Checking for Incompatibilities between Version 12.3 and 21.0
As a system administrator, you need to check incompatibilities between consecutive versions before upgrading your system.
The tables below list new features that might lead to compatibility issues or should be taken care of when upgrading; they do not list all new features of this AE version. New features are described in full in the Release Highlights and Release Notes.
More information:
To provide a better overview, the tables are categorized by the severity of the issue. There are three different categories:
- Critical: Issues that must be addressed, otherwise the system will not work
- Behavior change: Functionality changes in existing features that might have an impact on your system
- Advisory: Different issues you should be aware of but might not have an impact on your system
The columns display the following information:
- Topic: Name of the general topic or new feature
- Changed behavior: What has been changed
- Possible incompatibilities: Impact the change may have
- Actions/Countermeasures: What can be done to identify and/or remove possible incompatibilities
This page includes the following:
Compatibility Issues
Important! Do not upgrade the AWI instance you are using for the Zero Downtime Upgrade. Make sure you upgrade a separate instance.
Until version 12.3, the Java communication process (JCP) was used partly to provide a REST endpoint for the Automation Engine. The new REST process covers this functionality now while the new Java communication process (JCP) functions as a communication process (CP) for components that use TLS/SSL and WebSockets.
As the AWI instances in versions higher than 12.3 connect to the new JCP, do not upgrade AWI and immediately try to continue the Zero Downtime Upgrade in the AWI target version. Remember that the new JCP is only available after the connections have been switched in step four of the wizard and the primary work process (PWP) in the target version is running. For more information, see Zero Downtime Upgrade.
Automic Automation
Critical
|
Topic |
Changed Behavior |
Possible Incompatibilities |
Actions/Countermeasures |
|---|---|---|---|
|
DB Service Agent with TLS/SSL |
The DB Service Agent uses its own INI file. It has the same structure as the INI file of the SQL Agent, including the configuration for TLS/SSL. The server INI file is no longer supported. | INI files must be adjusted. | Once implemented in CAU, a new default INI file can be created for the DB Service. You have to copy the old configuration into the new INI file. |
| Agents, Java API, AWI and Proxy with TLS/SSL |
Components that use WebSockets and TLS/SSL - that is, the Java-based Agents, Windows and UNIX Agents, the Java API, AWI and the Proxy - can only connect to the AE if there is a trusted certificate installed on the host where they are running. Note: Remember that the Java API version must match the Automation Engine version. |
It is not possible to disable TLS/SSL; therefore, the certificates must be available. | The certificates must be installed/deployed before connecting the mentioned components. |
| IBM Websphere for JMX Agent / Webservice with TLS/SSL | The Jetty libraries used for the TLS/SSL implementation of the Java-based Agents do not work with IBM Java, which is used by IBM Websphere. | IBM Websphere for JMX Agent and Webservice is no longer supported. | Use alternative solutions. |
| UNIX Agent for HP-UX discontinued as of version 21 | There is no version 21.0.0 of the HP-UX Agent. | There is no version 21.0.0 of the HP-UX Agent. | It is still possible to use older versions of the Agent with AE v21.0.0. |
| UNIX Agent for 32 bit ZLINUX discontinued as of version 21. | There is no version 21.0.0 of the 32 bit ZLINUX Agent. | There is no version 21.0.0 of the 32 bit ZLINUX Agent. | It is still possible to use older versions of the Agent with AE v21.0.0. |
| New C++ runtime libraries required for AE/ServiceManager on AIX 64bits | The AIX binaries are compiled with a new C++ runtime version: IBM XL C++ Runtime, V16.1 | If the new libraries (libc++, xlC.aix61, xlC) are not installed/updated, AIX does not work. |
Make sure that you have installed the IBM XL C++ Runtime, V16.1 system libraries (libc++, xlC.aix61, xlC). For detailed information on how to install the package, please refer to the official IBM C and C++ compilers documentation. |
| Proxy Client INI file parameters |
The [SSL] section including the keyStore and keyStorePwd parameters as well as the cpSelection and cpName parameters in the [GLOBAL] section of the INI file of the Proxy have been removed. Also, since the Proxy now connects to the JCP, the JCP selection is defined in the [JCPLIST] section of the INI file and not the [CP_LIST], which has also been removed. For more information, see Connecting to a Communication Process. |
If these parameters are not adapted to the requirements of version 21 the Proxy does not work. | Make sure that you configure the INI file of the Proxy Client accordingly, see Installing the Proxy and Upgrading the Proxy. |
| Proxy Server TLS/SSL certificate keystore in pkcs12 format | The TLS/SSL keystore for the certificate for the Proxy Server must be created in pkcs12 format and not jks. | If you keep using the previous keystore in jks format, the communication between Proxy Server and Client does not work. | You can convert your existing jks keystore to pkcs12, see Converting the Keystore to PKCS#12. |
