Identity Manager Upgrade Guide
Note: It is assumed that the following procedures are fully tested in a prototyped production environment in the LAB before going ahead in production. This article includes general information that applies to IDM 3.x.
- Get and note activation IDs for each of the drivers being upgraded.
- Get admin, root and administrator passwords for all trees and servers including eDir, AD, Linux/Unix, etc.
- Prepare backout procedures, i.e. unmirror drives if mirroring exists, take snapshots and/or have a good backup of everything being upgraded prior to starting.
- Check for and install any appropriate OS and directory type patches or upgrades to make sure your IDM version is supported on the OS patch levels as well as the directories, for example, eDir, AD or any other directories being synchronized to.
- Upgrade iManager to the latest supported version for your IDM version in all eDir trees involved.
- Have the upgraded version of your IDM DVD media as well as any latest patches available for your IDM version. Mount the IDM DVD on each of the servers, or copy appropriate platform installation directories and patches to each of the servers. Tip - Always check to see if any new drivers, updates or patches have come out for the version of IDM you are upgrading to. Download, install and add to the test environment before deploying to production. It is better to be on the latest code possible from the start.
- Prepare to have to redo SSL certificates if necessary.
Steps for upgrade of each IDM Server in each tree:
- Export all driver sets.
- Check general server, eDir, and iManager health of all servers being upgraded. Resolve any issues before moving forward.
- Set all drivers in all trees to manual and shut down all drivers. Shut down remote loaders.
- Start the IDM installation on the first server in one of the trees. (You might want to upgrade IDM on the tree with the best/easiest backout procedures first, i.e. unmirror drives or grab a snapshot if possible.)
- Have the IDM software available on all servers, i.e. DVD mounted as ISO on the servers, or, for example, in the SYS:idm3.7, c:\idm3.7 or /root/idm3.7 folder for NetWare, Windows, and Linux/Unix servers respectively. Don't forget the remote loader servers.
- For a NetWare server, run the installation from startx on the NetWare server, pointing to the product.ni file in the NW folder of the SYS:IDM3.7 installation folder.
- For a Windows remote loader server, run the install file from the NT folder of the c:\idm3.7 installation folder.
- For a Linux or Unix server, run the engine installation or remote loader installation from the /root/idm3.7 installation folder.
- Follow prompts and select appropriate drivers for the servers. Uncheck anything pertaining to other drivers or not in use.
- After the IDM upgrade successfully completes, to finish the upgrade of the iManager IDM plugins, restart Tomcat/Apache on the server.
- Check the new plugins in iManager and check that the upgraded driver starts properly. If it does not, troubleshoot by checking the driverset logs; otherwise, shut down the driver again and continue the upgrade on the remaining servers.
- If plugins don't appear (this is likely related to RBS roles configuration), go into RBS Configuration and click both "not installed" and "out of date" to see if the Identity Manager plugins show up in either list. If so, click update. The Identity Manager plugins should appear right after.
- Redo steps 4 to 7 above for the next server until all servers with Identity Manager engines with drivers are upgraded.
- To upgrade the remote loader server, first shut down the remote loader. Access the IDM media, and start the installation. Follow the prompts and deselect the metadirectory engine server, and select the connector server instead.
- Once the upgrade completes, restart the remote loader. Do this for each of the remote loaders to be upgraded.
- Start the drivers in each of the trees, verify they are each working, and then set each driver back to AUTO START.
Troubleshooting driver issues after the upgrade:
- Always check the driverset and driver logs for information first. Turn on dstrace to gather more information and check the status log for the publisher and subscriber.
- Tip: Check to make sure that the engine dstraces are set to 3 for the driver you are troubleshooting. For remote loader issues, check that the shim traces are set to 3 or higher. For Linux and Unix fan-out drivers, get the platform agent log files.
- Troubleshooting drive errors -641 or -783 Starting an IDM driver - TID Document (7002449)
- 783 Error When Loading an Identity Manager Driver - TID Document (7000998)
- DirXML driver won't start with KMO specified. TID document (10074000) Tip: Make sure SSL certificates are still valid; use pkidiag, and if that does not help and the errors indicate that a certificate problem persists, you may have to recreate the certificates. Use the following link to recreate eDir to eDir certificates. Information is provided just below in number 5 in the TID on how to recreate the SSL connection between a remote loader and the engine.
- DirXML Driver does not start TID document (10080575)
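Added example (not part of the original guide or of Novell's tooling): a shell check, using the standard openssl command, for the certificate validity checks mentioned in the preparation and troubleshooting lists above. It assumes the certificates in question (for example, the trusted root file used by a remote loader) have already been exported to Base64/PEM files; the function names and file paths are illustrative.

```shell
#!/bin/sh
# Added example: flag exported PEM certificates that are unreadable or that
# expire within a given number of days, so they can be reissued in the
# maintenance window instead of surfacing as driver start errors.

# cert_status FILE [DAYS] -> prints ok | expiring | invalid (exit 0 | 1 | 2)
cert_status() {
    file=$1
    days=${2:-30}
    # An unreadable or non-PEM file is reported, never treated as valid.
    if ! openssl x509 -in "$file" -noout >/dev/null 2>&1; then
        echo invalid
        return 2
    fi
    # -checkend exits non-zero if the certificate has expired or will
    # expire within the given number of seconds.
    if openssl x509 -in "$file" -noout -checkend $((days * 86400)) >/dev/null 2>&1; then
        echo ok
        return 0
    fi
    echo expiring
    return 1
}

# check_certs DAYS FILE... -> one report line per file; the exit status is
# the number of files that need attention (0 means all are fine).
check_certs() {
    days=$1
    shift
    bad=0
    for f in "$@"; do
        status=$(cert_status "$f" "$days") || bad=$((bad + 1))
        end=$(openssl x509 -in "$f" -noout -enddate 2>/dev/null | cut -d= -f2) || true
        printf '%-9s %s (notAfter: %s)\n' "$status" "$f" "${end:-n/a}"
    done
    return "$bad"
}

# Usage (hypothetical path): sh certcheck.sh 90 /root/idm-certs/*.pem
if [ "$#" -ge 2 ]; then
    check_certs "$@"
fi
```

Run it against the exported certificates before the upgrade and again afterwards; anything reported as expiring or invalid is a candidate for recreation.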
Testing after a successful upgrade:
- Testing should be done according to business rules. The following are only examples as this list should be much more detailed and exhaustive. Use the policies in each of the drivers to come up with the full list of business rules to test.
- Password changes (determine from which trees to which trees in production)
- User creation (determine from which trees to which trees and whether vetos should also be tested)
- User deletion (determine from which trees to which trees and whether vetos should also be tested)
- Attribute modifications (determine from which trees to which trees and whether vetos should also be tested)
- Check, modify and test any custom scripts used to monitor/manage the environment, etc.
- Don't forget to get the activation done on the upgraded IDM products within the 3 month period.
Disclaimer: As with everything else at Cool Solutions, this content is definitely not supported by Novell (so don't even think of calling Support if you try something and it blows up).
It was contributed by a community member and is published "as is." It seems to have worked for at least one person, and might work for you. But please be sure to test, test, test before you do anything drastic with it.