Hardware Appliance 3.5.X Upgrade Notes

The following lists important upgrade information and limitations to be aware of.

Upgrading EJBCA

After upgrading to certain versions of EJBCA (typically a new version where the database schema has changed), it is recommended to perform an EJBCA post-upgrade.

If the EJBCA instance you are upgrading is a part of a cluster, you should run the EJBCA post-upgrade only after all nodes in the cluster have been upgraded to the new version of EJBCA. Note that you only need to run the post-upgrade on one of the nodes in the cluster.

For more information on upgrading EJBCA, refer to Upgrading EJBCA. For information on database changes in the respective EJBCA releases, refer to the EJBCA Upgrade Notes.

General Upgrade Notes

The following provides important information and requirements to be aware of when upgrading.

  • Hardware Appliance 3.5.0 makes SNMP reachable over IPv6. If the appliance is upgraded from <=3.5.0 and SNMP was enabled before, SNMP does not become reachable over IPv6 automatically. To make it reachable, disable and re-enable IPv6 on one of the network interfaces.
  • If /etc/snmp/snmpd.conf was previously edited, e.g. to change the community string, that configuration will be overwritten by the new default configuration and SNMP will be disabled.
  • When installing updates on a Hardware Appliance running version 3.2.0, make sure to unplug any USB sticks before performing the update.
  • When a single node is disconnected from the cluster, the local EJBCA instance will be temporarily unusable and the EJBCA Administration interface displays an error message. The problem resolves itself within one hour, while a restart of EJBCA resolves the issue instantly. Note, however, that if your installation uses smart card authentication, PIN pad interactions will be required to activate the slots again.
  • When restoring large backups from EJBCA versions prior to 6.6.0, EJBCA will not be available for some time after the restore and reboot, due to the database schema change and the need to reindex. For a full database of a Model M, it takes about an hour to reindex the database. Once reindexed, an additional reboot is required.
  • For cluster backups taken on Hardware Appliance versions 2.4 to 2.8: when restoring the first backup onto a 3.4.X version, the cluster configuration will be deleted and requires manually adding the IP addresses of all the other nodes before proceeding with the cluster setup.
  • The Appliance 3.4.X versions do not support restoring backups of versions older than 2.4.0.

PIN Pad

  • This release adds support for the new PIN pad (cyberJack one) and for Smart Card Authentication with more than one user authentication for PKCS#11 R2. However, the new PIN pad is supported neither for Smart Card Authentication on the legacy PKCS#11 R1 stack nor for Backup Key Shares on very old Appliance hardware versions (1.x).
  • In rare cases after rebooting the Appliance, the PIN pad is not detected correctly and the WebConfigurator (WebConf) Wizard will display the following message: "Please connect the PIN pad to the Hardware Appliance before beginning the installation." This issue can be solved by replugging the PIN pad.

FIPS Restrictions Applied Mode

  • The FIPS restrictions applied mode is currently not available on Appliances of the second-generation hardware version, since it is not available on that HSM generation. Operation in FIPS mode will be added in future releases.
  • While smart card activated slots are supported with PKCS#11 R2, the FIPS restrictions applied mode is not.

Ethernet Ports

  • Due to a firmware limitation, the Hardware Appliance only becomes reachable when both management and application Ethernet ports are successfully connected to a network.
  • Ethernet ports might not establish a link if the network cables have been connected after powering on the device.