Product considerations

If you are applying a patch:

Each significant version of Bravura Security software is likely to have different requirements for its database tables, table schema or data encoding.

Below is a compatibility matrix that should be taken into consideration when upgrading Bravura Security Fabric and Connector Pack in regards to MSSQL database requirements:

Latest version requirements

If you are installing the Analytics app feature as part of an upgrade you must install Microsoft’s SQL Reporting Services.

After installing Microsoft’s SQL Reporting Services gather the following information:

See Analytics for more information on this feature.

Establish a window to perform the upgrade when all replication nodes can be offline. It is highly recommended that replication queues be flushed to avoid data loss. Generally, in a replicated environment, plan for the following:

This process will vary based on the version you are upgrading from and to. This is detailed in the upgrade instructions and playbooks.

When configuring Bravura Security software, various files may have been added or modified to implement various features or customizations.

Carefully analyze and test all scripts, plugins, and configuration files; for example:

Note the following for custom scripts, plugins, and configuration files:

File Locations

When you install any Bravura Security product, the default path for program files is <Program files path>\Bravura Security\ as of 12.5.0.

Prior to 12.5.0, the path is <Program files path>\Hitachi ID\.

The directory name is not changed when upgrading.

Bravura Security Fabric directories and files

Three main directories are created when you install Bravura Security Fabric instance, as detailed below.

It is recommended that you do not change these directory locations during the setup process. You cannot install any of the directories required for Bravura Security Fabric on a mapped drive.

Instance directory

<Program Files path>\Bravura Security\Bravura Security Fabric\<instance>\

Directories marked with include files installed by Connector Pack .

Directories marked with include folders and files installed with the optional Analytics app.

Directories marked with include optional files. They are only installed in a complete installation or if selected in a custom installation.

Table 2. Instance directory files

Directory	Contains
addon	Files required for add-on software, such as Local Reset Extension and SKA. Some files, required to target Netegrity SiteMinder, are installed by Connector Pack . If you installed a global Connector Pack , these files are contained in the Connector Pack global directory.
agent	Instance-specific user management connectors (agents). If you installed a global Connector Pack , user management connectors are contained in the Connector Pack global directory.
analytics	Analytics app specific folders
analytics \ DataSets	Contains * .rsd files which are Shared Dataset Definitions. These files are only used by SQL Server versions higher than Express. They contain datasets that are shared between reports.
analytics \ Hidden	Contains * .rdl files which are Report Definitions. These files are the drillthrough reports used by other reports. They are not visible to the end-user.
analytics \ ReportItems	This folder contains other folders. Each folder in this folder is a category in the Analytics app. Within these folders are * .rdl files which are Report Definitions. The folders need to be added to the CUSTOM ANALYTICCATEGORIES system variable to be visible. These reports are then visible to the end-users in the Analytics app.
cgi-bin	The user web interface modules (* .exe CGI programs).
db	The Bravura Security Fabric database sqlscripts.
db \ cache	Search engine temporary search results. These files are cleaned up nightly by psupdate .
db \ replication	Stored procedure replication queues, and temporary replicated batch data.
design	Files necessary to make modifications to the GUI. Some files are installed by Connector Pack . If you install a global Connector Pack , files related to connectors are located in the global design directory.
dictionary	A flat file, words.dat, that contains dictionary words. Bravura Security Fabric uses this file to determine if new passwords fail dictionary-based password-policy rules.
idapiservice	Files required to use the SOAP API.
interface	Instance-specific ticket management connectors (exit trap programs). If you installed a global Connector Pack , ticket management connectors are contained in the Connector Pack global directory.
lib	Contains the pslangapi.dll.
license	The license file for Bravura Security Fabric .
plugin	Plugin programs executed by Bravura Security Fabric .
psconfig	List files produced by auto discovery and the idmsetup.inf file.
report	Files and programs for report generation.
samples	Instance-specific sample scripts and configuration files. If you installed a global Connector Pack , connector-related sample files are contained in the Connector Pack global directory.
script	Configuration files and scripts used by connectors, psupdate , plugins and interface programs.
service	Service programs.
sessdata	Session data. A scheduled program removed old data files nightly.
skin	Compiled GUI files used at run-time (HTML and *.z).
smon	Monitored session data. This location can be changed by Recorded session management (smon) module options.
util	Command-line programs and utilities. If you install a global Connector Pack , tools related to connector configuration are located in the global util directory.
unix	The psunix archive, which is required to install the Unix Listener and supporting files on a Unix-based target system. If you installed a global Connector Pack , this directory is created in the Connector Pack global directory.
wwwdocs	Images and static HTML pages used by Bravura Security Fabric .

