Applying security updates

Apply security updates that are delivered with new releases of IBM Spectrum Protect.

Before you begin

Review the following information:

  • For details about security updates delivered with a release, see the What's new topic in IBM® Knowledge Center.
  • For information about the updates and any restrictions that can apply, see What you should know about security before you install or upgrade the server.
  • To determine the order in which you upgrade the servers and clients in your environment, answer the following questions:
    Table 1. Questions for consideration before upgrading
    Question: What is the role of the server in the configuration?

    Consideration: In general, you can upgrade the IBM Spectrum Protect servers in your environment first and then upgrade backup-archive clients. However, in certain circumstances, for example, if you use command routing functions, the server can act as the client in your configuration. In that instance, to prevent communication issues, the suggested approach is to upgrade clients first. For information about different scenarios, see Upgrade scenarios.

    Question: What systems are used for administrator authentication?

    Consideration: For administrator accounts, the sequence in which you upgrade is important to prevent authentication issues.

    • Clients on multiple systems that log on by using the same ID (either node or administrative ID) must be upgraded at the same time. Server certificates are transferred to clients automatically upon first connection.
    • Before you upgrade your server, consider all endpoints to which the administrator connects for administration purposes. If a single administrative ID is used to access multiple systems, ensure that the server's certificate is installed on each system.
    • After an administrator ID authenticates successfully with the server by using IBM Spectrum Protect V8.1.2 or later software or Tivoli Storage Manager V7.1.8 or later software, the administrator can no longer authenticate with that server by using client or server versions earlier than V8.1.2 or V7.1.8. This is also true for a destination server when you authenticate with that destination IBM Spectrum Protect server as an administrator from another server. For example, this is true when you use the following functions:
      • Command routing
      • Server-to-server export
      • Connecting from an administrative client in the Operations Center

    Question: In what sequence should I upgrade my systems?

    Consideration:
    • If you upgrade servers before you upgrade client nodes:
      • Upgrade the hub server first and then any spoke servers.
      • When you upgrade a server to V8.1.2 or later, nodes and administrators that use earlier versions of the software can continue to communicate with the new server by using the existing communication protocol. The SESSIONSECURITY parameter is set to TRANSITIONAL, and if the server, node, or administrator has never met the requirements for the STRICT value, the server, node, or administrator continues to authenticate by using the TRANSITIONAL value. However, as soon as the server, node, or administrator meets the requirements for the STRICT value, the SESSIONSECURITY parameter value automatically updates from TRANSITIONAL to STRICT.
    • If you upgrade client nodes before you upgrade servers:
      • Upgrade administrative clients first, and then upgrade non-administrative clients. Clients at later release levels continue to communicate with servers at earlier levels.
        Important: If you upgrade any one of the administrative clients in your environment, all other clients that use the same ID as the upgraded client must be upgraded at the same time.
      • It is not necessary to upgrade all of your non-administrative clients at the same time, unless multiple clients are using the same ID to log on. Then, all other clients that use the same ID as the upgraded client must be upgraded at the same time and the server's certificate must be installed on each system.

About this task

If your environment includes IBM Spectrum Protect backup-archive clients or IBM Spectrum Protect servers that are earlier than V7.1.8 or V8.1.2, you might have to customize your configuration to ensure that communication between servers and clients is not interrupted. Follow the default procedure in this topic for installing or upgrading your environment.

Review Upgrade scenarios for other example scenarios that might apply to your environment.

Tip: To take advantage of the latest security enhancements, plan to update all IBM Spectrum Protect servers and backup-archive clients in your environment to the latest release level.

Procedure

  1. Install or upgrade IBM Spectrum Protect servers in your environment. For more information, see Installing and upgrading the server.
    1. Upgrade the Operations Center and the hub server. For more information, see Installing and upgrading the Operations Center.
    2. Upgrade spoke servers.
    3. Configure or verify server-to-server communications. For more information, see the following topics:
      Tip:
      • Beginning in IBM Spectrum Protect V8.1.2 and Tivoli® Storage Manager V7.1.8, the SSL parameter uses SSL to encrypt communication with the specified server even if the SSL parameter is set to NO.
      • Beginning with V8.1.4, certificates are automatically configured between storage agents, library clients, and library manager servers. Certificates are exchanged the first time a server-to-server connection is established to a server with enhanced security.
  2. Install or upgrade administrative clients. For more information, see Installing and configuring clients.
  3. Enable secure communications between all systems that administrators use to log in for administration purposes.
    • Ensure that the IBM Spectrum Protect software that the administrator account uses to log on is upgraded to V8.1.2 or later.
    • If an administrative ID logs on from multiple systems, ensure that the server's certificate is installed on each system.
  4. Install or upgrade non-administrative clients. For more information, see Installing and configuring clients.
    Remember: You can upgrade your non-administrative clients in phases. You can continue to connect to servers at later release levels from clients at earlier release levels by issuing the UPDATE NODE command and setting the SESSIONSECURITY parameter to TRANSITIONAL for each node.
    update node nodename sessionsecurity=transitional
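
A planning check for the procedure above, as an added example that is not IBM code: it classifies systems against the V7.1.8 and V8.1.2 thresholds, reports IDs that are shared between upgraded and earlier systems, and lists the remaining upgrades in the default order. The inventory format, the role names, and the sample systems are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample inventory; "ids" are the node or administrative IDs that log on from a system.
SAMPLE = [
    {"name": "hub1", "role": "hub", "version": "8.1.9", "ids": ["admin"]},
    {"name": "spoke1", "role": "spoke", "version": "8.1.1", "ids": ["admin"]},
    {"name": "ops-laptop", "role": "admin-client", "version": "8.1.0", "ids": ["admin"]},
    {"name": "ws-a", "role": "client", "version": "7.1.8", "ids": ["NODE_A"]},
    {"name": "ws-b", "role": "client", "version": "7.1.6", "ids": ["NODE_A"]},
    {"name": "ws-c", "role": "client", "version": "7.1.4", "ids": ["NODE_C"]},
]
ORDER = ["hub", "spoke", "admin-client", "client"]  # default procedure order (assumed role names)

def enhanced(version):
    """True for V7.1.8 or later in the 7.x stream, or V8.1.2 or later.
    A plain '>= 7.1.8' test would wrongly accept V8.1.0 and V8.1.1."""
    v = tuple(int(p) for p in version.lstrip("Vv").split("."))
    return v >= (7, 1, 8) if v[0] == 7 else v >= (8, 1, 2)

def shared_id_conflicts(systems):
    """IDs used from both enhanced and earlier software, mapped to the earlier
    systems, which must be upgraded at the same time to keep authenticating."""
    by_id = defaultdict(list)
    for s in systems:
        for login_id in s["ids"]:
            by_id[login_id].append(s)
    return {
        login_id: sorted(s["name"] for s in group if not enhanced(s["version"]))
        for login_id, group in by_id.items()
        if {enhanced(s["version"]) for s in group} == {True, False}
    }

def upgrade_order(systems):
    """Systems still on earlier software, in default-procedure order."""
    pending = [s for s in systems if not enhanced(s["version"])]
    pending.sort(key=lambda s: (ORDER.index(s["role"]), s["name"]))
    return [s["name"] for s in pending]

def transitional_commands(systems):
    """UPDATE NODE commands for node IDs that only earlier clients use."""
    blocked = set(shared_id_conflicts(systems))
    ids = {i for s in systems for i in s["ids"]
           if s["role"] == "client" and not enhanced(s["version"])}
    return [f"update node {i} sessionsecurity=transitional" for i in sorted(ids - blocked)]

if __name__ == "__main__":
    print(shared_id_conflicts(SAMPLE))
    print(upgrade_order(SAMPLE))
    print(transitional_commands(SAMPLE))
```

IDs reported by shared_id_conflicts are left out of the phased UPDATE NODE list because every system that uses them has to be upgraded together.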

What to do next

Other upgrade scenarios might apply to your environment. Review example upgrade scenarios in the following table.
Table 2. Upgrade scenarios
Each scenario is followed by its considerations and the suggested upgrade approach.

Scenario: I use administrative command routing functions to route commands to one or more servers. I want to connect to an IBM Spectrum Protect server that is earlier than V8.1.2.
  • With command routing, the server can act as the administrative client.
  • Command routing uses the ID and the password of the administrator who is issuing the command.
  • If you use a single administrative ID to access multiple systems, ensure that the server's certificate is installed on each system.
  • Upgrade the administrative client first.
    Important: Clients on multiple systems that log on by using the same node or administrative ID must be upgraded at the same time.
  • On each server to which commands are being routed, verify that the following information is configured:
    • The same administrator ID and password
    • The required administrative authority on each server
    • The required certificates are installed
  • Upgrade the servers that the administrator account uses to log on to V8.1.2 or later.

Scenario: My administrative client is at the latest release version, and I use the same administrator ID to authenticate to different systems by using the dsmadmc command. I have authenticated successfully to an IBM Spectrum Protect server in my environment that is running at the latest version. I now want to authenticate to a server at a version earlier than V8.1.2.
  • After an administrator authenticates to an IBM Spectrum Protect server V8.1.2 or later by using a version of the client at V8.1.2 or later, the administrative ID can only authenticate with that server on clients or servers that are using V8.1.2 or later.
  • If you use a single administrative ID to access multiple systems, plan to upgrade all of those systems with V8.1.2 or later software to ensure that the server's certificate is installed on all systems to which the administrator logs on.
  • Ensure that all IBM Spectrum Protect software that the administrators use to log on is upgraded to V8.1.2 or later. The preferred action is to upgrade all the servers in your environment to the latest version.
  • If necessary, create a separate administrator account to use only with clients and servers that are using V8.1.1 or earlier software.

Scenario: The IBM Spectrum Protect server is already upgraded to the latest release level. I have an administrative client at release level V8.1.0 and I want to connect to the server from the Operations Center.
  • If you upgrade any one of the administrative clients in your environment, all other clients that use the same ID as the upgraded client must be upgraded at the same time.
  • To use an administrator ID in a multiple-server configuration, the ID must be registered on the hub and spoke servers with the same password, authority level, and required certificates.
  • On each server, verify that the following information is set up:
    • The same administrator ID and password
    • The required administrative authority on each server
    • The required certificates
  • Upgrade non-administrative clients in a phased manner.

Scenario: I use node replication to protect my data.
  • The replication heartbeat initiates a certificate exchange when the first server-to-server connection is established after you upgrade the server.
  • Upgrade your servers before you upgrade your clients; follow the default procedure.

Scenario: I want to upgrade my backup-archive clients before I upgrade my servers.
  • After you upgrade a server to V8.1.2 or later, nodes and administrators that are using earlier versions of the software will continue to communicate with the server by using the TRANSITIONAL value until the entity meets the requirements for the STRICT value.
  • Communication between servers and clients will not be interrupted.
  • If you upgrade your clients before you upgrade your servers, upgrade administrative clients first, and then upgrade non-administrative clients. Clients at later release levels continue to communicate with servers at earlier levels.