Applying security updates
Apply security updates that are delivered with new releases of IBM Spectrum Protect.
Before you begin
Review the following information:
- For details about security updates delivered with a release, see the What's new topic in IBM® Knowledge Center.
- For information about the updates and any restrictions that can apply, see What you should know about security before you install or upgrade the server.
- To determine the order in which you upgrade the servers and clients in your environment, answer
the following questions:
Table 1. Questions for consideration before upgrading Question Consideration What is the role of the server in the configuration? In general, you can upgrade the IBM Spectrum Protect servers in your environment first and then upgrade backup-archive clients. However, in certain circumstances, for example, if you use command routing functions, the server can act as the client in your configuration. In that instance, to prevent communication issues, the suggested approach is to upgrade clients first. For information about different scenarios, see Upgrade scenarios.
What systems are used for administrator authentication? For administrator accounts, the sequence in which you upgrade is important to prevent authentication issues.
- Clients on multiple systems that log on by using the same ID (either node or administrative ID) must be upgraded at the same time. Server certificates are transferred to clients automatically upon first connection.
- Before you upgrade your server, consider all endpoints that the administrator uses to connect to for administration purposes. If a single administrative ID is used to access multiple systems, ensure that the server's certificate is installed on each system.
- After an administrator ID authenticates successfully with the server by using IBM
Spectrum Protect V8.1.2 or later software or Tivoli Storage
Manager V7.1.8 or later software, the administrator can no longer authenticate with that server by
using client or server versions earlier than V8.1.2 or V7.1.8. This is also true for a destination
server when you authenticate with that destination IBM
Spectrum Protect server as an administrator from another server.
For example, this is true when you use the following functions:
- Command routing
- Server-to-server export
- Connecting from an administrative client in the Operations Center
In what sequence should I upgrade my systems? - If you upgrade servers before you upgrade client nodes:
- Upgrade the hub server first and then any spoke servers.
- When you upgrade a server to V8.1.2 or later, nodes and administrators that use earlier versions of the software can continue to communicate with the new server by using the existing communication protocol. The SESSIONSECURITY is set to TRANSITIONAL and if the server, node, or administrator has never met the requirements for the STRICT value, the server, node, or administrator continues to authenticate by using the TRANSITIONAL value. However, as soon as the server, node, or administrator meets the requirements for the STRICT value, the SESSIONSECURITY parameter value automatically updates from TRANSITIONAL to STRICT.
- If you upgrade client nodes before you upgrade servers:
- Upgrade administrative clients first, and then upgrade non-administrative clients. Clients at
later release levels continue to communicate with servers at earlier levels. Important: If you upgrade any one of the administrative clients in your environment, all other clients that use the same ID as the upgraded client must be upgraded at the same time.
- It is not necessary to upgrade all of your non-administrative clients at the same time, unless multiple clients are using the same ID to log on. Then, all other clients that use the same ID as the upgraded client must be upgraded at the same time and the server's certificate must be installed on each system.
- Upgrade administrative clients first, and then upgrade non-administrative clients. Clients at
later release levels continue to communicate with servers at earlier levels.
About this task
If your environment includes IBM Spectrum Protect backup-archive clients or IBM Spectrum Protect servers that are earlier than V7.1.8 or V8.1.2, you might have to customize your configuration to ensure that communication between servers and clients is not interrupted. Follow the default procedure in this topic for installing or upgrading your environment.
Review Upgrade scenarios for other example scenarios that might apply to your environment.
Procedure
What to do next
Scenario | Considerations | Suggested upgrade approach |
---|---|---|
I use administrative command routing functions to route commands to one or more servers. I want to connect to an IBM Spectrum Protect server that is earlier than V8.1.2. |
|
|
My administrative client is at the latest release version, and I use the same administrator ID to authenticate to different systems by using the dsmadmc command. I have authenticated successfully to an IBM Spectrum Protect server in my environment that is running at the latest version. I now want to authenticate to a server at a version earlier than V8.1.2. |
|
|
The IBM Spectrum Protect server is already upgraded to the latest release level. I have an administrative client at release level V8.1.0 and I want to connect to the server from the Operations Center. |
|
|
I use node replication to protect my data. |
|
|
I want to upgrade my backup-archive clients before I upgrade my servers. |
|
|