Migrating from Ansible Installer
Assumptions
HYPR is functional and services are running
Vault is populated properly
Back up Vault data
Log into the Vault web UI
You can get the Vault access token
From file /etc/systemd/system/hypr-cc.service
From line --vault.namespace=staging_single --spring.cloud.vault.token=<use this token to log into Vault UI>
Copy the contents shown in the web console to a local text file
- controlCenterConfig
- uafServerConfigBean
- loggingConfigs
- pushConfig (this has been moved to the ControlCenter UI)

Stop HYPR services
service hypr stop
systemctl disable hypr
service mysql stop
systemctl disable mysql
service nginx stop
systemctl disable nginx
service redis-server stop
systemctl disable redis-server
service redis-sentinel stop
systemctl disable redis-sentinel
On the master node
Step 1: Copy the new install pkg to
Unzip the install pkg to a corresponding <install dir>. Example: /opt/hypr/ServerInstaller-6.2.0
This leaves the existing install untouched
Ensure that the folder is ownership
Step 2: Create metadata file to match new install process
Create install metadata file in the
vi .install
Paste the following content. Replace the password placeholders as indicated inline. Quotes are not needed. Save file and exit.
UAF_PASSWORD=< get from Vault uafServerConfigBean > hibernate.connection.password>
FIDO2_PASSWORD=< pick a password. 16 chars, upper/lower case, numbers >
EVENT_PASSWORD=< get from Vault loggingConfigs > hibernate.connection.password>
VAULT_PASSWORD=< get from <old install dir>/vault-0.10.3/vault.config >
REDIS_PASSWORD=< get from Vault controlCenterConfig > reddisonConfig > password>
CC_SERVICE_ACC_PASSWORD=< get from Vault controlCenterConfig > hypr.cc.serviceaccount.password>
VAULT_UNSEAL_KEY1=<get from /etc/systemd/system/hypr-cc.service>
VAULT_ROOT_TOKEN=<get from /etc/systemd/system/hypr-cc.service>
Encrypt the file using:
openssl enc -aes-256-cbc -salt -e -in ".install" -out ".install.enc" -k <env password of your choosing>
Remove the unencrypted version
rm -rf .install
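A check to run on .install before the openssl step above, as an added example that is not part of the HYPR installer. It uses the key names listed in Step 2; the function names are hypothetical, and it assumes the FIDO2 rule means at least 16 characters containing an upper-case letter, a lower-case letter and a digit.

```sh
#!/bin/sh
# Added example: sanity-check .install before encrypting it.
# Key names are those listed in Step 2; function names are hypothetical.
REQUIRED_KEYS="UAF_PASSWORD FIDO2_PASSWORD EVENT_PASSWORD VAULT_PASSWORD
REDIS_PASSWORD CC_SERVICE_ACC_PASSWORD VAULT_UNSEAL_KEY1 VAULT_ROOT_TOKEN"

# install_value FILE KEY: print the text after "KEY=" (first match only).
install_value() {
  sed -n "s/^$2=//p" "$1" | head -n 1
}

# fido2_password_ok VALUE: assumed reading of "16 chars, upper/lower case,
# numbers": at least 16 characters with an upper, a lower and a digit.
fido2_password_ok() {
  [ "${#1}" -ge 16 ] || return 1
  case $1 in *[[:upper:]]*) ;; *) return 1 ;; esac
  case $1 in *[[:lower:]]*) ;; *) return 1 ;; esac
  case $1 in *[[:digit:]]*) ;; *) return 1 ;; esac
}

# check_install FILE: report every problem found, return non-zero if any.
check_install() {
  rc=0
  for key in $REQUIRED_KEYS; do
    val=$(install_value "$1" "$key")
    case $val in
      "")      echo "$key: missing or empty"; rc=1 ;;
      "<"*)    echo "$key: placeholder not replaced"; rc=1 ;;
      \"*|\'*) echo "$key: remove the quotes"; rc=1 ;;
    esac
  done
  fido2_password_ok "$(install_value "$1" FIDO2_PASSWORD)" ||
    { echo "FIDO2_PASSWORD: does not meet the 16-char rule"; rc=1; }
  # Added check, not from the page: the file holds the Vault root token,
  # so it should not be readable by group or others while it exists.
  case $(ls -ld "$1" | cut -c5-10) in
    ------) ;;
    *) echo "$1: readable by group/others, run chmod 600"; rc=1 ;;
  esac
  return $rc
}

# Run as: sh check_install.sh .install
[ $# -eq 0 ] || check_install "$1"
```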
Step 3: Update env.sh
In env.sh in the new install dir:
Fill in 📌 SINGLE node setup or 📌 CLUSTER setup sections depending on your setup
HYPR_INSTALL_DIR: Set this to the new install dir created above
HYPR_USER/HYPR_GROUP: Set this to the user/group running HYPR services. Must own /opt/hypr
CLUSTER_NAME corresponds to the Vault namespace. Choose a new one to avoid overwriting existing install config
Ports have changed. The default ports are:
UAF 8008, CC 8009, FIDO2 4081
If you want to continue running on older ports, set the following variables in env.sh
UAF_PORT, CC_PORT, FIDO2_PORT
MYSQL_HOST: Set this to the current DB host < get from Vault uafServerConfigBean > hibernate.connection.url >
Example: ec2-3-200-200-32.compute-1.amazonaws.com
Should look like:
export MYSQL_HOST=${MYSQL_HOST="ec2-3-200-200-32.compute-1.amazonaws.com"}
Confirm that the DB users match the DB users set up on your previous install. Update these:
UAF_DB_NAME=< get from Vault uafServerConfigBean > hibernate.connection.url >
UAF_DB_USER=< get from Vault uafServerConfigBean > hibernate.connection.username >
CC_DB_NAME=< get from Vault controlCenterConfig > hibernate.connection.url >
CC_DB_USER=< get from Vault controlCenterConfig > hibernate.connection.username >
EVENT_DB_NAME=< get from Vault > loggingConfigs > hibernate.connection.url >
EVENT_DB_USER=< get from Vault > loggingConfigs > hibernate.connection.username >
VAULT_DB_USER=< get from /vault-0.10.3/vault.config >
VAULT_DB_NAME=< get from /vault-0.10.3/vault.config >
Match the DB encryption key with the existing install:
UAF_JASYPT_PASS=< get from Vault > uafServerConfigBean > jasypt.password >
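MYSQL_HOST and the *_DB_NAME values above come out of the hibernate.connection.url entries saved from Vault. The following added example (not part of the HYPR installer) splits such a URL, assuming the usual jdbc:mysql://host[:port]/db[?options] form; the function names and the sample URL are constructed.

```sh
#!/bin/sh
# Added example: derive env.sh values from a Vault hibernate.connection.url.
# Assumes the form jdbc:mysql://host[:port]/db[?options].

# jdbc_host URL: print the host part, without the port.
jdbc_host() {
  rest=${1#jdbc:mysql://}
  [ "$rest" != "$1" ] || return 1            # not a jdbc:mysql:// URL
  hostport=${rest%%/*}
  printf '%s\n' "${hostport%%:*}"
}

# jdbc_db URL: print the database name, without the options.
jdbc_db() {
  rest=${1#jdbc:mysql://}
  [ "$rest" != "$1" ] || return 1
  case $rest in */*) ;; *) return 1 ;; esac  # no database component
  path=${rest#*/}
  db=${path%%\?*}
  [ -n "$db" ] || return 1
  printf '%s\n' "$db"
}

# same_host URL...: succeed only if every URL names the same host, since
# env.sh takes a single MYSQL_HOST (added check, not from the page).
same_host() {
  first=$(jdbc_host "$1") || return 1
  for u in "$@"; do
    [ "$(jdbc_host "$u")" = "$first" ] || return 1
  done
}

# Constructed sample URL, not a real host.
SAMPLE='jdbc:mysql://db.example.internal:3306/fido?useSSL=true'
echo "MYSQL_HOST=$(jdbc_host "$SAMPLE") UAF_DB_NAME=$(jdbc_db "$SAMPLE")"
```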
Populate the FIDO2 schema in the target DB
See: https://docs.hypr.com/installinghypr/docs/installing-v620#using-your-own-database
We only need to run the scripts for FIDO2
Copy the FIDO2 specific lines to a separate file - fido2.sql
CREATE DATABASE IF NOT EXISTS fido2 CHARACTER SET = utf8mb4 COLLATE = utf8mb4_0900_as_cs;
CREATE USER IF NOT EXISTS 'fido2'@'%' IDENTIFIED WITH mysql_native_password BY 'xxxx';
GRANT ALL PRIVILEGES ON fido2.* TO 'fido2'@'%' WITH GRANT OPTION;
Apply to your target DB. If you are using the MySQL command line, it would be:
# If running against a remote DB host, use
./mysql -u root -h <db host> -p < /path/to/fido2.sql
# If running against a local DB host, use
./mysql -u root -p < /path/to/fido2.sql
# You will be prompted for the password
Start HYPR dependencies
Start HYPR services
To set up worker nodes:
Copy the install pkg to the worker node. Unzip to the same location as on the master
Follow: https://docs.hypr.com/installinghypr/docs/installing-v620#installing-dependencies-on-a-worker-node
Install new systemd services
Systemd services differ from older versions. These need to be set up again.
sudo su
rm -rf /etc/systemd/system/hypr-*
systemctl daemon-reload
Set up the systemd services via: https://docs.hypr.com/installinghypr/docs/installing-v620#installing-systemd-services