Prepare for Upgrade

As a best practice, back up the system prior to performing an upgrade. If, after upgrade, you should need to restore the previous installation, you must have:

  • A recent backup of the database prior to the upgrade. This is performed within SQL Server, not in Privileged Identity.
  • The encryption key. This can be found in the management console by going to Settings > Encryption Settings, then clicking the Export button and saving the file to a secure location. If using a hardware security module (HSM), be sure you know the key store and PIN to access your HSM.
  • The previous installation software.

If the management console is installed on a virtual machine, it may be prudent to simply snapshot the virtual machine.

Upgrade Outline

  1. Stop the deferred processing and zone processor services. This ensures that jobs will not be processed during the database upgrade and helps prevent any data loss or corruption.
  2. Stop the web application and web services. This ensures users will not be able to generate new database activity (jobs, auditing, etc.) while the upgrade takes place.
  3. Upgrade the console.
  4. Deploy the upgraded web application and web service.
  5. Deploy the upgraded deferred and zone processor services.
  6. Deploy ancillary components such as PowerShell, application launcher, etc.

Stop the Existing Deferred Processing Services

  1. From the management console, click Jobs from the left action pane.
  2. On the Stored Jobs dialog, click Job Queues.
  3. On the Job Queues dialog, select all items of type Deferred Processing Service and click Get Job Queue and Service Status.
  4. Immediately expand each Deferred Processing Service and check the status column for Currently Running. The status should indicate No jobs are currently being run by this processor.
  5. If the status indicates a job is running, it is best to wait for the job to finish or you may damage the job or cause other problems in your network due to a partially complete job. Further, if a job is running, also check the Queued Jobs column for the deferred processor and note how many jobs are in the queue to process. It will be best to wait for the jobs to finish or to take note of their Job IDs and disable them before they are run so you may perform the upgrade. When you start the processors post-upgrade, all past-due jobs will be run as soon as possible.
  6. If the jobs list is empty, go to the Services snap-in within Windows, locate RED Identity Management Deferred Processing Service and stop the service.

This service was called Enterprise Random Password Manager Deferred Processing Service in version 5.5.2 of the software.

  7. Repeat step 5 for each management console installed.

Stop Existing Zone Processors

  1. From the management console, click Jobs from the left action pane.
  2. On the Stored Jobs dialog, click Job Queues.
  3. On the Job Queues dialog, select all items where the zone processor column is NOT listed as Deferred Processing Service and click Get Job Queue and Service Status.
  4. Immediately expand each zone processor service and check the status column for Currently Running. The status should indicate No jobs are currently being run by this processor.
    • If the status indicates a job is running, it is best to wait for the job to finish or you may damage the job or cause other problems in your network due to a partially complete job. Further, if a job is running, also check the Queued Jobs column for the deferred processor and note how many jobs are in the queue to process. It will be best to wait for the jobs to finish or take note of their Job IDs and disable them before they get run so you may perform the upgrade. Don't worry, when you start the processors post-upgrade, all past due jobs will be run as soon as possible.
  5. If the jobs list is empty, cancel the Job Queues dialog and click on Zone Processors from the Stored Jobs dialog.
  6. Right-click on each zone processor and select Stop Service. If there are any problems communicating with the services control manager on the remote systems, you will need to go to each system, open the Services snap-in within Windows, locate RouletteSked${ZONE-NAME} and stop the service.
  7. Repeat step 6 for each zone processor.

Remove any Existing Deferred Processing Services if Necessary

If you are upgrading from version 5.5.0 or later of the solution, you may simply replace key files on the zone processor host, or you may follow the removal/re-deploy steps that follow. If simply replacing the files, the file list is provided later in this process. If upgrading from version 5.4.0 or earlier, all previous zone processor installations should be removed. The required files and registry configurations have changed.

The method for removing zone processors depends on whether the remote zone processor host can be managed remotely from the management console or not.

There is no way to tell in the console how a zone processor was deployed. If you are unsure, start by trying to remove the zone processor from the console. If there are any failures to communicate or perform the first action (file removal), stop and follow the steps in the alternate subsection below.

If the remote zone processor host can be managed remotely from the management console and was deployed by the management console:

  1. From the management console, click Jobs from the left action pane.
  2. From the Stored Jobs dialog, click Zone Processors.
  3. From the Zone Processors dialog, right-click the zone processors in question and select Remove.
  4. You will be prompted to remove the service files, service registry settings, and finally the service registration. Select Yes for each prompt.

If the remote zone processor host was not deployed by the management console:

There is no way to tell in the console how a zone processor was deployed. If you are unsure, start by trying to remove the zone processor from the console. If there are any failures to communicate or perform the first action (file removal), stop and follow the steps below.

  1. Log in to the zone processor host.
  2. Open Programs and Features.
  3. Find the Zone Processor installer and remove it. It will have a name similar to BeyondTrust Zone Processor.
  4. From the management console, click Jobs from the left action pane.
  5. From the Stored Jobs dialog, click Zone Processors.
  6. From the Zone Processors dialog, right-click the zone processors in question and select Delete Registration.

Stop the Web Application and Web Service in IIS

  1. Open IIS on the web application and web service hosts.
  2. Expand the host server.
  3. Expand Sites.
  4. Right-click on the parent root web site and click Manage Web Site > Stop.
  5. Repeat this step for each web application and web service host.

Stop the Web Application and Web Service COM+ Applications

  1. Open Component Services (dcomcnfg.exe) on the web application and web service hosts.
  2. Expand Component Services.
  3. Expand Computers.
  4. Expand My Computer.
  5. Select the COM+ Applications folder.
  6. Shut down the COM+ application:
    • For the web application, right-click on PWCWebComApp and select Shutdown.
    • For the web service application, right-click on the web service and select Shut down.
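
The stop steps above (job processor services, IIS site, COM+ applications) can also be scripted per host. The following is an added example, not BeyondTrust code: the function name, the -JobQueuesIdle switch, and the default site name are assumptions, and the web service COM+ application name must be supplied because this page does not state it.

```powershell
# Added example (not BeyondTrust code). Run elevated on each console, zone
# processor, and web host. -SiteName and any extra -ComApplication names are
# assumptions: the page does not give the site or web service application name.
function Stop-PiHostForUpgrade {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [switch]$JobQueuesIdle,   # pass only after the console shows no running jobs
        [string]$SiteName = 'Default Web Site',
        [string[]]$ComApplication = @('PWCWebComApp')
    )
    # Deferred processing service (current and 5.5.2 display names) and zone processors.
    $deferred = 'RED Identity Management Deferred Processing Service',
                'Enterprise Random Password Manager Deferred Processing Service'
    $services = @(Get-Service | Where-Object {
        $deferred -contains $_.DisplayName -or
        $_.Name -like 'RouletteSked*' -or $_.DisplayName -like 'RouletteSked*' })
    $running = @($services | Where-Object Status -ne 'Stopped')
    if ($running.Count -gt 0 -and -not $JobQueuesIdle) {
        Write-Warning 'Job processors are running. Check Job Queues in the console, then rerun with -JobQueuesIdle.'
        return $running | Select-Object Name, DisplayName, Status
    }
    foreach ($svc in $running) {
        if ($PSCmdlet.ShouldProcess($svc.DisplayName, 'Stop service')) {
            Stop-Service -InputObject $svc
        }
    }
    # Web tier: stop the parent site, then shut down the COM+ applications.
    if (Get-Module -ListAvailable -Name WebAdministration) {
        Import-Module WebAdministration
        $site = Get-Website | Where-Object Name -eq $SiteName
        if ($site -and $site.State -ne 'Stopped' -and
            $PSCmdlet.ShouldProcess($SiteName, 'Stop web site')) {
            Stop-Website -Name $SiteName
        }
    }
    $catalog = New-Object -ComObject COMAdmin.COMAdminCatalog
    $apps = $catalog.GetCollection('Applications')
    $apps.Populate()
    $installed = @($apps | ForEach-Object { $_.Name })
    foreach ($app in @($ComApplication | Where-Object { $installed -contains $_ })) {
        if ($PSCmdlet.ShouldProcess($app, 'Shut down COM+ application')) {
            $catalog.ShutdownApplication($app)
        }
    }
    # Report final service state so it can be recorded with the change.
    $services | ForEach-Object { $_.Refresh(); $_ } | Select-Object Name, DisplayName, Status
}

Stop-PiHostForUpgrade -WhatIf   # dry run: lists what would be stopped
```

The script cannot see the job queues, so the console check for running and queued jobs still has to be done before passing -JobQueuesIdle.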