Server Upgrade

To validate the authenticity and integrity of the Debian and RPM software packages, see Validating Debian and RPM Packages.

Always test the upgrade process in the development or staging environment before applying it in production.
Always back up the CORE database before upgrading CORE servers.

Server Upgrade Quickstart

  1. Check and execute the Server Pre-upgrade steps.
  2. Upgrade:
  3. Check and execute the Server Post-Upgrade steps.
  4. Restart the EKM Service (see EKM Service Management).

     Note: As needed, the EKM service restart will migrate the CORE database to the enhanced schema specified by the new release. It is a one-time procedure that may result in a longer restart time.

  5. Test the upgraded system by running the ucl server test command.

     Note: If you run the command while the upgraded server is engaged in the EKM service restart, the server shall appear "unreachable". Wait and repeat the command. As needed, proceed to Server Upgrade Troubleshooting.

Server Pre-upgrade

Always back up the CORE database before upgrading CORE servers.

Before upgrading CORE server software, save custom changes you made in the listed files that are overwritten during the upgrade.

Server Post-Upgrade

The post-upgrade may require multiple steps if there is a significant gap between your previous release and the new one. The following table summarizes the required procedures. To use this table:

  1. Select your release in the Upgrading from Release ... column and follow the instructions specified in the Upgrade to Release ... column.
  2. Once this step is finished, continue the same procedure, starting from the release in Upgrade to Release ...

For example, to upgrade from 2.0.1904 to 2.0.2010, you will have to perform procedures specified in Post-upgrade to 2.0.1907, Post-upgrade to 2.0.2001, and Post-upgrade to 2.0.2007.

Upgrading from Release ...   Upgrade to Release ...     Requirement
2.0.1806 or earlier          Post-upgrade to 2.0.1807   As needed
2.0.1807 or earlier          Server Upgrade             Mandatory
2.0.1904 or earlier          Post-upgrade to 2.0.1907   Mandatory
2.0.1910 or earlier          Post-upgrade to 2.0.2001   As needed
2.0.2004 or earlier          Post-upgrade to 2.0.2007   Mandatory
2.0.2112 or earlier          Post-upgrade to 2.0.2007   Recommended

Post-upgrade to 2.0.1807

Post-upgrade to 2.0.1808

Post-upgrade to 2.0.1907

Post-upgrade to 2.0.2001

Post-upgrade to 2.0.2007

Post-upgrade to 2.0.2112

TLS 1.3 Support

Starting with CORE release 2.0.2112, you can upgrade TLS cipher suites to support the TLS 1.2 and TLS 1.3 protocols.

Prerequisites:

Procedure: Edit the server.xml file and modify the <Connector port="443"> SSL specification as follows:

SSLEnabled="true" scheme="https" secure="true" clientAuth="want" sslProtocol="TLS" sslEnabledProtocols="TLSv1.3,TLSv1.2" ciphers="HIGH+AESGCM"
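
An added example, not part of the original documentation or the product's own tooling: a Python check that parses a server.xml and reports where the port 443 Connector deviates from the attributes listed above. The function name audit_connector and both sample XML documents are constructed for illustration; the comparison is an exact string match against the values on this page.

```python
import xml.etree.ElementTree as ET

# Attribute values copied from the Connector specification on this page.
EXPECTED = {
    "SSLEnabled": "true", "scheme": "https", "secure": "true",
    "clientAuth": "want", "sslProtocol": "TLS", "ciphers": "HIGH+AESGCM",
}
ALLOWED_PROTOCOLS = {"TLSv1.3", "TLSv1.2"}

# Constructed sample inputs (not taken from a real deployment).
GOOD = """<Server><Service name="Catalina">
  <Connector port="443" SSLEnabled="true" scheme="https" secure="true"
             clientAuth="want" sslProtocol="TLS"
             sslEnabledProtocols="TLSv1.3,TLSv1.2" ciphers="HIGH+AESGCM"/>
</Service></Server>"""
LEGACY = GOOD.replace("TLSv1.3,TLSv1.2", "TLSv1.2,TLSv1.1,TLSv1").replace(
    'ciphers="HIGH+AESGCM"', 'ciphers="HIGH"')


def audit_connector(server_xml: str, port: str = "443") -> list[str]:
    """Return findings for the HTTPS Connector; an empty list means it matches."""
    root = ET.fromstring(server_xml)
    connectors = [c for c in root.iter("Connector") if c.get("port") == port]
    if not connectors:
        return [f'no <Connector port="{port}"> found']
    findings = []
    for conn in connectors:
        # Fixed-value attributes must match the documented value exactly.
        for name, want in EXPECTED.items():
            got = conn.get(name)
            if got != want:
                findings.append(f"{name}: expected {want!r}, found {got!r}")
        raw = conn.get("sslEnabledProtocols")
        if raw is None:
            findings.append("sslEnabledProtocols: not set")
            continue
        # Protocol order is irrelevant, so compare as sets.
        enabled = {p.strip() for p in raw.split(",") if p.strip()}
        for proto in sorted(enabled - ALLOWED_PROTOCOLS):
            findings.append(f"sslEnabledProtocols: legacy protocol {proto} enabled")
        for proto in sorted(ALLOWED_PROTOCOLS - enabled):
            findings.append(f"sslEnabledProtocols: {proto} missing")
    return findings


if __name__ == "__main__":
    for label, doc in (("good", GOOD), ("legacy", LEGACY)):
        print(label, audit_connector(doc) or "matches the documented settings")
```
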

Server Upgrade Troubleshooting

  1. Restart the server and repeat the ucl server test from EP1.
  2. If the "server unreachable" problem remains:
    1. Examine Tomcat Logs on the unreachable server.
    2. If it does not reveal a reasonable cause, proceed to repair the upgrade.

Rollback of Server Upgrade

In case the upgrade fails or the system becomes unstable after the upgrade, proceed as follows:

  1. Contact support@unboundsecurity.com and proceed as advised.
  2. If rollback of the upgrade is required, it may be a Partial Rollback if one of the CORE server pairs has not been upgraded. Otherwise, a Complete Rollback is required.
  3. When upgrading from CORE version 2.0.2112 or later, you can also restore the new keys that were generated on the upgraded system.

Partial Rollback

If you have at least one pair that hasn't been upgraded, proceed as follows:

  1. On all upgraded CORE servers, perform the CORE server Clean-up procedure.
  2. Leave the rest of the servers running the current version.
  3. Use the Root SO credentials to connect to one of the running EP servers and update the cluster's topology by deleting all servers that were wiped out in step #1.
  4. Run the ucl server test -full command to confirm that all servers in the remaining cluster are running the current software.
  5. To restore the servers from step #1, use them to expand the current cluster. See Cluster Scale-out.

Complete Rollback

The complete rollback is required when all servers in the CORE cluster have been upgraded. In such a case, the rollback procedure becomes the database restore procedure:

  1. Perform the Clean-up procedure on all servers.
  2. Install the last running software version on all servers.
  3. Select one EP-Partner pair specified in the cluster topology, restore the database on it, and bootstrap the pair using the -restore option. See Database Restore.
  4. To restore the rest of the servers, see Cluster Scale-out.