IBM Support

Upgrading Secret Server with web clustering

Question & Answer


Question

How do I upgrade IBM Security Secret Server with web clustering?

Answer

Secret Server has a built-in web installer. The web installer is a series of pages inside Secret Server that allow you to download and run updates. Secret Server will still be accessible by users for most of the upgrade process. You can bring down outside access to the site if you want to prevent users from making changes during the upgrade. Preventing user access will make restoring the database and site backups simpler if you decide to roll back the upgrade immediately afterward.

Remember the following important guidelines:
  • You do not need to download the installer or setup.exe file.
  • Never overwrite or delete your encryption.config file.
  • Back up your Secret Server folder and database before you perform the upgrade.
IMPORTANT: Upgrading to 10.7.000000 requires SQL Server 2012 or later as the database for Secret Server. For more information, see the release notes.
IMPORTANT: Upgrading to Secret Server version 10.0.000000 and above will require configuring integrated pipeline mode on the Secret Server Application Pool. See Configuring IIS for installing or upgrading to Secret Server for details on configuring integrated pipeline mode in IIS. If using Integrated Windows Authentication you will also need to update IIS authentication settings as detailed in Setting up integrated Windows Authentication in Secret Server.

IMPORTANT: Upgrading to Secret Server version 10.5.00000 and above will require Windows Server 2008 R2 or greater.

 
Before you begin
  1. Ensure that you have account credential information and access for the server that is hosting the Secret Server and the SQL Server instance that is hosting your Secret Server database.
  2. Have a recent backup of the application files and database available.
  3. If you use clustering, stop the application pools on all of the servers except the one that is currently the "primary."
 
Upgrade Steps - Clustered Environment  
 
  1. Follow the instructions in Upgrading Secret Server or Upgrading Secret Server without outbound access as applicable to upgrade your primary server.
  2. Once upgraded and working, copy the web application folder (without the database.config or the encryption.config) to all secondary servers and replace the content of the existing web application folder with the new content.
    • If Thycotic Management Server (TMS) is installed and clustered, you will need to copy the TMS directory to the secondary servers as well. The TMS directory is included by default for new installs of Secret Server 10.5 and later. TMS is used by advanced session recording and Privilege Manager. If the TMS folder and site do not exist in IIS, then no additional actions need to be taken beyond copying the Secret Server directory.
  3. Start Secondary Servers and confirm they still work.

EFS & DPAPI Encryption
After the initial configuration of clustering you will not need to copy the database.config or encryption.config files to the other servers when upgrading. If you need to copy those files because of changes to database configuration and are using DPAPI, disable DPAPI encryption in Secret Server before copying those files to secondary servers: go to Admin->Configuration and, under the Security tab, click Decrypt Key to not use DPAPI.
EFS encryption is tied to the user account running the Secret Server application pool, so it is not machine specific. Copying EFS encrypted files between Secret Server instances will not result in errors, but is not needed.

Upgrade Steps - Database Mirroring
 
  1. If there is more than one web server running Secret Server, ensure all instances are pointing to the Primary database.
  2. Stop all but the primary web server
  3. Perform the upgrade on the single instance
  4. Once upgraded and working, copy the web application folder to all secondary servers
  5. Start the Secondary Servers and confirm they work
  6. Ensure all instances are properly activated
  7. Ensure that the primary database changes have been replicated to the mirror database.
  8. If the secondary web server was pointing originally to the Secondary database, adjust the secondary web server to point back to the Secondary database.

Upgrade Steps - Remote DR Instance
 
  1. Perform the upgrade on the primary instance
  2. Back up the primary instance
  3. Copy the database backup to the remote DR instance and restore the database
  4. Once upgraded and working, copy the web application folder (but not the database.config file or the encryption.config file) to the remote DR instance (overwriting the existing files)
  5. Restart IIS or recycle the application pool running Secret Server on the remote DR instance
  6. Confirm that the remote DR instance is working correctly
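
The folder copy in step 2 of the clustered procedure and step 4 of the remote DR procedure, as an added PowerShell example (not IBM's or the vendor's script), run on the secondary or DR node. The share path, local folder, backup location and application pool name are hypothetical placeholders; the script relies on robocopy and the IIS WebAdministration module.

```powershell
# Added example: sync an upgraded Secret Server web folder to a secondary/DR node
# while leaving the node's own database.config and encryption.config untouched.
$ErrorActionPreference = 'Stop'
Import-Module WebAdministration

# Placeholders (assumptions, not values from the product documentation)
$Source  = '\\PRIMARY01\SecretServer$'          # share exposing the upgraded primary's web folder
$Dest    = 'C:\inetpub\wwwroot\SecretServer'    # web application folder on this node
$AppPool = 'SecretServerAppPool'                # application pool running Secret Server
$Backup  = 'D:\Backups\SecretServer-{0}' -f (Get-Date -Format 'yyyyMMdd-HHmmss')
$Keep    = 'database.config', 'encryption.config'

# 1. The node must not serve requests while its files are replaced.
if ((Get-WebAppPoolState -Name $AppPool).Value -ne 'Stopped') {
    Stop-WebAppPool -Name $AppPool
    while ((Get-WebAppPoolState -Name $AppPool).Value -ne 'Stopped') { Start-Sleep -Seconds 1 }
}

# 2. Back up the current folder, then record hashes of the node-local config files.
Copy-Item -Path $Dest -Destination $Backup -Recurse -Force
$before = @{}
foreach ($name in $Keep) {
    $before[$name] = (Get-FileHash -Path (Join-Path $Dest $name) -Algorithm SHA256).Hash
}

# 3. Mirror the upgraded files. /XF excludes the two config files by name in every
#    directory. Robocopy exit codes of 8 or higher mean at least one failure.
robocopy $Source $Dest /MIR /XF $Keep /R:2 /W:5 /NP "/LOG:${Backup}-robocopy.log"
if ($LASTEXITCODE -ge 8) { throw "robocopy reported failures (exit code $LASTEXITCODE)" }

# 4. Confirm both config files are still present and byte-for-byte unchanged.
foreach ($name in $Keep) {
    $path = Join-Path $Dest $name
    if (-not (Test-Path $path)) {
        throw "$name is missing after the copy; restore it from $Backup"
    }
    if ((Get-FileHash -Path $path -Algorithm SHA256).Hash -ne $before[$name]) {
        throw "$name changed during the copy; restore it from $Backup"
    }
}

# 5. Bring the node back, then confirm in a browser that it works.
Start-WebAppPool -Name $AppPool
```

If TMS is installed and clustered, repeat the copy for the TMS directory as noted in the clustered procedure.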

Error Conditions
 
  • Encryption configs don't match - see the "Encryption key doesn't match" error
  • Version does not match - If a secondary node is not properly updated from the primary node after an upgrade, that node will not run because the application version does not match the database. The fix is to copy the application folder (minus the database.config or the encryption.config) to replace the files on the secondary server.

Document Information

Modified date:
30 January 2020

UID

ibm11285030