Before upgrading

Before starting to upgrade the product, verify that your network has the minimum required supported versions of the operating system, product, and database.

Supported operating systems

To obtain an updated list of the supported operating systems, see Supported Operating Systems.

For a complete list of system requirements (disk spaces, temporary spaces and RAM usage), see HCL Workload Automation Detailed System Requirements.

Supported databases

For an up-to-date list of supported databases, see Supported Software.

Product level prerequisites for master domain manager and its backup, dynamic domain manager and its backup, and agents

Before you start the upgrade, verify that your environment has the required product level prerequisites. For a complete list of product level prerequisites, see HCL Workload Automation Detailed System Requirements.

User authorization requirements

Before starting to upgrade, verify that the user running the installation process has the following authorization requirements:
UNIX and Linux operating systems
root access
Windows operating system

If you set the Windows User Account Control (UAC), your login account must be a member of the Windows Administrators group or domain administrators group with the right Act as Part of the Operating System.

You must run the installation as administrator.

SSL mode configuration

If the HCL Workload Automation environment is configured in SSL mode, ensure one of the following conditions is met in the localopts file before you upgrade master domain manager, backup master domain manager, dynamic domain manager, or fault-tolerant agents to Version 10.2.1 or later:
  • the ssl version parameter is set to atleast.TLSv1.2 OR
  • the ssl cipher parameters is set to a high value.

For more information about the localopts file, see Setting local options.

Securing your environment with certificates

Starting from version 10.2.1, using certificates is mandatory when installing or upgrading the product. You can use default certificates, generated automatically by the product with the password you specify, or you can define your own custom certificates. For more information, see Enhanced security for default certificates. If you were using default certificates in previous releases, you can convert them as described in Upgrading in a mixed-version environment when using default certificates.

In the typical upgrading procedures described in this section, default certificates are used.

Upgrading to 10.1 Fix Pack 1 or later using custom certificates

In 10.1 FP1 version, the JWT feature has been introduced. Performing an upgrade of the master domain manager to 10.1 FP1 from any previous version, can potentially cause problems with JWT functionality if the master domain manager is using custom certificates with a custom label.

When upgrading to V10.1 Fix Pack 1 or later, a number of changes are performed in the server.xml file, by introducing new multiple <jwtBuilder> and <mpJwt> elements. These elements are used by HCL Workload Automation for the JWT functionality, and are identified by the following comments within the server.xml file:
<!-- Starting JWT Token configuration -->
<!-- JWT configuration for DA -->

The new elements listed above identify the certificate using the server label, instead of the custom label defined in the keyName properties. This prevents WebSphere Application Server Liberty Base from signing new JWTs.

To work around this problem, perform the following steps:
  1. Update the <jwtBuilder> elements by modifying the keyAlias property to the correct value.
  2. To verify the signature of a JWT received in a connection from another entity, WebSphere Application Server Liberty Base retrieves the public information associated to the certificate from the <WA_DATA>/usr/servers/engineServer/resources/security/TWSServerTrustFile.p12 file. You can find the public information in the keyName=”${mp.jwt.trust.key}” property within the <mpJwt> elements. These elements use a variable which is declared within the new jwt_variables.xml file that is created in the overrides folder after the upgrade:
    <server description=”jwt_variables”>

     <variable name=”mp.jwt.trust.key” value=”twstrustkey”/>

</server>
  3. Also, add the public information only of the custom certificate in the TWSServerTrustFile.p12 file, under that alias (overwriting the already existing one).
  4. Alternatively, it is possible to add it as a new entry with a new label, but the jwt_variables.xml file should be updated accordingly. For more information, see Enabling API Key authentication after upgrading.
  5. The agent must have the public information associated to the certificate used by the master domain manager when creating a new JWT. The reason for this is that also the agent needs to verify the signature of a JWT received from the master domain manager. Therefore, it is required to also add the public information only of the custom certificate of the master domain manager (the file that was added in the TWSServerTrustFile.p12 file on the master domain manager) in the TWSClientKeyStore file of the agent.

Support for OpenSSL 3.0.x libraries from UNIX operating systems

If you install the master domain manager on recent UNIX operating systems, you can use the OpenSSL 3.0.x libraries provided with the operating system. The list of UNIX operating systems whose libraries you can use is as follows:
  • Ubuntu 22
  • AIX 7.3
  • Red Hat 9

To ensure HCL Workload Automation uses these libraries, always launch the installation or upgrade procedure from a brand new shell. You can also check the OpenSSL library currently in use with the which openssl command and check the OpenSSL version with the openssl version command.

Downloading installation images

Before starting to upgrade, download the installation images. For further information, see Downloading installation images on your workstation