17.1 Upgrading Identity Server

Use the following procedure to upgrade a stand-alone Identity Server. If you installed Identity Server and Administration Console on the same machine, see Upgrading Administration Console.

Prerequisites for Upgrading Identity Server

  • If you are upgrading Access Manager components on multiple machines, ensure that the time and date are synchronized among all machines.

  • Ensure that Administration Console is running. However, you must not perform any configuration tasks in Administration Console during an Identity Server upgrade.

NOTE: To prevent security vulnerabilities, Access Manager uses a jQuery version that is higher than the version used in the earlier release of Access Manager. The higher version of jQuery is not compatible with the Skype for Business 2016 application. Hence, after the upgrade, you cannot log in to Skype for Business 2016 using the Identity Server login page.

If you want to continue using an old version of jQuery, which is less secure, see Single Sign-on Fails in Skype for Business 2016 in the NetIQ Access Manager 5.0 Administration Guide.

NOTE: If you have configured risk-based authentication, perform the following steps before you upgrade Identity Server:

  1. Back up any customized JSP pages and related files.

    Even though the upgrade program backs up the JSP directory and its related files in the /root/nambkup folder, it is a good practice to back up these files.

  2. Open a terminal window.

  3. Log in as the root user.

  4. Download the upgrade file from Micro Focus Downloads and extract the tar.gz file by using the tar -xzvf <filename> command.

    NOTE: For information about the name of the upgrade file, see the specific Release Notes.

  5. Change to the directory where you unpacked the file, then run the following command in a terminal window:

    ./upgrade.sh

  6. The system displays the following confirmation message:

    The following components were installed on this machine
    
    1. Identity Server
    
    Do you want to upgrade the above components (y/n)?

  7. Type Y and press Enter.

    The system displays two warning messages. The first message is for backing up all JSPs before proceeding with the upgrade, and the next is for including security settings.

  8. Type Y to continue with the upgrade, then press Enter.

    If you do not want to include the security configurations, then type n. This stops the upgrade.

  9. Enter the Access Manager Administration Console user ID. For example, admin.

  10. Enter the Access Manager Administration Console password.

  11. Re-enter the password for verification.

  12. The system displays the following message when the upgrade is complete:

    Upgrade completed successfully.

  13. Restore any customized files from the backup taken earlier. To restore files, add files to the respective locations using Advanced File Configurator:

    • /opt/novell/nam/idp/webapps/nidp/jsp

    • /opt/novell/nam/idp/webapps/nidp/html

    • /opt/novell/nam/idp/webapps/nidp/images

    • /opt/novell/nam/idp/webapps/nidp/config

    • /opt/novell/nam/idp/webapps/nidp/WEB-INF/lib

    • /opt/novell/nam/idp/webapps/nidp/WEB-INF/web.xml

    • /opt/novell/nam/idp/webapps/nidp/WEB-INF/classes

    • /opt/novell/nam/idp/webapps/nidp/WEB-INF/conf

    • /opt/novell/java/jre/lib/security/bcslogin.conf

    • /opt/novell/java/jre/lib/security/nidpkey.keytab

    • /opt/novell/nids/lib/webapp/classUtils

    • /opt/novell/nam/idp/conf/server.xml

      Also, add the following line to the server.xml file:

      <Connector NIDP_Name="localConnector" URIEncoding="utf-8" acceptCount="100" address="127.0.0.1" connectionTimeout="20000" maxThreads="600" minSpareThreads="5" port="8088" protocol="HTTP/1.1" />

      The following example shows that the IP address is removed and ciphers are added.

      <Connector NIDP_Name="connector" port="8443" address="" ciphers="SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, ... ../>

    • /opt/novell/nam/idp/conf/tomcat.conf

    NOTE: Post-Upgrade: To avoid any mismatch between the customizations shown in the Advanced File Configurator user interface and the files present on the VM server, it is recommended to click the Send Configurations to Servers icon for all non-temporary files and folders in Identity Server from the Advanced File Configurator user interface. This action must be performed even if the file status is displayed as Configuration sent successfully on the Advanced File Configurator user interface post-upgrade.

    For information about how to add files using Advanced File Configurator, see Adding Configurations to a Cluster. For information about how to modify a file, see Modifying Configurations in the NetIQ Access Manager 5.0 Administration Guide.
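
The following check for a restored server.xml is an added example, not part of the NetIQ documentation or product. It confirms that localConnector is still bound to 127.0.0.1 on port 8088 as shown in step 13, and flags weak cipher suites such as the RC4 suites in the sample Connector line (RFC 7465 prohibits RC4 in TLS). The function name, the weak-suite marker list, and the sample XML are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Substrings that mark weak suites; this list is an assumption of the example.
WEAK_MARKERS = ("RC4", "MD5", "_DES_", "3DES", "NULL", "EXPORT", "anon")

# Constructed sample modelled on the two Connector lines in step 13.
SAMPLE_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector NIDP_Name="localConnector" URIEncoding="utf-8" acceptCount="100"
      address="127.0.0.1" connectionTimeout="20000" maxThreads="600"
      minSpareThreads="5" port="8088" protocol="HTTP/1.1" />
    <Connector NIDP_Name="connector" port="8443" address=""
      ciphers="SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA,
               TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" />
  </Service>
</Server>"""


def audit_server_xml(xml_text):
    """Return a list of findings for the Connector elements in server.xml."""
    findings = []
    connectors = list(ET.fromstring(xml_text).iter("Connector"))

    # The local connector must stay on the loopback interface, port 8088.
    local = [c for c in connectors if c.get("NIDP_Name") == "localConnector"]
    if not local:
        findings.append("localConnector is missing")
    for conn in local:
        if conn.get("address") != "127.0.0.1":
            findings.append("localConnector is not bound to 127.0.0.1")
        if conn.get("port") != "8088":
            findings.append("localConnector is not on port 8088")

    # Flag every configured suite that matches a weak marker.
    for conn in connectors:
        name = conn.get("NIDP_Name") or "port " + str(conn.get("port"))
        for suite in (conn.get("ciphers") or "").split(","):
            suite = suite.strip()
            if suite and any(marker in suite for marker in WEAK_MARKERS):
                findings.append(f"{name}: weak cipher suite {suite}")
    return findings


if __name__ == "__main__":
    for finding in audit_server_xml(SAMPLE_SERVER_XML):
        print(finding)
```

To check a real file, pass the contents of /opt/novell/nam/idp/conf/server.xml to audit_server_xml() after the restore.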

Important Notes:

  • If you use Kerberos and you have renamed nidpkey.keytab and bcsLogin.conf with any other name, ensure that you modify the upgrade_utility_functions.sh script located in the novell-access-manager-x.x.x.x-xxx/scripts folder with these names before upgrading Access Manager.

  • If you have customized the Java settings in the /opt/novell/nam/idp/conf/tomcat.conf file, then after the upgrade, you must copy the customized settings to the new file using Advanced File Configurator. See Modifying Configurations in the NetIQ Access Manager 5.0 Administration Guide.

  • If you have modified the JSP file to customize the login page, logout page, and error messages, you can restore the JSP file after installation. You should sanitize the restored JSP file to prevent XSS attacks. For more information, see Preventing Cross-site Scripting Attacks in the NetIQ Access Manager 5.0 Administration Guide.