1. Introduction

This guide describes the necessary steps and commands to upgrade PAS instance from version 4.8.0 to 4.9.0.

There are four main stages to describe the different phases and scenarios of the upgrade.

  1. Creating a backup for safety

  2. Upgrading a single node setup

  3. Upgrading a multi node setup

  4. Restoring the pre-upgrade state

2. Creating a backup for safety

Before starting the upgrade process, make sure there is a backup to which the current state of the actual PAS setup can be restored.

The following steps describe how to create a backup of an actual configuration manually.

All instructions need to be executed on the management node even in case of a multi node setup.
The password for the management component’s admin user will be necessary to be able to backup the running configuration.

2.1. Bootstrap configuration

  1. Log in to pas user by running sudo -iu pas.

  2. Save the following configuration files on the node in a zip file:

    • /opt/balasys/etc

    • /opt/balasys/.ssh for a multi node setup

    • Parts of the automated core deployment tool:

      • /opt/balasys/usr/share/automation/deploy-core.yml

      • /opt/balasys/usr/share/automation/host_vars

      • /opt/balasys/usr/share/automation/inventory.yml

      • /opt/balasys/usr/share/automation/roles/deploy-core/vars/main.yml

Example command to compress bootstrap files in a single node setup
zip --recurse-paths --symlinks \
    /opt/balasys/etc/ \
    /opt/balasys/usr/share/automation/{deploy-core.yml,host_vars,inventory.yml} \
Example command to compress bootstrap files in a multi node setup
zip --recurse-paths --symlinks \
    /opt/balasys/.ssh/ \
    /opt/balasys/etc/ \
    /opt/balasys/usr/share/automation/{deploy-core.yml,host_vars,inventory.yml} \

2.2. Creating a backup of the running configuration

  1. Log in to the Web UI as admin user and navigate to the Configuration Backup page from the top bar.

  2. On the Configuration Backup page select Running from the Export configuration dropdown menu.

    Backup and restore services with Proxedo API Security configuration
    Figure 1. Backup and restore services with Proxedo API Security configuration
  3. To export the running configuration, press the Download button. This will save the running configuration to a file named in the working directory.

Save both files ( and displayed in the examples) to a backup server.

To restore the backup, follow the instructions in section Restoring the pre-upgrade state.

3. Upgrading a single node setup

This section describes how to upgrade PAS in a single node setup. In case any problem occurs during the upgrade and the version 4.8.0 needs to be restored, follow the instructions in section Restoring the pre-upgrade state.

3.1. Prerequisites

The following requirements need to be met before carrying out the upgrade process:

  • The management, storage and core components of version 4.8.0 are running and healthy.

  • The password for the administrator user of the management component is available.

  • The new Debian packages are downloaded and available for installation on the node:

    • proxedo-api-security_4.9.0_all.deb

    • proxedo-api-security-mgmt_4.9.0_all.deb

    • proxedo-api-security-storage_4.9.0_all.deb

3.2. Upgrade steps

The user who performs the upgrade, needs to be logged in to via the docker login command line tool, and needs to have access to the PAS docker images.
  1. Run the following command in a new shell on the management node as pas user. After the pre-upgrade process is run, a can be found in the working directory.

    docker run --user $(id -u):$(id -g) --rm -it --network=host --volume $(pwd):/upgrade --frontend-baseurl http://localhost pre-upgrade
    A custom base url can be defined using --frontend-baseurl <url> pre-upgrade. It is useful when the management node is configured to only accept requests on a specific HTTP host or when the TLS certificate is not valid for localhost.
    When the frontend certificate is not trusted by the computer that runs pas-mgmt-update-config, the signing CA bundle can be provided using the --cacert <ca-bundle-file> option. The CA bundle file must contain the full CA chain and has to be placed in the working directory in PEM format.
  2. Run the following command in the same shell and working directory. It attempts to convert the running configuration to make it compatible with the new PAS version. If the conversion is successful, the new configuration is saved as However, if the automated conversion fails, the converter prompts the user for input.

    docker run --user $(id -u):$(id -g) --rm -it --network=host --volume $(pwd):/upgrade convert-config
  3. Install the new Proxedo API Security packages as root user. This will not restart systemd services.

    • Use the simplified installer windows for a directed and easier way of installing the PAS packages.

    • When the installer asks whether the existing configuration files shall be overwritten, select 'yes'. This question will be asked for each package.

      generated overwrite question
      Figure 2. Question about overriding existing files

      Starting from version 4.9.0, the password encryption uses the bcrypt algorithm. If you wish to update the password hash to bcrypt, re-enter the administrator password when prompted during the installation of proxedo-api-security-mgmt.

      By agreeing the installer to overwrite the existing files, the installer creates a working, single node configuration, consequently, there is no need to complete any manual updates. The newly created configuration is saved in a backup subdirectory next to its original location.

