Infrastructure upgrade

Upgrading infrastructure components individually can be a good way to minimize risk, increase stability, and enhance security. Additionally, when a bug occurs in the running version of a service (JDK, Tomcat, Cassandra, etc.), upgrading to a higher version may be recommended to fix it, so a patch upgrade of an individual service may be required. The steps for upgrading each service are given below.

OpenIAM-JDK patches

  1. Check OpenIAM status and then stop OpenIAM services.
openiam-cli status
openiam-cli stop
  1. Download the required JDK from the following link.
wget https://builds.openlogic.com/downloadJDK/openlogic-openjdk-jre/11.0.25+9/openlogic-openjdk-jre-11.0.25+9-linux-x64.tar.gz
  1. Extract the downloaded JDK using a tar command.
tar -xvf openlogic-openjdk-jre-11.0.25+9-linux-x64.tar.gz
  1. Back up the existing JDK and replace it with the following commands.
sudo mv /usr/local/openiam/jdk /root/jdk_openiam_backup
sudo mv /root/openlogic-openjdk-jre-11.0.25+9-linux-x64 /usr/local/openiam/jdk
  1. Restore security certificates.
cp /root/jdk_openiam_backup/lib/security/cacerts /usr/local/openiam/jdk/lib/security/
  1. Change ownership as follows.
chown -R openiam:openiam /usr/local/openiam/jdk
  1. Restart OpenIAM services.
openiam-cli start
openiam-cli status

Tomcat patches

To update Tomcat, start with downloading the latest Tomcat version, as shown below, and extracting the downloaded archive.

wget --no-check-certificate https://dlcdn.apache.org/tomcat/tomcat-9/v9.0.98/bin/apache-tomcat-9.0.98.tar.gz
tar -xvf apache-tomcat-9.0.98.tar.gz

An essential step before updating any component is checking OpenIAM status and stopping it.

openiam-cli status
openiam-cli stop
  1. Back up the current Tomcat instance and replace it with the new one, as follows.
sudo mv /usr/local/openiam/ui /root/ui-backup
sudo mv /root/apache-tomcat-9.0.98 /usr/local/openiam/ui
  1. Restore web applications.
cp -r /root/ui-backup/webapps/ /usr/local/openiam/ui
  1. Change ownership.
chown -R openiam:openiam /usr/local/openiam/ui/
  1. Finally, restart OpenIAM UI services.
openiam-cli start
openiam log openiam-ui
Note: Follow the two steps below if you encounter any issues related to permissions.
  1. Check the service logs and, for permission-related issues, restore the default SELinux context of the startup script as shown below.
journalctl -u openiam-ui
ls -Z /usr/local/openiam/ui/bin/startup.sh
restorecon -v /usr/local/openiam/ui/bin/startup.sh
ls -Z /usr/local/openiam/ui/bin/startup.sh
  1. Start the OpenIAM UI service.
systemctl start openiam-ui
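
The download step above passes `--no-check-certificate`, so wget does not validate the server's TLS certificate and the archive's integrity has to be established separately before it is extracted and moved into `/usr/local/openiam/ui`. The script below is an added example, not part of the OpenIAM documentation: the function names are hypothetical, and the expected SHA-512 digest is assumed to come from a source you trust (such as the project's published `.sha512` file, fetched with certificate checking enabled).

```shell
#!/usr/bin/env bash
# Added example: verify a downloaded archive against an expected SHA-512
# digest and extract it only when the digest matches.

# Print the expected digest as bare lowercase hex.
# $1 is either a literal digest or a checksum file whose first field is the
# digest ("<hex>", "<hex>  name" or "<hex> *name").
expected_digest() {
    local src=$1 digest rest
    if [ -f "$src" ]; then
        read -r digest rest < "$src" || [ -n "$digest" ] || return 1
    else
        digest=$src
    fi
    printf '%s' "$digest" | tr -d '\r' | tr 'A-F' 'a-f'
}

# verify_archive <archive> <digest-or-checksum-file>
# Returns 0 on match, 1 on mismatch, 2 on unusable input.
verify_archive() {
    local archive=$1 want got
    [ -r "$archive" ] || { echo "missing archive: $archive" >&2; return 2; }
    want=$(expected_digest "$2") || return 2
    # A SHA-512 digest is exactly 128 hex characters; reject anything else.
    case $want in
        *[!0-9a-f]*|'') echo "malformed digest" >&2; return 2 ;;
    esac
    [ "${#want}" -eq 128 ] || { echo "malformed digest" >&2; return 2; }
    got=$(sha512sum -- "$archive") || return 2
    got=${got%% *}
    if [ "$got" != "$want" ]; then
        echo "SHA-512 mismatch for $archive" >&2
        return 1
    fi
}

# verified_extract <archive> <digest-or-checksum-file> <dest-dir>
# Nothing is unpacked unless verification succeeds.
verified_extract() {
    verify_archive "$1" "$2" || return $?
    mkdir -p -- "$3" && tar -xf "$1" -C "$3"
}
```

The same check applies to the JDK, JRE and Cassandra RPM downloads in the other sections of this page.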

Elasticsearch JDK patch (JDK-21.0.4 LTS)

Start by verifying the current Elasticsearch JDK version, as shown below.

cat /usr/share/elasticsearch/jdk/release
/usr/share/elasticsearch/bin/elasticsearch --version
/usr/share/elasticsearch/jdk/bin/java -version
  1. Check Elasticsearch service status by running the following.
systemctl status elasticsearch -l --no-pager
cat /usr/lib/systemd/system/elasticsearch.service
  1. Stop OpenIAM and Elasticsearch.
openiam-cli status
openiam-cli stop
service elasticsearch stop
  1. Download the new JDK from the URL given below and install it.
wget https://github.com/adoptium/temurin21-binaries/releases/download/jdk-21.0.4%2B7/OpenJDK21U-jdk_x64_linux_hotspot_21.0.4_7.tar.gz
tar -xvf OpenJDK21U-jdk_x64_linux_hotspot_21.0.4_7.tar.gz
sudo mv /usr/share/elasticsearch/jdk /root/jdk_backup
sudo mv /root/jdk-21.0.4+7 /usr/share/elasticsearch/jdk
  1. Restart Elasticsearch and check logs.
service elasticsearch start
tail -n 300 /var/log/elasticsearch/elasticsearch.log
  1. Verify Elasticsearch and JDK versions once again.
cat /usr/share/elasticsearch/jdk/release
/usr/share/elasticsearch/bin/elasticsearch --version
/usr/share/elasticsearch/jdk/bin/java -version
  1. Finally, restart OpenIAM services with the commands below.
openiam-cli start
openiam-cli status

Flyway JRE patch

  1. Verify JRE version across all nodes.
cluster openiam-cli status
/usr/local/openiam/flyway/jre/bin/java --version
  1. Run the following commands for all three HA nodes.
wget https://builds.openlogic.com/downloadJDK/openlogic-openjdk-jre/11.0.25+9/openlogic-openjdk-jre-11.0.25+9-linux-x64.tar.gz
tar -xvf openlogic-openjdk-jre-11.0.25+9-linux-x64.tar.gz
sudo mv /usr/local/openiam/flyway/jre /root/flyway_jre_backup
sudo mv /root/openlogic-openjdk-jre-11.0.25+9-linux-x64 /usr/local/openiam/flyway/jre
chown -R openiam:openiam /usr/local/openiam/flyway/jre
  1. Verify the update.
cluster openiam-cli status
/usr/local/openiam/flyway/jre/bin/java --version

Cassandra patch

  1. It is important to create a backup directory for existing configuration. Hence, create the following directories in /root to store backups of the existing configuration.
mkdir -p /root/backup-cass/etc-cass
mkdir -p /root/backup-cass/var-lib-cass
Copy the existing configuration and data files:
cp -r /etc/cassandra /root/backup-cass/etc-cass
cp -r /var/lib/cassandra /root/backup-cass/var-lib-cass
  1. Verify current version. Run the following commands to check the current version of Cassandra.
nodetool version
cassandra -v

Example output should look as follows.

ReleaseVersion: 4.0.12
4.0.12
  1. Take a snapshot of all Keyspaces with the command below ...
nodetool snapshot

... and verify the snapshot directory.

ls /var/lib/cassandra/data/system/size_estimates-*/snapshots

The output should look as follows.

1737524024387
  1. Download the new RPM packages from the links below.
wget https://apache.jfrog.io/artifactory/cassandra-rpm/40x/cassandra-tools-4.0.15-1.noarch.rpm
wget https://apache.jfrog.io/artifactory/cassandra-rpm/40x/cassandra-4.0.15-1.noarch.rpm
  1. Check and stop services.
openiam-cli status
openiam-cli stop
  1. Verify and stop Cassandra and JanusGraph services.
systemctl status cassandra
systemctl status janusgraph
systemctl stop janusgraph
systemctl stop cassandra
  1. Check installed Cassandra packages.
rpm -qa | grep cass

The output should look as follows.

cassandra-tools-4.0.12-1.noarch
cassandra-4.0.12-1.noarch
  1. Remove old RPM packages.
rpm -e cassandra-tools-4.0.12-1.noarch
rpm -e cassandra-4.0.12-1.noarch

Verify removal with the following commands.

rpm -qa | grep cass

Clear JanusGraph data.

rm -rf /var/lib/cassandra/data/janusgraph/*
  1. Install new Cassandra packages.
rpm -ivh cassandra-4.0.15-1.noarch.rpm
rpm -ivh cassandra-tools-4.0.15-1.noarch.rpm

Verify the installation.

rpm -qa | grep cass

The output of the above command should look as follows.

cassandra-4.0.15-1.noarch
cassandra-tools-4.0.15-1.noarch
  1. Restore configuration
cp /root/backup-cass/etc-cass/cassandra/default.conf/cassandra.yaml /etc/cassandra/default.conf/
  1. Start Cassandra and JanusGraph services with the commands below.
systemctl start cassandra
systemctl start janusgraph

Check service status:

systemctl status cassandra
systemctl status janusgraph
  1. Verify the upgrade with the below commands.
cassandra -v
nodetool version

Example output of these commands should look as follows.

ReleaseVersion: 4.0.15
4.0.15
  1. Start OpenIAM Services
openiam-cli start
openiam-cli status
  1. If OpenIAM UI login issues occur after the Cassandra upgrade, rebuild the graph.
curl http://localhost:9080/openiam-esb/authmanager/rebuildGraph

Use the command above to rebuild the graph, if there are any login issues in OpenIAM UI.