立即与支持人员聊天
与支持团队交流

One Identity Safeguard for Privileged Sessions 6.0 LTS - Upgrade Guide

Upgrading a single SPS node to 6.0

The following describes how to upgrade a standalone One Identity Safeguard for Privileged Sessions (SPS) node to version 6.0.

Prerequisites:

Read the following warnings before starting the upgrade process.

Caution:
  • After performing the upgrade, it is not possible to downgrade to the earlier version. Upgrading to SPS 6.0 is an irreversible process.

  • It is recommended to test the upgrade process first in VMware. To do this, download a VMware image of the latest SPS version, import the configuration of your SPS into this VMware version, and perform the upgrade. If everything is working, perform the upgrade on the production system.

To upgrade a standalone SPS node to version 6.0

  1. Complete the prerequisites described in Prerequisites for upgrading SPS and upgrade SPS to the latest revision of the current version.

  2. Login to your support portal, and download your license file.

    You need a new license file for every LTS release. If there is no license file for One Identity Safeguard for Privileged Sessions 6.0 under your account, contact our Licensing Team and Request a license key for a new version.

  3. Download the SPS 6.0 firmware ISO file from the Downloads page.

  4. If you are using a plugin (for example, a Credential Store plugin, or a multi-factor authentication plugin), download the version of the plugin from the Downloads page that is labeled as DEPRECATED.

    This version of the plugin is supported in SPS 6.0, but will not be supported in version 6.1. Before upgrading to SPS 6.1, you will have to start using a new implementation of the plugin, and update your configuration. For details, see Upgrading plugins for One Identity Safeguard for Privileged Sessions version 6.0.

    Upload the plugin to your SPS.

  5. Upload the latest 6.0 firmware ISO file to your SPS. For details, see "Upgrading One Identity Safeguard for Privileged Sessions (SPS)" in the Administration Guide.

  6. Click Test for the new firmware to check if your configuration can be upgraded to version 6.0. If the test returns any errors, correct them before continuing the upgrade process. If you encounter any problems, contact our Support Team.

    Select After reboot.

  7. If the upgrade test is successful, activate the firmware.

  8. Recommended step. To help troubleshoot potential issues following the upgrade, collect and save system information (create a support bundle) now.

    Navigate to Basic Settings > Troubleshooting > Create support bundle and choose Create support bundle.

  9. Navigate to Basic Settings > System.

    Caution:

    Do NOT click Reboot cluster during the upgrade process unless explicitly instructed.

    Click System Control > This node > Reboot to reboot the machine. SPS will start with the new firmware and upgrade its configuration, database, and other system components. During the upgrade process, SPS displays status information and other data on the local console and on the web interface of SPS, at any of the Listening addresses configured at Basic settings > Local Services > Web login (admin and user).

    NOTE:

    If you are upgrading to version 6.0 from version 5.0.x, status information is displayed on the web interface only after the first boot to version 6.0. So during the upgrade to version 6.0, you will not be able to see any upgrade logs on the web interface.

    Caution:

    If the connection database is large and contains information about several thousands of sessions, the upgrade process can take about 15-20 minutes or more, depending on the actual hardware.

    Caution:

    After the reboot in 6.0, SPS will start importing large amounts of data from metadb. This process can take about 30-40 minutes or more. During the import process, the REST base search might not function properly, since the data to search in might still be incomplete.

  10. After the reboot, login to the web interface and upload the new license file. For details, see "Upgrading One Identity Safeguard for Privileged Sessions (SPS)" in the Administration Guide.

    Caution:

    In case the SPS web interface is not available within 30 minutes of rebooting SPS, check the information displayed on the local console and contact our Support Team.

    If you experience any strange behavior of the web interface, first try to reload the page by holding the SHIFT key while clicking the Reload button of your browser to remove any cached version of the page.

    NOTE:

    In the unlikely case that SPS encounters a problem during the upgrade process and cannot revert to its original state, SPS performs the following actions:

    • Initializes the network interfaces using the already configured IP addresses.

    • Enables SSH-access to SPS, unless SPS is running in sealed mode. That way it is possible to access the logs of the upgrade process, which helps the Support Team to diagnose and solve the problem. Note that SSH access will be enabled on every active interface, even if management access has not been enabled for the interface.

  11. Navigate to Basic Settings > System > Version details and verify that SPS is running version 6.0 of the firmware. If not, it means that the upgrade process did not complete properly and SPS performed a rollback to revert to the earlier firmware version. In this case, complete the following steps:

    1. Navigate to Basic Settings > Troubleshooting > Create support bundle and click Create support bundle.

    2. Save the resulting ZIP file.

    3. contact our Support Team and send them the file. They will analyze its contents to determine why the upgrade was not completed and assist you in solving the problem.

  12. (Optional) If SPS was in a domain before the upgrade, navigate to RDP Control -> Domain membership and make sure that your domain-related settings are correct. In case of correct settings, you will see the following:

    • Fully qualified domain name (realm name): Host joined currently configured domain successfully.

