Upgrade Autonomous Identity
Autonomous Identity provides an upgrade command to update your core software to the latest version while migrating your data.
Upgrade Considerations
-
Database Systems are the Same. If your current database is Apache Cassandra, you cannot upgrade to a MongoDB-based system. You will need to run a clean installation with the new version.
-
Host IPs should be the Same. Host IP addresses must be the same for existing components. You must update the
~/autoid-config/hosts
file by adding the IP addresses for the Elasticsearch entries. See the instructions below. -
Registry Key Required. To download the deployment images for the upgrade, you still need your registry key to log into the ForgeRock Google Cloud Registry (gcr.io). Copy your registry key from your previous build to your new upgrade.
Make sure to test the upgrade on a staging or QA server before running it in production. |
Upgrade Paths
The upgrade assumes the following upgrade paths depends on your current deployment version. The preferred upgrade path is to the latest patch release. The following chart summarizes these upgrade paths:
Version | Upgrade To | See |
---|---|---|
2021.8.x (2021.8.0–2021.8.2) |
2021.8.3 |
|
2021.8.x (2021.8.0–2021.8.2) Air-Gapped |
2021.8.3 Air-Gapped |
|
2021.3.x (2021.3.0–2021.3.5) |
2021.3.0–2021.3.4 → 2021.3.5 → 2021.8.0 → 2021.8.3 |
Upgrade from Autonomous Identity 2021.8.0 to 2021.8.3
The following instructions are for upgrading from Autonomous Identity version 2021.8.x (2021.8.0, 2021.8.1, 2021.8.2) to the latest version 2021.8.3 in non air-gapped deployments.
Upgrade from 2021.8.x to 2021.8.3 Non Air-Gap:
-
Start on the target server, and back up your
/data/conf
configuration file. The upgrade overwrites this file when updating, so you must restore this file after running the upgrade.$ sudo mv /data/conf ~/backup-data-conf-2021.8.x
-
Next, if you changed any analytic settings on your deployment, make note of your configuration, so that you can replicate those settings on the upgraded server. Log in to Autonomous Identity, navigate to Administration > Analytic Settings, and record your settings.
-
On the deployer machine, back up the 2021.8.x
~/autoid-config
directory or move it to another location.$ mv ~/autoid-config ~/backup-2021.8.x
-
Create a new
~/autoid-config
directory.$ mkdir ~/autoid-config
-
Copy your
autoid_registry_key.json
,ansible.cfg
, andvault.yml
files from your backup directory to~/autoid-config
. If yourvault.yml
file is encrypted, copy the.autoid_vault_password
file to~/autoid-config
. -
Copy your original SSH key into the new directory.
$ cp ~/.ssh/id_rsa ~/autoid-config
-
Change the permission on the SSH key.
$ chmod 400 ~/autoid-config/id_rsa
-
Check if you can successfully SSH to the target server.
$ ssh autoid@<Target-IP-Address> Last login: Wed Dec 15 18:19:14 2021
-
Stop the stack.
If you are upgrading a multi-node deployment, run this command on the Docker Manager node. $ docker stack rm configuration-service consul-server consul-client nginx jas swagger-ui ui api notebook
You should see:
Removing service configuration-service_configuration-service Removing service consul-server_consul-server Removing service consul-client_consul-client Removing service nginx_nginx Removing service jas_jasnode Removing service swagger-ui_swagger-ui Removing service ui_zoran-ui Removing service api_zoran-api Nothing found in stack: notebook
-
For multinode deployments, run the following on the Docker Worker node:
$ docker swarm leave
-
Enter
exit
to end your SSH session. -
From the deployer, restart Docker command:
$ sudo systemctl restart docker
-
On the deployer node, change to the
~/autoid-config
directory.$ cd ~/autoid-config
-
Log in to the ForgeRock Google Cloud Registry (gcr.io) using the registry key. The registry key is only available to ForgeRock Autonomous Identity customers. For specific instructions on obtaining the registry key, see How To Configure Service Credentials (Push Auth, Docker) in Backstage.
$ docker login -u _json_key -p "$(cat autoid_registry_key.json)" https://gcr.io/forgerock-autoid
You should see:
Login Succeeded
-
Run the
create-template
command to generate thedeployer.sh
script wrapper and configuration files. Note that the command sets the configuration directory on the target node to/config
. The--user
parameter eliminates the need to usesudo
while editing the hosts file and other configuration files.$ docker run --user=$(id -u) -v ~/autoid-config:/config \ -it gcr.io/forgerock-autoid/deployer:2021.8.3 create-template
-
Configure your upgraded system by editing the
~/autoid-config/vars.yml
,~/autoid-config/hosts
, and~/autoid-config/vault.yml
files on the deployer machine.You must keep your configuration settings consistent from one system to another. -
Download the images. This step downloads software dependencies needed for the deployment and places them in the
autoid-packages
directory. Make sure you are in the~/autoid-config
directory.$ ./deployer.sh download-images
-
Run the upgrade.
