Migrating from Ansible Installer

Assumptions

HYPR is functional and services are running
Vault is populated properly

Backup Vault data

Log into the Vault web UI

You can get the Vault access token
From file /etc/systemd/system/hypr-cc.service
From line --vault.namespace=staging_single --spring.cloud.vault.token=<use this token to log into Vault UI>

Copy the contents shown in the web console to a local text file

  • controlCenterConfig
  • uafServerConfigBean
  • loggingConfigs
  • pushConfig (this has been moved to the ControlCenter UI)
2918

Stop HYPR services

service hypr stop
systemctl disable hypr

service mysql stop
systemctl disable mysql

service nginx stop
systemctl disable nginx

service redis-server stop
systemctl disable redis-server

service redis-sentinel stop
systemctl disable redis-sentinel

On the master node

Step1: Copy the new install pkg to

Unzip install pkg to a corresponding <install dir>. Example: /opt/hypr/ServerInstaller-6.2.0
This leaves the existing install untouched

Ensure that the folder is ownershup

Step2: Create metadata file to match new install process

Create install metadata file in the

vi .install

Paste the following content. Replace the password placeholders as indicated inline. Quotes are not needed. Save file and exit.

UAF_PASSWORD=< get from Vault uafServerConfigBean  > hibernate.connection.password>
FIDO2_PASSWORD=< pick a password. 16 chars, upper/lower case, numbers >
EVENT_PASSWORD=< get from Vault loggingConfigs > hibernate.connection.password> 
VAULT_PASSWORD=< get from <old install dir>/vault-0.10.3/vault.config >
REDIS_PASSWORD=< get from Vault controlCenterConfig > reddisonConfig > password>
CC_SERVICE_ACC_PASSWORD=< get from Vault controlCenterConfig > hypr.cc.serviceaccount.password>
VAULT_UNSEAL_KEY1=<get from /etc/systemd/system/hypr-cc.service>
VAULT_ROOT_TOKEN=<get from /etc/systemd/system/hypr-cc.service>

Encrypt the file using:

openssl enc -aes-256-cbc -salt -e -in ".install" -out ".install.enc" -k <env password of your choosing>

Remove the unencrypted version

rm -rf .install

Step 3: Update env.sh

In the new install dir env.sh
Fill in 📌 SINGLE node setup or 📌 CLUSTER setup sections depending on your setup

HYPR_INSTALL_DIR: Set this to the new install dir created above
HYPR_USER/HYPR_GROUP: Set this to the user/group running HYPR services. Must own /opt/hypr

CLUSTER_NAME corresponds to the Vault namespace. Choose a new one to avoid overwriting existing install config

Ports have changed, default ports are
UAF 8008, CC 8009, FIDO2 4081

If you want to continue running on older ports, set the following variables in env.sh
UAF_PORT, CC_PORT, FIDO2_PORT

MYSQL_HOST: To the current DB < get from Vault uafServerConfigBean > hibernate.connection.url >
Example: ec2-3-200-200-32.compute-1.amazonaws.com
Should look like:
export MYSQL_HOST=${MYSQL_HOST=“ec2-3-200-200-32.compute-1.amazonaws.com”}

Confirm the the DB users, match the DB users setup on your previous install. Update these
UAF_DB_NAME=< get from Vault uafServerConfigBean > hibernate.connection.url >
UAF_DB_USER=< get from Vault uafServerConfigBean > hibernate.connection.username >

CC_DB_NAME=< get from Vault controlCenterConfig > hibernate.connection.url >
CC_DB_USER=< get from Vault controlCenterConfig > hibernate.connection.username >

EVENT_DB_NAME=< get from Vault > loggingConfigs > hibernate.connection.url >
EVENT_DB_USER=< get from Vault > loggingConfigs > hibernate.connection.username >

VAULT_DB_USER=< get from /vault-0.10.3/vault.config >
VAULT_DB_NAME=< get from /vault-0.10.3/vault.config >

Match the DB encryption key with the existing install:
UAF_JASYPT_PASS=< get from Vault > uafServerConfigBean > jasypt.password >

Populate FIDO2 schema is target DB

See: https://docs.hypr.com/installinghypr/docs/installing-v620#using-your-own-database

We only need to run the scripts for FIDO2
Copy the FIDO2 specific lines to a separate file - fido2.sql

CREATE DATABASE IF NOT EXISTS fido2 CHARACTER SET = utf8mb4 COLLATE = utf8mb4_0900_as_cs;
CREATE USER IF NOT EXISTS ‘fido2’@‘%’ IDENTIFIED WITH mysql_native_password BY ‘xxxx’;
GRANT ALL PRIVILEGES ON fido2.* TO ‘fido2’@‘%’ WITH GRANT OPTION;

Apply to your target DB. If you are using the MySQL command line, it would be:

# If running against a remote DB host, use
./mysql -u root -h <db host> -p < /path/to/fido2.sql

# If running against a local DB host, use
./mysql -u root -p < / /path/to/fido2.sql

# You will be prompted for the password

Start HYPR dependencies

https://docs.hypr.com/installinghypr/docs/installing-v620#step-1-install-hypr-dependencies-mysql-redis-vault-nginx-run-the-following

Start HYPR services

https://docs.hypr.com/installinghypr/docs/installing-v620#step-2-install-and-start-hypr-services-run-the-following

To setup worker nodes:

Copy the install pkg to the worker node. Unzip to the same location as on the master
Follow: https://docs.hypr.com/installinghypr/docs/installing-v620#installing-dependencies-on-a-worker-node

Install new systemd services

Systemd services differ from older versions. These need to be setup again.

sudo su
rm -rf /etc/systemd/system/hypr-*
systemctl daemon-reload

Setup the systemd services via: https://docs.hypr.com/installinghypr/docs/installing-v620#installing-systemd-services