If you use VMware vRealize® products or VMware NSX-T™ with VMware Identity Manager™ 3.3.2, 3.3.3, or 3.3.4, you can upgrade VMware Identity Manager to version 3.3.5.

For more information about the VMware Identity Manager 3.3.5 release, see the VMware Identity Manager 3.3.5 Release Notes.

Note:
  • If you applied security patch HW-137959, make sure you follow the instructions in Security Patch Process to Follow During Upgrade before and after you perform the upgrade.
  • You can also freshly install VMware Identity Manager 3.3.5.
    • For general info about performing a fresh 3.3.5 installation, see the 3.3 version of Installing and Configuring VMware Identity Manager for Linux guide, which also applies to 3.3.5.
    • In 3.3.5, you can install VMware Identity Manager in FIPS (Federal Information Processing Standard) mode. VMware Identity Manager does not support upgrading from a non-FIPS installation to a FIPS installation. To install VMware Identity Manager 3.3.5 in FIPS mode, also see Perform a Fresh Installation of VMware Identity Manager 3.3.5 in FIPS Mode
  • If you are a VMware vRealize® Automation™ customer, follow Enable Tenant-In-Host Name Multi-Tenancy with vRealize Automation 8.4.
  • For VMware Identity Manager 3.3.5 with Active Directory over Integrated Windows Authentication (IWA) or the Kerberos authentication adapter, the type of VMware Identity Manager connector you can use depends on the version of VMware Identity Manager you upgrade from.
    Important:
    • If you are upgrading from VMware Identity Manager 3.3.2 or 3.3.4 directly to 3.3.5, you can use the embedded connector or external Windows connectors.
    • If you are upgrading from VMware Identity Manager 3.3.3 directly to 3.3.5, continue to use external Windows connectors.

      In such cases, your 3.3.3 deployment uses solely external Windows connectors because migrating your IWA directory from an embedded connector or external Linux connector to an external Windows connector was a VMware Identity Manager 3.3.3 requirement.

    • Regardless of the version of VMware Identity Manager you are upgrading from, migrating IWA directories from an external Windows connector to an embedded connector is not supported.

VMware Identity Manager Upgrade Paths

The following upgrade path is supported:

  • From version 3.3.2, 3.3.3, or 3.3.4 directly to version 3.3.5.

VMware Identity Manager Connector Upgrade Paths

The following upgrade paths are supported:

  • A VMware Identity Manager Connector for Windows upgrade from 3.3.2, 3.3.3, or 3.3.4 to 3.3.5 for connector instances installed using the VMware Identity Manager Connector installer.
    Important: Migrating your IWA directory from an external Windows connector to an embedded connector is not supported.

The following upgrade paths are not supported:

  • A VMware Identity Manager Connector for Windows upgrade for connector instances installed by VMware vRealize® Suite Lifecycle Manager™.
  • A VMware Identity Manager Connector for Linux upgrade.

    The external VMware Identity Manager Linux-based connector is deprecated. New versions of the Linux connector are no longer available. You can continue to use previous versions of the Linux-based connector, but such versions do not have the newest functionality.

VMware Products That Can Upgrade to VMware Identity Manager 3.3.5

  • vRealize Products such as VMware vRealize Automation™, VMware vRealize Suite Lifecycle Manager, VMware vRealize® Operations™, VMware vRealize® Business™ for Cloud , VMware vRealize® Log Insight, and VMware vRealize® Network Insight™ for authentication and SSO.
    • vRealize products that are deployed and managed through vRealize Suite Lifecycle Manager only can consume VMware Identity Manager 3.3.1, 3.3.2, 3.3.3, 3.3.4 or 3.3.5.
    • vRealize Suite Lifecycle Manager can now handle a brand-new installation of VMware Identity Manager 3.3.1, 3.3.2, 3.3.3, 3.3.4, or 3.3.5 or an upgrade to 3.3.5 from VMware Identity Manager 3.3.2, 3.3.3, or 3.3.4.
    Caution: The following known limitations exist when you deploy VMware Identity Manager with vRealize Suite Lifecycle Manager.
    • Changing the VMware Identity Manager hostname causes several issues. Therefore, after you deploy VMware Identity Manager with vRealize Suite Lifecycle Manager, do not change the VMware Identity Manager hostname.
    • The steps to remove a node from a VMware Identity Manager cluster are not supported when you deploy VMware Identity Manager with vRealize Suite Lifecycle Manager.
  • NSX-T for Authentication and SSO
    • NSX-T can be deployed with VMware Identity Manager 3.3.1, 3.3.2, 3.3.3, 3.3.4 or 3.3.5, or upgraded to 3.3.5 from an earlier version.

Internet Connectivity

You can upgrade VMware Identity Manager online or offline.

