SpanKey Upgrade Guide from version 1.x.x to 2.x.x

1. Introduction

This guide explains how to upgrade SpanKey Server and Client from version 1 to version 2.

Note

SpanKey Server v1 and v2 can work with both SpanKey Client v1 and v2 for NSS requests only. For SSH key management features, you must use matching Server and Client versions.

2. Upgrade SpanKey Server

In this document, we will upgrade the SpanKey Server from v1.0.3-6 to v2.0.1.

The latest version of SpanKey Server can be downloaded from the RCDevs Website or from the RCDevs Repository.

2.1 Upgrade through the Shell Script

Download the latest SpanKey Server package from the RCDevs Website and copy it to your WebADM server. Once copied, decompress the package.

-bash-4.2# gunzip spankey-2.0.1.sh.gz 
-bash-4.2# ll
total 3836
-rw-r--r-- 1 root root 3925556 16 oct.  12:34 spankey-2.0.1.sh

The package is now uncompressed and can be run with sh to perform the upgrade:

-bash-4.2# sh spankey-2.0.1.sh 
SpanKey v2.0.1 Self Installer
Copyright (c) 2010-2018 RCDevs SA, All rights reserved.
Please report software installation issues to bugs@rcdevs.com.

Verifying package update... Ok
An SpanKey installation is already present in '/opt/webadm/websrvs'.
Installed SpanKey version is 2.0.1.
Remove(R) or upgrade(U) or quit(Q)? U
Are you sure you want to upgrade the SpanKey installation in '/opt/webadm/websrvs' (y/n)? y
Extracting files, please wait... Ok
Removing temporary files... Ok
SpanKey has been successfully upgraded.
Restart WebADM services (y/n) y
Stopping WebADM HTTP server... Ok
Stopping WebADM Watchd server....... Ok
Stopping WebADM Session server... Ok
Checking libudev dependency... Ok
Checking system architecture... Ok
Checking server configurations... Ok

No Enterprise license found (using bundled Freeware license)
Please contact sales@rcdevs.com for commercial information

Starting WebADM Session server... Ok
Starting WebADM PKI server... Ok
Starting WebADM Watchd server... Ok
Starting WebADM HTTP server... Ok

Checking server connections. Please wait... 
Connected LDAP server: LDAP Server (127.0.0.1)
Connected SQL server: SQL Server (127.0.0.1)
Connected PKI server: PKI Server (127.0.0.1)
Connected Session server: Session Server (::1)

Checking LDAP proxy user access... Ok
Checking SQL database access... Ok
Checking PKI service access... Ok
Please read the RELEASE_NOTES and README files in /opt/webadm/websrvs/spankey.

2.2 Upgrade through the RCDevs Repository

To upgrade RCDevs packages through the RCDevs repository, the initial package installation must have been done through the repository. To set up the RCDevs repository and install packages from it, please follow the RCDevs Repository documentation.

To upgrade the SpanKey Server package through the RCDevs repository:

2.2.1 RHEL/CentOS

-bash-4.2# yum update spankey -y

Don’t forget to restart WebADM services once the packages are updated through the repository.

-bash-4.2# /opt/webadm/bin/webadm restart
Stopping WebADM HTTP server... Ok
Stopping WebADM Watchd server........... Ok
Stopping WebADM Session server... Ok
Checking libudev dependency... Ok
Checking system architecture... Ok
Checking server configurations... Ok

No Enterprise license found (using bundled Freeware license)
Please contact sales@rcdevs.com for commercial information

Starting WebADM Session server... Ok
Starting WebADM PKI server... Ok
Starting WebADM Watchd server... Ok
Starting WebADM HTTP server... Ok

Checking server connections. Please wait... 
Connected LDAP server: LDAP Server (127.0.0.1)
Connected SQL server: SQL Server (127.0.0.1)
Connected PKI server: PKI Server (127.0.0.1)
Connected Session server: Session Server (::1)

Checking LDAP proxy user access... Ok
Checking SQL database access... Ok
Checking PKI service access... Ok

2.2.2 Debian/Ubuntu

-bash-4.2# apt-get update && apt-get install --only-upgrade spankey

Don’t forget to restart WebADM services once the package is updated through the repository.

-bash-4.2# /opt/webadm/bin/webadm restart
Stopping WebADM HTTP server... Ok
Stopping WebADM Watchd server........... Ok
Stopping WebADM Session server... Ok
Checking libudev dependency... Ok
Checking system architecture... Ok
Checking server configurations... Ok

No Enterprise license found (using bundled Freeware license)
Please contact sales@rcdevs.com for commercial information

Starting WebADM Session server... Ok
Starting WebADM PKI server... Ok
Starting WebADM Watchd server... Ok
Starting WebADM HTTP server... Ok

Checking server connections. Please wait... 
Connected LDAP server: LDAP Server (127.0.0.1)
Connected SQL server: SQL Server (127.0.0.1)
Connected PKI server: PKI Server (127.0.0.1)
Connected Session server: Session Server (::1)

Checking LDAP proxy user access... Ok
Checking SQL database access... Ok
Checking PKI service access... Ok

2.3 Update the Configuration

Once you have updated the SpanKey Server package, you must check and update the configuration in WebADM. The specific changes to the settings depend on which SpanKey version was installed before the upgrade.

To update the configuration, open the WebADM Admin GUI, click on the Applications tab and, in the categories box, select Authentication. Check the Status of the SpanKey server. If the status is Not Configured, click the CONFIGURE button.

Review the settings on the following page, scroll down to the end of the SpanKey configuration page and click Apply. After that, the Status should be Enabled.

Your SpanKey server is now up to date and running.

3. Upgrade SpanKey Client

SpanKey Client v2 includes multiple major changes. To upgrade SpanKey Client from version 1.x.x to version 2.x.x, you must first uninstall version 1.x.x of SpanKey Client. This is required to prevent conflicts between the two versions.

3.1 Remove old SpanKey Client v1.x.x

3.1.1 RHEL/CentOS

-bash-4.2# yum remove spankey_client -y

3.1.2 Debian/Ubuntu

-bash-4.2# apt-get remove spankey-client 

Complete the uninstallation by following the package manager's prompts.

3.2 Install the SpanKey Client v2.x.x

3.2.1 RHEL/CentOS

-bash-4.2# yum install spankey_client -y

3.2.2 Debian/Ubuntu

-bash-4.2# apt-get install spankey-client 

Complete the installation by following the package manager's prompts.

4. SpanKey Client Configuration

Once SpanKey Client is installed, you have to run a setup script which configures it. Execute the setup script and provide the settings that match your setup.

-bash-4.2# /opt/spankey/bin/setup 
Enter one of your running WebADM server IP or hostname: 192.168.3.191
Detected hostname is 'rcvm7'. Would you like to use it as client id (y/n)? y
Do you want to enable SpanKey Client for OpenSSH server (y/n)? y
Do you want to enable SpanKey Client NSS plugin (y/n)? y
Do you want to register SpanKey Client logrotate script (y/n)? y
Do you want SpanKey Client to be automatically started at boot (y/n)? y

Primary OpenOTP service URL is: 'https://192.168.3.191:8443/spankey/'
Secondary OpenOTP service URL is: 'NONE'.
Use 'rcvm7' as client id: Yes
Enable SpanKey Client for OpenSSH server: Yes
Enable SpanKey Client NSS plugin: Yes
Register SpanKey Client logrotate script: Yes
SpanKey Client must be automatically started at boot: Yes

Do you confirm (y/n)?: y

Applying SpanKey Client setting from default configuration files... Ok
Retrieving WebADM CA certificate from host '192.168.3.191'... Ok
The setup needs now to request a signed 'SpanKey' client certificate.
This request should show up as pending in your WebADM interface and an administrator must accept it.
Waiting for approbation...

A certificate request will now be pending in WebADM. Log in to the WebADM web interface to approve the SSL certificate request.

Click on the red button at the end of the home page.

You should see the certificate request listed as pending. Click on the Accept button to generate the certificate and deliver it to the SpanKey Client.

After this, the SpanKey setup script should continue:

Waiting for approbation... Ok
Updating entry 'client_id' in file '/opt/spankey/conf/spankey.conf'... Ok
Updating file '/etc/ssh/sshd_config'... Ok
Updating file '/etc/nsswitch.conf'... Ok
Updating file '/etc/pam.d/password-auth'... Ok
Registering SpanKey Client service... Ok
Adding logrotate script... Ok

SpanKey Client has successfully been setup.

Do not forget to start SpanKey itself and restart the following daemons:
 - sshd
 - nscd

Restart the following services after the setup script is completed:

systemctl restart sshd
systemctl restart nscd
systemctl restart spankey
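
The setup output above reports rewriting /etc/ssh/sshd_config, /etc/nsswitch.conf and /etc/pam.d/password-auth, so it is worth snapshotting those files before the setup run and reviewing the differences before restarting sshd. The following is an added example, not part of the RCDevs documentation; the function names and the snapshot directory are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not RCDevs code). Function names and snapshot layout are
# assumptions; the file list is taken from the setup output on this page.
SPANKEY_TOUCHED="/etc/ssh/sshd_config /etc/nsswitch.conf /etc/pam.d/password-auth"

# snapshot_files DIR FILE... : copy each existing file under DIR, keeping its path.
snapshot_files() {
    snap_dir=$1; shift
    for f in "$@"; do
        [ -f "$f" ] || continue
        mkdir -p "$snap_dir$(dirname "$f")"
        cp -p "$f" "$snap_dir$f"
    done
}

# changed_files DIR FILE... : print every file that differs from its snapshot
# (including files created or removed since). Returns 1 if anything changed.
changed_files() {
    snap_dir=$1; shift
    rc=0
    for f in "$@"; do
        [ -f "$f" ] || [ -f "$snap_dir$f" ] || continue
        if ! cmp -s "$snap_dir$f" "$f" 2>/dev/null; then
            echo "$f"
            rc=1
        fi
    done
    return $rc
}

# show_changes DIR FILE... : unified diff of each snapshotted file, for review.
show_changes() {
    snap_dir=$1; shift
    for f in "$@"; do
        if [ -f "$snap_dir$f" ]; then
            diff -u "$snap_dir$f" "$f" || true
        fi
    done
}

# Typical use (as root), around the setup run:
#   snapshot_files /root/spankey-presetup $SPANKEY_TOUCHED
#   /opt/spankey/bin/setup
#   show_changes /root/spankey-presetup $SPANKEY_TOUCHED
#   sshd -t && systemctl restart sshd   # restart only if the new config parses
```

Keep an existing root session open until a new SSH login has succeeded, so that the snapshot can be restored if the modified configuration locks you out.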

The upgrade is now complete. You should be able to log in to the server where SpanKey Client is installed.

17:50 $ ssh -i Administrator.pem Administrator@192.168.3.191

Hello

Session recording is enabled.
Session lock idle time is 1 minute.
Session's max duration is 30 minutes.

bash-4.2$ whoami
Administrator
bash-4.2$