Upgrading PingFederate installations - PingFederate - 11.1

PingFederate Server

bundle
pingfederate-111
ft:publication_title
PingFederate Server
Product_Version_ce
PingFederate 11.1
category
Administrator
Audience
Capability
DeploymentMethod
Product
SingleSignonSSO
Software
SystemAdministrator
pf-111
pingfederate
ContentType_ce

When upgrading your PingFederate installation on Linux, you must use the Upgrade Utility. On Windows, you can use either the Upgrade Utility or the installer.

  • Read Upgrading PingFederate for an overview of the upgrade process.
  • Ensure that you are signed on to your server with appropriate privileges to install and run an application.

Choose the relevant procedure for your system to upgrade PingFederate.

Tip:

If you are upgrading a clustered PingFederate environment, start with the console node, and then upgrade the engine nodes.

Important:

All nodes must use the same version of PingFederate.

Upgrading PingFederate on Linux systems

You can use the Upgrade Utility on Linux servers to upgrade to the current version of PingFederate.

The Upgrade Utility migrates the existing versions of all PingFederate plugins by default. You can use the -c command line parameter to override the default behavior and install the latest versions of each plugin.

Upgrade results are contained in the <pf_install_target>/pingfederate/upgrade/log/upgrade.log file.

To use the Upgrade Utility on Linux servers to upgrade to the current version of PingFederate:

  1. Download the latest version of the PingFederate Server distribution.zip archive from the Ping Identity website.
  2. Extract the distribution .zip archive into the target installation directory.
  3. Stop PingFederate.
  4. On the command line, change the current directory to <pf_install>/upgrade/bin within the target installation and execute the following command:
    ./upgrade.sh <pf_install_source> [-l <newLicense>] [-c] [--release-notes-reviewed]

    where:

    <pf_install_source>
    The full or relative path of the base pingfederate directory where the existing PingFederate software is installed.
    Note:

    The pingfederate directory must exist by that name for the Upgrade Utility to function correctly.

    <newLicense>
    The optional path and file name of the license to use for the upgraded PingFederate version.
    Note:

    If your current license is valid, the Upgrade Utility automatically copies it from the source installation to the target installation, and you don't need to specify the <newLicense> parameter.

    If your license isn't valid, obtain a valid license file and specify its path and file name for this parameter.

    -c
    The optional parameter to run the tool in custom mode, which allows you to override newer default security settings (if any) and to upgrade to the newest version of each installed plugin.
    --release-notes-reviewed
    An optional parameter that indicates that you've already reviewed the release notes. This parameter prevents prompts during the upgrade that ask if you've read the release notes and the upgrade considerations.

    The command prompt displays messages indicating upgrade progress. The process is complete when the following message appears:

    Upgrade completed with [N] errors and [N] warnings

    If there are errors, scroll up the command window to see them and then correct the indicated problems. Errors during the upgrade should be rare but might include problems such as missing or malformed configuration files in the source installation. The messages are also logged to the upgrade.log file in the Upgrade Utility base directory.

  5. If you're using an older version of the Amazon Web Services (AWS) CloudHSM client:
    1. Update the CloudHSM client and the CloudHSM Software Library for Java to a supported version and restart the client.

      For more information, see System requirements.

    2. Copy <pf_install>/pingfederate/lib-ext/pf-aws-cloud-hsm-wrapper.jar to the JAVA_HOME/jre/lib/ext directory.
    3. Copy all of the files in the /opt/cloudhsm/java and /opt/cloudhsm/lib directories to the JAVA_HOME/jre/lib/ext directory.
  6. If you're upgrading a clustered PingFederate environment, repeat from step 1 to upgrade PingFederate on each engine node.
    Note:

    End users might experience disruptions while you upgrade your PingFederate environment.

  7. Start the new PingFederate installation.

    If you're upgrading a clustered PingFederate environment, start the new PingFederate instance on the console node.

    If you've configured single sign-on using OpenID Connect (OIDC) as the console authentication scheme and set the endpoint settings back to your PingFederate environment, start the new PingFederate instance on the console node and one of the engine nodes.

  8. Open the administrative console and verify the new installation.
  9. If you're upgrading a clustered PingFederate environment:
    1. Start the new installation on each engine node, and then ensure all nodes are shown on the System > Server > Cluster Management page.
    2. On the Cluster Management page, click Replicate Configuration.
  10. If PingFederate is running as a service, reconfigure the PingFederate service:
    1. Edit the <pf_install>/pingfederate/sbin/linux/pingfederate.service systemd unit file (see step 5 in Installing PingFederate > Installing on Linux manually).
    2. Edit the <pf_install>/pingfederate/sbin/linux/pingfederate SysV initialization script (see step 6 in Installing PingFederate > Installing on Linux manually).
  11. Although the upgrade utility automatically merges, migrates, and copies the language packs' .properties files into the upgraded PingFederate installation, verify the language packs in the upgrade installation by looking at the .properties files located in the upgraded <pf_install>/pingfederate/server/default/conf/language-packs directory.
    • Standard .properties files include pingfederate-email-messages.properties, pingfederate-messages.properties, and pingfederate-sms-messages.properties. During the upgrade, these files are migrated and merged into the upgraded PingFederate installation.
    • Localized .properties files (for example, pingfederate-messages_fr_CA.properties), are also migrated and merged into the upgraded PingFederate installation.
    • If the PingOne MFA or PingOne Protect integration kit was installed on PingFederate, you must manually migrate its .properties file after the upgrade.
    • All other .properties files in <pf_install>/pingfederate/server/default/conf/language-packs that don't fit the previous criteria are copied (not merged) into the upgraded PingFederate installation.

After upgrading PingFederate, perform the Post-upgrade tasks.

