SSH

Upgrading Previously Installed Tectia Server Software

[Note]Note

Before starting the upgrade, make backups of all configuration files where you have made modifications.

When upgrading a maintenance release of Tectia Server on Windows, usually no rebooting of the computer is needed. Check the release notes to see if the current Server release can be upgraded without reboot. On Unix, upgrading does not require a reboot.

If you are running both Tectia Client and Tectia Server on the same machine, install the same release of each Tectia product, because there are dependencies between the common components.

Check if you have some Secure Shell software, for example earlier versions of Tectia products or OpenSSH server or client, running on the machine where you are planning to install the new Tectia versions.

Before installing Tectia Server on Unix platforms, stop any OpenSSH servers running on port 22, or change their listener port. You do not need to uninstall the OpenSSH software.

When upgrading on SUSE, also install the prerequisite packages:

# zypper install insserv-compat

The following table shows you which Tectia versions you need to uninstall before you can upgrade to Tectia Server 6.6. When upgrading versions marked upgrade on top, the earlier version is automatically removed during the upgrade procedure.

Table 2.2. Upgrade lines

Tectia versionAIXHP-UXLinuxSolarisWindows
4.xremoveremoveremoveremoveremove
5.x-6.0upgrade on topupgrade on topupgrade on topremoveremove
6.1-6.6upgrade on topupgrade on topupgrade on topremoveupgrade on top

The configuration file format and file locations have been changed in Tectia Server 5.0 and the Unix DTD directories in version 6.2. Because of this, the configuration files behave differently when upgrading from 4.x and from 5.x-6.1 compared to when upgrading from 6.2 and later versions.

When necessary, you can modify the configuration files by using the Tectia Connections Configuration GUI or by editing the XML configuration files manually with an ASCII text editor or an XML editor. Please see example files ssh-server-config-example.xml for Tectia Server and ssh-broker-config-example.xml for Tectia Client.

Configuration File Access Permissions on Windows

When upgrading a previously installed version of Tectia Server on Windows, the access permissions for existing configuration files will be checked during the upgrade installation.

The access permissions for the ssh-server-config.xml configuration file should be as follows:

  • The owner of the file is a member of the Administrators group.

  • Only Administrators and SYSTEM may have full control of the file.

  • Users are not allowed to modify the file.

  • Other accounts do not have access to the file.

If the access permissions are not safe, you will see the Configuration File Permissions dialog box during the upgrade installation. Do one of the following:

  • Reset the permissions for the configuration file to the default safe state and continue with the installation. (Recommended)

  • Ignore the incorrect permissions and continue with the installation without fixing the permissions. Note that if you decide to do this, the server might not be able to start. You can fix the permissions manually later.

  • Cancel the installation.

    [Note]Note

    Your previous installation of Tectia Server has already been removed, so if you cancel the installation, your machine will be left with no version of Tectia Server installed.

Unsafe configuration file permissions on Windows

Figure 2.1. Unsafe configuration file permissions on Windows


Silent Upgrade on Windows

When doing a silent upgrade on Windows (see also Silent Installation) using the /q command-line option for msiexec.exe, the access permissions of an existing Tectia Server configuration file are checked. (The correct configuration file access permissions are described in Configuration File Access Permissions on Windows.) If the access permissions are incorrect, the server will, by default, be uninstalled.

To override the default behavior, specify the desired value (1 or 2) for the SSHMSI_SSH_FILE_PERMISSIONS property of the MSI installation package. Possible values are:

  • Cancel or 0 (default) – abort the installation.

  • Reset or 1 (recommended) – reset the configuration file access permissions to the default state.

  • Ignore or 2 – continue the installation without modifying configuration file access permissions. Note that in this case the server and configuration utility may not be able to start until you fix the access permissions manually.

The following command can be used to upgrade Tectia Server silently in the default installation directory, resetting the configuration file access permissions to the default state:

msiexec /q /i ssh-tectia-server-<v>-windows-<p>.msi SSHMSI_SSH_FILE_PERMISSIONS=1

In the command, <v> is the current version of Tectia Server (for example, 6.6.3.123), and <p> is the platform architecture (x86_64 for 64-bit Windows versions).