Hardware Appliance Upgrade Notes
The following lists important upgrade information and limitations to be aware of.
It is recommended to always create a backup before upgrading!
It is strongly recommended to upgrade old versions to version 3.13.0 first and then to the desired higher version.
Upgrading EJBCA
After upgrading to certain versions of EJBCA (typically a new version where the database schema has changed), it is recommended to perform an EJBCA post-upgrade.
If the EJBCA instance you are upgrading is a part of a cluster, you should run the EJBCA post-upgrade only after all nodes in the cluster have been upgraded to the new version of EJBCA. Note that you only need to run the post-upgrade on one of the nodes in the cluster.
For more information on upgrading EJBCA, refer to Upgrading EJBCA and for information on database changes in the respective EJBCA releases, refer to the EJBCA Upgrade Notes.
General Upgrade Notes
The following provides important information and requirements to be aware of when upgrading.
CA/VA setup: Internal Key Binding default Protocol and Cipher Suite not working
Changing IPv4 address in a cluster might lead to IPv6 address disappearing
Hardware Appliance 3.5.0 makes SNMP reachable over IPv6. If the appliance is upgraded from <=3.5.0 and SNMP was enabled before, SNMP does not become reachable over IPv6 automatically. To make it reachable, disable and re-enable IPv6 on one of the network interfaces.
If someone has previously edited their /etc/snmp/snmpd.conf e.g. to change the community string, their config will get overwritten by our new default config and SNMP will be disabled.
When installing updates on a Hardware Appliance running version 3.2.0, make sure to unplug any USB sticks before performing the update. When a single node is disconnected from the cluster, the local EJBCA instance will be temporarily unusable and the EJBCA Administration interface displays an error message. The problem remediates itself within one hour while a restart of EJBCA resolves the issue instantly. Note however, if your installation uses smart card authentication, PIN pad interactions will be required to activate the slots again.
When restoring large backups from EJBCA versions prior to 6.6.0, after the restore and reboot EJBCA will not be available for some time due to the database schema change and the need to reindex. For a full database of a Model M, it takes about an hour to re-index the database. Once re-indexed, an additional reboot is required.
For cluster backups taken on Hardware Appliance versions 2.4 to 2.8: when restoring the first backup onto a 3.4.X version, the cluster configuration will be deleted and requires manually adding the IP addresses of all the other nodes before proceeding with the cluster setup.
The Appliance 3.4.X versions do not support restoring backups of versions older than 2.4.0.
PIN Pad
While this release newly supports the new PIN pad (cyberJack one) and Smart Card Authentication with more than 1 user authentications for PKCS#11 R2, the new PIN pad is neither supported for Smart Card Authentication on the legacy PKCS#11 R1 stack nor for Backup Key Shares on very old Appliance hardware versions (1.x).
In rare cases after rebooting the Appliance, the PIN pad is not detected correctly and the Web Configurator (WebConf) Wizard will display the following message "Please connect the PIN pad to the Hardware Appliance before beginning the installation." This issue can be solved by re-plugging the PIN pad.
Cluster
Updating a cluster node > node1 might lead to IPv6 address disappearing.
An update from a version older than 3.13.0 to a version 3.13.0 or higher will have impact on the cluster.
The cluster update is handled differently. For more information refer to Updating the Software on a Cluster.
Ethernet Ports
Due to a firmware limitation, the Hardware Appliance only becomes reachable when both management and application Ethernet ports are successfully connected to a network.
Ethernet ports might not establish a link if the network cables have been connected after powering on the device.
General Downgrade Notes
Important!
Since version 3.13.0 it is no longer possible to downgrade from Webconf to version 3.12.1 or earlier.
If a downgrade has to be performed, a backup of a version earlier than 3.13.0 is absolutely necessary.
Reset the Hardware Appliance to the factory settings (factory reset).
Perform a downgrade with update before install.
Restart and Restore the backup.