Behavior Change
|
Topic |
Changed Behavior |
Possible Incompatibilities |
Actions/Countermeasures |
|---|---|---|---|
| JMX Agent / Webservice SAP Netweaver with TLS/SSL | To work with TLS/SSL, the JMX Agent and Webservice require a workaround for some SAP Netweaver versions. | The TLS/SSL implementation requires workarounds for some versions. |
|
|
LDAP service must be available for the login. Also, to use the Synchronize button in the User object for manual synchronization, a Login object must be assigned. |
In previous versions, the last valid LDAP password was saved in the AE DB to enable a login even if the service was not available at the time. The user passwords saved were also used for the synchronization available in the User object. This previous behavior is seen as a security issue and is therefore no longer supported. |
If the LDAP service is not available, the access is denied. The Synchronize button in the User object no longer works without a SYNC_LOGIN object defined and assigned in variable UC_LDAP_XXXX |
Make sure that the LDAP service is available when the LDAP connection is used in the User settings. To use the Synchronize button, make sure you specify a Login object with LDAP credentials and assign it using the SYNC_LOGIN key of the UC_LDAP_XXX variable. For more information, see UC_LDAP_EXAMPLE - LDAP Connection Variable. |
| JWP roles and periodic tasks during ZDU |
JWPs can have explicit roles and the periodic tasks (performance management, telemetry) should only be performed by one JWP. During ZDU, there is a switch from the old to the new JWP. This could lead to two JWPs performing periodic tasks, which may cause some issues. |
ZDU is not possible from versions prior to the following:
|
For versions 12.1 to 12.3, use the latest service pack before carrying out a ZDU. |
| Separation of privileges for UNIX Agents | The UNIX Agents no longer has a separation of privileges. Only one process is responsible for all Agent functions. | Only if this functionality is a requirement in your company. | Do not upgrade the UNIX Agent to version 21.0 if separation of privileges is mandatory in your company. |
| docu= parameter in [REST] section of AE INI file | The default value of the docu= parameter in the [REST] section of the AE INI file has been changed to 1 (enabled). This means that the endpoint to request the REST API documentation is enabled by default. | No incompatibilities, but the endpoint is enabled. | If the endpoint was disabled in the previous version and you want to keep it that way, change the value to 0 (disabled). |
| RA Agents have to be updated when upgrading AE from 12.3 to 21.0 | The RA core framework was updated in version 21 affecting also the display of the updated AWI panels. | While Agents, Objects and Executions are not affected and work as usual, the RA panels are not displayed in AWI version 21.0. |
Upgrade the RA Agents to their latest version:
|
Advisory
|
Topic |
Changed Behavior |
Possible Incompatibilities |
Actions/Countermeasures |
|---|---|---|---|
|
General DB change Note: Information and the checking instructions apply to all versions, between your existing installation and the latest you want to upgrade to, respectively. |
The DB scheme/structure has been changed. | Custom SQL queries on AE DB do not work anymore. |
|
|
Check JxP availability This change relates to higher reliability of an AE system and transparency about system availability. |
The system internally checks if the minimum number of java-based processes (JCP, JWP, REST, JWP) required to log into the system or to perform operations in AWI is available. |
If the minimum number of java-based processes required is not available when logging into the system, the login is refused and a notification is displayed. If they are not available during AWI operations, the user gets a notification. To log off, stop further user activities and inform your administrator. |
No action is required. |
| JWP role for Lucene Indexing |
Lucene indexing is done by the JWP with the role IDX. The search still goes through the JCP in v.12.3. Note: In version 12.3, the JCP was used partly to provide a REST endpoint for the Automation Engine. |
If there were any index monitoring actions directly related to the JCP in v.12.3, these need to be adjusted accordingly. | Make sure you have adjusted any index monitoring actions so that they are managed by the JWP. |
| TLS Gateway supports non-TLS/SSL Agents and a seamless upgrade process to the new TLS/SSL versions. | The TLS Gateway is a new component which provides connectivity for non-TLS/SSL Agents. It enables file transfers between (new) TLS/SSL Agents and (legacy) non-TLS/SSL Agents. It also supports the Agent upgrade process, in the period where old and new agents are active in parallel. | New component, no incompatibilities. | Make sure the TLS Gateway is installed and configured after the AE itself has been upgraded, but before the legacy Agents are replaced with the new TLS/SSL versions. |
| Centralized Agent Upgrade (CAU) from GSS to TLS/SSL agents |
You can use the Centralized Agent Upgrade (CAU) to upgrade supported Agents to their respective TLS/SSL (21.0) version. |
