Chat now with support
Chat with Support

Safeguard Authentication Services 4.1.5 - Upgrade Guide

One Identity Privileged Access Suite for Unix Introducing One Identity Authentication Services What's new in Authentication Services 4.1 Upgrade from 3.5 to 4.1 considerations Upgrade the web console Upgrade Authentication Services Windows components Configure Active Directory for Authentication Services Configure Unix agent components Upgrade Authentication Services client components manually Getting started with Authentication Services Troubleshooting

Upgrading VAS 3.5 from the command line

To upgrade VAS 3.5 from the Unix command line

  1. Install the upgrade package on that host by running:
    # ./install.sh upgrade

    Note: If you are running your client agent in Version 3 Compatibility Mode, Authentication Services displays a warning message. (For more information, see Version 3 compatibility mode.)

  2. Install the Authentication Services license. (See Licensing Authentication Services.)
  3. Create the Authentication Services application configuration. (See Creating the Application Configuration from the Unix Command Line in the Authentication Services Installation Guide for more information.)

    Note: This step is optional. If you do not configure Authentication Services for Active Directory, you can run your Authentication Services client agent in "Version 3 Compatibility Mode" which allows you to join a host to an Active Directory domain.

  4. Upgrade the rest of your hosts to the Authentication Services 4.1 Agent.
About the Authentication Services Application Configuration

The first time you install or upgrade the Authentication Services 4.1 Windows components in your environment, One Identity recommends that you configure Active Directory for Authentication Services to utilize full Authentication Services 4.1 functionality. This is a one-time Active Directory configuration step that creates the Authentication Services application configuration in your forest. Authentication Services uses the information found in the application configuration to maintain consistency across the enterprise.

If you upgrade VAS 3.5 to Authentication Services 4.1 using Management Console for Unix as explained in the Authentication Services Upgrade Guide, the Authentication Services Active Directory Configuration Wizard starts automatically to assist you in setting up the application configuration; however, if you are upgrading from the Unix command line, you can create the Authentication Services application configuration using the vastool command.

Note: You need only one application configuration per forest. If you already have an Authentication Services application configuration in your forest, you do not need to create another one. (For more information, see About Active Directory configuration.)

Authentication Services agent upgrade commands

To upgrade the Authentication Services agent package

  1. Log in and open a root shell.
  2. Mount the installation DVD and run the appropriate command.

    (See Notes for additional configuration information.)

    Table 15: Authentication Services: Agent upgrade commands
    Platform Command
    Linux x86 - RPM # rpm -Uhv /<mount>/client/linux-x86/vasclnt-<version>-<build>.i386.rpm
    Linux x64 - RPM # rpm -Uhv /<mount>/client/linux-x86_64/vasclnt-<version>-<build>.x86_64.rpm
    Linux x86 - DEB # dpkg -i /<mount>/client/linux-x86/vasclnt-<version>-<build>.i386.deb
    Linux x64 - DEB # dpkg -i /<mount>/client/linux-x86_64/vasclnt-<version>-<build>_amd64.deb
    Linux s390 # rpm -Uhv /<mount>/client/linux-s390/vasclnt-<version>-<build>.s390.rpm
    Linux s390x # rpm -Uhv /<mount>/client/linux-s390x/vasclnt-<version>-<build>.s390x.rpm
    VMware ESX 3.x # rpm -Uhv /<mount>/client/linux-x86/vasclnt-<version>-<build>.i386.rpm
    VMware ESX 4.1 # rpm -Uhv /<mount>/client/linux-x86_64/vasclnt-<version>-<build>.x86_64.rpm
    SLES 8 PPC # rpm -Uhv /<mount>/client/linux-glibc22-ppc64/vasclnt-glibc22-<version>-<build>.ppc64.rpm
    SLES 9 PPC # rpm -Uhv /<mount>/client/linux-glibc23-ppc64/vasclnt-glibc23-<version>-<build>.ppc64.rpm
    Solaris 8-10 x86 # pkgadd -d /<mount>/client/solaris8-x86/vasclnt_SunOS_5.8_i386-<version>-<build>.pkg vasclnt
    Solaris 10 x64 # pkgadd -d /<mount>/client/solaris10-x64/vasclnt_SunOS_5.10_i386-<version>-<build>.pkg vasclnt
    Solaris 8-10 SPARC # pkgadd -d /<mount>/client/solaris8-sparc/vasclnt_SunOS_5.8_sparc-<version>-<build>.pkg vasclnt
    HP-UX PA-RISC 11i v1 (B.11.11) # swinstall -s /<mount>/client/hpux-pa/vasclnt_9000-<version>-<build>.depot vaslcnt
    HP-UX PA-RISC 11i v2 (B.11.23), 11i v3 (B.11.31) # swinstall -s /<mount>/client/hpux-pa-11v1/vasclnt_hpux-11.11-<version>-<build>.depot vasclnt
    HP-UX IA64 11i v1.6 (B.11.22), 11i v2 (B.11.23), 11i v3 (B.11.31) # swinstall -s /<mount>/client/hpux-ia64/vasclnt_ia64-<version>-<build>.depot vasclnt
    AIX 4.3.3 # installp -acXd /<mount>/client/aix-43/vasclnt.AIX_4.3.<version>-<build>.bff all
    AIX 5.1 – 5.2 # installp -acXd /<mount>/client/aix-51/vasclnt.AIX_5.1.<version>-<build>.bff all
    AIX 5.3 – 6.1 # installp -acXd /<mount>/client/aix-53/vasclnt.AIX_5.3.<version>-<build>.bff all
    Mac OS X /usr/sbin/installer -pkg '/<mount>/VAS.mpkg/Contents/Packages/vasclnt.pkg' -target /
Additional Configuration Information:

