Red Hat Training

A Red Hat training course is available for Red Hat Enterprise Linux

Chapter 8. Updating and Migrating Identity Management

8.1. Updating Identity Management

You can use the yum utility to update the Identity Management packages on the system.
Additionally, if a new minor Red Hat Enterprise Linux version is available, such as 7.3, yum upgrades the Identity Management server or client to this version.
This section does not describe migrating Identity Management from Red Hat Enterprise Linux 6 to Red Hat Enterprise Linux 7. If you want to migrate, see Section 8.2, “Migrating Identity Management from Red Hat Enterprise Linux 6 to Version 7”.

8.1.1. Considerations for Updating Identity Management

  • After you update the Identity Management packages on at least one server, all other servers in the topology receive the updated schema, even if you do not update their packages. This ensures that any new entries which use the new schema can be replicated among the other servers.
  • Downgrading Identity Management packages is not supported.
    Do not run the yum downgrade command on any of the ipa-* packages.
  • Red Hat recommends upgrading to the next version only. For example, if you want to upgrade to Identity Management for Red Hat Enterprise Linux 7.4, we recommend upgrading from Identity Management for Red Hat Enterprise Linux 7.3. Upgrading from earlier versions can cause problems.

8.1.2. Using yum to Update the Identity Management Packages

To update all Identity Management packages on a server or client:
# yum update ipa-*
When upgrading multiple Identity Management servers, wait at least 10 minutes between each upgrade.
When two or more servers are upgraded simultaneously or with only short intervals between the upgrades, there is not enough time to replicate the post-upgrade data changes throughout the topology, which can result in conflicting replication events.

Related Information

  • For details on using the yum utility, see Yum in the System Administrator's Guide.
Due to CVE-2014-3566, the Secure Socket Layer version 3 (SSLv3) protocol needs to be disabled in the mod_nss module. You can ensure that by following these steps:
  1. Edit the /etc/httpd/conf.d/nss.conf file and set the NSSProtocol parameter to TLSv1.0 (for backward compatibility), TLSv1.1, and TLSv1.2.
    NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2
  2. Restart the httpd service.
    # systemctl restart httpd.service
Note that Identity Management in Red Hat Enterprise Linux 7 automatically performs the above steps when the yum update ipa-* command is launched to upgrade the main packages.