Installation and Upgrade Guide for the Cisco Secure Access Control System 5.2
Upgrading the Cisco Secure Access Control System
Downloads: This chapterpdf (PDF - 230.0KB) The complete bookPDF (PDF - 5.56MB) | Feedback

Upgrading the Cisco Secure Access Control System

Table Of Contents

Upgrading the Cisco Secure Access Control System

Upgrading an ACS Deployment from 5.1 to 5.2

Upgrading the Log Collector Server

Upgrading the Secondary Servers

Upgrading the Primary Server

Upgrading the PKI Data and Certificates

Promoting a Secondary Server to Primary

Upgrading the ACS Monitoring and Report Viewer

Restoring the Monitoring and Report Viewer Data After Upgrade

Upgrading the Database

Upgrading the Reports

Upgrading an ACS Server from 5.1 to 5.2

Incremental upgrade of ACS server from ACS 5.1 to 5.2

Backing Up and Restoring ACS Application

Upgrading an ACS Server from 5.0 to 5.1

Applying ACS Patch


Upgrading the Cisco Secure Access Control System


This chapter describes the procedure to upgrade an ACS deployment from 5.1 to 5.2 and to upgrade a single ACS server to ADE-OS 1.2 and ACS 5.2.


Note If you are using ACS 5.0, you should first upgrade to ACS 5.1 and then to ACS 5.2. For procedures to upgrade from ACS 5.0 to ACS 5.1, see the Installation and Upgrade Guide for the Cisco Secure Access Control System 5.1.


This chapter describes the following scenarios:

Upgrading an ACS Deployment from 5.1 to 5.2—Procedure to upgrade an ACS deployment from 5.1 to 5.2.

Upgrading the ACS Monitoring and Report Viewer—Processes involved in upgrading the ACS Monitoring and Report Viewer.

Upgrading an ACS Server from 5.1 to 5.2—Procedures for upgrading an ACS server from 5.1 to 5.2. You can use any one of the following procedures:

Incremental upgrade of ACS server from ACS 5.1 to 5.2—Procedure for an incremental upgrade of an ACS server from 5.1 to 5.2.

Backing Up and Restoring ACS Application—Procedure for backing up ACS 5.1 application data and restoring it on ACS 5.2.

Upgrading an ACS Server from 5.0 to 5.1—Procedure to upgrade an ACS server from 5.0 to 5.2.

Applying ACS Patch—Procedure to download and apply upgrade patch.

The upgrade process involves upgrading an ACS server that includes the Monitoring and Report Viewer and the configuration information in the database.

During the upgrade process, ACS upgrades the ACS server to 5.2 and restores the data to ACS 5.2 server. As part of the restore operation, ACS converts the configuration data to a 5.2-compatible format.

ACS stores the information related to data upgrade in /opt/CSCOacs/logs/acsupgrade.log. To view the content of this log file, download the support bunddle. For information on downloading the support bunddle, see the CLI Reference Guide for the Cisco Secure Access Control System 5.2. Also, see /var/log/ade/ADE.log, which logs the details of all the operations performed in ACS CLI.

If you are migrating your ACS from 4.x to 5.2, you must follow the migration procedure as described in the Migration Guide for the Cisco Secure Access Control System 5.2.

You must have a repository configured with an FTP, NFS, or SFTP network server (but not a TFTP repository) to perform the ACS upgrade.

To create a repository, use the repository command. For more details about the commands used in this chapter, see the CLI Reference Guide for the Cisco Secure Access Control System 5.2.

Upgrading an ACS Deployment from 5.1 to 5.2

Follow the procedure described in this section to upgrade an ACS 5.1 deployment to 5.2.

The deployment upgrade process consists of the following phases and is illustrated in Figure 7-1:

Upgrading the Log Collector Server

Upgrading the Secondary Servers

Upgrading the Primary Server

Upgrading the PKI Data and Certificates

Promoting a Secondary Server to Primary

Figure 7-1 Upgrading an ACS Deployment


Note ACS does not support interoperability between the ACS 5.1 and 5.2 deployments.


Usually in a deployment scenario of multiple servers, the ACS primary server functions as a master database for the configuration data, and a secondary server stores the monitoring and report data. There are some exceptions to this setup, which can be handled as described below:

If ACS 5.1 primary server also functions as a log collector in your 5.1 deployment, you should interchange the primary server for one of the secondary servers in the deployment. See Promoting a Secondary Server to Primary.

