Before upgrading

Before starting to upgrade the product, verify that your network has the minimum required supported versions of the operating system, product, and database.

Supported operating systems

To obtain an updated list of the supported operating systems, see Supported Operating Systems.

For a complete list of system requirements (disk spaces, temporary spaces and RAM usage), see HCL Workload Automation Detailed System Requirements.

Supported databases

For an up-to-date list of supported databases, see Supported Software.

Product level prerequisites for master domain manager and its backup, dynamic domain manager and its backup, and agents

Before you start the upgrade, verify that your environment has the required product level prerequisites. For a complete list of product level prerequisites, see HCL Workload Automation Detailed System Requirements.

User authorization requirements

Before starting to upgrade, verify that the user running the installation process has the following authorization requirements:
UNIX and Linux operating systems
root access
Windows operating system

If you set the Windows User Account Control (UAC), your login account must be a member of the Windows Administrators group or domain administrators group with the right Act as Part of the Operating System.

You must run the installation as administrator.

SSL mode configuration

If the HCL Workload Automation environment is configured in SSL mode, ensure one of the following conditions is met in the localopts file before you upgrade master domain manager, backup master domain manager, dynamic domain manager, or fault-tolerant agents to Version 10.2 or later:
  • the SSL Encryption Cipher parameter is set to TLSv1.2
  • If the SSL Encryption Cipher parameter is not used, but one of the following parameters is used:
    • ssl tls12 cipher
    • ssl tls11 cipher
    • ssl tls10 cipher
    ensure the parameter is set to HIGH.

Upgrading to 10.1 Fix Pack 1 or later using custom certificates

When upgrading to V10.1 Fix Pack 1 or later, the system modifies the server.xml file by introducing new multiple <jwtBuilder> and <mpJwt> elements. These elements are used by the HCL Workload Automation for JWT functionality, and they are identified by the following comments within the server.xml file:

<!-- Starting JWT Token configuration -->

<!-- JWT configuration for DA -->

The JWT feature uses the certificates deployed in WebSphere Application Server Liberty Base. For the new elements, use the label of the certificate stored in the <WA_DATA>/usr/servers/dwcServer/resources/security/TWSServerKeyFile.jks.

WebSphere Application Server Liberty Base does not enable you to sign-on with new JWT tokens. If you try to create a new API Key from the Dynamic Workload Console it fails.

To fix this issue do the following:

  • Update the <jwtBuilder> elements by modifying the *keyAlias* property to the correct value.
  • Provide additional configuration:
    • To verify the signature of a JWT received in a connection from another entity, WebSphere Application Server Liberty Base retrieves the public information associated to the certificate from the <WA_DATA>/usr/servers/engineServer/resources/security/{*}TWSServerTrustFile.jks{*} file. You can find the public information in the *keyName=”${mp.jwt.trust.key}”* property within the <mpJwt> elements. These elements uses a variable which is declared within the new jwt_variables.xml file that appears in the overrides folder after the upgrade:

      <server description=”jwt_variables”>

      <variable name=”mp.jwt.trust.key” value=”{*}twstrustkey{*}”/>

      </server>

    • Specify the default twstrustkey value. Add the public information only of the custom certificate in the TWSServerTrustFile.jks file (overwriting the already existing one).
    • Alternatively, it is possible to add it as a new entry with a new label, ensure to update the jwt_variables.xml file accordingly.

      For further information, see Enabling API Key authentication after upgrading.

      Note:

      The Agent must have the public information associated to the certificate used by the MDM when creating a new JWT, as the Agent also needs to verify the signature of a JWT received from the MDM.

      Therefore, it is required to also add the public information only of the custom certificate of the MDM (the file that was added in the TWSServerTrustFile.jks file on the MDM) in the TWSClientKeyStore.kdb file of the Agent.

Downloading installation images

Before starting to upgrade, download the installation images. For further information, see Downloading installation images on your workstation