  • 1.  Testing CPPM 6.11 upgrade (VM)

    Posted Dec 22, 2023 10:31 AM

    Trying to figure out the best way to test the upgrade from 6.10 to 6.11 in a VM environment. Some questions I have:

    • When you restore the config, does it bring back the hostname/ip addresses? Or do you need to set up new/temporary ones?
    • If it does not import the old addresses, can you restore everything, then shut down/disconnect old VM and change IP/hostname of new VM?
    • If it does import the old IPs, I guess just change the old VM to different IPs in the event I need to get something from it?

    Even with notes and planning, I feel there's always something left behind that I would need to retrieve.

    TIA.



    ------------------------------
    ---
    °(((=((===°°°(((=================================
    ------------------------------


  • 2.  RE: Testing CPPM 6.11 upgrade (VM)

    Posted Dec 22, 2023 11:07 AM

    You will need to set the IP address on the new VM, because otherwise you can't connect to upload the backup to be restored. The backup will NOT restore the IP addresses, so if you have enough resources on your virtualization infrastructure, I would spin up the new 6.11 infrastructure on new IP addresses and in parallel to your current running 6.10. Then to move over you can change the IP addresses, or if you have all communication running to virtual IPs, disable the VIP on 6.10 then enable on 6.11 to have minimal downtime. And you have a smooth path back to the previous version. But shutting down the VMs and deploying new appliances on the same IP addresses works as well, just with a bit more downtime.

    In addition to the IP addressing, also licenses, server certificates and domain joins are not restored from a backup (and some more that I don't know by heart).



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 3.  RE: Testing CPPM 6.11 upgrade (VM)

    Posted Dec 22, 2023 11:12 AM

    Hi

    First just some answers on your questions:

    No, IP settings are not restored from the backup. This is not only true during the 6.11 migration, but always when you do a restore. Neither are settings like changed service parameters, hardening settings under the Network tab under server object or SNMP settings restored. In short, nothing configured under the server object is restored. Instead you need to change this manually.

    If you do as you propose in your second question, the server will need to update its database certificate, as the database certificate contains the IP of the management interface as a SAN in the form DNS:1.2.3.4.

    The update of the certificate is automatic but takes "some time" as the documentation states. Haven't timed this but maybe 10-20 minutes?

    Depending on your current environment there are several options how to plan the migration to 6.11. 

    I prefer to have a VIP address on each server and use this for authentication traffic. This way I can just move the VIP when I have tested the new server. This method will require additional port openings if the ClearPass server is behind a firewall.

    Other things not included in the backup are licenses and certificates, so these must be backed up and restored manually. The license can be activated on the new 6.11 server without contacting Aruba, as you need to do if the server is redeployed with the same version.

    You can find some discussions in the forum related to the 6.11 migration and different strategies.



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP 2023, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------
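
    Added example, not part of the thread or of any Aruba tooling: a shell check for whether a certificate's SAN list already carries the new management IP in the `DNS:<ip>` form described in the post above. It assumes the database certificate has been exported to a PEM file and that OpenSSL 1.1.1 or later is available; the function names are hypothetical and the sample certificate is constructed with documentation addresses.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes the certificate is available as
# a PEM file and OpenSSL 1.1.1+ is installed. Function names are hypothetical.

# Print one SAN entry per line, e.g. "DNS:192.0.2.10".
san_entries() {
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null |
        grep -v 'X509v3' | tr ',' '\n' |
        sed 's/^[[:space:]]*//; s/[[:space:]]*$//; /^$/d'
}

# Succeed only on an exact DNS:<ip> entry (192.0.2.1 must not match 192.0.2.10).
db_cert_matches_ip() {
    san_entries "$1" | grep -Fxq "DNS:$2"
}

# Print IPv4-looking DNS entries that are not the current management IP.
stale_ip_sans() {
    san_entries "$1" | grep -E '^DNS:([0-9]{1,3}\.){3}[0-9]{1,3}$' |
        grep -Fxv "DNS:$2" || true
}

# Return 0 = SAN carries the current IP, 1 = not updated yet, 2 = unreadable.
check_db_cert() {
    openssl x509 -in "$1" -noout >/dev/null 2>&1 ||
        { echo "UNREADABLE: $1"; return 2; }
    if db_cert_matches_ip "$1" "$2"; then
        echo "OK: SAN contains DNS:$2"
        return 0
    fi
    echo "STALE: no DNS:$2 in SAN; old entries: $(stale_ip_sans "$1" "$2" | tr '\n' ' ')"
    return 1
}

# Build a constructed sample certificate whose SAN holds DNS:<ip>.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=cppm-sample" \
        -keyout "$1.key" -out "$1" \
        -addext "subjectAltName=DNS:cppm.example.test,DNS:$2" 2>/dev/null
    rm -f "$1.key"
}

# Demo on constructed data: the certificate was issued for 192.0.2.10.
demo_dir=$(mktemp -d)
make_sample_cert "$demo_dir/db.pem" 192.0.2.10
check_db_cert "$demo_dir/db.pem" 192.0.2.10 || true   # before the IP change
check_db_cert "$demo_dir/db.pem" 192.0.2.20 || true   # after it, cert not yet updated
rm -rf "$demo_dir"
```

    Re-running `check_db_cert` against a fresh export until it returns 0 gives a measured answer to how long the automatic update takes in a given environment.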



  • 4.  RE: Testing CPPM 6.11 upgrade (VM)

    Posted Mar 05, 2024 11:05 AM
    Edited by su_A_ve Mar 05, 2024 11:05 AM

    I know this is a few months old, but the upgrade was deferred until March. I now have a new VM created with a different IP address. Some more questions:

    Test restore

    • Currently the new VM is up but GUI needs a license key. Can I simply use the existing license I'm using in the production CPPM or do I need an eval license?
    • I would then want to update it to the latest 6.11 version, before restoring anything else
    • I mostly would be able to see if any errors occurred with the restore, and also be able to time it, but not actually be able to test it.

    Production restore

    • I'll have a snapshot created on the new VM after upgrading to the latest version, and will roll it back before restoring during outage
    • If I want to keep the same IP address, I would down the old VM, then change the IP address here
    • Restore everything including certs - this should restore the DB cert which is tied to the old IP address

    Should this be sufficient?

    Current VM does not have a VIP. I think a suggestion is to add the old IP address as the VIP to the new VM. In this case, I wouldn't restore the DB cert?

    TIA.






  • 5.  RE: Testing CPPM 6.11 upgrade (VM)

    Posted Mar 06, 2024 06:56 AM

    Hi

    Yes you can use your old license key, as long as it is in the ClearPass NL format (version 6.8+). You can also activate the license even though the license is still in use on the old ClearPass server. This has been enabled to minimize at least some problems during this migration from earlier versions to 6.11.

    You have to have a valid support agreement for your servers and licenses and this support agreement must be added to the ASP site, or actually the current support portal HPE Networking Support.

    After you have performed the restore, you can perform test authentications by reconfiguring a test switch pointing to the new server IP addresses instead of your current production environment.

    If you keep the new server IP addresses, I prefer to utilize the old server IP addresses as VIP, and as you mention, you don't need to worry about the database certificate.



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 6.  RE: Testing CPPM 6.11 upgrade (VM)

    Posted Mar 07, 2024 02:26 PM

    To test the upgrade, I would join the AD domain. But before the cutover restore, I would leave the domain.

    Now, two more questions:

    • If I were to add the old IP address as a VIP, in order for commercial certs to continue to work, I would need to change the hostname to the original one, and point DNS to the new IP address, correct?
    • Given the above (and even if I just change the IP/hostname to the original one) should I wait to join the AD domain until the hostname and or IP are changed?

    Thanks again.


