Upgrade steps Rolling upgrade - Primary server
Carry out the following tasks on the primary node before moving on to each secondary node.
Restrict access
Restrict access via a global load balancer to the upgrading node
Restrict all traffic to and from the primary node.
Configure firewalls to isolate upgrading node
Block all Bravura Security traffic to and from the upgrading node.
For example, in Windows Firewall, configure rules to block Bravura Security outbound traffic from upgrading node to other nodes, and rules to block inbound Bravura Security traffic from other nodes to the upgrading node.
Ensure Bravura Security traffic is isolated between the old version, upgraded and upgrading node.
Any changes made on nodes of differing states will be delayed until all nodes are upgraded and thus on the same build version.
Restrict access to the IIS server
Restrict access to the IIS server to only a local IP address and the loopback interface by using the IP and Domain Restrictions IIS feature.
You may need to install the IP and Domain Restrictions security feature for IIS.
IP and Domain Restriction settings:
Mode | Requestor | Entry type |
Allow | 127.0.0.1 | Local |
Allow | Local IP address of IIS server | Local |
Deny | 0.0.0.0/32 | Local |
If a load balancer or round-robin DNS has been configured in front of the Bravura Security Fabric , remove all application nodes from availability to the load balancer to stop new user sessions from being created (and avoid interrupting them when services go down). Optionally, redirect users to a static web page that mentions the cause and duration of the outage (and can be updated with notes if the outage takes longer than expected).
Backup the primary application node and database
Back up the application node
Virtualized servers If you are using a virtualization solution to run your Bravura Security Fabric nodes as virtual machines, create a snapshot of each of node. Create a snapshot of each node’s corresponding database server if the application and database are not on the same server.
Physical servers If you are running the application and database nodes on bare-metal, image the server disks, including all disks where Bravura Security Fabric and its backend database files are stored. To determine the paths, you can check in the Windows registry:
HKLM\SOFTWARE\Bravura Security\Bravura Security Fabric\<instance>\PsInstallDir
HKLM\SOFTWARE\Bravura Security\Bravura Security Fabric\<instance>\PsTempDir
Backup the database on the primary node
Regardless of the chosen backup strategy, create an explicit SQL backup. A database backup provides additional flexibility in some recovery scenarios. It can potentially allow an administrator to quickly re-run a patch after fixing issues that may have caused it to fail.
If the database is hosted on a SAN or a shared database cluster where a snapshot or disk image is impossible, create a database backup to accompany the snapshot or disk image made for the application.
Upgrade Connector Pack
Upgrade Connector Pack if necessary.
This step may not be necessary if no connector changes are made. It is not necessary for a build patch.
If custom connectors are used, they may need to be manually reloaded.
See Upgrading Connector Pack .
If Connector Pack is 3.1.x or older, you need to uninstall the old Connector Pack , and install a new one.
Note
The loadplatform program may fail, since the Database Service has been stopped; however the program will run as part or the post-installation tasks once Bravura Security Fabric has been upgraded.
Ensure services and IIS are off on each node after the Connector Pack upgrade.
Add custom components
If you are adding component customizations for this upgrade, add or remove updated files as applicable. You may need to uninstall previous custom components. Back up custom components if this is not already done.
Do not load components after modifying them at this time. The installer will complete this in the following step.
Start setup on the primary node
To run the installer:
Run
setupas an Administrator with the latest MSI.The
setupprogram shows you the list of existing instances on the server.
Select the instance you want to upgrade or patch, then click the Upgrade link for that instance.
If the instance you want is not listed, refer to Run installer for pre-upgrade checks.
Read the product setup warning and click Yes to continue.
Enter the psadmin credentials.
Select Proceed with a rolling upgrade.
Complete pre install checks.
Click Next after the pre-installation check.
Select Backup files if you want the installer to backup the files.
Choose if you want the installer to backup the database before the upgrade or patch.
If you chose to do a database backup, enter the database user’s password and a name for the backup database.
During the upgrade, if prompted, update or add new encryption keys.
Bravura Security Fabric uses several encryption keys to ensure your data is secure.
If you want to install the Analytics app, configure options to connect with SQL Server Reporting Services (SSRS) .
Click Skip if you do not want to install this feature now. Skip to Step 13.
If you skip SSRS setup now you can set it up after installing Bravura Security Fabric software, as documented in Reports.
You must have access to SQL Server Reporting Services to use this feature.
To configure SSRS options and install the Analytics app:
Enter the Report Servers web service URL.
Enter the SSRS service username and password.
Click Next .
The SQL Server Reporting Service Configuration - Database User page is displayed.
Enter the name of server where your instance database resides.
If you want
setupto create and configure a new dedicated database user that can query the instance database, enable the Create a dedicated database user? option.
Enter the database administrator name and password so the installer can create the new dedicated database user.
If you already have a dedicated database user created and configured, enter those details and click Next , otherwise, add a password for the new dedicated database user.
Enter a valid license for the upgrade if prompted.
Click Install to start the upgrade or patch.
The installer begins copying files to your computer. The Completed the Bravura Security Fabric (<instance>) Setup Wizard page appears after the Bravura Security Fabric features have been successfully installed.
Remain on the page until you run the installer on each secondary node.
Caution
Do not stop the post-installation tasks. The installer is attempting to load connectors from the Connector Pack, language tags, and reports.
The Database service (
iddb) and File replication service (idfilerep) need to be running on the primary node for post upgrade tasks to properly sync files on secondary nodes.
Manually rebuild skins if required
The Bravura Security Fabric installer normally rebuilds user interface skins during post-upgrade tasks. If the skins failed to rebuild or there were issues, rebuild the skins manually.
See Customization for more information.
For secondary nodes, you have the option to resynchronize files from primary.
Manually reload connector pack if required
The Bravura Security Fabric installer normally loads connectors during post-upgrade tasks. If loading connectors failed or there were issues, reload connectors using the command:
loadplatform -target
See loadplatform usage for information.
Manually reload components if required
The Bravura Security Fabric installer normally reloads components during post-upgrade tasks. If component initialization fails or has issues during the upgrade:
From a command prompt, navigate to the instance directory.
Run the command:
instance.bat
Run the command:
script\manage_components.py load --upgrade
Confirm they succeed.
The API service (idapi) is required for this step.
Turn on IIS Service
Before running the installer on the node, you turned off the IIS service. You should now remove the IIS server access restrictions to localhost or re-enable completely.
Run smoke tests
Carry out the following tasks:
Start the Asynchronous Request, Messaging, API and API SOAP services
Verify skins.
Verify that end users can authenticate.
Start the Workflow Manager service and Privileged Access Manager service
Verify workflow.
Verify requests to access a password using an auto-approved case.
Verify requests to access a password using an authorization case.
Start the rest of the services
Use the installer to continue past the page.
If any of the post-installation tasks produce warnings or errors, click:
Report for details on all post-installation tasks
or,
Messages... for details on a specific post-installation task
Otherwise, wait until the status changes to success, then click Finish.
If connectors (agents) were not installed successfully, see Troubleshooting Connector Pack installation.
Restore access
Restore access to the upgraded node via the load balancer. This step will put the upgraded node back into production.
Any changes made on nodes of differing states will be delayed until all nodes are upgraded and thus on the same build version.
Remove all traffic restrictions to and from upgraded node.
Confirm end users can access nodes from globally available URLs.
Next
Carry out further post upgrade steps as necessary.