Note: During the upgrade, vasd reloads and updates its user and group cache. To restart the Authentication Services caching service, see Restarting Authentication Services services.

Note: VMware: VMware provides a Host Update Utility to upgrade an ESX 3.5 agent to 4.0, but if Authentication Services is left installed and configured during the procedure, the machine will be inaccessible after the upgrade. This is because the previous 3.5 installation is pushed aside and mounted under the /esx3-installation directory, but all the key configuration files, like /etc/nsswitch.conf and the pam.d directory, are preserved.

If Authentication Services is still configured in those files it leaves the machine in a bad state. Because of this, One Identity recommends that you uninstall Authentication Services before attempting to upgrade to ESX 4.0. In the vSphere Upgrade Guide, VMware warns that "no third-party management agents or third-party software applications are migrated," but it does not explicitly say they should be uninstalled prior to upgrade.

Should you accidentally leave Authentication Services installed or configured during the upgrade, use the following steps to fix the machine:

  1. Boot into single user mode
  2. Copy /etc/pam.d/vmware-authd.esx4 over /etc/pam.d/vmware-authd (backup vmware-authd first if desired)
  3. Copy /etc/pam.d/system-auth-generic.esx4 over /etc/pam.d/system-auth-generic
  4. Remove "vas4" from the passwd, group, and any other configured lines in nsswitch.conf
  5. Reboot the machine--the machine should now be accessible
  6. Install the linux-x86_64Authentication Services packages

Note: Solaris: The -a vasclient-defaults option specifies an alternative default file for pkgadd administrative options that allows pkgadd to overwrite an existing package with a new package.

pkgadd does not support the concept of upgrading a package, so this allows you to upgrade without having to rejoin your machine to the Active Directory domain, or uninstalling the old version first.

Note: HP-UX: Reboot the HP-UX machine to ensure that all of the new files are installed. HP-UX does not allow you to overwrite files that are in use—this is done as part of the boot sequence.

Restarting Authentication Services services

  1. The method for restarting services varies by platform:
    1. To restart Authentication Services on Linux or Solaris, enter:
      /etc/init.d/vasd restart
    2. To restart Authentication Services on HP-UX, enter:
      /sbin/init.d/vasd restart
    3. To restart Authentication Services on AIX, enter:
      stopsrc -s vasd
      startsrc -s vasd

Note: Due to library changes between the Authentication Services 3.x and 4.1, One Identity recommends that you restart all long-lived processes that use Authentication Services data to force a reload of the newer libraries. For example, you must restart cron.

Getting started with Authentication Services

Once you have successfully installed Authentication Services you will want to learn how to do some basic system administration tasks using the Control Center and Management Console for Unix.

Related Documents