If your 5.1 deployment contains only two servers, you could skip the second step (upgrading the secondary servers) listed in the deployment upgrade process.


Note If the backup data is huge in size, then extraction process might take a minimum of 1 hour to many hours.


Upgrading the Log Collector Server

Initially, you need to upgrade the log collector server to ACS 5.2 and use this server as a common log collector between the ACS 5.1 and 5.2 deployments until the 5.2 upgrade for all the servers is complete.

You can upgrade a log collector node that functions as a secondary server. However, when your primary server also functions as the log collector, you must promote a secondary server to play the role of the primary for the 5.1 deployment, change the primary server to secondary, and upgrade the secondary server (the server that was changed from primary to secondary) to 5.2.

To promote a secondary server as primary, see Promoting a Secondary Server to Primary.

To upgrade a log collector to 5.2:


Step 1 Back up the log collector data.

You must backup the log collector data to a remote server and not to the local disk.

From the ACS CLI, issue the following backup command in the EXEC mode to perform a backup and place the backup in a repository:

backup backup-file-name repository repository-name

Step 2 Change the log collector configured on the primary server.

You should assign another secondary server in the 5.1 deployment as log collector and assign it to the primary server:

a. From the ACS web interface, select System Administration > Configuration > Log Configuration > Log Collector.

The Log Collector page appears.

b. From the Select Log Collector drop-down list box, choose a different secondary server to configure it as a log collector for your 5.1 deployment.

c. Click Set Log Collector.

Step 3 From the CLI of the newly-assigned log collector, run the show application status acs command to verify that all of the ACS processes are running.

Step 4 Restore the log collector data from the backup repository to the new 5.2 log collector.

Run the following restore command in the EXEC mode:

restore backup-file-name repository repository-name

Step 5 Deregister the old log collector server from the deployment and delete it from the ACS 5.1 primary, so that it is now a standalone server.

a. From the web interface of the ACS 5.1 primary server, select System Administration > Operations > Distributed System Management.

The Distributed System Management page appears.

b. From the Secondary Instances table, check the check box next to the secondary instance that you want to deregister.

c. Click Deregister.

The system displays the following message:

This operation will deregister the selected ACS Instance from the Primary Instance.
 
   
Do you wish to continue?
 
   

d. Click OK.

The ACS machine restarts.

e. Log into the ACS 5.1 primary server.

f. Select System Administration > Operations > Distributed System Management.

g. From the Secondary Instances table, check the check box next to the deregistered secondary instance that you want to delete.

h. Click Delete.

The following message appears:

Are you sure you want to delete the selected item/items?
 
   

i. Click OK.

The Secondary Instances table on the Distributed System Management page appears without the deleted secondary instance.

Step 6 Backup the ACS 5.1 data (configuration and monitoring) and store it in a remote repository.

Run the backup command in the EXEC mode to backup the data:

backup backup-name repository repository-name

Step 7 Perform the steps described in Incremental upgrade of ACS server from ACS 5.1 to 5.2 .

ACS upgrades to ACS 5.2.

Step 8 Configure a repository to place the backed up data.

Step 9 Restore the ACS 5.1 data to the ACS 5.2 server:

Run the restore command in the EXEC mode to restore the backup taken earlier:

restore filename repository repository-name

While the ACS 5.1 configuration data is restored, the ACS 5.1 Monitoring and Report Viewer data is converted and upgraded to the 5.2 format.

Step 10 On the primary server of the 5.1 deployment, define a remote log target for the 5.2 log collector server:

a. Select System Administration > Configuration > Log Configuration > Remote Log Targets.

The Remote Log Targets page appears.

b. Click Create.

The Create page appears.

c. Enter the values for the following fields:

Name—The name of the remote log target. Maximum length is 32 characters.

Description—(Optional) A description of the remote log target. Maximum description length is 1024 characters.

Type—The type of remote log target. Syslog is the only option.

IP Address—IP address of the remote log target, in the format x.x.x.x. Specify the IP address of the 5.2 log collector server.

Use Advanced Syslog Options—Click to enable the advanced syslog options that include port number, facility code, and maximum length.

Port—The port number of the remote log target that is used as the communication channel between the ACS and the remote log target (default is 514). Enter 20514 for the port number.