In an on-premises installation, the INI file of the respective Agents are patched automatically, and the certificates are added as well. |
In an on-premises installation, no action is required. If you migrate to an AAKE system, remember that the JCP by default uses a generated, self-signed certificate within the Kubernetes cluster. The TLS/SSL Agents do not connect to the JCP directly, but to an HTTPS load balancer for which a certificate is required, see Connecting to AWI, the JCP and REST Processes Using an Ingress. You can use the CAU_INCLUDE_SERVER_CERTIFICATES parameter in the UC_SYSTEM_SETTINGS to stop the AE from automatically adding the JCP certificate during CAU. For more information ,see CAU_INCLUDE_SERVER_CERTIFICATES. |
| User Passwords are now stored as hash using Argon2 algorithm. | Existing passwords are migrated automatically but the password generation (last used passwords counter) is re-initialized and starts with 1. | No incompatibilities, but passwords that were used before the migration are not taken into account when changing the password and are accepted as a new password. | No action is required. |
| New LOCAL parameter for job messenger to connect to agent (Windows only) |
This parameter defines if the Windows Messenger uses a secure (TLS/SSL) or non-secure connection to connect to the Agent. If the parameter is set to 1, the job messenger uses a non-secure connection to the Windows Agent over localhost (127.0.0.1) only. |
No changes/incompatibilities | If the performance decreases due to TLS/SSL support, you can use this parameter to disable TLS/SSL between the job messenger and the Windows Agent, see Agent Job Messenger. |
| Alternative database tablespace names |
You can state default tablespaces provided for Automic Automation and AAKE as alternative ones. |
No changes/incompatibilities |
If you used cloud-hosted databases and do not have the permissions required to create or rename a tablespace, state them as alternative ones. In Automic Automation you can do so in the DBLoad utility user interface while loading the database or using the command line interface, see AE DB Load (UCYBDBLD.EXE). In AAKE you set them in the values.yaml file, see Configuring Container-Based Systems. |
| AE REST API - Generate at activation time | You can use the AE REST API to execute objects with the attribute Generate Task at: Activation time | No changes/incompatibilities | No action is required. |
Automic Automation Kubernetes Edition
Critical
|
Topic |
Changed Behavior |
Possible Incompatibilities |
Actions/Countermeasures |
|---|---|---|---|
| MSSQL DB not supported | The Automic Automation Kubernetes Edition only supports PostgreSQL and Oracle databases | It is not possible to upgrade/migrate from an older AE version that uses a MSSQL database. | Do not upgrade if you have a MSSQL database. |
| DB2 not supported | The Automic Automation Kubernetes Edition only supports PostgreSQL and Oracle databases | It is not possible to upgrade/migrate from an older AE version that uses a DB2 database. | Do not upgrade if you have a DB2 database. |
| CyberArk external password vault |
In the Automic Automation Kubernetes Edition, the CyberArk AIM client used for the integration cannot communicate with an Automation Engine in a cluster. |
It is not possible to use the CyberArk integration to retrieve login passwords from an external vault. | Do not upgrade if you use the CyberArk password vault integration. |
| CAPAM external password vault |
In the Automic Automation Kubernetes Edition, the CAPAM A2A client used for the integration cannot communicate with an Automation Engine in a cluster. |
It is not possible to use the CAPAM integration to retrieve login passwords from an external vault. | Do not upgrade if you use the CAPAM password vault integration. |
| Zero Downtime Upgrade not supported |
In Automic Automation Kubernetes Edition, the Helm plugin handles the upgrade. |
It is not possible to use the ZDU to upgrade an AAKE installation. | Do not use ZDU to upgrade AAKE. |
| SSO - Kerberos not supported |
The Automic Automation Kubernetes Edition does not support the Kerberos Key Distribution Center (KDC) protocol. |
It is not possible to use SSO - Kerberos in AAKE. | No action is required/possible. |
| SSO - SAML |
The SAML implementation for the Automic Automation Kubernetes Edition is different than the one for an on-premises installation. |
If SAML is not enabled and configure correctly for AAKE it will not work. |
Enable SAML either outside the instance in the values.yaml file before the installation. Once your installation is provisioned, you can use the configmap to modify the settings, see Setting up Single Sign-On. |
| SSO - LDAP |
The LDAP implementation for the Automic Automation Kubernetes Edition is different than the one for an on-premises installation. |
In addition to enabling and configuring LDAP in your system, AAKE requires a Kubernetes secret for the LDAP server and the corresponding certificate before the installation. |
Create a Kubernetes secret with the corresponding LDAP server certificate before the installation, see Setting Up LDAP for Automic Automation Kubernetes Edition. |
| Event Engine | The Event Engine feature is not supported in Automic Automation Kubernetes Edition. | It is not possible to use the Event Engine feature in AAKE. | No action is required/possible. |