    • Currently joined domains: <name.of.the.joined.domain>

    This is important because in rare cases, the appliance might fall out from the domain after an upgrade, and a manual rejoin might be required based on its status.

  13. Upgrade your Safeguard Desktop Player installations to the latest version. For details, see Upgrading the Safeguard Desktop Player.

  14. Upgrade your external indexer installations to the latest version. For details, see Upgrading the external indexer.

Upgrading the Safeguard Desktop Player

Upgrading the Safeguard Desktop Player application is only a simple installation process.

NOTE: If you already have an earlier version of the Safeguard Desktop Player application installed on the host, uninstall the previous installation. If you want to keep the previous installation for some reason, install the new version into a different directory.

You can download the Safeguard Desktop Player application from the Downloads page.

For more information, see Safeguard Desktop Player User Guide.

Caution:

One Identity Safeguard for Privileged Sessions (SPS) 5 F4 and later versions use a new encryption algorithm to encrypt the recorded audit trails (AES128-GCM). This change has the following effects:

  • If you are using external indexers to index your audit trails, you must upgrade them to the latest version. Earlier versions will not be able to index encrypted audit trails recorded with SPS 5 F4 and later.

  • To replay an encrypted audit trail recorded with SPS 5 F4 or later, you can use the latest version of the Safeguard Desktop Player application, or the browser-based player of SPS. You cannot replay such audit trails using earlier versions of Safeguard Desktop Player, nor any version of the Audit Player application.

Upgrading the external indexer

The following describes how to upgrade the indexer application on your external indexer hosts.

Caution:

One Identity Safeguard for Privileged Sessions (SPS) 5 F4 and later versions use a new encryption algorithm to encrypt the recorded audit trails (AES128-GCM). This change has the following effects:

  • If you are using external indexers to index your audit trails, you must upgrade them to the latest version. Earlier versions will not be able to index encrypted audit trails recorded with SPS 5 F4 and later.

  • To replay an encrypted audit trail recorded with SPS 5 F4 or later, you can use the latest version of the Safeguard Desktop Player application, or the browser-based player of SPS. You cannot replay such audit trails using earlier versions of Safeguard Desktop Player, nor any version of the Audit Player application.

Prerequisites

Before you start, create a backup copy of the /opt/external-indexer/etc/indexer/indexerworker.cfg and /opt/external-indexer/etc/indexer/indexer-certs.cfg indexer configuration files.

To upgrade the indexer application on your external indexer hosts

  1. Download the latest indexer package from the Downloads page.

  2. Copy the downloaded .rpm package to your external indexer hosts.

  3. Stop the indexer by using the following command.

    • On Red Hat or CentOS 6.5:

      service external-indexer stop
    • On Red Hat or CentOS 7:

      systemctl stop external-indexer.service
  4. Execute the following command: yum upgrade -y indexer.rpm

  5. Resolve any warnings displayed during the upgrade process.

  6. Restart the indexer by using the following command.

    • On Red Hat or CentOS 6.5:

      service external-indexer start
    • On Red Hat or CentOS 7:

      systemctl start external-indexer.service
  7. Repeat this procedure on every indexer host.

Upgrading an SPS high-availability cluster to 6.0

The following describes how to upgrade a One Identity Safeguard for Privileged Sessions (SPS) high-availability cluster.

Prerequisites:

Make sure that you have physically connected the IPMI interface to the network and that it is properly configured. This is important because you can only power the secondary node on through the IPMI interface. For details on configuring the IPMI interface, see "Out-of-band management of One Identity Safeguard for Privileged Sessions (SPS)" in the Administration Guide.

Caution:
  • After performing the upgrade, it is not possible to downgrade to the earlier version. Upgrading to SPS 6.0 is an irreversible process.

  • It is recommended to test the upgrade process first in VMware. To do this, download a VMware image of the latest SPS version, import the configuration of your SPS into this VMware version, and perform the upgrade. If everything is working, perform the upgrade on the production system.

Caution:

Do NOT reboot any of the SPS nodes unless explicitly instructed.

Caution:

Do NOT click Reboot cluster during the upgrade process unless explicitly instructed.

To upgrade an SPS high-availability cluster

  1. Complete the prerequisites described in Prerequisites for upgrading SPS and upgrade SPS to the latest revision of the current version.

  2. Login to your support portal, and download your license file.

    You need a new license file for every LTS release. If there is no license file for One Identity Safeguard for Privileged Sessions 6.0 under your account, contact our Licensing Team and Request a license key for a new version.

  3. Download the SPS 6.0 firmware ISO file from the Downloads page.

  4. If you are using a plugin (for example, a Credential Store plugin, or a multi-factor authentication plugin), download the version of the plugin from the Downloads page that is labeled as DEPRECATED.

    This version of the plugin is supported in SPS 6.0, but will not be supported in version 6.1. Before upgrading to SPS 6.1, you will have to start using a new implementation of the plugin, and update your configuration. For details, see Upgrading plugins for One Identity Safeguard for Privileged Sessions version 6.0.

