Upgrading from 3.9 to 6.2

Notable configuration changes

Redis

Starting with 6.2.0, Redis is a requirement for the UAF service.

Support has been added for AWS ElastiCache replica mode in the UAF and FIDO2 services. The Redis instance is shared across the various services. The following Redis configurations are supported:

  • Single node
  • Sentinel
  • Master with read replicas/AWS ElastiCache

Consult the configuration templates in the ServerInstaller pkg:

  • FIDO2/fido2ServiceConfigs.sh
  • UAF/uafServerConfigBean.sh

Event level is set to INFO by default for performance considerations.

This reduces the granularity of events in the audit log. To use full audit logs, set the event level to DEBUG.

Installer

A /decryptMetadata.sh script has been added to the install pkg as a convenience for decrypting the encrypted metadata.

Upgrade process

On master node

Step 1 Back up the current <install dir> by making a copy, <install dir>-copy
Step 2 Shut down dependencies and services via

  • ./stopHyprDependencies.sh
  • ./stopHyprServices.sh

Step 3 Switch to the <install dir>
Remove the existing war/jar files

rm -f CC/CC-*.jar UAF/HYPR-*.war FIDO2/fido2-*.war

Step 4
Un-tar the new <install pkg> (ServerInstaller-*.tar.gz) in the current <install dir>
This will:

  • replace scripts in the <install dir> with the new versions
  • replace war/jar files for relevant components
  • leave existing config in (mysql/mysql-8.0.18-linux-x86_64-minimal redis/redis-4.0.13 vault/vault-0.10.3) untouched

# Un-tar install pkg, overlay on existing
# HYPR_GROUP:HYPR_USER. These should match the values defined in env.sh

tar -xvf <install pkg> -C /opt/hypr/<install dir> --group=<HYPR_GROUP> --user=<HYPR_USER>

Confirm that the .install file is still present in the <install dir>.

Step 5
Restore the env.sh file from the copy made in Step 1.
Confirm that the following lines are present in your env.sh. Add them if missing. These were added in 3.9 for FIDO2.

# DB
export MYSQL_DATA_DIR=${MYSQL_DATA_DIR="${MYSQL_INSTALL_DIR}/mysql-data"}

# Since 3.9.0
# FIDO2 shares the DB connection with UAF but has a separate schema
export FIDO2_DB_NAME=${FIDO2_DB_NAME="fido2"}
export FIDO2_DB_USER=${FIDO2_DB_USER="fido2"}
export FIDO2_DB_PASSWORD=${FIDO2_DB_PASSWORD=$(getPassword "FIDO2_PASSWORD" "${HYPR_INSTALL_INFO}")}

# UAF
# Additional params to be applied to the Java startup commands for the HYPR services
# For example, these can be used to attach apm agents
# Since 3.9.0
export UAF_AGENT_LIB_PARAMS=${UAF_AGENT_LIB_PARAMS=""}
# Since 3.9.0
export UAF_ADDITIONAL_STARTUP_PARAMS=${UAF_ADDITIONAL_STARTUP_PARAMS=""}


##############################################################################
# Since 3.9.0 - FIDO2 Server config
##############################################################################
export FIDO2_XMS=${FIDO2_XMS=256m}
export FIDO2_XMX=${FIDO2_XMX=2g}
export FIDO2_PORT=${FIDO2_PORT=4081}
export FIDO2_DEBUG=${FIDO2_DEBUG=false}

export FIDO2_DB_HOST=${FIDO2_DB_HOST=${MYSQL_HOST}}
export FIDO2_DB_PORT=${FIDO2_DB_PORT=${MYSQL_PORT}}

# FIDO2 defaults to UAF DB settings, shared DB
export FIDO2_DB_DIALECT=${FIDO2_DB_DIALECT=${UAF_DB_DIALECT}}
export FIDO2_DB_DRIVER_CLASS=${FIDO2_DB_DRIVER_CLASS=${UAF_DB_DRIVER_CLASS}}

# Key for encrypting sensitive information in the Database
# Please select a random string at least 32 chars long
export FIDO2_JASYPT_PASS=${FIDO2_JASYPT_PASS=${UAF_JASYPT_PASS}}

# Additional params to be applied to the Java startup commands for the HYPR services
# For example, these can be used to attach apm agents
# Since 3.9.0
export FIDO2_AGENT_LIB_PARAMS=${FIDO2_AGENT_LIB_PARAMS=""}
# Since 3.9.0
export FIDO2_ADDITIONAL_STARTUP_PARAMS=${FIDO2_ADDITIONAL_STARTUP_PARAMS=""}

# CC
# Additional params to be applied to the Java startup commands for the HYPR services
# For example, these can be used to attach apm agents
# Since 3.9.0
export CC_AGENT_LIB_PARAMS=${CC_AGENT_LIB_PARAMS=""}
# Since 3.9.0
export CC_ADDITIONAL_STARTUP_PARAMS=${CC_ADDITIONAL_STARTUP_PARAMS=""}
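
A static check for the env.sh confirmation in Step 5, as an added example that is not part of the HYPR install pkg: it greps the restored file for the export lines listed above instead of sourcing it. The function names and the generated sample file are hypothetical.

```shell
#!/bin/sh
# Added example: static Step 5 check. env.sh is read with grep, never sourced,
# so nothing in it is executed and no secret values are printed.

# Variable names taken from the env.sh listing on this page.
REQUIRED_VARS="MYSQL_DATA_DIR FIDO2_DB_NAME FIDO2_DB_USER FIDO2_DB_PASSWORD
UAF_AGENT_LIB_PARAMS UAF_ADDITIONAL_STARTUP_PARAMS
FIDO2_XMS FIDO2_XMX FIDO2_PORT FIDO2_DEBUG FIDO2_DB_HOST FIDO2_DB_PORT
FIDO2_DB_DIALECT FIDO2_DB_DRIVER_CLASS FIDO2_JASYPT_PASS
FIDO2_AGENT_LIB_PARAMS FIDO2_ADDITIONAL_STARTUP_PARAMS
CC_AGENT_LIB_PARAMS CC_ADDITIONAL_STARTUP_PARAMS"

# Print every required name with no uncommented "export NAME=" line.
# Returns 0 if none are missing, 1 if any are, 2 if the file is unreadable.
missing_env_vars() {
    env_file=$1
    [ -r "$env_file" ] || { echo "cannot read $env_file" >&2; return 2; }
    found_missing=0
    for name in $REQUIRED_VARS; do
        if ! grep -Eq "^[[:space:]]*export[[:space:]]+${name}=" "$env_file"; then
            echo "$name"
            found_missing=1
        fi
    done
    return "$found_missing"
}

# Constructed sample (not a real env.sh): the CC_* lines are absent and
# FIDO2_PORT is commented out, so three names should be reported.
demo_sample() {
    sample=$(mktemp) || return 2
    for name in $REQUIRED_VARS; do
        case $name in
            CC_*) ;;
            FIDO2_PORT) echo "# export $name=4081" ;;
            *) echo "export $name=\${$name=\"\"}" ;;
        esac
    done > "$sample"
    st=0
    missing_env_vars "$sample" || st=$?
    rm -f "$sample"
    return "$st"
}

# With a path argument, check that file; with none, run the constructed demo.
if [ "$#" -gt 0 ]; then
    missing_env_vars "$1" || exit $?
else
    demo_sample || true
fi
```

Run it with the path to the restored env.sh before starting the services; a non-zero exit status means at least one line still has to be added.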

Step 6 Start UAF with the re-init vault flag
This is needed to update the UAF Vault config with the settings for Redis. The Redis settings already exist from the previous install but need to be updated in Vault.

./startHyprServices --[cluster|single] --uaf --enc --reinit-vault

# You should see the following in the output

**** Loading loggingConfigs config into Vault ****
Curl cmd return code: 0

 ✅  Loaded /opt/hypr/UAF/loggingConfigs.json into Vault
Deleting /opt/hypr/UAF/loggingConfigs.json
Generating /opt/hypr/UAF/uafServerConfigBean.json

 **** Loading uafServerConfigBean config into Vault ****
Curl cmd return code: 0

 ✅  Loaded /opt/hypr/UAF/uafServerConfigBean.json into Vault
Deleting /opt/hypr/UAF/uafServerConfigBean.json

On each worker node

Repeat steps 1 - 4