You need to upgrade the components in the following order:
Administration Console
Identity Servers
Access Gateways
SSL VPN Servers
J2EE Agents
While you are upgrading the components, be aware of the following:
You should not use any of the new SP2 features until all of your components are upgraded to SP2. For example, the Access Gateway Appliance ignores the timeout per protected resource feature until all Access Gateways in the cluster are upgraded to SP2.
You must upgrade the components to 3.1 SP2 before you can migrate the components to a new operating system. See Section 9.5, Migrating to Newer Operating Systems.
Back up customized Tomcat files on your Access Manager components.
If you have customized the tomcat5.conf file or the server.xml file, back up these files before upgrading. These files are overwritten during the upgrade process.
When you upgrade the Identity Server, the Session Timeout value is rounded up to the nearest value divisible by 5. This value is then assigned to all contracts. After all the Identity Servers in the cluster have been upgraded, you can modify the Authentication Timeout on each contract to meet your security requirements. You can also modify the Default Timeout value (the new name for the Session Timeout option) to the value you want assigned to new contracts and to federated sessions that cannot be associated with a contract.
If you are upgrading from Access Manager 3.1 SP1 or 3.1 SP1 IR1 and you have configured the Identity Server to send attributes to the Access Gateway, decide on an upgrade strategy for a potential issue.
If any of the attributes you are sending have empty values, users cannot authenticate until you have upgraded all your Identity Servers and Access Gateways to SP2 or you have disabled the sending of attributes until you have upgraded all components. For more information about this issue, see TID 7005475.
After you upgrade all the Access Gateway Appliances, you need to make a configuration change, then update the Access Gateways before using the features for SP2.
(Conditional) The location of the keystores on the Administration Console for the Embedded Service Provider of the Access Gateway Appliance changed in Access Manager 3.0.1. If you installed the Access Gateway Appliance with the Access Manager 3.0 release and upgraded it to 3.1 SP1, the keystores are in the old location. The SLES 9 Access Gateway Appliance works with the keystores in either the old or the new location. However, when you migrate your SLES 9 Access Gateway Appliances to SLES 11, the SLES 11 Access Gateway Appliance ceases to function because it cannot find the Embedded Service Provider keystores. To correct this problem:
If you are upgrading to SP2, you need to run the keystore cleanup script before upgrading. For instructions, see Running the Keystore Clean-Up Script.
If you are upgrading to SP2 IR1, the upgrade script automatically cleans up the keystores for you. After the upgrade, the keystores are in the new location.
After you upgrade the Access Gateway Appliance from 3.1 SP1 to 3.1 SP2, the following touch files have been disabled:
/var/novell/.ForceHTTPSSchemeInESPRedirection
/tmp/.rewriteAlwaysHTTPS
/var/novell/.EnableSecureCookie
/var/novell/.ForceSecureCookie
/var/novell/.setsecureesp
The option on the Reverse Proxies / Authentication page has also been disabled. After the upgrade, the following warning message is displayed if the option or any of these touch files were enabled in 3.1 SP1:
If you receive this message, you must select the
Managing Reverse Proxies and Authentication in the Novell Access Manager 3.1 SP2 Access Gateway Guide.
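A pre-upgrade check for the touch files listed above, as an added example that is not part of the Novell documentation: it reports which of the five files exist on an Access Gateway Appliance, so you know before upgrading whether the post-upgrade warning will apply. It assumes a touch file counts as enabled when it exists; the function names and the `ROOT` argument are hypothetical.

```shell
#!/bin/sh
# Added example, not Novell tooling. Records which SP1 touch files are
# present before the 3.1 SP2 upgrade disables them.
# The paths are the five listed on this page.
TOUCH_FILES="/var/novell/.ForceHTTPSSchemeInESPRedirection
/tmp/.rewriteAlwaysHTTPS
/var/novell/.EnableSecureCookie
/var/novell/.ForceSecureCookie
/var/novell/.setsecureesp"

# list_enabled_touch_files [ROOT]
# Prints every touch file that exists under ROOT, one per line.
# ROOT (hypothetical parameter) defaults to the live filesystem; pass a
# directory to inspect a mounted backup or a test tree instead.
list_enabled_touch_files() {
    root="${1:-}"
    for f in $TOUCH_FILES; do
        # Assumption: a touch file is "enabled" simply by existing.
        [ -e "${root}${f}" ] && printf '%s\n' "$f"
    done
    return 0
}

# audit_touch_files [ROOT]
# Returns 0 when no touch file is present, 1 when at least one is, which
# means the behaviour it enabled in SP1 is switched off by the upgrade.
audit_touch_files() {
    found=$(list_enabled_touch_files "${1:-}")
    if [ -z "$found" ]; then
        echo "No SP1 touch files present."
        return 0
    fi
    echo "Touch files enabled in SP1 (disabled after the SP2 upgrade):"
    printf '%s\n' "$found" | sed 's/^/  /'
    echo "Expect the post-upgrade warning; review the Reverse Proxies / Authentication page."
    return 1
}

# Run the audit only when asked, so sourcing the file has no side effects.
if [ "${1:-}" = "--run" ]; then
    audit_touch_files
    exit $?
fi
```

Run it with `--run` on each Access Gateway Appliance before upgrading and keep the output with your other upgrade records.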