Legal Disclaimer: The resource assets in this website may include abbreviated and/or legacy terminology for HPE Aruba Networking products. See www.arubanetworks.com for current and complete HPE Aruba Networking product lines and names.
Moving to ClearPass 6.11
Version Considerations
The migration to 6.11 is supported from either 6.9 or 6.10 ClearPass Policy Manager versions. With 6.9, migration is supported from 6.9.12 and higher. With 6.10, migration is supported from any 6.10 version.
Note: In ClearPass 6.11.0 and later, the maximum single cluster size is 32 servers. This includes the publisher, standby publisher, subscribers, dedicated Insight server, and standby Insight servers.
Note: After re-imaging the servers to 6.11.0, it is recommended to update to the latest 6.11 patch before restoring the configuration backup.
Refer to the following steps to restore your configuration and data, including licenses and certificates, on a new ClearPass 6.11.0 system:
1. Legacy license keys are not accepted in the ClearPass 6.11.0 user interface. If you are using old (pre-6.8) license keys in the single-line format, they must be converted to the new multi-line format (which starts with "-----BEGIN <license type> LICENSE KEY"). For more information, contact Support.
2. Save a backup of the configuration data (tipsdb and AppPlatform), Insight data (insightdb), and optionally the Session log data (tipsLogDb).
Complete a configuration backup from the Publisher node by navigating to Administration > Server Manager > Server Configuration. Select the radio button for the Publisher node, then select the Back up button.
Note: Extension and ClearPass Guest configurations are included within the Policy Manager backup and will also be restored. Custom skins are not included in the configuration backup and will need to be downloaded from the software updates portal and installed after the migration.
Figure 1 Backup the Policy Manager Database
If Insight is enabled on any of the nodes, take a backup of the Insight module from the Insight primary master. If Insight is enabled on the publisher, enable both the Back up Insight data and Back up ClearPass configuration data checkbox options. If Insight is enabled on any other cluster node, back up the Insight data from that node.
If the session log database is used as part of any of the authorization workflows, back up the log database from each cluster node by selecting the Back up ClearPass session log data checkbox. This is not a common use case, however, and the additional time required to back up and restore the log database needs to be accounted for.
Note: Ensure port 5433 is open in order to access the Insight database. Port 5433 is also used for connecting to the tipsLogDb in ClearPass 6.11.0.
3. For migrations from ClearPass Policy Manager 6.9.12 and higher, back up the license keys manually as described below:
Keep a copy of the Publisher license keys, as obtained using the show license command. Since the application licenses are cluster-wide, the Publisher holds the list of all the application license keys used in the cluster. Additionally, back up the Platform license (PAK/PAC) from each Subscriber node. Platform licenses are specific to each node and need to be backed up separately from each node.
To obtain the licenses, log in to the Publisher or Subscriber CLI as appadmin and run the following show license command:
Figure 2 Run the show license command
These steps are optional, since Support maintains license keys for each customer account. However, it is recommended to back up the license keys in case they are not registered correctly in the support portal.
Note: Backups taken in Publisher 6.10.0 and later store the Platform license (PAK/PAC) key of every reachable node in the cluster as plain text files. If a subscriber is not reachable, its Platform license will not be present in the publisher's backup. The activation status of the subscriber's PAK is not present in the backup.
For backups taken from ClearPass 6.10 nodes, the license keys from the Publisher and all the reachable Subscriber nodes are available within the backup file under the PolicyManager folder, as shown below:
Figure 3 Locate ClearPass legacy license keys
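Two pre-flight checks that follow from steps 1 and 3 above, written as an added example (not HPE Aruba code): classify a license key as legacy single-line or 6.11-compatible multi-line, and check a backup tarball for a Platform license file per expected node so that an unreachable subscriber's missing key is caught before re-imaging. The in-archive layout PolicyManager/<hostname>.lic and the sample backup are assumptions constructed for the example.

```python
"""Pre-flight checks before a ClearPass 6.11 restore (added example, not HPE Aruba code)."""
import io
import re
import tarfile

# Step 1 of the guide: 6.11 accepts only multi-line keys, whose first line
# starts with "-----BEGIN <license type> LICENSE KEY".
LICENSE_HEADER = re.compile(r"\A-----BEGIN [A-Z ]+ LICENSE KEY")


def license_key_format(key_text: str) -> str:
    """Return 'multi-line' for a 6.11-compatible key, 'legacy' for a pre-6.8 single-line key."""
    text = key_text.strip()
    if LICENSE_HEADER.match(text) and "\n" in text:
        return "multi-line"
    return "legacy"


def platform_licenses_in_backup(backup_bytes: bytes, expected_nodes) -> dict:
    """Map each expected node to whether a Platform license file for it exists under PolicyManager/.

    Assumed layout (not from the guide): PolicyManager/<hostname>.lic. A node that was
    unreachable at backup time has no file, so its key must be captured via 'show license'."""
    present = set()
    with tarfile.open(fileobj=io.BytesIO(backup_bytes), mode="r:*") as tar:
        for member in tar.getmembers():
            parts = member.name.split("/")
            if member.isfile() and len(parts) == 2 and parts[0] == "PolicyManager" \
                    and parts[1].endswith(".lic"):
                present.add(parts[1][:-len(".lic")])
    return {node: node in present for node in expected_nodes}


def build_sample_backup(nodes_with_license) -> bytes:
    """Construct an in-memory tar.gz in the assumed layout; the key bodies are made-up sample data."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for node in nodes_with_license:
            data = (f"-----BEGIN PLATFORM LICENSE KEY-----\n<constructed-key-{node}>\n"
                    f"-----END PLATFORM LICENSE KEY-----\n").encode()
            info = tarfile.TarInfo(name=f"PolicyManager/{node}.lic")
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    # cppm-sub2 was "unreachable" when the sample backup was taken, so it is reported missing.
    sample = build_sample_backup(["cppm-pub", "cppm-sub1"])
    print(platform_licenses_in_backup(sample, ["cppm-pub", "cppm-sub1", "cppm-sub2"]))
```

Any node reported False needs its Platform license captured from its own CLI with show license before the node is re-imaged.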
4. Export and back up the (RADIUS / HTTPS / RadSec / Service / Client) certificates as .p12 files with a password from Administration > Certificates > Certificate Store.
Note: Exporting certificates with a password includes the private key along with the certificate in the .p12 file, so it can be imported once the re-imaging process is complete.
Figure 4 Export and Backup Certificates
Export and backup the certificates for each node as a .p12 file if they are different from the certificates used on the Publisher.
5. Node-specific parameters are not included in the backup. Document and archive the following settings for future reference:
AD Domain(s) that have been joined
The list of domains that ClearPass has joined can be found by running the show domain command from the CLI.
The list of password servers configured per domain can be found by running the ad passwd-server list -n <domain NETBIOS name> command.
Any static routes configured using ClearPass Policy Manager
The list of static routes that have been configured can be found by running the network IP list command.
Application ACLs that have been configured
The application ACLs that have been applied per server can be found by navigating to Administration > Server Manager > Server Configuration. Click on a server in order to view its settings, then select the Network tab.
Custom service parameters
Any changes made to the service parameters have to be documented before the upgrade and re-applied manually. Review the service parameter values by navigating to Administration > Server Manager > Server Configuration. Click on a server in order to view its settings, then select the Service Parameters tab.
6. Download the 6.11.0 ISO and/or VM image from the HPE Networking Support Portal. For more information, see Installing the ClearPass 6.11 ISO Image.
7. Install the ClearPass 6.11.0 ISO or deploy the VM image.
8. Complete the bootstrap configuration using the appadmin CLI command. This includes the hostname, IP address assignment for the management and data interfaces, NTP server, time zone, and the FIPS mode configuration.
Note: The IP address should be the same in order to reuse the DB server certificate exported in step 4. If the 6.9.X or 6.10.X backup is from a FIPS mode deployment, then FIPS mode should be enabled before restoring the backup.
9. Add the Platform license made available in the backup described in step 2 in order to access the GUI. Add all other application licenses (Access, Onboard, OnGuard, etc.) from the GUI as well. The following additional tasks also require completion:
Reconfigure any static routes that are required
Join ClearPass Policy Manager to the AD domain
Configure application ACLs
Add the Platform license to access the GUI (Subscriber only)
10. Restore the certificates exported in step 4. This includes restoring the Publisher's or Subscriber's server certificates.
11. Restore the backup taken in step 2 using the -c and -r command options, or by using the GUI.
-c restore the ClearPass Policy Manager configuration data
-r restore the Insight data
-i ignore version mismatch and attempt data migration
Note: Do NOT restore the ClearPass Policy Manager session log data as part of the restore operation described in this step. Including the session log data in the restore adversely affects the time to complete the restore operation.
12. Join the subscriber nodes to the cluster as applicable. Repeat for each subscriber and configure Standby Publisher.
13. Download and install custom skins if needed from the software updates portal. Apply the skin to the appropriate guest pages.
14. Activate the licenses. There is a 90-day grace period to complete the license activation.
Activate the Publisher's PAK and each cluster-wide application license
Activate the Platform license on each Subscriber
Cluster Migration Considerations
For clustered ClearPass configurations, there are different ways to plan the migration. For ClearPass clusters running on virtual appliances, the migration process is easier compared to the hardware counterparts.
One option to consider for virtual appliances is to build a new 6.11 cluster in parallel and restore the backup from the production cluster. If there is a need to retain the existing IP address schema for the VMs, power off the existing VMs and deploy new VMs running ClearPass 6.11 with the same IP addresses.
For hardware appliances, another option is to remove the standby publisher and a few subscriber nodes from the cluster, re-image them to ClearPass 6.11, and create a smaller parallel cluster running 6.11. This provides the opportunity to test different workflows against ClearPass 6.11. Once the validations are complete, move specific services from the old cluster to the new ClearPass 6.11 cluster. Rather than moving all the services at once, move specific workflows from the old cluster to the new ClearPass 6.11 cluster one at a time.