These upgrade instructions apply to EJBCA Cloud nodes version 2.0 and above. The instructions assume there is more than one node installed and configured to read from an RDS database. 

To ensure EJBCA continues to function against the new database, keep the existing nodes running until the installation of the new nodes is complete. Since RDS holds the EJBCA data, new nodes are provisioned to read from RDS and the old ones are decommissioned. For details on how to perform these steps, see Restore and Upgrade Procedure.

After upgrading to certain versions of EJBCA, typically a new version where the database schema has changed, you may need to perform an EJBCA post-upgrade, described in the last step of the procedure.

When connected to an RDS database, you should run the EJBCA post-upgrade only after all nodes in the cluster have been upgraded to the new version of EJBCA. You only need to run the post-upgrade on one of the nodes in the cluster.

Wizard-based Installation (as of EJBCA Cloud 2.1)

The following describes the wizard-based installation upgrade steps as of version EJBCA Cloud 2.1.

  1. Launch the same quantity of nodes from the AWS Marketplace as you currently have in production according to the AWS Launch Guide.
  2. If using a VIP in this EJBCA cluster, add the VIP address in the wizard Step 1: Host Settings.
  3. Select the option to use an Existing EJBCA Database in the configuration wizard at launch time.

    Cluster Join Note

    If you are running a version of EJBCA older than 7.5 there are steps needed to migrate your older Liquidsec public keys to CloudHSM. For more information please see the CloudHSM Integration Guide section regarding CloudHSM Liquidsec Key Conversion.

  4. Wait for the node to boot using the configuration from the existing installation.

  5. Once the new nodes are running and connected to the RDS database, remove the old nodes from the load balancer (if used) and add the new ones.
  6. Confirm the new nodes are properly serving traffic.
  7. Click System Upgrade in the System Configuration menu of the EJBCA Admin UI.

    The menu item System Upgrade is only available if an EJBCA post-upgrade is pending. If the option is not available, post-upgrade is not needed and you can skip this step.

  8. Click Start post-upgrade to perform an EJBCA post-upgrade.

Manual Upgrade (EJBCA Cloud 2.0)

The following describes the manual upgrade steps using version EJBCA Cloud 2.0.

  1. Launch the same quantity of nodes from the AWS Marketplace as you currently have in production according to the AWS Launch Guide.
  2. Select the defaults and install a local database on all nodes. Note that this configuration will be overwritten when the node is restored.
  3. Take a backup of one of the existing nodes.
  4. Copy the backup file to the new instance.
  5. Run the /opt/PrimeKey/support/system_restore.sh script pointing it to the backup file you just copied to the new instance. For information on restoring a backup, see Restore and Upgrade Procedure.
  6. Generate new TLS certificates for the EJBCA host with the /opt/PrimeKey/support/new_tls_cert.sh script.  For more information on how to use new_tls_cert.sh script, see the TLS Certificate Generation Guide. These new certificates should contain the load-balanced VIP that is used to have clients access the cluster.
  7. Once the new nodes are running and connected to the RDS database, remove the old nodes from the load balancer (if used) and add the new ones.
  8. Confirm the new nodes are properly serving traffic.
  9. Click System Upgrade in the System Configuration menu of the EJBCA Admin UI.

    The menu item System Upgrade is only available if an EJBCA post-upgrade is pending. If the option is not available, post-upgrade is not needed and you can skip this step.

  10. Click Start post-upgrade to perform an EJBCA post-upgrade.