Installation and Setup Guide for Cisco Secure ACS Solution Engine 4.0
Upgrading and Migrating to Cisco Secure ACS Solution Engine

This chapter describes how to upgrade to Cisco Secure ACS Solution Engine (ACS SE) 4.0, and how to migrate from an ACS Windows server to ACS SE. This chapter contains the following sections:

Upgrading to ACS SE 4.0.1 on the Quanta (1113) Platform

Upgrading to ACS SE 4.0

Loading and Installing an Upgrade Image

Migrating to ACS SE

Upgrading to ACS SE 4.0.1 on the Quanta (1113) Platform

The ACS SE 4.0.1 release uses the ACS SE Quanta (1113) platform. ACS SE on the Quanta (1113) platform can only run the ACS 4.0.1 software release (ACS for Windows 4.0.1.27). You cannot upgrade the software directly on the ACS SE Quanta (1113) platform using the ACS upgrade or management upgrade packages. Instead, you must do the following:

1. Upgrade the software on a previous SE hardware platform (the Cisco 1111 or the Cisco 1112) to ACS version 4.0.1 (ACS for Windows 4.0.1.27) using one of the upgrade methods:

The full upgrade method. For information on this method, see Performing a Full Upgrade.

The ACS management upgrade method. For information on this method, see Upgrading to ACS SE 4.0 on top of the Existing Base Image.

2. Back up the software on the previous SE hardware platform.

3. On the new hardware platform (the Quanta (1113) hardware version), first install the SE 1113 version, or use the existing installation, and then use the ACS restore feature to install the 4.0.1 software (ACS for Windows 4.0.1.27) on the SE device.

For information on steps 2 and 3, see Migrating to ACS SE.

Upgrading to ACS SE 4.0


Note: The information in this section applies only to upgrading the software on the Quanta (1112) version of the SE appliance hardware. If you are migrating the software release from an existing Cisco 1111 or Cisco 1112 device to a Cisco 1113 device (the Quanta (1113) version), you must first back up the existing software and then use the restore feature to install it on the Quanta (1113) hardware platform.


You can upgrade your existing ACS SE appliance with the latest ACS software, appliance management software, and appliance base image.

Table 5-1 describes the upgrade paths for ACS SE based on whether you want to perform a full upgrade, including the latest base image, and whether you want to restore existing data.


Note: The ACS SE 4.0 base image includes additional Microsoft hotfixes. For details, see Release Notes for Cisco Secure ACS Solution Engine 4.0.


Table 5-1 Upgrade Paths to ACS SE 4.0

| Upgrade Path | Description | Upgrade Procedure |
|---|---|---|
| Full upgrade with data restore | Upgrades appliance base image, appliance management software, and ACS software. Restores existing data. | Performing a Full Upgrade |
| Full upgrade without data restore | Upgrades appliance base image, appliance management software, and ACS software. All existing data is lost. | Performing a Full Upgrade |
| Appliance management software and ACS software upgrade | Upgrades appliance management software and ACS software on top of the existing base image. Existing data and configuration are automatically restored. The base image is not upgraded. | Upgrading to ACS SE 4.0 on top of the Existing Base Image |



Note: If you are upgrading from an ACS SE version before ACS SE 3.2.3, you must first upgrade to ACS SE 3.3.3. For information about upgrading to ACS SE 3.3.3, see Release Notes for Cisco Secure ACS Solution Engine 3.3.3 on Cisco.com.


Table 5-2 describes various upgrade use cases that you can use to decide the appropriate upgrade path to follow.


Caution: Backup and restore are supported and tested only when done on the same version. For example, backing up on 4.0 and restoring on 4.0 is supported; backing up on 3.3.3 and restoring on 4.0 is not.


Note: Before you begin any upgrade procedure, we recommend that you back up your existing data and configuration.


Table 5-2 Upgrade Use Cases

From Version: 3.3.2, 3.3.1, or 3.2.3
Upgrade Path: Full Upgrade with Data Restore
    1. Use the Upgrade Package Appliance Management Software for ACS 4.0.1.
    2. Use the Upgrade Package ACS 4.0.1 Software for Appliance.
    3. Back up your data.
    4. Use the ACS SE 4.0 Recovery CD [1] to upgrade the appliance.
    5. Restore the data.
    See Performing a Full Upgrade.
Results:
    Base image upgraded including SNMP support, and installation of Cisco Security Agent (CSA).
    Appliance management software upgraded.
    ACS software upgraded.
    Data restored.

From Version: 3.3.3 (includes SNMP support and CSA)
Upgrade Path: Full Upgrade with Data Restore
    1. Use the Upgrade Package Appliance Management Software for ACS 4.0.1.
    2. Use the Upgrade Package ACS 4.0.1 Software for Appliance.
    3. Back up your data.
    4. Use the ACS SE 4.0 Recovery CD [1] to upgrade the appliance.
    5. Restore the data.
    See Performing a Full Upgrade.
Results:
    Base image upgraded including additional Microsoft hotfixes.
    Appliance management software upgraded.
    ACS software upgraded.
    Data restored.

From Version: 3.3.2, 3.3.1, or 3.2.3
Upgrade Path: Full Upgrade without Data Restore
    Use the ACS SE 4.0 Recovery CD [1] to upgrade the appliance.
    See Performing a Full Upgrade.
Results:
    Base image upgraded including SNMP support, and installation of Cisco Security Agent (CSA).
    Appliance management software upgraded.
    ACS software upgraded.
    Blank database (data not restored).

From Version: 3.3.3 (includes SNMP support and CSA)
Upgrade Path: Full Upgrade without Data Restore
    Use the ACS SE 4.0 Recovery CD [1] to upgrade the appliance.
    See Performing a Full Upgrade.
Results:
    Base image upgraded including additional Microsoft hotfixes.
    Appliance management software upgraded.
    ACS software upgraded.
    Blank database.

From Version: 3.3.2, 3.3.1, or 3.2.3
Upgrade Path: Appliance management software and ACS software upgrade
    1. Use the Upgrade Package Appliance Management Software for ACS 4.0.1.
    2. Use the Upgrade Package ACS 4.0.1 Software for Appliance.
    See Upgrading to ACS SE 4.0 on top of the Existing Base Image.
Results:
    Base image not upgraded: no SNMP support and no installation of Cisco Security Agent (CSA).
    Appliance management software upgraded.
    ACS software upgraded.
    Data restored.

From Version: 3.3.3 (includes SNMP support and CSA)
Upgrade Path: Appliance management software and ACS software upgrade
    1. Use the Upgrade Package Appliance Management Software for ACS 4.0.1.
    2. Use the Upgrade Package ACS 4.0.1 Software for Appliance.
    See Upgrading to ACS SE 4.0 on top of the Existing Base Image.
Results:
    Base image not upgraded: no additional Microsoft hotfixes.
    Appliance management software upgraded.
    ACS software upgraded.
    Data restored.

[1] Ensure that you are using the correct recovery files for your specific hardware (Cisco 1111 or 1112).



Note: If you use ACS Remote Agents, after any type of upgrade to ACS SE 4.0, you must uninstall your old version of ACS Remote Agents, and install Remote Agents for ACS SE 4.0.


Performing a Full Upgrade

This procedure upgrades ACS SE to version 4.0 on a Cisco 1111 or a Cisco 1112 device.

To restore data on the upgraded appliance, you must upgrade the software on the appliance so that you can back up the upgraded data and configuration. You then reinstall ACS 4.0, and restore your data and configuration.

If you do not want to restore data on the upgraded appliance, skip steps 2 and 5.

Before you begin:

Make a backup of your existing data and configuration.


Note: The backup procedure does not back up the cert7.db file. If you use this certificate file with an LDAP database, we recommend that you back it up on a remote machine for disaster recovery. When you migrate from an ACS server to an ACS appliance, move the cert7.db file to an FTP server and download it according to the normal provisioning instructions. When you upgrade an ACS appliance, repeat the download procedure that you originally used to provision the appliance.



Step 1 If the ACS SE is running Cisco Security Agent, you must disable the CSAgent service before upgrading. You can do so at the console or in the web interface:

Using the console, enter show. If the CSAgent service is running, enter stop csagent.

Using the web interface, choose System Configuration > Appliance Configuration and verify that the CSA Enabled check box is not checked. If it is checked, uncheck the CSA Enabled check box and click Submit.

Step 2 Required for full upgrade with Restore. If you do not want to restore your data, skip to step 3.

a. Apply the Upgrade Package Appliance Management Software for ACS 4.0.1, which is available on the ACS SE 4.0 Upgrade CD.

b. Apply the Upgrade Package ACS 4.0.1 Software for Appliance, which is available on the ACS SE 4.0 Upgrade CD.

For details on using the web interface to upgrade, see the User Guide for Cisco Secure ACS Solution Engine. For details on using the command line to upgrade, see Loading and Installing an Upgrade Image.


Note: When you use the upgrade package, dynamically mapped users are not kept.


c. Back up the upgraded ACS SE data and configuration by using one of the following features:

ACS Backup, which is available in the System Configuration section of the web interface. For more information, see the User Guide for Cisco Secure ACS Solution Engine.

The CLI backup command, which is available from the serial console. For more information, see Backing Up ACS Data From the Serial Console, page 4-12.

Step 3 Use the ACS SE 4.0 Recovery CD to upgrade the appliance to 4.0. The upgrade destroys all data and installs a new image. Ensure that you have the correct version for your hardware.

For more information about reimaging the hard drive, see Re-imaging the Solution Engine Hard Drive, page 4-25.

Step 4 Perform an initial configuration of the ACS SE. For more information, see Configuring ACS SE, page 3-23.

Step 5 Required for full upgrade with Restore. If you do not want to restore your data, skip to step 6.

Restore the appliance data and configuration by using one of the following features:

ACS Restore, which is available in the System Configuration section of the web interface. For more information, see the User Guide for Cisco Secure ACS Solution Engine.

The restore command, which is available on the serial console. For more information, see Restoring ACS Data From the Serial Console, page 4-14.

Step 6 Verify that Cisco Security Agent is enabled by using one of the following features:

At the console, enter show. If the CSAgent service is not running, enter start csagent.

In the web interface, choose System Configuration > Appliance Configuration and verify that the CSA Enabled check box is checked. If not, select it and click Submit.


Upgrading to ACS SE 4.0 on top of the Existing Base Image

If you do not need the new features that are available with the upgraded base image, you can upgrade the Appliance Management Software and ACS software on top of the existing base image. The existing data and configuration are automatically upgraded and restored.

This procedure upgrades the ACS software to version 4.0 on a Cisco 1111 device or a Cisco 1112 device.

Before you begin:

Make a backup of your existing data and configuration.


Note: The backup procedure does not back up the cert7.db file. If you use this certificate file with an LDAP database, we recommend that you back it up on a remote machine for disaster recovery. When you migrate from an ACS server to an ACS appliance, move the cert7.db file to an FTP server and download it according to the normal provisioning instructions. When you upgrade an ACS appliance, repeat the download procedure that you originally used to provision the appliance.



Step 1 If ACS SE is running Cisco Security Agent, disable the CSAgent service before upgrading by using one of the following features:

At the console, enter show. If the CSAgent service is running, enter stop csagent.

In the web interface, choose System Configuration > Appliance Configuration and verify that the CSA Enabled check box is not checked. If it is checked, uncheck the CSA Enabled check box and click Submit.

Step 2 Apply the Upgrade Package Appliance Management Software for ACS 4.0.1, which is available on the ACS SE 4.0 Upgrade CD.

For details on using the web interface to upgrade, see the User Guide for Cisco Secure ACS Solution Engine. For details on using the command line to upgrade, see Loading and Installing an Upgrade Image.

Step 3 Apply the Upgrade Package ACS 4.0.1 Software for Appliance, which is available on the ACS SE 4.0 Upgrade CD.

For details on using the web interface to upgrade, see the User Guide for Cisco Secure ACS Solution Engine. For details on using the command line to upgrade, see Loading and Installing an Upgrade Image.


Note: When you use the upgrade package, dynamically mapped users are not kept.


Step 4 Verify that Cisco Security Agent is enabled by using one of the following features:

At the console, enter show. If the CSAgent service is not running, enter start csagent.

In the web interface, choose System Configuration > Appliance Configuration and verify that the CSA Enabled check box is checked. If not, select it and click Submit.

Step 5 To see the results of this upgrade procedure, view the Appliance Upgrade page. To do so, log in to the web interface and choose System Configuration > Appliance Upgrade Status.

The Application Versions table appears, displaying the upgraded application versions for the ACS software, appliance management software, and appliance base image.


Loading and Installing an Upgrade Image

This section describes how to load and install an ACS SE upgrade image from the command line interface of the serial console.

Upgrading the ACS SE typically involves the following steps:


Step 1 Obtain the upgrade package from Cisco Systems and load it onto a distribution server in your network. You can use an upgrade CD or download the upgrade package from Cisco.com.

Step 2 Load the upgrade image onto the ACS SE from the distribution server on your network from within the web interface, or from the serial console. The ACS SE verifies the files that are transferred to ensure that they have not been corrupted. For more information on performing this step from the web interface, see the User Guide for Cisco Secure ACS Solution Engine. To load the upgrade image by using the command line interface, use the procedure described in Transferring an Upgrade Package to the Solution Engine via Serial Console.

Step 3 Finally, apply the ACS SE system upgrade from within the web interface, or from the serial console. For more information, see Applying a Solution Engine Upgrade.

This process is shown in Figure 5-1.

Figure 5-1 Solution Engine Upgrade Process

Transferring an Upgrade Package to the Solution Engine via Serial Console

Use this procedure to transfer an upgrade package from a distribution server to an ACS SE.

Before you begin

You must have acquired the upgrade package and selected a distribution server. For more information, see Loading and Installing an Upgrade Image.


Note: This procedure is typically performed from within the web interface. For more information, see the User Guide for Cisco Secure ACS Solution Engine.


To transfer an upgrade to your ACS SE:


Step 1 If the distribution server uses Microsoft Windows, follow these steps:

a. If you have acquired the upgrade package on CD, insert the CD in a CD ROM drive on the distribution server.


Tip: You can also use a shared CD drive on a different computer. If you do so and autorun is enabled on the shared CD drive, the HTTP server that is included in the upgrade package runs on the other computer, not the distribution server.


b. If either of the following conditions is true:

You have acquired the upgrade package as a compressed file.

Autorun is not enabled on the CD ROM drive.

Locate the autorun.bat file on the CD or in the directory from which you extracted the compressed upgrade package and run it.

Result: The HTTP server starts.

Step 2 If the distribution server uses Sun Solaris:

a. If you have acquired the upgrade package on CD, insert the CD in a CD-ROM drive on the distribution server.

b. Locate the autorun.sh file on the CD or in the directory into which you extracted the compressed upgrade package.

c. Run autorun.sh.

Result: The HTTP server starts. Messages from autorun.sh appear in a console window. Two web browser windows appear. The browser window titled Appliance Upgrade contains the Enter solution engine hostname or IP address box. The browser window titled New Desktop contains buttons labeled Install Next and Stop Distribution Server. You can use the New Desktop window to start transfers to other solution engines.

Step 3 Log in to the ACS SE. For more information, see Logging In to the Solution Engine From a Serial Console, page 4-2.

Step 4 At the system prompt, type download followed by the IP address of the distribution server.

Step 5 Press Enter.

Result: The system displays a number of messages including, finally, the following confirmation message:

Successfully downloaded the package. Run upgrade command to install the package.


Applying a Solution Engine Upgrade

Use this procedure to install upgrades on the ACS SE. Upgrades may include the installation of a full software revision or simply the installation of a software patch.

Before you begin

You must have an upgrade to install. For information on checking the availability of and obtaining an upgrade, see the User Guide for Cisco Secure ACS Solution Engine. For information on how to load the upgrade package onto the ACS SE, see Transferring an Upgrade Package to the Solution Engine via Serial Console.

Also, if CSAgent is running, you must disable it before you issue the upgrade command. For information on stopping services, see Stopping Solution Engine Services From a Serial Console, page 4-4.

Finally, because the ACS SE is nonoperational during the upgrade process, you should schedule the upgrade for a time when its absence online will have the least impact.

To apply an ACS SE system upgrade:


Step 1 Log in to the ACS SE. For more information, see Logging In to the Solution Engine From a Serial Console, page 4-2.


Caution: The ACS SE will be nonoperational during the upgrade process.


Note: If CSAgent is running, you must disable it before you issue the upgrade command.


Step 2 At the system prompt, type upgrade.

Step 3 Press Enter.

Result: The system displays the following confirmation message:

Installing the patch could adversely affect the system. Do you still want to 
continue?---y(yes), n(no)

Step 4 Type Y to continue.

Result: The system displays a series of messages that include:

---Extracting---
---Verifying . . .---

Tip: If no upgrade package is loaded on the ACS SE, a message requests that you download an upgrade package.


Step 5 Depending on your certification authority settings, you might see a warning message similar to the following:

Upgrade package was not verified
Applying this upgrade package may corrupt the appliance
Continue at your own risk!
Continue ---y(yes), n(no)

If you do see this prompt, type Y to continue.

Result: The system displays a series of messages that may include:

Installing Cisco Secure ACS Version: x.x.x
Upgrading . . .

ACS Installation was successful
Successfully upgraded 	Cisco Secure ACS Version x.x.x
Completed upgrade and system will be rebooted.

Note: During this installation of the upgrade, the system reboots twice. Therefore, when the system displays the following message:
Reboot will occur in a few minutes.

Login:

Continue to wait until you see the final message:
Status: Appliance is functioning normally.

This message indicates that the upgrade is complete.



Tip: To obtain system information, including the current version, see Determining the Status of Solution Engine System and Services From a Serial Console, page 4-3.
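The following is an added example, not part of Cisco's guide: a Python check over a captured serial-console transcript that uses the messages quoted in this procedure to flag an install that proceeded past the "Upgrade package was not verified" warning, and to tell the intermediate Login: prompt apart from real completion. The transcript capture, the sample text, the address 192.0.2.10 and the version string in the sample are constructed assumptions.

```python
import re

# Console messages quoted in this guide; everything else here is an assumption.
DOWNLOADED = "Successfully downloaded the package."
UNVERIFIED = "Upgrade package was not verified"
INSTALLING = re.compile(r"Installing Cisco Secure ACS Version:\s*\S+")
UPGRADED = re.compile(r"Successfully upgraded\s+Cisco Secure ACS Version\s+(\S+)")
REBOOT_NOTICE = "Reboot will occur in a few minutes."
FINAL_STATUS = "Status: Appliance is functioning normally."


def audit_upgrade_transcript(text):
    """Summarise a captured serial-console log of the download/upgrade steps."""
    report = {"package_downloaded": False, "unverified_warning": False,
              "installed_unverified": False, "version": None,
              "state": "not-started", "findings": []}
    for line in (ln.strip() for ln in text.splitlines()):
        if DOWNLOADED in line:
            report["package_downloaded"] = True
        elif UNVERIFIED in line:
            report["unverified_warning"] = True
        elif INSTALLING.search(line):
            report["state"] = "installing"
            # Install output after the warning means the prompt was answered Y.
            report["installed_unverified"] = report["unverified_warning"]
        elif UPGRADED.search(line):
            report["version"] = UPGRADED.search(line).group(1)
            report["state"] = "awaiting-reboot"
        elif REBOOT_NOTICE in line and report["version"]:
            report["state"] = "rebooting"
        elif FINAL_STATUS in line and report["version"]:
            # Only a status line seen after the install output counts; one
            # printed earlier (before the upgrade ran) proves nothing.
            report["state"] = "complete"
    if report["installed_unverified"]:
        report["findings"].append(
            "package installed after the 'not verified' warning: confirm its "
            "origin and review the certification authority settings")
    if report["state"] in ("installing", "awaiting-reboot", "rebooting"):
        report["findings"].append(
            "upgrade not finished: final status message not seen (a Login: "
            "prompt between the two reboots is not completion)")
    return report


# Constructed transcript assembled from the messages shown in this chapter.
SAMPLE_COMPLETE = """\
download 192.0.2.10
Successfully downloaded the package. Run upgrade command to install the package.
upgrade
Installing the patch could adversely affect the system. Do you still want to
continue?---y(yes), n(no)
---Extracting---
---Verifying . . .---
Upgrade package was not verified
Applying this upgrade package may corrupt the appliance
Continue at your own risk!
Continue ---y(yes), n(no)
Installing Cisco Secure ACS Version: 4.0.1
Upgrading . . .
ACS Installation was successful
Successfully upgraded \tCisco Secure ACS Version 4.0.1
Completed upgrade and system will be rebooted.
Reboot will occur in a few minutes.
Login:
Status: Appliance is functioning normally.
"""
# Same capture cut off at the Login: prompt, before the final status line.
SAMPLE_INTERRUPTED = SAMPLE_COMPLETE.split("Status:")[0]

if __name__ == "__main__":
    for name, sample in (("complete", SAMPLE_COMPLETE),
                         ("interrupted", SAMPLE_INTERRUPTED)):
        print(name, audit_upgrade_transcript(sample))
```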



Migrating to ACS SE

Migrating from Cisco Secure ACS for Windows Server (ACS for Windows) to ACS SE uses the backup and restore features of ACS. Backup files produced by ACS for Windows are compatible with ACS SE, provided that both are using the same version of ACS software.

Before You Begin

Before upgrading or transferring data, back up your original ACS database and configuration, and save the backup file in a location on a drive that is not local to the computer on which ACS is running.


Note: The backup procedure does not back up the cert7.db file. If you use this certificate file with an LDAP database, we recommend that you back it up on a remote machine for disaster recovery. When you migrate from an ACS server to an ACS appliance, move the cert7.db file to an FTP server and download it according to the normal provisioning instructions. When you upgrade an ACS appliance, repeat the download procedure that you originally used to provision the appliance.



Note: If ACS runs on Windows NT 4.0, the following procedure will advise you when it is necessary to upgrade to Windows 2000 Server. Because the use of the backup and restore features is only supported between ACSs of the same version, you must use ACS for Windows 4.0 to transfer data from ACS for Windows to ACS SE. ACS for Windows 4.0 supports Windows 2000 Server and Windows Server 2003, not Windows NT 4.0. See the following procedure for more details.


To migrate from a Windows version of ACS to ACS SE:


Step 1 Set up the appliance, following the steps in Chapter 3, "Installing and Configuring Cisco Secure ACS Solution Engine 4.0."

Step 2 On the ACS server, upgrade ACS for Windows to version 4.0. If you do not have a license for version 4.0, you can use the trial version, available at http://www.cisco.com/cgi-bin/tablebuild.pl/acs-win-3des.

If you run ACS on Windows NT 4.0, upgrade to ACS 3.0, and then migrate to Windows 2000 Server before upgrading to ACS 4.0. ACS 3.0 is the most recent version of ACS that supports Windows NT 4.0. For information about upgrading to ACS 3.0 or about migrating to Windows 2000 Server, see Installing Cisco Secure ACS 3.0 for Windows 2000/NT Servers. You can acquire the trial version of ACS 3.0 at http://www.cisco.com/cgi-bin/tablebuild.pl/acs-win-3des.

Step 3 In the web interface of ACS for Windows 4.0, use the ACS Backup feature to back up the database. For more information about the ACS Backup feature, see the User Guide for Cisco Secure ACS for Windows Server.

Step 4 Copy the backup file from the computer that is running ACS for Windows 4.0 to a directory on an FTP server. The directory must be accessible from the FTP root directory. ACS SE must be able to contact the FTP server. Any gateway devices must permit FTP communication between the appliance and the FTP server.

Step 5 In the web interface of ACS SE, use the ACS Restore feature to restore the database. For more information about restoring databases, see the User Guide for Cisco Secure ACS Solution Engine.

The ACS SE contains the original configuration of the ACS for Windows version from which you migrated.

Step 6 Continuing in the web interface of the ACS SE, verify that the settings for the (Default) entry in the Proxy Distribution Table are correct. To do so, choose Network Configuration > (Default) and ensure that the Forward To list contains the entry for the appliance.

Step 7 To replace the computer that is running ACS for Windows with ACS SE, you must change the IP address of the appliance to that used by the computer that is running ACS for Windows:

a. Record the IP address of the computer that is running ACS for Windows.

b. Change the IP address of the computer that is running ACS for Windows to a different IP address.

c. Change the IP address of the ACS SE to the IP address used previously by the computer that is running ACS for Windows. This is the IP address that you recorded in step a. For detailed steps, see Reconfiguring the Solution Engine IP Address, page 4-18.


Note: If you do not change the IP address of the ACS SE to the address of the computer that is running ACS for Windows, you must reconfigure all AAA clients to use the IP address of the ACS SE.