Apply ActivID AS Updates

The update process for both hot fixes and service packs is the same.

Important: Review the release notes provided with the update package BEFORE applying the update. They contain specific instructions for the update process.

Prerequisites

  • The ActivID AS software update script (<ACTIVID_HOME>/ActivID_AS/bin/updateSoftware.sh) should be launched as an authorized user account.
    Note: If the authorized user account is not root, then a user with the necessary permissions should be configured in the system sudoers.
  • Make sure the following third-party software is installed:

    • xdelta

    • rpm

    • cpio

    • zip

Install the HID Global Signature Public Key

Each ActivID AS RPM package is signed with a PGP key so that its integrity and origin can be verified.

The hot fixes or service packs might require installing the latest HID Global Code Signing key.

You should install the HID Global Code Signing key on the Unix host so that the ActivID AS software update script is able to verify ActivID AS RPM packages.

For further information, go to the HID Security Center at https://www.hidglobal.com/security-center.

Note: The keys sign the specified ActivID AS product version and corresponding hot fixes and service packs.

  1. Get the HID Global Code Signing keys using one of the following methods:

    • (Recommended) From the HID Global Security Center at https://www.hidglobal.com/security-center/keys
    • From a public web site, such as https://pgp.mit.edu, using the <Key Name> as the "Search String" to extract a key.
      Note: The availability of the keys might vary from one site to another.
    • From the HID-Global-Code-Signing folder on the ActivID AS 8.6 Service Pack delivery disk.

    The following table lists all the keys that are currently available.

    | ActivID AS Version | Key Name | Short Key ID | Full Key ID | Fingerprint |
    |---|---|---|---|---|
    | 8.1 | HID Global Code Signing (DIDS1701001) | 560E7824 | 0xC2BFB923560E7824 | 7F5E 3AFF DC86 0305 64BF BD14 C2BF B923 560E 7824 |
    | 8.1.1 | HID Global Code Signing (DIDS1802002) | 79FFF219 | 0xA1CE717E79FFF219 | BC71 0383 6C7E DC8F 2094 6B19 A1CE 717E 79FF F219 |
    | 8.2/8.3 | HID Global Code Signing (DIDS1811002) | 9DFFAE6D | 0xB703782E9DFFAE6D | 6CCD ADB4 7CB6 CBF1 0C94 3474 B703 782E 9DFF AE6D |
    | 8.4 | HID Global Code Signing (DIDS1912001) | AE11FC7F | 0x2CAF27EEAE11FC7F | 952D 053D 9716 2D7A BD24 4C5C 2CAF 27EE AE11 FC7F |
    | 8.5 | HID Global Code Signing (DIDS2011007) | F61FF45B | 0x7BF02F2CF61FF45B | B9B8 A9E5 8E1E 6346 7BD9 6A65 7BF0 2F2C F61F F45B |
    | 8.6 | HID Global Code Signing (DIDS2212000) | B16ABCBC | 0x870C5135B16ABCBC | FA74 6D87 305C 8378 BA37 5BDA 870C 5135 B16A BCBC |

Important: You must install ALL the keys listed in the table, not only the key for the ActivID AS version you are deploying.

  2. Then on all the nodes in your deployment and for each key:

    1. Copy the key file to the local system.
    2. In a terminal window, import the key file in the local RPM database using the following command:

      rpm --import <key file name>

    3. Verify that the HID Global Code Signing key is correctly installed using the following command:

      rpm -qa gpg-pubkey*

You can manually verify the ActivID AS RPM package signatures using the following command:

rpm -K <rpm-filename>

Or

rpm -K *.rpm

It should display the following:

<rpm name>: sha1 pgp md5 OK
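
Added example (not part of the HID Global documentation or scripts): shell helpers that compare a downloaded key file's full fingerprint with the table above before it is imported, and that accept an `rpm -K` line only when it reports a verified signature rather than matching digests alone. The function names are hypothetical, `gpg --show-keys` assumes a recent GnuPG 2.x on the host, and the `digests signatures OK` wording is what newer rpm releases print in place of the line shown above.

```shell
#!/bin/sh
# Added example; helper names are hypothetical, not part of ActivID AS.

# Strip spaces and an optional 0x prefix, then uppercase a fingerprint.
norm_fpr() {
    printf '%s' "$1" | tr -d ' ' | sed 's/^0[xX]//' | tr 'a-f' 'A-F'
}

# key_fpr_matches EXPECTED
# Reads `gpg --show-keys --with-colons <key file>` output on stdin and succeeds
# only if the primary key's full fingerprint (first "fpr" record, field 10)
# equals EXPECTED. The key name and short key ID are not compared, because
# neither is unique to one key.
key_fpr_matches() {
    expected=$(norm_fpr "$1")
    actual=$(awk -F: '$1 == "fpr" { print toupper($10); exit }')
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# rpm_k_signed_ok LINE
# Succeeds only if one `rpm -K` result line shows a verified signature.
# "sha1 md5 OK" or "digests OK" (no pgp/gpg/signatures token) means the
# digests matched but nothing proved who built the package.
rpm_k_signed_ok() {
    line=" ${1#*: } "                      # drop "<rpm name>: "
    case $line in *" NOT OK"*) return 1 ;; esac
    case $line in *" OK "*) ;; *) return 1 ;; esac
    case $line in
        *" pgp "*|*" gpg "*|*" signatures "*) return 0 ;;
    esac
    return 1
}

# verify_rpms FILE...: stop at the first package that is not signed and verified.
verify_rpms() {
    for f in "$@"; do
        out=$(rpm -K "$f" 2>&1) || { echo "rpm -K failed: $out" >&2; return 1; }
        rpm_k_signed_ok "$out" || { echo "no verified signature: $out" >&2; return 1; }
    done
}

# Usage on a node (key file and package names are placeholders):
#   gpg --show-keys --with-colons <key file name> |
#       key_fpr_matches "7F5E 3AFF DC86 0305 64BF BD14 C2BF B923 560E 7824" &&
#       rpm --import <key file name>
#   verify_rpms <rpm-filename>
```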

Other useful commands are:

  • Display the list of all keys installed for RPM verification:

    rpm -qa gpg-pubkey*

  • Display details about a specific key:

    rpm -qi <key name>

  • Remove a specific key:

    rpm -ev <key name>

Apply a Hot Fix Update

Prerequisites: You have installed the latest version of the HID Global Code Signature Public Key.
  1. Verify the required prerequisites.
  2. Download the software update package delivery to the ActivID AS host.

    It can be copied anywhere on the file system where the authorized user account has access.

  3. Make sure the expected HID Global Signature Public Key is installed.
  4. Make sure the expected ActivID Authentication Server version is already installed using the following command:

    <ACTIVID_HOME>/ActivID_AS/bin/updateSoftware.sh -v

  5. If specified in the update release notes, apply any third-party updates.
  6. As root (or an authorized user account), run the updateSoftware.sh script to install the hot fix RPM using the following command:

    <ACTIVID_HOME>/ActivID_AS/bin/updateSoftware.sh <OPTION>

    The possible values for <OPTION> are:

    -p <rpm file path>

      • Install the hot fix .rpm file provided by the <rpm file path> value.
      • Apply the following on each ActivID AS customizable configuration file found in the file system:
        • If it is a properties file, merge it with the updated version available in the hot fix.
        • If it is not a properties file, back it up (add the '.rpmsave' suffix to the file name) and install the new one found in the hot fix (a manual merge is required).
      • If required, in the <ACTIVID_HOME>/ActivID_AS/deploy folder, re-generate the WAR/EAR files that need to be redeployed on the application server.
      • Provide details about the hot fix installation in the log files located in the home/ftadmin/softupdate/logs folder.

    -v

      Display information about the ActivID AS installation.

    -g

      Re-generate the ActivID AS applications WAR/EAR files in the <ACTIVID_HOME>/ActivID_AS/deploy folder.

    When the process is complete, the script lists the:

      • ActivID AS applications that should be re-deployed.
      • Configuration files that should be merged manually.

  7. Update your security domains with the latest dataset using the following command as ftadmin:

    <ACTIVID_HOME>/ActivID_AS/bin/manageDomains.sh -u

    Important: If your deployment has multiple ActivID AS server nodes, apply this step on only one of the nodes.

  8. Based on the software update script output, re-deploy the updated ActivID AS applications on the application server and merge any configuration files.
  9. If specified in the update release notes, restart the ActivID AS applications.

    Important: If your deployment has multiple ActivID AS server nodes, apply this step on all the nodes.

  10. Apply any required customization available with the new version of the software (see the release notes provided with the update and Customizing Your Authentication Server).

Apply a Service Pack Update

Prerequisites: You have installed the latest version of the HID Global Code Signature Public Key.
Important: Installing the ActivID AS 8.6 (8.1 SP6) Service Pack

If ActivID AS 8.5 is NOT installed on the default installation path (/usr/local/activid), you must install the ActivID AS 8.6 (8.1 SP6) service pack as follows:

  1. Create a symlink to the default installation path using the following command:

    ln -s <Custom-Install-Path>/ /usr/local/activid

  2. Install the ActivID AS 8.6 (8.1 SP6) service pack as described below.
  3. Remove the symlink after the update has been successfully applied using the following command:

    rm /usr/local/activid

  1. ONLY if specified in the update release notes, stop all the ActivID AS applications.

    This will cause a short interruption of services.

    Important: If your deployment has multiple ActivID AS server nodes, apply this step on all the nodes.

  2. On each ActivID AS node:

    1. Verify the required prerequisites.
    2. Download the software update package delivery to the ActivID AS host.

      It can be copied anywhere on the file system where the authorized user account has access.

    3. Make sure the expected HID Global Signature Public Key is installed.
    4. Make sure the expected ActivID Authentication Server version is already installed using the following command:

      <ACTIVID_HOME>/ActivID_AS/bin/updateSoftware.sh -v

  3. If specified in the update release notes, apply any third-party updates.
  4. As root (or an authorized user account), run the updateSoftware.sh script to install the service pack RPM using the following command:

    <ACTIVID_HOME>/ActivID_AS/bin/updateSoftware.sh <OPTION>

    The possible values for <OPTION> are:

    -p <rpm file path>

      • Install the service pack .rpm file provided by the <rpm file path> value.
      • Apply the following on each ActivID AS customizable configuration file found in the file system:
        • If it is a properties file, merge it with the updated version available in the service pack.
        • If it is not a properties file, back it up (add the '.rpmsave' suffix to the file name) and install the new one found in the service pack (a manual merge is required).
      • If required, in the <ACTIVID_HOME>/ActivID_AS/deploy folder, re-generate the WAR/EAR files that need to be redeployed on the application server.
      • Provide details about the service pack installation in the log files located in the home/ftadmin/softupdate/logs folder.

    -v

      Display information about the ActivID AS installation.

    -g

      Re-generate the ActivID AS applications WAR/EAR files in the <ACTIVID_HOME>/ActivID_AS/deploy folder.

    Note: For service packs, the RPM file is provided in the ActivID-Service-Pack folder on the ActivID AS Service Pack delivery disk.

    When the process is complete, the script lists the:

      • ActivID AS applications that should be re-deployed.
      • Configuration files that should be merged manually.

  5. Update your security domains with the latest dataset using the following command as ftadmin:

    <ACTIVID_HOME>/ActivID_AS/bin/manageDomains.sh -u

    Important: If your deployment has multiple ActivID AS server nodes, apply this step on only one of the nodes.

  6. Based on the software update script output, re-deploy the updated ActivID AS applications on the application server and merge any configuration files.
  7. If specified in the update release notes, restart the ActivID AS applications.

    Important: If your deployment has multiple ActivID AS server nodes, apply this step on all the nodes.

  8. Apply any required customization available with the new version of the software (see the release notes provided with the update and Customizing Your Authentication Server).