Upgrading 4.2 or Later KeyControl Nodes with the KeyControl webGUI

If your KeyControl nodes are running version 4.2 or later, you can use the KeyControl webGUI to upgrade any node in the cluster and KeyControl will automatically upgrade the other nodes one at a time until all nodes have been upgraded. By doing sequential upgrades, KeyControl ensures that at least one node in the cluster remains available during the entire upgrade process.

This procedure will only work if you upgrade KeyControl nodes running version 4.2 or later using the KeyControl webGUI. You cannot use this procedure if you want to:

• Upgrade KeyControl nodes running version 4.1 or earlier.
• Upgrade a KeyControl node by booting it directly from the HyTrust DataControl ISO image, even if that node is running version 4.2 or later.

If either of the above conditions is true, you must dismantle the cluster and upgrade only a single node, then do a fresh KeyControl install on the other nodes and join them together to create a new cluster. For details, see Upgrading 4.1 or Earlier KeyControl Nodes.

Note:

Any new features in the KeyControl release will not be available until all nodes in the cluster have been upgraded.

Before You Begin 

• Make sure that the KeyControl nodes can communicate with one another on port TCP/443 (HTTPS). For details, see KeyControl Network Requirements.
• We recommend you back up your KeyControl cluster before you upgrade it. For details, see Backing Up the KeyControl Cluster.
• Make sure your internet connection to the KeyControl node is as fast and as stable as possible. To begin the upgrade, you need to upload the upgrade ISO image to the KeyControl node in one continuous session. If the upload times out or if connectivity to the KeyControl node is lost during the upload, you will see error messages in KeyControl and you must re-upload the file from scratch. KeyControl cannot resume the upload from where it left off during a previous session.

Procedure 

1. Log into the KeyControl webGUI using an account with Domain and Security Admin privileges.

2. In the top menu bar, click Cluster and make sure the Status of the cluster is Healthy. If it is not, you must resolve those issues before you can upgrade the cluster.
3. In the top menu bar, click Settings.
4. In the System Settings section, click System Upgrade.
5. Click Browse, navigate to the HyTrust ISO installation file, and click Open.

6. Click Upload File. If the Upload File button is not active, make sure that you have selected an ISO file and that the cluster is healthy.

   After KeyControl uploads and validates the ISO file, KeyControl begins the automatic upgrade process by copying the ISO file from the current node to all of the other KeyControl nodes in the cluster. After the ISO file has been copied, KeyControl displays a Success message. Click Close to continue with the upgrade.

   KeyControl displays a status message stating that the upgrade is in process along with a Cancel Upgrade button in case you want to stop the process.

   During this time you can continue to use KeyControl as normal, including changing all configuration options and adding or removing VMs. When KeyControl is ready to upgrade all nodes in the cluster, it displays the Finish Upgrade button.

7. Click Finish Upgrade.

   KeyControl displays a message stating that the cluster will be put into maintenance mode during this procedure and that all nodes will be rebooted. While in maintenance mode, KeyControl can still service key requests from the registered VMs, but no KeyControl configuration changes can be made and no new VMs can be added.

8. Click Proceed.

   KeyControl displays a status message stating that the cluster nodes are being rebooted. When all of the other nodes have been upgraded and are back online, KeyControl reboots the current node to finish the upgrade process on that node. At this point, you will be automatically logged out of the KeyControl webGUI on that node.

   Note:

   When KeyControl reboots the current node, you may see a message that the application cannot connect to the server, then browser page may display a "connection refused" message. Wait a few moments for the node to finish rebooting, then refresh your browser page. You should see the KeyControl Login page. If Refresh does not work, try to access the webGUI on a different node in the cluster. If the webGUI fails for all nodes, the hardware signature for one or more nodes may have changed during the upgrade. To restore access to KeyControl, contact HyTrust Support at support@hytrust.com or https://hytrust.com/support.

9. If you are upgrading from release 4.2 or earlier, you need to configure the Automatic Vitals Reporting feature that was added in release 4.2.1. To do so, log back into the webGUI using a KeyControl account with Security Admin privileges after the current node has finished rebooting. KeyControl automatically displays a pop up dialog box asking if you want to enable Automatic Vitals Reporting.

   Note:

   If you are upgrading from 4.2.1 or later, KeyControl uses your current setting for the Automatic Vitals Reporting feature.

   Automatic Vitals Reporting lets you automatically share information about the health of your KeyControl cluster with HyTrust Support. If you enable this service, KeyControl periodically sends an encrypted bundle containing system status and diagnostic information to a secure HyTrust server. HyTrust Support may proactively contact you if the Vitals Service identifies issues with the health of your cluster.

   KeyControl Security Admins can enable or disable this service at any time by selecting Settings > Vitals in the KeyControl webGUI. For details, see Configuring Automatic Vitals Reporting.

   Tip:

   If your browser does not display the KeyControl webGUI login page correctly, clear your browser cache and navigate to the page again.

10. To verify the upgrade, return to Settings > System Upgrade and verify the settings for Current Version and Previous Version.