Upgrading PingFederate on Windows using the Upgrade Utility

Upgrade results are contained in the <pf_install_target>\pingfederate\upgrade\log\upgrade.log file.

Note:

If you used the server distribution .zip archive to install the previous version of PingFederate on Windows, you must use the Upgrade Utility to upgrade to the current version of PingFederate.

  1. Download the latest version of the PingFederate Server distribution .zip archive from the Ping Identity website.
    Note:

    The distribution .zip archive is identical for both Windows and Linux.

  2. Extract the distribution.zip archive into the target installation directory.
  3. Stop PingFederate.
  4. At the command prompt, change the current directory to <pf_install>\pingfederate\upgrade\bin within the target installation and enter the following command:
    upgrade <pf_install_source> [-l <newLicense>] [-c] [--release-notes-reviewed]

    where:

    <pf_install_source>
    The full or relative path of the base pingfederate directory where the existing PingFederate software is installed.
    Note:

    The pingfederate directory must exist by that name for the Upgrade Utility to function correctly.

    <newLicense>
    The optional path and file name of the license to use for the upgraded PingFederate version.
    Note:

    If your current license is valid, the Upgrade Utility automatically copies it from the source installation to the target installation, and you don't need to specify the <newLicense> parameter.

    If your license isn't valid, obtain a valid license file and specify its path and file name for this parameter.

    -c
    The optional parameter to run the tool in custom mode, which allows you to override newer default security settings (if any) and to upgrade to the newest version of each installed plugin.
    --release-notes-reviewed
    An optional parameter that indicates that you've already reviewed the release notes. This parameter prevents prompts during the upgrade that ask if you've read the release notes and the upgrade considerations.

    The command prompt displays messages indicating upgrade progress. The process is complete when the following message appears:

    Upgrade completed with [N] errors and [N] warnings

    If there are errors, scroll up the command window to see them and then correct the indicated problems. Errors during the upgrade should be rare but might include problems such as missing or malformed configuration files in the source installation. The messages are also logged to the upgrade.log file in the Upgrade Utility base directory.

  5. If you're upgrading a clustered PingFederate environment, repeat from step 1 to upgrade PingFederate on each engine node.
    Note:

    End users might experience disruptions while you upgrade your PingFederate environment.

  6. Start the new PingFederate installation.

    If you're upgrading a clustered PingFederate environment, start the new PingFederate instance on the console node.

    If you've configured single sign-on using OpenID Connect (OIDC) as the console authentication scheme and set the endpoint settings back to your PingFederate environment, start the new PingFederate instance on the console node and one of the engine nodes.

  7. Open the administrative console and verify the new installation.
  8. If you're upgrading a clustered PingFederate environment:
    1. Start the new installation on each engine node, and then go to System > Server > Cluster Management and ensure all nodes are shown.
    2. On the Cluster Management page, click Replicate Configuration.
  9. If PingFederate is running as a service, reinstall the service:
    1. Remove the existing PingFederate service.
    2. Install the new PingFederate service.
    3. For a clustered PingFederate environment, reinstall the PingFederate service on all nodes.
  10. Although the upgrade utility automatically merges, migrates, and copies the language packs' .properties files into the upgraded PingFederate installation, verify the language packs in the upgrade installation by looking at the .properties files located in the upgraded <pf_install>\pingfederate\server\default\conf\language-packs directory.
    • Standard .properties files include pingfederate-email-messages.properties, pingfederate-messages.properties, and pingfederate-sms-messages.properties. During upgrade, these files are migrated and merged into the upgraded PingFederate installation.
    • Localized .properties files (for example, pingfederate-messages_fr_CA.properties), are also migrated and merged into the upgraded PingFederate installation.
    • If the PingOne MFA or PingOne Protect integration kit was installed on PingFederate, you must manually migrate its .properties file after the upgrade.
    • All other .properties files in <pf_install>\pingfederate\server\default\conf\language-packs that don't fit the previous criteria are copied (not merged) into the upgraded PingFederate installation.

After upgrading PingFederate, perform the Post-upgrade tasks.

Upgrading PingFederate on Windows using the installer

Note:

If you used the PingFederate installer for Windows to install the previous version of PingFederate, you can use it to upgrade to the current version of PingFederate.

Upgrade results are contained in the upgrade.log file. If the upgrade succeeds, upgrade.log is located in <pf_install_target>\pingfederate\upgrade\log. If the upgrade fails, upgrade.log is located in <pf_install_target>.

The default location for <pf_install_target> is C:\Program Files\Ping Identity. You can change the location during the upgrade process.

Note:

The PingFederate installer for Windows doesn't support custom mode. If you want to override the newer default security settings or upgrade the OpenToken Adapter, use the PingFederate Upgrade Utility.

  1. Download the PingFederate installer for Windows from the Ping Identity website.
  2. Double-click the pingfederate-<version>.msi file to begin the upgrade.
  3. Follow the instructions in the PingFederate Setup Wizard to upgrade PingFederate.
    Screen capture of the Welcome page for the PingFederate installer for Windows

    Errors are rare but might include problems, such as missing or malformed configuration files in the source installation. If the upgrade tool reports an error, review the error messages in the upgrade.log file.

    Note:

    You can rerun the tool as many times as needed to correct any problems.

    When the tool completes the upgrade, it automatically starts the new PingFederate installation.

  4. If you're upgrading a clustered PingFederate environment, repeat from step 1 to upgrade PingFederate on each engine node.
    Note:

    End users might experience disruptions while you upgrade your PingFederate environment.

  5. Open the administrative console and verify the new installation.
  6. If you are upgrading a clustered PingFederate environment:
    1. Go to System > Server > Cluster Management and ensure all nodes are shown.
    2. On the Cluster Management page, click Replicate Configuration.

After upgrading PingFederate, perform the Post-upgrade tasks.