In place rolling upgrade

Use the in place rolling upgrade model when all existing Venafi servers will be updated to 23.1, but because you have redundancy and an application delivery controller, and because you are only doing servers one server at a time all services that the cluster provides can remain available throughout the upgrade. This upgrade results in no outage. This process takes significantly longer than offline upgrades. It also requires multiple configuration changes to the application delivery controller settings throughout the upgrade process. During the upgrade, you need to wait until there are no active connections on the ports that Venafi services before you can perform the upgrade on each Venafi server.

When performing this upgrade, follow all the steps in each of the following sections.

Getting Started

  1. Download, distribute, and unzip installation files for the 23.1.x upgrade.
  2. [Optional] Export your software encryption key (if used).

    For more information, see Backing up the software encryption key.

  3. Update your application delivery controller to remove the first Venafi server from the resource group.
  4. Wait until there are no active connections.

    NOTE  Use a utility like netstat -an | findstr ESTABLISHED to verify that there are no established (active) connections on the IIS listening IP/Ports. Do not continue until there are no active connections (or these users will experience down time).

Begin the upgrade

  1. On the Venafi server being upgraded, open Venafi Configuration Console and click the Product node.

  2. Stop all Venafi Windows services, including:

    • Venafi Platform

    • Logging
    • API Host
    • Website (IIS)
    • Enrollment over Secure Transport Service

    NOTE  When you stop Venafi Windows services, be aware that the services may have been manually configured to recover on failures by automatically restarting services. In this case you will either want to reset your recovery options to "Take no Action" or disable the service altogether before proceeding.

    If services are set to automatically restart, the upgrade can fail.

  3. Close the Venafi Configuration Console and all other Venafi-related applications (WinAdmin, Venafi Support Tool, etc.).

    If multiple user accounts connect to the Venafi server, use the Task Manager Users tab to terminate any background user sessions from other logged-in users. This ensures that no Venafi files are in use by any user, making the upgrade process more efficient.

Database configuration

  1. Back up your database.

    For instructions on how to perform the database backup, visit Microsoft's SQL documentation: Create a Full Database Backup.

  2. [Conditional] If using answer file(s): Update the answer file so the DBO credentials are included, and new components (if desired) are added to the appropriate servers.

    For detailed information about the schema and settings of the answer file, see Creating and using answer files.

Run the installation MSI

  1. Verify that the extracted Venafi Trust Protection Platform 23.1.x.zip is available on the server.
  1. From an elevated command prompt, change your directory to the extracted zip folder and enter the following command:

    VenafiTPPInstall-23.1.x.msi

  2. When the Welcome window appears, click Next.

  3. Read the terms stated in the License Agreement window. If you agree, select I accept the terms in the license agreement, and then click Next.

Configure the server

  1. Either use the configuration wizard GUI to complete the configuration steps for the upgrade, or use the TPPConfiguration.exe CLI to do a silent upgrade using the appropriate updated answer file.

    If you have questions about the command line interface, see Upgrade using the command line.

  2. [Conditional] If you used the upgrade wizard GUI in step 1: In the Venafi Configuration Console, enable any new components that you want for each server.
  3. In the Venafi Configuration Console, click the Product node.
  4. Start all Venafi Windows services.
  5. If this server has the WebConsole component installed, open the console (without the application delivery controller; for example, use https://localhost/Aperture)
  6. Update your application delivery controller by placing this server back into the resource group.
  7. Repeat all steps (starting with the Getting Started section above) for the next Venafi server.

Validate the installation

  • Validate that each server in the cluster is performing its assigned role.

    For example, on a server that has the Venafi Web Console, try renewing a certificate or rotating an SSH key. On a code signing server, try signing code. For a server, validate that connections are happening as expected.