Upgrading to VMware Identity Manager 3.3.1

January 14, 2020

Reading time: 4 minutes

I recently had the pleasure of upgrading two virtual appliance-based VMware Identity Manager 3.3.0 deployments to 3.3.1 using the offline update method without the assistance of vRealize Suite Lifecycle Manager. When I reviewed the update documentation, I found that this release didn’t support the offline update process I previously utilized, so I figured I’d create a quick post providing an overview of the supported update processes for 3.3.1.

What Changed?

In previous releases of VMware Identity Manager 3.x, the virtual appliance offline upgrade process I followed involved upgrading each appliance using an onsite web-based repository as documented in the VMware Identity Manager Prepare a Local Web Server for Offline Upgrade documentation. I’d then follow the process for executing the upgrade from the local web server, as documented in the VMware Identity Manager Configure Appliance and Perform Offline Upgrade documentation. This process was straightforward and made it easy to update multiple virtual appliances from a central repository. However, 3.3.1 does not appear to support this method and only supports one offline upgrade process, as documented in the VMware Identity Manager 3.3.1 Using the updateoffline.hzn Script for Offline Upgrade documentation.

Supported Upgrade Methods

VMware Identity Manager 3.3.1 supports three upgrade methods. The most obvious and VMware’s preferred method is to utilize vRealize Suite Lifecycle Manager 8.0 as VMware Identity Manager 3.3.1 was released to support vRealize Automation 8.0, which requires that security group information be passed as part of the SAML token. This capability was added in 3.3.1 and has been needed for a long time when supporting authentication to third-party applications. Additionally, VMware supports two upgrade methods utilizing the CLI; one online and one offline.

vRealize Suite Lifecycle Manager 8.0 Upgrade Method

By far, the upgrade process using vRealize Suite Lifecycle Manager (vRSLCM) 8.0 is the easiest. If you already have vRSLCM 8.0 deployed in your environment and your VMware Identity Manager deployment conforms to vRealize Suite Lifecycle Manager supported form-factor, I recommend that you follow the vRSLMC 8.0 Upgrade VMware Identity Manager process. Otherwise, the upgrade must be performed outside vRealize Suite Lifecycle Manager using the online or offline upgrade methods.

Online Upgrade Method

The online upgrade method is almost the same as it has been for all of the 3.x releases. This process involves verifying that your deployment meets all of the VMware Identity Manager Prerequisites for Online Upgrade. The difference in this process is documented in the VMware Identity Manager Performing an Online Upgrade to Version 3.3.1 steps 3 and 4. This process requires that you explicitly specify the target version of VMware Identity Manager as part of the upgrade process.

Offline Upgrade Method

As I mentioned previously, this release of VMware Identity Manager doesn’t support upgrading for a local web-based update repository. Instead, you will need to follow the Upgrading VMware Identity Manager Offline process. Additionally, before starting the upgrade process, there are a couple of steps in the VMware Identity Manager 3.3.1 Release Notes that must be completed. These steps are:

Before you start the upgrade to 3.3.1, edit the /etc/init.d/horizon-workspace script. Replace the line

# Should-Start:      $named $remote\_fs $time hzn-sysconfig elasticsearch thinapprepo

with

# Should-Start:      $named $remote\_fs $time hzn-sysconfig thinapprepo

Save the file and proceed with the upgrade.

Note: When you upgrade to VMware Identity Manager 3.3.1 for Linux, if you see the following error message and the upgrade is aborted, follow these steps to update the certificate. After the certificate is updated, restart the upgrade.

"Certificate auth configuration update required for tenant <tenantName> prior to upgrade. Pre-update check failed, aborting upgrade."

Log in to the VMware Identity Manager console.
Navigate to Identity & Access Management > Setup.
In the Connectors page, click the link in the Worker column
Click the Auth Adapters tab, then click CertificateAuthAdapter.
In the Uploaded CA Certificates section, click the red X next to the certificate to remove it.
In the Root and intermediate CA Certificates section, click Select File to re-add the certificate.
Click Save.

After completing the above steps, your offline upgrade process should execute smoothly. Good luck with your upgrade, and if you have any questions, feel free to leave a comment below!