Server updates - OS updates

To ensure secure operation, servers in the infrastructure have to be kept up to date. This tutorial addresses the need for OS updates of the IdM server and gives basic guidelines and recommendations.

Each organization has some sort of schedule to apply OS patches: weekly, monthly, quarterly, never (not a good one), etc. You can patch the OS according to your strategy, but we recommend to perform patching at least once every three months. IdM relies on packages and libraries from the operating system and if those are not patched, security of the whole IdM solution also deteriorates.

Before applying updates, there are few things to consider:

• Impact on users
  • IdM is often deployed as a self-service portal for users. You should plan the downtime such that minimal number of users is affected.
  • Users may make changes in the IdM that start some long running tasks (e.g. automatic roles changes). Those tasks are executed asynchronously and may be running even if the user who started the task has already logged off.
• Impact on IdM batch jobs (long running tasks - LRT)
  • IdM has internal cron that schedules LRT jobs. To make things safe, no job should be running when you are doing the update. The safest way to achieve this is to stop the IdM service before applying updates.
  • LRTs run usually at night so it is not entirely necessary to stop the IdM, but you have to make sure you have enough time to perform the patching (and possible rollback) before jobs start to execute.
  • Restarting IdM cancels the LRT that was currently running, LRT will not pick up automatically after IdM goes up again.
• Impact on end systems connected to IdM
  • There is no direct impact on other systems.
  • There may be some impact on connections the IdM makes in order to manage end systems.
    • Some end systems use SSL-secured form of communication and IdM needs to have their certificate in its Java truststore. If the truststore was improperly configured and gets regenerated (i.e. due to ``ca-certificates`` package update), all extra certificates are lost making SSL connections to end systems fail. This should not happen because IdM should use its own, explicitly created and configured, truststore.
    • Some end systems that are connected via WinRM. The WinRM library uses Python and some of Python's libraries come from the OS packages. Upgrading those packages system-wide has small but possible impact on the way the WinRM/Python works.
• Impact on OS
  • OS may seemingly not boot after the updates (boot or network issues, SSHd/RDP daemon issues). We recommend to have complete backup of ``/boot`` and ``/etc`` directories. Out-of-band access to a machine is a must.
  • In our deployments, we use mainly RHEL/CentOS (sometimes Debian) and Windows OSes. If you deploy IdM accordingly (tutorials here and here, OS updates are generally painless.
  • Packages from OS that IdM deployment uses
    • Java (openjdk package referenced through ``/usr/lib/…`` and therefore through ``/etc/alternatives/…``). Java patchset may be updated, bud the version should stay the same (e.g. update ``1.8u27→1.8u90`` is OK, but update ``Java8→Java9`` is not).
    • PostgreSQL is installed generally from OS or PGDG repositories and is considered pretty stable. Updating package when PostgreSQL version stays the same is OK. Updating PostgreSQL version (e.g. ``9.6→10``) should be OK, but we recommend at least to make a backup of IdM database (in case you have to rollback the previous PostgreSQL version).
    • Apache HTTPD. Deployment should be stable and no special care is needed. We recommend to have a backup of vhost configuration.
  • Windows-based installations have all deployment components installed by-hand and therefore are not really susceptible to break by OS updates. But this also means you have to update all deployment components manually.