Backup/restore upgrade procedure
This section looks at how to upgrade using a back & restore method. If you have a clustered environment click here.
Prerequisites
Before starting your backup and restore upgrade make sure the following prerequisites are met:
Prerequisite | Description |
---|---|
Upgrade path | Review the Standalone upgrade path to ensure you are applying the correct upgrade method based on the version you are upgrading from and to. |
Hardware & Software | Ensure the correct resources are available before deploying. The following outlines the hardware and software requirements. |
Templates | When upgrading to v7.5.1 and above, an upgrade will be required to the latest template bundle to ensure templates continue to work. This should be done before the upgrade. The steps required to perform the template bundle upgrade will depend upon the template. For details on the templates affected, and how to upgrade them click here. |
Licencing | A valid license file will be required during the system configuration step. If you don't have a license file contact Osirium. |
Ports | Ensure TCP ports 443 and 9002 are open as they are required for the client-side and PAM UI. TCP 2379 (etcd, i.e. key-value store), 2380 (etcd, i.e. key-value store), 2390 (cluster setup API), 2391 (cluster delegation API), 5432 (postgres, i.e. database) For a full list of ports used by the PAM Server click here. |
Software downloads | Download the latest PAM Server software, click here. |
Recent backup | We recommend that you have a recent Osirium backup as well as VM Level backup or Snapshot of the PAM Server being upgraded. |
No active user connections | Ensure there are no active user connections. |
Regenerate Account Credentials for all devices tasks | Within the Admin Interface, disable all scheduled Regenerate Account Credentials for all devices tasks within profiles. |
Master Encryption Key | Ensure you have the Master Encryption Key (MEK) of the current PAM Server or the leader node MEK if restoring a cluster node. |
Upgrade procedure
The diagram provides a high-level overview of the process for upgrading your PAM Server using the backup/restore method. This process will apply for both a standalone PAM Server as well as restoring a node in a cluster using an Osirium backup of that node.
Backup/restore upgrade procedure flowchart
Warning
Before starting your upgrade make sure that all Prerequisites have been met.
Deploying the PAM Server
Firstly you will need to deploy a new PAM Server using the latest software version.
Deployment into the different supported infrastructures may vary, therefore click on a link below to be navigated to the correct deployment steps.
- Deploy using VMWare vSphere
- Deploy using Microsoft Azure
- Deploy using Microsoft Hyper-V
- Deploy using Amazon Web Services
Upgrading the PAM Server
Once the PAM Server has been successfully deployed you will need to run through the setup and configuration.
-
Within the Console window, press ENTER when prompted to start the setup and configuration.
Note
The screen may look different depending upon the environment you are deploying to.
-
Read and accept the EULA to continue.
-
Within the Configure Networking screen, configure the following virtual appliance settings. Press TAB to navigate between the fields.
- IP Address: Enter the IP Address which will be used to connect to the virtual appliance.
- Netmask: Enter the network mask.
- Gateway: Enter the network default gateway IP address.
- Primary DNS: Enter the network primary DNS IP address.
- (Secondary DNS): Enter the secondary DNS IP address if relevant, else leave blank.
- (Tertiary DNS): Enter the tertiary DNS IP address if relevant, else leave blank.
- (DNS Suffixes): Enter the DNS Suffixes if relevant, else leave blank.
Note
If you are adding a follower node to a cluster and you have Active Directory configured with just a hostname, enter the search suffixes to allow users to login in to the follower. Alternatively if you do not enter the search suffixes here you can configure them later in the Admin Interface of the follower. See DNS search suffix.
-
Once completed TAB down to the
OK
button and press ENTER. -
On the PAM Server Restore screen, SFTP onto the virtual appliance using IP Address, username and password shown on the screen.
-
Copy the Osirium backup file of the PAM Server you want to restore onto this new PAM Server. Once successfully copied, the screen will update and the copied backup file will appear in the list.
-
Select the Osirium backup file and press ENTER.
-
When prompted, TAB to the
OK
button and press ENTER to continue. -
Enter the Master Encryption Key (including dashes) of the PAM Server that the Osirium backup was taken from.
-
Once entered TAB to the
OK
button and press ENTER. -
Within the Enter a hostname window, enter a name to identify the new PAM Server.
-
TAB down to the
OK
button and press ENTER. -
Enter the FQDN (all in lowercase) or IP Address which will be assigned to the PAM Server. The configuration entered here is used to communicate between nodes if you are setting up a cluster.
If the following error occurs then make sure that the hostname can be resolved and check if it has been included in the DNS A records - see Prerequisites.
If the following errors occur then make sure that the entered hostname / address are correct and press ENTER to re-enter.
-
TAB down to the
OK
button and press ENTER. -
Set a password for the Primary SuperAdmin account. The username (SuperAdmin) and the password will be used later to log into Osirium PAM.
-
TAB down to the
OK
button and press TAB. -
Confirm the primary SuperAdmin account password.
-
TAB down to the
OK
button and press TAB. Wait while the system is configured.From release v7.2 the PAM Server and PAM UI have been integrated to provide a single unified installation.
Make a note of the https address if you want to connect to the server via the unified PAM UI.
If you wish to install and configure a separate PAM UI Server click here for instructions.
Post upgrade tasks
Once the Osirium backup has successfully installed, logon to Osirium PAM and check the following before allowing users to reconnect:
Post upgrade task | Description |
---|---|
Trigger AD audit | Before opening any device connections that use an Active Directory account, an audit needs to be manually triggered on all provisioned Active Directories. You can do this by right clicking the Active Directory on the Manage Active Directory page, and select Trigger audit from the menu. This will allow additional fields on the Active Directory account page to be populated. |
Check device states | Check device status to ensure they are running successfully. |
Check user connections | Check users can connect to devices. |
Re-enable scheduled tasks | Re-enable scheduled Regenerate Account Credentials for all devices tasks. |
VM level backup | Take an Osirium backup and a VM level backup. See Backup & Recovery for further details. |
Upgrade other components | Use the PAM Component Compatibility Matrix to check if other PAM components need updating inline with the version you are upgrading to and upgrade as appropriate. |