Share all details about your problem, including any error messages you may have received.
Hi everyone,
We are currently running SailPoint IdentityIQ 8.3p4 on Apache Tomcat 9.0.88, and I’m planning to upgrade Tomcat to version 9.0.104 as part of our environment optimization and patch alignment. Before proceeding, I’d like to get input from the community regarding:
Compatibility – Has anyone tested or is currently running IIQ 8.3p4 (or 8.3p5) on Tomcat 9.0.104?
Upgrade Best Practices – Are there recommended steps specific to IIQ when upgrading Tomcat? Any IIQ-specific tips would be appreciated.
JVM Settings & Performance Tweaks – Any tuning recommendations for Tomcat or JVM options that have worked well with IIQ in production?
Patch Impact – We are also considering applying the newly released IIQ 8.3p5 patch. Would you recommend upgrading the patch first, or upgrading Tomcat first?
I’ve already reviewed the installation guide for the patch, and the process appears straightforward. I’m planning to start with the development environment and test everything thoroughly before moving to higher environments.
Would love to hear your thoughts, lessons learned, or validation steps you’d recommend!
I do things a little differently but in general, if it’s a pretty standard install, you save off everything that you changed after your initial install and then re-apply those things after. The compatibility matrix doesn’t distinguish between minor versions. I just upgraded one client who likes using the MSI file and another who I set up using the 64 bit zip file.
Some things to consider:
Upgrade your Java first, if you are concerned enough to upgrade Tomcat then upgrade Java too. But be careful. I use the Eclipse Tellurium JDKs, I prefer the JDK17 but some clients have code that can’t be run on JDK17 and so you have to use JDK11. If you use JDK17 you will have to upgrade your SSB to the v7.0.2 (or you can use v7.0.3 when I finally get it approved).
Most of the time the following assets need to be backed up for re-apply:
conf/server.xml
webapps/identityiq
java’s lib/security/cacerts
Your tomcat certs
Your iiq.cfg and iiq.dat files
If you use the MSI then you will have to do an uninstall and that wipes out the entire folder, so it’s imperative that you have a good backup of at least the above assets.
After your install you will need to run the tomcat9w.exe and change the java version on the Java tab.
Upgrade java first, then tomcat, then IIQ is best practice. If you have time, check functionality in between each step.
As far as JVM settings, if you use the MSI it will wipe out your JVM memory settings. In general, I recommend that you build your servers with 12GB of RAM and then use 8GB for the heap so your Java memory settings are 4096/8192/512. You set these with the tomcat9w.exe file. If you are stuck with 8GB RAM then you can get away with 2048/4096/512. Always leave “headroom” meaning don’t chew up all the RAM for your Java heap. There’s always something else running on the system, whether it’s Windows or Linux. I have never seen a client need more than 8GB of RAM for the IIQ Heap. If you are getting heap size errors with 8GB of Heap, you have some really bad code running in your system.
Thank you so much for the detailed and very helpful response!
Just to confirm, we are currently running Java 11.0.6+8-LTS, and we’re planning to upgrade Tomcat to 9.0.104.
Based on your input and my review, both the Java and Tomcat versions are compatible with IIQ 8.3p4/8.3p5, so I should be good to proceed with upgrading Tomcat first, followed by the SailPoint patch upgrade.
I’ll make sure to back up all the critical files you mentioned and test functionality thoroughly after each step.
If you happen to have a simple step-by-step checklist or process you follow during a Tomcat upgrade for IIQ, I’d love to take a look — it would be really helpful as a reference.
Thanks again for your guidance — I really appreciate it!