Upgrading KeyControl from 10.4.1 or 10.4.1.1 to 10.4.3

If your KeyControl nodes are running version 10.1 or later, you can use the KeyControl Vault Management webGUI to upgrade any node in the cluster and KeyControl will automatically upgrade the other nodes one at a time until all nodes have been upgraded. By doing sequential upgrades, KeyControl ensures that at least one node in the cluster remains available during the entire upgrade process.

Important: If you are using HSM Root-of-Trust mode with password, you must enter the password on each node during upgrade.

You can use this procedure for all installations of KeyControl, including AWS, Azure, and GCP.

Note: Any new features in the KeyControl release will not be available until all nodes in the cluster have been upgraded.

Before You Begin 

  • Make sure that the KeyControl nodes can communicate with one another on ports TCP/8443 and TCP/5432. For details, see KeyControl Network Requirements.
  • Entrust recommends that you back up your KeyControl cluster before you upgrade it. For details, see Backing Up KeyControl Through the webGUI.
  • Please download your Admin Key and store it in a safe place before you upgrade. If KeyControl prompts for an admin key to recover your KeyControl system, you must provide this admin key to proceed. If you do not have your admin key, you may lose your data. For details, see Downloading Your Admin Key Part.
  • We recommend that you enable the support login on all cluster nodes before you start the upgrade. For details, see Enabling or Disabling the Support Login.
  • Make sure your internet connection to the KeyControl node is as fast and as stable as possible. To begin the upgrade, you need to upload the upgrade ISO image to the KeyControl node in one continuous session. If the upload times out or if connectivity to the KeyControl node is lost during the upload, you will see error messages in KeyControl and you must re-upload the file from scratch. KeyControl cannot resume the upload from where it left off during a previous session.

Procedure 

  1. Sign on to the KeyControl Vault Management webGUI with Domain and Security Admin privileges.

  2. In the top right, click the Appliance Management link.

  3. In the top menu bar, click Cluster and make sure the Status of the cluster is Healthy. If it is not, you must resolve those issues before you can upgrade the cluster.
  4. In the top menu bar, click Settings.
  5. In the System Settings section, click System Upgrade.
  6. Click Browse, navigate to the Entrust ISO upgrade file, and click Open.

    Important: KeyControl now has separate ISO files for installation and upgrade. Please ensure that you use the ISO upgrade file.

  7. Click Upload File. If the Upload File button is not active, make sure that you have selected an ISO file and that the cluster is healthy.

    After KeyControl uploads and validates the ISO file, KeyControl begins the automatic upgrade process by copying the ISO file from the current node to all of the other KeyControl nodes in the cluster. After the ISO file has been copied, KeyControl displays a Success message. Click Close to continue with the upgrade.

    KeyControl displays a status message stating that the upgrade is in process along with a Cancel Upgrade button in case you want to stop the process.

    During this time you can continue to use KeyControl as normal, including changing all configuration options and adding or removing VMs. When KeyControl is ready to upgrade all nodes in the cluster, it displays the Finish Upgrade button.

  8. Click Finish Upgrade.

    Note: Ensure you are still on the same node where you clicked Upload File.

    KeyControl displays a message stating that the cluster will be put into maintenance mode during this procedure and that all nodes will be rebooted. While in maintenance mode, KeyControl can still service key requests from the registered VMs, but no KeyControl configuration changes can be made and no new VMs can be added.

  9. Click Proceed.

    KeyControl displays a status message stating that the cluster nodes are being rebooted. It may take a while for this process to run on all nodes except for the current node. When all of the other nodes have been upgraded and are back online, KeyControl reboots the current node to finish the upgrade process on that node. At this point, you will be automatically logged out of the KeyControl Vault Management webGUI on that node. You can monitor the progress on the KeyControl Vault Management webGUI of the other nodes. This again may take a while to complete.

    When any node is being upgraded, if you have access to the KeyControl System Console, you can view the upgrade messages.

    Note: When KeyControl reboots the current node, you may see a message that the application cannot connect to the server, then the browser page may display a "connection refused" message. Wait a few moments for the node to finish rebooting, then refresh your browser page. You should see the KeyControl Login page.

    Beginning with 10.2, KeyControl has changed the login experience. You can now switch between the KeyControl Vault Management webGUI and the KeyControl Appliance Management webGUI in the same browser with one login. When you log in, click the Switch to Appliance Management link at the top right side of the web page to switch.

  10. To verify the upgrade, return to Settings > System Upgrade and verify the settings for Current Version and Previous Version.