By default, the VMware Identity Manager appliance uses the VMware website for the upgrade procedure. This approach requires the appliance to have Internet connectivity. You must also configure proxy server settings for the appliance, if applicable.

If your virtual appliance does not have Internet connectivity, you can perform the upgrade offline. For an offline upgrade, you download the upgrade package from My VMware. You use the updateoffline.hzn script to perform the upgrade.

If you are upgrading to VMware Identity Manager 3.3.5 using vRealize Suite Lifecycle Manager, only the offline upgrade is supported.

Upgrade Scenarios

Hardware Sizing Requirements

The hardware-sizing requirements in the following table are specific to VMware Identity Manager 3.3.5. See the 3.3 version of the Installing and Configuring VMware Identity Manager for Linux guide for a broader list of hardware-sizing requirements, which also apply to 3.3.5.

Important:

For best results, implement the following sync-related practices.

  • Because the initial directory sync is an intensive, resource consuming operation, perform the initial directory sync on one tenant at a time.
  • Stagger directory syncs across tenants to avoid the resource consumption of running directory syncs on two or more tenants at the same time.

You can use the internal PostgreSQL database or an external Microsoft SQL database. Both options can provide high availability.

To achieve high availability with the internal PostgreSQL database, you must leverage vRealize Suite Lifecycle Manager. See the table that follows and see the vRealize Suite Lifecycle Manager 8.4 Installation, Upgrade, and Management guide.

For an external Microsoft SQL database configuration, see the 3.3 version of the Installing and Configuring VMware Identity Manager for Linux guide.

Note:
  • For new deployments, the default VMware Identity Manager sizing requirements are as follows:
    • 4vCPU
    • 8 GB Memory
    • 100 GB disk space
  • If you are using VMware Identity Manager 3.3.4 with vRealize Automation 8.3, the following minimum sizing requirements apply:
    • 8vCPU
    • 16 GB Memory
    • 100 GB disk space
Important:

To upgrade to 3.3.5, confirm that the VMware Identity Manager sizing matches the guidelines in the following bullets and table.

  • If you used default sizing for VMware Identity Manager 3.3.2, before or after you upgrade to 3.3.5, adjust the sizing based on the 3.3.3 and 3.3.4 default sizing in the preceding note.
  • If you used default sizing for VMware Identity Manager 3.3.2 with vRealize Automation, before or after you upgrade to 3.3.5, adjust the sizing based on 3.3.3 and 3.3.4 default vRealize Automation sizing in the preceding note.
  • If you used default sizing for VMware Identity Manager 3.3.3, you do not need to adjust the sizing for 3.3.5. The default sizing for 3.3.3, 3.3.4, and 3.3.5 is the same as indicated in the preceding note.
Directory Sync of Users and Groups per Tenant* VMware Identity Manager Appliance with Internal PostgreSQL Database and Embedded Connector, per Node Requirements External Windows-Based Connector, per Connector-Instance Requirements
Maximum:
  • 3,000 users
  • 30 groups
A single node or a three-node cluster:
  • 4 vCPU
  • 8 GB memory
  • 100 GB disk space
Note: Select the Extra Small sizing option when you deploy the OVA.
  • 2 vCPU
  • 6 GB memory
  • 30 GB disk space
Maximum:
  • 5,000 users
  • 50 groups
A single node or a three-node cluster:
  • 6 vCPU
  • 10 GB memory
  • 100 GB disk space
Note: Select the Small sizing option when you deploy the OVA.
  • 2 vCPU
  • 6 GB memory
  • 30 GB disk space
Maximum:
  • 10,000 Users
  • 100 groups
Three-node cluster:
  • 8 vCPU
  • 16 GB memory
  • 100 GB disk space
Note: Select the Medium sizing option when you deploy the OVA.
  • 4 vCPU
  • 6 GB memory
  • 50 GB disk space
Maximum:
  • 25,000 users
  • 250 groups
Three-node cluster:
  • 10 vCPU
  • 16 GB memory
  • 100 GB disk space
Note: Select the Large sizing option when you deploy the OVA.
  • 4 vCPU
  • 8 GB memory
  • 50 GB disk space
Maximum:
  • 50,000 users
  • 500 groups
Three-node cluster:
  • 12 vCPU
  • 32 GB memory
  • 100 GB disk space
Note: Select the Extra Large sizing option when you deploy the OVA.
  • 4 vCPU
  • 16 GB memory
  • 60 GB disk space
Maximum:
  • 100,000 users
  • 1,000 groups
Three-node cluster:
  • 14 vCPU
  • 48 GB RAM
  • 100 GB disk space
Note: Select the Extra Extra Large sizing option when you deploy the OVA.
  • 4 vCPU
  • 16 GB memory
  • 60 GB disk space

*If either the number of users or the number of groups for a tenant exceeds the Maximum, see the next row.