FAQ - Upgrade procedures
A list of questions and answers related to upgrade procedures:
- Q:How do I upgrade a component that was originally installed without SSL configuration?
- A: To configure SSL attributes, perform the following steps:
- Q: How do I upgrade a component that was installed with default certificates?
- A: Define the JKS_SSL_PASSWORD environment variable as described in Enhanced security for default certificates. For the full upgrade procedure, see Upgrading. If you are using default certificates and want to install a new component to be connected to a back-level master, see Upgrading in a mixed-version environment when using default certificates.
- Q: What happens if I do not remember the password for the default certificates?
- A: Before starting the upgrade, test the passwords for the certificates
using the following keytool commands:
-
keytool -list -keystore TWSServerTrustFile.jks -storepass my_password
-
keytool -list -keystore TWSServerKeyFile.jks -storepass my_password
-
- Q: The upgrade failed because the password I provided for the certificates in the JKS_SSL_PASSWORD variable is incorrect. How can I recover from this error?
- A. Before restarting the upgrade, perform the following steps:
- Retrieve and test the password for the certificates, as described in Q: What happens if I do not remember the password for the default certificates?
- Restore the previous version of the ita.ini file.
- Restart the upgrade.
- Q: My environment is FIPS compliant. What happens if I upgrade to version 10.2.3?
- A: Version 10.2.3
does not support FIPS. If you want to upgrade to this version, your
environment will no longer be FIPS compliant. A new optional parameter named
enablefips is available in the
serverinst and twsinst scripts to
check FIPS settings before you upgrade. This is because you need to be aware
that by upgrading, your environment will no longer be FIPS
compliant.Upgrade scenarios vary depending on your upgrade path, as follows:
- If you are upgrading from version 10.2.1, or later
- FIPS is already disabled by default in this version. If do not specify the enablefips parameter or you set it to false, the upgrade proceeds. If you set the enablefips parameter to true, the upgrade stops with an error message and you have to set enablefips to false to proceed.
- If you are upgrading from a version earlier than 10.2.1
- You can proceed in one of the following ways:
- Disable FIPS before upgrading by editing the
following options in the configuration files:
- localopts
- set SSL Fips enabled to no
- ita.ini
- set fips_enable to no
- Set the enablefips parameter to false. A warning message is displayed to inform you that FIPS is being disabled and the localopts and ita.ini files are automatically updated with the new FIPS configuration (the previous SSL Fips enabled option is removed and the new SSL FIPS compliance option is added and set to no/false) . The upgrade proceeds.
- Disable FIPS before upgrading by editing the
following options in the configuration files:
- Can I install a backup master domain manager at version 10.2.3 in a back-level environment?
- If you have a back-level environment, for
example version 9.4, you can install a backup master domain manager at version 10.2.3, but it is recommended you check your security
configuration.
Most 9.4 environments are not configured with SSL, which is enabled by default starting from version 10.1. To ensure communication between all components, see Ensuring communication in your environment
- How can I get the dynamic agent installed on the new backup master domain manager to communicate with the back-level master domain manager?
- In back-level environments, for example 9.4, SSL is not enabled by default and TLS version 1.2 needs to be enabled on the back-level master domain manager to enable communication. Perform the following steps on the back-level master domain manager, as described in Configuring TLS to the appropriate version.