-
If you are upgrading from version 2021.8.0, run the following:
$ ./deployer.sh debug upgrade_2020_8 $ docker stack rm configuration-service consul-server consul-client nginx jas swagger-ui ui api notebook $ ./deployer.sh debug patch_log4j
-
If you are upgrading from version 2021.8.1 or 2021.8.2, run the following:
$ ./deployer.sh debug patch_log4j
-
-
SSH to the target server.
-
On the target server, restore your
/data/conf
configuration file from your previous installation.$ sudo mv ~/backup-data-conf-2021.8.x /data/conf
-
On the target server, edit the
/opt/autoid/res/jas/docker-compose.yml
and set theJAS_AUTH_ENABLED
totrue
.If you freshly installed 2021.8.3 or run an upgrade where the log4j patch was not applied previously, you can skip steps 19–22. JAS_AUTH_ENABLED=true
-
Restart the JAS container.
$ docker stack rm jas $ docker stack deploy -c /opt/autoid/res/jas/docker-compose.yml jas
-
Remove the nginx container.
$ docker stack rm nginx
-
Redeploy the stack.
$ docker stack deploy -c /opt/autoid/res/nginx/docker-compose.yml nginx
-
Re-apply your analytics settings to your upgraded server if you made changes on your previous Autonomous Identity machine. Log in to Autonomous Identity, navigate to Administration > Analytics Settings, and edit your changes.
-
Log out and then log back in to Autonomous Identity.
You have successfully upgraded your Autonomous Identity server to 2021.8.3.
Upgrade from Autonomous Identity 2021.8.x to 2021.8.3 Air-Gapped
The following instructions are for upgrading from Autonomous Identity version 2021.8.x (2021.8.0, 2021.8.1, 2021.8.2) to 2021.8.3 on air-gapped deployments.
Upgrade from 2021.8.x to 2021.8.3 Air-Gapped:
-
Start on the target server, and back up your
/data/conf
configuration file. The upgrade overwrites this file when updating, so you must restore this file after running the upgrade.$ sudo mv /data/conf ~/backup-data-conf-2021.8.x
-
Next, if you changed any analytic settings on your deployment, make note of your configuration, so that you can replicate those settings on the upgraded server. Log in to Autonomous Identity, navigate to Administration > Analytic Settings, and record your settings.
-
On the deployer machine, back up the 2021.8.x
~/autoid-config
directory or move it to another location.$ mv ~/autoid-config ~/backup-2021.8.x
-
Create a new
~/autoid-config
directory.$ mkdir ~/autoid-config
-
Copy your
autoid_registry_key.json
,ansible.cfg
, andvault.yml
files from your backup directory to~/autoid-config
. If yourvault.yml
file is encrypted, copy the.autoid_vault_password
file to~/autoid-config
. -
Copy your original SSH key into the new directory.
$ cp ~/.ssh/id_rsa ~/autoid-config
-
Change the permission on the SSH key.
$ chmod 400 ~/autoid-config/id_rsa
-
Stop the stack.
If you are upgrading a multi-node deployment, run this command on the Docker Manager node. $ docker stack rm configuration-service consul-server consul-client nginx jas swagger-ui ui api notebook
You should see:
Removing service configuration-service_configuration-service Removing service consul-server_consul-server Removing service consul-client_consul-client Removing service nginx_nginx Removing service jas_jasnode Removing service swagger-ui_swagger-ui Removing service ui_zoran-ui Removing service api_zoran-api Nothing found in stack: notebook
-
For multinode deployments, run the following on the Docker Worker node:
$ docker swarm leave
-
From the deployer, restart Docker:
$ sudo systemctl restart docker
-
On the deployer node, change to the
~/autoid-config
directory.$ cd ~/autoid-config
-
Log in to the ForgeRock Google Cloud Registry (gcr.io) using the registry key. The registry key is only available to ForgeRock Autonomous Identity customers. For specific instructions on obtaining the registry key, see How To Configure Service Credentials (Push Auth, Docker) in Backstage.