Facility Code—(Optional) Choose an option from the Facility Code drop-down list box.

Maximum Length—The maximum length of the remote log target messages. Valid options are from 200 to 1024.

d. Click Submit.

The remote log target configuration is saved. The Remote Log Targets page appears with the new remote log target configuration.

Now, the authentication details from the 5.1 deployment are logged in both the 5.1 and 5.2 log collector servers.

Step 11 On the 5.1 primary server, configure the appropriate logging categories for the remote log target:

a. Select System Administration > Configuration > Log Configuration > Logging Categories > Global.

The Logging Categories page appears; from here, you can view the logging categories.

b. Click the name of the logging category you want to configure

Or

Click the radio button next to the name of the logging category you want to configure and click Edit.

c. In the General tab, complete the following fields:

Log Severity—Use the drop-down list box to select the severity level. Valid options are FATAL, ERROR, WARN, INFO, and DEBUG.

Log to Local Target—Check to enable logging to the local target.

Local Target is Critical—Check the check box to make this local target the critical target. Usable for accounting and for AAA audit (passed authentication) logging category types only.

d. Click the Remote Syslog Target tab and choose the Remote Targets to view the logs.

e. Click Submit.

The Logging Categories page appears, with your configured logging category.

When the ACS processes of the 5.2 log collector server are up and running, all the configuration data, monitoring and report data, and reports are upgraded.

Now the upgraded server functions as ACS 5.2 primary server as well as a log collector.

Step 12 Import local and outstanding Certificate Sign Requests (CSRs).

See Importing Server Certificates and Associating Certificates to Protocols section on page 15 and Generating Self-Signed Certificates section on page 16 in the User Guide for the Cisco Secure Access Control System 5.2.

To verify upgrade of the log collector, check the MonitoringandReportingDatabase.log file. There should not be any error in the database upgrade.

While performing a full backup and restore on different servers, IP address of the backed up server will be assigned to the restoring server.


Upgrading the Secondary Servers

To upgrade each 5.1 secondary server in your deployment to 5.2:

To ensure that you preserve the local certificates of the secondary server, you must import all the local and outstanding CSRs to each node in the deployment. See Upgrading the PKI Data and Certificates.

Before upgrading a secondary ACS server, ensure that the server is not inactive and it is not in local mode.

To verify the status, from the web interface of the secondary server, select System Administration > Operations > Local Operations > Join a Distributed System and check the status of the secondary ACS server.


Step 1 Verify if the secondary server is a log collector.

If so, change the log collector server to the primary server or any other secondary server; otherwise, proceed to Step 2.

a. From the 5.1 primary server, select System Administration > Configuration > Log Configuration > Log Collector.

ACS displays the current log collector server.

b. From the Select Log Collector drop-down list box, choose a different server to configure it as a log collector.

c. Click Set Log Collector.

Step 2 Deregister the secondary server from the 5.1 deployment and delete it from the ACS 5.1 primary server, so that it now becomes a standalone server:

a. Select System Administration > Operations > Distributed System Management.

The Distributed System Management page appears.

b. From the Secondary Instances table, check the check box next to the secondary instance that you want to deregister.

c. Click Deregister.

The system displays the following message:

This operation will deregister the selected ACS Instance from the Primary Instance.
 
   
Do you wish to continue?
 
   

d. Click OK.

The ACS machine restarts.

e. Log into the ACS 5.1 primary server.

f. Select System Administration > Operations > Distributed System Management.

g. From the Secondary Instances table, check the check box next to the secondary instance that you want to delete.

h. Click Delete.

The following message appears:

Are you sure you want to delete the selected item/items?
 
   

i. Click OK.

The Secondary Instances table on the Distributed System Management page appears without the deleted secondary instance.

Step 3 Back up the secondary server data.

From the ACS CLI, issue the following backup command in the EXEC mode to perform a backup and place the backup in a repository:

backup backup-name repository repository-name

Step 4 Perform the steps described in Incremental upgrade of ACS server from ACS 5.1 to 5.2.

ACS upgrades to ACS 5.2.

Step 5 Register the secondary server to the ACS 5.2 primary server.

a. Select System Administration > Operations > Local Operations > Deployment Operations.

The Deployment Operation page appears.

b. Complete the following mandatory fields under Registration dialog box:

Primary Instance—The hostname of the 5.2 primary server that you wish to register the secondary instance with.

