Upgrading Oracle Key Vault from Release 18.x in a Multi-Master Cluster Environment

5 Upgrading Oracle Key Vault from Release 18.x in a Multi-Master Cluster Environment

Similar to a standalone or primary-standby upgrade from release 18.x, this type of upgrade includes the Oracle Key Vault server software and endpoint software-related utilities.

About Upgrading Oracle Key Vault from Release 18.x in a Multi-Master Cluster Environment
To perform an upgrade from Oracle Key Vault release 18.x, you must upgrade each multi-master cluster node.
Step 1: Perform Pre-Upgrade Tasks for the Upgrade from Release 18.x
Similar to a standalone or primary-standby environment, you must perform pre-upgrade tasks such as backing up the Oracle Key Vault server.
Step 2: Add Disk Space to Extend the vg_root for Upgrade to Oracle Key Vault Release 21.4
Before upgrading to Oracle Key Vault release 21.4 from release 18x, you will need to extend the vg_root to increase disk space.
Step 3: Upgrade Multi-Master Clusters
Depending on your multi-master cluster configuration, you must follow the steps that are specific to your deployment.
Step 4: Check the Node Version and the Cluster Version
After you complete the upgrade of at least one node, you can log into any of the upgraded nodes to check the node and cluster versions.
Step 5: If Necessary, Change the Network Interface for Upgraded Nodes
Nodes that were created in Oracle Key Vault releases earlier than release 21.1 use Classic mode, in which only one network interface was used.
Step 6: Upgrade the Endpoint Software
After you have upgraded all the nodes in the cluster, you must reenroll endpoints that were created in earlier releases of Oracle Key Vault, or update the endpoint software.
Step 6: If Necessary, Add Disk Space to Extend Swap Space
If necessary, extend the swap space on each node. Oracle Key Vault release 21.5 requires a hard disk size greater than or equal to 1 TB in size with approximately 64 GB of swap space.
Step 8: If Necessary, Remove Old Kernels
For each multi-master cluster node, Oracle recommends that you clean up the older kernels that were left behind after the upgrade.
Step 9: If Necessary, Remove SSH-Related DSA Keys
For each multi-master cluster node, you should remove SSH-related DSA keys left behind after the upgrade, because they can cause problems with some code analysis tools.

5.1 About Upgrading Oracle Key Vault from Release 18.x in a Multi-Master Cluster Environment

To perform an upgrade from Oracle Key Vault release 18.x, you must upgrade each multi-master cluster node.

There are different steps for upgrading the multi-master cluster depending on your deployment. A 2-node cluster, running Oracle Key Vault release 18.5 or earlier, configured as a single read-write pair would involve running a pre-upgrade script which no other deployment requires. Multi-master cluster nodes deployed in a read-write configuration must follow different upgrade steps than those deployed as read-only nodes.

Oracle does not support direct upgrades from Oracle Key Vault release 18.1 or earlier. You must upgrade to Oracle Key Vault release 18.2 or later before upgrading to release 21.4.

The upgrade process involves performing the upgrade on each multi-master cluster node. After you have begun a cluster upgrade, ensure that you upgrade all the nodes in the cluster one after the other, without too much intervening time between upgrades of two nodes.

Upgrading an Oracle Key Vault multi-master cluster includes upgrading each cluster node to the new later version. You must upgrade all nodes to the same Oracle Key Vault version. You should first upgrade the read-only nodes of the cluster, and then upgrade the read-write pairs. As each cluster node is upgraded, its node version is updated to the new version of the Oracle Key Vault. After you complete the upgrade of all cluster nodes, the cluster version is updated to the new version of the Oracle Key Vault. You can check the node version or the cluster version by selecting the Cluster tab, then in the left navigation bar, selecting Management. Oracle Key Vault multi-master cluster upgrade is considered complete when node version and cluster version at each cluster node is updated to the latest version of Oracle Key Vault.

Before you perform the upgrade, note the following:

Perform the entire upgrade process on all multi-master cluster nodes, without interruption. That is, after you have started the cluster upgrade process, ensure that you try and upgrade all nodes, individually one after the other or in read-write pairs. Do not perform any critical operations or make configurational changes to Oracle Key Vault until you have completed upgrading all the nodes in your environment.
Be aware that you cannot use any new features that were introduced in this release until you have completed upgrading all of the multi-master cluster nodes. An error is returned when such features are used from the node that has been upgraded. Oracle recommends that you plan the upgrade of all cluster nodes close to each other to ensure availability of the new features sooner.
Starting in Oracle Key Vault release 21.2, expiration alerts for deactivated or destroyed objects are not generated. If you are upgrading from Oracle Key Vault release 21.1 or earlier, then the following behavior is expected:
- As each cluster node is upgraded, Oracle Key Vault deletes all expiration alerts for any certificate and secret objects, as well as for key objects that have been revoked or destroyed.
- Cluster nodes that have not been upgraded yet will continue to generate alerts for these same objects, and also send email notifications for these alerts. This behavior that results in deletion and recreation of alerts may repeat until the last cluster node is upgraded.
- After the upgrade is complete, expiration alerts for the certificate and secret objects will have the alert type of Certificate Object Expiration and Secret Object Expiration, respectively.

5.2 Step 1: Perform Pre-Upgrade Tasks for the Upgrade from Release 18.x

Similar to a standalone or primary-standby environment, you must perform pre-upgrade tasks such as backing up the Oracle Key Vault server.

In the server where Oracle Key Vault is installed, log in as user support, and then switch to the root user.
Back up the server so that you can recover data in case the upgrade fails.
Ensure that no full or incremental backup jobs are running. Delete all scheduled full or incremental backup jobs before the upgrade.