    Upload the plugin to your SPS.

  5. Upload the latest 6.0 firmware ISO file to your SPS. For details, see "Upgrading One Identity Safeguard for Privileged Sessions (SPS)" in the Administration Guide.

  6. Click Test for the new firmware to check if your configuration can be upgraded to version 6.0. If the test returns any errors, correct them before continuing the upgrade process. If you encounter any problems, contact our Support Team.

    Select After reboot.

  7. If the upgrade test is successful, activate the firmware.

  8. Wait until the new firmware is synchronized to the slave node. This is usually completed within 60 seconds.

  9. Navigate to Basic Settings > High availability & Nodes > Other node and click Shutdown to power off the slave node.

    Caution:

    Do not power on the slave node.

  10. Recommended step. To help troubleshoot potential issues following the upgrade, collect and save system information (create a support bundle) now.

    Navigate to Basic Settings > Troubleshooting > Create support bundle and choose Create support bundle.

  11. Navigate to Basic Settings > System.

    Caution:

    Do NOT click Reboot cluster during the upgrade process unless explicitly instructed.

    Click System Control > This node > Reboot to reboot the machine. SPS will start with the new firmware and upgrade its configuration, database, and other system components. During the upgrade process, SPS displays status information and other data on the local console and on the web interface of SPS, at any of the Listening addresses configured at Basic settings > Local Services > Web login (admin and user).

    NOTE:

    If you are upgrading to version 6.0 from version 5.0.x, status information is displayed on the web interface only after the first boot to version 6.0. So during the upgrade to version 6.0, you will not be able to see any upgrade logs on the web interface.

    Caution:

    If the connection database is large and contains information about several thousands of sessions, the upgrade process can take about 15-20 minutes or more, depending on the actual hardware.

    Caution:

    After the reboot in 6.0, SPS will start importing large amounts of data from metadb. This process can take about 30-40 minutes or more. During the import process, the REST base search might not function properly, since the data to search in might still be incomplete.

  12. After the reboot, login to the web interface and upload the new license file. For details, see "Upgrading One Identity Safeguard for Privileged Sessions (SPS)" in the Administration Guide.

    Caution:

    In case the SPS web interface is not available within 30 minutes of rebooting SPS, check the information displayed on the local console and contact our Support Team.

    If you experience any strange behavior of the web interface, first try to reload the page by holding the SHIFT key while clicking the Reload button of your browser to remove any cached version of the page.

    NOTE:

    In the unlikely case that SPS encounters a problem during the upgrade process and cannot revert to its original state, SPS performs the following actions:

    • Initializes the network interfaces using the already configured IP addresses.

    • Enables SSH-access to SPS, unless SPS is running in sealed mode. That way it is possible to access the logs of the upgrade process, which helps the Support Team to diagnose and solve the problem. Note that SSH access will be enabled on every active interface, even if management access has not been enabled for the interface.

  13. Navigate to Basic Settings > System > Version details and verify that SPS is running version 6.0 of the firmware. If not, it means that the upgrade process did not complete properly and SPS performed a rollback to revert to the earlier firmware version. In this case, complete the following steps:

    1. Navigate to Basic Settings > Troubleshooting > Create support bundle and click Create support bundle.

    2. Save the resulting ZIP file.

    3. contact our Support Team and send them the file. They will analyze its contents to determine why the upgrade was not completed and assist you in solving the problem.

  14. (Optional) If SPS was in a domain before the upgrade, navigate to RDP Control -> Domain membership and make sure that your domain-related settings are correct. In case of correct settings, you will see the following:

    • Fully qualified domain name (realm name): Host joined currently configured domain successfully.

    • Currently joined domains: <name.of.the.joined.domain>

    This is important because in rare cases, the appliance might fall out from the domain after an upgrade, and a manual rejoin might be required based on its status.

  15. If rebooting the primary node has been successful, power up the secondary node through IPMI.

    The secondary node attempts to boot with the new firmware, and reconnects to the primary node to sync data. During the sync process, certain services (including Heartbeat) are not available. Wait for the process to finish, and the secondary node to boot fully. This process is finished when the Basic Settings > High availability & Nodes > Other node appears.

    Note that at this stage, on the Other node > Boot firmware version, the version number next to Current is lower than the version number next to Active.

  16. Click Activate Slave. This effectively turns the previously secondary node into the primary node. This process can take a few minutes.

    To ensure that the process is finished correctly, check the version numbers next to Current and Active on both the primary and the secondary node. These version numbers should all be the same. If the page is not refreshed after the process is finished, press F5 to refresh the page.

  17. Upgrade your Safeguard Desktop Player installations to the latest version. For details, see Upgrading the Safeguard Desktop Player.

  18. Upgrade your external indexer installations to the latest version. For details, see Upgrading the external indexer.

相关文档

The document was helpful.

选择评级

I easily found the information I needed.

选择评级