One Identity Safeguard for Privileged Sessions 8.0 LTS - Upgrade Guide

Upgrading a single SPS node to 8.0 LTS

The following describes how to upgrade a standalone One Identity Safeguard for Privileged Sessions (SPS) node to version 8.0 LTS.

Prerequisites

Read the following warnings before starting the upgrade process.

Caution:
  • After performing the upgrade, it is not possible to downgrade to the earlier version. Upgrading to SPS 8.0 LTS is an irreversible process.

To upgrade a standalone SPS node to version 8.0 LTS

  1. Complete the prerequisites described in Prerequisites for upgrading SPS and upgrade SPS to the latest revision of the current version.

  2. Log in to your support portal.

    You need a new license file for every LTS release. If there is no license file for One Identity Safeguard for Privileged Sessions 8.0 LTS under your account, contact our Licensing Team and request a license key for a new version.

  3. Download the SPS 8.0 LTS firmware ISO file from the Downloads page.

    On the support portal, navigate to Support > Download Software > One Identity Safeguard for Privileged Sessions and download the latest install cdrom ISO file under Application.

  4. Verify the integrity of the SPS 8.0 LTS firmware ISO file with the hash available on the Downloads page.

    CAUTION: Do NOT upgrade until you verify the integrity of the ISO file.

    Verifying the integrity and authenticity of the ISO file makes sure that it is not corrupted and that it has not been tampered with by any other party. Verifying the ISO file guarantees that it has been officially released by One Identity.

    NOTE: You can use the following utilities for hash verification (optional):

    On Windows:

    1. On your PC, navigate to the folder where you downloaded the ISO file.
    2. Press and hold the Shift key.
    3. Right-click in the folder and select Open PowerShell window here.

    4. In the PowerShell window, enter the certUtil -hashfile <path\to\sps.iso> sha256 command.

      Figure 1: Example hash of the downloaded ISO file

    5. Compare the hash of the file to the hash available on the Downloads page. To display that hash, under Application, click One Identity Safeguard for Privileged Sessions install cdrom.

      Figure 2: Example hash from the Support Portal

    6. If the two hashes match, continue the upgrade process.

  5. Upload the latest 8.0 LTS firmware ISO file to your SPS. For details, see Upgrading One Identity Safeguard for Privileged Sessions (SPS) in the Administration Guide.

  6. Click Test for the new firmware to check if your configuration can be upgraded to version 8.0 LTS. If the test returns any errors, correct them before continuing the upgrade process. If you encounter any problems, contact our Support Team.

    Select After reboot.

  7. If the upgrade test is successful, activate the firmware.

  8. Recommended step. To help troubleshoot potential issues following the upgrade, collect and save system information (create a support bundle) now.

    Navigate to Basic Settings > Troubleshooting > Create support bundle and choose Create support bundle.

  9. Navigate to Basic Settings > System.

    Caution:

    Do NOT click Reboot cluster during the upgrade process unless explicitly instructed.

    Click System Control > This node > Reboot to reboot the machine. SPS will start with the new firmware and upgrade its configuration, database, and other system components. During the upgrade process, SPS displays status information and other data on the local console and on the web interface of SPS, at any of the Listening addresses configured at Basic settings > Local Services > Web login (admin and user).

    NOTE: If you are upgrading to version 8.0 LTS from version 5.0.x, status information is displayed on the web interface only after the first boot to version 8.0 LTS. So during the upgrade to version 8.0 LTS, you will not be able to see any upgrade logs on the web interface.

    Caution:

    If the connection database is large and contains information about several thousands of sessions, the upgrade process can take about 15-20 minutes or more, depending on the actual hardware.

    Caution:

    After the reboot in 8.0 LTS, SPS will start importing large amounts of data from metadb. This process can take about 30-40 minutes or more. During the import process, the REST base search might not function properly, since the data to search in might still be incomplete.

  10. After the reboot, log in to the web interface.

    Caution:

    In case the SPS web interface is not available within 30 minutes of rebooting SPS, check the information displayed on the local console and contact our Support Team.

    If you experience any strange behavior of the web interface, first try to reload the page by holding the SHIFT key while clicking the Reload button of your browser to remove any cached version of the page.

    NOTE: In the unlikely case that SPS encounters a problem during the upgrade process and cannot revert to its original state, SPS performs the following actions:

    • Initializes the network interfaces using the already configured IP addresses.

    • Enables SSH-access to SPS, unless SPS is running in sealed mode. That way it is possible to access the logs of the upgrade process, which helps the Support Team to diagnose and solve the problem. Note that SSH access will be enabled on every active interface, even if management access has not been enabled for the interface.

  11. Navigate to Basic Settings > System > Version details and verify that SPS is running version 8.0 LTS of the firmware. If not, it means that the upgrade process did not complete properly and SPS performed a rollback to revert to the earlier firmware version. In this case, complete the following steps:

    1. Navigate to Basic Settings > Troubleshooting > Create support bundle and click Create support bundle.

    2. Save the resulting ZIP file.

    3. Contact our Support Team and send them the file. They will analyze its contents to determine why the upgrade was not completed and assist you in solving the problem.

  12. (Optional) If SPS was in a domain before the upgrade, navigate to Traffic Controls > RDP > Domain membership and make sure that your domain-related settings are correct. In case of correct settings, you will see the following:

    • Fully qualified domain name (realm name): Host joined currently configured domain successfully.

    • Currently joined domains: <name.of.the.joined.domain>

    This is important because in rare cases, the appliance might fall out from the domain after an upgrade, and a manual rejoin might be required based on its status.

  13. Upgrade your Credential Store or other plugins to the latest version. You can download official plugins from the Downloads page and upload them to SPS on the Basic Settings > Plugins > Upload/Update Plugins page. The not officially supported plugins are also available on GitHub.

  14. Upgrade your Safeguard Desktop Player installations to the latest version. For details, see Upgrading the Safeguard Desktop Player.

  15. Upgrade your external indexer installations to the latest version. For details, see Upgrading the external indexer.

Upgrading the Safeguard Desktop Player

Upgrading the Safeguard Desktop Player application is a simple installation process.

NOTE: If you already have an earlier version of the Safeguard Desktop Player application installed on the host, uninstall the previous installation. If you want to keep the previous installation for some reason, install the new version into a different directory.

You can download the Safeguard Desktop Player application from the Downloads page.

For more information, see Safeguard Desktop Player User Guide.

Upgrading the external indexer

This section describes how to upgrade the indexer application on your external indexer hosts.

Caution:

After SPS 6.5, CentOS 6 operating systems will not be supported for external indexers. This means that after upgrading to SPS 6.5, or the LTS maintenance release in that cadence, you will not be able to use your external indexers that are running on CentOS 6. Make sure that you prepare your affected systems for this change and upgrade to CentOS 7 or later.

NOTE: The version of the external indexer must be equal to or greater than the version of One Identity Safeguard for Privileged Sessions (SPS). To make sure you meet this criterion, One Identity recommends that you always upgrade your external indexer when you upgrade SPS. You can check that SPS has established a connection to the external indexer on the Indexer > Worker status page of the SPS web interface.

Prerequisites

Before you start, create a backup copy of the /etc/indexer/indexerworker.cfg and /etc/indexer/indexer-certs.cfg indexer configuration files. After SPS 6.13, the /etc/indexer/indexer-certs.cfg indexer configuration file is automatically renamed to /etc/indexer/indexer-keys.cfg.

To upgrade the indexer application on your external indexer hosts

  1. Download the latest indexer .rpm package from the Basic Settings > Local Services > Indexer service page of the SPS web interface.

    NOTE: Due to legal reasons, installation packages of the external indexer application will be available only from the SPS web interface. After SPS versions 6.4 and 6.0.3 are released, the installation packages will be removed from our website.

  2. Copy the downloaded .rpm package to your external indexer hosts.

  3. Stop the indexer by using the following command.

    • On Red Hat or CentOS 6.5:

      service external-indexer stop

    • On Red Hat or CentOS 7:

      systemctl stop external-indexer.service

  4. Execute the following command: yum upgrade -y indexer.rpm

  5. Resolve any warnings displayed during the upgrade process.

  6. Restart the indexer by using the following command.

    • On Red Hat or CentOS 6.5:

      service external-indexer start

    • On Red Hat or CentOS 7:

      systemctl start external-indexer.service

  7. Repeat this procedure on every indexer host.

Upgrading an SPS high-availability cluster to 8.0 LTS

Caution:

Creating a High-availability (HA) node pair from different types of hardware is not possible. The primary and the secondary HA nodes have to run on the same type of hardware.

The following section describes how to upgrade a One Identity Safeguard for Privileged Sessions (SPS) high-availability cluster.

Prerequisites

Make sure that you have physically connected the IPMI to the network and that it is properly configured. This is important because you can only power the secondary node on through the IPMI. For details on configuring the IPMI, see Out-of-band management of One Identity Safeguard for Privileged Sessions (SPS) in the Administration Guide.

Caution:
  • After performing the upgrade, it is not possible to downgrade to the earlier version. Upgrading to SPS 8.0 LTS is an irreversible process.

Caution:

Do NOT reboot any of the SPS nodes unless explicitly instructed.

Caution:

Do NOT click Reboot cluster during the upgrade process unless explicitly instructed.

To upgrade an SPS high-availability cluster

  1. Complete the prerequisites described in Prerequisites for upgrading SPS and upgrade SPS to the latest revision of the current version.

  2. Log in to your support portal.

    You need a new license file for every LTS release. If there is no license file for One Identity Safeguard for Privileged Sessions 8.0 LTS under your account, contact our Licensing Team and request a license key for a new version.

  3. Download the SPS 8.0 LTS firmware ISO file from the Downloads page.

    On the support portal, navigate to Support > Download Software > One Identity Safeguard for Privileged Sessions and download the latest install cdrom ISO file under Application.

  4. Verify the integrity of the SPS 8.0 LTS firmware ISO file with the hash available on the Downloads page.

    CAUTION: Do NOT upgrade until you verify the integrity of the ISO file.

    Verifying the integrity and authenticity of the ISO file makes sure that it is not corrupted and that it has not been tampered with by any other party. Verifying the ISO file guarantees that it has been officially released by One Identity.

    NOTE: You can use the following utilities for hash verification (optional):

    On Windows:

    1. On your PC, navigate to the folder where you downloaded the ISO file.
    2. Press and hold the Shift key.
    3. Right-click in the folder and select Open PowerShell window here.

    4. In the PowerShell window, enter the certUtil -hashfile <path\to\sps.iso> sha256 command.

      Figure 3: Example hash of the downloaded ISO file

    5. Compare the hash of the file to the hash available on the Downloads page. To display that hash, under Application, click One Identity Safeguard for Privileged Sessions install cdrom.

      Figure 4: Example hash from the Support Portal

    6. If the two hashes match, continue the upgrade process.

  5. Upload the latest 8.0 LTS firmware ISO file to your SPS. For details, see Upgrading One Identity Safeguard for Privileged Sessions (SPS) in the Administration Guide.

  6. Click Test for the new firmware to check if your configuration can be upgraded to version 8.0 LTS. If the test returns any errors, correct them before continuing the upgrade process. If you encounter any problems, contact our Support Team.

    Select After reboot.

  7. If the upgrade test is successful, activate the firmware.

  8. Wait until the new firmware is synchronized to the slave node. This is usually completed within 60 seconds.

  9. Navigate to Basic Settings > High availability & Nodes > Other node and click Shutdown to power off the slave node.

    Caution:

    Do not power on the secondary node.

  10. Recommended step. To help troubleshoot potential issues following the upgrade, collect and save system information (create a support bundle) now.

    Navigate to Basic Settings > Troubleshooting > Create support bundle and choose Create support bundle.

  11. Navigate to Basic Settings > System.

    Caution:

    Do NOT click Reboot cluster during the upgrade process unless explicitly instructed.

    Click System Control > This node > Reboot to reboot the machine. SPS will start with the new firmware and upgrade its configuration, database, and other system components. During the upgrade process, SPS displays status information and other data on the local console and on the web interface of SPS, at any of the Listening addresses configured at Basic settings > Local Services > Web login (admin and user).

    NOTE: If you are upgrading to version 8.0 LTS from version 5.0.x, status information is displayed on the web interface only after the first boot to version 8.0 LTS. So during the upgrade to version 8.0 LTS, you will not be able to see any upgrade logs on the web interface.

    Caution:

    If the connection database is large and contains information about several thousands of sessions, the upgrade process can take about 15-20 minutes or more, depending on the actual hardware.

    Caution:

    After the reboot in 8.0 LTS, SPS will start importing large amounts of data from metadb. This process can take about 30-40 minutes or more. During the import process, the REST base search might not function properly, since the data to search in might still be incomplete.

  12. After the reboot, log in to the web interface.

    Caution:

    In case the SPS web interface is not available within 30 minutes of rebooting SPS, check the information displayed on the local console and contact our Support Team.

    If you experience any strange behavior of the web interface, first try to reload the page by holding the SHIFT key while clicking the Reload button of your browser to remove any cached version of the page.

    NOTE: In the unlikely case that SPS encounters a problem during the upgrade process and cannot revert to its original state, SPS performs the following actions:

    • Initializes the network interfaces using the already configured IP addresses.

    • Enables SSH-access to SPS, unless SPS is running in sealed mode. That way it is possible to access the logs of the upgrade process, which helps the Support Team to diagnose and solve the problem. Note that SSH access will be enabled on every active interface, even if management access has not been enabled for the interface.

  13. Navigate to Basic Settings > System > Version details and verify that SPS is running version 8.0 LTS of the firmware. If not, it means that the upgrade process did not complete properly and SPS performed a rollback to revert to the earlier firmware version. In this case, complete the following steps:

    1. Navigate to Basic Settings > Troubleshooting > Create support bundle and click Create support bundle.

    2. Save the resulting ZIP file.

    3. Contact our Support Team and send them the file. They will analyze its contents to determine why the upgrade was not completed and assist you in solving the problem.

  14. (Optional) If SPS was in a domain before the upgrade, navigate to Traffic Controls > RDP > Domain membership and make sure that your domain-related settings are correct. In case of correct settings, you will see the following:

    • Fully qualified domain name (realm name): Host joined currently configured domain successfully.

    • Currently joined domains: <name.of.the.joined.domain>

    This is important because in rare cases, the appliance might fall out from the domain after an upgrade, and a manual rejoin might be required based on its status.

  15. If rebooting the primary node has been successful, power up the secondary node through IPMI.

    The secondary node attempts to boot with the new firmware, and reconnects to the primary node to sync data. During the sync process, certain services (including Heartbeat) are not available. Wait for the process to finish, and the secondary node to boot fully. This process is finished when the Basic Settings > High availability & Nodes > Other node appears.

    Note that at this stage, on the Other node > Firmware version, the version number next to Current is lower than the version number next to After reboot.

  16. Click Activate Slave. This effectively turns the previously secondary node into the primary node. This process can take a few minutes.

    Caution:

    Do not skip this step! To run the Core firmware on the secondary node that you want to turn into the primary node, always click Activate Slave.

    To ensure that the process is finished correctly, check the version numbers next to Current and After reboot on both the primary and the secondary node. These version numbers should all be the same. If the page is not refreshed after the process is finished, press F5 to refresh the page.

  17. Upgrade your Safeguard Desktop Player installations to the latest version. For details, see Upgrading the Safeguard Desktop Player.

  18. Upgrade your external indexer installations to the latest version. For details, see Upgrading the external indexer.
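
The hash check in step 4 of both upgrade procedures can also be scripted so that a mismatch stops the process instead of relying on a visual comparison. The following PowerShell function is an added example, not part of the One Identity guide: it uses the built-in Get-FileHash cmdlet instead of certUtil, and the function name Test-IsoHash, its parameters, and the values in the usage comment are illustrative placeholders.

```powershell
# Added example: compare the SHA-256 of a downloaded ISO against the hash
# published on the Downloads page. Function and parameter names are
# illustrative; the file name and hash in the usage comment are placeholders.
function Test-IsoHash {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedHash
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "ISO file not found: $Path"
    }

    # Normalise the pasted value: drop whitespace (some certUtil builds print
    # the digest as space-separated byte pairs) and ignore letter case.
    $expected = ($ExpectedHash -replace '\s', '').ToUpperInvariant()

    # A SHA-256 digest is exactly 64 hex characters. Rejecting anything else
    # catches a truncated or partially copied value before the comparison.
    if ($expected -notmatch '^[0-9A-F]{64}$') {
        throw "Expected hash is not a 64-character SHA-256 hex string."
    }

    # Hash the file locally; Get-FileHash returns the digest as a hex string.
    $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash.ToUpperInvariant()

    if ($actual -ne $expected) {
        throw "Hash mismatch for $Path. Computed $actual, expected $expected. Do not upload this file."
    }

    Write-Output "SHA-256 matches the published value: $actual"
}

# Usage (placeholder values; paste the hash shown on the Downloads page):
# Test-IsoHash -Path .\sps.iso -ExpectedHash '<sha256-from-downloads-page>'
```

Because the function throws on a missing file, a malformed expected value, or a mismatch, it can gate the upload step in a change-management script.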
