Chat now with support
Chat with Support

Password Manager 5.7.1 - Administration Guide

About Password Manager Getting Started Password Manager Architecture
Password Manager Components and Third-Party Solutions Typical Deployment Scenarios Password Manager in Perimeter Network Management Policy Overview Password Policy Overview Secure Password Extension Overview reCAPTCHA Overview User Enrollment Process Overview Questions and Answers Policy Overview Password Change and Reset Process Overview Data Replication Phone-Based Authentication Service Overview
Management Policies
Checklist: Configuring Password Manager Understanding Management Policies Configuring Access to the Administration Site Configuring Access to the Self-Service Site Configuring Access to the Helpdesk Site Configuring Questions and Answers Policy Workflow Overview Custom Workflows Custom Activities Self-Service Workflows Helpdesk Workflows Notification Activities User Enforcement Rules
General Settings Upgrading Password Manager Secure Password Extension Password Policies Reporting Password Manager Integration Appendixes Glossary About us

Upgrade Requirements

Before you start the upgrade process, follow this checklist to ensure you have made the necessary preparations and met the essential upgrade requirements.

Table 17:

 

Step

Comment

Back up the current configuration by doing one of the following:

  • Export the configuration file using the Import/Export option in General Settings and import the same file after the upgrade.
  • Create a copy of the ProgramData folder in the C:\ProgramData\One Identity\Password Manager and replace the same after upgrade.

UI customizations will be lost during upgrade. Follow the steps to save the configuration. For more information on saving the configuration, see Import/Export Configuration Settings.

Ensure that you installed or upgraded the third-party redistributable packages required for the latest version of Password Manager.

 

Ensure that you know the user name and password for domain management accounts.

For more information on what permissions are required for a domain management account, see Configuring Permissions for Domain Management Account.

Ensure that Password Manager Service account is a member of the Administrators group on the Web server where Password Manager is installed.

 

Ensure that in IIS 7.0, application pool identity account is a member of the IIS_IUSRS local group. This account must also have permissions to create files in the <Password Manager installation folder>\App_Data folder.

 

Ensure that you know the user name and password for SQL database account.

That is needed only if Password Manager Service account is configured to use special SQL account (different from Password Manager Service account) to access the SQL database.

Ensure that the account, that is used to upgrade Password Manager, is a member of the local Administrators group on the server where you upgrade the product.

 

Ensure that the account, that is used to upgrade Password Manager, is a member of the database creators (db_creator) fixed role on the SQL server hosting the Password Manager configuration database.

 

Depending on your environment, refer to one of the sections below: “Side-by-Side Upgrade” or “In-Place Upgrade”.

Side-by-Side Upgrade

Side-by-Side Upgrade

When upgrading to Password Manager 5.6.3, it is recommended to perform a side-by-side upgrade. When performing a side-by-side upgrade, you install Password Manager 5.6.3 on a computer alongside the computer running an earlier version of Password Manager.

Thus, you have two versions of Password Manager and can export and import configuration settings several times using the Migration wizard 5.6.3. This allows you to review the results of the configuration settings import in Password Manager 5.6.3, change export settings if necessary and repeat the procedure of importing configuration settings.

 IMPORTANT: It is recommended to perform a side-by-side upgrade from Password Manager version 4.7.

Side-by-side upgrade should be performed in the following order:

  1. Use the administrative template to force SPE to connect to the Self-Service site 4.x.
  2. Upgrade Secure Password Extension (SPE).
  3. Upgrade Password Policy Manager (PPM).
  4. Export configuration settings from Password Manager 4.x.
  5. Install Password Manager 5.6.3.
  6. Import configuration settings to Password Manager 5.6.3.
  7. Configure settings in Password Manager 5.6.3 that were not migrated from Password Manager 4.x.
  8. Verify the configuration by creating a test user.
  9. Export configuration settings from Password Manager 5.6.3 and import them to all other instances of Password Manager 5.6.3.

    This step is optional and should be performed if you have multiple instances of Password Manager.

