FAQ - Upgrade procedures

A list of questions and answers related to upgrade procedures:

Q:How do I upgrade a component that was originally installed without SSL configuration?
A: To configure SSL attributes, perform the following steps:
  1. Set the security_level parameter to force_enabled in the workstation definition and the secureaddr parameter to the secure port, as described in Configuring SSL attributes.
  2. Set the nm SSL full port parameter to the value of the secure port in the localopts file. For more information, see Localopts details
Q: How do I upgrade a component that was installed with default certificates?
A: Define the JKS_SSL_PASSWORD environment variable as described in Enhanced security for default certificates. For the full upgrade procedure, see Upgrading. If you are using default certificates and want to install a new component to be connected to a back-level master, see Upgrading in a mixed-version environment when using default certificates.
Q: What happens if I do not remember the password for the default certificates?
A: Before starting the upgrade, test the passwords for the certificates using the following keytool commands:
  • keytool -list -keystore TWSServerTrustFile.jks 
    -storepass my_password
  • keytool -list -keystore TWSServerKeyFile.jks 
    -storepass my_password
Q: The upgrade failed because the password I provided for the certificates in the JKS_SSL_PASSWORD variable is incorrect. How can I recover from this error?
A. Before restarting the upgrade, perform the following steps:
  1. Retrieve and test the password for the certificates, as described in Q: What happens if I do not remember the password for the default certificates?
  2. Restore the previous version of the ita.ini file.
  3. Restart the upgrade.
Q: My environment is FIPS compliant. What happens if I upgrade to version 10.2.3?
A: Version 10.2.3 does not support FIPS. If you want to upgrade to this version, your environment will no longer be FIPS compliant. A new optional parameter named enablefips is available in the serverinst and twsinst scripts to check FIPS settings before you upgrade. This is because you need to be aware that by upgrading, your environment will no longer be FIPS compliant.
Upgrade scenarios vary depending on your upgrade path, as follows:
If you are upgrading from version 10.2.1, or later
FIPS is already disabled by default in this version. If do not specify the enablefips parameter or you set it to false, the upgrade proceeds. If you set the enablefips parameter to true, the upgrade stops with an error message and you have to set enablefips to false to proceed.
If you are upgrading from a version earlier than 10.2.1
You can proceed in one of the following ways:
  • Disable FIPS before upgrading by editing the following options in the configuration files:
    localopts
    set SSL Fips enabled to no
    ita.ini
    set fips_enable to no
    You can then proceed with the upgrade without specifying the enablefips parameter, which is set to false by default.
  • Set the enablefips parameter to false. A warning message is displayed to inform you that FIPS is being disabled and the localopts and ita.ini files are automatically updated with the new FIPS configuration (the previous SSL Fips enabled option is removed and the new SSL FIPS compliance option is added and set to no/false) . The upgrade proceeds.
Can I install a backup master domain manager at version 10.2.3 in a back-level environment?
If you have a back-level environment, for example version 9.4, you can install a backup master domain manager at version 10.2.3, but it is recommended you check your security configuration.

Most 9.4 environments are not configured with SSL, which is enabled by default starting from version 10.1. To ensure communication between all components, see Ensuring communication in your environment

How can I get the dynamic agent installed on the new backup master domain manager to communicate with the back-level master domain manager?
In back-level environments, for example 9.4, SSL is not enabled by default and TLS version 1.2 needs to be enabled on the back-level master domain manager to enable communication. Perform the following steps on the back-level master domain manager, as described in Configuring TLS to the appropriate version.
For more information, see Switching from SSLv3 to TLSv1.2 and steps 2 and 3 in How to Run Composer on a 9.5 FTA Connecting to a 9.4 MDM