Post upgrade
Cleanup tasks
Carry out the following tasks once system-wide access is restored.
Enable Bravura Security tasks
Enable Bravura Security tasks in the operating system task scheduler
Enable auto discovery on the primary node
Enable the PSUPDATE scheduled job on the primary node:
Log into Bravura Security Fabric as an administrator with the "Maintain servers" administrative privilege.
Click Maintenance > Scheduled jobs.
Select PSUPDATE and enable it.
For Bravura Security Fabric versions 12.1.5 and 12.2.0, run psupdate.exe -schedule.
Follow up tests
After running setup to upgrade to the latest version or patch to a new build, verify that the upgrade or patch was successful; for example:
If you patched to a new build, make note of the patch build number to ensure it has been updated to reflect the new patch number.
Verify that services are started.
Verify that replication is working, and all replication nodes are replicating and are functional.
Navigate the user interface. Check whether web interface customizations were applied. You may need to reapply the customizations and reload the skin files.
Follow an upgrade plan based on the configured capability of the old version.
Verify that the following are correctly configured:
Target systems configuration
Target systems administrator credentials
Target system groups
Password policies
User classes
Authentication/identification priority
User notifications
Authentication chains
Product administrators
User access rules
Managed system policies
Import rules
Custom plugins and exit traps
Verify email configuration.
Links in emails sent prior to upgrade may no longer work. In this case, users will need to manually log into Bravura Security Fabric to view request details or perform actions.
Confirm that:
Managed passwords have been upgraded properly.
Scheduled password resets are still occurring normally for both push and local workstation service mode managed systems.
Managed accounts belong to the correct policy.
Session monitoring managed system policy and self-service rules are cleared.
Review log files
Review log files for the last three days, including 12 hours of usage, from all three nodes to allow for a health check of system operation.
Additional steps to consider
The upgraded version of the product may include new features that were not enabled during the upgrade process or that require additional configuration. If you require assistance, contact support@bravurasecurity.com.
Remove old installation files
Remove old installation files to avoid confusing them with new upgrade/patch files. Bravura Security recommends keeping only the last two copies of installation files (previous install and current install).
Post upgrade notes
REST API authorization policies
If you upgraded to 12.6.0 before revision 36570, run the PolicyUpgrade stored procedure manually following upgrade to add REST API authorization policies.
Access to user profiles
By default, the "View profile information" privilege is granted to Access to user profiles rules - ALLREQUESTERS, API_REQUEST, and ALL_SELF_REQUEST. However, this privilege is not granted to rules created before upgrading.
Privileged access to systems
By default, permission for users to "Request check-out to managed group sets" is granted to Privileged access to systems groups - ALLREQUESTERS and ALLRECIPIENT. However, this permission is not granted to managed system policies created before upgrading.
Import rules
Managed account import rules created before the upgrade cannot be associated with local workstation service managed system policies. All newly created managed account import rules can be associated with local workstation service managed system policies.
Local workstation service
You must uninstall the Bravura Privilege Local Workstation Service (hipamlws) and re-install and re-register a 12.x version of the service.
Managed accounts
As of 10.x, managed accounts can only belong to a single policy. Run the Managed systems and accounts -import method report to verify if accounts are attached to multiple policies:
You will need to manually select which policy managed accounts should belong to.
If accounts still belong to more than one policy at upgrade, the following rules will be applied to them:
If an account belongs to only one policy, it will be left as a member of that policy.
If an account belongs to more than one policy, it will be removed from all policies and added to its managed system’s primary policy.
In other words, 1) if you have a managed account on multiple policies, regardless of whether it’s on the primary policy, it will be moved to the primary policy, and 2) if you have an account that belongs on a single policy, it will be left on that policy, regardless of whether it’s the primary policy.
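The reassignment rule above, applied to a constructed membership list to show which accounts the upgrade would move. This is an added example, not Bravura Security code; the CSV column names, system names and policy names are assumptions and do not reflect the report's actual export format.

```python
import csv
import io
from collections import defaultdict

# Constructed sample rows; the column names are assumptions for this example,
# not the actual export format of the report.
SAMPLE_MEMBERSHIPS = """system,account,policy
SRV-DB01,sa,DB_ADMINS
SRV-DB01,sa,BREAK_GLASS
SRV-DB01,backup,DB_ADMINS
SRV-WEB01,root,LINUX_ROOT
SRV-WEB01,deploy,WEB_PRIMARY
SRV-WEB01,deploy,LINUX_ROOT
"""

# Constructed mapping of each managed system to its primary policy.
PRIMARY_POLICY = {"SRV-DB01": "DB_PRIMARY", "SRV-WEB01": "WEB_PRIMARY"}


def load_memberships(text):
    """Group policy names by (system, account) from CSV text."""
    memberships = defaultdict(set)
    for row in csv.DictReader(io.StringIO(text)):
        key = (row["system"].strip(), row["account"].strip())
        memberships[key].add(row["policy"].strip())
    return memberships


def predict_assignment(memberships, primary_policy):
    """Apply the upgrade rule: one policy stays, several collapse to primary."""
    result = {}
    for (system, account), policies in sorted(memberships.items()):
        if len(policies) == 1:
            # Single membership is kept, whether or not it is the primary policy.
            result[(system, account)] = (next(iter(policies)), False)
        else:
            # Multiple memberships: removed from all, added to the primary policy.
            result[(system, account)] = (primary_policy[system], True)
    return result


def accounts_to_review(assignment):
    """Accounts the upgrade would move; decide their policy manually first."""
    return [key for key, (_, moved) in assignment.items() if moved]


if __name__ == "__main__":
    plan = predict_assignment(load_memberships(SAMPLE_MEMBERSHIPS), PRIMARY_POLICY)
    print("Decide policy manually before upgrade:", accounts_to_review(plan))
```

In the sample, `deploy` is already on its system's primary policy and is still listed, because any account on more than one policy is collapsed to the primary policy.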
Disclosure plugins
If upgrading from 9.x or older to 12.x, you must manually update the Remote Desktop access disclosure plugin. To do this, remove the legacy Remote Desktop disclosure plugin from existing managed system policies and replace it with the new one.
If you want to continue to use the legacy Remote Desktop disclosure plugin, you must update the following disclosure attributes:
’encryption’ is now a boolean attribute type. Delete the existing ’encryption’ disclosure attribute and replace it with the new attribute type. This value should be set to ’False’ by default.
’host’ should be updated to match that of the new Remote Desktop disclosure plugin. If there are managed systems that still follow the old format of ’\\<server>’, leave this value untouched.
’multimon’ and ’smartsizing’ attributes are set to ’False’; however the values will only take effect when the Update button is clicked.
Uninstall any versions of Firefox native browser extensions 11.1.x or older on the instance server and client workstations, and install the latest version, which is located in the \<instance>\addon\idarchive directory.
Guacamole
As of 12.x, previous versions of Guacamole will no longer work. You must upgrade Guacamole with the latest RPMs in the idmunix*.tar.gz file located in \<instance>\addon\idmunix. As well, you have the option of installing Guacamole using Docker.
When Guacamole is upgraded, you will no longer need to configure an API user or modify the guacamole.properties file.
Database encryption
If upgrading from 9.x or older, you should run update_db_crypto on relevant tables. As of Bravura Security Fabric 9.0, the database encryption key was updated from using AES-128 to AES-256 encryption. This will affect answers to security questions and other information.
See Migration for more information.
Detection of attribute names conflict
If name conflicts between resource attributes and profile attributes are detected, post upgrade steps should contain this message: "Resource attribute conflict resolution". The post-upgrade report will contain this message about the resource attribute name changes: "Resource attribute <resourceAttrName> renamed to <resourceAttrName_RESATTR>."
Language packs
The upgrade process only upgrades the US English (en-us) language pack. If other language packs are installed before the upgrade, you must install the language packs again after the upgrade.
See Supporting multiple languages and locales for more information regarding installing language packs.
Browser caching
If you log in after the upgrade using the same desktop browser that was used to log in to the instance before the upgrade, the interface may sometimes not render correctly. For example, the user ID in the top right may have a dot where an icon should be, and you cannot click on the user name (it does nothing).
You must refresh and reload the browser to display it properly.
Logging Service (idmlogsvc) configuration file
When upgrading Bravura Security Fabric, the idmlogsvc.cfg configuration file will be retained from the previous version. A new configuration file named idmlogsvc.bak will be created and will contain the configuration settings of idmlogsvc.cfg for the newer version of Bravura Security Fabric.
This configuration file should be reviewed for any changes between idmlogsvc.cfg (configuration settings from the previous version) and idmlogsvc.bak (configuration settings for new version) after the upgrade is complete.