This article describes how to upgrade Smart ID Certificate Manager to the latest version. For all other upgrade paths, contact Nexus.
...
Sequential upgrade process
To upgrade from older versions to newer versions, you must upgrade each version step-by-step.
...
This article describes how to upgrade Smart ID Certificate Manager to the latest version. For all other upgrade paths, contact Nexus.
Info |
---|
Sequential upgrade process To upgrade from older versions to newer versions, you must upgrade each version step-by-step. Example: Starting upgrade from 8.9.0, you must upgrade to 8.6.1 10 and thereafter to 8.711.10. |
Note |
---|
8.4.0 was replaced by 8.4.1. For more information, see Release note Certificate Manager 8.4.1. |
Prerequisites
...
Certificate Manager is installed. See Smart ID Certificate Manager.
Stop the Nexus CIS, CF, and SNMP services. For more information, see Start Certificate Manager server components.
Use the files in the folder Upgrade/Upgrade from CM x.x.x to x.x.x.
Info |
---|
Example To upgrade from 8.39.0 to 8.711.10, use the files in the following folders in sequence: Upgrade from CM 8.39.x to 8.4.1Upgrade from CM 8.4.x to 8.5.0 10.0 Upgrade from CM 8.510.x to 8.6.1Upgrade from CM 8.6.x to 8.7.111.0
|
Step-by-step instruction
1. Upgrade database
...
Info |
---|
Select version Make sure to select the specific script for the upgrade. You must run each DB script from the start version to the target version in sequence. The script examples below displays x_x_x as a reference to the CM version number that you are upgrading todisplays x_x_x as a reference to the CM version number that you are upgrading to. |
Note |
---|
Exception: Upgrade from 8.10.0 and earlier Support for MariaDB version below 10.5 has been removed in version 8.10.0 (and later) of Certificate Manager. If you use MariaDB version below 10.5, you must upgrade before you proceed with the steps below. |
Note |
---|
Exception: Upgrade from 7.18.x to 8.0.0 Support for the Oracle database version 11g has been removed in version 8.0.0 of Certificate Manager due to EOL. If you use Oracle 11g, you must upgrade before you proceed with the steps below. |
...
Database | Script | Comment |
---|
MSSQL | database/CMDBUpgrade_MSSQL_x_x_x.sql | The following applies: If there are no scripts included in the release bundle, go to the next step in this upgrade instruction (Upgrade Certificate Manager services). If there are scripts included in the release bundle, run all included scripts.
|
MySQL | database/CMDBUpgrade_MySQL_x_x_x.sql |
Oracle | database/CMDBUpgrade_Oracle_x_x_x.sql |
PostgreSQL | database/CMDBUpgrade_PostgreSQL_x_x_x.sql |
MariaDB | database/CMDBUpgrade_MariaDB_x_x_x.sqlStarting from 8.2.x to 8.3.0, you must run the database script for MariaDB.CMDBUpgrade_MariaDB_x_x_x.sql | |
AzureSQL | database/CMDBUpgrade_AzureSQL_x_x_x.sql | Starting from 8.6.x to 8.7.0, you must run the database script for AzureSQL. | |
2. Upgrade Certificate Manager services
The Certificate Manager server components are installed and run as services. Do the the following steps at the server(s) that runs any of the Nexus CF, Nexus CIS, or Nexus SNMP services.
...
Before you start, make sure to:
Upgrade the Certificate Manager databases, see step "1. Upgrade database".
Stop the Nexus CIS, CF, and SNMP services. For more information, see Start Certificate Manager server components.
...
Upgrade the Certificate Manager databases, see step "1. Upgrade database".
