Upgrading Autonomous Identity
Autonomous Identity provides an upgrade command to update your core software to the latest version while migrating your data.
The upgrade assumes the following:
Database Systems are the Same. If your current database is Apache Cassandra, you cannot upgrade to a MongoDB-based system. You will need to run a clean installation with the new version.
Host IPs should be the Same. Host IP addresses must be the same for existing components. You must update the
~/autoid-config/hostsfile by adding the IP addresses for the Elasticsearch entries. See the instructions below.
Registry Key Required. To download the deployment images for the upgrade, you still need a registry key to log into the ForgeRock Google Cloud Registry (gcr.io). The registry key is only available to ForgeRock Autonomous Identity customers. For specific instructions on obtaining the registry key, see How To Configure Service Credentials (Push Auth, Docker) in Backstage.
|Make sure to test the upgrade on a staging or QA server before running it in production.|
The upgrade assumes the following upgrade paths depends on your current deployment version. The preferred upgrade path is from your current version to the next major release version to the latest patch version. The following chart summarizes these upgrade paths:
2021.3.0–2021.3.4 → 2021.3.5 → 2021.8.0
|After you upgrade your Autonomous Identity version to 2021.8.0, ForgeRock strongly encourages you to upgrade your Autonomous Identity version to 2021.8.4, which includes important security fixes and features.|
The following instructions are for an upgrade from Autonomous Identity version 2021.3.5 to 2021.8.0.
|If you are upgrading from Autonomous Identity version 2021.3.0 to 2021.3.4, you must first upgrade to 2021.3.5, then to version 2021.8.0. See Upgrading Autonomous Identity to 2021.3.5.|
Upgrade to version 2021.3.5 to 2021.8.0:
On the deployer machine, back up the 2021.3.5
~/autoid-configdirectory or move it to another location.
$ mv ~/autoid-config ~/backup-2021.3
Create a new
$ mkdir ~/autoid-config
autoid_registry_key.jsonfrom your backup directory to
Copy your original SSH key into the new directory.
$ cp ~/.ssh/id_rsa ~/autoid-config
Change the permission on the SSH key.
$ chmod 400 ~/autoid-config/id_rsa
Check if you can successfully SSH to the target server.
$ ssh autoid@<Target-IP-Address> Last login: Tue Aug 15 18:19:14 2021
Stop the stack.
$ docker stack rm configuration-service consul-server consul-client nginx jas openldap selfservice swagger-ui ui api notebook
You should see:
Removing service configuration-service_configuration-service Removing service consul-server_consul-server Removing service consul-client_consul-client Removing service nginx_nginx Removing service jas_jasnode Removing service openldap Removing service selfservice_selfservice Removing service swagger-ui_swagger-ui Removing service ui_zoran-ui Removing service api_zoran-api Nothing found in stack: notebook
exitto end your SSH session.
From the deployer, repeat the restart Docker command:
$ sudo systemctl restart docker
On the deployer node, change to the
$ cd ~/autoid-config
Log in to the ForgeRock Google Cloud Registry (gcr.io) using the registry key. The registry key is only available to ForgeRock Autonomous Identity customers. For specific instructions on obtaining the registry key, see How To Configure Service Credentials (Push Auth, Docker) in Backstage.
$ docker login -u _json_key -p "$(cat autoid_registry_key.json)" https://gcr.io/forgerock-autoid
You should see:
create-templatecommand to generate the
deployer.shscript wrapper and configuration files. Note that the command sets the configuration directory on the target node to
--userparameter eliminates the need to use
sudowhile editing the hosts file and other configuration files.
$ docker run --user=$(id -u) -v ~/autoid-config:/config -it gcr.io/forgerock-autoid/deployer:2021.8.0 create-template
Configure your upgraded system by editing the
~/autoid-config/vault.ymlfiles on the deployer machine.
You must keep your configuration settings consistent from one system to another. For 2021.3.x to 2021.8.x upgrades, do not copy-n-paste your hosts file as they are slightly different.
Download the images. This step downloads software dependencies needed for the deployment and places them in the
autoid-packagesdirectory. Make sure you are in the
$ ./deployer.sh download-images
SSH to the target node.
Stop the Spark master and workers.
Rename two log4j jar files in the
/opt/autoid/elastic/opendistroforelasticsearch-1.9.0/libfolder. The upgrade installs an older version of the files, and another upgrade to the latest patch release installs the new version of these files.
$ cd /opt/autoid/elastic/opendistroforelasticsearch-1.9.0/lib/ $ sudo mv log4j-api-2.17.0.jar log4j-api-2.17.0.jar.bak $ sudo mv log4j-core-2.17.0.jar log4j-core-2.17.0.jar.bak
Exit your SSH session.
Run the upgrade.
$ ./deployer.sh upgrade
SSH to the target server.
If you freshly installed 2021.8.0 or run an upgrade where the log4j patch was not applied previously, you can skip steps 22–25.
On the target server, edit the
/opt/autoid/res/jas/docker-compose.ymland set the
Restart the JAS container.
$ docker stack rm jas $ docker stack deploy -c /opt/autoid/res/jas/docker-compose.yml jas
Remove the nginx container.
$ docker stack rm nginx
Redeploy the stack.
$ docker stack deploy -c /opt/autoid/res/nginx/docker-compose.yml nginx
Log out and then log back in to Autonomous Identity.
Add a reference to the Autonomous Identity UI to your
/etc/hostsor DNS server.
<Public IP Address> autoid-ui.forgerock.com
Redo the attribute mappings. See Set Attribute Mappings.
Then, run the analytics pipeline with a new role mining analytics step, analytics mine:
$ analytics ingest $ analytics train $ analytics mine $ analytics predict-as-is $ analytics predict-recommendation $ analytics publish $ analytics create-assignment-index
You have successfully upgraded your Autonomous Identity server to 2021.8.0. Upgrade your system to the latest patch release for the important new features and security fixes.