      • /opt/balasys/etc/infrastructure/storage/backups for storage infrastructure configuration

      • /opt/balasys/etc/storage/backups for storage configuration

      • /opt/balasys/etc/infrastructure/mgmt/backups for management infrastructure configuration

      • /opt/balasys/etc/mgmt/backups for management configuration

      • /opt/balasys/etc/infrastructure/core/backups for core infrastructure configuration

    • When the Debian installer asks what to do with the new versions of the configuration files, select N for keeping installed versions:

      Example question from the Debian installer
      Installing new version of config file /opt/balasys/etc/infrastructure/storage/docker-compose.conf ...
      Configuration file '/opt/balasys/etc/storage/config.yml'
      ==> Modified (by you or by a script) since installation.
      ==> Package distributor has shipped an updated version.
        What would you like to do about it ?  Your options are:
         Y or I  : install the package maintainer's version
         N or O  : keep your currently-installed version
           D     : show the differences between the versions
           Z     : start a shell to examine the situation
      The default action is to keep your current version.
      *** config.yml (Y/I/N/O/D/Z) [default=N] ?
  4. Log in to pas user by executing sudo -iu pas. Carry out the following operations as pas user.

  5. Verify that the upgraded configuration file, named, exists in your current working directory.

  6. Run the update command for each component:

    • pas-update for core

    • pas-mgmt-update for management

    • pas-storage-update for storage

  7. Starting from version 4.9.0, the visibility of storage certificates has been modified to be visible only to the owner user. If you wish to adjust the visibility of existing certificates, run the following command:

    find "/opt/balasys/etc/storage/" -type f -name '*.pem' -exec chmod 600 {} +

  8. Run the checkconfig command for each component for which it is available:

    • pas-mgmt-checkconfig for management

    • pas-storage-checkconfig for storage

  9. Restart the PAS management and storage components.

  10. Stop the PAS core component.

    By stopping the core component, the proxy functionality is hung up, and the network traffic going through is interrupted. The traffic will be served again when the core component is restarted in the last step.
  11. Run pas-mgmt-upgrade-config post-upgrade --config-apply-timeout 20 in the same directory where the pre-upgrade and the configuration conversion steps were performed. Follow the instructions of the script to complete.

    If a new administrator password was provided in the installer, that one needs to be used.
    A custom base url can be defined using pas-mgmt-upgrade-config --frontend-baseurl <url> post-upgrade. It is useful when the management node is configured to only accept requests on a specific HTTP host or when the TLS certificate is not valid for localhost.
    When the frontend certificate is not trusted by the computer that runs pas-mgmt-update-config, the signing CA bundle can be provided using the --cacert <ca-bundle-file> option. The CA bundle file must contain the full CA chain and has to be placed in the working directory in PEM format.
  12. Start the PAS core component.

4. Upgrading a multi node setup

This section describes how to upgrade PAS in a multi node setup. In case any problem occurs during the upgrade and the version 4.8.0 needs to be restored, follow the instructions in section Restoring the pre-upgrade state.

4.1. Prerequisites

The following requirements need to be met before carrying out the upgrade process:

  • The management and storage components of version 4.8.0 are running and healthy on the management node.

    If the core component is also run on the management node, it needs to be running and functioning too.
  • The storage and core components of version 4.8.0 are running and healthy on the core node.

  • The password for the administrator user of the management component is available.

  • The new Debian packages are downloaded and available for installation on the management node:

    • proxedo-api-security_4.9.0_all.deb

    • proxedo-api-security-mgmt_4.9.0_all.deb

    • proxedo-api-security-storage_4.9.0_all.deb

4.2. Upgrade steps

The user who performs the upgrade, needs to be logged in to via the docker login command line tool, and needs to have access to the PAS docker images.

Execute all steps on the management node.

  1. Make sure local PAS management and storage components of version 4.8.0 are running.

  2. Make sure remote PAS storage and core components of version 4.8.0 are running.

  3. Run the following command in a new shell on the management node as pas user. After the pre-upgrade process is run, a can be found in the working directory.

    docker run --user $(id -u):$(id -g) --rm -it --network=host --volume $(pwd):/upgrade --frontend-baseurl http://localhost pre-upgrade
    A custom base url can be defined using --frontend-baseurl <url> pre-upgrade. It is useful when the management node is configured to only accept requests on a specific HTTP host or when the TLS certificate is not valid for localhost.
    When the frontend certificate is not trusted by the computer that runs pas-mgmt-update-config, the signing CA bundle can be provided using the --cacert <ca-bundle-file> option. The CA bundle file must contain the full CA chain and has to be placed in the working directory in PEM format.
  4. Run the following command in the same shell and working directory. It attempts to convert the running configuration to make it compatible with the new PAS version. If the conversion is successful, the new configuration is saved as However, if the automated conversion fails, the converter prompts the user for input.

    docker run --user $(id -u):$(id -g) --rm -it --network=host --volume $(pwd):/upgrade convert-config
  5. Install the new Proxedo API Security packages locally as root user. This will not restart systemd services.