Plan for downtime according to the following specifications:

Oracle Key Vault Usage	Downtime required
Wallet upload or download	NO
Java Keystore upload or download	NO
Transparent Data Encryption (TDE) direct connect	YES (NO with persistent cache)
Primary Server Upgrade in a primary-standby deployment	YES (NO with persistent cache)

If Oracle Key Vault uses an online master encryption key, then plan for a downtime of 15 minutes during the Oracle Database endpoint software upgrades. Database endpoints can be upgraded in parallel to reduce total downtime.

If the Oracle Key Vault system has a syslog destination configured, ensure that the remote syslog destination is reachable from the Oracle Key Vault system, and that logs are being correctly forwarded. If the remote syslog destination is not reachable from the Oracle Key Vault system, then the upgrade process can become much slower than normal.
Check the disk size before you begin the upgrade. If any of the nodes in question have a disk size that is greater than 2 TB and uses BIOS boot mode, then you cannot upgrade that system to the new release. Oracle recommends that you remove the node from the cluster and if possible, replace it with a node whose disk is less than 2 TB in size.
Check the boot partition size. If any of the nodes in question have a boot partition that is less than 500 MB, then you cannot upgrade that system to the new release. You can check this size as follows:
1. Mount the /boot partition.
```
/bin/mount /boot
```
2. Check the Size column given by the following command:
```
/bin/df -h /boot
```
3. Unmount the /boot partition:
```
/bin/umount /boot
```
If the boot partition given by this command shows less than 488 MB, then you cannot upgrade to the current release. Oracle recommends that you remove the node from the cluster and if possible, replace it with a node that has been freshly installed with the same Oracle Key Vault version as the rest of the cluster nodes.
Increase the Maximum Disable Node Duration setting as appropriate so that any disabled cluster nodes have sufficient time to be upgraded then enabled back into the cluster. Note that increasing the Maximum Disable Node Duration setting also increases disk space usage.
For each node that had been integrated with the Oracle Audit Vault in Oracle Key Vault release 21.2 or earlier, do the following to disable and remove the Oracle Audit Vault integration:
1. Disable the Oracle Audit Vault integration: Log into the Oracle Key Vault management console as a System Administrator, select the System tab and then System Settings from the left navigation bar. In the Audit Vault integration pane that appears, disable Oracle Audit Vault. Click Save.
2. Log in to the Oracle Key Vault server through SSH as user support, switch user su to root and then switch user su to oracle.
3. Stop the agent by executing the following command:
```
agent_installation_directory/bin/agentctl stop
```
4. Log in to the Oracle Audit Vault Server console as an Oracle Audit Vault administrator.
5. Delete the corresponding agent and target.
6. Log in to the Oracle Key Vault server through SSH as user support, then switch user su to root.
7. Delete the installation directory for the Oracle Audit Vault agent.
Ensure that the Oracle Key Vault server certificate has not expired, nor is close to expiry, before you begin the upgrade.
You can find how much time the Oracle Key Vault server certificate has before it expires by checking the OKV Server Certificate Expiration setting on the Configure Alerts page in the Oracle Key Vault management console.

5.3 Step 2: Add Disk Space to Extend the vg_root for Upgrade to Oracle Key Vault Release 21.4

Before upgrading to Oracle Key Vault release 21.4 from release 18x, you will need to extend the vg_root to increase disk space.

When you add disk space for upgrades to Oracle Key Vault 21.4 in a multi-master cluster configuration, you must perform this step after the node has been disabled. Before you start this procedure, ensure that all endpoints have persistent cache enabled and in use.

Log in to the server for which you will perform the upgrade and switch user as root.
Ensure that the persistent cache settings for Oracle Key Vault have been set.
You will need to ensure that the persistent cache has been enabled because in a later step in this procedure, you must shut down the server. Shutting down the Oracle Key Vault server will incur downtime. To avoid any downtime, Oracle recommends that you turn on persistent cache.
Run the vgs command to determine the free space
```
vgs
```
The VFree column shows how much free space you have (for example, 21 GB).
Disable the node.
Select the Cluster tab, and then Management in the left navigation bar. Under Cluster Details, select check box for the node to disable, and then click Disable. The node's status will change from DISABLING to DISABLED.
Power off the server in order to add a new disk
```
/sbin/shutdown -h now
```
Add a new disk to the server with a capacity of 100 GB or greater
Start the server.
Log in to the Oracle Key Vault server through SSH as user support, then switch user su to root.
```
ssh support@okv_server_IP_address
su - root
```

Stop the Oracle Key Vault services.

service tomcat stop;
service httpd stop;
service kmipus stop;
service kmip stop;
service okvogg stop;
service javafwk stop;
service monitor stop;
service controller stop;
service dbfwlistener stop;
service dbfwdb stop;
service rsyslog stop;

