Server updates - OS updates

Page under construction, please do not use (yet).

To ensure secure operation, servers in the infrastructure have to be kept up to date. This tutorial addresses the need for OS updates of the IdM server and gives basic guidelines and recommendations.

Each organization has some sort of schedule for applying OS patches: weekly, monthly, quarterly, never (not a good one), etc. You can patch the OS according to your strategy, but we recommend patching at least once every three months. IdM relies on packages and libraries from the operating system, and if those are not patched, the security of the whole IdM solution also deteriorates.

Before applying updates, there are a few things to consider:

  • Impact on users
    • IdM is often deployed as a self-service portal for users. You should plan the downtime so that as few users as possible are affected.
    • Users may make changes in IdM that start long-running tasks (e.g. automatic role changes). Those tasks are executed asynchronously and may still be running after the user who started them has logged off. TODO
  • Impact on IdM batch jobs (long-running tasks - LRT)
    • IdM has an internal cron that schedules batch jobs. To be safe, no job should be running while you are doing the update. The safest way to achieve this is to stop the IdM service before applying updates.
    • Batch jobs usually run at night, so it is not strictly necessary to stop IdM, but you have to make sure you have enough time to perform the patching (and a possible rollback) before the batch jobs start to execute.
    • Restarting IdM cancels any LRT that is running at that moment; the LRT will not resume automatically after IdM comes back up.
  • by fiserp