When SKFS is ready to level up.
For older versions of the StrongKey FIDO Server, upgrading to the current version (4.4.2) of the FIDO Server is possible through the use of the upgrade script. To upgrade, simply run the upgrade.sh script as the root user. A database backup is created during the script, but it is recommended to make another database backup with the command:
$shell > /usr/local/strongkey/mariadb-10.2.30/bin/mysqldump -u root -p skfs > skfs_backup.sql
Editing the upgrade script allows the user to configure details new updates or whether to upgrade to newer major versions of Payara or MariaDB.
The upgrade script configurables primarily include values added to the updated FIDO2 Server policy in newer updates. The following shows the configurables with brief explanations of each group: The RPNAME and RPID flags change the relying party id and name in the policy to be added to the fido_policies table in the database.
RPNAME=FIDOServer
RPID=strongkey.com
The following flags are used for both the new FIDO policy to be added in the database as well as inputs for the new JWT key generation script:
JWT_DN='CN=StrongKey KeyAppliance,O=StrongKey'
JWT_DURATION=30
JWT_KEYGEN_DN='/C=US/ST=California/L=Cupertito/O=StrongAuth/OU=Engineering'
JWT_CERTS_PER_SERVER=3
JWT_KEYSTORE_PASS=Abcd1234!
JWT_KEY_VALIDITY=365
SAKA_DID=1
As mentioned earlier, flags have been added to let the user decide whether to upgrade to a newer major version of Payara or MariaDB. These flags are set to update both by default.
UPDATE_GLASSFISH=Y
UPDATE_MARIADB=Y
The ROLLBACK flag maintains previous Payara and MariaDB versions by default. If set to 'N', the old versions will be deleted.
ROLLBACK=Y
Post-upgrade, if the previous version added new users to LDAP, those users will need to be added to the new LDAP groups:
FidoRegAuthorized
FidoSignAuthorized
FidoAuthzAuthorized
FidoAdminAuthorized
If SKFS is in a cluster configuration, the generated jwtsigningkeystore.bcfks and jwtsigningtruststore.bcfks must be copied to the other SKFS instances.