FAQ - Upgrade procedures

A list of questions and answers related to upgrade procedures:

Q:How do I upgrade a component that was originally installed without SSL configuration?
A: To configure SSL attributes, perform the following steps:
  1. Set the security_level parameter to force_enabled in the workstation definition and the secureaddr parameter to the secure port, as described in Configuring SSL attributes.
  2. Set the nm SSL full port parameter to the value of the secure port in the localopts file. For more information, see Localopts details
Q: How do I upgrade a component that was installed with default certificates?
A: Define the JKS_SSL_PASSWORD environment variable as described in Enhanced security for default certificates. For the full upgrade procedure, see Upgrading. If you are using default certificates and want to install a new component to be connected to a back-level master, see Upgrading in a mixed-version environment when using default certificates.
Q: What happens if I do not remember the password for the default certificates?
A: Before starting the upgrade, test the passwords for the certificates using the following keytool commands:
  • keytool -list -keystore TWSServerTrustFile.jks 
-storepass my_password
  • keytool -list -keystore TWSServerKeyFile.jks 
-storepass my_password
Q: The upgrade failed because the password I provided for the certificates in the JKS_SSL_PASSWORD variable is incorrect. How can I recover from this error?
A. Before restarting the upgrade, perform the following steps:
  1. Retrieve and test the password for the certificates, as described in Q: What happens if I do not remember the password for the default certificates?
  2. Restore the previous version of the ita.ini file.
  3. Restart the upgrade.
Q: My environment is FIPS compliant. What happens if I upgrade to version 10.2.2?
A: Version 10.2.2 does not support FIPS. If you want to upgrade to this version, your environment will no longer be FIPS compliant. A new optional parameter named enablefips is available in the serverinst and twsinst scripts to check FIPS settings before you upgrade. This is because you need to be aware that by upgrading, your environment will no longer be FIPS compliant.
Upgrade scenarios vary depending on your upgrade path, as follows:
If you are upgrading from version 10.2.1
FIPS is already disabled by default in this version. If do not specify the enablefips parameter or you set it to false, the upgrade proceeds. If you set the enablefips parameter to true, the upgrade stops with an error message and you have to set enablefips to false to proceed.
If you are upgrading from any version other than 10.2.1
You can proceed in one of the following ways:
  • Disable FIPS before upgrading by editing the following options in the configuration files:
    localopts
    set SSL Fips enabled to no
    ita.ini
    set fips_enable to no
    You can then proceed with the upgrade without specifying the enablefips parameter, which is set to false by default.
  • Set the enablefips parameter to false. A warning message is displayed to inform you that FIPS is being disabled and the localopts and ita.ini files are automatically updated with the new FIPS configuration (the previous SSL Fips enabled option is removed and the new SSL FIPS compliance option is added and set to no/false) . The upgrade proceeds.
Can I install a backup master domain manager at version 10.2.2 in a back-level environment?
If you have a back-level environment, for example version 9.4, you can install a backup master domain manager at version 10.2.2, but it is recommended you check your security configuration.
Most 9.4 environments are not configured with SSL, which is enabled by default starting from version 10.1. To ensure communication between all components, perform the following steps:
  1. Install the fix for APAR IJ47731, if your current environment is earlier than 9.5 FP4. To obtain the fix for your product version, contact Software Support.
  2. Install the backup master domain manager at version 10.2.2.
  3. Stop Open Liberty on the backup master domain manager at version 10.2.2, as described in Application server - starting and stopping.
  4. Browse to the following paths:
    on Windows operating systems
    TWS\broker\config
    on UNIX operating systems
    TWS/broker/config
  5. Set the Broker.Workstation.PortSSL property to false in the BrokerWorkstation.properties file.
  6. Start Open Liberty on the backup master domain manager at version 10.2.2, as described in Application server - starting and stopping.
  7. Run the following commands on the back-level master domain manager: 
    1. optman chg cf = ALL
      This command changes the enCarryForward option so that all incomplete job streams are carried forward.
    2. JnextPlan -for 0000 -noremove
      This command extends the production plan without removing successfully completed job stream instances.
    3. optman chg cf = <original value>
      This command returns the enCarryForward option to its original value.

The new backup master domain manager can now communicate with the back-level network.

If you want to switch the new backup master domain manager to master, stop the broker on the back-level master domain manager, and switch it to master domain manager.