Your Access Manager components have 3.1 installed if they display a version number between 3.1.0.420 and 3.1.0.431. You need to upgrade all components to SP2 before you migrate components to SLES 11 or Windows Server 2008.
The upgrade from 3.1 to 3.1 SP2 uses the standard processes used in the other Access Manager support pack releases.
There are some new processes you need to be aware of and some additional configuration steps.
Administration Console: Before you upgrade the Administration Console, check for the following potential issues:
The installation script for the Administration Console and the Identity Server now checks to ensure that you have at least 1 GB (Linux) or 1.2 GB (Windows) of memory on the machine, and the upgrade fails if you have less. This upgrade check is below the recommended minimum of 4 GB.
When you upgrade the Administration Console, answer Yes to the prompt to make a backup of your configuration.
A recent backup is usually the quickest solution for restoring a system when an upgrade encounters a problem that requires an engineering fix. If you don’t have a recent backup, you might be forced to re-create your configuration.
SP2 adds some new features. Do not try using any of the new features until after you have upgraded all components to 3.1 SP2.
For information about these new features, see What’s New in Access Manager 3.1 SP2.
Back up customized Tomcat files on your Access Manager components.
If you have customized the tomcat5.conf file or the server.xml file, back up these files before upgrading. These files are overwritten during the upgrade process.
Identity Server: Before you upgrade the Identity Server, check for the following potential issues:
Do not make modifications to your user stores until you have upgraded both the Administration Console and the Identity Server.
If you make modifications, you break communication between the Identity Server and the user store until you upgrade the Identity Server.
When you upgrade the Identity Server, the Session Timeout value is rounded up to the nearest value divisible by 5. This value is then assigned to all contracts. After all the Identity Servers in the cluster have been upgraded, you can modify the Authentication Timeout on each contract to meet your security requirements. You can also modify the Default Timeout value (the new name for the Session Timeout option) to the value you want assigned to new contracts and to federated sessions that cannot be associated with a contract.
If you have customized the login pages, make sure you make a backup before you begin the upgrade process.
Even though the program automatically backs up the JSP directory and stores a zip of these files in a nambkup directory (under $HOME on Linux and at the root of the operating system drive on Windows), you should have your own backup.
(Conditional) If you have customized login pages and you have not given these files unique names but have used the Identity Server names for these files, you need to carefully consider your answer to the prompt to preserve your 3.1 login pages. If you answer Yes, the following modifications happen automatically:
The main.jsp file from the backup of the 3.1 system is renamed nidp.jsp and installed in the JSP directory.
The menus.jsp, content.jsp, and login.jsp files from the backup of the 3.1 system are copied to the JSP directory.
The Tomcat working directory is cleared.
If you have given any of your other custom login pages or custom images the same name as the files that come with the product, the new files that come with the upgrade are overwritten with your custom pages and images. If the Access Manager pages contained any new functionality, that functionality is lost.
(Conditional) If you have customized login pages but you have given them unique names and have not used the Identity Server names for the files, answer No to the prompt to preserve your 3.1 login pages. The files are backed up to the nambkup directory (under $HOME on Linux and at the root of the operating system drive on Windows). If necessary, you can manually restore them.
If you manually restore your files, remember to clear the Tomcat working directory.
Linux: /var/opt/novell/tomcat5/work/Catalina/localhosts/nidp
Windows: C:\Program Files\Novell\Tomcat\work\Catalina\localhosts\nidp
Then restart Tomcat on the Identity Server.
(Conditional) If you have configured your Identity Server for trace logging ( > > ), you need to modify the logging page after you finish the upgrade.
The trace logging option on the Logging page has been removed. You can obtain the same level of event messages when you set the to .
The trace logging options are viewable in the Administration Console as long as one Identity Server in the cluster is still running version 3.1, but they can’t be set.
(Conditional) If you have configured the Identity Server for Card Space, you need to download high encryption files and copy them to the /opt/novell/java/jre/lib/security directory. For instructions, see Enabling High Encryption in the Novell Access Manager 3.1 SP2 Identity Server Guide.
(Conditional) If you have configured the Identity Server to send attributes to the Access Gateway, decide on an upgrade strategy for a potential issue.
If any of the attributes you are sending have empty values, users cannot authenticate until you have upgraded all your Identity Servers and Access Gateways to SP2 or you have disabled the sending of attributes until you have upgraded all components. For more information about this issue, see TID 7005475.
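For the prompt to preserve your 3.1 login pages described above, the following added example (not Novell code) compares the JSP directory against an unmodified copy of the 3.1 files and reports which customized pages reuse product file names. The two directory arguments, the pristine copy, and the sample file names are assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not Novell code. Assumptions: PRISTINE is an unmodified copy
# of the 3.1 JSP files that you supply; LIVE is the server's JSP directory.

# Files the page says the upgrade carries over explicitly when you answer Yes.
HANDLED="main.jsp menus.jsp content.jsp login.jsp"

# Print "<CLASS> <name>" for each customized file in LIVE:
#   HANDLED    product name, edited in place, carried over on Yes
#   OVERWRITES product name, edited in place, replaces the new SP2 file on Yes
#   UNIQUE     name not shipped with the product (the page's answer-No case)
classify_login_pages() {
    pristine=$1; live=$2
    for f in "$live"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        if [ ! -f "$pristine/$name" ]; then
            echo "UNIQUE $name"
        elif ! cmp -s "$f" "$pristine/$name"; then
            case " $HANDLED " in
                *" $name "*) echo "HANDLED $name" ;;
                *)           echo "OVERWRITES $name" ;;
            esac
        fi
    done
}

# NO when every custom file is uniquely named; REVIEW when any product-named
# file was edited in place and the Yes/No choice needs careful thought.
suggest_answer() {
    if classify_login_pages "$1" "$2" | grep -Eq '^(HANDLED|OVERWRITES) '; then
        echo REVIEW
    else
        echo NO
    fi
}

# Constructed sample directories and file names so the script runs offline.
demo=$(mktemp -d)
mkdir "$demo/pristine" "$demo/live"
for n in main.jsp login.jsp err.jsp; do echo "stock $n" > "$demo/pristine/$n"; done
cp "$demo/pristine/"* "$demo/live/"
echo "custom branding" >> "$demo/live/login.jsp"      # edited in place
echo "custom errors"   >> "$demo/live/err.jsp"        # edited, not in HANDLED
echo "custom page"     >  "$demo/live/acme_login.jsp" # uniquely named
classify_login_pages "$demo/pristine" "$demo/live"
suggest_answer "$demo/pristine" "$demo/live"
```

Any OVERWRITES line marks a page whose customized copy would replace the file shipped with the upgrade, so compare it against the new version before answering Yes.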
Access Gateway Appliance: Before you upgrade the Access Gateway Appliance, check for the following potential issues:
(Conditional) If you have installed an SSL VPN server with your Access Gateway Appliance, you need to modify the port that the Access Gateway protected resource is using for the SSL VPN server. For instructions, see Section 9.3.1, Configuration Changes to the SSL VPN Server Installed with the Access Gateway Appliance.
(Conditional) If you have enabled the LAGmonitor service of the Linux Access Gateway Appliance, be aware that the LAGmonitor service is removed from initservices during the upgrade. After upgrading to 3.1 SP2, you need to enable this service manually. For more information, see Using the Linux Access Gateway Monitor Service in the Novell Access Manager 3.1 SP2 Access Gateway Guide.
(Conditional) The location of the keystores on the Administration Console for the Embedded Service Provider of the Access Gateway Appliance changed in Access Manager 3.0.1. If you installed the Access Gateway Appliance with the 3.0 version and upgraded it to 3.1, the keystores are in the old location. The SLES 9 Access Gateway Appliance works with the keystores in either the old or the new location. However, when you migrate your SLES 9 Access Gateway Appliances to SLES 11, the SLES 11 Access Gateway Appliance ceases to function because it cannot find the Embedded Service Provider keystores. To correct this problem:
If you are upgrading to SP2, you need to run the keystore cleanup script before upgrading. For instructions, see Running the Keystore Clean-Up Script.
If you are upgrading to SP2 IR1, the upgrade script automatically cleans up the keystores for you. After the upgrade, the keystores are in the new location.
After you have upgraded the SSL VPN server installed along with the Access Gateway Appliance, you must modify the existing path-based service accelerating the SSL VPN server as follows:
In the Administration Console, click [Name of Reverse Proxy].
> > >
In the section, click the SSL VPN service that you have configured.
Select the tab.
Click the IP address link from the section.
Change the IP address to 127.0.0.1, which is the loopback IP address.
Originally, the public IP address of SSL VPN was configured as the IP address of the Web server.
Click when prompted to purge the cache.
Click , then click on the Configuration page to save your modifications.