Replace rolling upgrades

The replace rolling upgrades model involves deploying new Windows servers that you are installing 23.1 on, and joining them to your existing Venafi database for the cluster, then replacing the existing servers with the new servers. It requires you deploy one new server for each existing server. For example, if you have six Venafi servers on your origin version (that you are upgrading from), you would need to deploy six new Windows servers, each one matching exactly the configuration of the server it will replace (including Venafi components, processing engine assignments, and network discovery zones).

This model can often result in a cleaner upgrade process, and allows you to upgrade your Windows operating system at the same time you are upgrading your Venafi version, but results in extra manual configuration or steps that need to be scripted.

When performing this upgrade, follow all the steps in each of the following sections.

Getting Started

  1. Create new Windows servers that match 1:1 the roles of the servers in your current Venafi deployment cluster.
  2. Download, distribute, and unzip installation files for the 23.1.x upgrade.
  3. [Optional] Export your software encryption key (if used).

    For more information, see Backing up the software encryption key.

Database configuration

  1. Back up your database.

    For instructions on how to perform the database backup, visit Microsoft's SQL documentation: Create a Full Database Backup.

  2. [Conditional] If using answer file(s): Update the answer file so the DBO credentials are included, and new components (if desired) are added to the appropriate servers.

    For detailed information about the schema and settings of the answer file, see Creating and using answer files.

Run the installation MSI

  1. Verify that the extracted Venafi Trust Protection Platform 23.1.x.zip is available on the server.
  1. From an elevated command prompt, change your directory to the extracted zip folder and enter the following command:

    VenafiTPPInstall-23.1.x.msi

  2. When the Welcome window appears, click Next.

  3. Read the terms stated in the License Agreement window. If you agree, select I accept the terms in the license agreement, and then click Next.

  1. Run the previous steps on all the new Windows Venafi server. Do not modify your existing (production) servers.

Configure the server

  1. Either use the configuration wizard GUI to complete the configuration steps for the upgrade, or use the TPPConfiguration.exe CLI to do a silent upgrade using the appropriate updated answer file.

    If you have questions about the command line interface, see Upgrade using the command line.

  2. [Conditional] If you used the upgrade wizard GUI in step 1: In the Venafi Configuration Console, enable any new components that you want for each server.
  3. In the Venafi Configuration Console, click the Product node.
  4. Start all Venafi Windows services.
  5. If this server has the WebConsole component installed, open the console (without the application delivery controller; for example, use https://localhost/Aperture)
  6. Repeat on all Venafi servers.

Configure the application delivery controller

  1. Update your application delivery controller to add all the new Windows servers to the resource group.
  2. Update your application delivery controller to remove the old Windows servers from the resource group.
  3. Wait until there are no active connections.

    NOTE  Use a utility like netstat -an | findstr ESTABLISHED to verify that there are no established (active) connections on the IIS listening IP/Ports. Do not continue until there are no active connections (or these users will experience down time).

  4. Uninstall Venafi Trust Protection Platform from all old Venafi servers.

    For additional information, see Uninstalling Venafi Trust Protection Platform.

  5. Remove all old Venafi servers (engines) from the Venafi cluster in Policy Tree.

Validate the installation

  • Validate that each server in the cluster is performing its assigned role.

    For example, on a server that has the Venafi Web Console, try renewing a certificate or rotating an SSH key. On a code signing server, try signing code. For a server, validate that connections are happening as expected.