Jared Barneck's Blog

Hey all,


I am currently upgrading a customer who uses the Management Gateway.  I am not talking about applying a Service Pack (it is my pet peeve when applying a service pack is called an upgrade, because I call that patching; an upgrade, to me, means changing major versions).  This customer is upgrading from 8.7 SP5 to 8.8 SP3.


Here is the main problem that I have just solved.  Well, not just: I have had this idea for a while, and this is the first time I am actually implementing it.


All the clients have already created Management Gateway certificates and sent them to the 8.7 Core Server.  We are upgrading using the following process.


1. New hardware for the Core.


2. Back up the database and restore it as a different instance.


   So this is a "New Core, Upgraded Database" type of install.


3. Install the Core, pointing it to the new DB instance.


4. Get that Core Server ready.


5. Upgrade the agents.


Here is where the problem comes in.  Upgrading the agent deletes the client's certificate.  While there are ways to force the client to create a new certificate, there is no reason to do so, because the client already has a working certificate.


For a client to connect to a Core Server through the Gateway, the following must all be true:

#1. The Core must have its certificate posted to the Gateway, with the rest of the Gateway configuration done.

#2. The client must create its certificate and send it to the Core Server, using the credentials of a user in the ManagementSuite group.

#3. The Core must have the client's certificate info in the BrokerCert table in the database, and that certificate must not be repudiated.


#1 is not really a problem.  It is easy to configure: we just configure the new Core Server to use the Gateway and post the new Core's certificate to the Gateway.


#2 is the big problem.


#3 doesn't require any work.  It is fine because we upgraded the database, so the BrokerCert table came across with it.


     Note: If you didn't upgrade your database and want to do this, see LANDESK community document 2812.


It doesn't matter whether #1 and #3 work if #2 doesn't.  If the agent install deletes the certificates on the client, you have to create a new certificate, which repudiates the old one.  That is wasted work for nodes that already have certificates.


So here is what I am doing, and I finally just got it working in my lab.


I am pushing the new Core's agent using the old Core Server and here is my process:


  1. Create a batch file that does the following:
    1. Copies the "%ProgramFiles%\LANDesk\Shared Files\cbaroot\broker" folder and its contents to %windir%\temp\broker.
    2. Installs the new agent. I am using the Advance Agent because I am pushing with the old agent.  The Advance Agent installs, the task completes, and the local agent processes are no longer in use by the time the Advance Agent downloads and runs the self-contained agent.  YES, the Advance Agent works through the Gateway on a client that is already configured to use the Gateway.

      Here is my batch file:

      REM Backs up the Gateway certs, then
      REM runs the Advance Agent MSI
      xcopy "%programfiles%\landesk\shared files\cbaroot\broker" "%windir%\temp\broker"  /Y /I /S
      REM Do not run the install if the backup failed: the install wipes the only copy
      IF ERRORLEVEL 1 Exit /B 1
      MSIEXEC /I "Default Windows Configuration.msi"
      REM 3010 means the install succeeded but wants a reboot; report it as success
      IF "%ERRORLEVEL%"=="3010" Exit /B 0

      Now, the batch file is not going to be around to restore the files from the temp directory, so I am doing the restore in the agent configuration.
  2. On the new Core Server, edit the agent (either edit that one agent, or edit all agents by editing NTSTACFG.IN# or by using the Mergeini.exe process).
    1. Find the [Policy Management Post Copy] section.
    2. Add the following line to the INI:

      EXEC1002=cmd /c xcopy "%windir%\temp\broker" "%programfiles%\landesk\shared files\cbaroot\broker"  /Y /I /S

      It was the "cmd /c" part that finally got it working; the environment variables were not expanded without it.

      Note: If you want to use Mergeini, create the following INI file:

      [Policy Management Post Copy]
      EXEC1002=cmd /c xcopy "%windir%\temp\broker" "%programfiles%\landesk\shared files\cbaroot\broker"  /Y /I /S

      Read LANDESK community document 1566 if you want to configure Mergeini.

  3. Once you have made the advanced changes to the agent on the new Core Server, save the agent and make sure it is updated.
  4. Still on the new Core Server, create an Advance Agent of the agent you just modified.
  5. Now, back on the old Core Server, copy the new Core Server's Advance Agent MSI and the batch file into an HTTP share on the old Core Server.
  6. Still on the old Core Server, create a Batch File Distribution Package with the batch file as the primary file and the Advance Agent MSI as an additional file.
  7. Push the batch file out as a policy.
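The same backup, install and restore steps as one PowerShell script, added here as an example; it is not part of the original post or of LANDesk's tooling.  It assumes the paths from the post, that the Advance Agent MSI sits beside the script, that a quiet install (/qn) is acceptable, and that the script name Preserve-BrokerCerts.ps1 is what the Post Copy line calls.  What it adds over the batch file is a SHA-256 manifest written at backup time, so the restore step can prove the client is back on the certificate it had before the upgrade instead of assuming the xcopy worked, and it refuses to run the installer at all if the backup failed.

```powershell
# Added example, not from the original post: backup -> install -> restore of the
# LANDesk Gateway broker certificate folder, with hash verification of the restore.
param([ValidateSet('Upgrade', 'Restore')][string]$Phase = 'Upgrade')

$Broker     = Join-Path $env:ProgramFiles 'LANDesk\Shared Files\cbaroot\broker'
$Backup     = Join-Path $env:windir 'temp\broker'
$Manifest   = Join-Path $env:windir 'temp\broker.sha256'
$ScriptPath = $MyInvocation.MyCommand.Path
$Msi        = Join-Path (Split-Path -Parent $ScriptPath) 'Default Windows Configuration.msi'  # assumed location

function Get-Sha256Hex([string]$Path) {
    # SHA-256 via .NET directly so this also runs on PowerShell 2.0 era clients
    # (Get-FileHash needs 4.0).
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try { $bytes = $sha.ComputeHash($fs) } finally { $fs.Close() }
    ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''
}

function Backup-BrokerCerts {
    if (-not (Test-Path $Broker)) {
        throw "No broker folder at $Broker; refusing to upgrade a client with nothing to preserve"
    }
    New-Item -ItemType Directory -Path $Backup -Force | Out-Null
    Copy-Item -Path (Join-Path $Broker '*') -Destination $Backup -Recurse -Force
    # Manifest: one "<sha256><TAB><relative path>" per file, so Restore can verify, not trust.
    Get-ChildItem -Path $Broker -Recurse | Where-Object { -not $_.PSIsContainer } | ForEach-Object {
        "{0}`t{1}" -f (Get-Sha256Hex $_.FullName), $_.FullName.Substring($Broker.Length + 1)
    } | Set-Content -Path $Manifest
    # The Post Copy step runs after this script is gone, so leave a copy where it can find it.
    Copy-Item -Path $ScriptPath -Destination (Join-Path $env:windir 'temp') -Force
}

function Install-AdvanceAgent {
    # /qn is an assumption (quiet install); the post's batch file runs the MSI without it.
    $p = Start-Process -FilePath 'msiexec.exe' -ArgumentList @('/i', "`"$Msi`"", '/qn') -Wait -PassThru
    # 0 = success, 3010 = success with a reboot pending; anything else aborts the task.
    if ($p.ExitCode -ne 0 -and $p.ExitCode -ne 3010) {
        throw "msiexec returned $($p.ExitCode); the self-contained agent will not be pulled"
    }
    $p.ExitCode
}

function Restore-BrokerCerts {
    # Runs from [Policy Management Post Copy], i.e. after the self-contained agent
    # has already wiped the live broker folder.
    if (-not (Test-Path $Manifest)) { throw "No manifest at $Manifest; was the Upgrade phase run on this client?" }
    New-Item -ItemType Directory -Path $Broker -Force | Out-Null
    Copy-Item -Path (Join-Path $Backup '*') -Destination $Broker -Recurse -Force
    $problems = @()
    foreach ($line in Get-Content $Manifest) {
        $expected, $rel = $line -split "`t", 2
        $target = Join-Path $Broker $rel
        if (-not (Test-Path $target))              { $problems += "missing: $rel"; continue }
        if ((Get-Sha256Hex $target) -ne $expected) { $problems += "changed: $rel" }
    }
    if ($problems.Count -gt 0) { throw ("Broker cert restore FAILED:`n" + ($problems -join "`n")) }
    # Verified: the client is back on the certificate it had before the upgrade, so nothing
    # has to be re-sent to the Core or re-approved in BrokerCert.  Don't leave a second copy
    # of the certificate files sitting in %windir%\temp.
    Remove-Item -Path $Backup, $Manifest -Recurse -Force
    Write-Output "Restored and verified broker certificate files; backup copy removed"
}

switch ($Phase) {
    'Upgrade' { Backup-BrokerCerts; Install-AdvanceAgent }
    'Restore' { Restore-BrokerCerts }
}
```

The distribution package then runs `powershell.exe -ExecutionPolicy Bypass -File Preserve-BrokerCerts.ps1 -Phase Upgrade` in place of the batch file, and the Post Copy line becomes `EXEC1002=powershell.exe -ExecutionPolicy Bypass -File "%windir%\temp\Preserve-BrokerCerts.ps1" -Phase Restore`.  A failed restore throws rather than silently leaving the client without a certificate; whether the agent installer surfaces a non-zero exit code from an EXEC line is something to confirm on a lab client before pushing this to a customer.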


What happens: the client runs the task, the batch file copies the certs out, and the agent MSI installs.  It pulls down the self-contained agent and runs it.  The certs in the regular broker directory are deleted in this process, but that is OK, because they are backed up.  Near the end of the agent installation the certs are restored.  The agent install finishes and the client is now working.  Once you have confirmed the restore worked, delete the copy in %windir%\temp\broker; there is no reason to leave a second copy of the client's Gateway certificate files lying around.


No new certificate was created on the agents, existing agents continued to work and continued to use the same cert they had before.


The ConfigureBroker.exe and .lng files were not necessary for the "reinstall".


Wow, now that this is working, it is time to move to something else.
