Security Server Cluster RHEL 7 to RHEL 8 Upgrade

This document describes the steps required for upgrading a Security Server cluster from RHEL 7 to RHEL 8 using a configuration backup. This upgrade document is tested on PostgreSQL version 12.

Please read carefully through the whole document before starting the upgrade process. It is assumed that the reader is familiar with the Red Hat Linux distribution and has experience of Red Hat release upgrades.

The upgrade process is based on

• [1] https://github.com/nordic-institute/X-Road/blob/develop/doc/Manuals/LoadBalancing/ig-xlb_x-road_external_load_balancer_installation_guide.md

  • Especially sections 3, 4, 5, and 7.

• [2] How to Upgrade Security Server to RHEL 8 Using a Configuration Backup?

Please review both documents before continuing.

Upgrade process

• Ensure that all nodes have the same X-Road software version and PostgreSQL version. All Red Hat packages are updated.

  • If necessary, update the cluster, following instructions in [1], section 7.

• Pause the database and configuration synchronization on the secondary nodes ([1], section 7.2.1).

• Connecting a hardware security module (HSM) to a new server may require additional steps that are not covered by these instructions. Check the HSM documentation and verify that it supports RHEL 8.

Upgrading the primary node

• Set the primary node to maintenance mode or manually disable it from the external load balancer.

  • See [1] section 7.2.2, steps 1 and 2.

• Recreate the primary node using the backup, as described in How to Upgrade Security Server to RHEL 8 Using a Configuration Backup? .

• Stop the old primary node.

• Set up primary node as described in [1] section 3.2 Primary installation, steps 2 - 4, 6 and step 9.

• Verify that the Security Server services are running and the system is functioning.

• Switch over to the new server.

  •  For example, change the new server's IP address(es) to match the old addresses and/or update DNS, firewall, NAT, or other network configuration.

• If the primary node was disabled manually from the external load balancer, verify that the primary node is working and enable it in the load balancer.

  • See [1], section 7.2.2 for details.

Upgrading the secondary nodes

After successfully upgrading the primary, secondary nodes can be upgraded one by one.

• Gracefully disable the secondary node from the load balancer, either manually or using the health check maintenance mode (see [1], section 7.2.3).

• Stop the old secondary node.

• Install the new RHEL 8 secondary node(s) as described in [1] section 3.3 Secondary installation.

  • Secondary node must have the same PostgreSQL version as the primary.

  • Optionally, copy the messagelog database and archived log records from the old secondary server.

    • See How to Upgrade Security Server to RHEL 8 Using a Configuration Backup? for more information.

• Verify that the Security Server services are running and the system is functioning.

• Switch over to the new server.

  •  For example, change the new server's IP address(es) to match the old addresses and/or update DNS, firewall, NAT, or other network configuration.

• After the node is healthy (see [1], section 6 ), enable the secondary node in the load balancer if you manually disabled it.