Upgrading Verify Privilege Vault with Web Clustering

Introduction

Verify Privilege Vault has a built-in Web installer. The Web installer is a series of pages inside Verify Privilege Vault that allow you to download and run updates. Verify Privilege Vault is accessible by users for most of the upgrade process. You can bring down outside access to the site if you want to prevent users from making changes during the upgrade. Preventing user access makes restoring the database and site backups simpler if you decide to roll back the upgrade immediately afterward.

You do not need to download the installer or setup.exe.
Please see the Verify Privilege Vault On-Premises Upgrade Checklist prior to upgrading.
Never overwrite or delete your encryption.config file.
Back up your Verify Privilege Vault folder and database before performing the upgrade.
Upgrading to Verify Privilege Vault version 10.7.000000 and above, requires SQL Server 2012 or later as the database for Verify Privilege Vault. For more information, see the Verify Privilege Vault Release Notes.
Upgrading to Verify Privilege Vault version 10.0.000000 and requires configuring integrated pipeline mode on the Verify Privilege Vault Application Pool. Please see Configuring IIS for installing or upgrading to Verify Privilege Vault 10 (KBA) for details on configuring integrated pipeline mode in IIS. If using Integrated Windows Authentication, you will also need to update IIS authentication settings as detailed in Configuring Integrated Windows Authentication. If you are at version 9.1.000000 and below, you need to first upgrade to 9.1.000001 before you can upgrade to 10.0.000000 and above.
Upgrading to Verify Privilege Vault version 8.9.000000 and above requires Windows Server 2008 R2 or later.
Upgrading to Verify Privilege Vault version 8.5.000000 and above, there are changes in the .NET Framework version you will need to be aware of along with some additional steps in the upgrade process. For more information, see Verify Privilege Vault Moving to .NET Framework 4.5.1.

Before Beginning

  1. Ensure that you have account credentials information and access for the server hosting Verify Privilege Vaultand the SQL Server instance hosting your Verify Privilege Vault database.

  2. Have a recent backup of the application files and database available.

  3. If you use clustering, stop the application pools on all of the servers.

Upgrading a Clustered Environment

  1. Follow the instructions in Upgrading Verify Privilege Vault or Upgrading Verify Privilege Vault Without Outbound Access as applicable to upgrade one server.

  2. Once upgraded and working, copy the Web application folder (without the database.config or the encryption.config files) to all secondary servers, and replace the content of the existing Web application folder with the new.

  3. If IBM Security Management Server (TMS) is installed and clustered, you need to copy the TMS directory to the secondary servers as well. The TMS directory is included by default for new installs of Verify Privilege Vault 10.2 and above. TMS is used by advanced session recording and Verify Privilege Manager. If the TMS folder and site does not exist in IIS, then no additional actions are needed beyond copying the Verify Privilege Vault directory.

  4. Start secondary servers and confirm they still work.

EFS and DPAPI Encryption

When upgrading, after the initial cluster configuration, you do not need to copy the database.config or encryption.config files to the other servers. If you need to copy those files because the database configuration changed and are using DPAPI, disable DPAPI encryption in Verify Privilege Vault by going to Admin > Configuration and click Decrypt Key to not use DPAPI on the Security tab before copying those files to secondary servers.

EFS encryption is tied to the user account running the Verify Privilege Vault application pool, so it is not machine specific. Copying EFS encrypted files between Verify Privilege Vault instances will not result in errors, but is not needed.

Upgrading Database Mirroring

  1. If there is more than one Web server running Verify Privilege Vault, ensure all instances are pointing to the same database.

  2. Stop all but one of the web servers.

  3. Perform the upgrade on that single instance.

  4. Once upgraded and working, copy the Web application folder to all secondary servers.

  5. Start the secondary servers, and confirm they work.

  6. Ensure all instances are properly activated.

  7. Ensure that the database changes have been replicated to the mirror database.

  8. If the secondary Web server was pointing originally to the secondary database, adjust it to point back to the secondary database.

Upgrading Remote DR Instances

  1. Perform the upgrade on one instance.

  2. Backup that instance.

  3. Copy the database backup to the remote DR instance.

  4. Restore the database.

  5. Once the instance is upgraded and working, copy the Web application folder (but not the database.config or encryption.config files) to the remote DR instance (overwriting the existing files).

  6. Restart IIS or recycle the application pool running Verify Privilege Vault on the remote DR instance.

  7. Confirm that the remote DR instance is working correctly.

Error Conditions

Error that may arise:

  • Version does not match: If a node is not properly updated from the source node after an upgrade, that node will not run because the application version does not match the database. The solution is to copy the application folder (minus the database.config or encryption.config files) to replace the files on the secondary server.