Log directory

<Program Files path>\Bravura Security\Bravura Security Fabric\Logs\<instance>\

Any operation that is run by Bravura Security Fabric is logged. Those logs are invaluable when debugging an issue. The log directory by default is <Program Files path>\Bravura Security\Bravura Security Fabric\Logs\<instance>\ . Each instance of Bravura Security Fabric that is installed will have at least one sub-directory within this directory.

The rotatelog scheduled job, which runs on a nightly basis, rotates the logs into a new folder, to reduce disk space usage.

Locks directory

<Program Files path>\Bravura Security\Bravura Security Fabric\Locks

Certain target systems can only be accessed serially, such as Lotus Notes. This is a limitation of the API used to access the target system. In these cases Bravura Security Fabric drops a lock file in the locks directory when an operation is being performed that should only be performed serially. For this reason the locks directory must be the same for all instances of Bravura Security Fabric that are installed on the same server.

Connector pack directories and files

When you install Connector Pack , files are placed in different locations depending on type of Connector Pack .

For an instance-specific connector pack, the installer, connector-pack-x64.msi, installs connectors and supporting files in:

<Program Files path>\Bravura Security\Bravura Security Fabric\<instance>\

For a global connector pack, the installer, connector-pack-x64.msi, installs connectors and supporting files in:

<Program Files path>\Bravura Security\Connector Packs\global\

The table below describes the function of directories that are created when a Connector Pack is installed:

Table 3. Connector Pack directory files

Directory	Contains
addon	Files required to target Netegrity SiteMinder systems
agent	User management connectors (agents)
design	Connector Pack -related files necessary to make modifications to the GUI; for example target system address help pages. See the “Customization Guide” for details.
interface	Ticket management connectors (exit trap programs)
samples	Sample scripts and configuration files
unix	The psunix archive, which is required to install the Unix Listener and supporting files on a Unix-based target system
util	Tools to support the configuration of various target systems

After an upgrade, service configuration is reset to the default. If you have set the startup type of a service (for example, if you have set a service to delayed start), this change must be made again after upgrading.

Saved reports will not be preserved when upgrading from earlier versions. After the upgrade, scheduled reports can be viewed on the Manage the system > Maintenance > Scheduled jobs page, but cannot be run or modified.

Reports in Bravura Security Fabric versions 9.0 or later are SQLite databases.

After upgrades or patches you can expect to see errors from loadreports on reports not covered in your product license.

In addition to configuration files, your Bravura Security Fabric instance may contain custom binaries and/or schema. These could include web modules, connectors, plugin programs, external interface programs, and so on.

Once custom binaries are identified, their purpose should be determined to decide whether they are still necessary. For example, if the custom binary was created to resolve a product deficit, the deficit was likely resolved in the base product. Similarly, if the purpose of the binary was to add custom functionality, it is also possible that the feature was added to the base product.

Read the Release notes to determine whether a custom binary is necessary. If it is still not obvious, contact support@bravurasecurity.com for assistance.

Only in very specific cases will an older binary be usable in a newer product. A previous service engagement or product fixes on an existing instance (including binary and/or schema) might require assistance from Support to either initiate a new service engagement, verify the fixes provided in a previous release, or indicate a new feature or functionality that supersedes fixes in older functionality.

Determine the level of product customization

Bravura Security Fabric is a comprehensive suite of products comprising many binaries and scripts, which are designed to work together as a unified identity, privilege, and password management platform.

When troubleshooting or preparing for an upgrade or migration, you must identify if and where the Bravura Security Fabric instance is using stock code versus something customized.

The default installer available from Bravura Security is the stock release build and does not contain any customer-specific customizations unless those features have been incorporated into the base product. If there are customized features or fixes in your current version that should be preserved in the new destination product version, let your Account Manager or Support know, so Bravura Security developers can look for differences and carry them forward if feasible, creating a custom build of the new version.

There are several ways to check for specific versioning changes in your current instance:

• Look for the version displayed in the default product Web UI footer, as shown above. This is the version of the CGI binary that renders that specific page.

• Check binary versions and their builds in Windows Explorer by right-clicking the file > Properties > Details. Alternatively, you can check version information using the getfileinfo program .

• Write a complete list of versions for each binary in the product in a text file by running the following in a command prompt from the instance's util directory:

  instdump.exe -binaryversion -outfile binversions.txt

  See instdump for more usage information.