$ docker login -u _json_key -p "$(cat autoid_registry_key.json)" https://gcr.io/forgerock-autoid
You should see:
Login Succeeded
-
Run the
create-template
command to generate thedeployer.sh
script wrapper and configuration files. Note that the command sets the configuration directory on the target node to/config
. The--user
parameter eliminates the need to usesudo
while editing the hosts file and other configuration files.$ docker run --user=$(id -u) -v ~/autoid-config:/config \ -it gcr.io/forgerock-autoid/deployer:2021.8.3 create-template
-
Configure your upgraded system by editing the
~/autoid-config/vars.yml
,~/autoid-config/hosts
, and~/autoid-config/vault.yml
files on the deployer machine.You must keep your configuration settings consistent from one system to another. -
Download the images. This step downloads software dependencies needed for the deployment and places them in the
autoid-packages
directory. Make sure you are in the~/autoid-config
directory.$ ./deployer.sh download-images
-
Create a tar file containing all of the Autonomous Identity binaries.
$ tar czf autoid-packages.tgz deployer.sh autoid-packages/*
-
Copy the autoid-packages.tgz , deployer.sh , and SSH key (id_rsa ) to a portable hard drive.
-
On the air-gapped target machine, backup your previous
~/autoid-config
directory, and then create a new~/autoid-config
directory.$ mkdir ~/autoid-config
-
Copy the
autoid-package.tgz
tar file from the portable storage device. -
Unpack the tar file.
$ tar xf autoid-packages.tgz -C ~/autoid-config
-
Copy the SSH key to the
~/autoid-config
directory. -
Change the privileges to the file.
$ chmod 400 ~/autoid-config/id_rsa
-
Change to the configuration directory.
$ cd ~/autoid-config
-
Import the deployer image.
$ ./deployer.sh import-deployer
You should see:
… db631c8b06ee: Loading layer [=============================================⇒] 2.56kB/2.56kB 2d62082e3327: Loading layer [=============================================⇒] 753.2kB/753.2kB Loaded image: gcr.io/forgerock-autoid/deployer:2021.8.3
-
Create the configuration template using the
create-template
command. This command creates the configuration files:ansible.cfg
,vars.yml
,vault.yml
andhosts
.$ ./deployer.sh create-template
You should see:
Config template is copied to host machine directory mapped to /config
-
Configure your upgraded system by editing the
~/autoid-config/vars.yml
,~/autoid-config/hosts
, and~/autoid-config/vault.yml
files on the deployer machine.You must keep your configuration settings consistent from one system to another. -
Run the upgrade.
-
If you are upgrading from version 2021.8.0, run the following:
$ ./deployer.sh debug upgrade_2020_8 $ docker stack rm configuration-service consul-server consul-client nginx jas swagger-ui ui api notebook $ ./deployer.sh debug patch_log4j
-
If you are upgrading from version 2021.8.1 or 2021.8.2, run the following:
$ ./deployer.sh debug patch_log4j
-
-
On the target server, restore your
/data/conf
configuration file from your previous installation.$ sudo mv ~/backup-data-conf-2021.8.x /data/conf
-
On the target server, edit the
/opt/autoid/res/jas/docker-compose.yml
and set theJAS_AUTH_ENABLED
totrue
.If you freshly installed 2021.8.3 or run an upgrade where the log4j patch was not applied previously, you can skip steps 28–31. JAS_AUTH_ENABLED=true
-
Restart the JAS container.
$ docker stack rm jas $ docker stack deploy -c /opt/autoid/res/jas/docker-compose.yml jas
-
Remove the nginx container.
$ docker stack rm nginx
-
Redeploy the stack.
$ docker stack deploy -c /opt/autoid/res/nginx/docker-compose.yml nginx
-
Re-apply your analytics settings to your upgraded server if you made changes on your previous Autonomous Identity machine. Log in to Autonomous Identity, navigate to Administration > Analytics Settings, and edit your changes.
-
Log out and then log back in to Autonomous Identity.
You have successfully upgraded your Autonomous Identity server to 2021.8.3.
Upgrade from Autonomous Identity 2021.3.x to 2021.8.3
The following instruction is for an upgrade from Autonomous Identity 2021.3.x (2021.3.0, 2021.3.1, 2021.3.2, 2021.3.3, 2021.3.4, and 2021.3.5) to version 2021.8.3 in non air-gapped deployments.
As a reminder, upgrade from 2021.3.x to 2021.8.3 requires multiple updates to account for numerous backend component and feature changes for each major release:
-
2021.3.0–2021.3.4 → 2021.3.5
-
2021.3.5 → 2021.8.0
-
2021.8.0 → 2021.8.3
Upgrade from 2021.3.x to version 2021.8.3:
-
If you are on version 2021.3.0–2021.3.4, you must upgrade to the latest patch release to version 2021.3.5. See Upgrading Autonomous Identity to 2021.3.5.
-
From version 2021.3.5, upgrade to version 2021.8.0. Follow the instructions in Upgrading Autonomous Identity from 2021.3.5 to 2021.8.0.
-
From version 2021.8.0, upgrade to the latest patch version, 2021.8.3. Follow the instructions in Upgrade from Autonomous Identity 2021.8.0 to 2021.8.3.