Admin Username—Username of an administrator account.

Admin Password—The password for the administrator account.

Hardware Replacement—Check to enable the existing ACS instance to re-register with the primary instance and get a copy of the configuration already present in the primary instance.

Recovery Keyword—Specify the same hostname that was used in the 5.1 deployment to ensure that you associate this secondary server with the monitoring and report data collected earlier.

After you submit this information, this instance connects to the primary instance. The primary instance finds the associated ACS instance records based on the keyword, and marks each record as registered.

c. Click Register to Primary.

The system displays the following message:

This operation will register this ACS Instance as a secondary to the specified Primary 
Instance. ACS will be restarted. You will be required to login again. Do you wish to 
continue?
 
   

d. Click OK.

When you register a secondary to a primary instance, you can use any account created on the primary instance. The credentials that you create on the primary instance are replicated to the secondary instance.

e. Log into the ACS secondary server after restart.

After the registration is complete, ACS performs a full synchronization and sends the ACS 5.2 configuration data to the 5.2 secondary server.

Step 6 Import local and outstanding CSRs.

See Importing Server Certificates and Associating Certificates to Protocols section on page 15 and Generating Self-Signed Certificates section on page 16 of the User Guide for the Cisco Secure Access Control System 5.2.


Upgrading the Primary Server

To upgrade the primary server from a 5.1 to 5.2 deployment:


Step 1 Back up the primary server data.

To do this, from the ACS CLI, enter the following backup command in the EXEC mode to perform a backup and place the backup in a repository:

backup backup-name repository repository-name

Step 2 Make sure the primary server is a standalone server:

a. Select System Administration > Operations > Distributed System Management.

The Distributed System Management page appears.

b. Check if there are secondary servers listed in the Secondary Instances table.

If there are any secondary servers, upgrade those servers before upgrading the 5.1 primary server. See Upgrading the Secondary Servers.

Step 3 Upgrade the ACS server to 5.2. See Incremental upgrade of ACS server from ACS 5.1 to 5.2.

Step 4 Register the server to the Primary ACS 5.2:

a. Select System Administration > Operations > Local Operations > Deployment Operations.

The Deployment Operation page appears.

b. Complete the following mandatory fields under Registration dialog box:

Primary Instance—The hostname of the primary server that you wish to register the secondary instance with.

Admin Username—Username of an administrator account.

Admin Password—The password for the administrator account.

Hardware Replacement—Check to enable the existing ACS instance with re-register to the primary instance and get a copy of the configuration already present in the primary instance.

Recovery Keyword—Specify the same hostname as was used in the 5.1 deployment to ensure that you associate this server with the monitoring and report data collected earlier.

After you submit this information, this instance connects to the primary instance. The primary instance finds the associated ACS instance records based on the keyword, and marks each record as registered.

c. Click Register to Primary.

The system displays the following message:

This operation will register this ACS Instance as a secondary to the specified Primary 
Instance. ACS will be restarted. You will be required to login again. Do you wish to 
continue?
 
   

d. Click OK.

When you register a secondary to a primary instance, you can use any account created on the primary instance. The credentials that you create on the primary instance are replicated to the secondary instance.

e. Log into the ACS server after restart.

Step 5 Promote this instance as the ACS 5.2 primary again. See Promoting a Secondary Server to Primary.


Note Perform Step 4 only when you have a secondary server functioning as an ACS 5.2 primary server or when you want the log collector node to be a secondary server.



Upgrading the PKI Data and Certificates

The ACS 5.1 Public Key Infrastructure (PKI) credentials and the local certificates and outstanding CSRs are restored in ACS 5.2 by reimporting the certificates.

If you upgrade the ACS 5.1 machine to ACS 5.2, all the PKI data will be erased. To preserve the local certificates, you must import all the local and outstanding CSRs to the primary node in the deployment.

To preserve the local certificates:


Step 1 On the ACS 5.1 target machine, go to System Administration > Configuration > Local Server Certificates > Local Certificates.

Step 2 Check the local certificate.

Step 3 Click Export.

Step 4 Export the certificate and the private key.

Step 5 Repeat steps 2 to 4 for all the local certificates.

Step 6 Go to System Administration > Configuration > Local Server Certificates > Outstanding Signing Requests.

