IBM Security Access Manager for Web Version 7.0. Upgrade Guide SC


IBM Security Access Manager for Web Version 7.0 Upgrade Guide SC23-6503-02


Note
Before using this information and the product it supports, read the information in Notices on page 221.

Edition notice
Note: This edition applies to version 7, release 0, modification 0 of IBM Security Access Manager (product number 5724-C87) and to all subsequent releases and modifications until otherwise indicated in new editions.

Copyright IBM Corporation 2003, 2012. US Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

Contents

Figures
Tables
About this publication
    Intended audience
    Access to publications and terminology
    Related publications
    Accessibility
    Technical training
    Support information

Chapter 1. Introduction
    Upgrading to the IBM Security Web Gateway Appliance
    Preparing for an upgrade
    Mixed level environment
        Configuring a previous level component to a 7.0 policy server on Windows
        Configuring a previous level component to a 7.0 policy server on AIX, Linux, or Solaris
    Scenario 1: Two system upgrade with large user base
    Scenario 2: No peer or additional servers available
    Scenario 3: Using a registry other than Tivoli Directory Server
        Scenario 3: Conditions
        Scenario 3: Hardware configuration
        Scenario 3: High-level steps

Chapter 2. Upgrading IBM Tivoli Directory Server
    High-level steps for upgrading Tivoli Directory Server
    About the client
    Location of migration utilities
    Before you upgrade Tivoli Directory Server

Chapter 3. Upgrading the policy server
    AIX, Solaris, and Linux: Upgrade considerations
    AIX: Upgrading the policy server
        AIX: Upgrading the policy server on a single system
        AIX: Upgrading the policy server using two systems
        AIX: Retiring the original policy server
    Linux on x86-64: Upgrading the policy server
        Linux on x86-64: Upgrading the policy server using a single system
        Linux on x86-64: Upgrading the policy server using two systems
        Linux on x86-64: Retiring the original policy server
    Linux on System z: Upgrading the policy server
        Linux on System z: Upgrading the policy server using a single system
        Linux on System z: Upgrading the policy server using two systems
        Linux on System z: Retiring the original policy server
    Solaris: Upgrading the policy server
        Solaris: Upgrading the policy server using a single system
        Solaris: Upgrading the policy server using two systems
        Solaris: Retiring the original policy server
    Windows: Upgrading the policy server
        Windows: Upgrade considerations
        Windows: Upgrading the policy server using two systems
        Windows: Retiring the original policy server

Chapter 4. Upgrading the authorization server
    Authorization server: Upgrade considerations
    AIX: Upgrading the authorization server
    Linux on x86-64: Upgrading the authorization server
    Linux on System z: Upgrading the authorization server
    Solaris: Upgrading the authorization server
    Windows: Upgrading the authorization server

Chapter 5. Upgrading WebSEAL
    WebSEAL: Upgrade considerations
    AIX: Upgrading WebSEAL
    Linux on x86-64: Upgrading WebSEAL
    Linux on System z: Upgrading WebSEAL
    Solaris: Upgrading WebSEAL
    Windows: Upgrading WebSEAL

Chapter 6. Upgrading the runtime
    Security Access Manager Runtime: Upgrade considerations
    AIX: Upgrading the runtime
    Linux on x86-64: Upgrading the runtime
    Linux on System z: Upgrading the runtime
    Solaris: Upgrading the runtime
    Windows: Upgrading the runtime

Chapter 7. Upgrading the runtime for Java
    Security Access Manager Runtime for Java: Upgrade considerations
    AIX: Upgrading the runtime for Java
    Linux on x86-64: Upgrading the runtime for Java
    Linux on System z: Upgrading the runtime for Java
    Solaris: Upgrading the runtime for Java
    Windows: Upgrading the runtime for Java

Chapter 8. Upgrading the policy proxy server
    Policy proxy server: Upgrade considerations
    AIX: Upgrading the policy proxy server
    Linux on x86-64: Upgrading policy proxy servers
    Linux on System z: Upgrading policy proxy servers
    Solaris: Upgrading the policy proxy server
    Windows: Upgrading the policy proxy server

Chapter 9. Upgrading the development system
    Development ADK: Upgrade considerations
    AIX: Upgrading the development system
    Linux on x86-64: Upgrading the development ADK
    Linux on System z: Upgrading the development system
    Solaris: Upgrading the development system
    Windows: Upgrading the development system

Chapter 10. Upgrading the session management server
    Session Management Server: Upgrade requirements and considerations
    Upgrade scenarios
        Single server upgrade from version 6.1.1
        Single server upgrade from version 6.1
        Single server upgrade from version 6.0
        Side-by-side cluster upgrade from SMS 6.0, 6.1, or 6.1.1
        In-place cluster upgrade from version 6.0, 6.1, or 6.1.1
    Upgrading the session management server
        AIX: Upgrading the session management server
        Linux on x86-64: Upgrading the session management server
        Linux on System z: Upgrading the session management server
        Solaris: Upgrading the session management server
        Windows: Upgrading the session management server

Chapter 11. Upgrading the session management command line
    Session management command line: Upgrade considerations
    AIX: Upgrading the session management command line
    Linux on x86-64: Upgrading the session management command line
    Linux on System z: Upgrading the session management command line
    Solaris: Upgrading the session management command line
    Windows: Upgrading the session management command line

Chapter 12. Upgrading the session management Web interface

Chapter 13. Upgrading a plug-in for Web servers

Chapter 14. Upgrading Web Portal Manager

Chapter 15. Restoring a system to its prior level
    Restoring the policy server
        AIX: Restoring the policy server
        Linux on x86-64: Restoring the policy server
        Linux on System z: Restoring the policy server
        Solaris: Restoring the policy server
        Windows: Restoring the policy server
    Restoring WebSEAL
        AIX: Restoring WebSEAL
        Linux on x86-64: Restoring WebSEAL
        Linux on System z: Restoring WebSEAL
        Solaris: Restoring WebSEAL
        Windows: Restoring WebSEAL

Appendix. Upgrade utilities
    Reading syntax statements
    adschema_update
    idsimigr
    ivrgy_tool
    pdbackup
    pdconfig
    pdjrtecfg
    pdsmsclicfg

Notices

Index

Figures
1. Scenario 1: Hardware configuration
2. Scenario 2: Hardware configuration
3. Scenario 3: Hardware configuration

Tables
1. Configure previous level component to 7.0 policy server on Windows
2. Configure previous level component to 7.0 policy server on AIX, Linux, or Solaris

About this publication

IBM Security Access Manager for Web, formerly called IBM Tivoli Access Manager for e-business, is a user authentication, authorization, and web single sign-on solution for enforcing security policies over a wide range of web and application resources.

This guide explains how to upgrade from a previous Tivoli Access Manager level to Security Access Manager, version 7.0.

Intended audience

This guide is for system administrators responsible for the upgrade of Security Access Manager. Readers should be familiar with the following:
- Microsoft Windows, AIX, Linux, or Solaris operating systems
- Database architecture and concepts
- Security management
- Internet protocols, including HTTP, TCP/IP, File Transfer Protocol (FTP), and Telnet
- Lightweight Directory Access Protocol (LDAP) and directory services
- Authentication and authorization

If you are enabling secure communication, you also should be familiar with secure communication protocols, key exchange (public and private), digital signatures, cryptographic algorithms, and certificate authorities.

Access to publications and terminology

This section provides:
- A list of publications in the IBM Security Access Manager for Web library.
- Links to Online publications on page xi.
- A link to the IBM Terminology website on page xii.

IBM Security Access Manager for Web library

The following documents are in the IBM Security Access Manager for Web library:
- IBM Security Access Manager for Web Quick Start Guide, GI11-9333-01
    Provides steps that summarize major installation and configuration tasks.
- IBM Security Web Gateway Appliance Quick Start Guide, Hardware Offering, SC22-5434-00
    Guides users through the process of connecting and completing the initial configuration of the WebSEAL Hardware Appliance.
- IBM Security Web Gateway Appliance Quick Start Guide, Virtual Offering
    Guides users through the process of connecting and completing the initial configuration of the WebSEAL Virtual Appliance.
- IBM Security Access Manager for Web Installation Guide, GC23-6502-02
    Explains how to install and configure Security Access Manager.
- IBM Security Access Manager for Web Upgrade Guide, SC23-6503-02
    Provides information for users to upgrade from version 6.0, or 6.1.x to version 7.0.
- IBM Security Access Manager for Web Administration Guide, SC23-6504-03
    Describes the concepts and procedures for using Security Access Manager. Provides instructions for performing tasks from the Web Portal Manager interface and by using the pdadmin utility.
- IBM Security Access Manager for Web WebSEAL Administration Guide, SC23-6505-03
    Provides background material, administrative procedures, and reference information for using WebSEAL to manage the resources of your secure Web domain.
- IBM Security Access Manager for Web Plug-in for Web Servers Administration Guide, SC23-6507-02
    Provides procedures and reference information for securing your Web domain by using a Web server plug-in.
- IBM Security Access Manager for Web Shared Session Management Administration Guide, SC23-6509-02
    Provides administrative considerations and operational instructions for the session management server.
- IBM Security Access Manager for Web Shared Session Management Deployment Guide, SC22-5431-00
    Provides deployment considerations for the session management server.
- IBM Security Web Gateway Appliance Administration Guide, SC22-5432-01
    Provides administrative procedures and technical reference information for the WebSEAL Appliance.
- IBM Security Web Gateway Appliance Configuration Guide for Web Reverse Proxy, SC22-5433-01
    Provides configuration procedures and technical reference information for the WebSEAL Appliance.
- IBM Security Web Gateway Appliance Web Reverse Proxy Stanza Reference, SC27-4442-01
    Provides a complete stanza reference for the IBM Security Web Gateway Appliance Web Reverse Proxy.
- IBM Security Access Manager for Web WebSEAL Configuration Stanza Reference, SC27-4443-01
    Provides a complete stanza reference for WebSEAL.
- IBM Global Security Kit: CapiCmd Users Guide, SC22-5459-00
    Provides instructions on creating key databases, public-private key pairs, and certificate requests.
- IBM Security Access Manager for Web Auditing Guide, SC23-6511-03
    Provides information about configuring and managing audit events by using the native Security Access Manager approach and the Common Auditing and Reporting Service. You can also find information about installing and configuring the Common Auditing and Reporting Service. Use this service for generating and viewing operational reports.
- IBM Security Access Manager for Web Command Reference, SC23-6512-03
    Provides reference information about the commands, utilities, and scripts that are provided with Security Access Manager.
- IBM Security Access Manager for Web Administration C API Developer Reference, SC23-6513-02
    Provides reference information about using the C language implementation of the administration API to enable an application to perform Security Access Manager administration tasks.
- IBM Security Access Manager for Web Administration Java Classes Developer Reference, SC23-6514-02
    Provides reference information about using the Java language implementation of the administration API to enable an application to perform Security Access Manager administration tasks.
- IBM Security Access Manager for Web Authorization C API Developer Reference, SC23-6515-02
    Provides reference information about using the C language implementation of the authorization API to enable an application to use Security Access Manager security.
- IBM Security Access Manager for Web Authorization Java Classes Developer Reference, SC23-6516-02
    Provides reference information about using the Java language implementation of the authorization API to enable an application to use Security Access Manager security.
- IBM Security Access Manager for Web Web Security Developer Reference, SC23-6517-02
    Provides programming and reference information for developing authentication modules.
- IBM Security Access Manager for Web Error Message Reference, GI11-8157-02
    Provides explanations and corrective actions for the messages and return code.
- IBM Security Access Manager for Web Troubleshooting Guide, GC27-2717-01
    Provides problem determination information.
- IBM Security Access Manager for Web Performance Tuning Guide, SC23-6518-02
    Provides performance tuning information for an environment that consists of Security Access Manager with the IBM Tivoli Directory Server as the user registry.

Online publications

IBM posts product publications when the product is released and when the publications are updated at the following locations:
- IBM Security Access Manager for Web Information Center
    The http://pic.dhe.ibm.com/infocenter/tivihelp/v2r1/topic/com.ibm.isam.doc_70/welcome.html site displays the information center welcome page for this product.
- IBM Security Systems Documentation Central and Welcome page
    IBM Security Systems Documentation Central provides an alphabetical list of all IBM Security Systems product documentation and links to the product information center for specific versions of each product. Welcome to IBM Security Systems Information Centers provides an introduction to, links to, and general information about IBM Security Systems information centers.
- IBM Publications Center
    The http://www-05.ibm.com/e-business/linkweb/publications/servlet/pbi.wss site offers customized search functions to help you find all the IBM publications that you need.

IBM Terminology website

The IBM Terminology website consolidates terminology for product libraries in one location. You can access the Terminology website at http://www.ibm.com/software/globalization/terminology.

Related publications

This section lists the IBM products that are related to and included with the Security Access Manager solution.

Note: The following middleware products are not packaged with IBM Security Web Gateway Appliance.

IBM Global Security Kit

Security Access Manager provides data encryption by using Global Security Kit (GSKit) version 8.0.x. GSKit is included on the IBM Security Access Manager for Web Version 7.0 product image or DVD for your particular platform.

GSKit version 8 includes the command-line tool for key management, GSKCapiCmd (gsk8capicmd_64).

GSKit version 8 no longer includes the key management utility, ikeyman (gskikm.jar). ikeyman is packaged with IBM Java version 6 or later and is now a pure Java application with no dependency on the native GSKit runtime. Do not move or remove the bundled java/jre/lib/gskikm.jar library.

The IBM Developer Kit and Runtime Environment, Java Technology Edition, Version 6 and 7, ikeyman User's Guide for version 8.0 is available on the Security Access Manager Information Center. You can also find this document directly at:
http://download.boulder.ibm.com/ibmdl/pub/software/dw/jdk/security/60/iKeyman.8.User.Guide.pdf

Note: GSKit version 8 includes important changes made to the implementation of Transport Layer Security required to remediate security issues. The GSKit version 8 changes comply with the Internet Engineering Task Force (IETF) Request for Comments (RFC) requirements. However, it is not compatible with earlier versions of GSKit. Any component that communicates with Security Access Manager that uses GSKit must be upgraded to use GSKit version 7.0.4.42, or 8.0.14.26 or later. Otherwise, communication problems might occur.

IBM Tivoli Directory Server

IBM Tivoli Directory Server version 6.3 FP17 (6.3.0.17-ISS-ITDS-FP0017) is included on the IBM Security Access Manager for Web Version 7.0 product image or DVD for your particular platform.

You can find more information about Tivoli Directory Server at:
http://www.ibm.com/software/tivoli/products/directory-server/

IBM Tivoli Directory Integrator

IBM Tivoli Directory Integrator version 7.1.1 is included on the IBM Tivoli Directory Integrator Identity Edition V 7.1.1 for Multiplatform product image or DVD for your particular platform.

You can find more information about IBM Tivoli Directory Integrator at:
http://www.ibm.com/software/tivoli/products/directory-integrator/

IBM DB2 Universal Database

IBM DB2 Universal Database Enterprise Server Edition, version 9.7 FP4 is provided on the IBM Security Access Manager for Web Version 7.0 product image or DVD for your particular platform. You can install DB2 with the Tivoli Directory Server software, or as a stand-alone product. DB2 is required when you use Tivoli Directory Server or z/OS LDAP servers as the user registry for Security Access Manager. For z/OS LDAP servers, you must separately purchase DB2.

You can find more information about DB2 at:
http://www.ibm.com/software/data/db2

IBM WebSphere products

The installation packages for WebSphere Application Server Network Deployment, version 8.0, and WebSphere eXtreme Scale, version 8.5.0.1, are included with Security Access Manager version 7.0. WebSphere eXtreme Scale is required only when you use the Session Management Server (SMS) component.

WebSphere Application Server enables the support of the following applications:
- Web Portal Manager interface, which administers Security Access Manager.
- Web Administration Tool, which administers Tivoli Directory Server.
- Common Auditing and Reporting Service, which processes and reports on audit events.
- Session Management Server, which manages shared session in a Web security server environment.
- Attribute Retrieval Service.

You can find more information about WebSphere Application Server at:
http://www.ibm.com/software/webservers/appserv/was/library/

Accessibility

Accessibility features help users with a physical disability, such as restricted mobility or limited vision, to use software products successfully. With this product, you can use assistive technologies to hear and navigate the interface. You can also use the keyboard instead of the mouse to operate all features of the graphical user interface.

Visit the IBM Accessibility Center for more information about IBM's commitment to accessibility.

Technical training

For technical training information, see the following IBM Education website at http://www.ibm.com/software/tivoli/education.

Support information

IBM Support provides assistance with code-related problems and routine, short duration installation or usage questions. You can directly access the IBM Software Support site at http://www.ibm.com/software/support/probsub.html.

The IBM Security Access Manager for Web Troubleshooting Guide provides details about:
- What information to collect before you contact IBM Support.
- The various methods for contacting IBM Support.
- How to use IBM Support Assistant.
- Instructions and problem-determination resources to isolate and fix the problem yourself.

Note: The Community and Support tab on the product information center can provide more support resources.

Chapter 1. Introduction

When you upgrade your existing Tivoli Access Manager version to Security Access Manager, version 7.0, consider the interdependencies among the Security Access Manager components and other software components.

For example, a user who logs on to WebSEAL might interact with the WebSEAL component directly. For the authentication to complete, WebSEAL must communicate with the registry server, such as an LDAP server. Consideration of this interdependency helps to maintain service continuity during the upgrade.

This guide takes a system-level approach to the upgrade process by considering the interaction of the various components that are in a production environment.

There are many different ways to deploy the product components. This guide presents specific scenarios that apply to many Security Access Manager deployments. Review the scenarios to determine the one that best matches your deployment.

If your environment does not exactly match a scenario, create a custom upgrade plan with the procedures in this guide. A custom upgrade plan must include enough detail to complete the upgrade. Thoroughly verify the successful upgrade in a test environment before you apply the upgrade in a production environment.

The following list provides suggestions for the type of information to include in a custom upgrade plan:
- Host names and IP addresses of servers
- Components that are installed on the servers
- Networking devices, such as firewalls and load balancers
- How to add and remove WebSEAL servers to and from load balancers
- Exact commands to run for each step of each procedure

You might not need more hardware. However, in some cases, more systems might reduce the risks that are involved in the upgrade, such as in a two-system upgrade.

Upgrading to the IBM Security Web Gateway Appliance

You can migrate a WebSEAL instance from a previous level of Tivoli Access Manager to the hardware or virtual version of IBM Security Web Gateway Appliance.

There are no restrictions on the version or platform of the previous level of WebSEAL. WebSEAL instance migration is performed by exporting the configuration and junction database from the Tivoli Access Manager software installation, and then importing the files into the appliance.

See the IBM Security Web Gateway Appliance Administration Guide for migration information and instructions.

Preparing for an upgrade Mixed leel enironment Before you upgrade to Security Access Manager, ersion 7.0, determine if you meet certain prerequisites. Procedure 1. Verify that your current ersion of Tioli Access Manager is one of the following supported ersions for upgrade to Security Access Manager, ersion 7.0: Tioli Access Manager 6.1.1 Tioli Access Manager 6.1 Tioli Access Manager 6.0 2. Back up your installation. Note: If the upgrade fails, you must restore a backup of the product from before the upgrade, and then try the upgrade again. Back up the following data: Tioli Access Manager serers Follow the pdbackup steps in each component upgrade procedure. User registry data For Tioli Directory Serer, see Chapter 2, Upgrading IBM Tioli Directory Serer, on page 17; otherwise, consult the documentation for your supported registry serer. Databases and DB2 settings 3. Plan your upgrade approach. AIX, Linux, and Solaris operating systems support single and two-system upgrade paths: Single-system approach Upgrades and migrates data to ersion 7.0 on the same system that is used by the existing leel. Two-system approach Installs ersion 7.0 on a new system and migrates existing data. Note: Windows systems must use a two-system approach. 4. Upgrade your operating system to the minimum supported leel. For information about minimum supported leels, see the IBM Security Access Manager for Web Release Notes. 5. Reiew the upgrade considerations for each component upgrade. You are not required to hae all Security Access Manager components in your secure domain at a 7.0 leel. Mixed leel enironment To use Security Access Manager, ersion 7.0, you must hae your policy serer at the 7.0 leel. You can configure your 6.0, 6.1 or 6.1.1 leel components to the 7.0 policy serer. 2 IBM Security Access Manager for Web Version 7.0: Upgrade Guide

Howeer, if you use a single system for multiple components, then when you upgrade any Security Access Manager component to the 7.0 leel, all components on that system must be at the 7.0 leel. For best results, keep all Security Access Manager components at the same leel, including fix pack leel. If you want to keep an existing Tioli Access Manager component at the 6.0, 6.1, or 6.1.1 leel, but use the Security Access Manager 7.0 policy serer, see: Configuring a preious leel component to a 7.0 policy serer on Windows Configuring a preious leel component to a 7.0 policy serer on AIX, Linux, or Solaris on page 5 Configuring a preious leel component to a 7.0 policy serer on Windows You can configure a 6.0, 6.1 or 6.1.1 Tioli Access Manager component to a Security Access Manager 7.0 policy serer on Windows. Before you begin Upgrade the 7.0 policy serer. See Chapter 3, Upgrading the policy serer, on page 21. Back up critical Tioli Access Manager data with the pdbackup utility. For more information about the pdbackup utility, see pdbackup on page 207. About this task The following procedure is for Windows systems. For AIX, Linux, or Solaris systems, see Configuring a preious leel component to a 7.0 policy serer on AIX, Linux, or Solaris on page 5. Complete this procedure from the system with the preious leel component. Procedure 1. Stop all Tioli Access Manager applications and serices. For example, on Windows 2008 systems: a. Select Start > Control Panel > Administratie Tools. b. Double-click the Serices icon. c. Stop all Tioli Access Manager serices that run on the local system, including applications, such as WebSEAL. 2. Complete the steps in Table 1 on page 4 for the component that you want to configure to the Security Access Manager 7.0 policy serer. Chapter 1. Introduction 3

Table 1. Configure previous level component to 7.0 policy server on Windows

Component: Authorization Server
Steps to configure a previous level component with a 7.0 policy server:
   1. Open each of the following configuration files:
          image_path\etc\pd.conf
          image_path\etc\ivacld.conf
   2. In each file, change the master-host entry in the [manager] stanza to the following value:
          master-host=host_name
      where host_name is the fully qualified host name of the version 7.0 policy server. For example:
          master-host=server1.example.ibm.com
   3. Save the files.

Component: Runtime, Development system
Steps:
   1. Open the following configuration file:
          image_path\etc\pd.conf
   2. Change the master-host entry in the [manager] stanza to the following value:
          master-host=host_name
      where host_name is the fully qualified host name of the version 7.0 policy server. For example:
          master-host=server1.example.ibm.com
   3. Save the file.

Component: Runtime for Java
Steps:
   1. Unconfigure the Runtime for Java.
   2. Configure the Runtime for Java for the 7.0 policy server.

Component: Policy Proxy Server
Steps:
   1. Open each of the following configuration files:
          image_path\etc\pd.conf
          image_path\etc\pdmgrproxyd.conf
   2. In each file, change the master-host entry in the [manager] stanza to the following value:
          master-host=host_name
      where host_name is the fully qualified host name of the version 7.0 policy server. For example:
          master-host=server1.example.ibm.com
   3. Save the files.

Component: WebSEAL
Steps:
   1. Open each of the following configuration files:
          image_path\etc\pd.conf
          image_path\etc\websealdinstance.conf
   2. In each file, change the master-host entry in the [manager] stanza to the following value:
          master-host=host_name
      where host_name is the fully qualified host name of the version 7.0 policy server for the domain to which WebSEAL belongs. For example:
          master-host=server1.example.ibm.com
   3. Save the files.

Component: SMS CLI
Steps:
   1. Open each of the following configuration files:
          image_path\etc\pd.conf
          image_path\opt\pdsms\etc\pdsmsclicfg.conf
   2. In each file, change the master-host entry in the [manager] stanza to the following value:
          master-host=host_name
      where host_name is the fully qualified host name of the version 7.0 policy server. For example:
          master-host=server1.example.ibm.com
   3. Save the files.

3. Start all Tivoli Access Manager applications and services. For example, on Windows 2008 systems:
   a. Select Start > Control Panel > Administrative Tools.
   b. Double-click the Services icon.
   c. Start all Tivoli Access Manager services that run on the local system, including applications, such as WebSEAL.
4. Optional: Confirm that the previous level component can contact the Security Access Manager 7.0 policy server. For example, run a sample pdadmin command:
       pdadmin -a sec_master -p password
       pdadmin sec_master> acl list

Configuring a previous level component to a 7.0 policy server on AIX, Linux, or Solaris

You can configure a 6.0, 6.1 or 6.1.1 Tivoli Access Manager component to a Security Access Manager 7.0 policy server on AIX, Linux, or Solaris.

Before you begin

- Upgrade the 7.0 policy server. See Chapter 3, Upgrading the policy server, on page 21.
- Back up critical Tivoli Access Manager data with the pdbackup utility. For more information about the pdbackup utility, see pdbackup on page 207.

About this task

The following procedure is for AIX, Linux, or Solaris systems. For Windows systems, see Configuring a previous level component to a 7.0 policy server on Windows on page 3.

Complete this procedure from the system with the previous level component.

Procedure

1. Stop all Tivoli Access Manager applications and services:
       pd_start stop
2. Confirm that all Tivoli Access Manager services and applications are stopped:
       pd_start status
   If any Tivoli Access Manager service or application is still running, issue the kill command:
       kill -9 daemon_process_id
3. Complete the steps in Table 2 for the component that you want to configure to the Security Access Manager 7.0 policy server.

Table 2. Configure previous level component to 7.0 policy server on AIX, Linux, or Solaris

Component: Authorization Server
Steps to configure a previous level component with a 7.0 policy server:
   1. Open each of the following configuration files:
          /opt/policydirector/etc/pd.conf
          /opt/policydirector/etc/ivacld.conf
   2. In each file, change the master-host entry in the [manager] stanza to the following value:
          master-host=host_name
      where host_name is the fully qualified host name of the version 7.0 policy server. For example:
          master-host=server1.example.ibm.com
   3. Save the files.

Component: Runtime, Development system
Steps:
   1. Open the following configuration file:
          /opt/policydirector/etc/pd.conf
   2. Change the master-host entry in the [manager] stanza to the following value:
          master-host=host_name
      where host_name is the fully qualified host name of the version 7.0 policy server. For example:
          master-host=server1.example.ibm.com
   3. Save the file.

Component: Runtime for Java
Steps:
   1. Unconfigure the Runtime for Java.
   2. Configure the Runtime for Java for the 7.0 policy server.

Component: Policy Proxy Server
Steps:
   1. Open each of the following configuration files:
          /opt/policydirector/etc/pd.conf
          /opt/policydirector/etc/pdmgrproxyd.conf
   2. In each file, change the master-host entry in the [manager] stanza to the following value:
          master-host=host_name
      where host_name is the fully qualified host name of the version 7.0 policy server. For example:
          master-host=server1.example.ibm.com
   3. Save the files.

Component: WebSEAL
Steps:
   1. Open each of the following configuration files:
          /opt/policydirector/etc/pd.conf
          /opt/pdweb/etc/websealdinstance.conf
   2. In each file, change the master-host entry in the [manager] stanza to the following value:
          master-host=host_name
      where host_name is the fully qualified host name of the version 7.0 policy server for the domain to which WebSEAL belongs. For example:
          master-host=server1.example.ibm.com
   3. Save the files.

Component: SMS CLI
Steps:
   1. Open each of the following configuration files:
          /opt/policydirector/etc/pd.conf
          /opt/pdsms/etc/pdsmsclicfg.conf
   2. In each file, change the master-host entry in the [manager] stanza to the following value:
          master-host=host_name
      where host_name is the fully qualified host name of the version 7.0 policy server. For example:
          master-host=server1.example.ibm.com
   3. Save the files.

4. Start all Tivoli Access Manager applications and services:
       pd_start start
5. Optional: Confirm that the previous level component can contact the Security Access Manager 7.0 policy server. For example, run a sample pdadmin command:
       pdadmin -a sec_master -p password
       pdadmin sec_master> acl list

Scenario 1: Two system upgrade with large user base

The key considerations in this scenario involve:
- A primary system that has both the policy server and the primary LDAP server, Tivoli Directory Server.
- Large numbers of Security Access Manager user accounts, such as in the millions.

Rather than affect the active, primary policy server, use the two system upgrade procedure to install a 7.0 policy server on an LDAP server peer. Or, if you do not want to use an LDAP server peer for this purpose, you can introduce an additional server to act as the new registry server.

The peer or second server in this scenario is named the ldap_host2 system.

Security Access Manager 7.0 components require a Tivoli Directory Server 6.3 FP17 client on the same machine. However, Tivoli Directory Server 6.3 FP17 clients can coexist on the same machine with other Tivoli Directory Server clients that are version 6.0 or later. For example, if you keep the LDAP server at version 6.2, and you have Tivoli Directory Server 6.2 clients, then if you install any Security Access Manager 7.0 component, that machine must also have a 6.3 FP17 client.
In this case, you can keep the 6.2 clients and add 6.3 clients on the same machine because of the Tivoli Directory Server coexistence support.

For more information about Tivoli Directory Server 6.3 FP17 server and client coexistence, see the Tivoli Directory Server Installation and Configuration Guide for version 6.3 FP17.

Scenario 1: Conditions

The following conditions apply to this scenario:
1. Service must remain available during migration.
2. The number of Security Access Manager user accounts is in the millions.
3. Must be able to fall back to a previous version in the event of failure with minimal downtime. This condition precludes restoring from tape backup.
4. If necessary, provide more hardware to support the upgrade process.

Scenario 1: Hardware configuration

Figure 1. Scenario 1: Hardware configuration
   webseal_host1: WebSEAL
   webseal_host2: WebSEAL
   webseal_host3: WebSEAL
   ldap_host1: LDAP primary server, Policy server
   ldap_host2: LDAP server peer
   ldap_host3: LDAP server peer

In this scenario:
LDAP primary server
   Indicates the primary LDAP server against which the policy server is configured. This system also provides authentication services for the WebSEAL servers.
LDAP server peers
   Indicates the backup LDAP servers for the policy server. Also provides authentication services for the WebSEAL servers.

Scenario 1: High-level steps

Use the following procedure as a guideline to understand the high-level steps that are required to upgrade your environment. If your environment does not exactly match the following two-system scenario, create a custom upgrade plan with the procedures in this guide.

Procedure

1. Back up the following data:
   Tivoli Access Manager servers
      See the pdbackup utility in the IBM Security Access Manager for Web Command Reference for information.

   User registry data
      For Tivoli Directory Server, see Chapter 2, Upgrading IBM Tivoli Directory Server, on page 17; otherwise, consult the documentation for your supported registry server.
2. Upgrade Tivoli Directory Server on ldap_host2.
   a. Upgrade Tivoli Directory Server. For instructions, see Chapter 2, Upgrading IBM Tivoli Directory Server, on page 17. Then, return to these high-level steps and continue with step 2b.
   b. Test that Tivoli Directory Server is up and running by using the following command:
          idsldapsearch -h ldap_host2 -s base -p port objectclass=*
      If the last line of the output from the ldapsearch command (ibm-slapdisconfigurationmode) is set to TRUE, there was a problem during the migration and the server started in configuration mode. Examine the ibmslapd.log file for errors. If no specific error is given, try restarting Tivoli Directory Server.
   c. Verify that replication still works: create a Security Access Manager user on the LDAP primary server (ldap_host1) and verify that it is replicated to this LDAP server peer (ldap_host2).
3. Upgrade the policy server by following the two system approach. Make ldap_host2 the new system and ldap_host1 the original system. For instructions on upgrading the policy server for your appropriate platform by following the two system approach, see Chapter 3, Upgrading the policy server, on page 21.
   After the upgrade is complete, ldap_host2 hosts Tivoli Directory Server 6.3 FP17 and Security Access Manager policy server, version 7.0. The other servers still have the older versions of the software.
   Note: Maintain the original policy server until the other Security Access Manager components complete upgrade. This approach provides the option of restoring the original version. Any policy modification that results in an update on one policy server must also be made on the other one. This means that new ACLs and other policy-related configurations must be completed on both the new and the old policy servers when the two systems are running in parallel.
4. Upgrade the WebSEAL servers (webseal_host1, webseal_host2, webseal_host3).
   The WebSEAL servers are still configured to use the policy server that is on ldap_host1. However, because there is compatibility between an earlier version of the 7.0 policy server and previous versions of WebSEAL, you can configure the three WebSEAL servers to use the new policy server. This approach offers a low-risk way of moving over to the new policy server. If for some reason a WebSEAL server does not function properly with the new policy server, point it back to the old one. Changing the policy server that WebSEAL uses involves changing the master-host entry in the WebSEAL configuration file.
   Another item to consider concerns the user activity on the system during your upgrade. If you plan to upgrade WebSEAL while users are trying to access the system, you must isolate each WebSEAL server before you upgrade it. To do so, change the port on which the WebSEAL server listens or configure your load balancer so that it does not route traffic to the WebSEAL server.
   Apply the following steps to each WebSEAL server in succession:

   a. If required, isolate the WebSEAL server from use by changing the listening port or by reconfiguring the load balancer.
   b. Upgrade WebSEAL. For instructions, see Chapter 5, Upgrading WebSEAL, on page 71.
   c. If you took measures to isolate the WebSEAL server from use, reverse those measures and restart WebSEAL.
   Note: Do not change the WebSEAL configuration file to use the new policy server before you complete step 4b.
5. Retire the original policy server.
   After the WebSEAL servers are upgraded, you have at least one instance of each Security Access Manager component that runs the new version of the software. You can keep this configuration up and running until you feel that the new version is stable. When you are ready to make the switch, retire the original policy server (ldap_host1). For information about how to retire the original policy server, see the procedure for your platform in Chapter 3, Upgrading the policy server, on page 21.
6. Upgrade Tivoli Directory Server.
   Upgrade Tivoli Directory Server on ldap_host1 and ldap_host3. For instructions on upgrading, see Chapter 2, Upgrading IBM Tivoli Directory Server, on page 17.

Scenario 2: No peer or additional servers available

The key feature in this configuration is having little or no redundancy in the servers, where occasional failure outages are preferred over maintaining more servers.

Similar to Scenario 1: Two system upgrade with large user base on page 8, this scenario requires the use of existing hardware to the maximum advantage. However, unlike the large user base scenario, there is no redundancy in the servers (no peer or second server) so downtime must be scheduled with the users of the system. This scenario involves various Security Access Manager components, but does not service as many users as in Scenario 1: Two system upgrade with large user base on page 8.

Scenario 2: Conditions

The following conditions apply to this scenario:
1. Service outage for upgrade can be scheduled.
2. The number of Security Access Manager servers is minimal.
3. The number of Security Access Manager user accounts is in the tens of thousands.
4. Must be able to fall back to the previous version in the event of failure.
5. Not willing to purchase more hardware to support migration.

Scenario 2: Hardware configuration

Figure 2. Scenario 2: Hardware configuration
   webseal_host: WebSEAL
   ldap_host: LDAP server, Policy server
   plugin_host: IIS with Security Access Manager plug-in
   authzn_host: Authorization server
   app_host: AznAPI application

In this scenario:
LDAP primary server
   Indicates the primary LDAP server against which the policy server is configured, and there is no backup LDAP server for the policy server. This system also provides authentication services for the WebSEAL servers.

Scenario 2: High-level steps

Use the following procedure as a guideline to understand the high-level steps that are required to upgrade your environment. If your environment does not exactly match the following limited hardware scenario, create a custom upgrade plan with the procedures in this guide.

Procedure

1. Back up the following data:
   Tivoli Access Manager servers
      See the pdbackup utility in the IBM Security Access Manager for Web Command Reference for information.
   User registry data
      For Tivoli Directory Server, see Chapter 2, Upgrading IBM Tivoli Directory Server, on page 17; otherwise, consult the documentation for your supported registry server.
2. Do one of the following actions:
   - If you scheduled downtime for the upgrade, proceed to step 3 on page 13 without installing a second authorization server.
   - If you want your AznAPI application to have minimal downtime, install a second authorization server to ensure that your AznAPI application continues to make authorization decisions during upgrade.
   To install the second authorization server, follow these steps:
   a. Install another instance of the authorization server on app_host. Use the same software version of the authorization server that is running on authzn_host, just running on a different system.
   b. Edit your AznAPI application configuration file on app_host:
      1) Comment out the replica entry for the original authorization server.
      2) Add a replica line for the new authorization server.
   c. Restart the AznAPI application on app_host and verify that it functions properly.

3. Unconfigure and uninstall the existing Tivoli Access Manager authorization server and runtime packages on authzn_host. If you have the command-line extension to the Session Management Server installed and configured, unconfigure and uninstall the command-line extension.
4. Install a Security Access Manager, version 7.0, policy server on authzn_host for the second policy server in addition to the policy server on ldap_host. Use the two system upgrade procedure as instructed for your specific operating system in Chapter 3, Upgrading the policy server, on page 21. After you complete this step, you have a policy server that runs on ldap_host (the original server) and on authzn_host (new server).
5. Confirm that the policy server is running on authzn_host:
       pd_start status
6. Install and configure a Security Access Manager, version 7.0, authorization server on authzn_host. For instructions, see the IBM Security Access Manager for Web Installation Guide. When you use a Tivoli Directory Server registry, set [ldap] auth-using-compare to no in ivacld.conf after you install the authorization server.
7. Upgrade WebSEAL on webseal_host. For instructions, see Chapter 5, Upgrading WebSEAL, on page 71. Because there is only one WebSEAL server, there is a time when the WebSEAL service is unavailable.
8. Confirm that the WebSEAL server is running and functioning properly.
9. Upgrade the plug-in for Web Servers on plugin_host. For instructions, see Chapter 13, Upgrading a plug-in for Web servers, on page 179.
10. Upgrade the AznAPI application by completing these procedures:
   - Upgrade the Security Access Manager components such as the development system. See Chapter 9, Upgrading the development system, on page 129.
   - Install a new version of your AznAPI application that is based on the 7.0 API. To deploy a new version of your application, build and test a new version of your code in your 7.0 test environment. Complete the build and test activities before the scheduled upgrade of the production servers.
   To upgrade the production server, complete the following steps on app_host:
   a. Stop the AznAPI application.
   b. Unconfigure and uninstall the aznapi application on app_host.
   c. Back up your AznAPI application by moving it out of the Security Access Manager directory hierarchy and storing it elsewhere.
   d. Edit pd.conf (the configuration file for the Security Access Manager runtime component) and aznapi.conf (the configuration file for the authorization API application) to change the master-host entry to the value of authzn_host. The change directs the IBM Security Access Manager runtime and your application to use the 7.0 policy server that is running on authzn_host.
   e. Upgrade Security Access Manager runtime according to the instructions in Chapter 6, Upgrading the runtime, on page 91.
   f. Copy the newly built 7.0 version of your AznAPI application to the same location where you stored the previous version.

   g. Start your AznAPI application.
11. Retire the previous level policy server. After success with the version 7.0 Security Access Manager servers in production, you can retire the previous level policy server. For information about retiring the original policy server, see information for your platform in Chapter 3, Upgrading the policy server, on page 21.
12. Upgrade Tivoli Directory Server. For instructions on upgrading, see Chapter 2, Upgrading IBM Tivoli Directory Server, on page 17.

Scenario 3: Using a registry other than Tivoli Directory Server

This scenario describes the use of Security Access Manager with a registry server other than Tivoli Directory Server. Microsoft Active Directory is chosen for this example.

Scenario 3: Conditions

The following conditions apply to this scenario:
1. The system is on AIX, Linux, or Solaris.
2. Service outage for migration can be scheduled for short interval.
3. The number of Security Access Manager servers is minimal.
4. The number of Security Access Manager user accounts is in the tens of thousands.
5. Must be able to fall back to the previous version in the event of failure.
6. Not willing to purchase more hardware to support migration.
7. Uses a non-IBM user registry server.

Scenario 3: Hardware configuration

Similar to Scenario 1: Two system upgrade with large user base on page 8, this scenario requires using the existing hardware to maximum advantage. However, unlike the large user base scenario, there is redundancy only in the WebSEAL servers, so downtime must be scheduled with the users of the system during the policy server upgrade. Scheduled downtime primarily affects policy management, not WebSEAL authentication.

Figure 3. Scenario 3: Hardware configuration

Scenario 3: High-level steps

Use the following procedure as a guideline to understand the high-level steps that are required to upgrade your environment. If your environment does not exactly match the following scenario, create a custom upgrade plan with the procedures in this guide.

Procedure

1. Back up the following data:
   Tivoli Access Manager servers
      See the pdbackup utility in the IBM Security Access Manager for Web Command Reference for information.
   User registry data
      For Tivoli Directory Server, see Chapter 2, Upgrading IBM Tivoli Directory Server, on page 17; otherwise, consult the documentation for your supported registry server.
2. Upgrade the Web Portal Manager system. Because Web Portal Manager does not have its own database to manage (it retrieves its data from Security Access Manager), uninstall the old version and install the latest version. For instructions, see the IBM Security Access Manager for Web Installation Guide.
3. Upgrade the policy server by following the single system approach only.
   Note: The two-system approach is supported for LDAP-based and Active Directory registries only.
   You must schedule downtime to upgrade the policy server because there is a time during the upgrade when the policy server is not available. An unavailable policy server affects the management of policy information, such as access control lists. The WebSEAL servers continue to provide service. For instructions on upgrading the policy server for your appropriate platform by following a single system, see Chapter 3, Upgrading the policy server, on page 21.
4. Verify that the WebSEAL servers can communicate with the policy server.
5. Upgrade WebSEAL on the servers. To do so, follow these steps:
   a. If you plan to upgrade WebSEAL on a server while users are trying to access the system, you must isolate each WebSEAL server before you upgrade it. To do so, change the port on which the WebSEAL server listens or configure your load balancer so that it does not route traffic to the WebSEAL server.
   b. Upgrade WebSEAL. For instructions, see Chapter 5, Upgrading WebSEAL, on page 71.
   c. If you took measures to isolate the WebSEAL server, you can reverse those measures and restart WebSEAL.
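
The master-host change that Table 2 and the scenario steps above describe can be scripted so that it touches only the [manager] stanza and leaves a copy to fall back to. The following shell functions are an added example, not part of the IBM guide or product; the function names, the .pre70 backup suffix, and the sample file contents are assumptions of this example.

```shell
#!/bin/sh
# Added example, not IBM code. Function names and the ".pre70" backup suffix
# are assumptions of this example.

# Print the master-host value found in the [manager] stanza of a file.
get_master_host() {
    awk '
        /^[ \t]*\[/ { in_mgr = ($0 ~ /^[ \t]*\[manager\][ \t]*$/) }
        in_mgr && /^[ \t]*master-host[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit
        }
    ' "$1"
}

# Point one configuration file at a new policy server.
# Returns 0 on success, 1 if the file or a single [manager] master-host
# entry is missing, 2 if the host name is not acceptable.
set_master_host() {
    file=$1
    new_host=$2
    # The guide asks for a fully qualified host name: letters, digits, dots
    # and hyphens only, with at least one dot between labels.
    case $new_host in
        ""|.*|*.|*..*|*[!A-Za-z0-9.-]*)
            echo "rejected host name: $new_host" >&2; return 2 ;;
        *.*) ;;
        *)  echo "not fully qualified: $new_host" >&2; return 2 ;;
    esac
    [ -f "$file" ] || { echo "missing file: $file" >&2; return 1; }

    tmp="$file.tmp.$$"
    if awk -v host="$new_host" '
        /^[ \t]*\[/ { in_mgr = ($0 ~ /^[ \t]*\[manager\][ \t]*$/) }
        in_mgr && match($0, /^[ \t]*master-host[ \t]*=[ \t]*/) {
            $0 = substr($0, 1, RLENGTH) host   # keep the key and its spacing
            changed++
        }
        { print }
        END { exit (changed == 1 ? 0 : 1) }
    ' "$file" > "$tmp"
    then
        # Keep a rollback copy, then overwrite in place so that the file
        # keeps its owner and permissions.
        cp -p "$file" "$file.pre70" && cat "$tmp" > "$file"
        rc=$?
    else
        echo "no single master-host entry in [manager]: $file" >&2
        rc=1
    fi
    rm -f "$tmp"
    return $rc
}

# Demonstration on a constructed pd.conf fragment (not taken from a real system).
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '[pdrte]' 'user-reg-type = ldap' '' '[manager]' \
        'master-host = oldpd.example.ibm.com' 'master-port = 7135' > "$d/pd.conf"
    set_master_host "$d/pd.conf" server1.example.ibm.com &&
        echo "master-host is now $(get_master_host "$d/pd.conf")"
    rm -rf "$d"
}
demo
```

Run the function with the component stopped, once for each file that Table 2 lists for it; copying the .pre70 file back restores the previous policy server setting.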