  10. Convert Q&A profiles of users belonging to the user scope of created Management Policies.

    If you upgrade Password Manager from version 4.6.x, before converting users’ Q&A profiles make sure you stop the scheduled tasks (“Quest Password Manager” and “Quest Password Manager Publisher”) and stop the QPM application pool in IIS console on a computer running Password Manager 4.6.x.

  11. Use the administrative template to disable the setting that forces SPE to connect to the Self-Service site 4.x.
  12. Uninstall Password Manager 4.x.

Enabling Secure Password Extension Connection to Self-Service Site 4.x

By default, Secure Password Extension automatically discovers the Self-Service site. Before you upgrade Secure Password Extension, you should use the prm_gina.adm(x) administrative template to enforce connection to the Self-Service site 4.x. This will allow users, whose Q&A profiles have not been converted yet, to use the Self-Service site and perform password management tasks. To force Secure Password Extension to connect to the Self-Service site 4.x, you must enable the “Force connection to the Self-Service site 4.x” setting.

To force Secure Password Extension to connect to Self-Service site 4.x on a computer running Windows Server 2008 R2 or later

  1. Click the Start button, click Run, and type mmc. Click OK.
  2. In the Console window on the File menu, click Add/Remove Snap-in.
  3. Double-click Group Policy Management Editor in the list of available snap-ins.
  4. In the Group Policy Wizard window, click Browse, select the domain policy that is configured to work with Secure Password Extension and click OK.
  5. Click Finish to exit Group Policy Wizard.
  6. Click OK.
  7. Expand Computer Configuration on the Group Policy Object Editor left pane, then right click Administrative Templates node, and select Add / Remove Templates.
  8. Click Add, browse for the prm_gina.adm or prm_gina.admx file, select it, and then click Open.
  9. Click Close to close the Add/Remove Templates dialog box.
  10. If you used the prm_gina.admx file, select Administrative Templates node, and then double-click the One Identity Password Manager template on the right pane.

    - OR -

    If you used the prm_gina.adm file, select Classic Administrative Templates (ADM) node, and then double-click the One Identity Password Manager template on the right pane.

  11. Double-click Upgrade Settings.
  12. Double-click Force connection to Self-Service site 4.x.
  13. Select the Enabled option and click OK.

After you install Password Manager 5.6.3 and convert users’ Q&A profiles, you must disable the “Force connection to the Self-Service site 4.x” setting to allow Secure Password Extension to connect to the Self-Service site 5.6.3.

Upgrading Secure Password Extension

Secure Password Extension is an application that provides access to the complete functionality of the Self-Service site from the Windows logon screen. Secure Password Extension also provides dialog boxes displayed on end-user computers, these dialog boxes notify users who must create or update their Questions and Answers profiles.

Secure Password Extension is included on the installation CD and is deployed through Group Policy. For information on how to deploy and configure Secure Password Extension on end-user workstations in the managed domain, see Deploying and Configuring Secure Password Extension.

 IMPORTANT: Secure Password Extension may be deployed on different workstations by applying different GPOs. This allows you to not upgrade Secure Password Extension on all the workstations at one time, but do it in several steps depending on your needs and preferences.

You can centrally upgrade workstations to the latest version of Secure Password Extension by assigning the software for deployment using Group Policy. It is recommended to remove the existing MSI package from the Software installation list, and then assign the latest-version package.

 IMPORTANT: By default, Secure Password Extension uses the URL of the Self-Service site installed on the computer where Password Manager Service runs. You can modify the URL on the General Settings|Realm Instances page of the Administration site.

To remove the existing and assign a latest-version package

  1. Remove the assigned package (Quest Secure Password Extension x86.msi or Quest Secure Password Extension x64.msi) from the list of software to be installed.
  2. Add the latest-version MSI packages to the list of software to be installed.

When upgrading Secure Password Extension, do not forget to upgrade the prm_gina.adm(x) administrative template with the one located in the \Password Manager\Setup\Administrative Template\ folder of the installation CD.

During upgrade of prm_gina.adm(x) administrative template, the previously made template settings are preserved and picked up by newer versions.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating