Security

Hi team

Existing Cluster of CPPM 6.10 and we will migrate them to 6.11

Already have 2 new VM's with 6.11.10 and all the configuration , Certificates and licenses restored from the "production CPPM"

at the end of the week we are going to stop the current CPPM and change the new CPPM IP's to match the old ones

we have all prepared , and a tac openned with licensing team.

My only dought here is, can we activate the licenses on the new ones ( offline with tac, since CPPM does not have internet access) before the migration ? 

Without affecting the production ones?

Regards

Hi team

Existing Cluster of CPPM 6.10 and we will migrate them to 6.11

Already have 2 new VM's with 6.11.10 and all the configuration , Certificates and licenses restored from the "production CPPM"

at the end of the week we are going to stop the current CPPM and change the new CPPM IP's to match the old ones

we have all prepared , and a tac openned with licensing team.

My only dought here is, can we activate the licenses on the new ones ( offline with tac, since CPPM does not have internet access) before the migration ? 

Without affecting the production ones?

Regards

Hi

Activating the license for 6.11 will not affect the 6.10 servers in any aspect.

Keep in mind that changing the IP addresses of ClearPass servers will make the database certificate invalid. From 6.11 the server will generate a new database certificate with the new IP address, if the database certificate is a self signed certificate. If it's signed by a CA it must be replaced manually. The generation of a new database certificate can take some time before it has taken effect.

Also changing IP address may cause the cluster replication to stop, and you may need to join the subscriber again to the cluster.

Hi team

Existing Cluster of CPPM 6.10 and we will migrate them to 6.11

Already have 2 new VM's with 6.11.10 and all the configuration , Certificates and licenses restored from the "production CPPM"

at the end of the week we are going to stop the current CPPM and change the new CPPM IP's to match the old ones

we have all prepared , and a tac openned with licensing team.

My only dought here is, can we activate the licenses on the new ones ( offline with tac, since CPPM does not have internet access) before the migration ? 

Without affecting the production ones?

Regards

Hi Thanks 

are you talking HTTPS certificates or database ones?

Hi

Activating the license for 6.11 will not affect the 6.10 servers in any aspect.

Keep in mind that changing the IP addresses of ClearPass servers will make the database certificate invalid. From 6.11 the server will generate a new database certificate with the new IP address, if the database certificate is a self signed certificate. If it's signed by a CA it must be replaced manually. The generation of a new database certificate can take some time before it has taken effect.

Also changing IP address may cause the cluster replication to stop, and you may need to join the subscriber again to the cluster.

Hi team

Existing Cluster of CPPM 6.10 and we will migrate them to 6.11

Already have 2 new VM's with 6.11.10 and all the configuration , Certificates and licenses restored from the "production CPPM"

at the end of the week we are going to stop the current CPPM and change the new CPPM IP's to match the old ones

we have all prepared , and a tac openned with licensing team.

My only dought here is, can we activate the licenses on the new ones ( offline with tac, since CPPM does not have internet access) before the migration ? 

Without affecting the production ones?

Regards

Hi team

Existing Cluster of CPPM 6.10 and we will migrate them to 6.11

Already have 2 new VM's with 6.11.10 and all the configuration , Certificates and licenses restored from the "production CPPM"

at the end of the week we are going to stop the current CPPM and change the new CPPM IP's to match the old ones

we have all prepared , and a tac openned with licensing team.

My only dought here is, can we activate the licenses on the new ones ( offline with tac, since CPPM does not have internet access) before the migration ? 

Without affecting the production ones?

Regards

As was mentioned, activating the licenses on the 6.11 systems will not effect the 6.10 cluster, and since so many upgrades are taking place lately, they have made is so that TAC is not required to reactivate. 

Before taking the final TIPS backup from your 6.10 publisher to be restored to the 6.11 publisher, be sure to disable Standby publisher if configured in 6.10.  Also, any self-signed certificates on the 6.11 nodes will need to be updated since their IP address is included as a SAN name, and the HTTPS(ECC) cert should likely be disabled.  As others have stated, changing the IP would require that you reform the cluster, so for that reason you wouldn't want to join the 6.11 subscriber until after the IPs have been updated.

Once the 6.11 cluster is formed, server specific settings on the publisher and subscriber will need to be configured to match those in 6.10, including any non-default service parameters, and re-enabling the VIP if present. 

Another consideration is, if you had purchased a custom skin from Aruba, that is tied to your HPe/Passport account, so you would want to be sure to generate a token in Software Updates with the associated account, and install the custom skin before restoring the TIPs configuration and forming the 6.11 cluster.  Failure to do so will change any guest pages using the custom skin to one of the built-in skins.

Original Message:
Sent: Feb 17, 2025 05:51 AM
From: beconnect
Subject: CPPM migration to 6.11 - licensing

Hi team

Existing Cluster of CPPM 6.10 and we will migrate them to 6.11

Already have 2 new VM's with 6.11.10 and all the configuration , Certificates and licenses restored from the "production CPPM"

at the end of the week we are going to stop the current CPPM and change the new CPPM IP's to match the old ones

we have all prepared , and a tac openned with licensing team.

My only dought here is, can we activate the licenses on the new ones ( offline with tac, since CPPM does not have internet access) before the migration ? 

Without affecting the production ones?

Regards