From 7.18.x to 8.0.0
Expand |
---|
|
Make a backup copy of these folders before applying any changes: <cm-server-home>/config <cm-server-home>/lib
On the server(s) running the Nexus CF, Nexus CIS, or Nexus SNMP services: Do the configuration changes in <cm-server-home>/config/ described in the respective files under the <server> folder. Remove the following files from <cm-server-home>/config:
The suggested default log levels for CM-SNMP has been reduced from FINEST to INFO. If you use CM-SNMP and want to change to the new default values, change this in the file <cm-server-home>/config/snmplog.properties. The following deprecated modifiers have been replaced or removed. If you use customized format files, make sure that none of the deprecated modifiers are used. These deprecated modifiers have been replaced: SubjectKeyIdAdder > SubjectKeyIdentifierModifier ScepUniqueness > RenewalAllowed AltNameModifier > SubjectAltNameModifier
These deprecated modifiers have been removed:
Info |
---|
Updated license file required CM 8.x requires an updated license file in order to start. License files issued for CM 7.x cannot be used for CM 8.x. Place the updated license file in the directory <cm-server-home>/license/. |
|
expand | title |
---|
From 8.0.x to 8.1.0
Expand |
---|
|
Make a backup copy of these folders before applying any changes: <cm-server-home>/config <cm-server-home>/lib
On the server(s) running the Nexus CF, Nexus CIS or Nexus SNMP services: Do the configuration changes in <cm-server-home>/config/ described in the respective files under the <server> folder. Note the important changes described in the file changes-formats.txt. The file is located here: <Upgrade\Upgrade from CM 8.0.x to 8.1.0\server>. The tool used in changes-formats.txt requires updated lib files. Therefore those instructions should be executed after the new jar files has been replace in the final upgrade instruction. From Upgrade files CM 8.1.0/server/inputviews, add the following files to <cm-server-home>/inputviews, or replace if any of these files already exist:
|
Expand |
---|
title
|
From 8.1.x to 8.2.0
Expand |
---|
|
Make a backup copy of these folders before applying any changes: <cm-server-home>/config <cm-server-home>/lib
On the server(s) running the Nexus CF, Nexus CIS, or Nexus SNMP services: Do the configuration changes in <cm-server-home>/config/ described in the respective files under the <server> folder.
|
Expand |
---|
title
|
From 8.2.x to 8.3.
...
0
Expand |
---|
|
Make a backup copy of these folders before applying any changes: <cm-server-home>/config <cm-server-home>/lib
On the server(s) running the Nexus CF, Nexus CIS or Nexus SNMP services: Do the configuration changes in <cm-server-home>/config/ described in the respective files under the <server> folder. From <Upgrade files CM 8.3.0/server/inputviews>, add the following file to <cm-server-home>/inputviews:
|
Expand |
---|
title |
From 8.3.x to 8.4.1
Expand |
---|
|
Make a backup copy of this folder before applying any changes: <cm-server-home>/config
Do the configuration changes in <cm-server-home>/config/ described in the respective files under the <server> folder. From Upgrade files CM 8.4.1/server/inputviews, add these files to <cm-server-home>/inputviews: est-auth-cert.conf its-station-registration.conf
|
Expand |
---|
title
|
From 8.4.x to 8.5.0
Expand |
---|
|
titleMake a backup copy of these folders before applying any changes: <cm-server-home>/config <cm-server-home>/lib <cm-server-home>/bin <cm-server-home>/deliverynotes
Do the configuration changes in <cm-server-home>/config/ described in the respective files under the <server> folder. Depending on which 8.4.x version you are currently on, some of the changes may already have been performed as part of an earlier upgrade. On the servers running the Nexus CF, Nexus CIS or Nexus SNMP service, remove all jar files in the <cm-server-home>/lib folder. Start the Nexus CIS, CF and SNMP services.
|
Expand |
---|
have been performed as part of an earlier upgrade.
|
From 8.5.x to 8.6.1
Expand |
---|
|
Make a backup copy of these folders before applying any changes: <cm-server-home>/config <cm-server-home>/lib <cm-server-home>/bin <cm-server-home>/deliverynotes
Do the configuration changes in <cm-server-home>/config/ described in the respective files under the <server> folder.
Depending on which 8.5.x version you are currently on, some of the changes may already have been performed as part of an earlier upgrade. The ability to manually build CRLs and CILs has been moved from the officer role "Use AWB" to its own role in "Manual build of CRL and CIL". As such, if you have officers that should be able to perform manual builds of CXLs, then their officer profiles will need to be updated. |
Expand |
---|
title |
From 8.6.x to 8.7.1
Expand |
---|
|
When you upgrade CM from 8.6.x to 8.7.1, execute only the database script in the folder "Upgrade from CM 8.6.x to 8.7.0" in the release bundle.Do not use the script in the folder "Upgrade from CM in the release bundle. Do not use the script in the folder "Upgrade from CM 8.7.0 to 8.7.1" Make a backup copy of these folders before applying any changes: <cm-server-home>/config <cm-server-home>/lib <cm-server-home>/bin <cm-server-home>/deliverynotes
Do the configuration changes in <cm-server-home>/config/ described in the respective files under the <server> folder.
