
RSA Patch Installation 7.5.2

Uploaded by

shardul rane

SecurID Governance & Lifecycle

Patch Installation Guide


7.5.2
Contact Information
RSA Community at https://community.rsa.com contains a knowledgebase that answers common questions and
provides solutions to known problems, product documentation, community discussions, and case management.

Trademarks
RSA, RSA Security, the RSA Logo, and other trademarks, are trademarks of RSA Security LLC or its affiliates.
Other trademarks may be trademarks of their respective owners. For a list of RSA trademarks, go to
https://www.rsa.com/en-us/company/rsa-trademarks.

License agreement
This software and the associated documentation are proprietary and confidential to RSA Security LLC or its
subsidiaries, are furnished under license, and may be used and copied only in accordance with the terms of such
license and with the inclusion of the copyright notice below. This software and the documentation, and any
copies thereof, may not be provided or otherwise made available to any other person.

No title to or ownership of the software or documentation or any intellectual property rights thereto is hereby
transferred. Any unauthorized use or reproduction of this software and the documentation may be subject to
civil and/or criminal liability.

This software is subject to change without notice and should not be construed as a commitment by RSA
Security.

Third-party licenses
This product may include software developed by parties other than RSA. The text of the license agreements
applicable to third-party software in this product may be viewed by launching the RSA Identity Governance and
Lifecycle product and selecting the About menu. By using this product, a user of this product agrees to be fully
bound by terms of the license agreements.

Note on encryption technologies


This product may contain encryption technology. Many countries prohibit or restrict the use, import, or export of
encryption technologies, and current use, import, and export regulations should be followed when using,
importing or exporting this product.

Distribution
Use, copying, and distribution of any RSA Security software described in this publication requires an applicable
software license.

RSA Security LLC believes the information in this publication is accurate as of its publication date. The
information is subject to change without notice.

THE INFORMATION IN THIS PUBLICATION IS PROVIDED "AS IS." RSA SECURITY LLC MAKES NO
REPRESENTATIONS OR WARRANTIES OF ANY KIND WITH RESPECT TO THE INFORMATION IN THIS
PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR
A PARTICULAR PURPOSE.

Copyright © 2022 RSA Security LLC or its affiliates. All Rights Reserved.

November 2022
SecurID Governance & Lifecycle Patch Installation Guide 7.5.2

Contents

Installing a Patch
    Important
Migration Queries for Group Business Descriptions
    Unused Group Business Descriptions Not Associated with an Application
    All Unused Group Business Descriptions
    Group Business Description Table
Supported Patch Upgrade Platforms
Installing the SecurID Governance & Lifecycle Patch
    STEP 1: Download the patch files
    STEP 2: Shut down all AFX instances
    STEP 3: Install the Patch
        In a WildFly Standalone and Virtual Application, do as follows:
        To apply a patch on a WildFly Cluster:
        To apply a patch on a Docker Container:
        To apply a patch in a WebLogic or WebSphere Environment:
    STEP 4: Update AFX Server
    STEP 5: Update Remote Collection Agents
Import AFX Connector Packages
Upgrade JDK


Installing a Patch

The following procedures describe how to download and apply a patch to SecurID Governance and Lifecycle
hardware appliance and software bundle installations, and how to upgrade Access Fulfillment Express (AFX)
server and connectors. Patches are cumulative.

Important
- When upgrading from product versions older than 7.5.2, you must upgrade to version 7.5.2 before you
  install any version 7.5.2 patches.
- If you are applying a patch immediately after installing or upgrading, apply the patch in a different shell
  session from the one in which you ran install.sh.
- Do not attempt to install a previous version of a patch over a later version of a patch.
- When applying a patch in a WebSphere or WebLogic environment, you must uninstall the Workflow
  Architect EAR before applying updates.

Before you begin

- Customizations made using the SecurID Governance and Lifecycle user interface are preserved during
  the upgrade process. However, any customizations made directly to the EAR are overwritten during the
  patching process. If you have made any customizations to the EAR, record the customizations before
  performing the upgrade, and manually restore them after you complete the installation.

- The way in which SecurID Governance and Lifecycle handles business descriptions for groups has
  changed from previous product versions.

  If your SecurID Governance and Lifecycle deployment includes business descriptions for groups, run the
  pre-migration queries for group business descriptions to identify any business descriptions that will be
  automatically deleted during the update process. For more information and the queries, see Migration
  Queries for Group Business Descriptions.

- If your environment uses a customer-supplied database or an RSA-provided database on a remote host,
  ensure that no database procedures are running against the database schema during the patch
  installation. The patch process may run SQL against various tables in the database.

  Note: On a deployment with an RSA-provided local database, the patch script automatically stops and
  starts the database to ensure that this requirement is met.

- In a clustered environment, use only one node during the patch update process. Stop all other nodes in
  the cluster to ensure that multiple nodes do not attempt a database migration. Before you patch
  additional nodes or enable farming to push EAR changes to other nodes, validate that the patch is
  applied and the one node is working as expected.
  For additional details for WebSphere and WebLogic environments, see the SecurID Governance &
  Lifecycle Installation Guide. For additional details on WildFly environments, see Chapter: Set Up WildFly
  Clustering in SecurID Governance & Lifecycle Installation Guide.

  Note: The created product schemas, such as AVUSER, are reserved for product database objects.
  Creating additional database objects within the product schemas may affect the operation of the
  systems, migration, or patch applications.


Migration Queries for Group Business Descriptions

When updating or migrating SecurID Governance & Lifecycle from a previous version, SecurID Governance &
Lifecycle deletes group business descriptions that are not actively in use. Before you migrate, run the following
pre-migration queries to identify any group business descriptions that will be deleted by the migration process.
If you still need these group business descriptions, you can re-import them with an application reference in the
import file, or you can manually recreate them after migration.

Review the results of each query to determine if any of the identified business descriptions are still needed. You
must manually recreate or import the identified business descriptions in the new system after migration is
complete.

Unused Group Business Descriptions Not Associated with an Application


The following query identifies all group business descriptions that are not associated with an application, and
that are currently unused. These business descriptions will be automatically deleted during migration.

    SELECT
        id,
        'Group' AS Type,
        object_filter AS "Object Filter",
        alt_name AS "Display Name",
        short_desc AS "Short Description",
        long_desc AS "Long Description",
        url_ref AS "Help Link"
    FROM
        t_av_business_description a
    WHERE
        -- no group references this business description
        NOT EXISTS (
            SELECT
                application_id
            FROM
                t_groups b
            WHERE
                b.filter_id = a.id
        )
        AND a.scope_id IS NULL
        AND a.is_deleted = 'FALSE'
        AND a.object_type = 4
        AND a.applies_to_set = 'FALSE';

All Unused Group Business Descriptions


The following query identifies all group business descriptions that are not associated with an application, and
that are currently unused. These business descriptions will be automatically deleted during migration.

    SELECT
        id,
        'Group' AS Type,
        object_filter AS "Object Filter",
        alt_name AS "Display Name",
        short_desc AS "Short Description",
        long_desc AS "Long Description",
        url_ref AS "Help Link",
        (SELECT name FROM t_groups WHERE id = a.scope_id) AS "Group Name",
        (SELECT name FROM t_applications WHERE id = a.scope_id) AS "Application Name"
    FROM
        t_av_business_description a
    WHERE
        -- no group references this business description
        NOT EXISTS (
            SELECT
                application_id
            FROM
                t_groups b
            WHERE
                b.filter_id = a.id
        )
        AND a.scope_id IS NOT NULL
        AND a.is_deleted = 'FALSE'
        AND a.object_type = 4
        AND a.applies_to_set = 'FALSE';

Group Business Description Table


As the ACM schema owner, run the following SQL statement to create a table that allows SecurID Governance &
Lifecycle to determine a group's business description state during migration.

    declare
        v_tbl_count number;
    begin
        select count(*) into v_tbl_count
        from user_tab_columns
        where table_name = 'TEMP_BUSDESC';

        if v_tbl_count > 0 then
            execute immediate 'drop table temp_busdesc purge';
        end if;

        execute immediate
            'CREATE TABLE temp_busdesc
             AS
             SELECT
                 name,
                 id,
                 filter_id,
                 application_id
             FROM
                 t_groups
             WHERE
                 filter_id != -1';
    end;


Supported Patch Upgrade Platforms

Follow the steps below to apply the patch on various deployment types:

- WildFly Standalone & Virtual Application
- WildFly Cluster
- Docker Container
- WebLogic & WebSphere


Installing the SecurID Governance & Lifecycle Patch

Follow these steps to install the SecurID Governance & Lifecycle patch:

- STEP 1: Download the patch files
- STEP 2: Shut down all AFX instances
- STEP 3: Install the Patch
- STEP 4: Update AFX Server
- STEP 5: Update Remote Collection Agents

STEP 1: Download the patch files

1. Log in to RSA Community, and from the Downloads drop-down list, click SecurID Governance &
   Lifecycle.
2. Click Full Product Downloads on the top right of the page.
3. You will be redirected to the myRSA website after authentication.
4. Select the Downloads card, then click SecurID Governance & Lifecycle from the list of products.
5. Click the SKU for the product you want to download.
6. From the Select Version drop-down list, select the version/patch you are patching to.
7. Download the following files:

    - Aveksa_<VersionNumber>_P<PatchNumber>.tar.gz
        - For WebSphere: ACM-WebSphere-<VersionNumber>_P<PatchNumber>.tar.gz
        - For WebLogic: ACM-WebLogic-<VersionNumber>_P<PatchNumber>.tar.gz
    - upgradeJDK<version>_<revision>.tar (optional JDK update for security updates)

8. If you are using Docker Container, download the following file:

    - ACM_Container_V<VersionAndPatchNumber>.tar

9. If you have Access Fulfillment Express (AFX), download the following AFX connector packages:

    - AFX-<VersionNumber>_P<PatchNumber>-Standard-Connectors.zip
    - AFX-<VersionNumber>_P<PatchNumber>-Premium-Connectors.zip (SAP customers only)

STEP 2: Shut down all AFX instances

If you have Access Fulfillment Express (AFX) installed, using the AFX user account, shut down all AFX instances
before installing the patch upgrade:

<path-to-AFX_installation-directory>/AFX/afx stop

STEP 3: Install the Patch

In a WildFly Standalone and Virtual Application, do as follows:


1. Copy the patch file Aveksa_<VersionNumber>_P<PatchNumber>.tar.gz to the installation folder (e.g.,
   /home/oracle) as the root user, and run the following commands to decompress the file:

    i. cd /home/oracle
    ii. tar zvxf Aveksa_<VersionNumber>_P<PatchNumber>.tar.gz

2. Log in as the user who performed the base installation of SecurID Governance and Lifecycle, for example
   root or the oracle user. The patch.sh installation script is run in the directory created in
   step 1.

3. Run the following commands:

    i. cd /home/oracle/Aveksa_<VersionNumber>_P<PatchNumber>
    ii. sh patch.sh

Note: With each application of a patch, previous versions of the Aveksa EAR are archived in the
$AVEKSA_HOME/archive directory. Each archive requires approximately 1 GB of disk space. For more information, see
archive/Archive_README.txt.

Note: Applying the patch as root updates the system files created during installation, such as service files and
the sudoer file.
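
The checks implied by the Important list and the archive note above, as an added shell example that is not part of the RSA guide: it rejects a patch older than the installed one, confirms that every archive member sits under the Aveksa_<VersionNumber>_P<PatchNumber>/ directory before the archive is extracted as root, and checks free space for the EAR archive. The function names are hypothetical, and the installed version and patch number are supplied by the operator because the guide does not say where to read them.

```shell
#!/bin/sh
# Added example, not part of the RSA guide. Function names are hypothetical.

# Print "<version> <patch-number>" parsed from the archive file name.
parse_patch_name() {
    printf '%s\n' "$(basename "$1")" |
        sed -n 's/^Aveksa_\([0-9][0-9.]*\)_P0*\([0-9][0-9]*\)\.tar\.gz$/\1 \2/p' |
        grep .
}

# $1 = archive, $2 = installed version, $3 = installed patch number (0 = none).
# Both installed values are operator-supplied (assumption of this example).
check_patch_order() {
    parsed=$(parse_patch_name "$1") || { echo "unrecognised name: $1" >&2; return 2; }
    p_ver=${parsed% *}
    p_num=${parsed#* }
    [ "$p_ver" = "$2" ] || { echo "upgrade the base product to $p_ver first" >&2; return 3; }
    [ "$p_num" -ge "$3" ] || { echo "P$p_num is older than installed P$3" >&2; return 4; }
}

# Every member must sit under Aveksa_<VersionNumber>_P<PatchNumber>/, the
# directory the guide changes into, and that directory must hold patch.sh.
check_archive_layout() {
    top=$(basename "$1" .tar.gz)
    members=$(tar -tzf "$1") || { echo "cannot list $1" >&2; return 2; }
    bad=
    while IFS= read -r m; do
        case $m in
            ..|../*|*/../*|*/..) bad=$m ;;   # path traversal component
            "$top"|"$top"/*) ;;              # expected location
            *) bad=$m ;;                     # would land outside the patch dir
        esac
    done <<EOF
$members
EOF
    [ -z "$bad" ] || { echo "unexpected member: $bad" >&2; return 5; }
    printf '%s\n' "$members" | grep -qxF "$top/patch.sh" ||
        { echo "no $top/patch.sh in archive" >&2; return 6; }
}

# The guide notes about 1 GB per archived EAR under $AVEKSA_HOME/archive.
# $1 = that directory, $2 = required KB (default 1 GiB).
check_archive_space() {
    need_kb=${2:-1048576}
    free_kb=$(df -Pk "$1" | awk 'NR==2 {print $4}')
    [ "${free_kb:-0}" -ge "$need_kb" ] ||
        { echo "only ${free_kb:-0} KB free in $1, need $need_kb" >&2; return 7; }
}

# Usage: preflight <archive> <installed version> <installed patch> <archive dir>
preflight() {
    check_patch_order "$1" "$2" "$3" &&
        check_archive_layout "$1" &&
        check_archive_space "$4" &&
        echo "pre-flight OK: $(basename "$1")"
}

if [ "$#" -eq 4 ]; then preflight "$@"; fi
```

The layout check assumes member names are stored without a leading "./"; an archive packed that way is reported as unexpected and should be inspected by hand.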

To apply a patch on a WildFly Cluster:


1. Ensure that the server running on the Domain Controller node (usually this is the first node configured
   during the installation of the WildFly cluster and indicated as "img-server-1" on the Server Nodes page) is
   configured as the Systems Operation Node (SON). To do this, in SecurID Governance & Lifecycle, go to
   Admin > System > Server Nodes.

2. Copy the patch file Aveksa_<VersionNumber>_P<PatchNumber>.tar.gz to the installation folder (e.g.,
   /home/oracle) on the Domain/SON node as the root user, and run the following commands to decompress
   the file:

    cd /home/oracle
    tar zvxf Aveksa_<VersionNumber>_P<PatchNumber>.tar.gz

3. Ensure that SecurID Governance & Lifecycle is only running on the Domain/SON node and stopped on all
   other nodes.

4. Run the following commands on the Domain/SON node:

    i. cd /home/oracle/Aveksa_<VersionNumber>_P<PatchNumber>
    ii. sh patch.sh

5. Access the SecurID Governance & Lifecycle URL of the Domain/SON node and verify the patch
   application is complete.

6. Start all the other nodes in the WildFly cluster. After they start, the SecurID Governance & Lifecycle application
   will automatically update to the same patch level as the Domain/SON node.

Note: In case the Server Nodes page takes time to load, restart the domain node and then the host nodes.

To apply a patch on a Docker Container:


1. Stop the currently running Docker container.

    - docker stop <container_name>
    - docker rm -f <container_name> (This step is just to be sure proper clean-up is done before
      starting the new container)

2. Follow the steps below to upload the patch and start the SecurID Governance & Lifecycle container:

    - Copy ACM_Container_V<VersionAndPatchNumber>.tar to the Docker Container host and load
      the container package:

        docker load -i ACM_Container_V<VersionAndPatchNumber>.tar

    - Make a note of the image name in the output of the above command. The image name is
      composed of the repository and tag identifiers, e.g. identity/rsaigl:7.5.0.180683. You can also
      run the following command to obtain the repository and tag identifiers:

        docker images

    - Create and start the new GL Docker Container as follows. Make sure to use the same
      configuration options and point to the same Docker volumes (for encryption files,
      keystore/certificate files, and configuration files) that were used for the original GL Docker
      Container.

        docker run -itd --net=host --name=<name_of_container> -e CONFIG_FILE=Aveksa_System.cfg -v iglconfig:/home/oracle/config:Z -v iglsecurity:/home/oracle/security:Z -v iglkeystore:/home/oracle/keystore:Z <repository:tag>

3. Access the UI (https://<IP>/aveksa/main).

4. You are prompted for the Migration Password, which is used to migrate the DB to the same build version as
   that of the Docker container.

5. Once migration is completed, you will be asked to restart the server.

    - docker stop <container_name>
    - docker start <container_name>

6. The UI should be accessible, and everything should be working as expected.

7. For a Docker Container cluster, carry out the following steps:

    - Repeat step 1 above on all nodes to stop and remove the containers on all nodes.
    - Follow step 2 above to load the IGL container image on all nodes. Once the container image
      is loaded on all nodes, create and start the IGL container on the domain node ONLY. Do NOT
      create/start the IGL container on other nodes for now.
    - Follow steps 3 through 5 above on the domain node only.
    - Once the domain node is working as expected, create and start the IGL container on all other
      nodes. The UI should now be accessible on all nodes.
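
Step 2 asks for the same configuration options and volumes as the original container, but step 1 removes that container, so its settings have to be recorded first. The following is an added shell example, not part of the RSA guide: it reads the mounts and CONFIG_FILE from the running container with docker inspect and refuses to continue if one of the three directories from the guide's docker run line is not backed by a mount. The function names and the DOCKER override variable are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the RSA guide. Run it BEFORE "docker rm -f".
# DOCKER can be pointed at a stub for offline testing (assumption).
DOCKER=${DOCKER:-docker}

# One "source:destination[:mode]" line per mount of container $1.
list_mounts() {
    $DOCKER inspect --format '{{range .Mounts}}{{if .Name}}{{.Name}}{{else}}{{.Source}}{{end}}:{{.Destination}}{{if .Mode}}:{{.Mode}}{{end}}{{println}}{{end}}' "$1"
}

# Environment of container $1, one NAME=value per line.
list_env() {
    $DOCKER inspect --format '{{range .Config.Env}}{{println .}}{{end}}' "$1"
}

# Destinations that the guide's "docker run" command mounts as volumes.
REQUIRED_DESTS="/home/oracle/config /home/oracle/security /home/oracle/keystore"

# Print every required destination that is NOT backed by a mount. Files kept
# there live only in the container layer and are lost on "docker rm -f".
missing_mounts() {
    mounts=$(list_mounts "$1") || return 2
    for dest in $REQUIRED_DESTS; do
        printf '%s\n' "$mounts" |
            awk -F: -v d="$dest" '$2 == d {found=1} END {exit !found}' ||
            printf '%s\n' "$dest"
    done
}

# Rebuild the -e CONFIG_FILE and -v options from the old container.
run_options() {
    cfg=$(list_env "$1" | grep '^CONFIG_FILE=' || true)
    if [ -n "$cfg" ]; then printf '%s %s ' -e "$cfg"; fi
    list_mounts "$1" | while IFS= read -r m; do
        if [ -n "$m" ]; then printf '%s %s ' -v "$m"; fi
    done
    echo
}

# Usage: check_before_remove <container_name>
check_before_remove() {
    missing=$(missing_mounts "$1") || return 2
    if [ -n "$missing" ]; then
        echo "not on a volume, copy out before removing:" $missing >&2
        return 1
    fi
    run_options "$1"
}

if [ "$#" -eq 1 ]; then check_before_remove "$1"; fi
```

Only CONFIG_FILE and the mounts are reconstructed; other options of the original docker run line, such as --net=host, still have to be carried over by hand.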

To apply a patch in a WebLogic or WebSphere Environment:


1. For detailed instructions, see the section Updating SecurID Governance & Lifecycle on WebSphere (or
   WebLogic) with a Patch in SecurID Governance & Lifecycle Installation Guide, and the section Upgrade
   SecurID Governance & Lifecycle on WebSphere (or WebLogic) Application Server in SecurID Governance
   & Lifecycle Upgrade and Migration Guide.

2. Uncompress and extract the following files from ACM-WebSphere-<VersionNumber>_P<PatchNumber>.tar.gz
   or ACM-WebLogic-<VersionNumber>_P<PatchNumber>.tar.gz: aveksa.ear
   and aveksaWFArchitect.ear.

3. Perform any necessary customizations to the Aveksa EAR file. For more information, see "Modifying the
   SecurID Governance & Lifecycle Enterprise Archive" in the SecurID Governance & Lifecycle Installation
   Guide.

4. Uninstall the Workflow Architect EAR.

5. Upgrade the Aveksa EAR.

6. Deploy the Workflow Architect EAR.

7. Restart the WebSphere or WebLogic Application Server.

8. In a WebSphere environment, after you deploy the patch, you must restart SecurID Governance &
   Lifecycle. When you start SecurID Governance and Lifecycle after applying the patch, SQL processing is
   performed. After SQL processing is complete, restart SecurID Governance & Lifecycle again, to ensure
   that any patch processing takes effect.

    - To stop and restart SecurID Governance & Lifecycle on a WebSphere server:

        i. In the WebSphere console, go to Applications.
        ii. Under All Applications, select aveksa.
        iii. Click Stop to stop SecurID Governance and Lifecycle.
        iv. After the aveksa application has been stopped, click Start to start SecurID Governance
            and Lifecycle.

9. In a WebLogic environment, you must restart SecurID Governance and Lifecycle after you install the
   patch.

    - To stop and restart SecurID Governance and Lifecycle in a WebLogic environment:

        i. In the WebLogic administrative console, select Deployments from the menu.
        ii. Select the Aveksa application and click Stop and then Start to restart the application.

Note: Restarting SecurID Governance and Lifecycle also restarts the local agent.

STEP 4: Update AFX Server

- If your WildFly deployment includes a local Access Fulfillment Express (AFX), it will be started by the
  patch script. The AFX server automatically gets upgraded on a startup after the patch is applied.

- If AFX is installed on a remote server (e.g., in a WebLogic or WebSphere environment), start the AFX server
  using the AFX user account as follows. The AFX server automatically gets upgraded on a startup after the
  patch is applied.

    <path-to-AFX_installation-directory>/AFX/afx start

- If your deployment includes an AFX server, you must also upgrade your AFX connectors. For instructions,
  see Import AFX Connector Packages.

STEP 5: Update Remote Collection Agents

If your deployment includes a remote Collection Agent, download a new AveksaAgent.zip from SecurID
Governance & Lifecycle UI. Follow the steps in the SecurID Governance & Lifecycle Upgrade and Migration Guide
to re-install the agent.


Import AFX Connector Packages

If your SecurID Governance & Lifecycle deployment uses Access Fulfillment Express (AFX), use this procedure to
import the AFX connector package. Reference the instructions in Step 1 above for downloading the connector
packages from RSA Community.

Procedure
1. Copy the Connector package files to a directory local to the browser client from which you plan to
   import the packages:

    - AFX-<VersionNumber>_P<PatchNumber>-Standard-Connectors.zip
    - AFX-<VersionNumber>_P<PatchNumber>-Premium-Connectors.zip (SAP customers only)

2. Log on to SecurID Governance & Lifecycle.
3. Click AFX > Import.
4. Import the packages.
5. Using the AFX user account, start all AFX instances:

    <path-to-AFX_installation-directory>/AFX/afx start


Upgrade JDK

If the patch includes a new JDK version, follow the steps below to upgrade JDK. This step applies to WildFly and
Virtual Application deployments.

1. Stop ACM, AFX, and any remote Collection Agents.

2. Copy the file upgradeJDK<version>_<revision>.tar to the WildFly installation folder, e.g., /home/oracle.

3. Log in as root, and change directory: cd /home/oracle.

4. Decompress the file: tar vxf upgradeJDK<version>_<revision>.tar.

5. As root user, run the following commands:


i. cd /home/oracle/upgradeJDK
ii. chmod -R 744 *
iii. sh upgradeJDK.sh

6. After JDK is upgraded, log out of all SSH sessions (for root and oracle users). Log back in as needed.

7. Start ACM, AFX, and any remote Collection Agents.
