Upgrade instructions version 3.x to 4.0.0
Replace etcd with Consul
Etcd support has been dropped in this version of the Security Proxy. Instead of etcd, the Security Proxy now depends on Consul.
Please check the requirements chapter for further instructions to install Consul.
Caching changes
The cache mechanism has changed from Infinispan to Redis. The Security Proxy no longer uses JGroups for cache replication in a clustered environment.
Adapt Environment variables
Remove the following environment variables:
- HOST_IP
- HOSTNAME
- JGROUPS_REPLICATION_PORT
- JGROUPS_FAILURE_DETECTION_PORT
Add the following environment variable:
Install Redis
In order to run the Security Proxy you must have Redis configured and running. See the Redis configuration chapter for more info.
Proxy changes
We have added more generic proxy support to the Security Proxy and thus we have replaced several environment variables in this release.
SSL configuration
Old property name | New property name |
---|---|
SECURITY_PROXY_SSL_CERTIFICATE | SECURITY_PROXY_SSL_CERTIFICATE_DEFAULT |
SECURITY_PROXY_SSL_CERTIFICATE_KEY | SECURITY_PROXY_SSL_KEY_DEFAULT |
Admin & Client backends
The client and admin backends are now being handled by the transparent proxy functionality of the Security Proxy.
Old property name | New property name |
---|---|
SECURITY_PROXY_BACK_END_TOKEN_SERVER_ADMIN_HOSTS | SECURITY_PROXY_BACK_END_TRANSPARENT_PROXIES_ADMIN_HOSTS |
SECURITY_PROXY_BACK_END_TOKEN_SERVER_ADMIN_ALLOW | SECURITY_PROXY_BACK_END_TRANSPARENT_PROXIES_ADMIN_ALLOW |
SECURITY_PROXY_BACK_END_TOKEN_SERVER_ADMIN_CONTEXT_ROOT | SECURITY_PROXY_BACK_END_TRANSPARENT_PROXIES_ADMIN_CONTEXT_ROOT |
SECURITY_PROXY_BACK_END_TOKEN_SERVER_ADMIN_PROXY_SCHEME | SECURITY_PROXY_BACK_END_TRANSPARENT_PROXIES_ADMIN_PROXY_SCHEME |
NOTE: If the CONTEXT_ROOT and PROXY_SCHEME are not defined, you will need to add them as they are required for transparent proxies.
The CONTEXT_ROOT should be set to /admin and the PROXY_SCHEME to http.
NOTE: For the client backend you can copy the ADMIN environment variables and change ADMIN to CLIENT and set /admin to /client in the CONTEXT_ROOT.
CIM & UMA backends
The CIM and UMA backends are now being handled by the transparent proxy functionality of the Security Proxy.
Old property name | New property name |
---|---|
SECURITY_PROXY_PROXY_CIM_BACKEND_HOSTS | SECURITY_PROXY_BACK_END_TRANSPARENT_PROXIES_CIM_HOSTS |
SECURITY_PROXY_PROXY_CIM_ALLOW | SECURITY_PROXY_BACK_END_TRANSPARENT_PROXIES_CIM_ALLOW |
SECURITY_PROXY_PROXY_CIM_PROXY_SCHEME | SECURITY_PROXY_BACK_END_TRANSPARENT_PROXIES_CIM_PROXY_SCHEME |
SECURITY_PROXY_PROXY_CIM_SERVER_NAME | SECURITY_PROXY_BACK_END_TRANSPARENT_PROXIES_CIM_SERVER_NAME |
SECURITY_PROXY_PROXY_CIM_SSL_CERTIFICATE | SECURITY_PROXY_SSL_CERTIFICATE_CIM |
SECURITY_PROXY_PROXY_CIM_SSL_PRIVATE_KEY | SECURITY_PROXY_SSL_KEY_CIM |
NOTE: If the PROXY_SCHEME was not defined, you will need to add it as it is required for transparent proxies.
NOTE: For the UMA backend you can copy the CIM environment variables and change CIM to UMA in the environment variables.
Named routing
The named routing functionality for resource gateways is no longer being enabled/disabled by setting the SECURITY_PROXY_SERVER_NAME_ROUTING.
Instead named routing for a resource gateway can be enabled by setting the SECURITY_PROXY_BACK_END_RESOURCE_GATEWAYS_<RGID>_SERVER_NAME to the domain you want this resource gateway to listen on. This functionality can be enabled/disabled per resource gateway (or transparent proxy).
The SECURITY_PROXY_SERVER_NAME_ROUTING can be removed.
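One way to apply the renames, removals and admin defaults listed on this page to an existing 3.x environment, as an added example that is not part of the Security Proxy's own tooling. The `migrate` function and the sample values are hypothetical; the variable names come from the tables above. It covers only the ADMIN and CIM names the tables list, and reports a missing CIM PROXY_SCHEME instead of guessing a value.

```python
P, TP = "SECURITY_PROXY_", "BACK_END_TRANSPARENT_PROXIES_"
# Old -> new names copied from the rename tables on this page (prefix P added below).
RENAMES = {P + old: P + new for old, new in [
    ("SSL_CERTIFICATE", "SSL_CERTIFICATE_DEFAULT"),
    ("SSL_CERTIFICATE_KEY", "SSL_KEY_DEFAULT"),
    ("BACK_END_TOKEN_SERVER_ADMIN_HOSTS", TP + "ADMIN_HOSTS"),
    ("BACK_END_TOKEN_SERVER_ADMIN_ALLOW", TP + "ADMIN_ALLOW"),
    ("BACK_END_TOKEN_SERVER_ADMIN_CONTEXT_ROOT", TP + "ADMIN_CONTEXT_ROOT"),
    ("BACK_END_TOKEN_SERVER_ADMIN_PROXY_SCHEME", TP + "ADMIN_PROXY_SCHEME"),
    ("PROXY_CIM_BACKEND_HOSTS", TP + "CIM_HOSTS"),
    ("PROXY_CIM_ALLOW", TP + "CIM_ALLOW"),
    ("PROXY_CIM_PROXY_SCHEME", TP + "CIM_PROXY_SCHEME"),
    ("PROXY_CIM_SERVER_NAME", TP + "CIM_SERVER_NAME"),
    ("PROXY_CIM_SSL_CERTIFICATE", "SSL_CERTIFICATE_CIM"),
    ("PROXY_CIM_SSL_PRIVATE_KEY", "SSL_KEY_CIM"),
]}
REMOVED = {"HOST_IP", "HOSTNAME", "JGROUPS_REPLICATION_PORT",
           "JGROUPS_FAILURE_DETECTION_PORT", P + "SERVER_NAME_ROUTING"}
# Values the page prescribes when the admin backend does not define them.
ADMIN_DEFAULTS = {P + TP + "ADMIN_CONTEXT_ROOT": "/admin",
                  P + TP + "ADMIN_PROXY_SCHEME": "http"}

def migrate(env):
    """Return (new_env, notes); notes never echo values taken from env."""
    new, notes = {}, []
    for key, value in env.items():
        if key in REMOVED:
            notes.append(f"removed {key}")
            continue
        target = RENAMES.get(key, key)
        if target != key:
            notes.append(f"renamed {key} -> {target}")
        new[target] = value
    if P + TP + "ADMIN_HOSTS" in new:
        for key, default in ADMIN_DEFAULTS.items():
            if key not in new:
                new[key] = default
                notes.append(f"added {key}={default}")
    if P + TP + "CIM_HOSTS" in new and P + TP + "CIM_PROXY_SCHEME" not in new:
        notes.append(f"MISSING {P}{TP}CIM_PROXY_SCHEME: set it manually")
    return new, notes

if __name__ == "__main__":
    sample = {  # constructed 3.x environment, not from a real deployment
        "HOST_IP": "10.0.0.5",
        P + "SSL_CERTIFICATE": "/etc/ssl/proxy.crt",
        P + "BACK_END_TOKEN_SERVER_ADMIN_HOSTS": "admin.internal:8080",
    }
    print("\n".join(migrate(sample)[1]))
```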