Upgrade instructions version 3.x to 4.0.0
Replace etcd with Consul
Etcd support has been dropped in this version of the Security Proxy. Instead of etcd, the Security Proxy now depends on Consul.
Please check the requirements chapter for further instructions to install Consul.
Caching changes
The cache mechanism has changed from Infinispan to Redis. The Security Proxy no longer uses JGroups for cache replication in a clustered environment.
Adapt environment variables
Remove the following environment variables:
- HOST_IP
- HOSTNAME
- JGROUPS_REPLICATION_PORT
- JGROUPS_FAILURE_DETECTION_PORT
Add the following environment variable:
Install Redis
In order to run the Security Proxy you must have Redis configured and running.
Proxy changes
We have added more generic proxy support to the Security Proxy and thus we have replaced several environment variables in this release.
SSL configuration
| Old property name | New property name |
|---|---|
| SECURITY_PROXY_SSL_CERTIFICATE | SECURITY_PROXY_SSL_CERTIFICATE_DEFAULT |
| SECURITY_PROXY_SSL_CERTIFICATE_KEY | SECURITY_PROXY_SSL_KEY_DEFAULT |
Admin & Client backends
The client and admin backends are now handled by the transparent proxy functionality of the Security Proxy.
| Old property name | New property name |
|---|---|
| SECURITY_PROXY_BACK_END_TOKEN_SERVER_ADMIN_HOSTS | SECURITY_PROXY_BACK_END_TRANSPARENT_PROXIES_ADMIN_HOSTS |
| SECURITY_PROXY_BACK_END_TOKEN_SERVER_ADMIN_ALLOW | SECURITY_PROXY_BACK_END_TRANSPARENT_PROXIES_ADMIN_ALLOW |
| SECURITY_PROXY_BACK_END_TOKEN_SERVER_ADMIN_CONTEXT_ROOT | SECURITY_PROXY_BACK_END_TRANSPARENT_PROXIES_ADMIN_CONTEXT_ROOT |
| SECURITY_PROXY_BACK_END_TOKEN_SERVER_ADMIN_PROXY_SCHEME | SECURITY_PROXY_BACK_END_TRANSPARENT_PROXIES_ADMIN_PROXY_SCHEME |
NOTE: If the CONTEXT_ROOT and PROXY_SCHEME are not defined, you will need to add them as they are required for transparent proxies. The CONTEXT_ROOT should be set to /admin and the PROXY_SCHEME to http.
NOTE: For the client backend you can copy the ADMIN environment variables and change ADMIN to CLIENT and set /admin to /client in the CONTEXT_ROOT.
CIM & UMA backends
The CIM and UMA backends are now handled by the transparent proxy functionality of the Security Proxy.
| Old property name | New property name |
|---|---|
| SECURITY_PROXY_PROXY_CIM_BACKEND_HOSTS | SECURITY_PROXY_BACK_END_TRANSPARENT_PROXIES_CIM_HOSTS |
| SECURITY_PROXY_PROXY_CIM_ALLOW | SECURITY_PROXY_BACK_END_TRANSPARENT_PROXIES_CIM_ALLOW |
| SECURITY_PROXY_PROXY_CIM_PROXY_SCHEME | SECURITY_PROXY_BACK_END_TRANSPARENT_PROXIES_CIM_PROXY_SCHEME |
| SECURITY_PROXY_PROXY_CIM_SERVER_NAME | SECURITY_PROXY_BACK_END_TRANSPARENT_PROXIES_CIM_SERVER_NAME |
| SECURITY_PROXY_PROXY_CIM_SSL_CERTIFICATE | SECURITY_PROXY_SSL_CERTIFICATE_CIM |
| SECURITY_PROXY_PROXY_CIM_SSL_PRIVATE_KEY | SECURITY_PROXY_SSL_KEY_CIM |
NOTE: If the PROXY_SCHEME was not defined, you will need to add it as it is required for transparent proxies.
NOTE: For the UMA backend you can copy the CIM environment variables and change CIM to UMA in the environment variables.
Named routing
Named routing for resource gateways is no longer enabled or disabled by setting SECURITY_PROXY_SERVER_NAME_ROUTING. Instead, named routing for a resource gateway is enabled by setting SECURITY_PROXY_BACK_END_RESOURCE_GATEWAYS_<RGID>_SERVER_NAME to the domain you want this resource gateway to listen on. This functionality can be enabled or disabled per resource gateway (or transparent proxy).
SECURITY_PROXY_SERVER_NAME_ROUTING can be removed.
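The removals, renames and required additions listed on this page can be applied to a 3.x environment in one pass. The script below is an added example, not part of the Security Proxy documentation or product. It assumes the 3.x CLIENT and UMA variables follow the ADMIN and CIM rows of the tables, as the NOTEs describe; the names new_name, migrate and SAMPLE, and all sample values, are illustrative.

```python
import re
TP = "SECURITY_PROXY_BACK_END_TRANSPARENT_PROXIES_"
# Variables the upgrade notes say to remove.
REMOVED = {"HOST_IP", "HOSTNAME", "JGROUPS_REPLICATION_PORT",
           "JGROUPS_FAILURE_DETECTION_PORT", "SECURITY_PROXY_SERVER_NAME_ROUTING"}
# (old-name pattern, new-name template) taken from the three rename tables.
# Assumption: CLIENT and UMA follow the ADMIN and CIM rows, per the NOTEs.
RENAMES = [
    (r"SECURITY_PROXY_SSL_CERTIFICATE", "SECURITY_PROXY_SSL_CERTIFICATE_DEFAULT"),
    (r"SECURITY_PROXY_SSL_CERTIFICATE_KEY", "SECURITY_PROXY_SSL_KEY_DEFAULT"),
    (r"SECURITY_PROXY_BACK_END_TOKEN_SERVER_(ADMIN|CLIENT)_"
     r"(HOSTS|ALLOW|CONTEXT_ROOT|PROXY_SCHEME)", TP + r"\1_\2"),
    (r"SECURITY_PROXY_PROXY_(CIM|UMA)_BACKEND_HOSTS", TP + r"\1_HOSTS"),
    (r"SECURITY_PROXY_PROXY_(CIM|UMA)_(ALLOW|PROXY_SCHEME|SERVER_NAME)", TP + r"\1_\2"),
    (r"SECURITY_PROXY_PROXY_(CIM|UMA)_SSL_CERTIFICATE", r"SECURITY_PROXY_SSL_CERTIFICATE_\1"),
    (r"SECURITY_PROXY_PROXY_(CIM|UMA)_SSL_PRIVATE_KEY", r"SECURITY_PROXY_SSL_KEY_\1"),
]
# Constructed 3.x sample; host names and paths are placeholders.
SAMPLE = {
    "HOSTNAME": "proxy-1",
    "SECURITY_PROXY_SSL_CERTIFICATE_KEY": "/certs/default.key",
    "SECURITY_PROXY_BACK_END_TOKEN_SERVER_ADMIN_HOSTS": "ts.example.internal:8080",
    "SECURITY_PROXY_PROXY_CIM_BACKEND_HOSTS": "cim.example.internal:8080",
    "SECURITY_PROXY_PROXY_CIM_SSL_PRIVATE_KEY": "/certs/cim.key",
    "SECURITY_PROXY_SERVER_NAME_ROUTING": "true",
}

def new_name(old):
    """Return the 4.0.0 name for a 3.x variable, or the name unchanged."""
    for pattern, template in RENAMES:
        m = re.fullmatch(pattern, old)
        if m:
            return m.expand(template)
    return old

def migrate(env):
    """Map a 3.x environment dict to 4.0.0; returns (new_env, todo list)."""
    out = {new_name(k): v for k, v in env.items() if k not in REMOVED}
    todo = []
    for backend, root in (("ADMIN", "/admin"), ("CLIENT", "/client")):
        if TP + backend + "_HOSTS" in out:
            # Values the NOTE prescribes when these were never set in 3.x.
            out.setdefault(TP + backend + "_CONTEXT_ROOT", root)
            out.setdefault(TP + backend + "_PROXY_SCHEME", "http")
    for backend in ("CIM", "UMA"):
        # Required, but the notes give no value, so report instead of guessing.
        if TP + backend + "_HOSTS" in out and TP + backend + "_PROXY_SCHEME" not in out:
            todo.append(TP + backend + "_PROXY_SCHEME")
    return out, todo
```

Variables returned in the todo list are required by 4.0.0 but have no value given on this page, so they must be set by hand before starting the proxy.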