Upgrading the Proxy

As a system administrator, you upgrade the Proxy Client and Server. These upgrade instructions apply to Windows and UNIX.

Before upgrading make sure you check for possible incompatibilities. For more information, see Checking for Incompatibilities. To check other compatibility issues, see Compatibility Information or access the compatibility matrix directly.

This page includes the following:

Upgrading the Proxy Client to TLS/SSL

As of version 21, the communication between the Proxy Client and the Java communication process (JCP) uses TLS/SSL server authentication - an industry standard - through a secure WebSocket (WSS). The JCP uses trusted certificates to prove their identity to other communication partners.

Therefore, you have to decide which kind of certificates you are going to use to secure the communication in your system. This decision must be considered carefully, as it determines not only how secure the connections are but also the time and effort you have to invest in renewing and deploying the certificates.

For more information, see TLS/SSL Considerations for Automic Automation .

Make sure that you define the properties that are required to connect to the Java communication process (JCP) and to handle the relevant certificates in the respective INI file.

To do so, make sure that you define the value for the JCP connection using the connection= parameter in the TCP/IP section of the INI file. The default value is jcphost:8443.

To start after the upgrade, the TLS/SSL Agent also requires the JCP certificate (jcp.cer) to connect to the Automation Engine.

When you used certificates signed by a CA, the certificates are stored in the respective Java or OS store by default; that is the Java trust store for Java components and Java Agents, the Windows OS store for Windows Agents, or the TLS/SSL store for UNIX Agents. In this case, you only have to check that the root certificates already are in the respective store.

If the relevant certificates are not there and you want to import them, you can use OS or Java specific tools for that purpose, such as Keytool, cert-manager, OpenSSL and such. For more information on how to use those tools, please refer to the respective product documentation.

If you do not want to use the default locations for the components and Agents listed above, make sure you use the trustedCertFolder=, agentSecurityFolder=, and keyPassword= parameters (if applicable) in the respective configuration (INI) file to define the path to the folder where the trusted certificates are stored.

To start after the upgrade, the Proxy Client also requires the JCP certificate (jcp.cer) to connect to the Automation Engine. Make sure the certificate is available in the folder defined in the trustedCertFolder = parameter. For more information, see Proxy Client INI file

Converting the Keystore to PKCS#12

As of this version, the communication between the Proxy Client and Server require TLS/SSL encryption and authentication in pkcs12 format.

If your previous version of the Proxy uses jks format you can use the following command to convert the .jks keystore to pkcs12.

keytool -importkeystore
        -srckeystore KEYSTORE.jks
        -destkeystore KEYSTORE.p12
        -srcstoretype JKS
        -deststoretype PKCS12
        -srcstorepass mysecret
        -deststorepass mysecret
        -srcalias myalias
        -destalias jetty
        -srckeypass mykeypass
        -destkeypass mykeypass
        -noprompt

Upgrading the Proxy Client and Server

The upgrade process does not differ from a new installation. For detailed information on how to install the Proxy, see Installing the Proxy.

See also:

About Proxy