From 8.7.0 to 8.7.1" Important! Certificate Manager version 8.7.0 is no longer available on Nexus support portal. Make a backup copy of these folders before applying any changes: <cm-server-home>/config <cm-server-home>/lib <cm-server-home>/bin <cm-server-home>/deliverynotes Do the configuration changes in /deliverynotes
Do the configuration changes on the server(s) running the Nexus CF, Nexus SNMP and Nexus CIS service in: <cm-server-home>/config/ and <cm-server-home>/configinputviews/ described described in the respective files under the <server> folder. From Upgrade files CM 8.7. 0 to 1/server/inputviews, add the following file to <cm-server-home>/inputviews:
|
From 8.7.
...
Important! Certificate Manager version 8.7.0 is no longer available on Nexus support portal.
x to 8.8.0
Expand |
---|
|
title | From 8.7Make a backup copy of these folders before applying any changes:applying any changes: <cm-server-home>/config <cm-server-home>/lib <cm-server-home>/bin <cm-server-home>/deliverynotes
Do the configuration changes on the server(s) running the Nexus CF, Nexus SNMP and Nexus CIS service in: <cm-server-home>/config / and <cm-server-home> /lib<cm-server-home>/bin /inputviews/ described in the respective files under the <server> folder. Depending on which 8.7.x version you are currently on, some of the changes may already have been performed as part of an earlier upgrade. From Upgrade files CM 8.9.0/server/inputviews, add the following files to <cm-server-home>/deliverynotes Do the configuration changes on the server(s) running the Nexus CF, Nexus SNMP and Nexus CIS service in: <cm-server-home>/config/ and <cm-server-home>/inputviews/ described in the respective files under the <server> folder. From inputviews: From Upgrade files CM 8. 79. 10/server/ inputviewsconfig, add the following file to <cm-server-home>/ inputviewsconfig: kerberos-pkinit-san
Rename any custom formats files used by Certificate Manager that has a filename that begins with the "_" character to something the does not begin with the "_" character. The reason for this is that formats starting with "_" will not be loaded.
|
---|
Expand |
---|
Only for upgrades coming from earlier that 8.1.x: Run any steps that may have been postponed in earlier steps, such as those required for "copycacerts" when upgrading from CM 7.17.x or those in changes-format.txt when upgrading from CM 8.0.x.
|
From 8.8.x to 8.
...
9.0
Expand |
---|
|
Make a backup copy of these folders before applying any changes: <cm-server-home>/config <cm-server-home>/lib <cm-server-home>/bin <cm-server-home>/deliverynotes
Do the configuration changes on the server(s) running the Nexus CF, Nexus SNMP, and Nexus CIS service in: <cm-server-home>/config/ and <cm-server-home>/inputviews/ described in the respective files under the <server> folder. Depending on which
|
From 8.
...
9.x to 8.10.0
Expand |
---|
|
Make a backup copy of these folders before applying any changes: <cm-server-home>/ inputviews:config
v2x<cm- enroll-enabling-registration.confkerberos-pkinit-san.conf From Upgrade files CM 8.9.0/server/config, add the following file to server-home>/lib <cm-server-home>/bin <cm-server-home>/ config:Rename any custom formats files used by Certificate Manager that has a filename that begins with the "_" character to something the does not begin with the "_" character. The reason for this is that formats starting with "_" will not be loaded. Only for upgrades coming from earlier that 8.1.x: Run any steps that may have been postponed in earlier steps, such as those required for "copycacerts" when upgrading from CM 7.17.x or those in changes-format.txt when upgrading from CM 8.0.x.
|
Expand |
---|
|
deliverynotes Do the configuration changes on the server(s) running the Nexus CF, Nexus SNMP, and Nexus CIS service in: <cm-server-home>/config/ described in the respective files under the <server> folder.
