SecurID^® Governance & Lifecycle Product Documentation

The following procedures describe how to download and apply a patch to RSA Identity Governance and Lifecycle appliance and soft-appliance installations, and how to upgrade Access Fulfillment Express (AFX) connectors. Patches are cumulative.

Important

• When upgrading from product versions older than 7.1, you must upgrade to version 7.1 before you install any version 7.1 patches.

  Note:  The base installation files for version 7.1 now include all improvements and fixed issues contained in RSA Identity Governance and Lifecycle 7.1 Patch 1. However, the filenames for the base installation files have not changed since version 7.1

• Do not attempt to install a previous version of a patch over a later version of a patch.
• When applying a patch in a WebSphere or WebLogic environment, you must uninstall the Workflow Architect EAR before applying updates.

Before you begin 

• When migrating to 7.1.0 Patch 8 or 9 using the command line, there is a potential issue in which the migration is unable to find the aveksa-version.properties file. If this occurs, you should complete the migration through the browser interface. Note that the migration may take some time. Check /home/oracle/wildfly/standalone/log/migrate.log to view the migration status.

  If you are unable to complete the migration using a browser, download the appropriate file for your migration from the following list and rename it to aveksa-version.properties. As the oracle user, copy the renamed file to the /home/oracle/database/ directory, then run the migrate.sh command.

  • 7.1.0 Patch 8:aveksa-version710P08.properties
  • 7.1.1 Patch 9:aveksa-version710P09.properties

• Customizations made using the RSA Identity Governance and Lifecycle user interface are preserved during the upgrade process. However, any customizations made directly to the EAR are overwritten during the patching process. If you have made any customizations to the EAR, record the customizations before performing the upgrade, and manually restore them after you complete the installation.

• The way in which RSA Identity Governance and Lifecycle handles business descriptions for groups has changed from previous product versions.

  If your RSA Identity Governance and Lifecycle deployment includes business descriptions for groups, run the pre-migration queries for group business descriptions to identify any business descriptions that will be automatically deleted during the update process. For more information and the queries, see Migration Queries for Group Business Descriptions.

• If your environment uses a customer-supplied database, ensure that no database procedures are running against the database schema during the patch installation. The patch process may run SQL against various tables in the database.

  Note:  On an appliance with an RSA-supplied database, the patch script automatically stops and starts the database to ensure that this requirement is met.

• In a clustered environment, use only one node during the patch update process. Stop all other nodes in the cluster to ensure that multiple nodes do not attempt a database migration. Before you patch additional nodes or enable farming to push EAR changes to other nodes, validate that the patch is applied and the one node is working as expected.
  For additional details for WebSphere and WebLogic environments, see theRSA Identity Governance and Lifecycle Installation Guide. For additional details for WildFly environments, see the document Configuring WildFly Clustering.

• Note: The created product schemas, such as AVUSER, are reserved for product database objects. Creating additional database objects within the product schemas may affect the operation of the systems, migration, or patch applications.

​Migration Queries for Group Business Descriptions

When updating or migrating RSA Identity Governance and Lifecycle from a previous version, RSA Identity Governance and Lifecycle deletes group business descriptions that are not actively in use. Before you migrate, run the following pre-migration queries to identify any group business descriptions that will be deleted by the migration process. If you still need these group business descriptions, you can re-import them with an application reference in the import file, or you can manually recreate them after migration.

Review the results of each query to determine if any of the identified business descriptions are still needed. You must manually recreate or import the identified business descriptions in the new system after migration is complete.

Unused Group Business Descriptions Not Associated with an Application

The following query identifies all group business descriptions that are not associated with an application, and that are currently unused. These business descriptions will be automatically deleted during migration.

SELECT

id,

'Group' as Type,

object_filter AS "Object Filter",

alt_name AS "Display Name",

short_desc AS "Short Description",

long_desc AS "Long Description",

url_ref as "Help Link"

FROM

t_av_business_description a

WHERE

NOT EXISTS (

SELECT

application_id

FROM

t_groups b

WHERE

b.filter_id = a.id

)

AND a.scope_id IS NULL

AND a.is_deleted = 'FALSE'

AND a.object_type = 4

AND a.applies_to_set = 'FALSE';

All Unused Group Business Descriptions

The following query identifies all unused group business descriptions regardless of their association with an application. These business descriptions will be automatically deleted during migration.

SELECT

id,

'Group' as Type,

object_filter AS "Object Filter",

alt_name AS "Display Name",

short_desc AS "Short Description",

long_desc AS "Long Description",

url_ref as "Help Link",

(select name from t_groups where id = a.scope_id) as "Group Name",

(select name from t_applications where id = a.scope_id) as "Application Name"

FROM

t_av_business_description a

WHERE

NOT EXISTS (

SELECT

application_id

FROM

t_groups b

WHERE

b.filter_id = a.id

)

AND a.scope_id IS NOT NULL

AND a.is_deleted = 'FALSE'

AND a.object_type = 4

AND a.applies_to_set = 'FALSE';

 

Group Business Description Table

As the ACM schema owner, run the following SQL statement to create a table that allows RSA Identity Governance and Lifecycle to determine a group's business description state during migration.

declare

v_tbl_count number;

Begin

select count(*) into v_tbl_count

from user_tab_columns

where table_name = 'TEMP_BUSDESC';

if v_tbl_count > 0 then

execute immediate 'drop table temp_busdesc purge';

end if;

execute immediate

'CREATE TABLE temp_busdesc

AS

SELECT

name,

id,

filter_id,

application_id

FROM

t_groups

WHERE

filter_id !=-1';

end;

/

​Install the RSA Identity Governance and Lifecycle Patch

Use this procedure to install the patch on appliance and soft-appliance installations.