Run the fdisk -l command to find if there are any available partitions on the new disk.
```
fdisk -l
```
At this stage, there should be no available partitions.
Run the fdisk disk_device_to_be_added command to create the new partition.
For example, to create a disk device named /dev/sdb:
```
fdisk /dev/sdb
```
In the prompts that appear, enter the following commands in sequence:
- n for new partition
- p for primary
- 1 for partition number
- Accept the default values for cylinder (press Enter twice).
- w to write and exit
Use the pvcreate disk_device_partition command to add the newly added disk to the physical volume.
For example, for a disk device named /dev/sdb1, which is the name of the disk partition that you created (based on the name used for the disk device that was added).
```
pvcreate /dev/sdb1
```
Output similar to the following appears:
```
Physical volume "/dev/sdb1" successfully created
```
Use the vgextend vg_root disk_device_partition command to extend the logical volume with this disk space that you just added.
For example, for the partition /dev/sdb1, you would run:
```
vgextend vg_root /dev/sdb1
```
Output similar to the following appears:
```
Volume group "vg_root" successfully extended
```
Run the vgs command again to ensure that VFree shows an increase of 100 GB.
```
vgs
```
Output similar to the following appears:
```
VG      #PV #LV #SN Attr   VSize   VFree
vg_root   2  12   0 wz--n- 598.75g <121.41g
```
Restart the Oracle Key Vault server.
```
/sbin/reboot
```
After you have successfully added the disk, re-enable the node. After you re-enable the disabled multi-master cluster node, its status changes from DISABLED to ENABLING, then to ACTIVE. The status of the node will remain at ENABLING and will not change to ACTIVE unless bidirectional replication between it and all other nodes is occurring successfully.

Related Topics

Oracle Key Vault Administrator's Guide

Parent topic: Upgrading Oracle Key Vault from Release 18.x in a Multi-Master Cluster Environment

5.4 Step 3: Upgrade Multi-Master Clusters

Depending on your multi-master cluster configuration, you must follow the steps that are specific to your deployment.

About Upgrading Multi-Master Clusters
When upgrading a multi-master cluster, you may upgrade the read-only nodes one after the other and in the case of read-write pairs, you must upgrade both of the nodes simultaneously.
Upgrading Multi-Master Cluster Read-Only Nodes
Before upgrading multi-master cluster read-only nodes, ensure that you understand the requirements for performing this kind of upgrade.
Upgrading Multi-Master Cluster Read-Write Pairs
Before upgrading multi-master cluster read-write pairs, ensure that you understand the requirements for performing this kind of upgrade.

Parent topic: Upgrading Oracle Key Vault from Release 18.x in a Multi-Master Cluster Environment

5.4.1 About Upgrading Multi-Master Clusters

When upgrading a multi-master cluster, you may upgrade the read-only nodes one after the other and in the case of read-write pairs, you must upgrade both of the nodes simultaneously.

You must perform these steps on both nodes of the cluster read-write pair in the order specified for all read-write pairs of the cluster. In order to perform the upgrade using this method, you must arbitrarily decide which of the read-write nodes of your pair will be Node A and which node will be Node B. The steps below refers to Node A and Node B that correspond to the Node A and Node B.

To perform the upgrade, you must upgrade each multi-master cluster node. There are different steps for upgrading the multi-master cluster depending on your deployment. A two-node cluster, running Oracle Key Vault release 18.5 or earlier, configured as a single read-write pair would involve running a pre-upgrade script which no other deployment requires. For multi-master cluster nodes that were deployed in a read-write configuration, you must follow different upgrade steps than those that were deployed as read-only nodes.

This section describes the upgrade methods for the various deployments. Choose the method that is appropriate for your configuration. When upgrading read-write pairs, after disabling both the nodes, you can upgrade the nodes at the same time. However, Oracle recommends that you upgrade the cluster nodes one at a time. If you have a multi-master cluster with three or more nodes, then you can upgrade two nodes at the same time with no down time.

When upgrading read-write pairs, it is critically important that you perform the steps in the proper order on the two nodes.

If your cluster consists of only two nodes in a read-write configuration and if you are upgrading from Oracle Key Vault release 18.2 through 18.5, then you must execute a pre-upgrade script before performing the upgrade. The pre-upgrade script is not to be executed in any other multi-master cluster configuration.

Parent topic: Step 3: Upgrade Multi-Master Clusters

5.4.2 Upgrading Multi-Master Cluster Read-Only Nodes

Before upgrading multi-master cluster read-only nodes, ensure that you understand the requirements for performing this kind of upgrade.

Oracle recommends that you upgrade the read-only nodes one at a time. You must upgrade read-only nodes ahead of any read-write pairs. Direct upgrades from release 18.1 or earlier are not supported. You must upgrade to Oracle Key Vault release 18.2 or later before upgrading to release 21.4. Do not perform any critical operations or make configuration changes to Oracle Key Vault until you have completed upgrading all multi-master cluster nodes. Ensure that you have successfully backed up Oracle Key Vault before you start to upgrade the multi-master cluster nodes. Do not proceed without completing this step.

You must perform these steps on each read-only node of the cluster, one after the other.

Ensure that you have performed the pre-upgrade steps.
Log in to the management console as a user with the System Administrator role.
Disable the multi-master cluster node.
1. Log in to any cluster Oracle Key Vault management console as a user who has the System Administrator role.
2. Select the Cluster tab, and then select Management from the left navigation bar.
3. Under Cluster Details, in the Select Node column, select the check box of the node to disable.
4. Click Disable.
  
  In the node’s Management page (under the Cluster tab), the node's status changes from DISABLING to DISABLED.
Ensure that you have added disk space to extend the vg_root for the upgrade to release 21.4.
Ensure that SSH access is enabled for the node.
As a user who has the System Administrator role, in the Oracle Key Vault management console, select the System tab, then Settings. In the Network Details area, click SSH Access. Select IP address(es) and then enter only the IP addresses that you need, or select All. Click Save.
Ensure you have enough space in the destination directory for the upgrade ISO files.
Log in to the Oracle Key Vault server through SSH as user support, then switch user su to root.
```
ssh support@okv_server_IP_address
su - root
```
If the SSH connection times out while you are executing any step of the upgrade, then the operation will not complete successfully. Oracle recommends that you ensure that you use the appropriate values for the ServerAliveInterval and ServerAliveCountMax options for your SSH sessions to avoid upgrade failures.

