Monday, February 18, 2019

The (updated) Definitive EJBCA Upgrade Guide

With the release of EJBCA 7.0 and subsequent drop of support for JDK7/JEE6, we've updated the upgrade guide that we published back in 2017 to reflect these changes. With no further ado, here it goes:

tl;dr:

The official steps for upgrading any EJBCA installation are:

If running EJBCA < 4.0.16 on JDK6 or earlier:
  1. Upgrade to EJBCA 4.0.16
  2. Run ant upgrade from the console
  3. Run ant post-upgrade from the console
  4. Continue below
If running EJBCA >= 4.0.16 but < 5.0.12 on JDK6 or earlier:
  1. Upgrade to EJBCA 6.3.2.6
  2. Run ant upgrade from the console
  3. Run ant post-upgrade from the console
  4. Upgrade to JDK8 
  5. Upgrade application server to a JEE7 supporting application server
  6. Deploy the latest version of EJBCA 
  7. Run ant upgrade from the console
  8. Run post-upgrade from the UI
    If running EJBCA >= 5.0.12 but < 6.4.0:
        1. Upgrade to JDK8 
        2. Upgrade application server to a JEE7 supporting application server 
        3. Upgrade to latest version of EJBCA 
        4. Run ant upgrade from the console
        5. Run post-upgrade from the UI
        If running EJBCA >= 6.4.0:
        1. Upgrade to latest version of EJBCA 
        2. Run post-upgrade from the UI

        Example:

        A typical upgrade path:

        1. EJBCA 4.0.16 (on JDK6, JBoss 5.1.0.GA) 
        2. EJBCA 6.3.2.6 (on JDK6, JBoss 5.1.0.GA) 
        3. EJBCA 6.3.2.6 (on JDK8, WildFly 12) 
        4. EJBCA 7.x

              Concepts

              The background to writing this guide both stems from the understandable confusion in regards to upgrading EJBCA and many of our users experiencing problems when upgrading decade old installations. Thus there are some concepts we'd like to go through and explain:

              The Intermediate Release: EJBCA 6.3.2.6

              During EJBCA 6.8.0 we refactored the roles and access rules massively, which lead to an upgrade break when upgrading from versions of EJBCA prior to 5.0 (though upgrading via EJBCA 5.0 was still possible). As we realized that solving this issue while preserving 100% uptime requirements (see below) was impossible, as well as due to the technology jump (see the next section) and bugs that we discovered while testing upgrading from ancient installations, we created EJBCA 6.3.2.6 in order to handle all the intermediate steps. As of today EJBCA 6.3.2.6 is published and available in the Community Edition on SourceForge, and in the download area for customers.  

              Technology Jump - JDK6 → JDK7

              When: EJBCA 6.4.0

              All good things must come to an end, as must support for legacy runtime versions. As much as we value not having to put our customers through unnecessary hoops by forcing them to upgrade underlying technology such as the JDK, at some point we have to drop support due for several reasons: being held back by not being able to use modern developments, because other dependent systems like Application Servers drop support as well and because the JDKs themselves come to the end of their service lives and will no longer receive support from the vendor. 

              Technology Jump - JEE5 → JEE6

              When: EJBCA 6.4.0

              In EJBCA 6.4.0 we decided to move on to JDK7, which means that it can no longer be deployed to application servers based on JDK6 such as JBoss versions 4 and 5. The latest version that can still run under JDK6 is EJBCA 6.3.2.6. For an upgrade path this means that you can continue running on your old JBoss 5.1.0.GA server (JEE5) up to, and including, the EJBCA 6.3.2.6 intermediate release. At this stage you must upgrade JDK and the application server to JDK8 and JBoss EAP 7 or WildFly 10.

              Technology Jump - JDK7 → JDK8

              When: EJBCA 7.0.0

              With the planned drop of official support from JDK7 from Oracle during 2019, we've decided to drop JDK7 support. Internally this allows us to upgrade now aging libraries which have long since ceased receiving security updates.

              Technology Jump - JEE6 → JEE7

              When: EJBCA 7.0.0

              The loss of JEE6 support means that we've taken the chance to upgrade persistence definition files and library schemas to JEE7 standards. This means that EJBCA will no longer render on JEE6 application servers, meaning that minimal supported AS's are JBoss EAP7/Wildfly 10. 

              100% Uptime during Upgrade

              When: EJBCA 4.0

              While this may be familiar to many of you, EJBCA has ever since version 4.0 supported full uptime during upgrades for clustered installations. What this means is that we pledge that a clustered installation can continue to sign certificates, issue CRLs and answer OCSP queries during the upgrade process with no noticeable downtime for the end user. 

              This is why the upgrade process you may be familiar with is split up into two steps: upgrade and post-upgrade. In short, upgrade performs whatever steps may be required for the first node to be upgraded to be able to function once it comes online again, while post-upgrade performs whatever steps that remain (such as clean up) that can only be performed once all nodes are running the latest code. 

              Automatic Upgrade

              When: EJBCA 6.4.0

              Stunningly, prior to EJBCA 6.4.0 we hadn't actually thought of tracking the database version internally, thus requiring our user to manually enter this value. From EJBCA 6.4.0 and later we do in fact track this, doing away with the need to run the upgrade command entirely. Instead, it'll be automatically run from the first node running the upgraded code. 

              post-upgrade from Console

              When: EJBCA 6.8.0


              In a similar vein, as more and more of our customers run EJBCA on the PrimeKey Appliance and thus don't have access to the command line. As of EJBCA 6.8.0 it's been possible to perform post-upgrades from the UI. When a post-upgrade is required, the System Upgrade option will appear in the menu:
              Choosing it will bring you to a screen used to perform the post-upgrade action:

              Conclusion

              With this blog post and our latest round of QA, we hope that we've solved all existing upgrade issues, and that we can make running the latest version of EJBCA as easy and manageable as possible.

              Cheers!
              Tomas Gustavsson
              CTO

              Mike Agrenius Kushner
              Product Owner EJBCA

              2 comments:

              Jaime Hablutzel said...

              There is a typo. Where it says:

              The loss of JEE7 support means that we've taken the chance to upgrade persistence definition files and library schemas to JEE7 standards.

              It should say:

              The loss of JEE6 support means that we've taken the chance to upgrade persistence definition files and library schemas to JEE7 standards.

              Mike said...

              Ah, thanks! Corrected!