Operating system patch management
This section provides guidance on the key things to consider when applying Microsoft patches to Bravura Security Fabric instance servers. Always check the Microsoft website for their latest recommendations.
This topic covers Windows Server operating system patching only and does not cover Bravura Security Fabric patching. For all Bravura Security Fabric patching, see Upgrade and Migration.
Best practices
Prepare a company patch strategy that includes:
A schedule.
A list of servers to be included and excluded.
A communication plan to ensure all stakeholders are aware of the upcoming changes to the environment and any potential outages.
Identify servers that cannot be rebooted automatically and arrange a manual restart for them if required.
Microsoft typically releases its patches on the second Tuesday of the month. Schedule patching of the development and test environments first, after the patches are released, and confirm there are no issues before proceeding to patch the production environment.
Perform testing after the patching to ensure Bravura Security Fabric performs as expected.
Consider using a centralized patch management solution.
Downtime
Downtime is a crucial factor when patching. Create a downtime plan that is agreed upon by all stakeholders, so that you do not have to re-negotiate a window each time you want to apply patches. Below are a few examples:
Follow the standard maintenance window; for example, a routine maintenance window for the development and test environments might be from 11 pm to 4 am on a particular weekday, and from 11 pm to 4 am on the weekend for the production environment.
A dedicated patching window that is approved only for patching, and only for a single deployment environment. For example, a pre-set time on the second Friday of the month to patch the development environment, another time on the second Saturday for the test environment, and the third Saturday to patch production.
When devising your plan also consider:
If the production environment cannot have a complete outage, group the nodes, with each group being patched at different times.
Coordinate each node's database server patching with the patching of the node itself; otherwise, you get two outages per node instead of one. This may require coordination with the OS and database administrators.
Backup
Before applying patches, ensure you have a successful backup taken in a known state, with all services other than the logging service stopped.
Before applying OS patches
To ensure Bravura Security Fabric is not adversely affected during the patching process, the following is recommended before applying operating system patches:
Turn off auto-discovery.
For Bravura Privilege, disable randomization.
Disable any Windows scheduled tasks that are related to the Bravura instance.
Disable Bravura Security Fabric scheduled tasks, including auto-discovery.
Stop the Web Server (IIS) or remove the server from the load balancer.
Shut down the database service (iddb). If the server is in a replicated environment, flush the queues first:
Stop all Bravura Security services, except the logging service (logging) and the database service (iddb), on all replication nodes and allow the replication queues to empty.
Once all queues are empty, stop the database service on each node.
After applying OS patches
Check server logs for any new errors.
Add the node back to the load balancer if it was removed before patching.
If the server is a replicated instance, wait until the queues have drained or are close to empty before starting the Bravura Security services again.
Enable all OS and Bravura tasks that were disabled for patching.
For Bravura Privilege, re-enable randomization.
Run tests to ensure Bravura Security Fabric is operating as expected.
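The two procedures above (before and after applying OS patches) as a single PowerShell script, added here as an example; it is not part of Bravura Security Fabric or its documentation. The only service names it takes from the page are logging and iddb. Every other Bravura service name, the scheduled task name pattern, the state file path and the replication queue check are placeholders the operator supplies, because the page does not give them. Auto-discovery and randomization are product settings with no command given on the page, so the script only reminds the operator to handle those steps manually. The page also does not state the start order after patching; the script starts iddb first so that the queue check has something to inspect, then the remaining services.

```powershell
<#
  Pre- and post-patch helper for one Bravura Security Fabric node.
  Added example for this page; not part of Bravura Security Fabric or its documentation.
  Assumptions (placeholders; adjust to your instance):
    - 'logging' and 'iddb' are the service names given on the page. The remaining Bravura
      service names are not on the page and are passed in via -BravuraServices.
    - Bravura-related scheduled tasks match the wildcard in -TaskNamePattern (hypothetical).
    - IIS is stopped and started via its standard Windows service name, W3SVC.
    - The page does not say how replication queues are inspected, so -QueueEmptyCheck is a
      caller-supplied script block that returns $true once the queues are empty.
#>
[CmdletBinding()]
param(
    [Parameter(Mandatory)][ValidateSet('Pre', 'Post')][string]$Phase,
    [string[]]$BravuraServices = @('PLACEHOLDER-BravuraService1', 'PLACEHOLDER-BravuraService2'),
    [string]$TaskNamePattern = 'PLACEHOLDER-Bravura*',
    [switch]$Replicated,
    [scriptblock]$QueueEmptyCheck = { (Read-Host 'Replication queues empty? (y/n)') -eq 'y' },
    [int]$QueueTimeoutMinutes = 60,
    [string]$StateFile = "$env:ProgramData\bravura-patch-state.json"
)

$keepRunning = @('logging', 'iddb')   # never stopped by the service loop; iddb is handled last

function Wait-ForEmptyQueues {
    param([scriptblock]$Check, [int]$TimeoutMinutes)
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    while ((Get-Date) -lt $deadline) {
        if (& $Check) { return $true }
        Start-Sleep -Seconds 30
    }
    return $false
}

switch ($Phase) {
    'Pre' {
        Write-Warning 'Manual steps first: turn off auto-discovery; for Bravura Privilege, disable randomization.'

        # Disable Bravura-related scheduled tasks and remember exactly which ones were touched.
        $tasks = @(Get-ScheduledTask -TaskName $TaskNamePattern -ErrorAction SilentlyContinue |
                   Where-Object { $_.State -ne 'Disabled' })
        $tasks | ForEach-Object { Disable-ScheduledTask -InputObject $_ | Out-Null }
        $taskRecords = @($tasks | ForEach-Object { @{ Name = $_.TaskName; Path = $_.TaskPath } })

        # Take the node out of service: stop IIS (or remove it from the load balancer instead).
        Stop-Service -Name W3SVC -ErrorAction Stop

        # Stop every Bravura service except logging and iddb.
        $stopped = @($BravuraServices | Where-Object { $_ -notin $keepRunning })
        foreach ($svc in $stopped) { Stop-Service -Name $svc -ErrorAction Stop }

        # In a replicated environment the queues must drain before iddb goes down.
        if ($Replicated -and -not (Wait-ForEmptyQueues -Check $QueueEmptyCheck -TimeoutMinutes $QueueTimeoutMinutes)) {
            throw "Replication queues did not empty within $QueueTimeoutMinutes minutes; iddb left running."
        }
        Stop-Service -Name iddb -ErrorAction Stop

        @{ Tasks = $taskRecords; Services = $stopped; PatchStart = (Get-Date).ToString('o') } |
            ConvertTo-Json -Depth 5 | Set-Content -Path $StateFile
        Write-Host "Node prepared for patching; state saved to $StateFile"
    }
    'Post' {
        $state = Get-Content -Path $StateFile -Raw | ConvertFrom-Json

        # Surface new Critical (1) and Error (2) events logged since the pre-patch phase began.
        $errors = Get-WinEvent -FilterHashtable @{
            LogName = 'System', 'Application'; Level = 1, 2; StartTime = [datetime]$state.PatchStart
        } -ErrorAction SilentlyContinue
        if ($errors) {
            Write-Warning "$(@($errors).Count) Critical/Error event(s) since patching started; review before continuing."
            $errors | Select-Object TimeCreated, ProviderName, Id, Message | Format-Table -Wrap | Out-String | Write-Host
        }

        # Database first, then (if replicated) let the queues drain before the remaining services.
        Start-Service -Name iddb -ErrorAction Stop
        if ($Replicated -and -not (Wait-ForEmptyQueues -Check $QueueEmptyCheck -TimeoutMinutes $QueueTimeoutMinutes)) {
            throw "Replication queues still not drained after $QueueTimeoutMinutes minutes; services left stopped."
        }
        foreach ($svc in @($state.Services)) { Start-Service -Name $svc -ErrorAction Stop }

        # Put the node back into service and re-enable only the tasks disabled in the Pre phase.
        Start-Service -Name W3SVC -ErrorAction Stop
        foreach ($t in @($state.Tasks)) { Enable-ScheduledTask -TaskName $t.Name -TaskPath $t.Path | Out-Null }

        Write-Warning 'Manual steps to finish: add the node back to the load balancer if it was removed, re-enable randomization (Bravura Privilege) and auto-discovery, then run the post-patch tests.'
    }
}
```

Save the script under a name of your choosing (for example Invoke-BravuraPatchPrep.ps1, a hypothetical name) and run it from an elevated prompt with -Phase Pre before patching and -Phase Post after the reboot, adding -Replicated on nodes in a replicated environment. Because the state file records which tasks and services were actually stopped, the Post phase restores only what the Pre phase changed, which avoids enabling tasks that were deliberately disabled for other reasons. The default queue check only asks the operator to confirm; replace it with a script block that inspects the queues in whatever way your instance provides.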