Using the screen command prevents network disconnections interrupting the upgrade. If the session terminates, resume as follows:
```
root# screen -r
```
Copy the upgrade ISO file to the destination directory using SSH or other secure transmission method.
```
root# scp remote_host:remote_path/okv-upgrade-disc-new_software_release.iso /var/lib/oracle
```
In this specification:
- remote_host is the IP address of the computer containing the ISO upgrade file.
- remote_path is the directory of the ISO upgrade file. Do not copy this file to any location other than the /var/lib/oracle directory.

Make the upgrade accessible by using the mount command:

root# /bin/mount -o loop,ro /var/lib/oracle/okv-upgrade-new_software_release.iso /images

Clear the cache using the clean all command:

root# yum -c /images/upgrade.repo clean all

Apply the upgrade with upgrade.rb command:
```
root# /usr/bin/ruby /images/upgrade.rb --confirm
```
When you run the /usr/bin/ruby /images/upgrade.rb --confirm command, you will be asked to confirm that you completed the pre-upgrade steps, if they are required.

If the system is successfully upgraded, then the command will display the following message:
```
Remove media and reboot now to fully apply changes.
```
If you see an error message, then check the log file /var/log/messages for additional information.
Restart the Oracle Key Vault server by running reboot command:
```
root# /sbin/reboot
```
On the first restart of the computer after the upgrade, the system will apply the necessary changes. This can take a few hours. Do not shut down the system during this time. The upgrade of the cluster node is completed when the screen with heading: Oracle Key Vault Server new_software_release appears, with new_software_release reflecting the release number of the upgraded version. Following the heading appears the menu item Display Appliance Info. Select Display Appliance Info and press the Enter key to see the IP address settings for the appliance.
If you are performing an HSM upgrade using Entrust (formerly nCipher), then perform the additional steps described in Oracle Key Vault Root of Trust HSM Configuration Guide.
After you upgrade the node, apply the patch for Bug 33974435.

Note:
Failure to apply the patch for Bug 33974435 will result in the inability to create or register symmetric keys on upgraded cluster nodes until the entire cluster has been upgraded.
After applying the patch to the node, re-enable it.
1. Log in to any cluster Oracle Key Vault management console as a user who has the System Administrator role.
2. Select the Cluster tab, and then select Management from the left navigation bar.
3. In the Cluster Details section, under Name, click the name of the node that you had disabled.
4. Click Enable.
  After you re-enable the disabled multi-master cluster node, its status changes from DISABLED to ENABLING, then to ACTIVE. The status of the node will remain at ENABLING and will not change to ACTIVE unless bidirectional replication between it and all other nodes is occurring successfully.
As necessary, disable SSH access on this node.
Select the System tab, then Settings. In the Network Details area, click SSH Access. Select Disabled. Click Save.
After you have successfully completed this procedure, repeat these upgrade steps on all multi-master cluster nodes.

Related Topics

Parent topic: Step 3: Upgrade Multi-Master Clusters

5.4.3 Upgrading Multi-Master Cluster Read-Write Pairs

Before upgrading multi-master cluster read-write pairs, ensure that you understand the requirements for performing this kind of upgrade.

Do not perform any critical operations or make configuration changes to Oracle Key Vault until you have completed upgrading all multi-master cluster nodes.

You must perform these steps on both nodes of the cluster read-write pair in the order specified for all read-write pairs of your cluster. In order to perform the upgrade using this method, you must arbitrarily decide which of the read-write nodes of your pair will be Node A and which node will be Node B. The steps below will refer to Node A and Node B which correspond to your Node A and Node B.

Direct upgrades to Oracle Key Vault 21.4 from releases 18.1 or earlier are not supported. You must upgrade to Oracle Key Vault release 18.2 or later before upgrading to release 21.4. If you are upgrading a two-node cluster that runs Oracle Key Vault release 18.5 or earlier and is configured as a single read-write pair, then you must run the pre-upgrade script on each multi-master cluster node after mounting the ISO, but before performing the full upgrade.

Generally, once your cluster nodes are disabled, they become unavailable for use. Therefore, in order to allow operational continuity when you upgrade a two-node cluster that is configured as a read-write pair, applying the pre-upgrade script on both nodes allows the node to remain available in a read-only mode, even when the node is disabled. After both the nodes are disabled, you can upgrade the nodes one at a time; the order is at your discretion. However, when you enable the nodes after they have been upgraded, you must enable them in the reverse order that they were disabled.

If your deployment required running the pre-upgrade script, then after you run the pre-upgrade script, proceed with the standard upgrade process as follows. Disable both nodes (the order of disabling matters) of the read-write pair, add the extra disk space as necessary and then perform the upgrade and reboot. When you run the upgrade and reboot commands, Oracle recommends running them on one node of the pair before running it on the other node to avoid down time.

For 18.x to 21.y upgrade, upgrade both nodes while they are disabled: Disable node 1; disable node 2; upgrade both nodes; enable node 2; enable node 1 (enabling in reverse order is mandatory)., upgraded and then enabled in the reverse order. The actual upgrade step may be executed sequentially, but you cannot enable the node until the other one has been upgraded also. This requirement does not apply to 21.x to 21.y upgrade.

Log into the Node A Oracle Key Vault management console as a user who has the System Administrator role.
Ensure that SSH access is enabled.

Log in to the Oracle Key Vault management console as a user who has the System Administrator role. Select the System tab, then Settings. In the Network Details area, click SSH Access. Select IP address(es) and then enter only the IP addresses that you need, or select All. Click Save.
Ensure you have enough space in the destination directory for the upgrade ISO files.
Log in to the Oracle Key Vault server through SSH as user support, then switch user su to root.
```
ssh support@okv_server_IP_address
su - root
```
If the SSH connection times out while you are executing any step of the upgrade, then the operation will not complete successfully. Oracle recommends that you ensure that you use the appropriate values for the ServerAliveInterval and ServerAliveCountMax options for your SSH sessions to avoid upgrade failures.

Using the screen command prevents network disconnections interrupting the upgrade. If the session terminates, resume as follows:
```
root# screen -r
```
Copy the upgrade ISO file to the destination directory using Secure Copy Protocol or other secure transmission method.
```
root# scp remote_host:remote_path/okv-upgrade-disc-new_software_release.iso /var/lib/oracle
```
- remote_host is the IP address of the computer containing the ISO upgrade file.
- remote_path is the directory of the ISO upgrade file. Do not copy this file to any location other than the /var/lib/oracle directory.

Make the upgrade accessible by using the mount command:

root# /bin/mount -o loop,ro /var/lib/oracle/okv-upgrade-new_software_release.iso /images

If your Oracle Key Vault deployment consists solely of two cluster nodes in a read-write configuration running Oracle Key Vault 18.5 or earlier, then you must prepare the cluster for the upgrade process by executing a pre-upgrade script on both nodes.
You must run this pre-upgrade step only when you are upgrading a two-node cluster, running Oracle Key Vault 18.5 or earlier, configured as a single read-write pair. Do not run this pre-upgrade script on a cluster of any other configuration.
1. Unzip the upgrade script and save it in /tmp. Perform this step on both nodes.
```
root# /usr/bin/unzip -d /tmp/ /images/preupgrade/cluster_preupgrade_211.zip
```
2. Execute the upgrade script on each node to be upgraded.
```
root# /tmp/cluster_preupgrade_211.sh
```
3. Check for errors on each node by executing the following command:
```
root# echo $?
```
4. Check the upgrade script log /tmp/cluster_preupgrade_211.log on each node for any errors.
Disable Node A.
Select the Cluster tab, and then Management in the left navigation bar. Under Cluster Details, select check box for the node to disable, and then click Disable. The node's status will change from DISABLING to DISABLED
Wait until Node A is disabled before proceeding.
Log into the Node B management console as a user with the System Administrator role.
Disable Node B.
Select the Cluster tab, and then Management in the left navigation bar. Under Cluster Details, select check box for the node to disable, and then click Disable. The node's status will change from DISABLING to DISABLED
Wait until Node B is disabled before proceeding
Ensure that you have added disk space to extend the vg_root for both nodes.
For each node of the read-write pair, do the following:
Complete these steps on each node of a read-write pair in turn. In other words, perform the steps on the disabled Node A, allow the upgrade to complete, and then perform the steps on the disabled Node B.
1. Log in to the Oracle Key Vault server through SSH as user support, then switch user su to root.
```
ssh support@okv_server_IP_address
su - root
```
2. Clear the cache using the clean all command:
```
root# yum -c /images/upgrade.repo clean all
```
3. Apply the upgrade with upgrade.rb command:
```
root# /usr/bin/ruby /images/upgrade.rb --confirm
```
  When you run the /usr/bin/ruby /images/upgrade.rb --confirm step during the upgrade, you may be asked to confirm that you completed the pre-upgrade steps.
  
  When you run the upgrade.rb command, Oracle recommends that you execute this step and the next step (reboot) on one node first and then on the second after the first has completed. If your multi-master cluster deployment consists of three or more nodes, then you can upgrade both nodes of the read-write pair at the same time and avoid any down time.
  
  If the system is successfully upgraded, then the command will display the following message:
```
Remove media and reboot now to fully apply changes.
```
  If you see an error message, then check the log file /var/log/messages for additional information.
4. Restart the Oracle Key Vault server by running reboot command:
```
root# /sbin/reboot
```
  On the first restart of the computer after the upgrade, the system will apply the necessary changes. This can take a few hours. Do not shut down the system during this time.
  
  The upgrade of the cluster node is completed when the screen with heading: Oracle Key Vault Server version. This appliance was upgraded from previous_release_version.. The revision should reflect the upgraded release. Following the heading appears the menu item Display Appliance Info. Select Display Appliance Info and press the Enter key to see the IP address settings for the appliance.
After each node has been upgraded, clear your browser's cache before attempting to log in.
After you upgrade the node, apply the patch for Bug 33974435.

Note:
Failure to apply the patch for Bug 33974435 will result in the inability to create or register symmetric keys on upgraded cluster nodes until the entire cluster has been upgraded.
After both nodes has been successfully upgraded, re-enable Node B first (nodes must be enabled in the reverse order that they were disabled).
After you re-enable the disabled multi-master cluster node, its status changes from DISABLED to ENABLING, then to ACTIVE. The status of the node will remain at ENABLING and will not change to ACTIVE unless bidirectional replication between it and all other nodes is occurring successfully.
Re-enable Node A.
After you re-enable the disabled multi-master cluster node, its status changes from DISABLED to ENABLING, then to ACTIVE. The status of the node will remain at ENABLING and will not change to ACTIVE unless bidirectional replication between it and all other nodes is occurring successfully.
As necessary, disable SSH access on each node.

Log in to the Oracle Key Vault management console as a user who has the System Administrator role. Select the System tab, then Settings. In the Network Details area, click SSH Access. Select Disabled. Click Save.
After you have successfully completed this procedure, repeat these upgrade steps on all remaining multi-master cluster read-write pairs.

Related Topics

Parent topic: Step 3: Upgrade Multi-Master Clusters

5.5 Step 4: Check the Node Version and the Cluster Version

After you complete the upgrade of at least one node, you can log into any of the upgraded nodes to check the node and cluster versions.

Oracle Key Vault tracks the version information of each cluster node as well as the version of the cluster as a whole. The node version represents the version of the Oracle Key Vault software on a given node. When a node is upgraded, its node version is updated to the new version of the Oracle Key Vault software. The cluster version is derived from the version information of the cluster nodes and is set to the minimum version of any cluster node. During cluster upgrade, node version is updated as each cluster node is upgraded to the later version. When all of the cluster nodes have been upgraded, the cluster version is then updated to the new version. (The Cluster Version and Node Version fields are available in Oracle Key Vault release 18.2 or later.)

Log in to the Oracle Key Vault management console as a user who has the System Administrator role.
Select the Cluster tab.
In the left navigation bar, select Management.
Check the following areas:
- To find the node version, check the Cluster Details area.
- To find the cluster version, check the Cluster Information area.

Parent topic: Upgrading Oracle Key Vault from Release 18.x in a Multi-Master Cluster Environment

5.6 Step 5: If Necessary, Change the Network Interface for Upgraded Nodes

Nodes that were created in Oracle Key Vault releases earlier than release 21.1 use Classic mode, in which only one network interface was used.

If you prefer to use dual NIC network mode, which supports the use two network interfaces, then you can switch the node to use this mode, from the command line.

Related Topics

Oracle Key Vault Administrator's Guide

Parent topic: Upgrading Oracle Key Vault from Release 18.x in a Multi-Master Cluster Environment

5.7 Step 6: Upgrade the Endpoint Software

After you have upgraded all the nodes in the cluster, you must reenroll endpoints that were created in earlier releases of Oracle Key Vault, or update the endpoint software.

If you are upgrading from an earlier release to the latest release of Oracle Key Vault, then you must reenroll the endpoint instead of upgrading the endpoint software. Reenrolling the endpoint automatically updates the endpoint software.

Before an endpoint that uses online TDE master encryption key management by Oracle Key Vault can take advantage of the ability to control the extraction of objects from Oracle Key Vault during cryptographic operations, it must be upgraded to Oracle Key Vault release 21.4.

Ensure that you have upgraded the Oracle Key Vault servers. If you are upgrading the endpoint software for an Oracle database configured for online TDE master encryption key management, then shut down the database.
Download the endpoint software (okvclient.jar) for your platform from the Oracle Key Vault server as follows:
1. Go to the Oracle Key Vault management console login screen.
2. Click the Endpoint Enrollment and Software Download link.
3. In the Download Endpoint Software Only section, select the appropriate platform from the drop-down list.
4. Click the Download button.
Identify the path to your existing endpoint installation that you are about to upgrade (for example, /home/oracle/okvutil).
Install the endpoint software by executing the following command:
```
java -jar okvclient.jar -d existing_endpoint_directory_path
```
For example:
```
java -jar okvclient.jar -d /home/oracle/okvutil
```
If you are installing the okvclient.jar file on a Windows endpoint system that has Oracle Database release 11.2.0.4 only, then include the -db112 option. (This option is not necessary for any other combination of endpoint platform or Oracle Database version.) For example:
```
java -jar okvclient.jar -d /home/oracle/okvutil -v -db112
```
Install the updated PKCS#11 library file.
This step is needed only for online TDE master encryption key management by Oracle Key Vault. If an endpoint uses online TDE master encryption key management by Oracle Key Vault, then you must upgrade the PKCS#11 library while upgrading the endpoint software.
- On UNIX/Linux platforms: Run root.sh from the bin directory of endpoint installation directory to copy the latest liborapkcs.so file for Oracle Database endpoints.
```
$ sudo $OKV_HOME/bin/root.sh
```
  Or
```
$ su - root
# bin/root.sh
```
- On Windows platforms: Run root.bat from the bin directory of endpoint installation directory to copy the latest liborapkcs.dll file for Oracle Database endpoints. You will be prompted for the version of the database in use.
```
bin\root.bat
```
Update the SDK software.
Oracle recommends that you redeploy the SDK software in the same location after you complete the upgrade to Oracle Key Vault release 21.4. This enables you to have access to the new SDK APIs that were introduced since the Oracle Key Vault version that you are upgrading from.
1. Go to the Oracle Key Vault management console login screen.
2. Click the Endpoint Enrollment and Software Download link.
3. In the Download Software Development Kit section, select the appropriate language and platform for your site.
4. Click the Download button to get the SDK zip file.
5. Identify the existing location where SDK software was already deployed.
6. Navigate to the directory in which you saved the SDK zip file.
7. Unzip the SDK zip file.
  For example, on Linux, to unzip the Java SDK zip file, use the following command:
```
unzip -o okv_jsdk.zip -d existing_endpoint_sdk_directory_path
```
  For the C SDK zip file, use this command:
```
unzip -o okv_csdk.zip -d existing_endpoint_sdk_directory_path
```
8. Do not exit this page.
If you had deployed the RESTful services utility in the previous release, then re-deploy the latest okvrestclipackage.zip file.
The latest okvrestclipackage.zip file enables you to have access to the new RESTful services utility commands that were introduced since the Oracle Key Vault version that you are upgrading from.
You can use wget or curl to download okvrestclipackage.zip.
```
wget --no-check-certificate https://Oracle_Key_Vault_IP_address:5695/okvrestclipackage.zip

curl -O -k https://Oracle_Key_Vault_IP_address:5695/okvrestservices.jar
```
Restart the endpoint if it was shut down.
At this stage, the endpoint will be fully upgraded.
If your site requires that you restrict TDE master encryption keys from leaving Oracle Key Vault and if you are using an Oracle Real Application Clusters (Oracle RAC) environment, then perform the following steps on each Oracle RAC node:
1. Perform the endpoint upgrade on each Oracle RAC node.
2. Set the extractable attribute value for symmetric keys.
  By default, the extractable attribute value is true, which means that the key material of symmetric keys can be extracted from Oracle Key Vault during certain operations. If you want to prevent symmetric keys from being extracted, then you must set this value to false. You can set an extractable attribute value as follows:
  - Set the default value for the extractable attribute of new symmetric keys in the endpoint settings. Endpoint-specific setting overrides the global endpoint settings.
  - Explicitly specify the value of the extractable attribute when creating or registering a new symmetric key.
  - Modify the extractable attribute of an existing symmetric key.
  See Oracle Key Vault Administrator's Guide.
3. As a user who has the SYSDBA or SYSKM administrative privilege, perform a rekey operation in the Oracle RAC node. Use the following syntax:
```
ADMINISTER KEY MANAGEMENT SET [ENCRYPTION] KEY 
[FORCE KEYSTORE]
[USING TAG 'tag_name'] 
IDENTIFIED BY [EXTERNAL STORE | keystore_password] 
[WITH BACKUP [USING 'backup_identifier']];
```
  See Oracle Database Advanced Security Guide for more information about rekeying a TDE master encryption key.
If your site requires that you restrict TDE master encryption keys from leaving Oracle Key Vault and if you are using an Oracle Data Guard environment, then do the following on the primary and standby databases:
1. Perform the endpoint upgrade on the primary and standby databases.
2. Set the extractable attribute value for symmetric keys.
  By default, the extractable attribute value is true, which means that the key material of symmetric keys can be extracted from Oracle Key Vault during certain operations. If you want to prevent symmetric keys from being extracted, then you must set this value to false. You can set an extractable attribute value as follows:
  - Set the default value for the extractable attribute of new symmetric keys in the endpoint settings. Endpoint-specific setting overrides the global endpoint settings.
  - Explicitly specify the value of the extractable attribute when creating or registering a new symmetric key.
  - Modify the extractable attribute of an existing symmetric key.
  See Oracle Key Vault Administrator's Guide.
3. As a user who has the SYSDBA or SYSKM administrative privilege, perform a rekey operation in the primary and standby databases.
```
ADMINISTER KEY MANAGEMENT SET [ENCRYPTION] KEY 
[FORCE KEYSTORE]
[USING TAG 'tag_name'] 
IDENTIFIED BY [EXTERNAL STORE | keystore_password] 
[WITH BACKUP [USING 'backup_identifier']];
```
  See Oracle Database Advanced Security Guide for more information about rekeying a TDE master encryption key.

Related Topics

Oracle Key Vault Administrator's Guide

Parent topic: Upgrading Oracle Key Vault from Release 18.x in a Multi-Master Cluster Environment

5.8 Step 6: If Necessary, Add Disk Space to Extend Swap Space

If necessary, extend the swap space on each node. Oracle Key Vault release 21.5 requires a hard disk size greater than or equal to 1 TB in size with approximately 64 GB of swap space.

If your system does not meet this requirement, follow these instructions to extend the swap space. You can check how much swap space you have by running the swapon -s command. By default, Oracle Key Vault releases earlier than release 18.1 were installed with approximately 4 GB of swap space. After you complete the upgrade to release 18.1 or later, Oracle recommends that you increase the swap space allocation for the server on which you upgraded Oracle Key Vault. A new Oracle Key Vault installation is automatically configured with sufficient swap space. However, if you upgraded from a previous release, and your system does not have the desired amount of swap space configured, then you must manually add disk space to extend the swap space, particularly if the intention is to convert the upgraded server into the first node of a multi-master cluster.

Log in to the server in which you upgraded Oracle Key Vault and connect as root.
Check the current amount of swap space.
```
[root@my_okv_server support]# swapon -s
```
Output similar to the following appears. This example shows that the system has 4 GB of swap space.
```
Filename Type Size Used Priority
/dev/dm-0 partition 4194300 3368 -1
```
There must be 64 GB of swap space if the disk is greater than 1 TB in size.
Run the vgs command to determine how much free space is available.
```
vgs
```
The VFree column shows how much free space you have (for example, 21 GB).
Power off the server in order to add a new disk.
```
/sbin/shutdown -h now
```
Add a new disk to the server of a size that will bring the VFree value to over 64 GB.
Start the server.
Log in to the Oracle Key Vault server through SSH as user support, then switch user su to root.
```
ssh support@okv_server_IP_address
su - root
```
Run the fdisk -l command to find if there are any available partitions on the new disk.
```
fdisk -l
```
At this stage, there should be no available partitions.
Run the fdisk disk_device_to_be_added command to create the new partition.
For example, to create a disk device named /dev/sdc:
```
fdisk /dev/sdc
```
In the prompts that appear, enter the following commands in sequence:
- n for new partition
- p for primary
- 1 for partition number
- Accept the default values for cylinder (press Enter twice).
- w to write and exit
Use the pvcreate disk_device_partition command to add the newly added disk to the physical volume.
For example, for a disk device named /dev/sdc1, which is the name of the disk partition that you created (based on the name used for the disk device that was added).
```
pvcreate /dev/sdc1
```
Output similar to the following appears:
```
Physical volume "/dev/sdc1" successfully created
```
Use the vgextend vg_root disk_device_partition command to extend the logical volume with this disk space that you just added.
For example, for the partition /dev/sdc1, you would run:
```
vgextend vg_root /dev/sdc1
```
Output similar to the following appears:
```
Volume group "vg_root" successfully extended
```
Run the vgs command again to ensure that VFree shows an increase of 64 GB.
```
vgs
```

Disable swapping.

[root@my_okv_server support]# swapoff -v /dev/vg_root/lv_swap

To extend the swap space, run the lvresize command.

[root@my_okv_server support]# lvresize -L +60G /dev/vg_root/lv_swap

Output similar to the following appears:

Size of logical volume vg_root/lv_swap changed from 4.00 GiB (128 extents) to 64.00 GiB (2048 extents)
Logical volume lv_swap successfully resized.

Format the newly added swap space.

[root@my_okv_server support]# mkswap /dev/vg_root/lv_swap

Output similar to the following appears:

mkswap: /dev/vg_root/lv_swap: warning: don't erase bootbits sectors
on whole disk. Use -f to force.
Setting up swapspace version 1, size = 67108860 KiB
no label, UUID=fea7fc72-0fea-43a3-8e5d-e29955d46891

Enable swapping again.

[root@my_okv_server support]# swapon -v /dev/vg_root/lv_swap

Verify the amount of swap space that is available.

[root@my_okv_server support]# swapon -s

Output similar to the following appears:

Filename Type Size Used Priority 
/dev/dm-0 partition 67108860 0 -1

Restart the Oracle Key Vault server.
```
/sbin/reboot
```
For primary-standby deployments, ensure that the primary and standby nodes sync up before proceeding further with next steps.

Parent topic: Upgrading Oracle Key Vault from Release 18.x in a Multi-Master Cluster Environment

5.9 Step 8: If Necessary, Remove Old Kernels

For each multi-master cluster node, Oracle recommends that you clean up the older kernels that were left behind after the upgrade.

While the older kernel is not in use, it may be marked as an issue by some code analysis tools.

Log in to the Oracle Key Vault server as the support user.
Switch to the root user.
```
su - root
```
Mount /boot if it was not mounted on the system.
1. Check if the /boot is mounted. The following command should display /boot information if it was mounted.
```
df -h /boot;
```
2. Mount it if /boot is not mounted.
```
/bin/mount /boot;
```
Check the installed kernels and the running kernel.
1. Search for any kernels that are installed.
```
rpm -q kernel-uek | sort;
```
  The following example output shows that two kernels are installed:
```
kernel-uek-4.14.35-2047.504.2.el7uek.x86_64 
kernel-uek-5.4.17-2136.304.4.5.el7uek.x86_64
```
2. Check the latest kernel.
```
uname -r;
```
  The following output shows an example of a kernel version that was installed at the time:
```
5.4.17-2136.304.4.5.el7uek.x86_64
```
```
# uname-r
```
```
5.4.17-2136.304.4.5.el7uek.x86_64
```
  This example assumes 5.4.17-2136.304.4.5.el7uek.x86_64 as the latest version (newer versions may be available by now). Based on the output from the commands above, remove the older kernel (kernel-uek-4.14.35-2047.504.2.el7uek.x86_64). You should remove all kernels that are older than the latest kernel.

Remove the older kernel and its associated RPMs.

For example, to remove the kernel-uek-4.14.35-2047.504.2.el7uek.x86_64 kernel:

yum --disablerepo=* remove `rpm -qa|grep 4.14.35-2047.504.2.el7uek`

Output similar to the following appears:

  Resolving Dependencies
-->   Running transaction check
---> Package kernel-uek.x86_64 0:4.14.35-2047.504.2.el7uek will be erased
---> Package kernel-uek-devel.x86_64 0:4.14.35-2047.504.2.el7uek will be erased
--> Finished Dependency Resolution

Dependencies Resolved

=================================================================================================================
 Package               Arch        Version                           Repository                          Size
=================================================================================================================
Removing:
 kernel-uek          x86_64         4.14.35-2047.504.2.el7uek       @anaconda/7.7                        58 M
 kernel-uek-devel    x86_64         4.14.35-2047.504.2.el7uek       @avs-ol-dependencies                 63 M

Transaction Summary
=================================================================================================================
Remove        2 Package(s)

Installed size: 121 M
Is this ok [y/N]:

Enter y to accept the deletion output.
Repeat these steps starting with Step 4 for all kernels that are older than the latest kernel.

Parent topic: Upgrading Oracle Key Vault from Release 18.x in a Multi-Master Cluster Environment

5.10 Step 9: If Necessary, Remove SSH-Related DSA Keys

For each multi-master cluster node, you should remove SSH-related DSA keys left behind after the upgrade, because they can cause problems with some code analysis tools.

Log in to the Oracle Key Vault management console as a user with the System Administrator role.
Enable SSH.

Log in to the Oracle Key Vault management console as a user who has the System Administrator role. Select the System tab, then Settings. In the Network Details area, click SSH Access. Select IP address(es) and then enter only the IP addresses that you need, or select All. Click Save.
Login to the Oracle Key Vault support account using SSH.
```
ssh support@OracleKeyVault_serverIPaddress
```
Switch to the root user.
```
su - root
```
Change directory to /etc/ssh.
```
cd /etc/ssh
```

Rename the following keys.

mv ssh_host_dsa_key.pub ssh_host_dsa_key.pub.retire
mv ssh_host_dsa_key ssh_host_dsa_key.retire

Disable SSH access.

Log in to the Oracle Key Vault management console as a user who has the System Administrator role. Select the System tab, then Settings. In the Network Details area, click SSH Access. Select Disabled. Click Save.

Parent topic: Upgrading Oracle Key Vault from Release 18.x in a Multi-Master Cluster Environment