Upgrading a PAM HA Pair
This section looks at how to upgrade your HA Pair to the latest release.
Prerequisites
Before starting your inline upgrade make sure the following prerequisites are met:
Prerequisite | Description |
---|---|
Upgrade path | Review the Upgrade path to ensure you are applying the correct upgrade method based on the version you are upgrading from and to. |
Hardware and Software | Ensure the correct resources are available before upgrading. The following outlines the hardware and software requirements. |
Software downloads | Use the pam-kit-downloader command to download the latest upgrade kit onto your PAM Server. |
Disk space | Ensure the internal disk has a minimum of 5GB free disk space. |
Recent backup of PAM HA Servers | We recommend that you have a recent Osirium PAM Server backup file of your active server as well as VM level backup or snapshot of both servers in your HA Pair. |
No active user connections | Ensure there are no active user connections. |
Disable Task 'Regenerate Account Credentials for all devices' | Within the Admin Interface, disable all scheduled Regenerate Account Credentials for all devices tasks within profiles. |
Osirium Support account | Within the Admin Interface ensure the Osirium Support account has been enabled and a password set. |
.local DNS domains | If you are using .local DNS domains, ensure matching records have been entered in the DNS Search Suffixes. |
No Reporter role users | The Reporter role was removed from 9.x and is no longer available, if you are upgrading from an earlier version, any associated user groups configured within this role will have to be removed before upgrading. Upgrades will be blocked if they are not removed. For further information see Managing roles. |
No user tasks | User tasks have been removed from 9.0.5 and users will no longer see tasks listed in the PAM UI. When upgrading you will be prompted with a notification if there are profiles configured with user tasks that will no longer be valid when the system is upgraded. For further information see Managing removal of User Tasks when upgrading to 9.x. |
Upgrade procedure
The diagram provides a high-level overview of the process for upgrading a PAM Server HA Pair.
PAM Server HA Pair upgrade procedure flowchart
Upgrade the Primary PAM Server
Upgrade the active Primary server first.
-
Open the Primary server Console window, then press ALT + F2. The server login prompt appears.
Note
Alternatively, you could use an SSH connection to the PAM Server.
-
Enter osirium_support at the login prompt and press ENTER.
-
When prompted, enter the password of the osirium_support account and press ENTER.
-
Extract the upgrade kit copied to the server using the following command:
sudo bash Osirium_PAM_Server_vA.B.C_upgrade.bin
Where A.B.C is the version you are upgrading to.
-
When the kit has been extracted, type the command specified on the screen and press ENTER.
-
Press ENTER when prompted to start the setup and configuration.
-
The EULA screen will be displayed. Press ENTER once you have read it.
-
Wait while the upgrade completes and the server is rebooted.
Upgrade the Secondary PAM Server
Now upgrade the Secondary server.
-
Open the Secondary Server Console window, then press ALT + F2. The server login prompt appears.
Note
Alternatively, you could use an SSH connection to the PAM Server.
-
Enter osirium_support at the login prompt and press ENTER.
-
When prompted, enter the password of the osirium_support account and press ENTER.
-
Extract the upgrade kit copied to the server using the following command:
sudo bash Osirium_PAM_Server_vA.B.C_upgrade.bin
Where A.B.C is the version you are upgrading to.
-
When the kit has been extracted, type the command specified on the screen and press ENTER.
-
Press ENTER when prompted to start the setup and configuration.
-
The EULA screen will be displayed. Press ENTER once you have read it.
-
Wait while the upgrade completes and the server is rebooted. You HA Pair is now upgraded.
Post upgrade tasks
Once the HA Pair upgrade has successfully completed, logon to the active Primary server and check the following before allowing users to reconnect:
Post upgrade task | Description |
---|---|
Trigger AD audit | Before opening any device connections that use an Active Directory account, an audit needs to be manually triggered on all provisioned Active Directories. You can do this by right clicking the Active Directory on the Manage Active Directory page, and select Trigger audit from the menu. |
Check device states | Check device status to ensure they are running successfully. |
Check user connections | Check users can connect to devices. |
Re-enable scheduled tasks | Re-enable scheduled Regenerate Account Credentials for all devices tasks. |
Backup | Run the Osirium PAM Server backup task as well as VM level backup of the upgraded active server. |
Upgrade PAM UI | Use the PAM Component Compatibility Matrix to check if the PAM UI Server needs updating inline with the PAM version you have upgraded to. Upgrade as appropriate. |
Upgrade MAP Server | Use the PAM Component Compatibility Matrix to check if the MAP Server needs updating inline with the PAM version you have upgraded to. Upgrade as appropriate. |