The following procedures describe how to download and apply a patch to RSA Identity Governance and Lifecycle appliance and soft-appliance installations, and how to upgrade Access Fulfillment Express (AFX) connectors. Patches are cumulative.
Note: The base installation files for version 7.1 now include all improvements and fixed issues contained in RSA Identity Governance and Lifecycle 7.1 Patch 1. However, the filenames for the base installation files have not changed since version 7.1
Before you begin
When migrating to 7.1.0 Patch 8 or 9 using the command line, there is a potential issue in which the migration is unable to find the aveksa-version.properties file. If this occurs, you should complete the migration through the browser interface. Note that the migration may take some time. Check /home/oracle/wildfly/standalone/log/migrate.log to view the migration status.
If you are unable to complete the migration using a browser, download the appropriate file for your migration from the following list and rename it to aveksa-version.properties. As the oracle user, copy the renamed file to the /home/oracle/database/ directory, then run the migrate.sh command.
The way in which RSA Identity Governance and Lifecycle handles business descriptions for groups has changed from previous product versions.
If your RSA Identity Governance and Lifecycle deployment includes business descriptions for groups, run the pre-migration queries for group business descriptions to identify any business descriptions that will be automatically deleted during the update process. For more information and the queries, see Migration Queries for Group Business Descriptions.
If your environment uses a customer-supplied database, ensure that no database procedures are running against the database schema during the patch installation. The patch process may run SQL against various tables in the database.
Note: On an appliance with an RSA-supplied database, the patch script automatically stops and starts the database to ensure that this requirement is met.
In a clustered environment, use only one node during the patch update process. Stop all other nodes in the cluster to ensure that multiple nodes do not attempt a database migration. Before you patch additional nodes or enable farming to push EAR changes to other nodes, validate that the patch is applied and the one node is working as expected.
For additional details for WebSphere and WebLogic environments, see theRSA Identity Governance and Lifecycle Installation Guide. For additional details for WildFly environments, see the document Configuring WildFly Clustering.
Note: The created product schemas, such as AVUSER, are reserved for product database objects. Creating additional database objects within the product schemas may affect the operation of the systems, migration, or patch applications.
When updating or migrating RSA Identity Governance and Lifecycle from a previous version, RSA Identity Governance and Lifecycle deletes group business descriptions that are not actively in use. Before you migrate, run the following pre-migration queries to identify any group business descriptions that will be deleted by the migration process. If you still need these group business descriptions, you can re-import them with an application reference in the import file, or you can manually recreate them after migration.
Review the results of each query to determine if any of the identified business descriptions are still needed. You must manually recreate or import the identified business descriptions in the new system after migration is complete.
The following query identifies all group business descriptions that are not associated with an application, and that are currently unused. These business descriptions will be automatically deleted during migration.
SELECT
id,
'Group' as Type,
object_filter AS "Object Filter",
alt_name AS "Display Name",
short_desc AS "Short Description",
long_desc AS "Long Description",
url_ref as "Help Link"
FROM
t_av_business_description a
WHERE
NOT EXISTS (
SELECT
application_id
FROM
t_groups b
WHERE
b.filter_id = a.id
)
AND a.scope_id IS NULL
AND a.is_deleted = 'FALSE'
AND a.object_type = 4
AND a.applies_to_set = 'FALSE';
The following query identifies all unused group business descriptions regardless of their association with an application. These business descriptions will be automatically deleted during migration.
SELECT
id,
'Group' as Type,
object_filter AS "Object Filter",
alt_name AS "Display Name",
short_desc AS "Short Description",
long_desc AS "Long Description",
url_ref as "Help Link",
(select name from t_groups where id = a.scope_id) as "Group Name",
(select name from t_applications where id = a.scope_id) as "Application Name"
FROM
t_av_business_description a
WHERE
NOT EXISTS (
SELECT
application_id
FROM
t_groups b
WHERE
b.filter_id = a.id
)
AND a.scope_id IS NOT NULL
AND a.is_deleted = 'FALSE'
AND a.object_type = 4
AND a.applies_to_set = 'FALSE';
As the ACM schema owner, run the following SQL statement to create a table that allows RSA Identity Governance and Lifecycle to determine a group's business description state during migration.
declare
v_tbl_count number;
Begin
select count(*) into v_tbl_count
from user_tab_columns
where table_name = 'TEMP_BUSDESC';
if v_tbl_count > 0 then
execute immediate 'drop table temp_busdesc purge';
end if;
execute immediate
'CREATE TABLE temp_busdesc
AS
SELECT
name,
id,
filter_id,
application_id
FROM
t_groups
WHERE
filter_id !=-1';
end;
/
Use this procedure to install the patch on appliance and soft-appliance installations.
Procedure
<path-to-AFX_installation-directory>/AFX/afx stop
If this release does not include a new JDK version, this step is optional. If you have already applied the latest JDK version, there is no need to reapply it. Apply the JDK upgrade as follows:
acm restart
After you finish
In a WebSphere environment, after you deploy the patch, you must restart RSA Identity Governance and Lifecycle. When you start RSA Identity Governance and Lifecycle after applying the patch, SQL processing is performed. After SQL processing is complete, restart RSA Identity Governance and Lifecycle again, to ensure that any patch processing takes effect.
To stop and restart RSA Identity Governance and Lifecycle on a WebSphere server:
In the WebSphere console, go to Applications.
Under All Applications, select aveksa.
Click Stop to stop the RSA Identity Governance and Lifecycle.
After the aveksa application has been stopped, click Start to start RSA Identity Governance and Lifecycle.
In a WebLogic environment, you must restart RSA Identity Governance and Lifecycle after you install the patch.
To stop and restart RSA Identity Governance and Lifecycle in a WebLogic environment:
In the WebLogic administrative console, select Deployments from the menu.
Select the Aveksa application and click Stop and then Start to restart the application.
Restarting RSA Identity Governance and Lifecycle also restarts the local agent.
If your RSA Identity Governance and Lifecycle deployment uses Access Fulfillment Express (AFX), use this procedure to download and import the AFX connector package. Reference the instructions in Step 2 above for accessing the software from RSA Link. In this case, look for an AFX link from Version Upgrades.
Procedure
AFX-<Product_Version>-Premium-Connectors.zip (SAP customers only)
<path-to-AFX_installation-directory>/AFX/afx start