|
From 8.10.x to 8.11.0
Expand |
---|
|
Make a backup copy of these folders before applying any changes: <cm-server-home>/config <cm-server-home>/lib <cm-server-home>/bin <cm-server -home>/deliverynotesMake sure 64-bit Java SE 17 is installed and properly configured to be used by the CF, CIS and SNMP services. See BACKUP - Certificate Manager requirements and interoperability for more information. On Linux-home>/deliverynotes On Linux, if you are upgrading from a Certificate Manager version earlier than 8.9.x, remove the Nexus CIS, CF and SNMP services using the cmservices tool: <install_root>/bin/cmservices remove cf <install_root>/bin/cmservices remove cis <install install_root>/bin/cmservices remove cmsnmp Do the configuration changes on the server(s) running the Nexus CF, Nexus SNMP, and Nexus CIS service in: <cm-server-home>/config/ and <cm-server-home>/inputviews/ described in the respective files under the <server> folder. Rename any custom formats files used by Certificate Manager that has a filename that begins with the "_" character to something the does not begin with the "_" character. The reason for this is that formats Formats starting with "_" will not be loaded. On the servers running the Nexus CF, Nexus CIS, or Nexus SNMP service, remove all jar files in the <cm-server-home>/lib folder. Copy all jar files in Upgrade files CM 8.911.0/server/lib to <cm-server-home>/lib. Replace all files in <cm-server-home>/tools with the new ones in Upgrade files CM 8.911.0/server/tools. Copy all files in Upgrade files CM 8.911.0/server/bin to <cm-server-home>/bin, replacing the old ones. Copy all files in Upgrade files CM 8.911.0/server/deliverynotes to <cm-server-home>/deliverynotes, replacing the old ones. If you are upgrading from a Certificate Manager version earlier than 8.9.x, you must re-install the cmservices. On Linux, reinstall the Nexus CIS, CF and SNMP services using cmservices tool, replacing "cmuser" with the user who shall run the systemd services: <install_root>/bin/cmservices install cf cmuser cmuser <install_root>/bin/cmservices install cis cmuser cmuser <install_root>/bin/cmservices install cmsnmp cmuser cmuser Only for upgrades coming from earlier that 8.1.x: Run any steps that may have been postponed in earlier steps, such as those required for "copycacerts" when upgrading from CM 7.17.x or those in changes-format.txt when upgrading from CM 8.0.x. Configure java CF to use Make sure 64-bit Java SE 17 is installed and properly configured to be used by the CF, CIS and SNMP services. See Certificate Manager - requirements and interoperability for more information. Configure services to use Java 17. On Windows open the Registry Editor. In "HKEY_LOCAL_MACHINE\SOFTWARE\Nexus\Service Parameters\CF<CF/CIS/SNMP>". Edit the variable JREPath so it instead points to Java 17 home directory. On Linux, navigate to <install_root>/bin and edit the JAVA variable in the <cf/cis/cmsnmp>_launch.conf to point to Java 17.
Start the Nexus CIS, CF, and SNMP services.
|
3. Upgrade Certificate Manager clients
Expand |
---|
title | From 7.18.x to 8.0.0 |
---|
|
The directory containing user-specific settings has moved. These settings include the list of favorite CM servers, the trust store for the server TLS certificates, selected columns in various GUI elements, and other client-specific settings. To keep the settings from a previous client installation, move the following directories to the new location: On Windows: On Linux: |
Expand |
---|
|
Do the following: Shut down all the Certificate Manager clients. Make sure Java SE 17 is installed and set as default Java on the system. Certificate Manager clients can be run on both 32-bit and 64-bit JDKs with the following limitations: Linux: 64-bit Java is required in order to use clients with Personal. Windows: After the upgrade, if a javaw.exe binary exists under the C:\Windows\SysWOW64 folder, clients will continue to run on 32-bit Java even if default JDK is 64-bit. Remove this binary (and javaws.exe, java.exe) in order to run the clients on 64-bit Java.
Backup the <cm-client-home>/config folder. Uninstall the Certificate Manager clients components, see Uninstall Certificate Manager server components and clients. On Windows use "Programs and Features" to uninstall "Certificate Manager Clients Components". On Linux, run <cm-client-home>/install/setup.sh -u.
Remove any remaining hotfix jar files in the <cm-client-home>/lib folder. On Linux, if there is a <cm-client-home>/P11 folder, backup any config file with customizations to Personal Desktop Client and then delete the folder.
Install the new version of the clients, included in the delivery of Certificate Manager. Apply any customizations to the new configuration files in the <cm-client-home>/config folder.
The officer role "Use AWB" is now used for read-only access to the AWB and no longer has permission to do manual builds of CRLs and CILs. Instead, the role "Manual build of CRL and CIL" is needed to perform manual builds. The officer profile that was previously used by the officer that performed manual builds must now be modified to include the role "Manual build of CRL and CIL". |
4. Upgrade Certificate Manager Protocol Gateway
See Upgrade Protocol Gateway.
...