Step 7 Check the CSR.

Step 8 Click Export.

Step 9 Repeat steps 7 and 8 for all the CSRs.

Step 10 Save all the exported certificates and CSRs.

Step 11 Reimaging the target machine ACS 5.1 to ACS 5.2.

Step 12 Import all the exported certificates and CSRs.


Promoting a Secondary Server to Primary

To promote a secondary server to primary:


Step 1 From the web interface of the primary server, select System Administration > Operations > Distributed System Management.

The Distributed System Management page appears.

Step 2 In the Secondary Instances table, check the check box next to the secondary server that you want to promote to primary.

Step 3 Click Promote.

The system displays the following message:

This operation will promote the selected ACS Instance to become the new Primary Instance. 
As a consequence, the current Primary Instance will be demoted to a Secondary.
 
   
Do you wish to continue?
 
   

Step 4 Click OK.

The system promotes the selected secondary server to primary, moves it to the Primary Instance table, and the existing primary server will be automatically moved to the Secondary Instances table.

When the registration completes, ACS performs a full synchronization and sends the ACS 5.2 configuration data to the newly promoted primary server.


Upgrading the ACS Monitoring and Report Viewer

ACS invokes the upgrade of the Monitoring and Report Viewer as a subtask during upgrade.

The maximum disk space available for ACS Monitoring and Report Viewer is 150 GB.

This section contains:

Restoring the Monitoring and Report Viewer Data After Upgrade

Upgrading the Database

Upgrading the Reports

To check the status of the database upgrade, in the Monitoring and Report Viewer, choose Monitoring Configuration > System Operations > Data Upgrade Status.

The Data Upgrade Status page appears, indicating the status of the Monitoring and Report Viewer data upgrade.

When the database upgrade completes, ACS displays the following message:

Upgrade completed successfully.

Restoring the Monitoring and Report Viewer Data After Upgrade

When you restore the backup data after upgrading to 5.2, ACS automatically synchronizes the changes with the database and reports, if any changes are found.

The reports data is available only for the period during which you take a backup and not for the period when you restore it. For example, if you back up the data in June and restore it in August, the reports data avalable will be for June only and not for August. To get the latest reports data you need to run the reports again.

Upgrading the Database

After the 5.2 upgrade, if you restore the backup made prior to the upgrade, ACS displays the database version as AVPair:DBVersion=5.2 and maintains the schema version as 5.2 in the av_system_settings table. When the database process restarts, ACS checks the ACS version and the database version if they are out-of-date and performs a schema and data upgrade.

Upgrading the Reports

After you upgrade to 5.2, if you restore the backup made prior to the upgrade, ACS checks if the reports tag displays "View 5.2" and when the web process starts up, ACS performs the necessary updates.Up

Upgrading an ACS Server from 5.1 to 5.2

There are the following two ways in which you can upgrade an ACS server from 5.1 to 5.2:

Incremental upgrade of ACS server from ACS 5.1 to 5.2

Backing Up and Restoring ACS Application

Incremental upgrade of ACS server from ACS 5.1 to 5.2

This section describes the steps to upgrade ACS from 5.1 to 5.2.

To upgrade an ACS server from 5.1 to 5.2:


Step 1 Back up the ACS data from the ACS 5.1 server.


Note Note Ensure that you use a nonlocal repository for the ACS 5.1 data backup.


Step 2 Issue the following backup command in the EXEC mode to perform a backup and place the backup in a repository:

backup backup file name repository repository name


Note This backup file is not used during upgrade.


Step 3 Place the ACS 5.2 upgrade image in a remote repository and upgrade ACS to 5.2:

Issue the following application upgrade command in the EXEC mode to upgrade ACS.

application upgrade ACS_5.2.0.26.tar.gz repository-name

ACS displays the following confirmation message:

Do you want to save the current configuration ? (yes/no) [yes] ?

Enter yes.

When the ACS upgrade is complete, the following message appears:

% CARS Install application required post install reboot...

The system is going down for reboot NOW!

Application upgrade successful

While ACS upgrades the ACS 5.1 configuration data, it also begins to convert the ACS 5.1 Monitoring and Report Viewer data to the 5.2 format.

Step 4 To monitor the status of the data upgrade, from the Monitoring and Report Viewer, choose Monitoring Configuration > System Operations > Data Upgrade Status.

