Before you upgrade the VMware Identity Manager virtual appliance offline, perform these prerequisite tasks.

Important: Starting with VMware Identity Manager 19.03.0.0, the VMware Identity Manager service no longer includes an embedded connector and the external Linux-based connector is deprecated. New versions of the external Linux-based connector are no longer available.

If you are upgrading from a deployment that uses the embedded connector, you must switch to the external Windows-based connector. If you are using the external Linux-based connector, the best practice is to switch to the external Windows-based connector during this upgrade. Otherwise, you cannot use the newest functionality available in the updated connector. If you are using the external Windows-based connector, you can continue to use existing instances, but as a best practice upgrade the external Windows-based connector instances to enable the use of the newest functionality.

VMware Identity Manager 19.03.0.0 Windows connector does not support VMware ThinApp® packages. If your deployment provides access to ThinApp packages that you want to maintain, do not upgrade to VMware Identity Manager 19.03.0.0 Windows connector.

A migration package is available to you for migrating embedded-connector or external Linux-based-connector information to the external Windows-based connector.

When you run the migration package on the embedded-connector or external Linux-based-connector, all authentication methods, except for the Password authentication method, are disabled. The disablement allows configuration settings, such as the IP address of the connector, to be updated. After you install the corresponding Windows-based connector instances, you must re-enable the disabled authentication methods with the correct configuration settings.

  • Verify that at least 4 GB of disk space is available on the primary root partition of the virtual appliance.
  • Take a snapshot of your virtual appliance to back it up. For information about how to take snapshots, see the vSphere documentation.
  • If you revoked the db_owner role on the Microsoft SQL database, as described in https://docs.vmware.com/en/VMware-Identity-Manager/3.3/vidm-install/GUID-5B533EE2-8F6C-4716-A94A-8B7AA3F5BC75.html, you must add it back before performing the upgrade. Otherwise, the upgrade fails.

    Add the db_owner role to the same user that was used during installation:

    1. Log in to the Microsoft SQL Server Management Studio as a user with sysadmin privileges.
    2. Connect to the database instance for VMware Identity Manager.
    3. Enter the following commands.

      If you are using Windows Authentication mode, use the following commands:

      USE <saasdb>;
      ALTER ROLE db_owner ADD MEMBER [<domain\username>];
      GO

      Make sure that you replace <saasdb> with your database name and <domain\username> with the relevant domain and username.

      If you are using SQL Server Authentication mode, use the following commands:

      USE <saasdb>;
      ALTER ROLE db_owner ADD MEMBER <loginusername>;
      GO

      Make sure that you replace <saasdb> with your database name and <loginusername> with the relevant username.

  • Take a snapshot or backup of the external database.
  • Verify that VMware Identity Manager is properly configured.
  • Confirm that a VMware Identity Manager upgrade exists. Check the My VMware site at my.vmware.com for upgrades.
  • If you are upgrading using the updateoffline.hzn script and your deployment includes a proxy server, disable the proxy server.
    Disable the proxy server from the command line.
    1. Run the following command.
      yast2

      The YaST2 Control Center dialog box opens.

    2. Select Network services.
    3. Select Proxy.

      The Proxy Configuration dialog box opens.

    4. If selected, deselect Enable proxy.
    5. Quit the YaST2 utility.

    After a successful upgrade, enable the proxy server again.

  • If the VMware Identity Manager deployment you are upgrading uses both the embedded connector and certificate-based authentication, take note of the settings for the CertificateAuthAdapter component configured in the embedded connector.
    Note: Because the embedded connector is no longer available, the CertificateAuthAdapter component configured in the embedded connector is also no longer available. The certificate (Cloud Deployment) authentication method replaces the CertificateAuthAdapter component. The migration process handles the conversion from the CertificateAuthAdapter component to the certificate (Cloud Deployment) authentication method.

    Now, before the migration, take note of the settings in the CertificateAuthAdapter component, so after the migration you can verify that the pre-migration settings match the post-migration settings.

    1. Log in to the VMware Identity Manager admin console and select Identity & Access Management > Setup.
    2. On the Connectors page, select the Worker link for the embedded-connector instance being replaced.
    3. Click Auth Adapters and then click CertificateAuthAdapter.
    4. Take note of the settings on the Certificate Service Auth Adapter page.
  • Prepare the connector migration file.

    To upgrade from a VMware Identity Manager version earlier than 19.03.0.0 to version 19.03.0.0 or later, download the migration package (cluster-support.tgz) from My VMware or My Workspace ONE to your existing VMware Identity Manager appliance under the /root directory.

    The migration package must be present under the /root directory whether your current deployment uses the embedded connector or not. During the upgrade, a script in the migration package creates a cluster-hostname-conn-timestamp.enc file to which the script saves the embedded-connector configuration information.

    If your current deployment uses the embedded connector, you can use the cluster...enc file when deploying the new external Windows-based connector by selecting the Are you migrating your Connector check box. The collected embedded-connector information, including directory and authentication methods, is migrated to the newly deployed external Windows-based connector. See the corresponding version of the Installing and Configuring VMware Identity Manager Connector (Windows) guide.

    If your current deployment uses one or more instances of the external Linux-based connector, which is now deprecated, the best practice is to update your deployment to use the external Windows-based connector. New versions of the external Linux-based connector are not available, and existing versions do not have the updated functionality that the new external Windows-based connector has. To switch external Linux-based connector instances to the external Windows-based connector, download the migration package to each of the corresponding Linux hosts, and run the generateClusterFile.sh migration script. The script saves the configuration information from a specific external Linux-based connector instance to the cluster...enc configuration package file. See Saving External Linux-Based Connector-Configuration Information. To migrate the collected external Linux-based connector information to the external Windows-based connector, copy each cluster...enc file to a separate Windows host, and install a new Windows-based connector instance using the cluster...enc configuration package file. See the corresponding version of the Installing and Configuring VMware Identity Manager Connector (Windows) guide.

    If your current deployment uses one or more instances of the external Windows-based connector, you can use the existing external Windows-based connector instances, but earlier external Windows-based connector instances are not up-to-date. To ensure full functionality of the external Windows-based connector, upgrade the connector instances. Upgrading external Windows-based connector instances does not require the use of the migration package. See the upgrade section of the corresponding Installing and Configuring VMware Identity Manager Connector (Windows) guide.

  • If VMware Identity Manager is deployed in a load-balancing environment, verify that the environment is properly configured.
    If you use an F5 load balancing server, when you upgrade to VMware Identity Manager 19.03.0.0, reconfigure the load balancer, if required. The requirement to reconfigure your F5 load balancing server depends on the version of VMware Identity Manager that you are upgrading from. To upgrade your F5 load balancing server, see Verifying F5 Load Balancer Configuration Before Upgrade.
    | VMware Identity Manager Version | Required Action |
    |---|---|
    | Earlier than 3.3 | Reconfigure the F5 load balancing server according to the referenced instructions. |
    | 3.3 and later | None. If you have an F5 load balancing server functioning with VMware Identity Manager 3.3 or later, the load balancing server is already appropriately configured. |
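
The appliance-side prerequisites above (4 GB free on the root partition, the cluster-support.tgz migration package under /root, proxy disabled) can be checked with a short pre-flight script. This is an added example, not part of the VMware documentation; the function names are hypothetical, and it assumes the YaST proxy setting is stored as PROXY_ENABLED in /etc/sysconfig/proxy, as on SUSE Linux.

```shell
#!/bin/sh
# Pre-flight checks for the offline upgrade (added example; function names are hypothetical).

REQUIRED_KB=$((4 * 1024 * 1024))   # 4 GB expressed in 1 KB blocks

# Print the available space, in KB, on the filesystem that holds path $1.
free_kb() {
    df -Pk "$1" 2>/dev/null | awk 'NR == 2 { print $4 }'
}

# Succeed when path $1 has at least $2 KB available (default: 4 GB).
has_free_space() {
    avail=$(free_kb "$1")
    [ -n "$avail" ] && [ "$avail" -ge "${2:-$REQUIRED_KB}" ]
}

# Succeed when the migration package $1 exists and lists as a gzip tar archive.
package_ready() {
    [ -f "$1" ] && tar -tzf "$1" >/dev/null 2>&1
}

# Succeed when the proxy configuration file $1 does not enable a proxy.
# Assumption: YaST writes PROXY_ENABLED="yes" or "no" to /etc/sysconfig/proxy.
proxy_disabled() {
    [ -f "$1" ] || return 0        # no configuration file, so no proxy is set
    ! grep -Eq '^[[:space:]]*PROXY_ENABLED="?yes"?' "$1"
}

# Run one check and print OK or FAIL with its description.
check() {
    desc=$1; shift
    if "$@"; then echo "OK    $desc"; else echo "FAIL  $desc"; return 1; fi
}

# Run all checks; arguments override the default paths. Returns non-zero on any failure.
preflight() {
    rc=0
    check "at least 4 GB free on ${1:-/}" has_free_space "${1:-/}" || rc=1
    check "migration package ${2:-/root/cluster-support.tgz} present" \
        package_ready "${2:-/root/cluster-support.tgz}" || rc=1
    check "proxy disabled" proxy_disabled "${3:-/etc/sysconfig/proxy}" || rc=1
    return $rc
}

# Run the checks only when invoked with "run", so the file can also be sourced.
if [ "${1:-}" = "run" ]; then preflight; exit $?; fi
```

Run it as root on the appliance with the single argument `run`; a non-zero exit status means at least one prerequisite is not met.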