Procedure

1. If you have Access Fulfillment Express (AFX) installed, using the AFX user account, shut down all AFX instances before installing the patch upgrade:

   <path-to-AFX_installation-directory>/AFX/afx stop

2. To download the upgrade files:
1. Log in to RSA Link, and click RSA Identity Governance and Lifecycle.
2. Click Downloads > RSA Identity Governance and Lifecycle <Version>, where <Version> is the version number of the product that you are patching.
3. Click Version Upgrades.
4. Click the Upgrade link for your licensed RSA Identity Governance and Lifecycle asset.
5. Click Continue.
6. On the Order Detail page, click the menu icon and select Product List.
   The Current tab provides the most current release or patch, and the Archive tab provides previous patches and releases.
7. Click the appropriate tab, and select the name of the patch to download.
8. Download the following files:
   • Aveksa_<VersionNumber>_P<PatchNumber>.tar.gz
     • For WebSphere: ACM-WebSphere-<VersionNumber>_P<PatchNumber>.tar.gz
     • For WebLogic: ACM-WebLogic-<VersionNumber>_P<PatchNumber>.tar.gz
   • upgradeJDK<version>_<revision>.tar (optional JDK update for security updates)

3. If this release does not include a new JDK version, this step is optional. If you have already applied the latest JDK version, there is no need to reapply it. Apply the JDK upgrade as follows:

1. Change to the Oracle directory: cd /home/oracle
2. Decompress the file: tar vxf upgradeJDK<version>_<revision>.tar
3. Log in as root, and run the following commands:
   1. cd /home/oracle/upgradeJDK<version>_<revision>
   2. chmod 777 *
   3. cd deploy/
   4. chmod 777 *
   5. cd ..
   6. sh upgradeJDK<version>_<revision>.sh
4. To decompress the patch file, Aveksa_<VersionNumber>_P<PatchNumber>.tar.gz, run the following commands:
1. cd /home/oracle
2. tar zvxf Aveksa_<VersionNumber>_P<PatchNumber>.tar.gz
5. Install the patch:
• In a WildFly environment:
1. Log in as root and run the patch.sh installation script in the directory created in Step 4. Run the following commands:
1. cd /home/oracle/Aveksa_<VersionNumber>_P<PatchNumber>
2. sh patch.sh
2. When the patch script completes, restart RSA Identity Governance and Lifecycle. Run the following command:

   acm restart

• In a WebSphere or WebLogic environment, perform the following steps to apply the patch. For detailed instructions, see theRSA Identity Governance and Lifecycle Upgrade and Migration Guide.
  1. Perform any necessary customizations to the Aveksa EAR and Workflow Architect EAR files. For more information, see "Modifying the RSA Identity Governance and Lifecycle Enterprise Archive" in the RSA Identity Governance and Lifecycle Installation Guide.
  2. Uninstall the Workflow Architect EAR.
  3. Upgrade the Aveksa EAR.
  4. Deploy the Workflow Architect EAR.
  5. Restart the WebSphere or WebLogic Application Server.

After you finish 

• In a WebSphere environment, after you deploy the patch, you must restart RSA Identity Governance and Lifecycle. When you start RSA Identity Governance and Lifecycle after applying the patch, SQL processing is performed. After SQL processing is complete, restart RSA Identity Governance and Lifecycle again, to ensure that any patch processing takes effect.
  

  To stop and restart RSA Identity Governance and Lifecycle on a WebSphere server:

  1. In the WebSphere console, go to Applications.

  2. Under All Applications, select aveksa.

  3. Click Stop to stop the RSA Identity Governance and Lifecycle.

  4. After the aveksa application has been stopped, click Start to start RSA Identity Governance and Lifecycle.

• In a WebLogic environment, you must restart RSA Identity Governance and Lifecycle after you install the patch.
  

  To stop and restart RSA Identity Governance and Lifecycle in a WebLogic environment:

  1. In the WebLogic administrative console, select Deployments from the menu.

  2. Select the Aveksa application and click Stop and then Start to restart the application.

     Restarting RSA Identity Governance and Lifecycle also restarts the local agent.

• If your deployment includes Access Fulfillment Express (AFX), you must also upgrade your AFX connectors. For instructions, see Download and Import AFX Connector Packages.

​Download and Import AFX Connector Packages

If your RSA Identity Governance and Lifecycle deployment uses Access Fulfillment Express (AFX), use this procedure to download and import the AFX connector package. Reference the instructions in Step 2 above for accessing the software from RSA Link. In this case, look for an AFX link from Version Upgrades.

Procedure

1. Download the Connector package files to a directory local to the browser client from which you plan to import the packages:
   • AFX-<Product_Version>-Standard-Connectors.zip

   • AFX-<Product_Version>-Premium-Connectors.zip (SAP customers only)

2. Log on to RSA Identity Governance and Lifecycle.
3. Click AFX > Import.
4. Import the packages.
5. Run the following command:

<path-to-AFX_installation-directory>/AFX/afx start