Upgrading CA Identity Suite Virtual Appliance

This article contains the following sections:
Supported upgrade paths
  • The following platforms support upgrading to Identity Suite Virtual Appliance 14.1.0:
    • CA Identity Suite Virtual Appliance 14.0.0 (any CP level)
    • CA Identity Suite Virtual Appliance 14.0.1 (any CP level)
  • Upgrading to 14.1.0 is only supported for systems that have already been deployed with at least one of the following services:
    • Identity Manager
    • Identity Governance
    • Identity Portal
Note: For installing new vApp 14.1.0 nodes, please download the vApp 14.1 OVA from the CA Download Center → Download Center → Download Products → CA Identity Suite → 14.1.
Overview
  • The patch upgrades the following products in the following order on every 14.0.x node:
    • Virtual Appliance platform scripts and web-ui
    • CA Directory
    • CA Identity Portal
    • CA Identity Manager
    • CA Provisioning Server
    • CA Connector Server
    • CA Identity Governance
  • Note: The patch upgrades a single node at a time.
    For systems with multiple nodes, you must install the patch multiple times (once for each node).
    As part of the upgrade process, services are stopped and started on all vApp nodes.
    You must schedule a maintenance window for the upgrade during which no user traffic is directed to the solution.
Prerequisites for upgrading Identity Suite Virtual Appliance
Before starting the upgrade, review and perform the following instructions:
Before upgrading, you must take a backup of the following:
  1. Full database backup for all databases/schemas used by Identity Manager, Identity Governance and Identity Portal.
    A database backup is mandatory for rollback!
  2. Identity Manager environment (IME) backup using the Identity Manager management console → Environments → identityEnv → Export
  3. Any custom files on the file-system (these normally reside on /opt/CA/VirtualAppliance/custom/<product name>)
  4. Virtual Machine Snapshot
Disk Space Requirements
The upgrade requires at least 15GB of free disk space on the "/" volume on each node.
Run the following command to check for free space on the "/" volume:
df -h /
For example:
 Filesystem            Size  Used  Avail  Use%  Mounted on
                        47G   26G    19G   58%  /
In case a node does not have 15GB of disk space, perform the following steps to free disk space:
Delete log files
  1. Navigate to the following directory:
    /opt/CA/VirtualAppliance/logs/
  2. Delete unnecessary log files to reclaim disk space
Resize the Virtual Disk
In case the deletion of log files is undesirable or insufficient for reclaiming enough free disk space, you may resize the Virtual Disk by following the below steps:
  1. Power off the server
  2. Ask the ESX administrator to extend the Virtual Disk assigned to the Virtual machine
  3. Power on the server
  4. Run the resizeDisk command
RAM Memory Requirements
If you are upgrading an All-In-One solution (All CA Identity Suite components on the same Virtual Appliance), it is recommended to configure at least 16GB of RAM for the VM before running the upgrade.
Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy requirement
Identity Suite 14.1 requires that Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy is installed.
Please download the JCE package (jce_policy-8.zip) from the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 8 Download page.
Using an SCP utility, copy the jce_policy-8.zip file to the following location on every vApp node:
/opt/CA/jdk1.8.0_71/jre/lib/security/
For customers using Identity Governance on MS SQL database:
You must enable XA transactions on the database. Please refer to the Install XA section in the Identity Governance upgrade guide.
For customers using CA SSO (formerly SiteMinder)
Add a host record to the hosts file on all CA SSO Policy Servers.
The hostname record is named ca-prov-srv and should point to any vApp-based Provisioning Server in the deployment.
For example:
10.0.0.20 ca-prov-srv
Upgrade instructions
Prepare for the upgrade
  1. Download the following patch files from the CA Identity Suite Virtual Appliance - 12.6.08 Cumulative Patches page:
    GA-140100-STEP-1.tgz.gpg
    GA-140100-STEP-2.tgz.gpg
  2. Using SCP software, copy the above patch files to all vApp nodes.
  3. Review the prerequisites section above and perform the necessary steps
Perform the upgrade
General notes:
  • The patch upgrades a single node at a time.
  • For systems with multiple nodes - you must install the patch multiple times (once for each node).
  • Upgrade the vApp nodes one after the other
  • For systems with a custom Provisioning Server Domain - see the corresponding appendix on this page
  • Proceed to upgrading the next node only after the current vApp node has finished upgrading.
  • During the upgrade, solution health checks performed by the dashboard may return various errors.
    All dashboard errors and warnings during the upgrade are safe to ignore.
  • The 2nd step of the upgrade must be executed from within a "screen" session.
    A screen session is a terminal session that can be resumed after it disconnects (e.g. when the terminal session in which the upgrade is running drops due to network issues).
  • To resume a disconnected screen session, perform the steps below:
    • Open a new SSH or CLI session to the node on which the terminal session disconnected
    • Run the following command:
      screen -x
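The prerequisites and notes above can be checked per node before running patch_vapp. The following is an added example, not part of the product or the original article: the function names are hypothetical, while the 15GB threshold, the JCE directory and the patch file names are the ones given on this page.

```shell
#!/bin/sh
# Pre-flight checks for one vApp node before patch_vapp (added example).
# Thresholds, paths and file names are the ones on this page;
# the function names are hypothetical.
REQUIRED_FREE_GB=15
JCE_DIR=/opt/CA/jdk1.8.0_71/jre/lib/security
PATCH_FILES="GA-140100-STEP-1.tgz.gpg GA-140100-STEP-2.tgz.gpg"

# Read `df -Pk` output on stdin, print available space in whole GB
# (truncated, so 14.9GB reports as 14 and fails the 15GB check).
avail_gb_from_df() {
    awk 'NR == 2 { printf "%d\n", $4 / 1048576 }'
}

# -P keeps each filesystem on one line even when the device name is long.
free_gb() {
    df -Pk "$1" | avail_gb_from_df
}

# $1 = available GB, $2 = required GB
has_enough_space() {
    [ "$1" -ge "$2" ]
}

# $1 = directory, remaining args = file names; each must exist and be non-empty.
files_present() {
    dir=$1
    shift
    for f in "$@"; do
        [ -s "$dir/$f" ] || { echo "missing or empty: $dir/$f" >&2; return 1; }
    done
}

# GNU screen exports STY inside its sessions.
in_screen() {
    [ -n "${STY:-}" ]
}

# $1 = directory the patch files were copied to (default: current directory)
preflight() {
    rc=0
    has_enough_space "$(free_gb /)" "$REQUIRED_FREE_GB" ||
        { echo "FAIL: under ${REQUIRED_FREE_GB}GB free on /" >&2; rc=1; }
    files_present "$JCE_DIR" jce_policy-8.zip || rc=1
    # shellcheck disable=SC2086  # word splitting of PATCH_FILES is intended
    files_present "${1:-.}" $PATCH_FILES || rc=1
    in_screen || echo "NOTE: start a screen session before STEP-2" >&2
    return "$rc"
}
```

Source the file on the node and call preflight with the directory the patch files were copied to; a non-zero return means a prerequisite is still missing.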
Upgrade steps:
Please read the below steps thoroughly before starting the upgrade process.
  1. Ensure that all nodes in the vApp solution are powered-on before starting the upgrade
  2. Ensure that all services are started on all nodes in the vApp solution - check that the monitoring dashboard does not report any errors.
    (You may inspect the monitoring dashboard from the web-ui or from the command line by running the "s" command)
  3. Perform the upgrade as detailed in "Run the below commands to start the patch upgrade process" on all nodes.
  4. First, upgrade nodes that have the Identity Manager service deployed
  5. Run the below commands to start the patch upgrade process:
    1. Run the following command:
      patch_vapp GA-140100-STEP-1.tgz.gpg
    2. The following text will be displayed:
      Prerequisites for the upgrade have been successfully deployed
      ******************************************************************************************************************
      * Please execute the following command in order to complete the upgrade:
      * patch_vapp GA-140100-STEP-2.tgz.gpg
      ******************************************************************************************************************
      PRESS <RETURN> TO PROCEED
    3. Press <RETURN>
    4. Run the following command:
      screen
    5. Run the following command:
      patch_vapp GA-140100-STEP-2.tgz.gpg
  6. The installation may take up to 90 minutes on each node, depending on hardware performance and the number of services deployed on the node.
    The following message signifies that the node was successfully upgraded:
    [OK] patch "<path>/GA-140100-STEP-2.tgz.gpg" successfully installed!
  7. Perform step #5 on the next node that has the Identity Manager service deployed, and repeat the process until all Identity Manager nodes are upgraded.
  8. After all nodes running Identity Manager are upgraded - proceed by upgrading additional nodes (if applicable)
Post upgrade
Ensure that all services are started by examining the vApp dashboard.
If services are stopped, start them manually and review the corresponding product log files.
Identity Manager
Review the Upgrade-related Issues and After You Upgrade sections in the CA Identity Manager 14.1 upgrade guide.
Identity Portal
Review the Migration to CA Identity Portal Release 14.1 section in the CA Identity Portal upgrade guide.
Master password
vApp 14.1 is shipped with no default passwords. Instead, a Master Password set by the user (when the vApp 14.1 solution is deployed for the first time) is used for the management user accounts of newly deployed services when they are deployed for the first time.
When upgrading a 14.0.x vApp to 14.1, the existing admin passwords for all deployed products will be retained.
However, upon the next deployment operation in the Virtual Appliance web-ui → Setup page, you will be prompted for a Master Password.
This master password will be used to set the default password for the following newly deployed services:
  1. Management password for newly deployed Identity Portal nodes
  2. Management password for newly deployed Connector Server nodes
Existing services on previously deployed nodes will have their management passwords retained.
For deployments with Custom Provisioning Server Domain (migrated environments)
When the Provisioning Server domain is different from the domain that comes by default (“im” in lowercase), you must perform the following steps:
  1. Before the upgrade, export the existing Provisioning Directory definition (e.g. ProvStore) to an XML file
  2. The upgrade overwrites the Provisioning Directory domain, as a result - the Identity Manager environment (IME) will fail to start after the upgrade.
  3. After the upgrade, perform the following steps to restore the Provisioning Directory definition from backup:
    1. Navigate to the Identity Manager Management console
    2. Click Directories › ProvStore
    3. Click "Update"
    4. Browse and select the backed-up file
    5. Click Next
    6. Click Finish
    7. Restart the environment and make sure startup is successful