Backup
Immediately before starting the upgrade, make a backup of these items:
- Your Keyfactor Command SQL database
- Your SQL server Service Master Key (SMK) and/or Database Master Key (DMK), if needed (see Important note)
  Important: If you plan to migrate your Keyfactor Command implementation to a different SQL server during the upgrade, you need a thorough understanding of how Keyfactor Command uses the SMK and DMK. Review the data in SQL Encryption Key Backup and make appropriate plans before beginning your upgrade. If you plan to stay on the same SQL instance for the upgrade, you don't necessarily need to back up the SMK or DMK immediately before starting the upgrade. These can be backed up as part of your normal disaster recovery planning process. Failing to back up the SMK and/or DMK will result in data loss and require manual re-entry of any secret data into Keyfactor Command if the Keyfactor Command database needs to be restored from a backup to a SQL instance other than the original installed instance of SQL server.
  Note: For more information about how Keyfactor Command uses the SMK and DMK and how to back these up, see SQL Encryption Key Backup in the Keyfactor Command Reference Guide. For more details on the mechanics of SQL Server Encryption and related disaster recovery procedures, see the SQL Server documentation.
- If you’re using Keyfactor Command application-level encryption, back up your encryption certificate, with private key, or raw AES key (see below).
  Keyfactor Command allows you to encrypt select sensitive data stored in the Keyfactor Command database using a separate encryption methodology. This Keyfactor Command application-level encryption utilizes either a Keyfactor-defined certificate or a raw AES key on top of the SQL server encryption noted above. This additional layer of encryption protects the data in cases where the SQL Server master keys cannot be adequately protected. More information is provided in SQL Server.
- Back up the NLog configuration file for each application to be upgraded. The location of this file varies depending on the application in question. For older versions of the Keyfactor Command server, it can be found in one of these locations:
    C:\Program Files\Common Files\Certified Security Solutions\Certificate Management System\NLog.config
    C:\Program Files\Common Files\Keyfactor\Keyfactor Platform\NLog.config
  More recent versions of Keyfactor Command separate the NLog configuration into multiple files, with these locations, by default:
    C:\Program Files\Keyfactor\Keyfactor Platform\Configuration\NLog_Configuration.config
    C:\Program Files\Keyfactor\Keyfactor Platform\KeyfactorAPI\NLog_KeyfactorAPI.config
    C:\Program Files\Keyfactor\Keyfactor Platform\Service\NLog_TimerService.config
    C:\Program Files\Keyfactor\Keyfactor Platform\WebAgentServices\NLog_Orchestrators.config
    C:\Program Files\Keyfactor\Keyfactor Platform\WebAPI\NLog_ClassicAPI.config
    C:\Program Files\Keyfactor\Keyfactor Platform\WebConsole\NLog_Portal.config
- Make a backup of the Logi configuration file, which is found here by default:
    C:\Program Files\Keyfactor\Keyfactor Platform\Logi\_Definitions\_Settings.lgx
- If you have any custom extension handlers (e.g. auto-registration, alert events), make a backup of these.
- If you have any other text-based configuration files that have been modified (this is most common for users who have enabled a third-party PAM provider such as CyberArk), make a backup of these.
- If you're using a custom logo for your Management Portal, make a backup of this image. This file can be found here, by default:
    C:\Program Files\Keyfactor\Keyfactor Platform\WebConsole\Images\Banner.png
- Review the authentication settings you have configured in IIS for each of the Keyfactor Command applications under the Default Web Site (or other web site if you've installed elsewhere) and make notes as to how they are configured so that you can confirm that the configuration is the same following upgrade.
- If you’re using a virtualization solution for your Keyfactor Command application server(s), back up each virtual server as an image.
- If you are using a version of Keyfactor Command older than 6 and have existing SSL scans, export them to a file using the following script prior to upgrading. Replace the example data with the information relevant to your environment. This step is not necessary if you're upgrading from release version 6 or later.

    # Update with your SQL server name
    $connectionString = "Data Source=SQLServerName;Integrated Security=SSPI;Initial Catalog=KeyfactorDB"
    $connection = New-Object System.Data.SqlClient.SqlConnection($connectionString)
    $connection.Open()

    # Password can be read from an encrypted file which can be secured as follows:
    # Create a password file while logged in as the service account that will run this script:
    # $credential = Get-Credential
    # $credential.Password | ConvertFrom-SecureString | Set-Content C:\Keyfactor\PowerShell\encrypted_password1.txt
    # use the code below for the credentials
    #$password = Get-Content C:\Keyfactor\PowerShell\encrypted_password1.txt | ConvertTo-SecureString
    #comment out the below line if using secure credentials
    $password = "MySuperSecretPassowrd" | ConvertTo-SecureString -AsPlainText -Force

    #Update with the credentials for your environment
    $username = "KEYEXAMPLE\MyUser"
    $credential = New-Object System.Management.Automation.PSCredential($username, $password)
    # $password is a SecureString, so read the plain-text value back from the credential for the Basic header
    $passphrase = $username + ":" + $credential.GetNetworkCredential().Password
    $fileName = "DiscoveryGroupsExported.txt"

    #The name of the agent in your environment
    $AgentName = "kyfagent1.keyexample.com"

    #Update with the URLs for your environment.
    #These requests carry credentials; use https:// URLs where the server has a TLS binding.
    $kyfAgentUrl = "http://kyfagent1.keyexample.com/CMSAPI/SSL/1/Agents"
    $kyfGroupUrl = "http://kyfagent1.keyexample.com/CMSAPI/SSL/1/AddEndpointGroup"
    $kyfEndpointUrl = "http://kyfagent1.keyexample.com/CMSAPI/SSL/1/AddEndpoint"

    $Bytes = [System.Text.Encoding]::Unicode.GetBytes($passphrase)
    $EncodedText = [Convert]::ToBase64String($Bytes)
    $headers = @{"Authorization" = "Basic $EncodedText";
                 "Content-Type" = "application/json;" }

    $responseAgent = Invoke-RestMethod -Method Get -Uri $kyfAgentUrl -Headers $headers -Credential $credential
    if ($responseAgent)
    {
        write-host $responseAgent.Name.ToLower()
        if ($responseAgent.Name.ToLower() -eq $AgentName.ToLower())
        {
            $AgentGUID = $responseAgent.Guid
        }
        write-host $AgentGUID
        $kyfEndpointGroups = "http://kyfagent1.keyexample.com/CMSAPI/SSL/1/EndpointGroups?agentId=$AgentGUID"
        write-host $kyfEndpointGroups
        $responseEndpointGroups = Invoke-RestMethod -Method Get -Uri $kyfEndpointGroups -Headers $headers -Credential $credential
        if ($responseEndpointGroups)
        {
            foreach($res in $responseEndpointGroups)
            {
                write-host $res.Name
                $GroupName = $res.Name
                #write-host $res.guid
                $GroupGuid = $res.Guid
                $sql = "SELECT VALUE, TypeID FROM cms_agents.SslEndpointGroupItems WHERE GroupID = '$GroupGuid'"
                #write-host $sql
                $command = New-Object System.Data.SqlClient.SqlCommand($sql,$connection)
                $reader = $command.ExecuteReader()
                while ($reader.Read())
                {
                    $value = ""
                    $typeId = ""
                    $value = $reader["Value"]
                    $typeId = $reader["TypeId"]
                    # Append one line per group item to the export file
                    Add-Content $fileName "$GroupName,$GroupGuid,$value,$typeId"
                }
                $reader.Close()
            }
        }
    }
    else
    {
        write-host "Agent not found."
    }
    $connection.Close()

  The resulting text file will contain the network definitions you currently have and can be opened in Excel. When Keyfactor Command has been upgraded, you can copy and paste from the file into the newly defined Networks that replace the previous Discovery and Monitoring groups.
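
The fixed-path items in the list above (NLog, Logi and logo files) and the IIS authentication review can be captured in one pass. The following PowerShell is an added example, not Keyfactor-supplied code; it assumes the default install paths listed above, the WebAdministration module, and a hypothetical destination folder `D:\KeyfactorPreUpgrade`.

```powershell
# Added example (not Keyfactor-supplied). Run elevated on the Keyfactor Command server.
# Assumptions: default install paths from the list above; $BackupRoot is a hypothetical destination.
$BackupRoot = "D:\KeyfactorPreUpgrade\$(Get-Date -Format 'yyyyMMdd-HHmmss')"
$SiteName   = 'Default Web Site'   # change if the applications live under another site
$base       = 'C:\Program Files\Keyfactor\Keyfactor Platform'

$files = @(
    'C:\Program Files\Common Files\Certified Security Solutions\Certificate Management System\NLog.config',
    'C:\Program Files\Common Files\Keyfactor\Keyfactor Platform\NLog.config',
    "$base\Configuration\NLog_Configuration.config",
    "$base\KeyfactorAPI\NLog_KeyfactorAPI.config",
    "$base\Service\NLog_TimerService.config",
    "$base\WebAgentServices\NLog_Orchestrators.config",
    "$base\WebAPI\NLog_ClassicAPI.config",
    "$base\WebConsole\NLog_Portal.config",
    "$base\Logi\_Definitions\_Settings.lgx",
    "$base\WebConsole\Images\Banner.png"
)

New-Item -ItemType Directory -Path $BackupRoot -Force | Out-Null

# Copy each file that exists (older and newer layouts differ), keeping the original
# folder structure, and record a SHA-256 hash so the copy can be verified later.
$manifest = foreach ($path in $files) {
    if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
        [pscustomobject]@{ Source = $path; Status = 'NotPresent'; SHA256 = $null }
        continue
    }
    $dest = Join-Path $BackupRoot ($path -replace '^[A-Za-z]:\\', '')
    New-Item -ItemType Directory -Path (Split-Path $dest -Parent) -Force | Out-Null
    Copy-Item -LiteralPath $path -Destination $dest
    $src = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
    $dst = (Get-FileHash -LiteralPath $dest -Algorithm SHA256).Hash
    [pscustomobject]@{ Source = $path; Status = if ($src -eq $dst) { 'Copied' } else { 'HashMismatch' }; SHA256 = $src }
}
$manifest | Export-Csv -Path (Join-Path $BackupRoot 'manifest.csv') -NoTypeInformation

# Snapshot the IIS authentication settings of every application under the site.
# Enabled is left empty when an authentication feature is not installed in IIS.
Import-Module WebAdministration
$authTypes = 'anonymousAuthentication', 'basicAuthentication', 'windowsAuthentication'
$authSnapshot = foreach ($app in Get-WebApplication -Site $SiteName) {
    foreach ($type in $authTypes) {
        $enabled = (Get-WebConfigurationProperty -PSPath 'IIS:\' -Location "$SiteName$($app.path)" `
            -Filter "system.webServer/security/authentication/$type" -Name enabled -ErrorAction SilentlyContinue).Value
        [pscustomobject]@{ Application = $app.path; AuthType = $type; Enabled = $enabled }
    }
}
$authSnapshot | Export-Csv -Path (Join-Path $BackupRoot 'iis-auth.csv') -NoTypeInformation
```

Re-running the IIS portion after the upgrade and comparing the two iis-auth.csv files with Compare-Object shows any authentication setting that changed. Custom extension handlers and other modified configuration files have no fixed path and still need to be added to `$files` by hand.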