Chapter 6. Upgrading Identity Management
Identity Management is generally updated whenever a system is upgraded to a new release. Upgrades should be transparent and do not require any user or administrative intervention.
6.1. Upgrade Notes
Due to CVE-2014-3566, the Secure Socket Layer version 3 (SSLv3) protocol needs to be disabled in the
mod_nssmodule. You can ensure that by following these steps:
- Edit the
/etc/httpd/conf.d/nss.conffile and set the
TLSv1.0(for backward compatibility) and
- Restart the
# service httpd restart
- The update process automatically updates all schema and LDAP configuration, Apache configuration, and other services configuration, and restarts all IdM-associated services.
- When a replica is created, it must be the same version as the master it is based on. This means that replicas should not be created on an older bersion of Identity Management while the servers are in the process of being upgraded. Wait until the upgrade process is completed, and then create new replicas.
- Schema changes are replicated between servers. So once one master server is updated, all servers and replicas will have the updated schema, even if their packages are not yet updated. This ensures that any new entries which use the new schema can still be replicated among all the servers in the IdM domain.The LDAP upgrade operation is logged in the upgrade log at
/var/log/ipaupgrade-log. If any LDAP errors occur, then they are recorded in that log. Once any errors are resolved, the LDAP update process can be manually initiated by running the updater script:
[root@server ~]# ipa-ldap-updater --upgrade
- Clients do not need to have new packages installed. The client packages used to configure a Red Hat Enterprise Linux system do not impact the enrollment of the client within the domain.
- Updating client packages could bring in updated packages for other dependencies, such as
certmongerwhich contain bug fixes, but this is not required to maintain client functionality or behavior within the IdM domain.