Chat now with support
Chat with Support

Safeguard Authentication Services 5.0.2 - Upgrade Guide

Privileged Access Suite for Unix Introducing One Identity Safeguard Authentication Services Upgrade the web console Upgrade Windows components Configure Active Directory Configure Unix agent components Upgrade client components manually Getting started with Safeguard Authentication Services
Getting acquainted with the Control Center Learning the basics

Installing software on hosts

Once you have successfully added and profiled one or more hosts, and checked them for AD Readiness, you can remotely deploy software products to them from the management console.

To install Safeguard Authentication Services software on hosts

  1. Select one or more profiled hosts on the All Hosts view and click the Install Software tool bar button.

    Note: The Install Software tool bar menu is enabled when you select hosts that are profiled.

    The tool bar button will not be active if:

    • You have not selected any hosts.
    • You have selected multiple hosts with different states (added, profiled, or joined).

  2. In the Install Software dialog, select the Safeguard Authentication Services software products you want to install and click OK.
    • Safeguard Authentication Services Agent (Required): Select to allow Active Directory users access to selected host. Safeguard Authentication Services provides centralized user and authentication management. It uses Kerberos and LDAP to provide secure data transport and an authentication framework that works with Microsoft Active Directory. Components include vasd, nss_vas, pam_vas, and vastool.
    • Safeguard Authentication Services for Group Policy (Required): Select to install the Group Policy component that provides Active Directory Group Policy support for Unix, Linux, and macOS platforms.
    • Safeguard Authentication Services for NIS: Select to install the NIS Proxy component that provides the NIS compatibility features for Safeguard Authentication Services. vasyp is a NIS daemon that acts as a ypserv replacement on each host.
    • Safeguard Authentication Services for LDAP: Select to install the LDAP Proxy component that provides a way for applications that use LDAP bind to authenticate users to Active Directory without using secure LDAP (LDAPS). Instead of sending LDAP traffic directly to Active Directory domain controllers, you can configure applications to send plain text LDAP traffic to vasldapd by means of the loopback interface. vasldapd proxies these requests to Active Directory using Kerberos as the security mechanism.
    • Dynamic DNS Updater: Select to install the Dynamic DNS Updater component that provides a way to dynamically update host records in DNS and can be triggered by DHCP updates.
    • Defender PAM Module: Select to install the Defender authentication components for PAM based Unix/Linux systems. Includes PAM module, documentation, and utilities to appropriately configure the PAM subsystem for Active Directory/Defender OTP authentication.

    Note: You must install the Safeguard Authentication Services Agent and the Group Policy packages.

    Note: If you do not see all of these software packages, verify the path to the software packages is correctly set in System Settings. Refer to Set the Safeguard Authentication Services Client Software Location on the Server in the management console online help for details.

  3. In the Log on to Host dialog, enter the user credentials to access the selected hosts and click OK.

    Note: This task requires elevated credentials.

    If you selected multiple hosts, it asks whether you want to use the same credentials for all the hosts (default) or enter different credentials for each host.

    1. If you selected multiple hosts and the Use the same credentials for all selected hosts option, enter your credentials to log on to access the selected hosts and click OK.
    2. If you selected multiple hosts and the Enter different credentials for each selected host option, a grid displays that allows you to enter different credentials for each host listed. Place your cursor in a cell in the grid to activate it and enter the data.

Upgrade client components manually

The easiest way to upgrade Safeguard Authentication Services client components is from Management Console for Unix. Once a you have successfully added and profiled one or more hosts, you can remotely deploy software products to them from the management console. For more information, see Configure Unix agent components.

You can also upgrade your Safeguard Authentication Services client components from the Unix command line, if you prefer.

About the Application Configuration

The first time you install or upgrade the Safeguard Authentication ServicesWindows components in your environment, One Identity recommends that you configure Active Directory for Safeguard Authentication Services to utilize full functionality. This is a one-time Active Directory configuration step that creates the Safeguard Authentication Services application configuration in your forest. Safeguard Authentication Services uses the information found in the application configuration to maintain consistency across the enterprise.

