DSA keys shorter than 2048 bits, or ECC keys shorter than 224 bits.

  • Certificates (other than Root CA certificates) with signatures that use the SHA-1 or the MD5 hashing algorithm.

With the hardened SSL settings, SPS will not connect to remote systems that are protected with weak certificates.

You cannot upgrade SPS if your configuration contains insecure certificates, keys or certificate chains in any of the following sections:

  • SPS web interface

  • internal CA certificate

  • connection policy TLS settings

  • client X.509 credentials for external LDAP, SMTP or Syslog connections

  • server X.509 certificates for external SMTP or Splunk servers

  • external indexer credentials (only writable over the REST API)

  • CA certificates in Trusted CA Lists and Trust Stores

Note that the certificates and keys that are used for signing, timestamping, encryption or decryption are not affected by this change.
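To check a certificate against these rules before starting the upgrade, the following added example (not part of this guide) reads the text form produced by "openssl x509 -in cert.pem -noout -text" and reports the reasons SPS would reject it; the sample certificate text is constructed and abridged to the lines the check needs, and the regular expressions are written for the RSA and EC output of OpenSSL 1.1 and 3.x.

```python
import re

# Added pre-upgrade check, not part of the SPS guide. It reads the text form of a
# certificate ("openssl x509 -in cert.pem -noout -text") and applies the hardened
# SSL rules SPS enforces from 6.10.0: RSA/DSA keys shorter than 2048 bits, ECC
# keys shorter than 224 bits, and SHA-1 or MD5 signatures on anything but a root CA.

MIN_KEY_BITS = {"rsaEncryption": 2048, "dsaEncryption": 2048, "id-ecPublicKey": 224}
WEAK_HASHES = ("md5", "sha1")

_SIG_ALG = re.compile(r"Signature Algorithm:\s*(\S+)")
_KEY_ALG = re.compile(r"Public Key Algorithm:\s*(\S+)")
# OpenSSL 1.1 prints "RSA Public-Key: (n bit)", 3.x prints "Public-Key: (n bit)"
_KEY_BITS = re.compile(r"Public-Key:\s*\((\d+) bit\)")


def hardened_ssl_findings(openssl_text: str, is_root_ca: bool = False) -> list[str]:
    """Return why SPS would treat the certificate as insecure; empty means accepted."""
    key_alg = _KEY_ALG.search(openssl_text)
    key_bits = _KEY_BITS.search(openssl_text)
    sig_alg = _SIG_ALG.search(openssl_text)
    if not (key_alg and key_bits and sig_alg):
        return ["could not find key algorithm, key size or signature algorithm"]
    findings = []
    alg, bits = key_alg.group(1), int(key_bits.group(1))
    minimum = MIN_KEY_BITS.get(alg)
    if minimum is None:
        findings.append(f"unrecognised key algorithm {alg}")
    elif bits < minimum:
        findings.append(f"{alg} key is {bits} bits, minimum is {minimum}")
    # Root CA certificates are self-signed, and SPS exempts them from the hash rule.
    sig = sig_alg.group(1)
    if not is_root_ca and any(h in sig.lower() for h in WEAK_HASHES):
        findings.append(f"signed with {sig}")
    return findings


# Constructed sample, abridged to the lines the check needs.
WEAK_LEAF = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Signature Algorithm: sha1WithRSAEncryption
        Subject: CN = sps.example.test
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (1024 bit)
"""
GOOD_LEAF = WEAK_LEAF.replace("sha1With", "sha256With").replace("1024 bit", "2048 bit")
```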

The accuracy of replaying audit trails in Asian languages (Traditional Chinese, Korean) has been enhanced. Due to this change, when upgrading SPS to version 6.11.0, all your sessions will be reindexed, and while reindexing is in progress, your sessions on the Search interface are incomplete. For this reason, plan your upgrade to SPS 6.11.0 accordingly.

Default Network Level Authentication (NLA) settings

Starting from 6.8.0, the default protocol-level settings for RDP connections have changed and NLA is now enabled by default in the RDP setting policies.

Due to this change:

  • The default RDP setting is now default_nla, where NLA is enabled.

  • The RDP setting, which was previously called default has been renamed to legacy_default.

  • RDP 4-style authentication is now cleared by default.

NOTE: If you are upgrading from an SPS version earlier than 6.8.0, and you have an existing RDP setting named legacy_default or default_nla, you must rename it before upgrade.

Change the deprecated SHA1 signed certificates to SHA256 for RDP

CAUTION: If you are using SHA1 (Secure Hash Algorithm 1) signed certificates, SPS does not allow Remote Desktop Protocol (RDP) connections to Windows Servers.

Use the Microsoft Management Console (MMC) to verify your certificate:

  • If Remote Desktop Services (RDS) uses a self-signed certificate, make sure that you update your system to the latest patch level, then delete the certificate and restart the Remote Desktop Configuration service in order to re-generate the self-signed certificate.

  • If RDS is using a certificate imported from a Public Key Infrastructure (PKI), contact your PKI admin for a new SHA256 certificate.

Upgrade path to SPS 7.5

Upgrading to SPS 7.5 is tested and supported from the following versions:

  • SPS 7 LTS.

  • SPS 7.0.1.

To upgrade from SPS versions older than 7 LTS, first upgrade to 7 LTS. For details, see One Identity Safeguard for Privileged Sessions 7 LTS - Upgrade Guide.

Downgrading is not supported.
