Reduce sources of change
The following steps are required to reduce sources of change before upgrading in a replicated environment.
Prepare custom component upgrade
Depending on the specific customizations identified in Review customizations, carry out the steps needed to prepare for the custom component upgrade; for example, this may include running custom upgrade scripts and/or removing custom components in favor of new base product features.
Disable OTP randomization (Rolling upgrade)
If you are following the rolling upgrade path, disable password randomization for all OTP API accounts:
Create a DWORD entry named DisableAllOTP in the IDAPI subkey of the instance registry key:
HKLM\SOFTWARE\Bravura Security\Bravura Security Fabric\<instance>\
Set DisableAllOTP to 1.
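The registry change above, as an added PowerShell example that is not part of the Bravura Security documentation. It sets the value and reads it back so a typo in the instance name or key path fails loudly instead of silently leaving OTP randomization enabled. The instance name is a placeholder you supply; registry values are local to each server, so run it on every application node that follows the rolling upgrade path.

```powershell
# Added example (not Bravura Security's own script): set DisableAllOTP = 1 and verify it.
param(
    [Parameter(Mandatory)]
    [string]$Instance   # PLACEHOLDER: the <instance> name from the registry path in the steps above
)

$instanceKey = "HKLM:\SOFTWARE\Bravura Security\Bravura Security Fabric\$Instance"
$idapiKey    = Join-Path $instanceKey 'IDAPI'

# Refuse to create a stray key tree if the instance name is wrong.
if (-not (Test-Path -LiteralPath $instanceKey)) {
    throw "Instance key not found: $instanceKey. Check the instance name."
}

# The IDAPI subkey normally exists already; create it only if it is missing.
if (-not (Test-Path -LiteralPath $idapiKey)) {
    New-Item -Path $idapiKey | Out-Null
}

# Create or overwrite the DWORD value. -Force replaces an existing value of any type.
New-ItemProperty -LiteralPath $idapiKey -Name 'DisableAllOTP' -PropertyType DWord -Value 1 -Force | Out-Null

# Read it back and confirm the value is exactly 1 before moving on to the next step.
$actual = (Get-ItemProperty -LiteralPath $idapiKey -Name 'DisableAllOTP').DisableAllOTP
if ($actual -ne 1) {
    throw "DisableAllOTP is '$actual' under $idapiKey; expected 1."
}
Write-Output "DisableAllOTP = 1 confirmed under $idapiKey"
```

Run it from an elevated PowerShell session as `.\Disable-OtpRandomization.ps1 -Instance <instance>` (script name is an assumption). Keep the same parameter handy for re-enabling the value after the upgrade, since the check is the part you will want to repeat.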
Allow check-outs while randomization is disabled
When you disable randomization, Bravura Security Fabric’s default behavior is to check in and block any check-outs for accounts, account sets, or group sets that are members of the affected managed system policies. You can choose to allow check-outs while randomization is disabled.
Check-ins will not cause the password to be randomized; this could present a security risk if users have access to account passwords, as they will not be randomized until randomization is re-enabled.
After a managed system policy is enabled, passwords must be randomized initially before any accounts are available for check-out. You can do this either by waiting for the managing service to poll the member systems, or by manually randomizing them.
To allow check-outs for all policies while randomization is disabled:
Click Manage the system > Maintenance > System variables.
Set RES DISABLE RANDOMIZATIONS ALLOW CHECKOUTS to Enabled.
Click Update.
Replication will propagate the setting to secondary nodes automatically.
To allow check-outs for selected policies instead of all policies:
Click Manage the system > Privileged access > Managed system policies.
Select the managed system policy.
In the General tab, select the checkbox for Allow check-outs when randomization is disabled.
Click Update.
If the Allow check-outs when randomization is disabled option for the managed system policy is deselected, the global setting RES DISABLE RANDOMIZATIONS ALLOW CHECKOUTS applies.
Disable automatic password randomization system-wide
Disable the system variable RESOURCE AUTOMATICALLY RANDOMIZE PASSWORDS (Manage the system > Privileged access > Options > Password randomization).
At the next poll, the local workstation service randomizes the initial passwords of local workstation service mode resources that have no known password. Randomization in response to events such as manual randomization, overrides, or check-ins is not affected by this variable.
When disabled, passwords are not initialized and cannot be randomized in response to events until they have been initialized.
The setting will be replicated to secondary nodes.
Disable all password randomizations in all policies
Temporarily disable password randomization for all managed system policies. This will override all other randomization settings, including scheduled randomization or randomization after an account is checked in. During this time, passwords that need to be randomized or overridden will be blocked and queued until password randomization is re-enabled.
Log in to Bravura Security Fabric.
Click Manage the system > Privileged access > Managed system policies.
Scroll to the bottom of the page.
Select Disable all password randomizations in all policies.
Click OK to confirm the selection.
Replication will propagate the disabled password randomization policy to all other nodes automatically. It is recommended to double-check each node manually, or at least the nodes that have managed system policies configured to run on them.
Note
This setting does not actually disable randomization inside each managed system policy; it simply stops any randomization from happening.
Disable auto discovery
Disable the PSUPDATE scheduled job:
Log into Bravura Security Fabric as an administrator with the "Maintain servers" administrative privilege.
Click Maintenance > Scheduled jobs.
Select PSUPDATE and disable it.
Ensure that auto discovery has finished running. If its processes are still running, do not kill them; allow them to complete.
Ensure no maintenance tasks are scheduled on SQL nodes (not rolling upgrade path)
Check with your DBA to ensure that database maintenance tasks, such as a database reindex, will not be running during patching.
Disable Bravura Security tasks
Disable Bravura Security tasks in the operating system task scheduler.
Verify that Bravura Security processes are no longer running.
While logged into each application node, use Task Manager to verify that no processes are running under the Bravura Security service user (psadmin) other than the Bravura Security instance services; in particular, the following processes should not be running:
psupdate
idtrack
autores
pwdconficts
This program should not run until all nodes are operational; otherwise it will identify a range of issues, since the nodes are in a problematic state while the database resynchronization is being done.
Health checks
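The two steps above (disable the operating system scheduled tasks, then confirm that none of the listed programs is still running under the service user), as an added PowerShell example that is not part of the Bravura Security documentation. The scheduled task name pattern is an assumption, because the page does not give the task names; the process names and the psadmin account are taken from the list above. The script reports leftover processes but deliberately does not terminate them, matching the instruction to let them complete.

```powershell
# Added example (not Bravura Security's own script).

# Step 1: disable Bravura Security tasks in the OS task scheduler.
# ASSUMPTION: the tasks are matched by name pattern; confirm the real names with
# Get-ScheduledTask before relying on this filter.
$taskPattern = 'Bravura*'
$tasks = Get-ScheduledTask | Where-Object {
    $_.TaskName -like $taskPattern -and $_.State -ne 'Disabled'
}
foreach ($t in $tasks) {
    Disable-ScheduledTask -TaskName $t.TaskName -TaskPath $t.TaskPath | Out-Null
    Write-Output "Disabled scheduled task $($t.TaskPath)$($t.TaskName)"
}

# Step 2: verify the checklist processes are not running under the service user.
$serviceUser   = 'psadmin'                                        # from the page
$mustBeStopped = @('psupdate', 'idtrack', 'autores', 'pwdconficts') # names as listed on the page

# Win32_Process.GetOwner() returns the account that owns each process, which is
# what Task Manager shows in its "User name" column.
$running = Get-CimInstance -ClassName Win32_Process | ForEach-Object {
    $owner = Invoke-CimMethod -InputObject $_ -MethodName GetOwner
    $base  = [System.IO.Path]::GetFileNameWithoutExtension($_.Name)
    if ($owner.User -eq $serviceUser -and $mustBeStopped -contains $base) {
        [pscustomobject]@{
            Name  = $_.Name
            PID   = $_.ProcessId
            Owner = "$($owner.Domain)\$($owner.User)"
        }
    }
}

if ($running) {
    # Report only: the upgrade steps say to let these finish, not to kill them.
    Write-Warning "Checklist processes still running under $serviceUser; wait for them to finish:"
    $running | Format-Table -AutoSize | Out-String | Write-Warning
    exit 1
}
Write-Output "No checklist processes are running under $serviceUser on $env:COMPUTERNAME."
```

Run it on each application node from an elevated session; a non-zero exit code means the node is not yet ready, so the script can be re-run until it exits cleanly. The `-contains` comparison is case-insensitive, so it matches the names however the executables are capitalized.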