What Happens With Each Migration Task During An Upgrade

Applies To:

Trust Protection Platform 16.2

This is an update to the article for Trust Protection Platform 14.2 found here:


During an upgrade, migration tasks are run. 

What is a migration task? (answer: programmatically altering data in the product database to prepare it for compatibility for an upgrade or to address previously found issues with data schema)

Below you will find additional detail as to what is actually occurring during each of those tasks:
Note: The log pertaining to the migration can be found at [Drive Letter]\Program Files\Venafi\Logs\VCC Installation Log.txt
Increasing the TCP MaxUserPort parameter to 12240 for the Discovery Engine.

If the discovery feature was selected the maximum number of TCP connections is increased to 12240

Performing Pre-Schema migration tasks

The tasks could change from release to release. For version 16.2, the tasks are:
  1. MigrateCACertificateClasses Removes the relationship between a managed certificate and root / intermediate root certificate.
  2. MigrateCertificateAssociations Migrates certificate association data to match the updated schema

Importing Schema

Any file listed in schema\schemainstall.lst will be processed by schematic

Importing Product Schema

Depending on which product are selected, the following files will be processed:

Creating Administrative user account

Creates admin user account for the local identity provider (Venafi's local identity provider)

Creating Log Processor

Creates the Log Server. The Log Server processes log events and generates notifications based on the notification rules for each event.

Importing Logserver schema

Import Log server schema

Activating/Disabling Logserver Windows service

If the Log server service was selected, this step activates the service, otherwise, it disables it.

Initializing Venafi Framework, Operational Tasks

Initializes the full framework, to access to the certificates as well as to the encryption drivers. This enables tasks such as importing HTML emails into the vault.

Initializing Venafi Operational Certificate

If the Venafi Operational Certificate does not already exist, this step creates a self signed certificate for the Venafi Web UIs to use for HTTPS communication. Note* this certificate can be replaced later with a CA signed certificate.

Importing default Logserver objects

Imports the default Log Server objects

Configuring service modules

Enable or disable service modules (eg. Discovery, Validation, Reporting, etc...) based on preferences set in configuration wizard

Activating/Disabling Venafi Trust Protection Platform Windows service

If Validation, Discovery, Certificate processing, Reporting, Monitoring, CAImport or OBDDiscovery is selected then the 'Venafi Trust Protection Platform' windows service is activated, otherwise it is disabled

Performing Post-Schema migration tasks

These tasks depend on the version of TPP, here are the ones for version 16.2

  1. MigCertExt2Pattern This migrator changes the default cert scanner extensions and an added customer extensions to patterns. (ex. .pem to *.pem)
  2. MigrateCertificatePolicy Migrates certificate objects to new object classes
  3. MigrateCertificateType Fixed where certificates were misclassified as root certificates instead of self-signed certs
  4. MigrateDefaultLogObject If this is not a First Upgrade, this migrator cleans up the Secret Store to delete abandoned html email (file) entries that are no longer connected to an SMTP channel object. These abandoned html email (file) entries are created by importing the DefaultLogObject.xml file over and over again or by installing and upgrading. Read all the SMTP channels.
  5. MigrateDeviceOsType Updates the device OS Type data to be written as OS_TYPE instead of OS_TYPE|<DATE TIME>.
  6. MigrateDNSyntax Migrates Username Credential attribute values from String syntax to DN syntax. 
  7. MigrateF5LTMAdvanced converts "Partition" attribute to "Virtual Server Partition" on F5 LTM Advanced App objects and in Policy objects
  8. MigrateFixMismatchedRights if a user has config read to a container or certificate, then they should have read to secret store certificates, this migrator makes sure that is the case
  9. MigrateGenOnAppHashSettings sets CSR Hash default to SHA1 where policy or config settings have gen on app configured.
  10. MigrateIdentityRoot Mutates the Identity Root object from an 'Organization' to an 'Identity Root' object so the object could have new attributes specifically created for identity related items.
  11. MigrateIIS5 Migrates IIS5 Basic App objects. 
  12. MigrateJenkinsHash Stores Jenkins Hashes computed with subject DNs for the existing root / intermediate root certificates into the association table to verify CRL.
  13. MigratePolicyRights Migrates Policy rights
  14. MigratePortalCertificateTask Migrates data from PortalCertificateWork objects to clientUserCertificateWork objects
  15. MigrateProxy Sense was finally knocked and the proxy was moved to the platforms tree, instead of being in the policy tree where you could set a different proxy for all ca's but not set one for everything like you can now that it is in the platforms tree.
  16. MigratePublicKeyHash cleans up discovery results that weren't properly deleted when the containing object was deleted
  17. MigratePublicKeyTypes Changed all public keys to be of one vault type with an association stating what type of key it is (RSA, DSA, ...) 
  18. MigrateUserPreferences Changed to a single api for user preferences this migrated all the preferences to match the same format for the new api set.
  19. MigrateValidationSettings The settings / attributes used were modified so this driver will migrate existing settings to the new expected format

Creating IIS Website(s), SDK Website, Aperture Website

If these features were selected, the IIS sites are created at this time. The IIS sites that are created are:
  1. Web admin
  2. SDK
  3. Aperture
  4. Network Device Enrollment (SCEP)
  5. Network Device Enrollment Service (NDES)
  6. Client REST Handler
Setting Service Identities

If WinAuth is selected, this step will setup the login identity on the services (vplatform and logserver). Otherwise, it will clear any previously setup identities on the services.

Setting IIS Identities

If WinAuth is selected, this step will setup the login identity on the application pools. Otherwise, it will clear any previously setup identities on the application pools

Stopping default web site

This step stops the default website that is created on install of IIS so that Venafi can use port 80 and 443 by default

Starting Venafi web site

This step starts the Venafi applications and websites

Starting services

This step starts the "Venafi Trust Protection Platform" and "Venafi Log Server" services
Configuration complete.
Was this article helpful?
0 out of 0 found this helpful