Depending on your system and environment, you may need to perform some of the following actions when you install or upgrade RSA Identity Governance and Lifecycle.
- If upgrading from RSA Identity Governance and Lifecycle 7.0.2, 7.1.0, or 7.1.1, run the following SQL statements before performing the migration. Connect to the database to be migrated as AVUSER and execute:
    TRUNCATE TABLE T_AV_RULE_TEST_METRICS DROP ALL STORAGE;
    TRUNCATE TABLE T_AV_RULE_TEST_VIOLS DROP ALL STORAGE;
- Update SUSE Linux Enterprise Server (SLES) 11 deployments to SLES 12. RSA Identity Governance and Lifecycle 7.2 does not support SLES 11. Before upgrading RSA Identity Governance and Lifecycle running in a SLES 11 environment, you must first back up the RSA Identity Governance and Lifecycle database and upgrade the operating system to SLES 12. RSA provides an .iso of the SLES 12 operating system for download on RSA Link. For more information, see "Operating System Installation and Upgrade" in the RSA Identity Governance and Lifecycle Installation Guide.
- Run the appliance updater. If your environment is a hardware or software appliance, RSA recommends running the latest appliance updater. The appliance OS updater bundles a certified patch set for the operating system of an RSA appliance and the database on the appliance. Downloading and running these patches closes vulnerabilities and addresses bugs. If using a hardware appliance or software appliance with a local RSA Oracle instance, RSA recommends running the appliance Oracle updater to update any critical Oracle patches. The appliance updater does not patch the RSA Identity Governance and Lifecycle application. The patches are provided in a compressed file (rsaimg_updater_<release_date>_<platform>.tar.bz2) and posted on RSA Link at https://community.rsa.com/community/products/governance-and-lifecycle. Download and apply the appliance updater patches on a regular basis as new patches are released.
For more information, see the RSA Identity Governance and Lifecycle Appliance Updater Guide.
- Review certificate configuration if your deployment contains Active Directory collectors that use SSL. The JRE has been upgraded to Java 8. By default, Java 8 enforces endpoint identification on LDAPS connections to improve the robustness of the connections. After upgrading, Active Directory collectors that use SSL that were previously able to connect might be unable to connect. View the aveksaServer.log for details about connection failures. If this occurs, ensure that the certificate of the host configured in the collector settings has the correct subject alternative name attributes available that match the hostname.
- If upgrading RSA Identity Governance and Lifecycle in a WebLogic or WebSphere environment, you must update the AVDWDB data source. Instructions are provided in the RSA Identity Governance and Lifecycle Upgrade and Migration Guide.
- Update server.keystore and client.keystore. After you upgrade, you must update server.keystore and client.keystore for all remote agents and AFX.
  After you perform the upgrade, perform the following steps:
  - Log in to RSA Identity Governance and Lifecycle, and go to Admin > System > Security. In a clustered environment, perform this step on the single system operations node (SON).
  - Click Change Certificate Store, and click OK to change the root certificate and CA.
  - Click Download and save the server.keystore file to a location on your computer.
  - Go to AFX > Servers, click Change Certificate Store, and click OK to change the client certificate.
  - Click Download and save the client.keystore file to a location on your computer.
  - Stop the ACM and AFX servers.
  - Copy the new server.keystore file to the location on the server where your web server reads the keystore. For example, $AVEKSA_HOME/keystore.
  - Copy the new client.keystore file to the AFX server under <AFX-server-root>/esb/conf.
  - Update the client.keystore files from the remote agents after you download the corresponding client.keystore from RSA Identity Governance and Lifecycle.
  - Restart the ACM and AFX servers and verify connectivity with the endpoints.
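
For the Active Directory collector item above: an added example (not RSA code) that checks whether the host value configured in a collector would match a certificate's subject alternative names, which is the comparison endpoint identification makes on LDAPS connections. The SAN line is constructed sample data in the format printed by openssl x509; the function names are hypothetical, and the matching rules are a simplified RFC 6125-style approximation, not the JRE's exact implementation.

```python
import ipaddress

# Constructed sample: the SAN entries line as printed by
#   openssl x509 -in dc.pem -noout -ext subjectAltName
SAMPLE_SAN = "DNS:dc01.corp.example.com, DNS:*.ad.example.com, IP Address:192.0.2.10"

def parse_san(line):
    """Split an openssl SAN entries line into (dns_names, ip_addresses)."""
    dns, ips = [], []
    for entry in line.split(","):
        kind, _, value = entry.strip().partition(":")
        if kind == "DNS":
            dns.append(value.strip().lower().rstrip("."))
        elif kind == "IP Address":
            ips.append(ipaddress.ip_address(value.strip()))
    return dns, ips

def dns_match(host, pattern):
    """Exact match, or a '*' that stands for exactly the left-most label."""
    h, p = host.split("."), pattern.split(".")
    if len(h) != len(p):
        return False
    if p[0] == "*":
        return len(p) > 2 and h[1:] == p[1:]
    return h == p  # partial wildcards such as 'dc*' are treated as literals

def collector_host_ok(host, san_line):
    """Return (ok, reason) for the host value configured in the collector."""
    dns, ips = parse_san(san_line)
    host = host.strip().lower().rstrip(".")
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None
    if addr is not None:
        # An IP literal is compared with iPAddress entries only, never dNSName.
        ok = addr in ips
        return ok, "IP literal " + ("found in" if ok else "missing from") + " iPAddress SANs"
    for pattern in dns:
        if dns_match(host, pattern):
            return True, "matches dNSName " + pattern
    return False, "no dNSName SAN matches " + host

if __name__ == "__main__":
    for host in ("dc01.corp.example.com", "dc01", "192.0.2.10", "192.0.2.11"):
        print(host, collector_host_ok(host, SAMPLE_SAN))
```

A collector configured with a short name or an IP address that is absent from the certificate is the typical case that connected before the upgrade and fails after it.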