  • For even more details such as file description, including who each binary was built for, and information on other files like config and non-binaries, and the CommonFiles required by some of these binaries, use PowerShell from the instance directory. For example:

    dir cgi-bin\, agent\, agent\cmn\, interface\, plugin\, service\, util\, design\, report\, wwwdocs\, C:\Program Files\Common Files\Bravura Security\ | Get-ItemProperty | Format-list -Property * -Force > binversions-verbose.txt

    (For versions 12.4 or older replace "Bravura Security" with "Hitachi ID". )

    If the agent directory is in the Global Connector Pack location, replace that location in the cmdlet above.

    Add other locations, or use a subset of the command for a specific troubleshooting task.

• Check if SQL stored procedures in the backend database are customized by comparing them with the default code listed in the instance's db\functions-mssql.sq l.

  Similarly, the default backend SQL database schema is provided in db\dbdefault-mssql.sql

• Look for custom product UI skins in design\custom .

  When upgrading to a newer version these may not be used as-is, because the UI changes between versions. However, they are useful to determine what has to be changed.

• Look for custom components in component\Custom (ignore the samples).

  Configuration for installed components and other parts of the product are in db/extdb.db .

• Identify custom plugin scripts by modification date in the instance's plugin directory

• Look for other custom scripts, such as pxnull-itsm.cfg which contains exit trap email notifications, in the instance's script\directory. The date/timestamp is also useful here for identifying modified scripts.

• See details of the license currently active on a product application node by running the following in a command prompt from the instance's util directory:

  licviewer ..\license\idmsuite.lic

  See licviewer for more usage information

  The license file format was modified in Hitachi ID Suite 10.1.0, so a licviewer program from either side of that version is not compatible with the file from the other side.

A new version of Bravura Security Fabric may need a newer version of the target system client software installed on the primary node.

As of 9.0, Bravura Security Fabric is completely 64-bit, so it requires any target tools (for example, database clients, SDKs or any software our product loads directly to integrate with targets), to also be installed as 64-bit versions. This means that for fresh installs (including replication migrations), the 64-bit clients must be installed, and for cloned migration, the 32-bit clients must be uninstalled and the 64-bit client installed.

Refer to Connector Pack documentation for details on any targets that require target clients or tools.

All custom web interface modifications should be reviewed. Some existing modifications will require modification or deletion, while new modifications may need to be added.

The best method to address this issue is to go through every file in the custom directory in the source instance and confirm the same file exists in the destination instance src directory. If a file does not exist in the new instance, the custom version of the file can probably be deleted. If a file does exist, go through the entire file and search for each tag or KVGroup in the new instance. If the tag or KVGroup does not exist, it can probably be deleted from the file. If it does exist, compare the custom version to the default version in the new instance and figure out what if any modification will need to be made to the custom version.

Finally, test all the web pages and verify that the desired modifications have been migrated properly. Also look for new web interface constructs that may require new modifications.

See Customization for more information.

Check the Bravura Security portal or contact support@bravurasecurity.com to find out what language packs are available for the new version. The lack of a language pack might cause delays in the migration project if it does not yet exist.

As mentioned in Inventory of systems , there are a number of potentially related supporting systems to consider in addition to the Bravura Security Fabric servers themselves. These systems fall into two categories; systems with Bravura Security Fabric software components installed on them, and other technologies that support the Bravura Security Fabric server.

Bravura Security's Mainframe Connector does not directly integrate with the operating system, it integrates with one of the three operating system security modules described in Mainframe in the Connector Pack documentation.

As long that those modules' plugin infrastructure does not change, the integration is supported.

Bravura Security recommends testing the integration several months before the production upgrade, so there can be time for us to address any issues introduced by the new version.

The current Mainframe Connector can communicate with connector packs 2.3.0 or newer.

Verify the minimum Python requirements for the upgrade.

Python must be installed for all users.

The upgrade in support may cause issues with some scripts.

See also

Bravura One app must be the same version as the instance so ensure this is included in your upgrade plan. For more information about the Bravura One app see Mobile Access in the Bravura Security Fabric documentation.

Upgrading from version 10.1.4 or below will require that the Bravura One app be registered again from the mobile devices if two-factor authentication has been enabled to scan a QR Code for mobile authentication for phone-assisted login.

Bravura Security Proxy servers can be upgraded in any order after the application nodes are upgraded, as long as it is done before file changes are propagated post upgrade .

Review the latest Release notes to identify changes that might affect expected product behavior.

Pay particular attention to:

Verify there are no pending Windows updates to be installed, and verify that no server restarts are scheduled before starting the upgrade or patching process.

Ensure that you know the Bravura Security Fabric service user (psadmin) password. This will be required to upgrade existing systems.

Learn more about Changes to the service account (psadmin) with serviceacct.

Review the following: