Upgrade VeridiumID from 3.5.4/3.6/3.7 to v3.7.2
This document provides a step-by-step procedure to upgrade to VeridiumID 3.7.2.
It is recommended to take a snapshot of the servers before the update.
The procedure covers both update methods:
- using a configured YUM repository
- using local packages
The update is done without downtime, one node at a time. Start with the WEBAPP nodes and then do the installation on the PERSISTENCE nodes. To avoid any impact, take the node on which the installation is running out of the balancer.
A WEBAPP node is a server where websecadmin is installed; a PERSISTENCE node is a server where Cassandra is installed.
Application version 3.x is compatible with the 3.7.0 database schema.
Summary:
1) Download packages
2) Pre-requirements
3) Start Update
4) Post update steps
5) Other references
1) Download packages
Package URL | MD5 | SHA1 | Description |
---|---|---|---|
| | | VeridiumID Update packages archive containing all RPMs, for local update procedure RHEL8 |
| | | VeridiumID Update packages archive containing all RPMs, for local update procedure RHEL9 |
Download the package on the server and unzip it.
```bash
## Download the package on each server using the command below. Fill in the proxy IP, and the username and password provided by Veridium.
## It is recommended to execute these commands with the user that is going to do the installation.
## Download the package that matches your OS version.
## Check the OS version by running:
cat /etc/redhat-release
## RHEL8, Rocky8
export https_proxy=PROXY_IP:PROXY_PORT
wget --user NEXUS_USER --password NEXUS_PASSWORD https://veridium-repo.veridium-dev.com/repository/VeridiumUtils/Veridium-3.7.2-update/veridiumid-update-packages-rhel8-11.2.63.zip
## RHEL9, Rocky9
export https_proxy=PROXY_IP:PROXY_PORT
wget --user NEXUS_USER --password NEXUS_PASSWORD https://veridium-repo.veridium-dev.com/repository/VeridiumUtils/Veridium-3.7.2-update/veridiumid-update-packages-rhel9-11.2.63.zip
```
Another option is to upload the update package to a local repository, based on the OS the client is using: RHEL7, 8 or 9.
2) Pre-requirements
2.1) (MANDATORY) User requirements
We recommend using any user with sudo rights or root directly.
Python 3 must be installed. To check if you have a working Python 3 version, run the following command:
```bash
python3 --version
```
If Python 3 is not installed, please see section 5.1, How to install python 3.
3) Start Update
Please execute all commands as root or with a user that has sudo privileges.
3.1) Update using local packages
Execute the commands below on all nodes, first on the WEBAPP nodes and later on the PERSISTENCE nodes. Run the update on one server at a time, not in parallel.
```bash
TMP_DEST="/home/veridiumid/update372"
#### please choose the one that applies, based on your OS:
##RHEL8
unzip veridiumid-update-packages-rhel8-11.2.63.zip -d ${TMP_DEST}
##RHEL9
unzip veridiumid-update-packages-rhel9-11.2.63.zip -d ${TMP_DEST}
```
After this, update the application:
```bash
TMP_DEST="/home/veridiumid/update372"
sudo yum localinstall -y ${TMP_DEST}/packages/veridiumid_update_procedure-11.2.63-20250213.x86_64.rpm
sudo sed -i '104,115 {s/^/#/}' /etc/veridiumid/update-procedure/current/resources/scripts/372/set_for_java17.sh
sudo python3 /etc/veridiumid/update-procedure/current/preUpdateSteps.py --version 11.2.63 --rpm-path ${TMP_DEST}/packages/
sudo python3 /etc/veridiumid/update-procedure/current/startUpdate.py --version 11.2.63 --rpm-path ${TMP_DEST}/packages/
sudo bash /etc/veridiumid/scripts/check_services.sh
```
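An added example (not part of the Veridium procedure or its scripts) covering the download in section 1 and the unzip step in 3.1: it selects the archive name from the `/etc/redhat-release` string and unpacks only after the file's SHA1 matches the value published for that archive. The function names, the script name and the way the expected hash is passed in are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not Veridium code: pick the archive for this OS and verify its
# SHA1 before unpacking. The expected hash is supplied by the operator.
VERSION="11.2.63"

# Map a /etc/redhat-release line to the archive name used in section 1.
archive_for_release() {
    local major
    major=$(printf '%s\n' "$1" | sed -n 's/.*release \([0-9][0-9]*\).*/\1/p')
    case "$major" in
        8|9) printf 'veridiumid-update-packages-rhel%s-%s.zip\n' "$major" "$VERSION" ;;
        *)   echo "unsupported release: $1" >&2; return 1 ;;
    esac
}

# Return 0 on match, 1 on mismatch, 2 when the input cannot be checked.
verify_sha1() {
    local file="$1" expected actual
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] || { echo "missing file: $file" >&2; return 2; }
    # An empty or truncated hash must never count as "verified".
    printf '%s\n' "$expected" | grep -Eq '^[0-9a-f]{40}$' ||
        { echo "expected value is not a SHA1 hash" >&2; return 2; }
    actual=$(sha1sum "$file" | awk '{print $1}')
    [ "$actual" = "$expected" ] || { echo "SHA1 mismatch: $file" >&2; return 1; }
}

# Unpack the archive from the current directory only after the checksum matches.
safe_unpack() {
    local archive
    archive=$(archive_for_release "$(cat /etc/redhat-release)") || return 1
    verify_sha1 "$archive" "$1" || return 1
    unzip -q "$archive" -d "$2"
}

# Usage: ./verify_and_unpack.sh EXPECTED_SHA1 /home/veridiumid/update372
if [ "$#" -eq 2 ]; then
    safe_unpack "$1" "$2"
fi
```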
3.2) Update using a YUM repository
Starting with version 3.7.2, Java 17 is used. Please install this package before the update.
```bash
## please check JAVA version
java --version
## PLEASE INSTALL JAVA 17 from local repositories, if not already installed; it should be the OPENJDK distribution. Without this step the update will not be possible
sudo yum install java-17-openjdk -y
## Make sure that the old java version is still the default one; if not, configure it using the following command:
sudo update-alternatives --config java
```
Check if packages are visible in the repository. If the packages are not visible, please upload them into your repository, based on the OS you are using.
```bash
## check installed package
sudo yum list installed veridiumid_update_procedure
## check availability of the new package; if this package is not available, please fix the issue with the repository
sudo yum list available veridiumid_update_procedure-11.2.63-20250213
```
If the package is available, execute the commands below on all nodes, first on the WEBAPP nodes and later on the PERSISTENCE nodes. Run the update on one server at a time, not in parallel.
```bash
sudo yum clean metadata
sudo yum install -y veridiumid_update_procedure-11.2.63
sudo sed -i '104,115 {s/^/#/}' /etc/veridiumid/update-procedure/current/resources/scripts/372/set_for_java17.sh
sudo python3 /etc/veridiumid/update-procedure/current/preUpdateSteps.py --version 11.2.63 --use-repo
sudo python3 /etc/veridiumid/update-procedure/current/startUpdate.py --version 11.2.63 --use-repo
sudo bash /etc/veridiumid/scripts/check_services.sh
```
4) Post update steps
4.1) The ver_freeradius service might not start because of an old openssl version on the server. The solution is below:
```bash
## update openssl and openssh-server; after updating them, try to connect one more time to the server in a new session
yum update openssl
yum update openssh-server
systemctl restart ver_freeradius
```
4.2) This procedure will migrate all the data to Elasticsearch (devices, accounts) in order to have better reports.
```bash
## please run it on one PERSISTENCE node, regardless of how many datacenters.
sudo bash /opt/veridiumid/migration/bin/migrate_to_elk.sh
```
4.3) After updating all nodes, update Cassandra from 4.0.9/4.1.4 to 5.0.2 on the persistence nodes. Run the update on one server at a time, not in parallel. This procedure might involve downtime until it has been executed on all nodes. If Cassandra was updated in a previous version, then no update is needed.
If the update is done with local packages:
```bash
/opt/veridiumid/cassandra/bin/nodetool describecluster
## if the version is 4.0.9 or 4.1.4, then the update should be executed; the proper version is 5.0.2
TMP_DEST="/home/veridiumid/update372"
sudo bash /etc/veridiumid/update-procedure/current/resources/scripts/372/update_cassandra.sh ${TMP_DEST}/packages/
## check status
sudo /opt/veridiumid/cassandra/bin/nodetool status
sudo /opt/veridiumid/cassandra/bin/nodetool describecluster
```
If the update is done using the repository:
```bash
/opt/veridiumid/cassandra/bin/nodetool describecluster
## if the version is 4.0.9 or 4.1.4, then the update should be executed; the proper version is 5.0.2
sudo bash /etc/veridiumid/update-procedure/current/resources/scripts/372/update_cassandra.sh
## check status and wait till it starts before going to the next node
sudo /opt/veridiumid/cassandra/bin/nodetool status
sudo /opt/veridiumid/cassandra/bin/nodetool describecluster
```
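An added example (not Veridium's script) of the "check status and wait till it starts before going to next node" step: it parses `nodetool status` output and succeeds only when every listed node reports `UN` (Up/Normal). The function names, the polling defaults and the sample output are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example, not Veridium code: gate a rolling Cassandra update on node state.
NODETOOL="/opt/veridiumid/cassandra/bin/nodetool"   # path used on this page

# Constructed sample of `nodetool status` output (addresses and IDs are made up).
SAMPLE_ONE_DOWN='Datacenter: dc1
===============
Status=Up/Down
|/ State=Normal/Leaving/Joining/Moving
--  Address    Load     Tokens  Owns  Host ID  Rack
UN  10.0.0.11  1.2 GiB  16      ?     aaaa-1   rack1
DN  10.0.0.12  1.1 GiB  16      ?     aaaa-2   rack1'

# Read `nodetool status` output on stdin; print "address code" for every node
# that is not UN. Node rows start with a two-letter status/state code.
nodes_not_ready() {
    awk '$1 ~ /^[UD][NLJM]$/ { seen = 1; if ($1 != "UN") print $2, $1 }
         END { if (!seen) print "no node rows found" }'
}

# Succeed only when at least one node is listed and all of them are UN.
cluster_ready() {
    local pending
    pending=$(nodes_not_ready)
    if [ -n "$pending" ]; then
        echo "not ready: $pending" >&2
        return 1
    fi
}

# Poll until the cluster is ready or the timeout (in seconds) expires.
wait_for_cluster() {
    local timeout="${1:-600}" interval="${2:-15}" waited=0
    until sudo "$NODETOOL" status 2>/dev/null | cluster_ready 2>/dev/null; do
        if [ "$waited" -ge "$timeout" ]; then
            echo "timed out after ${waited}s" >&2
            return 1
        fi
        sleep "$interval"
        waited=$((waited + interval))
    done
}

# Run with --wait on a persistence node after update_cassandra.sh has finished.
if [ "${1:-}" = "--wait" ]; then
    wait_for_cluster
fi
```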
4.4) If the error "Error message: [es/index] failed: [mapper_parsing_exception] failed to parse field [authenticationDeviceOsPatch] of type [date] in document with id" appears in bops.log, apply the procedure below:
```bash
index=veridium.sessions-$(date '+%Y-%m')
/opt/veridiumid/migration/bin/elk_ops.sh --reindex --index-name=${index} --dest-index=${index}-001
```
4.5) Run this step only if KAFKA is installed (this step needs to be executed only by clients that have the ILP product installed).
Run the following procedure on all PERSISTENCE nodes, in parallel, first in DC1 and after that in DC2. Before switching to DC2, test that UBA is working fine in the first DC.
```bash
## check if kafka is installed
systemctl is-enabled uba-kafka
## if it is enabled, please run
sudo bash /etc/veridiumid/update-procedure/current/resources/scripts/372/decoupleKafkaFromZk.sh
## after this, please restart all ILP services on webapp nodes
uba_stop
uba_start
```
4.6) Create the Zookeeper cluster and update properties to allow it to run in read-only mode
In the case of a single datacenter, run the following procedure on all PERSISTENCE nodes, sequentially. This also applies to single-node and multi-node installations.
```bash
sudo bash /etc/veridiumid/update-procedure/current/resources/scripts/372/update_zookeeper_configuration.sh
```
In the case of CDCR, run the following procedure to create one big cluster, with nodes from both datacenters.
```bash
## run this command on the main/active datacenter on one persistence node. This generates a file DC1.tar.gz
sudo bash /etc/veridiumid/scripts/veridiumid_cdcr.sh -g
## copy the DC1.tar.gz to all nodes - webapp and persistence in both datacenters.
## run this command on all persistence nodes in the primary datacenter - the script will create a large cluster containing the Zookeeper nodes in both datacenters
ARCH_PATH=/tmp/DC1.tar.gz
sudo bash /etc/veridiumid/scripts/veridiumid_cdcr.sh -z -a ${ARCH_PATH}
## run this command on all persistence nodes in the secondary datacenter - the script will create a large cluster containing the Zookeeper nodes in both datacenters and remove data from the second DC
ARCH_PATH=/tmp/DC1.tar.gz
sudo bash /etc/veridiumid/scripts/veridiumid_cdcr.sh -z -s -a ${ARCH_PATH}
## run this command on a single node in one datacenter - this configures the data in zookeeper
ARCH_PATH=/tmp/DC1.tar.gz
sudo bash /etc/veridiumid/scripts/veridiumid_cdcr.sh -j -a ${ARCH_PATH}
## run this command on all webapp nodes in the secondary datacenter - this changes the salt and password in DC2 to the ones taken from DC1.
ARCH_PATH=/tmp/DC1.tar.gz
bash /etc/veridiumid/scripts/veridiumid_cdcr.sh -p -r -a ${ARCH_PATH}
```
5) Other references.
5.1) How to install python 3
In order to run the update procedure, all nodes must have Python 3 installed.
To check if the VeridiumID Python 3 package (this is optional) is present, use the following command as root:
```bash
## on RHEL7/CentOS7, Python 3.7 should be used
python3 --version
##Python 3.7.8
yum -y install python3.7
## on RHEL8/RHEL9, Python 3.9 should be used
sudo yum -y install python39 python39-pip
##Python 3.9.18
```
Veridium REPO LINKS:
Package URL | Description |
---|---|
https://veridium-repo.veridium-dev.com/repository/VeridiumRPM8/packages/ | Repository with RHEL8 packages |
https://veridium-repo.veridium-dev.com/repository/VeridiumRPM9/packages/ | Repository with RHEL9 packages |
RHEL8 MD5 of each package:
RHEL9 MD5 of each package: