Centrify Server Suite 2015
Upgrade and Compatibility Guide
July 2015
Centrify Corporation
     
Legal notice
This document and the software described in this document are furnished under and are subject to the terms of a
license agreement or a non-disclosure agreement. Except as expressly set forth in such license agreement or
non-disclosure agreement, Centrify Corporation provides this document and the software described in this
document “as is” without warranty of any kind, either express or implied, including, but not limited to, the
implied warranties of merchantability or fitness for a particular purpose. Some states do not allow disclaimers of
express or implied warranties in certain transactions; therefore, this statement may not apply to you.
This document and the software described in this document may not be lent, sold, or given away without the prior
written permission of Centrify Corporation, except as otherwise permitted by law. Except as expressly set forth
in such license agreement or non-disclosure agreement, no part of this document or the software described in this
document may be reproduced, stored in a retrieval system, or transmitted in any form or by any means,
electronic, mechanical, or otherwise, without the prior written consent of Centrify Corporation. Some
companies, names, and data in this document are used for illustration purposes and may not represent real
companies, individuals, or data.
This document could include technical inaccuracies or typographical errors. Changes are periodically made to the
information herein. These changes may be incorporated in new editions of this document. Centrify Corporation
may make improvements in or changes to the software described in this document at any time.
© 2004-2015 Centrify Corporation. All rights reserved. Portions of Centrify software are derived from
third party or open source software. Copyright and legal notices for these sources are listed separately in the
Acknowledgements.txt file included with the software.
U.S. Government Restricted Rights: If the software and documentation are being acquired by or on behalf of the
U.S. Government or by a U.S. Government prime contractor or subcontractor (at any tier), in accordance with 48
C.F.R. 227.7202-4 (for Department of Defense (DOD) acquisitions) and 48 C.F.R. 2.101 and 12.212 (for
non-DOD acquisitions), the government’s rights in the software and documentation, including its rights to use,
modify, reproduce, release, perform, display or disclose the software or documentation, will be subject in all
respects to the commercial license rights and restrictions provided in the license agreement.
Centrify, DirectAudit, DirectControl and DirectSecure are registered trademarks and Centrify Server Suite,
Centrify User Suite, DirectAuthorize and DirectManage are trademarks of Centrify Corporation in the United
States and other countries. Microsoft, Active Directory, Windows, Windows NT, and Windows Server are either
registered trademarks or trademarks of Microsoft Corporation in the United States and other countries.
Centrify software is protected by U.S. Patents 7,591,005, 8,024,360, 8,321,523, and 9,015,103 B2.
The names of any other companies and products mentioned in this document may be the trademarks or registered
trademarks of their respective owners. Unless otherwise noted, all of the names used as examples of companies,
organizations, domain names, people and events herein are fictitious. No association with any real company,
organization, domain name, person, or event is intended or should be inferred.

Contents
About this guide
    Intended audience
    Using this guide
    Conventions used in this guide
    Finding information about Centrify products
    Contacting Centrify
    Getting additional support
Chapter 1: Preparing for an upgrade
    Upgrading the operating system
    Upgrading computers that are accessed by multiple users
    General compatibility between versions of Centrify software
    Finding upgrade packages
    Disabling command-line auditing
Chapter 2: Upgrading DirectManage on Windows computers
    What should you upgrade first?
    Updating administrative components
    Upgrading components interactively
    Upgrading auditing components silently on Windows
Chapter 3: Upgrading the auditing infrastructure
    Why there are formal steps for upgrading an audit installation
    Upgrading auditing components in a specific order
    Unsupported configurations
    Updating auditing-related databases
    Updating agents out of sequence
    Restarting a computer after an agent upgrade
Chapter 4: Upgrading managed computers
    Using Deployment Manager to update agents
    Using the install.sh shell script to update packages
    Using a native package manager on Linux computers
    Using a native package manager on UNIX computers
    Upgrading managed Mac OS X computers
Chapter 5: Compatibility for additional packages on managed computers
    Should you be concerned about compatibility?
    Removing the CentrifyDC-idmap package
    Compatibility for CentrifyDC-nis package
    Compatibility for CentrifyDC-krb5 package
    Compatibility for CentrifyDC-ldapproxy package
    Compatibility for CentrifyDC-openssh package
    Compatibility for CentrifyDC-apache and CentrifyDC-web packages
    Upgrading version-dependent packages
    Working with classic zones after an upgrade
Chapter 6: What to do if there are problems during an upgrade
    Remove and re-install DirectManage Access
    Remove and re-install DirectManage Audit
    Remove and re-install agent features
Index

About this guide
The Centrify Server Suite Upgrade and Compatibility Guide describes how to upgrade Centrify
components on computers where Centrify software has been previously installed. In most
cases, components and software packages from different releases can be used together within
certain limitations.
This guide provides guidelines for the order in which you should upgrade, compatibility issues
that might require you to upgrade, and how you can mix and match component and package
versions if you perform an upgrade over time on computers running different versions of
Centrify packages.
Intended audience
This guide is intended for administrators and application owners planning to update Centrify
software on multiple computers in the enterprise. This guide assumes that you are familiar
with all of the Centrify components you have currently installed on one or more Windows
computers and all of the required and optional packages you have installed on Linux, UNIX,
and Mac OS X computers. This guide also assumes that you have sufficient privileges to
perform administrative tasks on all of these computers.
Using this guide
Depending on your role and responsibilities, you may want to read portions of this guide
selectively.
The guide provides the following information:

• Chapter 1, “Preparing for an upgrade,” provides an overview of the recommended
  upgrade process and a summary of the compatibility requirements between the core
  components of Centrify software.
• Chapter 2, “Upgrading DirectManage on Windows computers,” describes the upgrade
  steps for the access control and privilege management components you have installed on
  Windows computers.
• Chapter 3, “Upgrading the auditing infrastructure,” describes the recommended upgrade
  path for the auditing infrastructure, including the databases, to ensure auditing is not
  interrupted.
• Chapter 4, “Upgrading managed computers,” describes the upgrade steps for the
  components you have installed on managed computers.
• Chapter 5, “Compatibility for additional packages on managed computers,” provides
  additional information about the compatibility between core components and other
  packages you may have installed on managed computers.
• Chapter 6, “What to do if there are problems during an upgrade,” suggests the steps to
  take if you encounter errors that prevent you from upgrading.
Conventions used in this guide
The following conventions are used in this guide:

• Fixed-width font is used for sample code, program names, program output, file names,
  and commands that you type at the command line. When italicized, the fixed-width
  font is used to indicate variables.
• Bold text is used to emphasize commands, buttons, or user interface text, and to
  introduce new terms.
• Italics are used for book titles and to emphasize specific words or terms.
Finding information about Centrify products
Centrify includes extensive documentation targeted for specific audiences, functional roles,
or topics of interest. If you want to learn more about Centrify and Centrify products and
features, start by visiting the Centrify website. From the Centrify website, you can download
data sheets and evaluation software, view video demonstrations and technical presentations
about Centrify products, and get the latest news about upcoming events and webinars.
Contacting Centrify
You can contact Centrify by visiting our website, www.centrify.com. On the website, you can
find information about Centrify office locations worldwide, email and phone numbers for
contacting Centrify sales, and links for following Centrify on social media. If you have
questions or comments, we look forward to hearing from you.
Getting additional support
If you have a Centrify account, click Support on the Centrify website to log on and access the
Centrify Customer Support Portal. From the support portal, you can search knowledge
base articles, open and view support cases, connect with other Centrify users on customer
forums, and access additional resources—such as online training, how-to videos, and
diagnostic tools.
Chapter 1
Preparing for an upgrade
This chapter provides an overview of the upgrade process and a summary of the
compatibility requirements between the core components of Centrify software. You should
review the information in this chapter before upgrading any components on the computers
where Centrify software is installed.
Upgrading the operating system
Upgrading the operating system (OS) on a managed computer can make major changes to
the configuration files and utilities installed on it. In many cases, operating system upgrades
and operating system patches can affect the behavior of Centrify software. If the
behavior of Centrify software is modified because of an operating system upgrade, it is
possible for users to be locked out and unable to access computer resources. To prevent
this from happening, Centrify recommends that you first remove any Centrify packages you
have installed before upgrading the operating system, then reinstall the packages after the
operating system upgrade has been completed and the computer has been verified to be
operating normally.
You should note that removing Centrify software prior to applying operating system patches
or upgrading the operating system is not required in most cases. However, because
operating system changes can affect authentication and authorization services, it is
considered a best practice to ensure the upgrade does not interrupt services for any users.
Upgrading computers that are accessed by multiple users
In most cases, you can upgrade Centrify software on computers that are accessed by
multiple users without entering single-user mode. However, upgrading authentication,
authorization, and auditing services on a computer can potentially prevent users from
logging on or using computer resources. If possible, you should perform upgrades when
other users who might access the computer are logged off, then reboot the computer after
completing the upgrade.
You should note that having all users logged off and rebooting the computer after an
upgrade are not required steps, but are best practices to ensure the upgrade does not
interrupt services for any users. In most cases, users who are already logged on are not
affected by the upgrade. However, users who attempt to log on while files are being
replaced during the upgrade process might be temporarily locked out of the managed
computer you are upgrading.
General compatibility between versions of Centrify software
In most cases, newer versions of Centrify software releases are backward-compatible with
previous versions, enabling you to mix and match components from different versions and
upgrade components over time when it is convenient to do so. However, there are some
limitations to take into account when mixing and matching versions, and these limitations
might influence which components you upgrade and how quickly you upgrade from one
version to another.
In most organizations, the agents you install on managed computers are upgraded on a
staggered schedule while administrative tools are upgraded at a set time to take advantage of
new features.
To ensure flexibility of the upgrade process:

• Agents are always backward-compatible with older versions of the administrative
  console.
  However, using an older version of the administrative console with a newer agent limits
  the features and functionality available. If you are using an administrative console from
  version 2.x to manage zones, agents from version 4.x and 5.x must use the --compat
  option to join 2.x-compatible zones.
• Agents are always forward-compatible with the administrative console for one version.
  You can upgrade the administrative console without upgrading agents at the same time.
  However, there are limitations to features and functionality when using older agents with
  an upgraded console. For example, agents from version 4.x cannot be included in
  hierarchical zones. In addition, some features require an upgrade. For example, if you
  want to use the Centrify Windows agent for access control and privilege management,
  you must either upgrade or remove the Centrify Windows auditing service.
• Group policies are not guaranteed to be compatible with different agent and
  administrative console versions.
  New group policies cannot be enforced on computers with an agent from a previous
  version of Centrify software. If a group policy is applied to a computer that has an older
  version of the agent, the policy is ignored. You should only apply group policies that are
  supported in both the agent and administrative console versions you are using.
Finding upgrade packages
You can find Centrify Server Suite and agent packages for all supported operating systems
on the Centrify Customer Download Center. From the Customer Download Center, you
can choose to download individual agent packages one at a time or download an archive that
includes agents for all operating systems at once.
At a minimum, you should download the Centrify Agent Installer and the ADCheck
Diagnostic Tool. You can then use the install.sh shell script interactively or with the
centrify-suite.cfg configuration file to install and enable features on the computers you
want to upgrade.
Centrify recommends that you use the install.sh shell script to install or upgrade all
Centrify packages on managed computers, especially if you have multiple Centrify packages
installed that you wish to upgrade. The install.sh installation script performs a thorough
set of pre-installation and post-installation steps to ensure a successful installation or
upgrade with minimal disruption to your environment.
Alternatively, you can use the native package manager for your operating system to upgrade
the components you have installed. If you want to use a native package manager, see “Using
a native package manager on Linux computers” on page 18 for Linux computers or “Using a
native package manager on UNIX computers” on page 20 for UNIX computers.
Disabling command-line auditing
If you have auditing enabled on a computer you are upgrading, you should check whether
auditing is configured for individual commands or all user activity. If you have enabled
auditing for specific commands, you should temporarily disable auditing on the managed
computer before upgrading, then restart the auditing of individual commands after
completing the upgrade. If you are auditing all user activity on a managed computer, you do
not need to stop the auditing service. There will be a brief interruption while files are
replaced, then auditing will continue without requiring you to manually restart it.
Chapter 2
Upgrading DirectManage on Windows computers
This chapter describes how to upgrade DirectManage Access and DirectManage Audit
administrative components on Windows computers. It includes a more detailed discussion
about compatibility between components.
What should you upgrade first?
You are not required to upgrade Centrify software components in any particular order.
Depending on where you have components installed and how they are distributed, you
might update components used for auditing before updating components for access control
and privilege management. Alternatively, you might update one set of agents immediately,
followed by one administrative console, then update other components at a later time.
Although there’s no technical requirement to upgrade components in a specific order, most
organizations upgrade one or more administrative consoles and components that might
require changes to a database first—for example, DirectManage Access Manager and
DirectManage Deployment Manager if upgrading access control and privilege
management—then deploy upgraded agent software after upgrading all other
components.
Similarly, if you are upgrading the auditing infrastructure, you might upgrade DirectManage
Audit Manager, the management database, and the audit store before upgrading collectors
and agents.
Updating administrative components
As noted in “General compatibility between versions of Centrify software” on page 8, most
organizations upgrade the administrative consoles at a set time, often as part of planned
maintenance, then upgrade agents opportunistically over a period of time. It is common,
therefore, to have a mix of components from different versions of Centrify software within
certain limits.
To help you plan for the upgrade, you should identify which versions of different
components you currently have installed and which components will require an upgrade.
Depending on whether you are upgrading DirectManage Access, DirectManage Audit, or
both feature sets, you might have different compatibility requirements.
Access control and privilege management compatibility
You can upgrade to Centrify Server Suite—with DirectManage Access Manager, version
5.1.x or later—to manage zones and agents (adclient) from version 3.x, 4.x, or 5.x. If
you have agents from version 2.x, you must manage them using a console from version 4.x
or earlier. If you use an older version of the console, you cannot take advantage of any
features or enhancements introduced in newer versions of the console. If you upgrade to the
latest release, you can continue to manage all of your currently deployed agents but must
upgrade those agents to take full advantage of any new features.
You must upgrade UNIX, Linux, or Mac agents to 5.0 or later to use hierarchical zones. If
you have zones from a previous release of Centrify software, you can use admigrate to
convert those zones to hierarchical zones.
To manage Windows computers with DirectManage Access Manager, the Centrify
Windows agent must be version 3.0 or later.
Auditing infrastructure compatibility
You can upgrade to Centrify Server Suite—with DirectManage Audit Manager,
Audit Analyzer, and Collector service version 3.1.x or later—to manage auditing on
UNIX, Linux, and Windows computers from version 2.x or 3.x. If you have agents from
version 1.x, you must manage them using a console from version 1.x. You can, however,
make data collected by 1.x agents available for viewing in the Audit Analyzer console by
attaching the 1.x database to an updated audit store.
You must update the collector service to version 3.x to receive audit data from Windows
computers with 3.x Windows agents.
Because the auditing infrastructure is a multi-tiered architecture that collects information to
be preserved, reviewed, and archived, Centrify recommends a more formal upgrade
process than for other components. This is especially true for larger organizations that
collect a great deal of audit data. If you are upgrading the auditing infrastructure, therefore,
see “Upgrading the auditing infrastructure” on page 13 for more detailed information about
the process to follow.
Upgrading components interactively
You can upgrade components on any Windows computer interactively by clicking the links
on the Centrify Server Suite Getting Started page. If the DirectManage Access setup
program detects components are installed, you have the option to update, modify, or
remove those components. You can then follow the prompts displayed to review the
components to be updated and complete the upgrade.
If the DirectManage Audit setup program detects components are installed, you are
prompted to confirm that you want to continue with the upgrade. You can then follow the
prompts displayed to review the components to be updated and complete the upgrade.
Upgrading auditing components silently on Windows
If you want to perform a “silent” or unattended installation of the Centrify auditing
components, you can do so by specifying the appropriate command line options and
Microsoft Windows Installer (MSI) file to deploy. You can also use an unattended
installation to automate the installation or upgrade on remote computers if you use a
software distribution product, such as Microsoft System Center Configuration Manager
(SCCM), to deploy software packages.
If you have the physical CD or ISO image for Centrify software, you can find the Microsoft
Windows Installer (MSI) files for auditing components in subdirectories under the
DirectAudit folder.
Before running the Microsoft Windows Installer (MSI) for any component, you should
verify the computers where you plan to install meet the prerequisites described in the
auditing administrator’s guide.
To install the auditing components silently:
1 Open a Command prompt window or prepare a software distribution package for
deployment on remote computers.
For information about preparing to deploy software on remote computers, see the
documentation for the specific software distribution product you are using. For example,
if you are using Microsoft System Center Configuration Manager (SCCM), see the
Configuration Manager documentation.
2 Select the appropriate package for the auditing component you want to upgrade.
For example, locate the following file to install the audit management database on 32-bit
operating systems:
Centrify DirectAudit Audit Management Server.msi
On 64-bit operating systems, locate the following file:
Centrify DirectAudit Audit Management Server64.msi
3 Run the installer with no user interface and specify the package for the auditing
component you want to upgrade.
For example, to upgrade an agent on 32-bit operating systems, run the following
command:
msiexec /qn /i "Centrify Windows Agent.msi"
On 64-bit operating systems, run the following command:
msiexec /qn /i "Centrify Windows Agent64.msi"
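The unattended upgrade in steps 1 to 3, as an added PowerShell example that is not part of the Centrify guide: it wraps the guide's msiexec /qn /i command with a signature check, a verbose MSI log (/l*v), and exit-code handling, which matters when the package is pushed to many computers through a distribution tool. The staging path, the log location, and the expectation that the MSI carries an Authenticode signature are assumptions.

```powershell
# Added example, not Centrify code: unattended agent upgrade with a signature
# check, verbose MSI logging, and exit-code handling.
param(
    # Hypothetical staging folder holding the MSI files copied from the media.
    [string]$SourceDir = 'C:\Staging\Centrify',
    [string]$LogDir    = $env:TEMP
)

# File names are the ones the guide gives for 32-bit and 64-bit systems.
$msiName = if ([Environment]::Is64BitOperatingSystem) {
    'Centrify Windows Agent64.msi'
} else {
    'Centrify Windows Agent.msi'
}
$msiPath = Join-Path $SourceDir $msiName
if (-not (Test-Path -LiteralPath $msiPath)) {
    throw ("Package not found: {0}" -f $msiPath)
}

# Assumption: the package is Authenticode-signed. Refuse to install a package
# whose signature is missing or does not validate, and show who signed it so
# the signer can be compared with what you expect.
$sig = Get-AuthenticodeSignature -FilePath $msiPath
if ($sig.Status -ne 'Valid') {
    throw ("Signature status for '{0}' is {1}; not installing." -f $msiName, $sig.Status)
}
Write-Output ("Signed by: {0}" -f $sig.SignerCertificate.Subject)

# Same command as in the guide (/qn /i), plus a verbose log so a failed silent
# install leaves evidence behind. Paths are quoted because they contain spaces.
$stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'
$logPath = Join-Path $LogDir ("centrify-agent-upgrade-{0}.log" -f $stamp)
$msiArgs = @('/qn', '/i', ('"{0}"' -f $msiPath), '/l*v', ('"{0}"' -f $logPath))
$proc    = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru

# Standard Windows Installer exit codes: 0 success, 3010 success with a
# restart required, 1641 success with a restart already initiated.
switch ($proc.ExitCode) {
    0       { Write-Output ("Upgrade completed. Log: {0}" -f $logPath) }
    3010    { Write-Output ("Upgrade completed; restart required. Log: {0}" -f $logPath) }
    1641    { Write-Output 'Upgrade completed; the installer initiated a restart.' }
    default { throw ("msiexec exited with code {0}. See {1}" -f $proc.ExitCode, $logPath) }
}
```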
Chapter 3
Upgrading the auditing infrastructure
This chapter describes the recommended steps for upgrading auditing-related components
to ensure you can continue auditing activity throughout the upgrade process. Keep in mind
that upgrading the auditing infrastructure might require updates to the existing database,
but, in most cases, should not require any computers to be shut down or restarted to
complete the upgrade.
Why there are formal steps for upgrading an audit installation
In most organizations that deploy auditing, the auditing infrastructure—the installation—
consists of components on multiple computers that must be able to communicate with each
other to collect, transfer, and store information about user and computer activity. This
multi-tiered architecture might be widely distributed and might include hundreds or
thousands of computers that must be monitored. Upgrading all of those computers without
interrupting ongoing auditing service requires a formal upgrade process that allows
computers from different versions to continue communicating for a period of time.
Upgrading auditing components in a specific order
Because the upgrade process is expected to take a period of time—the length of time
depends on the size and complexity of your installation—there are specific rules about the
configurations supported and the order in which you should upgrade auditing components.
To ensure auditing continues uninterrupted during the upgrade period, you should upgrade
audit installation components in the following order:

• Audit store databases
• Management server databases
• Consoles and collectors and the management server service
• Agents
By following this upgrade order, you can ensure components can continue to communicate
while you upgrade the rest of the audit installation. For example, an upgraded audit store
can continue to receive audit data from collectors and respond to requests from the
management server and consoles that have not been updated.
Be sure to upgrade all of your audit store databases before upgrading other components.
You can upgrade the database without upgrading other components from a Command
window by running the following command:
setup.exe /database
Unsupported configurations
If you upgrade auditing components in a different sequence than the one described in
“Upgrading auditing components in a specific order” on page 13, you might end up with an
unsupported configuration that requires you to upgrade the remaining components
immediately or suspend auditing of user activity until you can complete the upgrade.
You might encounter this situation if you upgrade the Audit Manager and Audit Analyzer
consoles or a collector before upgrading the management and audit store databases.
Updating auditing-related databases
If an upgrade requires an update to the database, you are prompted to run the database
maintenance wizard and to select the databases to upgrade. If the wizard can connect to the
databases selected and the database upgrade is successful, no further action is required.
You can upgrade audit store databases and the management database interactively using the
Database Maintenance Wizard or by running the following command:
setup.exe /database
Upgrading the auditing databases, however, requires specific Windows and database
permissions. Before attempting to upgrade the database, verify you have a user account that
meets the following requirements:

• The Windows account you use to update the database with the Database Maintenance
  Wizard must be an Active Directory domain user and a local administrator on the computer
  where you are running the setup.exe program.
• Your Windows or SQL login account must be either a member of the sysadmin fixed server
  role or a member of the db_owner database role on each of the database instances being
  upgraded. If the account is a member of the db_owner database role, you must also have the
  EXTERNAL ACCESS ASSEMBLY permission on each of the database servers hosting the
  management database and audit store databases.
  You can use the following SQL statement to grant the EXTERNAL ACCESS ASSEMBLY
  permission to a specific user:
  GRANT EXTERNAL ACCESS ASSEMBLY TO [DOMAIN\user]
  For example, to grant this permission to the account john@acme.com, you might execute
  the following SQL statement:
  GRANT EXTERNAL ACCESS ASSEMBLY TO [ACME\john]
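A pre-flight check for the database permission requirements above, as an added PowerShell example that is not Centrify code: run it as the account that will perform the upgrade, and it reports for each database whether that login is sysadmin, or db_owner with EXTERNAL ACCESS ASSEMBLY, so the permission is granted only where it is actually missing. The instance and database names are placeholders, and Windows PowerShell 5.1 with Windows authentication is assumed.

```powershell
# Added example, not Centrify code. Instance and database names are
# placeholders; if your databases live on several instances, run once per instance.
param(
    [string]$Instance    = 'SQLHOST\INSTANCE',
    [string[]]$Databases = @('ManagementDb', 'AuditStoreDb')
)

# Built-in T-SQL functions, evaluated for the connected login. Passing NULL
# as the securable to HAS_PERMS_BY_NAME tests a server-level permission.
$query = @'
SELECT SUSER_SNAME() AS LoginName,
       IS_SRVROLEMEMBER('sysadmin') AS IsSysadmin,
       IS_ROLEMEMBER('db_owner') AS IsDbOwner,
       HAS_PERMS_BY_NAME(NULL, NULL, 'EXTERNAL ACCESS ASSEMBLY') AS HasExternalAccess;
'@

function Test-AuditUpgradePermission {
    param([string]$Instance, [string]$Database)

    # Windows authentication: the check runs as the account that will upgrade.
    $connString = "Server=$Instance;Database=$Database;Integrated Security=True"
    $conn = [System.Data.SqlClient.SqlConnection]::new($connString)
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $query
        $reader = $cmd.ExecuteReader()
        [void]$reader.Read()

        # The functions return 1, 0 or NULL; anything other than 1 counts as "no".
        $isSysadmin = $reader['IsSysadmin'] -eq 1
        $isDbOwner  = $reader['IsDbOwner'] -eq 1
        $hasExtAcc  = $reader['HasExternalAccess'] -eq 1

        [pscustomobject]@{
            Database          = $Database
            Login             = $reader['LoginName']
            IsSysadmin        = $isSysadmin
            IsDbOwner         = $isDbOwner
            HasExternalAccess = $hasExtAcc
            # The guide's rule: sysadmin, or db_owner plus EXTERNAL ACCESS ASSEMBLY.
            MeetsRequirement  = $isSysadmin -or ($isDbOwner -and $hasExtAcc)
        }
    }
    finally {
        $conn.Dispose()
    }
}

$results = foreach ($db in $Databases) {
    Test-AuditUpgradePermission -Instance $Instance -Database $db
}
$results | Format-Table -AutoSize

# Stop before setup.exe /database is run if any database fails the check.
if ($results.MeetsRequirement -contains $false) {
    throw 'At least one database does not meet the upgrade permission requirements.'
}
```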
Updating agents out of sequence
The recommended upgrade steps suggest that you update deployed agents last. However,
upgrading the agent is much simpler than upgrading the audit store or management
database, which might require a database administrator to be involved. In most cases, it is
safe to update the agent at any point in the upgrade process. If there are restrictions that
would prevent a new agent from using an older collector, those restrictions are documented
in the release notes you received with the package.
Restarting a computer after an agent upgrade
If a computer has both Access and Audit features enabled, you must restart the computer
after upgrading the agent. If a computer only has auditing features enabled, there’s no
requirement to restart.
Chapter 4
Upgrading managed computers
This chapter describes how to update Centrify software on managed Linux and UNIX
computers. You can also upgrade Centrify software on Mac OS X computers using the
install.sh shell script in a Terminal application or by downloading, unpacking, and running
the latest Mac OS X installer. For more information about upgrading Centrify software on
Mac OS X computers, see the Administrator’s Guide for Mac OS X.
Using Deployment Manager to update agents
You can use DirectManage Deployment Manager to automatically or manually download
updated Centrify software, check whether remote computers are prepared to receive
software updates, and deploy updated software from a central console on a Windows
computer. Although you can perform other administrative tasks from Deployment
Manager, it is intended primarily to simplify the deployment of new and updated Centrify
agents with default configuration options.
If you are only interested in updating the Centrify agent and default packages, such as the
Centrify-enabled OpenSSH, you should use Deployment Manager to perform the upgrade.
For information about using Deployment Manager, see the Deployment Manager User’s Guide
or the Planning and Deployment Guide.
If you don’t have access to a Windows computer with Deployment Manager or have
restricted network connectivity that prevents you from using Deployment Manager, you
can use the install.sh shell script or a native package manager to update Centrify
software. You might also want to use the install.sh shell script instead of Deployment
Manager if you have packages other than the Centrify agent that you want to upgrade or if
you want to manually select which packages are upgraded.
Using the install.sh shell script to update packages
The Centrify agent installation script, install.sh, is a shell script that you can run
interactively or configure to run silently on any supported UNIX, Linux, or Mac OS X
computer.
You can use the install.sh shell script to upgrade any installed Centrify software except
Centrify DirectSecure and Centrify sudo. If you have DirectSecure installed on a managed
computer, you should stop the service prior to upgrading the Centrify agent. You can then
upgrade DirectSecure after you have upgraded the Centrify agent and other packages. The
DirectSecure service and the Centrify agent should be kept synchronized at the same
version level.
If you have the Centrify sudo package, you can upgrade the package before or after you
upgrade the Centrify agent and other packages.
To use the install.sh script interactively:
1 Unzip and extract the contents of the file you downloaded from the Centrify Corporation
Customer Download Center. For example:
gunzip centrify-suite-2015.update-platform-arch.tgz
tar -xvf centrify-suite-2015.update-platform-arch.tar
2 Run the install.sh script to start the update on the local computer’s operating
environment. For example:
./install.sh
The installer checks that it is possible to update Centrify software on the local computer.
For example, it will check that the computer is a supported platform and that any
required patches are installed. For more information about the ADCheck diagnostic tool,
see the Planning and Deployment Guide.
3 Specify the type of upgrade you want to perform.

Standard (S) edition upgrades Centrify Server Suite access control (DirectControl),
privilege management (DirectAuthorize), and secure shell (Centrify-enabled
OpenSSH) features. Any other Centrify packages you have installed are unchanged as
long as they are compatible with the version being upgraded.

Enterprise (E) edition upgrades Centrify Server Suite access control,
privilege management, secure shell, and auditing (DirectAudit) features. Any other
Centrify packages you have installed are unchanged as long as they are compatible with
the version being upgraded.

Custom (C) option allows you to select the Centrify packages located in the current
directory and choose whether to erase (E), update (U), replace (R), or keep unchanged
(K) each package. If there is a package available for which there is no corresponding
version already installed, you can choose to install (I) the package.

Express (X) installs or upgrades the standard edition components as unlicensed
Centrify Express components.
If you want to install or upgrade additional packages such as the Centrify Network
Information Service (adnisd) or the Centrify LDAP proxy service, you should use the
custom install option and select the packages to install.
Configuring install.sh to run without user interaction
You can use the install.sh shell script to upgrade computers silently without user
interaction. When you run install.sh without user interaction, you have the same
standard, enterprise, and custom upgrade options that you have when using install.sh
interactively. When using install.sh without user interaction, however, you specify the
type of upgrade on the command line and in a configuration file.
--std-suite upgrades Centrify Server Suite access control, privilege management, and
secure shell features. Any other Centrify packages you have installed are unchanged as long
as they are compatible with the version being upgraded.
--ent-suite upgrades Centrify Server Suite access control, privilege management, secure
shell, and auditing features. Any other Centrify packages you have installed are unchanged
as long as they are compatible with the version being upgraded.
In both cases, you can customize the upgrade by modifying the default centrify-suite.cfg
configuration file. With the default centrify-suite.cfg configuration file, the install.sh
script upgrades the following Centrify features if there are corresponding packages in the
current directory:

Centrify agent access control and privilege management features

Centrify-enabled OpenSSH

Centrify-enabled Kerberos tools

Centrify agent auditing features (if you specify the --ent-suite option)
All other packages are left unchanged. For more detailed information about configuring a
silent upgrade using the configuration file, see “Setting the parameters in a custom
configuration file for the installation script” and the details for the INSTALL parameter in the
Planning and Deployment Guide.
Note: If you run the install.sh script with the --std-suite option, the settings for
CentrifyDC-nis and CentrifyDA packages are ignored.
Using a native package manager on Linux computers
When you upgrade using the install.sh shell script, the script manages all dependencies
and compatibility issues for you. If you want to upgrade Centrify software packages using
the native package manager and you have more than the core agent package (CentrifyDC)
installed, you should first determine whether there are any compatibility issues or
dependencies between the packages you have installed. For details about specific version
compatibility requirements and upgrade scenarios, see “Compatibility for additional
packages on managed computers” on page 25.
After you have determined whether you have any version dependencies, you can use the
native package manager to upgrade individual packages one at a time or to upgrade all
packages simultaneously. You can also use the native package manager to remove old
packages individually or remove all packages simultaneously.
Upgrading packages individually on a Linux computer
You do not need to stop any running Centrify process to perform the upgrade. To upgrade
Centrify software using the native package manager, follow these basic steps:

Upgrade the core agent package (CentrifyDC) using the native package manager.

Upgrade other Centrify packages using the native package manager.

Restart Centrify processes or reboot the computer.
Depending on the order in which you are upgrading individual packages, you might see
warnings from the package manager about file dependencies. If you see that a dependency is
generated because of a package you have yet to upgrade, it is safe to ignore the warning.
Upgrading individual packages using RPM
To upgrade the base agent package and the Centrify-enabled OpenSSH package to version
5.2.3 on a Linux computer that supports the Red Hat Package Manager (rpm), you would
enter commands similar to this:
rpm -U centrifydc-5.2.3-platform-arch.rpm
rpm -U centrifydc-openssh-6.7p1-5.2.3-platform-arch.rpm
The platform and architecture you specify on the command line should identify the specific
operating system you are updating, for example centrifydc-5.2.3-rhel3-x86_64.rpm or
centrifydc-5.2.3-suse9-ia64.rpm. After the package manager updates the packages
installed, you can optionally restart Centrify processes or reboot the computer. For
example, run the following commands:
/usr/share/centrifydc/bin/centrifydc restart
/etc/init.d/centrify-sshd restart
Upgrading individual packages using the Debian package manager
On a Debian, Ubuntu, or Linux MINT computer, you would enter commands similar to
the following:
dpkg -i centrifydc-5.2.3-platform-arch.deb
dpkg -i centrifydc-openssh-6.7p1-5.2.3-platform-arch.deb
The platform and architecture you specify on the command line should identify the specific
operating system you are updating, for example centrifydc-5.2.3-deb5-i386.deb. After
the package manager updates the packages installed, you can optionally restart Centrify
processes or reboot the computer. For example, run the following commands:
/usr/share/centrifydc/bin/centrifydc restart
/etc/init.d/centrify-sshd restart
Performing simultaneous upgrades
In most cases, you can upgrade multiple Centrify packages at the same time using the native
package manager for Linux computers. You do not need to stop any running Centrify
process to perform the upgrade. To upgrade multiple Centrify packages at the same time,
you simply pass multiple package names to the package manager.
For example, to upgrade the base agent package, the Centrify Network Information
Service, and Centrify-enabled OpenSSH to version 5.2.3 on a Linux computer that
supports the Red Hat Package Manager (rpm), you would enter commands similar to this:
rpm -U centrifydc-5.2.3-platform-arch.rpm \
centrifydc-nis-5.2.3-platform-arch.rpm \
centrifydc-openssh-6.7p1-5.2.3-platform-arch.rpm
The platform and architecture you specify on the command line should identify the specific
operating system you are updating, for example centrifydc-5.2.3-rhel3-x86_64.rpm or
centrifydc-5.2.3-suse9-ia64.rpm. You can then verify the Centrify packages that were
upgraded using the following command:
rpm -qa CentrifyDC-*
On a Debian, Ubuntu, or Linux MINT computer, you would enter commands similar to
the following:
dpkg -i centrifydc-5.2.3-platform-arch.deb \
centrifydc-nis-5.2.3-platform-arch.deb \
centrifydc-openssh-6.7p1-5.2.3-platform-arch.deb
You can then verify the Centrify packages that were upgraded using the following
command:
dpkg -s CentrifyDC-*
Using a native package manager on UNIX computers
When you upgrade using the install.sh shell script, the script manages all dependencies
and compatibility issues for you. If you want to upgrade Centrify software packages using
the native package manager, you should first determine whether there are any compatibility
issues or dependencies between the packages you have installed. You can then upgrade
packages individually or simultaneously. For details about specific version compatibility
requirements and upgrade scenarios, see “Compatibility for additional packages on
managed computers” on page 25.
After you have determined whether you have any version dependencies, you can use the
native package manager to upgrade individual packages one at a time or to upgrade all
packages simultaneously. You can also use the native package manager to remove old
packages individually or remove all packages simultaneously.
Upgrading packages individually on a UNIX computer
With the exception of Solaris, you do not need to stop any running Centrify process to
perform the upgrade. On Solaris computers, you should stop all Centrify processes before
upgrading. For all UNIX platforms, you should either reboot the computer or restart
Centrify processes after you complete the upgrade to ensure that the upgraded packages are
being run. You should note that rebooting the computer or restarting agent services after an
upgrade is not required in most cases or on most platforms. However, it is recommended as
a best practice.
To upgrade Centrify software using the native package manager, follow these basic steps:

Stop all Centrify processes running on Solaris computers.
For example:
/usr/share/centrifydc/bin/centrifydc stop
/etc/init.d/centrify-sshd stop
/etc/init.d/adfsagent stop

Upgrade the core agent package (CentrifyDC) using the native package manager.

Upgrade other Centrify packages using the native package manager.

Restart Centrify processes or reboot the computer.
Depending on the order in which you are upgrading individual packages, you might see
warnings from the package manager about file dependencies. If you see that a dependency is
generated because of a package you have yet to upgrade, it is safe to ignore the warning.
The next sections illustrate the commands to use on different platforms. The actual file
name that you specify on the command line—including a specific build number, platform,
and architecture—will identify the specific operating system you are updating, for example
centrifydc-5.2.3-sol8-sparc-local.tgz or centrifydc-5.2.3-aix53-ppc-bff.gz.
Upgrading packages on Solaris computers
To upgrade the base agent package and the Centrify-enabled OpenSSH package to version
5.2.3 on Solaris computers, you would enter commands similar to this:
/etc/init.d/centrify-sshd stop
/usr/share/centrifydc/bin/centrifydc stop
gunzip centrifydc-5.2.3-platform-arch-local.tgz
tar xvf centrifydc-5.2.3-platform-arch-local.tar
pkgadd -a admin -n -d CentrifyDC
gunzip centrifydc-openssh-6.7p1-5.2.3-platform-arch-local.gz
pkgadd -a admin -d centrifydc-openssh-6.7p1-5.2.3-platform-arch-local
After the package manager updates the packages installed, you can optionally restart
Centrify processes or reboot the computer. For example, run the following commands:
/usr/share/centrifydc/bin/centrifydc start
/etc/init.d/centrify-sshd start
Note: On Solaris 10 computers that use Solaris zones, you should upgrade the core agent
package first, then upgrade other Centrify packages.
Upgrading packages on HP-UX computers
To upgrade the base agent package and the Centrify-enabled OpenSSH package to version
5.2.3 on HP-UX computers, you would enter commands similar to this:
gunzip centrifydc-5.2.3-platform-arch.depot.gz
swinstall -s centrifydc-5.2.3-platform-arch.depot
gunzip centrifydc-openssh-6.7p1-5.2.3-platform-arch.depot.gz
swinstall -s centrifydc-openssh-6.7p1-5.2.3-platform-arch.depot
Upgrading packages on AIX computers
To upgrade the base agent package and the Centrify-enabled OpenSSH package to version
5.2.3 on AIX computers, you would enter commands similar to this:
gunzip centrifydc-5.2.3-platform-arch-bff.gz
gunzip centrifydc-openssh-6.7p1-5.2.3-platform-arch.bff.gz
inutoc .
installp -d CentrifyDC.5.2.3.nnn.bff CentrifyDC.base
installp -d centrifydc-openssh-6.7p1-5.2.3-platform-arch.bff \
CentrifyDC.openssh
Performing simultaneous upgrades
The process for simultaneous upgrades on UNIX computers is similar to that for Linux
computers. However, the native package managers on different platforms vary in their
ability to perform simultaneous upgrades.
Simultaneous upgrades on Solaris computers
On Solaris computers, it is necessary to spool all packages that are to be installed
simultaneously. The package manager can then take the spooled packages and install them
all at once using one command. Before upgrading on Solaris computers, however, you
should stop all Centrify processes that are running.
Note: On Solaris 10 computers that use Solaris zones, you should upgrade the core agent
package as a separate step. You can then upgrade other Centrify packages using a
simultaneous upgrade.
The recommended spool directory is /var/tmp/spool and denoted spool_dir in the
instructions below. You can use another location, however, depending on your file system
configuration and disk space available. You should also create a working directory, for
example /var/tmp/temp denoted as working_dir in the instructions below.
For each package (pkg) to be upgraded, unzip and extract the package into the working
directory, then run a command similar to the following to spool the packages:
pkgadd -s spool_dir -d working_dir/pkg pkg
After all of the packages have been spooled, run a command similar to the following to
install the packages:
pkgadd -a admin -n -d spool_dir pkg_1 pkg_2 … pkg_n
where pkg_1 to pkg_n are the package names you have spooled.
Restart Centrify processes after the upgrade is complete.
To upgrade the core agent, Centrify-enabled OpenSSH, and Centrify NIS packages on
Solaris, you would enter commands similar to the following to stop running processes:
/usr/share/centrifydc/bin/centrifydc stop
/etc/init.d/centrify-sshd stop
/etc/init.d/adnisd stop                  # on Solaris 8 or 9
svcadm disable centrifydc_server         # on Solaris 10 or later
You would enter commands similar to the following to make the spool and working
directories:
mkdir /var/tmp/spool
mkdir /var/tmp/temp
cd /var/tmp/temp
After copying the packages into the current directory, you would enter commands similar
to the following to unzip, extract, and spool the packages:
gunzip centrifydc-5.2.3-platform-arch-local.tgz
tar xvf centrifydc-5.2.3-platform-arch-local.tar
pkgadd -s /var/tmp/spool -d /var/tmp/temp/CentrifyDC CentrifyDC
gunzip centrifydc-nis-5.2.3-platform-arch-local.tgz
tar xvf centrifydc-nis-5.2.3-platform-arch-local.tar
pkgadd -s /var/tmp/spool -d /var/tmp/temp/CentrifyDC-nis \
CentrifyDC-nis
gunzip centrifydc-openssh-6.7p1-5.2.3-platform-arch-local.tgz
tar xvf centrifydc-openssh-6.7p1-5.2.3-platform-arch-local.tar
pkgadd -s /var/tmp/spool \
-d /var/tmp/temp/centrifydc-openssh-6.7p1-5.2.3-platform-arch-local \
CentrifyDC-openssh
You would then enter a command similar to the following to upgrade all three packages:
pkgadd -a admin -n -d /var/tmp/spool CentrifyDC CentrifyDC-nis \
CentrifyDC-openssh
After the upgrade, you would enter commands similar to the following to restart Centrify
processes:
/usr/share/centrifydc/bin/centrifydc start
/etc/init.d/centrify-sshd start
/etc/init.d/adnisd start                 # on Solaris 8 or 9
svcadm enable centrifydc_server          # on Solaris 10 or later
Simultaneous upgrades on HP-UX computers
On HP-UX computers, it is necessary to spool all packages that are to be installed
simultaneously. The package manager can then take the spooled packages and install them
all at once using one command.
On HP-UX computers, you can use the default spool directory, but you must create a
working directory, for example /var/tmp/temp, denoted as working_dir in the instructions
below.
For each package (pkg) to be upgraded, unzip and extract the package into the working
directory, then run a command similar to the following to spool the packages:
swcopy -s working_dir/pkg.depot pkg
After all of the packages have been spooled, run a command similar to the following to
install the packages:
swinstall -s pkg_1 pkg_2 … pkg_n
where pkg_1 to pkg_n are the package names you have spooled.
To upgrade the core agent package, Centrify NIS, and Centrify-enabled OpenSSH on HP-UX,
you would enter commands similar to the following to make the working directory:
mkdir /var/tmp/temp
cd /var/tmp/temp
After copying the packages into the current directory, you would enter commands similar
to the following to unzip, extract, and spool the packages:
gunzip centrifydc-5.2.3-platform-arch.depot.gz
swcopy -s /var/tmp/temp/centrifydc-5.2.3-platform-arch.depot CentrifyDC
gunzip centrifydc-nis-5.2.3-platform-arch.depot.gz
swcopy -s /var/tmp/temp/centrifydc-nis-5.2.3-platform-arch.depot \
CentrifyDC-nis
gunzip centrifydc-openssh-6.7p1-5.2.3-platform-arch.depot.gz
swcopy -s /var/tmp/temp/centrifydc-openssh-6.7p1-5.2.3-platform-arch.depot \
CentrifyDC-openssh
swinstall -s CentrifyDC CentrifyDC-nis CentrifyDC-openssh
Simultaneous upgrades on AIX computers
On AIX computers, it is necessary to spool all packages that are to be installed
simultaneously. The package manager can then take the spooled packages and install them
all at once using one command.
The recommended spool directory is /var/tmp/spool and denoted spool_dir in the
instructions below. You can use another location, however, depending on your file system
configuration and disk space available.
For each package (pkg) to be upgraded, unzip and extract the package into the spool_dir
directory, then run the installp command to install all of the spooled packages. For
example:
inutoc .
installp -aY -d spool_dir all
To upgrade the core agent package, Centrify NIS, and Centrify-enabled OpenSSH on AIX, you
would enter commands similar to the following to make the spool directory:
mkdir /var/tmp/spool
cd /var/tmp/spool
After copying the packages into the spool directory, you would enter commands similar to
the following to unzip and upgrade the packages:
gunzip centrifydc-5.2.3-platform-arch-bff.gz
gunzip centrifydc-nis-5.2.3-platform-arch-bff.gz
gunzip centrifydc-openssh-6.7p1-5.2.3-platform-arch.bff.gz
inutoc .
installp -aY -d /var/tmp/spool all
Upgrading managed Mac OS X computers
In most cases, you can update agents on Mac OS X computers by simply installing the new
agent either directly or remotely on top of an existing agent. As a best practice, you should
perform in-place upgrades using a local Mac administrative (admin) account or any other
user account that has local administrative rights and reboot the computer after completing
the upgrade. In most cases, you should not perform the upgrade while you are logged on as
an Active Directory user in a currently active session.
In rare cases, you might be advised to run adflush to clear the Active Directory cache
before performing an in-place upgrade. For example, if you are updating agents from
version 4.x, or earlier, to 5.1.x, run adflush first to ensure a smooth upgrade. It is highly
unusual for an upgrade to require you to leave and rejoin a managed Mac computer to the
domain.
Chapter 5
Compatibility for additional packages on
managed computers
In general, Centrify software packages are not version-dependent on each other. However,
there are compatibility limitations in some situations. This chapter describes specific
compatibility requirements for packages that are not part of the core agent package or have
been added to or removed from the core agent package. If you are only upgrading the core
agent package and have no other packages installed, you can skip this chapter.
Should you be concerned about compatibility?
Compatibility issues are managed automatically when you use the install.sh shell script to
upgrade packages. If you plan to update packages using a native package manager, however,
you must be aware of potential compatibility issues and be able to manually manage
dependencies between packages. Depending on the version of Centrify software you
currently have installed, the version you are upgrading to, and which packages you have
installed, you might have many or no compatibility concerns. The first step is to identify
which software packages and versions you have deployed.
The core agent package for access control and privilege management is
CentrifyDC-version. The core agent package for auditing is CentrifyDA-version. Other
packages you might have installed include:
CentrifyDC-nis
CentrifyDC-krb5
CentrifyDC-ldapproxy
CentrifyDC-openssh
CentrifyDC-web
CentrifyDC-apache
CentrifyDC-samba
Removing the CentrifyDC-idmap package
If you are upgrading the core agent package for access control and privilege management
(CentrifyDC) from 4.0.0 and have Centrify Samba installed, you should remove the
CentrifyDC-idmap package before attempting the upgrade. The functionality provided by
the CentrifyDC-idmap package was incorporated into the core agent package (CentrifyDC)
after 4.0.0. Therefore, there is no need for a separate CentrifyDC-idmap package.
If you are manually managing packages, you can use the native package manager to
determine if this package is installed and remove it. For example, on a Linux computer, you
might query for the packages installed:
rpm -qa Centrify*
To remove the package on a Linux computer, you might run a command like this:
rpm -e CentrifyDC_idmap
Compatibility for CentrifyDC-nis package
If you are upgrading the core agent package (CentrifyDC) and have the CentrifyDC-nis
package installed, you should also upgrade the CentrifyDC-nis package. The
CentrifyDC-nis package must have the same major version number as the core agent
package. The version number for the CentrifyDC-nis package should never be higher than
the version number of the core agent package.
Note that on some platforms, the adnisd package might prevent the ypbind service from
starting properly because of the order in which services are started. For example, if ypbind
is configured to start before the adnisd service, the bind will fail. This issue does not occur
if you are installing new packages. However, to prevent unintended changes to the existing
startup sequence during an upgrade, upgrading the adnisd package will not modify your
existing startup configuration. You can manually correct the startup sequence after an
upgrade by manually running the chkconfig script. For example, run the following
command after the adnisd upgrade:
chkconfig adnisd on
Compatibility for CentrifyDC-krb5 package
The Centrify Kerberos tools were repackaged at version 4.2.0 and some tools that were
part of the Kerberos tools package moved into the core agent package. This repackaging
means that only version 4.2.0 of the Kerberos tools may be used with version 4.2.0, or
later, of the core agent package. If you are upgrading the core agent package to 4.2.0, or
later, you should first remove the CentrifyDC-krb5 package.
Compatibility for CentrifyDC-ldapproxy package
If you are upgrading the core agent package (CentrifyDC) and have the
CentrifyDC-ldapproxy package installed, you should also upgrade the
CentrifyDC-ldapproxy package. The CentrifyDC-ldapproxy package must have the same
major version number as the core agent package. The version number for the
CentrifyDC-ldapproxy package should never be higher than the version number of the
core agent package. If you upgrade the core agent package (CentrifyDC) to a version
number that is higher than the CentrifyDC-ldapproxy package version, the installation
script removes the CentrifyDC-ldapproxy package. To retain the CentrifyDC-ldapproxy
package when you upgrade the core agent package (CentrifyDC), you must make sure that
both packages are upgraded to the same version number.
Compatibility for CentrifyDC-openssh package
In most cases, the core agent package (CentrifyDC) and the CentrifyDC-openssh package are
installed and upgraded together. Therefore, in most cases, the CentrifyDC and
CentrifyDC-openssh packages have the same major version number. If you have the
CentrifyDC-openssh package installed and are upgrading the core agent to version 5.1.2 or
later, you must also upgrade the CentrifyDC-openssh package. If you use the installation
script to upgrade, it enforces this compatibility requirement.
Compatibility for CentrifyDC-apache and CentrifyDC-web packages
If you are upgrading the core agent package (CentrifyDC) to 5.x and have Centrify for
Apache or Java applications installed, the CentrifyDC-apache or CentrifyDC-web package
should be version 4.x or later. For example, CentrifyDC_apache-4.2.0-nnn is compatible
with CentrifyDC version 5.x.
Upgrading version-dependent packages
If you are upgrading a computer that has one or more Centrify software packages that are
version-dependent on one another, you should either:

Remove the Centrify packages that are version-dependent before upgrading the core
agent package, upgrade the core agent package, then re-install the new versions of the
version-dependent packages.

Simultaneously upgrade the core agent package and all of the additional packages that
are version-dependent.
If you are upgrading a computer where there are no version dependencies, Centrify
recommends you upgrade all packages simultaneously, if possible.
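The compatibility rules in this chapter can be checked against a package inventory before you upgrade with a native package manager. The following shell functions are an added example, not part of the Centrify guide or of install.sh; the function names, verdict labels, and constructed inventory are assumptions for illustration, versions are assumed to be dotted numbers without build numbers, and the CentrifyDC-idmap rule is not covered.

```shell
#!/bin/sh
# Added example: pre-upgrade compatibility check for Centrify add-on packages.
# Function names, verdict labels and the sample inventory are illustrative
# assumptions; the rules are the ones stated in this chapter.

# ver_cmp A B: compare dotted numeric versions; prints lt, eq or gt.
ver_cmp() {
    _a=$1; _b=$2
    while [ -n "$_a" ] || [ -n "$_b" ]; do
        _x=${_a%%.*}; _y=${_b%%.*}              # leading field of each version
        [ -n "$_x" ] || _x=0                    # a missing field counts as 0
        [ -n "$_y" ] || _y=0
        if [ "$_x" -lt "$_y" ]; then echo lt; return; fi
        if [ "$_x" -gt "$_y" ]; then echo gt; return; fi
        case $_a in *.*) _a=${_a#*.} ;; *) _a= ;; esac   # drop compared field
        case $_b in *.*) _b=${_b#*.} ;; *) _b= ;; esac
    done
    echo eq
}

# major V: print the major version number of V.
major() { echo "${1%%.*}"; }

# check_pkg TARGET_CORE PACKAGE INSTALLED_VERSION
# Prints what the chapter's rules require for PACKAGE when the core agent
# (CentrifyDC) is upgraded to TARGET_CORE.
check_pkg() {
    _t=$1; _pkg=$2; _v=$3
    case $_pkg in
    # OpenSSH versions look like 6.7p1-5.2.3; keep the Centrify part only.
    CentrifyDC-openssh) _v=${_v##*-} ;;
    CentrifyDC-nis|CentrifyDC-ldapproxy|CentrifyDC-krb5) ;;
    CentrifyDC-apache|CentrifyDC-web) ;;
    *)  echo no-rule; return ;;                 # no rule stated in the chapter
    esac
    _rel=$(ver_cmp "$_v" "$_t")                 # add-on relative to target core
    case $_pkg in
    CentrifyDC-nis)
        # Same major version as the core agent, and never higher than it.
        if [ "$_rel" = gt ]; then echo too-new
        elif [ "$(major "$_v")" != "$(major "$_t")" ]; then echo upgrade-required
        elif [ "$_rel" = lt ]; then echo upgrade-recommended
        else echo ok; fi ;;
    CentrifyDC-ldapproxy)
        # Never higher than the core; if lower, the installation script
        # removes the package, so it must be upgraded to the same version.
        case $_rel in gt) echo too-new ;; lt) echo upgrade-required ;; *) echo ok ;; esac ;;
    CentrifyDC-krb5)
        # Remove before upgrading the core agent to 4.2.0 or later.
        if [ "$(ver_cmp "$_t" 4.2.0)" != lt ]; then echo remove-first; else echo ok; fi ;;
    CentrifyDC-openssh)
        # Must be upgraded along with a core agent of 5.1.2 or later.
        if [ "$(ver_cmp "$_t" 5.1.2)" != lt ] && [ "$_rel" = lt ]; then
            echo upgrade-required
        else echo ok; fi ;;
    CentrifyDC-apache|CentrifyDC-web)
        # A 5.x core agent needs these packages at 4.x or later.
        if [ "$(major "$_t")" -eq 5 ] && [ "$(major "$_v")" -lt 4 ]; then
            echo upgrade-required
        else echo ok; fi ;;
    esac
}

# plan_upgrade TARGET_CORE: reads "package version" lines on stdin and
# prints "package verdict" for each line.
plan_upgrade() {
    while read -r _name _ver; do
        [ -n "$_name" ] || continue
        echo "$_name $(check_pkg "$1" "$_name" "$_ver")"
    done
}

# Constructed inventory for illustration (not taken from a real host).
sample_inventory() {
    cat <<'EOF'
CentrifyDC-nis 5.1.3
CentrifyDC-krb5 4.1.0
CentrifyDC-ldapproxy 5.2.3
CentrifyDC-openssh 6.7p1-5.1.0
CentrifyDC-web 3.0.5
EOF
}

sample_inventory | plan_upgrade 5.2.3
```

Any verdict other than ok means the package should be handled before or together with the core agent upgrade, as described in "Upgrading version-dependent packages."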
Working with classic zones after an upgrade
Centrify Server Suite supports both classic and hierarchical zones. After you upgrade
agents, you can choose to either migrate your classic zones into a hierarchical zone
structure or maintain them as classic zones. If you want to convert your classic zones into
hierarchical zones, you can use the admigrate program. For details about using the
admigrate program to migrate a classic zone to a new parent or child hierarchical zone, see
the man page for admigrate.
Note that you can only migrate classic zones to hierarchical zones if you have upgraded the
Centrify agent to version 5.x or later.
You are not required to migrate any existing classic zones. If you choose to maintain your
existing zones as classic zones, however, you should be aware that the authorization model
in classic zones differs from the authorization model used in hierarchical zones. For
example:

In classic zones, any user with a profile in a zone is automatically granted login access to
all computers joined to the zone.

In hierarchical zones, a user with a profile in a zone must be assigned to a role with login
rights and PAM access rights before being able to log in to a computer joined to a zone.
In addition, there are configuration parameters, commands, APIs, and features that are only
applicable in classic zones and other parameters, commands, APIs, and features that are
only applicable in hierarchical zones. For example, authorization is an optional feature that
can be enabled or disabled in classic zones, so there is a configuration parameter and a zone
property option to support the feature in classic zones. For hierarchical zones, authorization
is required for access to any managed computer, so the configuration parameter and zone
property option are not visible in hierarchical zones.
Chapter 6
What to do if there are problems during an upgrade
In most cases, upgrading Centrify software is a seamless process that does not interrupt
services. If you are not able to complete an upgrade successfully, however, there are a few
steps you can take to restore your working environment. This chapter covers the steps to
take if you have problems during the upgrade process.
Remove and re-install DirectManage Access
If you have problems upgrading any DirectManage Access components, such as
DirectManage Access Manager or DirectManage Deployment Manager, you should use the
Control Panel application to uninstall the software, then rerun the setup program to install
the components cleanly.
If you want to restore an older version of the software—rather than attempt a fresh
installation of the latest version—run the setup program for that version of the software.
Remove and re-install DirectManage Audit
If you have problems upgrading any DirectManage Audit components, such as
DirectManage Audit Manager or Centrify Audit Analyzer, you should do the following:

Use the Control Panel application to remove the auditing infrastructure components
from the local computer.

Use ADSI Edit to remove the service connection point for the installation. If you publish
this information in more than one location, remove all of the service connection points
from the forest.

Rerun the setup program to install the components cleanly.
If you want to restore an older version of the software—rather than attempt a fresh
installation of the latest version—run the setup program for that version of the software.
Remove and re-install agent features
If you have problems upgrading any agent features, such as access control and privilege
management or auditing services, you should do the following:

Log on as root and disable auditing on UNIX computers where auditing is enabled:
dacontrol -d

Use the adleave command to remove the UNIX computer from its current zone and
Active Directory domain.

Use the DirectAuthorize Agent Control Panel to remove the local Windows computer
from its current zone, then use the Windows Control Panel application to remove the
agent services from the local computer.

Rerun the install.sh script or the agent setup program to install the agent cleanly.
You can join the domain from the installation script on UNIX computers or join a zone
from the agent configuration wizard on Windows computers.

Log on as root and enable auditing on UNIX computers where you want auditing
enabled:
dacontrol -e
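The UNIX side of this procedure as an ordered script, added here as an example and not taken from the Centrify guide. It defaults to a dry run that only prints the commands, stops at the first failed step, and re-enables auditing only where it was enabled before; the DRY_RUN, WAS_AUDITED and INSTALLER variables, the function names and the installer path are assumptions.

```shell
#!/bin/sh
# Added example (not Centrify's own code): clean reinstall of a UNIX agent
# in the order given above. Variable and function names are hypothetical.

DRY_RUN="${DRY_RUN:-1}"                 # 1 = print the plan, 0 = execute it
WAS_AUDITED="${WAS_AUDITED:-1}"         # 1 = auditing was enabled beforehand
INSTALLER="${INSTALLER:-./install.sh}"  # assumed location of install.sh

# Print one step; execute it only when DRY_RUN=0 and report a failure.
run_step() {
    echo "$*"
    [ "$DRY_RUN" = "1" ] && return 0
    "$@" || { echo "FAILED: $*" >&2; return 1; }
}

reinstall_agent() {
    # The guide requires root for dacontrol; enforce it for a real run.
    if [ "$DRY_RUN" != "1" ] && [ "$(id -u)" -ne 0 ]; then
        echo "must be run as root" >&2
        return 1
    fi
    # 1. Disable auditing only where auditing is enabled.
    if [ "$WAS_AUDITED" = "1" ]; then
        run_step dacontrol -d || return 1
    fi
    # 2. Leave the current zone and the Active Directory domain.
    run_step adleave || return 1
    # 3. Install the agent cleanly; install.sh can also join the domain.
    run_step sh "$INSTALLER" || return 1
    # 4. Re-enable auditing so the host does not stay unaudited.
    if [ "$WAS_AUDITED" = "1" ]; then
        run_step dacontrol -e || return 1
    fi
}

reinstall_agent
```

Review the printed plan first, then run it with DRY_RUN=0 as root on the affected computer.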