Applies To:
Trust Protection Platform 16.2
This is an update to the article for Trust Protection Platform 14.2 found here: https://support.venafi.com/hc/en-us/articles/215912797-What-happens-with-each-migration-task-during-an-upgrade
Summary:
During an upgrade, migration tasks are run.
What is a migration task? A migration task programmatically alters data in the product database, either to prepare it for compatibility with the upgrade or to address previously found issues with the data schema.
Below you will find additional detail about what actually occurs during each of those tasks:
Note: The log pertaining to the migration can be found at [Drive Letter]\Program Files\Venafi\Logs\VCC Installation Log.txt
Increasing the TCP MaxUserPort parameter to 12240 for the Discovery Engine.
If the discovery feature was selected, the maximum number of TCP connections is increased to 12240.
Performing Pre-Schema migration tasks
The tasks could change from release to release. For version 16.2, the tasks are:
- MigrateCACertificateClasses Removes the relationship between a managed certificate and root / intermediate root certificate.
- MigrateCertificateAssociations Migrates certificate association data to match the updated schema
Importing Schema
Any file listed in schema\schemainstall.lst will be processed by schematic
Importing Product Schema
Depending on which products are selected, the following files will be processed:
Certificate_Objects.lst
MobileCert_Objects.lst
Ssh_Objects.lst
Symmetric_Objects.lst
Creating Administrative user account
Creates admin user account for the local identity provider (Venafi's local identity provider)
Creating Log Processor
Creates the Log Server. The Log Server processes log events and generates notifications based on the notification rules for each event.
Importing Logserver schema
Imports the Log Server schema.
Activating/Disabling Logserver Windows service
If the Log server service was selected, this step activates the service, otherwise, it disables it.
Initializing Venafi Framework, Operational Tasks
Initializes the full framework to provide access to the certificates as well as to the encryption drivers. This enables tasks such as importing HTML emails into the vault.
Initializing Venafi Operational Certificate
If the Venafi Operational Certificate does not already exist, this step creates a self-signed certificate for the Venafi Web UIs to use for HTTPS communication. Note: this certificate can be replaced later with a CA-signed certificate.
Importing default Logserver objects
Imports the default Log Server objects
Configuring service modules
Enables or disables service modules (e.g. Discovery, Validation, Reporting, etc.) based on the preferences set in the configuration wizard.
Activating/Disabling Venafi Trust Protection Platform Windows service
If Validation, Discovery, Certificate processing, Reporting, Monitoring, CAImport or OBDDiscovery is selected, then the 'Venafi Trust Protection Platform' Windows service is activated; otherwise it is disabled.
Performing Post-Schema migration tasks
These tasks depend on the version of TPP. The ones for version 16.2 are:
- MigCertExt2Pattern This migrator changes the default cert scanner extensions and any added customer extensions to patterns (e.g. .pem to *.pem).
- MigrateCertificatePolicy Migrates certificate objects to new object classes
- MigrateCertificateType Fixes cases where certificates were misclassified as root certificates instead of self-signed certificates.
- MigrateDefaultLogObject If this is not a First Upgrade, this migrator cleans up the Secret Store to delete abandoned html email (file) entries that are no longer connected to an SMTP channel object. These abandoned html email (file) entries are created by importing the DefaultLogObject.xml file over and over again or by installing and upgrading. Read all the SMTP channels.
- MigrateDeviceOsType Updates the device OS Type data to be written as OS_TYPE instead of OS_TYPE|<DATE TIME>.
- MigrateDNSyntax Migrates Username Credential attribute values from String syntax to DN syntax.
- MigrateF5LTMAdvanced Converts the "Partition" attribute to "Virtual Server Partition" on F5 LTM Advanced App objects and in Policy objects.
- MigrateFixMismatchedRights If a user has config read to a container or certificate, then they should have read to secret store certificates. This migrator makes sure that is the case.
- MigrateGenOnAppHashSettings Sets the CSR Hash default to SHA1 where policy or config settings have gen on app configured.
- MigrateIdentityRoot Mutates the Identity Root object from an 'Organization' to an 'Identity Root' object so the object could have new attributes specifically created for identity related items.
- MigrateIIS5 Migrates IIS5 Basic App objects.
- MigrateJenkinsHash Stores Jenkins Hashes computed with subject DNs for the existing root / intermediate root certificates into the association table to verify CRL.
- MigratePolicyRights Migrates Policy rights
- MigratePortalCertificateTask Migrates data from PortalCertificateWork objects to clientUserCertificateWork objects
- MigrateProxy Moves the proxy to the platforms tree. Previously it was in the policy tree, where you could set a different proxy for all CAs but could not set one for everything, as you can now that it is in the platforms tree.
- MigratePublicKeyHash Cleans up discovery results that weren't properly deleted when the containing object was deleted.
- MigratePublicKeyTypes Changed all public keys to be of one vault type with an association stating what type of key it is (RSA, DSA, ...)
- MigrateUserPreferences User preferences changed to a single API. This migrator converts all the preferences to match the format for the new API set.
- MigrateValidationSettings The settings / attributes used were modified so this driver will migrate existing settings to the new expected format
Creating IIS Website(s), SDK Website, Aperture Website
If these features were selected, the IIS sites are created at this time. The IIS sites that are created are:
- Web admin
- SDK
- Aperture
- Network Device Enrollment (SCEP)
- Network Device Enrollment Service (NDES)
- Client REST Handler
If WinAuth is selected, this step will set up the login identity on the services (vplatform and logserver). Otherwise, it will clear any previously set up identities on the services.
Setting IIS Identities
If WinAuth is selected, this step will set up the login identity on the application pools. Otherwise, it will clear any previously set up identities on the application pools.
Stopping default web site
This step stops the default website that is created on install of IIS so that Venafi can use ports 80 and 443 by default.
Starting Venafi web site
This step starts the Venafi applications and websites
Starting services
This step starts the "Venafi Trust Protection Platform" and "Venafi Log Server" services
Configuration complete.
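The outcomes of several steps above can be checked after the upgrade finishes. The following PowerShell is an added example, not Venafi code: the function name Test-TppPostUpgrade is hypothetical, and it assumes the web UI answers on localhost:443, that the installer writes MaxUserPort to the standard Tcpip registry key, and that the IIS default site still has its stock name "Default Web Site".

```powershell
# Added example, not Venafi code. Run elevated on the Trust Protection Platform server.
function Test-TppPostUpgrade {
    param(
        [string]$HostName = 'localhost',  # assumption: the web UI answers locally on 443
        [switch]$DiscoverySelected        # pass if Discovery was selected in the wizard
    )
    $checks = [ordered]@{}

    # Assumption: the installer sets MaxUserPort as the standard Tcpip registry value.
    if ($DiscoverySelected) {
        $key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
        $port = (Get-ItemProperty -Path $key -Name MaxUserPort -ErrorAction SilentlyContinue).MaxUserPort
        $checks['MaxUserPort is 12240'] = ($port -eq 12240)
    }

    # Services started in the last step (display names as given in the article).
    # A service the wizard disabled on purpose will report False here.
    foreach ($name in 'Venafi Trust Protection Platform', 'Venafi Log Server') {
        $svc = Get-Service -DisplayName $name -ErrorAction SilentlyContinue
        $checks["Service '$name' is running"] = ($null -ne $svc -and $svc.Status -eq 'Running')
    }

    # The IIS default site must not hold ports 80 and 443.
    Import-Module WebAdministration -ErrorAction Stop
    $default = Get-Website | Where-Object { $_.Name -eq 'Default Web Site' }
    $checks['Default Web Site is stopped or absent'] = ($null -eq $default -or $default.State -eq 'Stopped')

    # Read the certificate served on 443; Subject equal to Issuer indicates self-signed.
    # The callback accepts any certificate because the goal is to inspect it, not to trust it.
    $acceptAny = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
    $tcp = $ssl = $null
    try {
        $tcp  = New-Object System.Net.Sockets.TcpClient($HostName, 443)
        $ssl  = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAny)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $checks['HTTPS certificate is not self-signed'] = ($cert.Subject -ne $cert.Issuer)
    } catch {
        $checks['HTTPS endpoint reachable on 443'] = $false
    } finally {
        if ($ssl) { $ssl.Dispose() }
        if ($tcp) { $tcp.Close() }
    }
    $checks.GetEnumerator() | ForEach-Object {
        [pscustomobject]@{ Check = $_.Key; Passed = $_.Value }
    }
}
Test-TppPostUpgrade -DiscoverySelected | Format-Table -AutoSize
```

A False on the certificate check means the self-signed Venafi Operational Certificate is still being served and has not yet been replaced with a CA-signed one.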