Upgrade Process#

Novell Access Manager 3.1 Support Pack 3 Interim Release 1 3.1.3-273

See the official Novell documentation:

http://www.novell.com/documentation/novellaccessmanager312/installation/?page=/documentation/novellaccessmanager312/installation/data/bn6ajpt.html

Consult appropriate Novell Documentation and Readme files provided for the release you are using.

Use entirely at your own risk. Neither Services.willeke.biz nor anyone else is responsible if you use a tool or any information on this site and it causes damage to anyone or anything! You are required to read Our Standard Disclaimer.

Backup Configuration:#

See WAM Backups and Restores

Backup JSPs#

All JSPs are overwritten by the upgrade process. Be sure to save any custom JSPs before performing the upgrade. See Backup JSPs at WAM Backups and Restores.

Download Files#

We put IDP and Console files in "special" locations as follows:

mkdir /root/downloads
mkdir /var/opt/novell/tomcat5/webapps/nidp/downloads
mkdir /var/opt/novell/tomcat5/webapps/nidp/downloads/namsp3

From my PC#

Where we downloaded from Novell we used the following:

Need to copy the above file to each Admin Console/IDP server.

scp -pvr -P 22 /Users/jim/Downloads/software/novell/nam/AM_31_SP3_IR1_IdentityServer_Linux32.tar.gz root@su-idpappqa01:/root/downloads/AM_31_SP3_IR1_IdentityServer_Linux32.tar.gz

This needs to only be done on one Admin Console/IDP server:

scp -pvr -P 22 /Users/jim/Downloads/software/novell/nam/AM_31_SP3_IR1_AccessGatewayAppliance_Linux_SLES11.tar.gz   root@su-idpappqa02:/var/opt/novell/tomcat5/webapps/nidp/downloads/namsp3/lagrpms.tar.gz 

Then on the Admin Console/IDP: Change rights so the file is visible from tomcat:

chown -R novlwww:novlwww /var/opt/novell/tomcat5/webapps/nidp/downloads

Installing on Admin Console/IDP Servers#

On each Admin Console/IDP server do the following:

cd /root/downloads
tar -xzvf AM_31_SP3_IR1_IdentityServer_Linux32.tar.gz
cd /root/downloads/novell-access-manager-3.1.3-273/
./install.sh

Currently, the client we were working with did not use the SSLVPN Agent.

Select "1" to do the install, as the Admin Console and the Identity Server are all on the same box. The process will upgrade both.

Please select the installation you wish to perform:
1. Install Novell Access Manager Administration
2. Install Novell Identity Server
3. Install Novell SSLVPN Agent
Select installation (1, 2, 3 or QUIT)[1]:

Verification#

Check logs at:
/tmp/novell_access_manager

Also verify the version in the Administration Console.

Upgrading LAG(s)#

The filename MUST be: lagrpms.tar.gz. We copied the file to one of the Admin Console/IDP servers as lagrpms.tar.gz.

WARNING External LAGs#

The External LAGs are in the DMZ and can only communicate to servers on the "core" network on assigned ports. If an upgrade is attempted and the LAG can not receive the file it will be reflected in the /var/log/lagupgrade.log file like:
Downloading http://su-iamwpapptst01.nam.willeke.com:9080/downloads/AM3SP4/lagrpms.tar.gz failed

The file will then be available at:

http://su-idpappqa01.nam.willeke.com:8080/nidp/downloads/namsp3/lagrpms.tar.gz

Install Upgrade on LAGs#

Although Novell documentation says the upgrade can be done on the Admin Console, we were never able to enter the "Upgrade URL" data as the entry field was disabled.

We did the upgrades from the command line:

/chroot/lag/opt/novell/bin/lagupgrade.sh --url http://su-idpappqa01.nam.willeke.com:8080/nidp/downloads/namsp3/lagrpms.tar.gz

Encountered Issues#

We had some minor issues during the upgrade as described below.

Admin Console#

When we updated the Admin Console, we saw these items that were at least confusing:

Poor Information From Script#

When we start the install script, we see:

The Administration server is already installed.

The Identity Server is already installed.
####################################################################################
################################## W A R N I N G ###################################
####################################################################################
# Before you perform this upgrade, it is VERY IMPORTANT that you make sure
# you have a backup of all JSPs found at:  /opt/novell/nids/lib/webapp/jsp 
# A backup of this directory will be created at: /root/nambkup/
# before installation starts if you select to continue.
# Any changes in this directory WILL BE OVERWRITTEN if the upgrade continues.
# You will be prompted to restore some of these files after the install-
# for more information: http://www.novell.com/documentation/novellaccessmanager31/installation/data/bk0lvlm.html
####################################################################################
The link shown provides a 404 error.

Backups#

We see the same startup as above. On secondary Admin/ID server installs this is an inappropriate statement, as no backup will be done.

and then:

Do you want to restore custom login pages? (y/n):y

####################################################################################
#
# ********** ALWAYS UPGRADE THE PRIMARY ADMINISTRATION CONSOLE FIRST **************.
# Please BACKUP the data and configuration in this server before running the upgrade.
# The installer had detected one or more components already installed on the system.
# If you proceed, ALL detected components will be upgraded at this time.
# During this upgrade no new components will be installed in addition to ones present
####################################################################################

=> Proceed to backup configuration data (y/n)? [y]:
This appears to be a secondary administration console.  Please run the backup from the primary administration console.
=> Continue with Upgrade (y/n)? [n]:y

SSL Renegotiation#

We see this statement:
Warning: This installer is bundled with JDK, which has ssl renegotiation disabled by default.If you are using x509 authentication, then renegotiation has to be enabled.
Would you like to enable ssl renegotiation for this server y/n? [n]:

No idea what we should do at this point.

  • Does this include use with SAML?
  • Most people will not know the answer to this question, certainly not without looking in the admin console.
  • Can the installer not tell?
  • How would a customer tell?
  • See no mention of this within the documentation.

The Identity Server Upgrade#

Apparently if the Admin Console and the Identity Server are on the same host, then the Identity Server is upgraded when you tell the script to upgrade the Admin Console. The documentation is not at all clear this is what happens.

The script output shows:

Successfully installed the following components:Novell Audit Platform Agent
Novell Audit Server
Novell Audit Platform Agent
Novell Device Manager
Novell Configuration Store
Novell Identity Server Administration Plugin
Novell iManager Upgrade
Novell Access Manager Server Communications
Novell Identity Server
We also checked in the Admin Console for versions and it was confirmed that this is what happens.

Backup of JSPs#

Do we need to backup and restore the JSPs on a secondary server? Or will the installer do this?

How can one tell if the pages were modified? Many customers would not have a clue if the pages were modified, as often the products were installed by consultants.

We did no restores and the pages all appear to be fine.

LAGs#

The script can not handle HTTPS. You have to use http or ftp or some other option.
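
Because the upgrade tarball reaches the LAGs over plain HTTP, nothing in the transfer itself proves the file is the one downloaded from Novell. One way to check each copy against a SHA-256 digest recorded on the download PC, as an added example that is not part of the original page or of Novell's tooling (the function names and the recorded digest are assumptions):

```shell
#!/bin/sh
# Added example (not Novell tooling): pin lagrpms.tar.gz to the SHA-256
# recorded where the tarball was first downloaded, then re-check each copy.
# Function names are hypothetical. On a Mac, record the digest with
# `shasum -a 256 FILE`; on the Linux servers sha256sum is used below.

# sha256_of FILE: print the lowercase hex SHA-256 of FILE.
sha256_of() {
    sha256sum "$1" | awk '{print $1}'
}

# verify_tarball FILE EXPECTED: 0 = match, 1 = mismatch, 2 = bad input.
verify_tarball() {
    vt_file=$1
    vt_want=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -r "$vt_file" ] || { echo "cannot read $vt_file" >&2; return 2; }
    case $vt_want in
        ''|*[!0-9a-f]*) echo "digest is not hex" >&2; return 2 ;;
    esac
    [ "${#vt_want}" -eq 64 ] || { echo "digest is not 64 hex chars" >&2; return 2; }
    vt_have=$(sha256_of "$vt_file")
    if [ "$vt_have" = "$vt_want" ]; then
        echo "OK $vt_file"
        return 0
    fi
    echo "MISMATCH $vt_file: got $vt_have" >&2
    return 1
}

# fetch_and_verify URL EXPECTED: download the served copy the same way a LAG
# would (plain HTTP, curl) into a temp file and verify it. Same return codes.
fetch_and_verify() {
    fv_tmp=$(mktemp) || return 2
    if ! curl --silent --show-error --fail --output "$fv_tmp" "$1"; then
        rm -f "$fv_tmp"
        return 2
    fi
    fv_rc=0
    verify_tarball "$fv_tmp" "$2" || fv_rc=$?
    rm -f "$fv_tmp"
    return "$fv_rc"
}

# Usage on a LAG, with EXPECTED holding the recorded digest:
#   fetch_and_verify http://su-idpappqa01.nam.willeke.com:8080/nidp/downloads/namsp3/lagrpms.tar.gz "$EXPECTED" \
#     && /chroot/lag/opt/novell/bin/lagupgrade.sh --url http://su-idpappqa01.nam.willeke.com:8080/nidp/downloads/namsp3/lagrpms.tar.gz
```

lagupgrade.sh downloads the file again itself, so this catches a wrong, stale or corrupted lagrpms.tar.gz on the staging server but does not protect that second fetch from tampering on the path.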

LAG Upgrade output#

When we run the upgrade on the LAGs we saw:
Upgrading LAG rpms...

warning: /etc/opt/novell/tomcat5/tomcat5.conf created as /etc/opt/novell/tomcat5/tomcat5.conf.rpmnew
insserv: script novell-vmc-chroot: service vmcontroller already provided!
insserv: script snmpd.noe: service vcp already provided!
insserv: script novell-vmc-chroot: service vmcontroller already provided!
insserv: script snmpd.noe: service vcp already provided!
warning: /etc/syslog-ng/syslog-ng.conf saved as /etc/syslog-ng/syslog-ng.conf.rpmsave
/var/tmp/rpm-tmp.72606: line 81: [: too many arguments
insserv: script novell-vmc-chroot: service vmcontroller already provided!
insserv: script snmpd.noe: service vcp already provided!
insserv: script novell-vmc-chroot: service vmcontroller already provided!
insserv: script snmpd.noe: service vcp already provided!

The warnings and obvious script error are not very comforting.

We also had one LAG (of six) where the vmc service did not start and we were shown an error. All the LAGs were upgraded successfully and even the one where the script said VMC service did not start was running when we checked.

Verification#

To check the status of upgrade, do one of the following:
  • Click Access Gateways > <Name of Server> > Upgrade > View Upgrade Log to view the upgrade log.
  • Or tail -f /var/log/lagupgrade.log
  • Check the health of the Access Gateway. When the upgrade command is successfully sent, the Access Gateway should be in a green state. As the upgrade proceeds, the health should turn red when the Access Gateway is stopped, white when the Access Gateway is disconnected and rebooting, then green.

NOTE: For geeks that want to know. The file is downloaded (via curl) to: /opt/novell/devman/jcc/lagrpms.tar.gz. Once it is downloaded and installed, it is removed.

Checked log: "Successfully upgraded the system with Linux Access Gateway rpms". All green in Device Manager.

Also verify the version in the Administration Console.

« This page (revision-9) was last changed on 28-Jul-2014 11:41 by jim