The Data Upgrade Status page appears, indicating the status of the Monitoring and Report Viewer data upgrade.

When the database upgrade completes, ACS displays the following message:

Upgrade completed successfully.

Step 5 Click OK.

Step 6 Issue the show application version acs command and check if the upgrade is successful.

The following message is displayed:

ADE-OS Build Version: 1.2.0.182

Cisco ACS VERSION INFORMATION

-----------------------------

Version : 5.2.0.26


Backing Up and Restoring ACS Application

This section describes the procedure for upgrading ACS 5.1 to 5.2 by backing up the ACS 5.1 data and restoring it on ACS 5.2.

You must have physical access to the ACS box to perform this upgrade procedure.

To backup and restore the ACS application:


Step 1 Back up the ACS data from the ACS 5.1 server.


Note Ensure that you use a nonlocal repository for the ACS 5.1 data backup. Otherwise, you might lose the configuration data after you install 5.2.


Issue the following backup command in the EXEC mode to perform a backup and place the backup in a repository.

backup backup-name repository repository-name

Step 2 Use ACS 5.2 recovery DVD to install ACS 5.2. This reimages the ACS server with ACS 5.2.

Step 3 Install the latest ACS 5.2 patch:

acs patch install patch file name repository repository name

Step 4 Configure a repository to place the backed up data.

Step 5 Restore the ACS data to the ACS 5.2 server:

Issue the restore command in the EXEC mode to restore the backup taken earlier:

restore filename repository repository-name

While ACS restores the 5.1 configuration data, it begins to convert and upgrade the ACS 5.1 Monitoring and Report Viewer data to the 5.2 format.

Step 6 To monitor the status of the data upgrade, from the Monitoring and Report Viewer, choose Monitoring Configuration > System Operations > Data Upgrade Status.

The Data Upgrade Status page appears, indicating the status of the Monitoring and Report Viewer data upgrade.

When the database upgrade completes, ACS displays the following message:

Upgrade completed successfully.

Step 7 Click OK.



Note You do not need to change the IP address and the running configuration of the ACS server when restoring database on a different ACS server.


Upgrading an ACS Server from 5.0 to 5.1

To upgrade your ACS 5.0 server to ACS 5.2, follow the below steps:


Step 1 Backup the ACS 5.0 database.

Issue the following backup command in the EXEC mode to perform a backup and place the backup in a repository.

backup backup-name repository repository-name


Note Ensure that you use a nonlocal repository for the ACS 5.0 data backup. Otherwise, you might lose the configuration data after you install 5.1.


Step 2 Install ACS 5.1 using the recovery DVD.

Step 3 Install the latest ACS 5.1 patch available on Cisco.com.

Step 4 Restore the ACS 5.0 database.

Issue the restore command in the EXEC mode to restore the backup taken earlier:

restore filename repository repository-name

ACS upgrades the 5.0 configuration data and Monitoring and Report Viewer data to the 5.1 format.

Step 5 Backup the ACS 5.1 database.

Issue the following backup command in the EXEC mode to perform a backup and place the backup in a repository.

backup backup-name repository repository-name


Note Ensure that you use a nonlocal repository for the ACS 5.1 data backup. Otherwise, you might lose the configuration data after you install 5.2.


Step 6 Install ACS 5.2 using the recovery DVD.

Step 7 Install the latest ACS 5.2 patch, if available.

Step 8 Restore the ACS 5.1 database

Issue the restore command in the EXEC mode to restore the backup taken earlier:

restore filename repository repository-name

ACS upgrades the 5.1 configuration data and Monitoring and Report Viewer data to the 5.2 format.


Applying ACS Patch

You can download the ACS 5.2 cumulative patches from the following location: http://www.cisco.com/public/sw-center/index.shtml

To download and apply the patches:


Step 1 Log into Cisco.com and navigate to Network Management > Security and Identity Management > Cisco Secure Access Control Server Products > Cisco Secure Access Control System > Cisco Secure Access Control System 5.2.

Step 2 Download the patch.

Step 3 Install the ACS 5.2 cumulative patch by running the following acs patch command in the EXEC mode to install the ACS patch:

acs patch install patch-name.tar.gpg repository repository-name

ACS displays the following confirmation message:

Installing an ACS patch requires a restart of ACS services.
Would you like to continue? yes/no
 
   

Step 4 Enter yes.