Published On: August 6ᵗʰ, 2019 02:11
Installation and Upgrade Guide for Cisco Secure Access Control System 5.4
Upgrading the Cisco Secure Access Control System
This chapter explains how to upgrade an ACS deployment or a standalone ACS server from 5.2/5.3 or from the available latest patch to 5.4.

Note When you upgrade from ACS 5.3 to ACS 5.4, it is mandatory to install patch 8 or a subsequent patch before you start upgrading to ACS 5.4.

Note If you are using ACS 5.0/5.1, you must first upgrade to ACS 5.2/5.3 and then upgrade to ACS 5.4. For procedures to upgrade from ACS 5.x to ACS 5.3, see the Installation and Upgrade Guide for Cisco Secure Access Control System 5.3.

Note Upgrading to ACS 5.4 may fail if any LDAP identity store is configured without groups or attributes and no AD identity store is configured. To avoid this issue, before upgrading to ACS 5.4, either add groups or attributes to the LDAP identity store or configure an AD identity store.
This chapter describes the following scenarios:
- Upgrading an ACS Deployment from 5.3 to 5.4—To upgrade an ACS deployment from 5.3 to 5.4
- Upgrading an ACS Deployment from 5.2 to 5.4—To upgrade an ACS deployment from 5.2 to 5.4
- Upgrading an ACS Server from 5.3 to 5.4—To upgrade an ACS server from 5.3 to 5.4. You can use either of the following procedures:
  – Upgrading an ACS Server Using the Application Upgrade Bundle—For an incremental upgrade of an ACS server from 5.3 to 5.4
  – Reimaging and Upgrading an ACS Server—To back up ACS 5.3 application data and restore it on ACS 5.4
- Upgrading an ACS Server from 5.2 to 5.4—To upgrade an ACS server from 5.2 to 5.4
- Applying an ACS Patch—To download and apply an upgrade patch
- Upgrading ACS 5.2 or 5.3 on CSACS-1120 or CSACS-1121 to SNS-3415—To upgrade ACS 5.2 or 5.3 on CSACS-1120 or CSACS-1121 appliances to ACS 5.4 on an SNS-3415 appliance.
The upgrade process involves upgrading an ACS server, which includes the Monitoring and Report Viewer and the configuration information in the database.

Note ACS 5.4 upgrades CARS 1.x to the 2.x version as a part of the application upgrade process.
During the upgrade process, ACS upgrades the ACS server to 5.4 and restores the data to the ACS 5.4 server. As part of the restore operation, ACS converts the configuration data to a 5.4-compatible format.
ACS stores the data upgrade information in the acsupgrade.log file. To view the content of this log file, download the support bundle.
For information on downloading the support bundle, see the CLI Reference Guide for Cisco Secure Access Control System 5.4. Also see ADE.log, which logs the details of all operations that are performed in the ACS CLI.
If you are migrating ACS from 4.x to 5.4, follow the migration procedure described in the Migration Guide for Cisco Secure Access Control System 5.4.
You must have a repository that is configured with an FTP, Network File System (NFS), or Secure FTP (SFTP) network server (but not a TFTP repository) to perform the ACS upgrade.
To create a repository, use the repository command. For more details about the commands that are used in this chapter, see the CLI Reference Guide for Cisco Secure Access Control System 5.4.
Upgrade Paths
You can use the following upgrade paths to upgrade the ACS server from 5.x versions to ACS 5.3:
- To upgrade from ACS 5.3 to 5.4, see Upgrading an ACS Server from 5.3 to 5.4.
- To upgrade from ACS 5.2 to 5.4, see Upgrading an ACS Server from 5.2 to 5.4.
- To upgrade from 5.0/5.1 to ACS 5.2, see the Installation and Upgrade Guide for Cisco Secure Access Control System 5.2.
- To upgrade from 5.0/5.1 to ACS 5.3, see the Installation and Upgrade Guide for Cisco Secure Access Control System 5.3.

Note When you upgrade from ACS 5.3 to ACS 5.4, it is mandatory to install patch 8 or a subsequent patch before you start upgrading to ACS 5.4.

Note If you want to upgrade an ACS installed on a virtual machine to ACS 5.4, the virtual machine disk size must be greater than or equal to 500 GB.
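The upgrade-path rules above, together with the repository and LDAP/AD notes earlier in this chapter, are simple to check by hand for one server but worth encoding when a whole deployment is in scope. The following Python is an added example and not Cisco code: it takes a constructed description of an ACS instance (the record layout is an assumption of the example; ACS exposes no such API) and reports which conditions block an upgrade to 5.4 and which only warn.

```python
"""Pre-upgrade checks for an ACS 5.x -> 5.4 upgrade (added example, not Cisco code).

The rules are the ones this chapter states: 5.0/5.1 must go to 5.2/5.3
first, 5.3 needs patch 8 or later, a virtual machine needs a disk of at
least 500 GB, a TFTP repository cannot be used, and an LDAP identity store
with neither groups nor attributes may make the upgrade fail unless an AD
identity store is configured. The AcsInstance record is an assumption of
this example, not an ACS data structure.
"""
from dataclasses import dataclass, field
from typing import List, Optional

ALLOWED_REPOSITORY_TYPES = {"ftp", "nfs", "sftp"}   # from the chapter; TFTP is excluded
MIN_PATCH_FOR_53 = 8
MIN_VM_DISK_GB = 500


@dataclass
class AcsInstance:
    version: str                      # "5.0", "5.1", "5.2" or "5.3" (a longer string is fine)
    patch: int = 0                    # installed cumulative patch level
    repository_type: str = "sftp"     # repository used for the backup / upgrade bundle
    is_virtual_machine: bool = False
    disk_gb: Optional[int] = None     # only checked for a virtual machine
    ldap_stores_without_groups_or_attrs: int = 0
    ad_configured: bool = False


@dataclass
class PreflightResult:
    blocking: List[str] = field(default_factory=list)
    warnings: List[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.blocking


def preflight(acs: AcsInstance) -> PreflightResult:
    """Apply the chapter's preconditions to one instance and collect the findings."""
    r = PreflightResult()
    major_minor = acs.version.split(".")[:2]
    if major_minor in (["5", "0"], ["5", "1"]):
        r.blocking.append(
            f"ACS {acs.version}: upgrade to 5.2 or 5.3 first; there is no direct path to 5.4")
    elif major_minor == ["5", "3"] and acs.patch < MIN_PATCH_FOR_53:
        r.blocking.append(
            f"ACS 5.3 patch {acs.patch}: install patch {MIN_PATCH_FOR_53} or later before upgrading")
    elif major_minor not in (["5", "2"], ["5", "3"]):
        r.blocking.append(f"ACS {acs.version}: not a source version covered by this chapter")
    if acs.repository_type.lower() not in ALLOWED_REPOSITORY_TYPES:
        r.blocking.append(
            f"repository type {acs.repository_type!r} not allowed; use FTP, NFS or SFTP (not TFTP)")
    if acs.is_virtual_machine and (acs.disk_gb is None or acs.disk_gb < MIN_VM_DISK_GB):
        r.blocking.append(
            f"VM disk {acs.disk_gb} GB is below the {MIN_VM_DISK_GB} GB minimum")
    if acs.ldap_stores_without_groups_or_attrs and not acs.ad_configured:
        r.warnings.append(
            f"{acs.ldap_stores_without_groups_or_attrs} LDAP identity store(s) have no groups or "
            "attributes and no AD identity store is configured: add groups/attributes or "
            "configure AD, or the upgrade may fail")
    return r


if __name__ == "__main__":
    # Constructed sample inventory, not real ACS data.
    for inst in (
        AcsInstance("5.3", patch=8),
        AcsInstance("5.3", patch=6, repository_type="tftp"),
        AcsInstance("5.1"),
        AcsInstance("5.2", is_virtual_machine=True, disk_gb=250,
                    ldap_stores_without_groups_or_attrs=1),
    ):
        res = preflight(inst)
        print(f"ACS {inst.version} patch {inst.patch}: {'OK' if res.ok else 'BLOCKED'}")
        for msg in res.blocking + res.warnings:
            print("   ", msg)
```

Run the module directly to see the findings for the four constructed instances; in practice the record would be filled from your own inventory before any backup or application upgrade command is issued.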
Upgrading an ACS Deployment from 5.3 to 5.4
Follow the procedure that is described in this section to upgrade an ACS 5.3 deployment to ACS 5.4.
The deployment upgrade process consists of the following phases:

Note ACS does not support interoperability between the ACS 5.3 and 5.4 deployments.
Usually, in a deployment scenario of multiple servers, the ACS primary server functions as a master database for the configuration data, and a secondary server stores the Monitoring and Report data.
Initially, you need to upgrade the log collector server to ACS 5.4 and use this server as a common log collector between the ACS 5.3 and 5.4 deployments, until the 5.4 upgrade for all servers is complete.
There are some exceptions to this usual setup, which you can handle as described below:
If the ACS 5.3 primary server also functions as a log collector in your 5.3 deployment, promote one of the secondary servers to primary server in the deployment. See Promoting a Secondary Server to Primary.

Note Before upgrading any secondary server, you need to deregister it from the primary server.
Upgrading the Log Collector Server
To upgrade a log collector server to ACS 5.4, complete the following steps:
Step 1 Choose any secondary server to become a log collector:
a. From the primary ACS server, choose System Administration > Configuration > Log Configuration > Log Collector.
The Log Collector page is displayed.
b. From the Select Log Collector Server drop-down list, choose the new secondary instance to be the log collector, and click Set Log Collector.
The ACS services of the new secondary log collector are restarted.
Step 2 Enter the show application status acs command in EXEC mode to check whether all processes are up and running successfully, and press Enter.
Process 'view-database' running
Process 'view-jobmanager' running
Process 'view-alertmanager' running
Process 'view-collector' running
Process 'view-logprocessor' running
You can now see that all the processes are up and running.
Step 3 Deregister the old log collector server from the deployment, and delete it from the ACS 5.3 primary server, so that it is now a standalone server:
a. From the web interface of the ACS 5.3 primary server,
select System Administration > Operations > Distributed System Management.
The Distributed System Management page appears.
b. From the Secondary Instances table, check the check box next to the secondary instance that you want to deregister.
The system displays the following message:
The secondary instance (old log collector) services are restarted.
e. Log into the ACS 5.3 secondary server.
f. Select System Administration > Operations > Distributed System Management.
g. From the Secondary Instances table, check the check box next to the deregistered secondary instance that you want to delete.
The following message appears:
The Secondary Instances table on the Distributed System Management page appears without the deleted secondary instance.
Step 4 Back up the log collector data:
From the ACS CLI, enter the following backup command in the EXEC mode to perform a backup and place the backup in a remote repository:
backup backup-file-name repository repository-name

Note When you back up your data, if the data size exceeds the allowed disk quota of ACS, a warning message is displayed in the CLI, and an alarm is triggered in ACS Monitoring and Reports.
Step 5 Upgrade the old ACS log collector:
Use the procedure in Upgrading an ACS Server from 5.3 to 5.4.
When the ACS processes of the 5.4 log collector server are up and running, confirm that the upgrade processes completed successfully: in the Monitoring and Report Viewer, choose Monitoring Configuration > System Operations > Data Upgrade Status. The Data Upgrade Status page appears, indicating the status of the Monitoring and Report Viewer data upgrade.
When the database upgrade completes, ACS displays the following message:
Upgrade completed successfully.
Now the old log collector is upgraded to 5.4 and functions as the ACS 5.4 standalone primary server, as well as a log collector.
Step 6 Define the 5.4 log collector as a remote log target for the 5.3 deployment.
a. Select System Administration > Configuration > Log Configuration > Remote Log Targets.
The Remote Log Targets page appears.
c. Enter the values for the following fields:
– Name—The name of the remote log target. Maximum length is 32 characters.
– Description—(Optional) A description of the remote log target. Maximum description length is 1024 characters.
– Type—The type of remote log target. Syslog is the only option.
– IP Address—IP address of the remote log target, in the format x.x.x.x. Specify the IP address of the 5.4 log collector server.
– Use Advanced Syslog Options—Click to enable advanced syslog options, which include port number, facility code, and maximum length.
– Port—The port number of the remote log target that is used as the communication channel between the ACS and the remote log target (default is 514). Enter 20514 for the port number.
– Facility Code—(Optional) Choose an option from the Facility Code drop-down list box.
– Maximum Length—The maximum length of the remote log target messages. Valid options are from 200 to 1024.
The remote log target configuration is saved. The Remote Log Targets page appears with the new remote log target configuration.
Now, the authentication details from the 5.3 deployment are logged in both the 5.3 and 5.4 log collector servers.
Step 7 On the 5.3 primary server, configure the appropriate logging categories for the remote log target:
a. Select System Administration > Configuration > Log Configuration > Logging Categories > Global.
The Logging Categories page appears; from here, you can view the logging categories.
b. Click the name of the logging category you want to configure, or click the radio button next to its name and click Edit.
c. In the General tab, complete the following fields:
– Log Severity—Use the drop-down list box to select the severity level. Valid options are FATAL, ERROR, WARN, INFO, and DEBUG.
– Log to Local Target—Check to enable logging to the local target.
– Local Target is Critical—Check the check box to make this local target the critical target. Usable for accounting and for AAA audit (passed authentication) logging category types only.
d. Click the Remote Syslog Target tab and choose Remote Targets to view the logs.
The Logging Categories page appears, with your configured logging category.
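Steps 6 and 7 leave the 5.3 deployment sending its logging categories to the 5.4 log collector as a syslog target on port 20514 while the old 5.3 collector keeps receiving its own copy. The Python below is an added example, not Cisco code and not ACS's own syslog record format: it builds an RFC 3164 style message bounded by the Maximum Length setting (200 to 1024), sends it by UDP to every target in a list, and shows the fan-out against two loopback listeners that stand in for the two collectors. The facility, the tag, the message text and the use of UDP are assumptions of this example.

```python
"""Fan-out of one syslog message to two remote log targets (added example, not Cisco code).

Models the interim state of the deployment upgrade: the 5.3 servers log to
both the 5.3 log collector and the new 5.4 log collector (a syslog target on
port 20514). The message layout is RFC 3164 style, not ACS's own record
format; facility, tag and text below are constructed for the example.
"""
import socket
import time
from typing import List, Optional, Tuple

# RFC 3164 facility and severity codes; PRI = facility * 8 + severity.
FACILITY = {"local6": 22, "local7": 23, "auth": 4}
SEVERITY = {"info": 6, "warning": 4, "error": 3}


def build_syslog_message(facility: str, severity: str, host: str, tag: str, text: str,
                         max_length: int = 1024, timestamp: Optional[str] = None) -> bytes:
    """Return an RFC 3164 message cut to max_length bytes (ACS allows 200 to 1024)."""
    if not 200 <= max_length <= 1024:
        raise ValueError("maximum length must be between 200 and 1024")
    pri = FACILITY[facility] * 8 + SEVERITY[severity]
    stamp = timestamp or time.strftime("%b %d %H:%M:%S")
    header = f"<{pri}>{stamp} {host} {tag}: "
    # Byte-level truncation, like a fixed maximum-length setting on the target;
    # ASCII payloads are assumed so no multi-byte character is split.
    return (header + text).encode("utf-8")[:max_length]


def send_to_targets(message: bytes, targets: List[Tuple[str, int]]) -> int:
    """UDP-send one message to every (ip, port) target; return the number sent."""
    sent = 0
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        for ip, port in targets:
            s.sendto(message, (ip, port))
            sent += 1
    return sent


def loopback_fanout_demo() -> List[str]:
    """Stand in for the 5.3 and 5.4 log collectors with two loopback UDP listeners,
    send one message to both, and return what each received as text."""
    listeners = []
    for _ in range(2):
        lst = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        lst.bind(("127.0.0.1", 0))      # ephemeral port instead of 514 / 20514
        lst.settimeout(2.0)
        listeners.append(lst)
    targets = [lst.getsockname() for lst in listeners]
    msg = build_syslog_message("local6", "info", "acs-53-primary", "acs_example",
                               "constructed sample: user=alice result=PASS")
    try:
        send_to_targets(msg, targets)
        return [lst.recv(2048).decode("utf-8") for lst in listeners]
    finally:
        for lst in listeners:
            lst.close()


if __name__ == "__main__":
    for i, received in enumerate(loopback_fanout_demo(), start=1):
        print(f"collector {i} received: {received}")
```

In a real deployment the two targets would be the IP addresses of the 5.3 and 5.4 log collectors, with the 5.4 target on port 20514 as Step 6 specifies; the loopback listeners only make the fan-out observable on one machine.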
Upgrading the Secondary Servers
To upgrade each 5.3 secondary server in your deployment to 5.4:
To ensure that you preserve the local certificates of the secondary server, you should promote each secondary server to the primary role, and then perform the ACS 5.4 upgrade. See Upgrading the PKI Data and Certificates.
Before upgrading a secondary ACS server, ensure that the server is not inactive and that it is not in local mode.
To verify the status, from the web interface of the secondary server, select System Administration > Operations > Local Operations and check the status of the secondary ACS server.
Step 1 Verify if the secondary server is a log collector. If so, change the log collector server to any other secondary server; otherwise, proceed to Step 2.
a. From the 5.3 primary server, select System Administration > Configuration > Log Configuration > Log Collector.
ACS displays the current log collector server.
b. From the Select Log Collector drop-down list box, choose a different server to configure as a log collector.
Step 2 Deregister the secondary server from the 5.3 deployment and delete it from the ACS 5.3 primary server, so that it now becomes a standalone server:
a. Select System Administration > Operations > Distributed System Management.
The Distributed System Management page appears.
b. From the Secondary Instances table, check the check box next to the secondary instance that you want to deregister.
The system displays the following message:
e. Log into the ACS 5.3 primary server.
f. Select System Administration > Operations > Distributed System Management.
g. From the Secondary Instances table, check the check box next to the secondary instance that you want to delete.
The following message appears:
The Secondary Instances table on the Distributed System Management page appears without the deleted secondary instance.
Step 3 Back up the secondary server data.
From the ACS CLI, issue the following backup command in EXEC mode to perform a backup and place the backup in a repository:
backup backup-name repository repository-name

Note When you back up your data, if the data size exceeds the allowed disk quota of ACS, a warning message is displayed in the CLI, and an alarm is triggered in ACS Monitoring and Reports.
Step 4 Upgrade the ACS server to 5.4. See Upgrading an ACS Server from 5.3 to 5.4.
Step 5 Register the secondary server to the ACS 5.4 primary server.
a. Select System Administration > Operations > Local Operations > Deployment Operations.
The Deployment Operations page appears.
b. Complete the following mandatory fields under the Registration dialog box:
– Primary Instance—The hostname of the 5.4 primary server that you wish to register the secondary instance with.
– Admin Username—Username of an administrator account.
– Admin Password—The password for the administrator account.
– Hardware Replacement—Check to enable the existing ACS instance to re-register with the primary instance and get a copy of the configuration that is already present in the primary instance.
– Recovery Keyword—Specify the same hostname that was used in the 5.3 deployment to ensure that you associate this secondary server with the Monitoring and Report data that was collected earlier.
After you submit this information, this instance connects to the primary instance. The primary instance finds the associated ACS instance records based on the keyword, and marks each record as registered.
The system displays the following message:
ACS will restart automatically. Wait for some time to make sure that all processes are up and running successfully.

Note When you register a secondary to a primary instance, you can use any account that is created on the primary instance. The credentials that you create on the primary instance are replicated to the secondary instance.
After the registration is complete, ACS performs a full synchronization and sends the ACS 5.4 configuration data to the 5.4 secondary server.
Step 6 Import local and outstanding Certificate Signing Requests (CSRs).
See the Importing Server Certificates and Associating Certificates to Protocols section and the Generating Self-Signed Certificates section of the User Guide for Cisco Secure Access Control System 5.4.
When there is no secondary server that is registered with the primary server, the primary server itself acts as a log collector. Upgrade the ACS 5.3 primary server to ACS 5.4 once all the secondary servers are upgraded to ACS 5.4.
Upgrading the Primary Server
To upgrade the primary server from a 5.3 to 5.4 deployment:
Step 1 Make sure the primary server is a standalone server:
a. Select System Administration > Operations > Distributed System Management.
The Distributed System Management page appears.
b. Check if there are secondary servers listed in the Secondary Instances table. If there are any secondary servers, upgrade those servers before upgrading the 5.3 primary server. See Upgrading the Secondary Servers.
Step 2 Upgrade the ACS server to 5.4. See Upgrading an ACS Server from 5.3 to 5.4.
Step 3 Register the newly upgraded 5.4 server to the existing primary ACS 5.4 server:
a. Select System Administration > Operations > Local Operations > Deployment Operations.
The Deployment operation page appears.
b. Complete the following mandatory fields under the Registration dialog box:
– Primary Instance—The hostname of the primary server that you wish to register the secondary instance with.
– Admin Username—Username of an administrator account.
– Admin Password—The password for the administrator account.
– Hardware Replacement—Check to enable the existing ACS instance to re-register to the primary instance and get a copy of the configuration that is already present in the primary instance.
– Recovery Keyword—Specify the same hostname that was used in the 5.3 deployment to ensure that you associate this server with the Monitoring and Report data that was collected earlier.
After you submit this information, this instance connects to the primary instance. The primary instance finds the associated ACS instance records based on the keyword, and marks each record as registered.
The system displays the following message:
ACS will restart automatically. Wait for some time to make sure that all processes are up and running successfully.

Note When you register a secondary to a primary instance, you can use any account that is created on the primary instance. The credentials that you create on the primary instance are replicated to the secondary instance.
Promote this instance as the ACS 5.4 primary server again. See Promoting a Secondary Server to Primary.
Now the ACS 5.3 deployment is completely upgraded to ACS 5.4.
Upgrading the PKI Data and Certificates
When you upgrade from ACS 5.3 to ACS 5.4 using the application upgrade method, ACS restores the Public Key Infrastructure (PKI), the local certificates, and the outstanding CSRs.
The reimage and upgrade method allows you to back up the ACS 5.3 instance data and retrieve it in ACS 5.4. If you use the reimage and upgrade method, the PKI, local certificates, and outstanding CSRs in the ACS 5.4 instance are erased, and the data retrieved from the ACS 5.3 instance is stored in the ACS 5.4 instance.
Promoting a Secondary Server to Primary
To promote a secondary server to the primary server:
Step 1 From the web interface of the primary server, select System Administration > Operations > Distributed System Management.
The Distributed System Management page appears.
Step 2 In the Secondary Instances table, check the check box next to the secondary server that you want to promote to primary.
The system displays the following message:
The system promotes the selected secondary server to primary and moves it to the Primary Instance table. The existing primary server is automatically moved to the Secondary Instances table.
When the registration completes, ACS performs a full synchronization and sends the ACS 5.4 configuration data to the newly promoted primary server.
Upgrading the ACS Monitoring and Report Viewer
ACS invokes the upgrade of the Monitoring and Report Viewer as a subtask during upgrade.
The maximum disk space that is available for the ACS Monitoring and Report Viewer is 150 GB.
- Restoring the Monitoring and Report Viewer Data After Upgrade
- Upgrading the Database
- Upgrading the Reports
To check the status of the database upgrade, in the Monitoring and Report Viewer, choose Monitoring Configuration > System Operations > Data Upgrade Status.
The Data Upgrade Status page appears, indicating the status of the Monitoring and Report Viewer data upgrade.
When the database upgrade completes, ACS displays the following message:
Upgrade completed successfully.
Restoring the Monitoring and Report Viewer Data After Upgrade
When you restore the backup data after upgrading to 5.4, ACS automatically synchronizes the changes with the database and reports, if any changes are found.
The report data is available only for the period during which you create a backup and not for the period when you restore the data. For example, if you back up the data in June and restore it in August, the report data that is available will be only the data for June and not for August. To get the latest report data, you need to run the reports again.
Upgrading the Database
After the 5.4 upgrade, if you restore the backup that was made prior to the upgrade, ACS displays the database version as AVPair:DBVersion=5.4 and maintains the schema version as 5.4 in the av_system_settings table. When the database process restarts, ACS checks whether the ACS version and the database version are out of date and, if so, performs a schema and data upgrade.
Upgrading the Reports
After you upgrade to 5.4, if you restore the backup that was made before the upgrade, ACS checks whether the reports tag displays “View 5.4”. Then, when the web process starts up, ACS performs the necessary updates.

Note When you click Switch Database, the logs that are generated after performing step 7 (upgrading the database schema to version 5.2) of the log collector server upgrade are lost. ACS retains only the logs that are generated before you perform step 7.
Upgrading an ACS Deployment from 5.2 to 5.4
Follow the same procedure that was described in Upgrading an ACS Deployment from 5.3 to 5.4.
Upgrading an ACS Server from 5.3 to 5.4
When you upgrade from ACS 5.3 to ACS 5.4 version, it is mandatory to install the patch 8 or a subsequent patch before you start upgrading to ACS 5.4.
There are two ways to upgrade an ACS server from 5.3 to 5.4; you can use either of these methods:
Upgrading an ACS Server Using the Application Upgrade Bundle
To upgrade an ACS server from 5.3 to 5.4:
Step 1 Place the ACS 5.4 application upgrade bundle (ACS_5.4.tar.gz) in a remote repository.
To configure the repository, follow the procedure that is given in the CLI Reference Guide for Cisco Access Control System 5.4.
Step 2 Enter the following application upgrade command in EXEC mode to upgrade ACS:
application upgrade ACS_5.4.tar.gz repository-name
ACS displays the following confirmation message:
Do you want to save the current configuration? (yes/no) [yes]?

Note When you upgrade ACS from an older version to version 5.4, if the upgrade bundle size exceeds the allowed disk quota, a warning message is displayed in the CLI, and an alarm is triggered in ACS Monitoring and Reports.
When the ACS upgrade is complete, the following message appears:
% CARS Install application required post install reboot...
The system is going down for reboot NOW!
Application upgrade successful
While ACS upgrades the ACS 5.3 configuration data, it also converts the ACS 5.3 Monitoring and Report Viewer data to the 5.4 format.
Step 4 To monitor the status of the data upgrade, from the Monitoring and Report Viewer, choose Monitoring Configuration > System Operations > Data Upgrade Status.
The Data Upgrade Status page appears, indicating the status of the Monitoring and Report Viewer data upgrade.
When the database upgrade completes, ACS displays the following message:
Upgrade completed successfully.
Step 6 Enter the show application version acs command to check whether the ACS version was upgraded successfully.
The following message is displayed:
Step 7 Enter the show application status acs command in EXEC mode to check whether all the processes are up and running successfully, and press Enter.
Process 'view-database' running
Process 'view-jobmanager' running
Process 'view-alertmanager' running
Process 'view-collector' running
Process 'view-logprocessor' running
Now you can see that all the processes are up and running and that ACS is successfully upgraded to version 5.4.
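Step 2 of the log collector upgrade and Step 7 here both rely on reading show application status acs and confirming that every process reports running, and the registration steps ask you to wait for the processes to come back after the automatic restart. The Python below is an added example, not Cisco code: it parses output in the format the chapter shows, lists any expected process that is missing or not running, and polls a supplied fetch function until the server is healthy. The sample outputs are constructed for the example; only the five view-* process names and the line format come from the page, and the "not running" state text is an assumption.

```python
"""Check 'show application status acs' output after an upgrade (added example, not Cisco code).

Parses lines of the form  Process 'name' <state>  and reports expected
processes that are absent or not 'running'. The sample outputs are constructed;
the state text for a process that is still starting is an assumption.
"""
import re
import time
from typing import Callable, Dict, List

# One output line looks like:  Process 'view-database' running
_LINE = re.compile(r"^\s*Process\s+'(?P<name>[^']+)'\s+(?P<state>.+?)\s*$")

# The five Monitoring and Report Viewer processes listed in the chapter.
EXPECTED_VIEW_PROCESSES = [
    "view-database", "view-jobmanager", "view-alertmanager",
    "view-collector", "view-logprocessor",
]


def parse_process_status(output: str) -> Dict[str, str]:
    """Map each process name to its reported state; lines that do not match are ignored."""
    states: Dict[str, str] = {}
    for line in output.splitlines():
        m = _LINE.match(line)
        if m:
            states[m.group("name")] = m.group("state").lower()
    return states


def processes_not_running(output: str, expected: List[str]) -> List[str]:
    """Return the expected processes that are missing from the output or not 'running'."""
    states = parse_process_status(output)
    return [p for p in expected if states.get(p) != "running"]


def wait_until_running(fetch_output: Callable[[], str], expected: List[str],
                       attempts: int = 30, delay_s: float = 10.0) -> int:
    """Poll fetch_output() (e.g. a function that runs the show command over SSH) until
    every expected process is running. Returns the number of polls used; raises
    TimeoutError if the processes never all reach 'running'."""
    for i in range(1, attempts + 1):
        if not processes_not_running(fetch_output(), expected):
            return i
        if i < attempts:
            time.sleep(delay_s)
    raise TimeoutError("ACS processes did not all reach 'running'")


# Constructed sample: healthy output, in the format shown in the chapter.
HEALTHY_OUTPUT = """\
Process 'view-database' running
Process 'view-jobmanager' running
Process 'view-alertmanager' running
Process 'view-collector' running
Process 'view-logprocessor' running
"""

# Constructed sample of a server still coming up after the reboot: one process
# reports a non-running state (assumed wording) and one line is absent entirely.
DEGRADED_OUTPUT = """\
Process 'view-database' running
Process 'view-jobmanager' not running
Process 'view-alertmanager' running
Process 'view-collector' running
"""


if __name__ == "__main__":
    for label, out in (("healthy", HEALTHY_OUTPUT), ("degraded", DEGRADED_OUTPUT)):
        bad = processes_not_running(out, EXPECTED_VIEW_PROCESSES)
        print(f"{label}: " + ("all processes running" if not bad else "not running: " + ", ".join(bad)))
```

The wait_until_running helper is what you would wrap around the command after the automatic restart in the registration steps: pass it whatever function returns the command output on your side, and keep the delay generous, since the chapter only says to wait "for some time".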
Reimaging and Upgrading an ACS Server
This section explains how to upgrade ACS 5.3 to 5.4 by backing up the ACS 5.3 data and restoring it on a reimaged ACS 5.4 server. You must have physical access to the ACS appliance to perform this upgrade procedure.
To perform a reimage and upgrade to ACS 5.4:
Step 1 Back up the ACS data from the ACS 5.3 server.
Step 2 Enter the following backup command in EXEC mode to perform a backup and place the backup in a repository.
backup backup-name repository repository-name

Note When you back up your data, if the data size exceeds the allowed disk quota, a warning message is displayed in the CLI, and an alarm is triggered in ACS Monitoring and Reports.

Note Ensure that you use a remote repository for the ACS 5.3 data backup. Otherwise, you might lose the backed-up data after you install 5.4.
Step 3 Use the ACS 5.4 recovery DVD to install ACS 5.4. See Reimaging the ACS Server.
This reimages the ACS server to a fresh ACS 5.4 server that does not have any configuration data.
Step 4 Configure a repository in the fresh ACS 5.4 server to restore the backed-up data.
Step 5 Restore the data that was previously backed up in Step 2 to the ACS 5.4 server.
Enter the restore command in EXEC mode to restore the backup:
restore filename repository repository-name

Note When you restore the backed-up data, if the data size exceeds the allowed disk quota, a warning message is displayed in the CLI, and an alarm is triggered in ACS Monitoring and Reports.

Note If you restore the CARS backup on different hardware, you must change the IP address of the ACS machine to bring it up and running.
When you restore from the 5.3 backup file, this command restores the ACS 5.3 configuration data and also converts and upgrades the ACS 5.3 Monitoring and Report Viewer data to the 5.4 format.
If the backed up data size exceeds the allowed disk quota of ACS, a warning message is displayed in the CLI, and an alarm is displayed in ACS Monitoring and Reports.
Step 6 To monitor the status of the data upgrade, from the Monitoring and Report Viewer, choose Monitoring Configuration > System Operations > Data Upgrade Status.
The Data Upgrade Status page appears, indicating the upgrade status of the Monitoring and Report Viewer data.
When the database upgrade completes, the following message is displayed.
Upgrade completed successfully.

Warning The ACS restore does not update the PKI on mgmt/eap. HTTPS uses a self-signed certificate, even though the only certificate in the GUI/db was the CA-signed one.
The work-around for this is:
1. Create a temporary self-signed certificate and assign EAP/mgmt to it.
2. Re-assign EAP/mgmt to the CA-signed certificate.
3. Delete the self-signed certificate.

Note If the backup data is huge in size, the extraction process might take from a minimum of 1 hour to many hours to complete.

Note Restore the backup file in the same ACS server, to avoid IP conflict issues.
Upgrading an ACS Server from 5.2 to 5.4
To upgrade your ACS 5.2 server to ACS 5.4, follow the same procedure that was described in Upgrading an ACS Server from 5.3 to 5.4.
Applying an ACS Patch
You can download the ACS 5.4 cumulative patches from the following location:
http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm
To download and apply the patches:
Step 1 Log into Cisco.com and navigate to Network Management > Security and Identity Management > Cisco Secure Access Control Server Products > Cisco Secure Access Control System > Cisco Secure Access Control System 5.4.
Step 3 Install the ACS 5.4 cumulative patch by running the following acs patch command in EXEC mode:
acs patch install patch-name.tar.gpg repository repository-name
ACS displays the following confirmation message:
Installing an ACS patch requires a restart of ACS services.
Would you like to continue? yes/no
The ACS version is upgraded to the applied patch. Check whether all services are running properly, using the CLI show application status acs command from EXEC mode.
Step 5 Enter the show application version acs command in EXEC mode and verify whether the patch is installed properly. ACS displays the following message:
acs/admin# show application version acs
------------------------------

Note During the patch installation, if the patch size exceeds the allowed disk quota, a warning message is displayed in the CLI, and an alarm is triggered in ACS Monitoring and Reports.
Upgrading ACS 5.2 or 5.3 on CSACS-1120 or CSACS-1121 to SNS-3415
If you have ACS 5.2 or 5.3 installed on a CSACS-1120 or CSACS-1121 appliance and want to upgrade to an SNS-3415 appliance, follow the steps below.
Step 1 Back up your existing ACS 5.2 or 5.3 setup.
Step 2 Obtain an SNS-3415 appliance with ACS 5.4 installed on it.
Step 3 Restore the ACS 5.2 or 5.3 backup taken in Step 1.

Note The application upgrade command is not applicable if you want to move to ACS 5.4 on an SNS-3415 appliance. You must install ACS 5.4 on the SNS-3415 appliance and restore the backup obtained from your CSACS-1120 or CSACS-1121 appliance.