Upgrade instructions version 3.x to 4.0.0

Replace etcd with Consul

Etcd support has been dropped in this version of the Security Proxy. Instead of etcd, the Security Proxy now depends on Consul.

See the requirements chapter for instructions on installing Consul.

Caching changes

The cache mechanism has changed from Infinispan to Redis. The Security Proxy no longer uses JGroups for cache replication in a clustered environment.

Adapt Environment variables

Remove the following environment variables:

  • HOST_IP
  • HOSTNAME
  • JGROUPS_REPLICATION_PORT
  • JGROUPS_FAILURE_DETECTION_PORT

Add the following environment variable:

Install Redis

In order to run the Security Proxy you must have Redis configured and running. See the Redis configuration chapter for more info.

Proxy changes

We have added more generic proxy support to the Security Proxy and thus we have replaced several environment variables in this release.

SSL configuration

Old property name                   New property name
SECURITY_PROXY_SSL_CERTIFICATE      SECURITY_PROXY_SSL_CERTIFICATE_DEFAULT
SECURITY_PROXY_SSL_CERTIFICATE_KEY  SECURITY_PROXY_SSL_KEY_DEFAULT

Admin & Client backends

The client and admin backends are now handled by the transparent proxy functionality of the Security Proxy.

Old property name                                        New property name
SECURITY_PROXY_BACK_END_TOKEN_SERVER_ADMIN_HOSTS         SECURITY_PROXY_BACK_END_TRANSPARENT_PROXIES_ADMIN_HOSTS
SECURITY_PROXY_BACK_END_TOKEN_SERVER_ADMIN_ALLOW         SECURITY_PROXY_BACK_END_TRANSPARENT_PROXIES_ADMIN_ALLOW
SECURITY_PROXY_BACK_END_TOKEN_SERVER_ADMIN_CONTEXT_ROOT  SECURITY_PROXY_BACK_END_TRANSPARENT_PROXIES_ADMIN_CONTEXT_ROOT
SECURITY_PROXY_BACK_END_TOKEN_SERVER_ADMIN_PROXY_SCHEME  SECURITY_PROXY_BACK_END_TRANSPARENT_PROXIES_ADMIN_PROXY_SCHEME

NOTE: If the CONTEXT_ROOT and PROXY_SCHEME are not defined, you will need to add them as they are required for transparent proxies. The CONTEXT_ROOT should be set to /admin and the PROXY_SCHEME to http.

NOTE: For the client backend you can copy the ADMIN environment variables and change ADMIN to CLIENT and set /admin to /client in the CONTEXT_ROOT.

CIM & UMA backends

The CIM and UMA backends are now handled by the transparent proxy functionality of the Security Proxy.

Old property name                         New property name
SECURITY_PROXY_PROXY_CIM_BACKEND_HOSTS    SECURITY_PROXY_BACK_END_TRANSPARENT_PROXIES_CIM_HOSTS
SECURITY_PROXY_PROXY_CIM_ALLOW            SECURITY_PROXY_BACK_END_TRANSPARENT_PROXIES_CIM_ALLOW
SECURITY_PROXY_PROXY_CIM_PROXY_SCHEME     SECURITY_PROXY_BACK_END_TRANSPARENT_PROXIES_CIM_PROXY_SCHEME
SECURITY_PROXY_PROXY_CIM_SERVER_NAME      SECURITY_PROXY_BACK_END_TRANSPARENT_PROXIES_CIM_SERVER_NAME
SECURITY_PROXY_PROXY_CIM_SSL_CERTIFICATE  SECURITY_PROXY_SSL_CERTIFICATE_CIM
SECURITY_PROXY_PROXY_CIM_SSL_PRIVATE_KEY  SECURITY_PROXY_SSL_KEY_CIM

NOTE: If the PROXY_SCHEME was not defined, you will need to add it as it is required for transparent proxies.

NOTE: For the UMA backend you can copy the CIM environment variables and change CIM to UMA in the environment variables.

Named routing

Named routing for resource gateways is no longer enabled or disabled through SECURITY_PROXY_SERVER_NAME_ROUTING. Instead, named routing for a resource gateway is enabled by setting SECURITY_PROXY_BACK_END_RESOURCE_GATEWAYS_<RGID>_SERVER_NAME to the domain you want this resource gateway to listen on. This functionality can be enabled or disabled per resource gateway (or transparent proxy).

The SECURITY_PROXY_SERVER_NAME_ROUTING variable can be removed.
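
The removals and renames listed on this page, applied to a 3.x environment given as KEY=VALUE lines. This is an added example, not part of the product or its documentation. It covers only the rows in the tables above (the CLIENT and UMA variants from the NOTEs are left out), and the helper names and sample values are made up for illustration.

```python
TP = "SECURITY_PROXY_BACK_END_TRANSPARENT_PROXIES_"
OLD_ADMIN = "SECURITY_PROXY_BACK_END_TOKEN_SERVER_ADMIN_"
OLD_CIM = "SECURITY_PROXY_PROXY_CIM_"
# Old name -> new name, as listed in the tables on this page.
RENAMES = {
    "SECURITY_PROXY_SSL_CERTIFICATE": "SECURITY_PROXY_SSL_CERTIFICATE_DEFAULT",
    "SECURITY_PROXY_SSL_CERTIFICATE_KEY": "SECURITY_PROXY_SSL_KEY_DEFAULT",
    OLD_CIM + "BACKEND_HOSTS": TP + "CIM_HOSTS",
    OLD_CIM + "SSL_CERTIFICATE": "SECURITY_PROXY_SSL_CERTIFICATE_CIM",
    OLD_CIM + "SSL_PRIVATE_KEY": "SECURITY_PROXY_SSL_KEY_CIM",
}
RENAMES.update({OLD_ADMIN + s: TP + "ADMIN_" + s
                for s in ("HOSTS", "ALLOW", "CONTEXT_ROOT", "PROXY_SCHEME")})
RENAMES.update({OLD_CIM + s: TP + "CIM_" + s
                for s in ("ALLOW", "PROXY_SCHEME", "SERVER_NAME")})
REMOVED = {"HOST_IP", "HOSTNAME", "JGROUPS_REPLICATION_PORT",
           "JGROUPS_FAILURE_DETECTION_PORT", "SECURITY_PROXY_SERVER_NAME_ROUTING"}
# Values the page's NOTE gives for the admin transparent proxy.
ADMIN_REQUIRED = {TP + "ADMIN_CONTEXT_ROOT": "/admin", TP + "ADMIN_PROXY_SCHEME": "http"}
# Constructed sample 3.x environment; host names and paths are made up.
SAMPLE = ["HOST_IP=10.0.0.5", "SECURITY_PROXY_SSL_CERTIFICATE=/etc/ssl/proxy.crt",
          "SECURITY_PROXY_BACK_END_TOKEN_SERVER_ADMIN_HOSTS=admin.internal:8080",
          "SECURITY_PROXY_PROXY_CIM_BACKEND_HOSTS=cim.internal:8080"]


def migrate(lines):
    """Return (new_env, notes) for an iterable of KEY=VALUE lines."""
    old = dict(l.strip().split("=", 1) for l in lines
               if "=" in l and not l.lstrip().startswith("#"))
    new, notes = {}, []
    for key, value in old.items():
        if key in REMOVED:
            notes.append(f"removed {key}")
        elif key in RENAMES and RENAMES[key] in old:
            # The 4.0.0 name is already set: keep it and drop the old one.
            notes.append(f"dropped {key}: {RENAMES[key]} is already set")
        elif key in RENAMES:
            new[RENAMES[key]] = value
            notes.append(f"renamed {key} -> {RENAMES[key]}")
        else:
            new[key] = value
    if any(k.startswith(TP + "ADMIN_") for k in new):
        for key in sorted(ADMIN_REQUIRED.keys() - new.keys()):
            new[key] = ADMIN_REQUIRED[key]
            notes.append(f"added {key}={ADMIN_REQUIRED[key]}")
    if any(k.startswith(TP + "CIM_") for k in new) and TP + "CIM_PROXY_SCHEME" not in new:
        notes.append(f"set {TP}CIM_PROXY_SCHEME by hand: required, value not on the page")
    return new, notes
```

Call migrate(SAMPLE) and review the returned notes before deploying, in particular that every SSL certificate, SSL key and ALLOW variable from the old environment appears under its new name.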