-
Notifications
You must be signed in to change notification settings - Fork 0
Upgrading 1.0 to 1.1
The 1.1 version of MITREid Connect contains several changes from the 1.0 version series that will require a manual upgrade process.
The project now contains four modules instead of three. The openid-connect-server
module now produces a .jar
file, and the new openid-connect-server-webapp
module produces the .war
file that was previously produces by the openid-connect-server
module. All overlays must be updated to point to this new module.
The underlying data model has changed between 1.0 and 1.1, and updates to the database are required. Two methods are available for managing this update with different tradeoffs.
Existing data
Due to an upstream library change, existing authorizations are incompatible between 1.0 and 1.1 and must be revoked before upgrade. Otherwise, all authorization grants, clients, whitelists, blacklists, and scopes may remain in place following the instructions above.
The database update method can be used to update a persistent database store in place. To do so, run the database upgrade script found in openid-connect-server-webapp/src/main/resources/db/upgrade. Upgrade scripts are included for both MySQL and HSQL databases. These are designed to be run in-place on the database in question.
The recommended process is as follows:
- Shut down the version 1.0 server
- Connect to the MySQL or HSQL database as a user with appropriate rights
- Run the appropriate upgrade script
- Deploy the version 1.1 server
As of version 1.0.17 and 1.1.10, there is an admin-accessible API that can export data from a running system and import data from a saved export. The 1.0 server can import and export data from other 1.0 servers, and the 1.1 server can import and export data from both 1.0 and 1.1 servers. This process is meant to be run on a clean server installation, and it does not involve loss of any database information.
To access this API, log in as an administrator and send a GET
request to /api/data
to return the JSON object representing the server's current state. NOTE WELL: this export includes information including tokens, authentication objects, client secrets, and other sensitive security information. Therefore, the data export must be protected.
To re-import this data, log in as an administrator on a newly-installed server and send a POST
request to /api/data
with a content type of application/json
and the fully-formed JSON document exported from the API. This import MUST be done on an empty database with full schema or else you risk newly imported objects conflicting with existing objects.
The recommended process is as follows:
- Log into the 1.0 server as an administrator
- Export the server state by performing a
GET
request on/api/data
, save as a JSON file - Shut down the 1.0 server
- Connect to the MySQL or HSQL database as a user with appropriate rights
- Clear the database, remove all tables related to OIDC
- Initialize the database with the empty schema
- Deploy the version 1.1 server
- Log into the 1.1 server as an administrator
- Import the server state from the saved JSON file by performing a
POST
request with the data
Copyright ©2015 The MITRE Corporation and the MIT Kerberos and Internet Trust Consortium. Software is available under the Apache 2.0 license. Documentation available under the Creative Commons 3.0 By-NC license.