Automic Workload Automation

  • Private Community
 View Only

  • 1.  New UC_SYSTEM_SETTINGS in 12.3. handling for Zero Downtime Upgrade

    Posted Feb 26, 2020 05:26 AM
    ​Hi All,

    In our case the Setting SMGR_SUPPORT_LEGACY_SECURITY should be set to "Y" after the Zero downtime upgrade. "Y" is not the default.

    Can we add this already to the UC_SYSTEM_SETTINGS in the older Version so that it is available when starting 12.3. the first time?

    Best Regards,
    Roman


    ------------------------------
    Roman Embacher
    R.E. IT Services

    ------------------------------


  • 2.  RE: New UC_SYSTEM_SETTINGS in 12.3. handling for Zero Downtime Upgrade

    Posted Feb 27, 2020 02:28 AM
    Hi Roman,
    If you do not install CAPKI, SMGR_SUPPORT_LEGACY_SECURITY will be set to Y automatically.
    Best Regards

    Original Message


  • 3.  RE: New UC_SYSTEM_SETTINGS in 12.3. handling for Zero Downtime Upgrade

    Posted Mar 03, 2020 03:28 AM
    Hi Gang Lu,

    many thanks for your Reply :) Need to get into the Details :) 

    What exactly do you mean by "If you do not install CAPKI". This Needs to be installed on each Server with command line tool if used, and configurations Need to be done in the ini-files.  How does the AE check if it is installed or not? 

    I'm still a bit sceptic as the Default for this variable is "N". Will the upgrade routine somehow check some ini or on the OS if CAPKI is installed and then set it to "Y"??

    To be on the safe side, is it an option to just set SMGR_SUPPORT_LEGACY_SECURITY in the UC_SYSTEM_SETTINGS, already before the ZDU upgrade?

    Best Regards,
    Roman
    Original Message


  • 4.  RE: New UC_SYSTEM_SETTINGS in 12.3. handling for Zero Downtime Upgrade

    Broadcom Employee
    Posted Mar 04, 2020 03:03 AM
    Hi Roman,

    it's not mandatory to install CAPKI. But only when it's installed on both ends then the communication will be encrypted using the TLS protocol. In that case you need to set SMGR_SUPPORT_LEGACY_SECURITY=N

    When you run the setup for CAPKI then it registers itself to the system (e.g. Registry Key on windows) with its Caller ID.

    There are multiple levels of security when using CAPKI:
    1) Basic: no validation of certificates (Trusted Certificate Store empty). The automatically created certificates will be used to encrypt communication, but not validated.
    2) mutual TLS authentication incl. validation of certificates between ServiceManager and AE. For this level we recommend one certificate for the AE and one for the ServiceManager(s) (=2 certificates in total)
    3) mutual TLS authentication incl. validation of certificates also between ServiceManager Dialog (ServiceManager CLI) and ServiceManager. For this level we recommend an additional certificate for ServiceManagerDialog and CLI (=3 certificates in total)

    Regards, Markus

    Original Message


  • 5.  RE: New UC_SYSTEM_SETTINGS in 12.3. handling for Zero Downtime Upgrade

    Posted Mar 04, 2020 07:33 AM
    Can we add this already to the UC_SYSTEM_SETTINGS in the older Version so that it is available when starting 12.3. the first time?
    Do not set this in your older version  before you start the Zero Downtime Upgrade --  This happened to us and caused the Database upgrade to fail and was a real pain to fix. 


    The upgrade will set the   SMGR_SUPPORT_LEGACY_SECURITY to Y automatically if you don't install CAPKI 




    Original Message


  • 6.  RE: New UC_SYSTEM_SETTINGS in 12.3. handling for Zero Downtime Upgrade
    Best Answer

    Posted Mar 04, 2020 07:42 AM
    Hi Marilyn,
    Yes. You can set UC_SYSTEM_SETTINGS in advance.
    Best Regards
    Original Message