If you upgrade Safeguard Authentication Services using Management Console for Unix, the Safeguard Authentication Services Active Directory Configuration Wizard starts automatically to assist you in setting up the application configuration; however, if you are upgrading from the Unix command line, you can create the Safeguard Authentication Services application configuration using the vastool command.

Note: You need only one application configuration per forest. If you already have an Safeguard Authentication Services application configuration in your forest, you do not need to create another one. For more information, see About Active Directory configuration.

Agent upgrade commands

To upgrade the Safeguard Authentication Services agent package

  1. Log in and open a root shell.
  2. Mount the installation ISO and run the appropriate command.

    See Additional configuration information that follows the table.

    Table 11: Authentication Services: Agent commands
    Platform Command

    Linux x86 - RPM

    # rpm -Uhv /<mount>/client/linux-x86/vasclnt-<version>-<build>.i386.rpm

    Linux x64 - RPM

    # rpm -Uhv /<mount>/client/linux-x86_64/vasclnt-<version>-<build>.x86_64.rpm

    Linux x86 - DEB

    # dpkg -i /<mount>/client/linux-x86/vasclnt-<version>-<build>.i386.deb

    Linux x64 - DEB

    # dpkg -i /<mount>/client/linux-x86_64/vasclnt-<version>-<build>_amd64.deb

    Linux s390

    # rpm -Uhv /<mount>/client/linux-s390/vasclnt-<version>-<build>.s390.rpm

    Linux s390x

    # rpm -Uhv /<mount>/client/linux-s390x/vasclnt-<version>-<build>.s390x.rpm

    SLES 11, 12, and 15 PPC

    # rpm -Uhv /<mount>/client/linux-glibc23-ppc64/vasclnt-glibc23-<version>-<build>.ppc64.rpm

    Oracle Solaris 10 and 11 x64

    # pkgadd -d /<mount>/client/solaris10-x64/vasclnt_SunOS_5.10_i386-<version>-<build>.pkg vasclnt

    Oracle Solaris 10 and 11 SPARC

    # pkgadd -d /<mount>/client/solaris10-sparc/vasclnt_SunOS_5.8_sparc-<version>-<build>.pkg vasclnt

    HP-UX PA-RISC 11i v3 (B.11.31)

    # swinstall -s /<mount>/client/hpux-pa-11v1/vasclnt_hpux-11.11-<version>-<build>.depot vasclnt

    HP-UX IA64 11i v3 (B.11.31)

    # swinstall -s /<mount>/client/hpux-ia64/vasclnt_ia64-<version>-<build>.depot vasclnt

    AIX 7.1 and 7.2

    # installp -acXd /<mount>/client/aix-71/vasclnt.AIX_5.3.<version>-<build>.bff all

    Mac OS X

    /usr/sbin/installer -pkg '/<mount>/VAS.mpkg/Contents/Packages/vasclnt.pkg' -target /

    FreeBSD 10 and 11

    pkg /<mount>/client/freebsd-x86_64/vasclnt-<build>.txz

    Amazon Linux AMI

    # rpm - Uhv /<mount>/client/linux-x86_64/vasclnt-<build>.x86_64.rpm

Additional configuration information

Note: During the upgrade, vasd reloads and updates its user and group cache. To restart the Safeguard Authentication Services caching service, see Restarting services.

Note: Oracle Solaris: The -a vasclient-defaults option specifies an alternative default file for pkgadd administrative options that allows pkgadd to overwrite an existing package with a new package.

pkgadd does not support the concept of upgrading a package, so this allows you to upgrade without having to rejoin your machine to the Active Directory domain, or uninstalling the old version first.

Note: HP-UX: Reboot the HP-UX machine to ensure that all of the new files are installed. HP-UX does not allow you to overwrite files that are in use—this is done as part of the boot sequence.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating