Note | |
---|---|
Before starting the upgrade, make backups of all configuration files where you have made modifications. |
When upgrading a maintenance release of Tectia Server on Windows, usually no rebooting of the computer is needed. Check the release notes to see if the current Server release can be upgraded without reboot. On Unix, upgrading does not require a reboot.
If you are running both Tectia Client and Tectia Server on the same machine, install the same release of each Tectia product, because there are dependencies between the common components.
Check if you have some Secure Shell software, for example earlier versions of Tectia products or OpenSSH server or client, running on the machine where you are planning to install the new Tectia versions.
Before installing Tectia Server on Unix platforms, stop any OpenSSH servers running on port 22, or change their listener port. You do not need to uninstall the OpenSSH software.
When upgrading on SUSE, also install the prerequisite packages:
# zypper install insserv-compat
The following table shows you which Tectia versions you need to uninstall before you can upgrade to Tectia Server 6.6. When upgrading versions marked upgrade on top, the earlier version is automatically removed during the upgrade procedure.
Table 2.2. Upgrade lines
Tectia version | AIX | HP-UX | Linux | Solaris | Windows |
---|---|---|---|---|---|
4.x | remove | remove | remove | remove | remove |
5.x-6.0 | upgrade on top | upgrade on top | upgrade on top | remove | remove |
6.1-6.6 | upgrade on top | upgrade on top | upgrade on top | remove | upgrade on top |
The configuration file format and file locations have been changed in Tectia Server 5.0 and the Unix DTD directories in version 6.2. Because of this, the configuration files behave differently when upgrading from 4.x and from 5.x-6.1 compared to when upgrading from 6.2 and later versions.
The 6.2-6.x configuration files are used by 6.6 as such and automatically taken into use.
Note | |
---|---|
Any explicitly configured settings, for example Ciphers, MACs and KEXs will be retained when upgrading. These might include insecure algorithms such as SHA-1 in KEX, or in host key or public-key signature algorithms. Also, for example the Post Quantum Cryptography (PQC) Hybrid Key Exchange algorithms, that require the Tectia Quantum Safe Edition license, need to be prepended to any explicit KEX configuration(s) when upgrading from Tectia version 6.5 and below. Alternatively, the explicit configuration settings, for example all KEX algorithms, can be removed from the configuration to use the 6.6 defaults or the PQC hybrid KEX can be enforced. |
The 5.x-6.1 configuration files are used by 6.6 as such and on Windows platforms automatically taken into use.
Note | |
---|---|
Any explicitly configured settings, for example Ciphers and MACs will
be retained when upgrading. These might include insecure algorithms.
In Tectia 6.1 and earlier on Unix the default auxiliary data directory
|
The 4.x configuration files are not migrated to 6.6, but the default 6.6 configuration is used. However, the connection profiles are migrated from 4.x to 6.6 on Windows platforms.
When necessary, you can modify the configuration files by using the Tectia Connections Configuration GUI or by editing the
XML configuration files manually with an ASCII text editor or an XML editor.
Please see example files ssh-server-config-example.xml
for
Tectia Server and ssh-broker-config-example.xml
for Tectia Client.
When upgrading a previously installed version of Tectia Server on Windows, the access permissions for existing configuration files will be checked during the upgrade installation.
The access permissions for the ssh-server-config.xml
configuration file
should be as follows:
The owner of the file is a member of the Administrators group.
Only Administrators and SYSTEM may have full control of the file.
Users are not allowed to modify the file.
Other accounts do not have access to the file.
If the access permissions are not safe, you will see the Configuration File Permissions dialog box during the upgrade installation. Do one of the following:
Reset the permissions for the configuration file to the default safe state and continue with the installation. (Recommended)
Ignore the incorrect permissions and continue with the installation without fixing the permissions. Note that if you decide to do this, the server might not be able to start. You can fix the permissions manually later.
Cancel the installation.
Note | |
---|---|
Your previous installation of Tectia Server has already been removed, so if you cancel the installation, your machine will be left with no version of Tectia Server installed. |
When doing a silent upgrade on Windows (see also Silent Installation)
using the /q
command-line option for msiexec.exe
, the
access permissions of an existing Tectia Server configuration file are checked. (The correct
configuration file access permissions are described in
Configuration File Access Permissions on Windows.) If the access permissions are incorrect, the
server will, by default, be uninstalled.
To override the default behavior, specify the desired value (1
or
2
) for the SSHMSI_SSH_FILE_PERMISSIONS
property of the
MSI installation package. Possible values are:
Cancel
or 0
(default)
– abort the installation.
Reset
or 1
(recommended)
– reset the configuration file access permissions to the default state.
Ignore
or 2
– continue the installation without
modifying configuration file access permissions. Note that in this case the server and
configuration utility may not be able to start until you fix the access permissions
manually.
The following command can be used to upgrade Tectia Server silently in the default installation directory, resetting the configuration file access permissions to the default state:
msiexec /q /i ssh-tectia-server-<v>
-windows-<p>
.msi SSHMSI_SSH_FILE_PERMISSIONS=1
In the command, <v>
is the current version of
Tectia Server (for example, 6.6.5.123
), and <p>
is the platform architecture
(x86_64
for 64-bit Windows versions).