PingDS 7.5.1

Before you upgrade in place

Fulfill these requirements before upgrading PingDS software, especially before upgrading the software in a production environment. Also refer to the requirements listed in release notes.

Global server IDs

Before upgrading, make sure you use unique global server IDs. Prior to DS 7.0, each server could have multiple server IDs. Global server IDs were supported but optional in DS 6.5.

To update each DS 6.5 server to use a unique global server ID, set the server-id global configuration property. The following example sets the global server ID to 1:

$ dsconfig \
 set-global-configuration-prop \
 --hostname opendj.example.com \
 --port 4444 \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --set server-id:1 \
 --trustAll \
 --no-prompt

Server IDs were originally numeric for compatibility with DS 6.5 and earlier servers. In DS 7.0 and later, use strings as server IDs.

Supported Java

  • Always use a JVM with the latest security fixes.

  • Make sure you have a required Java environment installed on the system.

    If your default Java environment is not appropriate, use one of the following solutions:

    • Edit the default.java-home setting in the opendj/config/java.properties file.

    • Set OPENDJ_JAVA_HOME to the path to the correct Java environment.

    • Set OPENDJ_JAVA_BIN to the absolute path of the java command.

  • When running the dskeymgr and setup commands, use the same Java environment everywhere in the deployment. For details, refer to CAs from deployment IDs.

DS software supports the following Java environments:

Vendor | Versions
--- | ---
OpenJDK, including OpenJDK-based distributions: AdoptOpenJDK/Eclipse Temurin Java Development Kit (Adoptium), Amazon Corretto, Azul Zulu, Red Hat OpenJDK. Ping Identity tests most extensively with AdoptOpenJDK/Eclipse Temurin. Use the HotSpot JVM if possible. | 17(1), 21
Oracle Java | 17(1), 21

(1) DS requires Java 17.0.8 or later.

TLS cipher support depends solely on the JVM. For details, refer to TLS settings.

CAs from deployment IDs

Due to a change to the Java platform between versions 11 and 17, the keys you generate with the dskeymgr and setup commands using Java 11 are incompatible with keys generated using Java 17 and later.

Using different Java versions is a problem if you use deployment ID-based CA certificates. Replication breaks, for example, when you use the setup command for a new server with a more recent version of Java than was used to set up existing servers.

For details on resolving the issue, refer to Incompatible Java versions.
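
The following pre-upgrade check is an added example, not part of the PingDS documentation. It applies the version table (Java 17.0.8 or later, or 21) and the Java 11 versus Java 17 key incompatibility described above to version strings collected from each server. The function names, the lookup order in resolve_java, and treating every version below 17 as the Java 11 side are assumptions.

```shell
#!/bin/sh
# Added example, not PingDS code. Function names are hypothetical.

# Pick the java binary. Assumption: OPENDJ_JAVA_BIN is tried first, then
# OPENDJ_JAVA_HOME, then PATH; opendj/config/java.properties is not read here.
resolve_java() {
  if [ -n "${OPENDJ_JAVA_BIN:-}" ]; then printf '%s\n' "$OPENDJ_JAVA_BIN"
  elif [ -n "${OPENDJ_JAVA_HOME:-}" ]; then printf '%s\n' "$OPENDJ_JAVA_HOME/bin/java"
  else command -v java
  fi
}

# Read `java -version` output on stdin and print the quoted version string,
# e.g. 'openjdk version "17.0.9" 2023-10-17' -> 17.0.9
parse_java_version() {
  sed -n 's/.* version "\([^"]*\)".*/\1/p' | head -n 1
}

# Split a version into numeric major/minor/patch (missing parts become 0).
split_version() {
  v=${1%%[!0-9.]*}                      # drop suffixes such as -ea or _392
  IFS=. read -r major minor patch _rest <<EOF
$v
EOF
  major=${major:-0}; minor=${minor:-0}; patch=${patch:-0}
}

# Succeed only for the versions in the table: 17 (17.0.8 or later) or 21.
ds_java_supported() {
  split_version "$1"
  case $major in
    21) return 0 ;;
    17) [ "$minor" -gt 0 ] || [ "$patch" -ge 8 ] ;;
    *)  return 1 ;;
  esac
}

# Succeed if all versions given are on the same side of the Java 11/17
# change, so keys for deployment ID-based CA certificates stay compatible.
same_keygen_family() {
  first=
  for ver in "$@"; do
    split_version "$ver"
    if [ "$major" -ge 17 ]; then fam=17plus; else fam=pre17; fi
    [ -z "$first" ] && first=$fam
    [ "$fam" = "$first" ] || return 1
  done
}
```

On each server host, pipe the output of "$(resolve_java)" -version 2>&1 into parse_java_version, pass the result to ds_java_supported, then pass the versions from all hosts to same_keygen_family before running dskeymgr or setup.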

Required credentials

Perform the upgrade procedure as the user who owns the server files.

Make sure you have the credentials to run commands as this user.

Back up first

Before upgrading, perform a full file system backup of the current server so that you can revert on failure. Make sure you stop the directory server and back up the file system directory where the current server is installed.

Backup archives are not guaranteed to be compatible across major and minor server releases. Restore backups only on directory servers of the same major or minor version.

Disable Windows service

If you are upgrading a server registered as a Windows service, disable the Windows service before upgrade:

C:\path\to\opendj\bat> windows-service.bat --disableService

After upgrade, enable the server as a Windows service again.

Copyright © 2010-2024 ForgeRock, all rights reserved.