Upgrading OneSpan Authentication Server

Before you begin

Ensure that you successfully completed and verified the required pre-upgrade tasks and settings (see Pre-upgrade tasks and considerations), in particular that:

  • You are logged on using a user account with sufficient administrative privileges on the machine to run the upgrade.

When upgrading from OneSpan Authentication Server 3.14 or an earlier supported version using the embedded PostgreSQL database, the embedded database and existing data are automatically migrated from the PostgreSQL database to a new MariaDB database.

This migration can take quite some time depending on the size of the database. To minimize migration time, you can reduce the amount of data to migrate before starting the upgrade by exporting and deleting audit data from the database. For more information, refer to the OneSpan Authentication Server Administrator Guide, Section "Audit Message Import/Export".

Upgrading OneSpan Authentication Server

To upgrade OneSpan Authentication Server

  1. Open a terminal window.

    Ensure that the terminal window resolution is at least 80x24. Otherwise the Configuration Wizard cannot start automatically after the installation or upgrade.

  2. If required, log in as root using the hyphen option (su -).

    This ensures you load the root profile, not the default profile.

  3. Run ./upgrade.sh from the Installation CD.

  4. If required, specify the user account that the OneSpan Authentication Server daemon should run as, by default vasco-ias.

    If you specify a user that does not exist, the upgrade script will automatically create that user.

  5. If required, specify the user account that the Message Delivery Component daemon should run as, by default vasco-mdc.

    If you specify a user that does not exist, the upgrade script will automatically create that user.

  6. If required, specify whether to encrypt the embedded MariaDB database and database connections.

    If you want to use encryption for the data store and all connections to the embedded database, type yes. Type no to leave it unencrypted.

    Once you decide to use (or not use) encryption for the embedded database and all database connections, encryption will remain permanently enabled (or disabled). You cannot change this setting at a later time!

    This step is only necessary if the script detects an outdated embedded PostgreSQL installation that needs to be replaced with an embedded MariaDB.

  7. Confirm that the script will stop any OneSpan Authentication Server daemons and upgrade your system.

  8. If required, install missing dependencies.

    The script is designed to install as many dependencies as possible. However, due to license and other restrictions, not all required standard packages are shipped with the OneSpan Authentication Server setup. Any required dependency that is not already installed and that the script cannot install automatically is listed, and you are prompted to install it now.

    1. Open a separate terminal window.
    2. Install the required packages according to your Linux distribution.
    3. Return to the terminal window where the OneSpan Authentication Server script is running and press Enter.

    The following default packages need to be additionally installed on Red Hat Enterprise Linux 7, Red Hat Enterprise Linux 8, and Rocky Linux 8:

    • chkconfig
    • coreutils
    • initscripts
    • gtk2
    • ncurses-libs
    • redhat-lsb-core
    • unixODBC

    Example: yum install chkconfig coreutils initscripts gtk2 ncurses-libs redhat-lsb-core unixODBC

    The following default packages need to be additionally installed on Red Hat Enterprise Linux 7 if you want to install the embedded MariaDB:

    • boost-program-options
    • iproute
    • libcom_err
    • libnsl
    • libpmem
    • openssl
    • openssl-libs
    • pam
    • pcre2
    • perl (including perl-DBI, perl-File-Copy, perl-Sys-Hostname)
    • pv (EPEL package)
    • socat
    • zlib

    Example: yum install perl-DBI boost-program-options socat libpmem

    The following default packages need to be additionally installed on Red Hat Enterprise Linux 8 and Rocky Linux 8 if you want to install the embedded MariaDB:

    • boost-program-options
    • compat-openssl10
    • iproute
    • libpmem
    • libnsl
    • openssl
    • openssl-libs
    • pam
    • pcre2
    • perl (including perl-DBI, perl-File-Copy, perl-Sys-Hostname)
    • socat
    • zlib

    Example: yum install openssl-libs openssl compat-openssl10 libnsl libpmem

    The following default packages need to be additionally installed on Red Hat Enterprise Linux 9 and Rocky Linux 9:

    • chkconfig
    • coreutils
    • initscripts
    • gtk2
    • ncurses-compat-libs (EPEL package)
    • unixODBC

    Example: dnf install chkconfig coreutils initscripts gtk2 ncurses-compat-libs unixODBC

    The following default packages need to be additionally installed on Red Hat Enterprise Linux 9 and Rocky Linux 9 if you want to install the embedded MariaDB:

    • boost-program-options
    • iproute
    • libedit
    • libpmem
    • ncurses-libs
    • openssl
    • openssl-libs
    • pam
    • pcre2
    • perl (including perl-DBI, perl-File-Copy, perl-Sys-Hostname)
    • socat
    • zlib

    Example: dnf install openssl-libs openssl libpmem socat zlib

    Some packages are part of the Extra Packages for Enterprise Linux (EPEL) repository. If you haven't done so already, you need to include the EPEL repository before you can install any packages from it:

    • RHEL 7: sudo yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
    • RHEL 9: sudo dnf install epel-release

    The following default packages need to be additionally installed on Ubuntu Server 22.04 LTS:

    • libgtk2.0-0
    • libncurses5
    • init-system-helpers
    • unixodbc

    Example: apt install libgtk2.0-0 libncurses5 init-system-helpers unixodbc

    The following default packages need to be additionally installed on Ubuntu Server 22.04 LTS if you want to install the embedded MariaDB:

    • iproute2
    • libpmem1
    • libcrypt1
    • libedit2
    • libgcc-s1
    • libncurses6
    • libpam0g
    • libpcre2-8-0
    • libssl3
    • libtinfo6
    • liburing2
    • perl
    • procps
    • psmisc
    • socat
    • zlib1g

    Example: apt install iproute2 libpmem1 libcrypt1 libedit2

    On Red Hat Enterprise Linux 7, you need to update OpenSSL if the following error message occurs during installation:

    error: Failed dependencies:

    libcrypto.so.10(OPENSSL_1.0.2)(64bit) is needed by MariaDB-client-10.6.12-1.el7.centos.x86_64

    Error: Cannot install package(s).

    • With internet access, you can update OpenSSL with yum install openssl-libs openssl
    • In environments without internet access, you can update OpenSSL from the OneSpan Authentication Server ISO image using sudo rpm -U libsepol-2.5-10.el7.x86_64.rpm openssl-1.0.2k-19.el7.x86_64.rpm openssl-libs-1.0.2k-19.el7.x86_64.rpm. The RPM files are located in Software/Linux/IAS_3.20/redhat/rhel7.

    When you install the embedded MariaDB database on Red Hat Enterprise Linux, you might get a conflict with older MariaDB or MySQL packages, such as:

    file /etc/my.cnf from install of MariaDB-common-10.11.5-1.el7.centos.x86_64 conflicts with file from package mysql-libs-5.1.73-3.el6_5.x86_64

    or

    error: Failed dependencies:

    mariadb-libs < 1:10.1.0 conflicts with MariaDB-compat-10.11.5-1.el7.centos.x86_64

    mariadb-libs is obsoleted by MariaDB-compat-10.11.5-1.el7.centos.x86_64

    To resolve this issue, the conflicting package needs to be removed. This can be done using rpm --erase --nodeps <package-name> for mariadb-libs.

    This command normally needs to be executed with root permissions (e.g. using sudo).

    When you install the embedded MariaDB database on Red Hat Enterprise Linux 9 or Rocky Linux 9, you might get a package conflict, such as:

    Package rhel9/MariaDB-shared obsoletes following packages: mariadb-connector-c, mariadb-connector-c-config

    To resolve this issue, the conflicting package needs to be removed. This can be done using the following command:

    dnf remove mariadb-connector-c*

    Note that removing the mariadb-connector-c and mariadb-connector-c-config packages might also implicitly remove other applications installed.

    The upgrade script upgrades all required components.
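The dependency and conflict checks from step 8 can be run before starting ./upgrade.sh, so that the upgrade does not stop at the prompt after the daemons have already been stopped. The following read-only preflight is an added example, not part of the OneSpan installation media; it covers the Red Hat Enterprise Linux 9 / Rocky Linux 9 lists above, and the function and variable names (pkg_filter, preflight, BASE_PKGS, MARIADB_PKGS, CONFLICT_PKGS) are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: read-only preflight for step 8 on RHEL 9 / Rocky Linux 9.
# Package names are copied from the lists on this page; all other names are hypothetical.
BASE_PKGS="chkconfig coreutils initscripts gtk2 ncurses-compat-libs unixODBC"
MARIADB_PKGS="boost-program-options iproute libedit libpmem ncurses-libs openssl openssl-libs pam pcre2 perl perl-DBI perl-File-Copy perl-Sys-Hostname socat zlib"
CONFLICT_PKGS="mariadb-libs mysql-libs mariadb-connector-c mariadb-connector-c-config"

# pkg_filter MODE WANTED INSTALLED
#   MODE=missing: names in WANTED that are absent from INSTALLED
#   MODE=present: names in WANTED that are found in INSTALLED
# INSTALLED may be separated by spaces or newlines; names are matched whole,
# so "openssl" does not match "openssl-libs".
pkg_filter() {
    local mode=$1 pkg out="" have
    have=" $(printf '%s' "$3" | tr -s '[:space:]' ' ') "
    for pkg in $2; do
        case "$have" in
            *" $pkg "*) [ "$mode" = present ] && out="$out $pkg" ;;
            *)          [ "$mode" = missing ] && out="$out $pkg" ;;
        esac
    done
    echo "${out# }"
}

# Query the RPM database and report what must be resolved before the upgrade.
# Returns 0 only if nothing is missing and nothing conflicts.
preflight() {
    local installed missing conflicts p
    installed=$(rpm -qa --qf '%{NAME}\n')
    missing=$(pkg_filter missing "$BASE_PKGS $MARIADB_PKGS" "$installed")
    conflicts=$(pkg_filter present "$CONFLICT_PKGS" "$installed")
    [ -n "$missing" ] && echo "Not installed: $missing"
    for p in $conflicts; do
        echo "Conflicts with the embedded MariaDB: $p; installed packages that require it:"
        # Removing a conflicting package can affect its dependents, so list them first.
        rpm -q --whatrequires "$p" || true
    done
    [ -z "$missing$conflicts" ]
}

# Run only on hosts that have rpm; nothing is installed or removed.
if command -v rpm >/dev/null 2>&1; then
    preflight || echo "Resolve the items above before running ./upgrade.sh"
fi
```

The packages listed as required by a conflicting package are the ones to review before using rpm --erase --nodeps or dnf remove as described in step 8.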

Next steps

When the required components have been upgraded, the Configuration Wizard is started to complete the upgrade configuration (see Configuring OneSpan Authentication Server (upgrade)).