    The simplified installer is designed to help single node installation. Ignore all questions asked by the installer during the upgrade and select "No" where possible. Ignore any questions asked twice and any error prompts.
    Starting from version 4.9.0, the password encryption uses the bcrypt algorithm. If you wish to update the password hash to bcrypt, re-enter the administrator password when prompted during the installation of proxedo-api-security-mgmt.
    • When the Debian installer asks what to do with the new versions of the configuration files, select N for keeping the installed versions.

      Example question from the Debian installer
      Installing new version of config file /opt/balasys/etc/infrastructure/storage/docker-compose.conf ...
      Configuration file '/opt/balasys/etc/storage/config.yml'
      ==> Modified (by you or by a script) since installation.
      ==> Package distributor has shipped an updated version.
        What would you like to do about it ?  Your options are:
         Y or I  : install the package maintainer's version
         N or O  : keep your currently-installed version
           D     : show the differences between the versions
           Z     : start a shell to examine the situation
      The default action is to keep your current version.
      *** config.yml (Y/I/N/O/D/Z) [default=N] ?
  6. Log in to pas user by executing sudo -iu pas. Carry out the following operations as pas user.

  7. Make sure the DOCKER_IMAGE_TAG variable is updated to 4.9.0 in all docker-compose.conf files:

    • /opt/balasys/etc/infrastructure/pas/docker-compose.conf for core

    • /opt/balasys/etc/infrastructure/mgmt/docker-compose.conf for management

    • /opt/balasys/etc/infrastructure/storage/docker-compose.conf for storage

  8. Verify that the upgraded configuration file, named, exists in your current working directory.

  9. Update the configuration of the automated deployment tool.

    1. At /opt/balasys/etc/automation/common_vars.yml

      • Update the storage_deb_path to the new .deb file.

      • Update the core_deb_path to the new .deb file.

      • Update the common.docker.PAS_IMAGE_TAG to 4.9.0.

        Example extract of values for the updated attributes
        storage_deb_path: /tmp/proxedo-api-security-storage_4.9.0_all.deb
        core_deb_path: /tmp/proxedo-api-security_4.9.0_all.deb
            PAS_IMAGE_TAG: 4.9.0
  10. Run the update command for each component:

    • pas-update for core if core is also run on the management node

    • pas-mgmt-update for management

    • pas-storage-update for storage

  11. Starting from version 4.9.0, the visibility of storage certificates has been modified to be visible only to the owner user. If you wish to adjust the visibility of existing certificates, run the following command:

    find "/opt/balasys/etc/storage/" -type f -name '*.pem' -exec chmod 600 {} +

  12. Run the checkconfig command for each component for which it is available:

    • pas-mgmt-checkconfig for management

    • pas-storage-checkconfig for storage

  13. Restart the local PAS management and storage components.

  14. Restart the remote core component by running pas-mgmt-deploy-core --deploy-core --restart-storage. This will restart the remote storages with PAS version 4.9.0.

  15. Run pas-mgmt-upgrade-config post-upgrade --config-apply-timeout 20 in the same directory where the pre-upgrade and the conversion of the steps were performed. Follow the instructions of the script to complete.

    A custom base url can be defined using pas-mgmt-upgrade-config --frontend-baseurl <url> post-upgrade. It is useful when the management node is configured to only accept requests on a specific HTTP host or when the TLS certificate is not valid for localhost.
    When the frontend certificate is not trusted by the computer that runs pas-mgmt-update-config, the signing CA bundle can be provided using the --cacert <ca-bundle-file> option. The CA bundle file must contain the full CA chain and has to be placed in the working directory in PEM format.
  16. Restart the local PAS core component.

  17. If HA is run, also restart the local HA component.

  18. Upgrade and restart the remote PAS core component by running pas-mgmt-deploy-core --restart-core.

  19. If HA is run, also upgrade and restart the remote HA component by running pas-mgmt-deploy-core --deploy-ha --restart-ha.

  20. Open the UI as the administrator user and go to the Status page. If FAILED is displayed in the Reload success column, go to the Changes page, and click Config Apply even if there are no pending changes.

5. Restoring the pre-upgrade state

5.1. Cleaning up to pre-upgrade state

  1. Stop all PAS services on all nodes.

    • systemctl stop proxedo-api-security for core

    • systemctl stop proxedo-api-security-mgmt for management

    • systemctl stop proxedo-api-security-storage for storage

  2. Remove PAS packages as root user on all nodes. Remove packages only from those nodes where they are installed.

    • apt remove --purge proxedo-api-security for core

    • apt remove --purge proxedo-api-security-mgmt on management

    • apt remove --purge proxedo-api-security-storage on storage

  3. Remove the pas user by running userdel --force --remove pas.

5.2. Restoring the configuration to pre-upgrade state

All instructions need to be executed on the management node.

  1. Reinstall PAS version 4.8.0 packages.

  2. Log in to pas user by running sudo -iu pas.

  3. Copy the files saved during the backup to the pas user’s home directory.

5.2.1. Bootstrap configuration

It is important to run all commands as pas user to prevent from accidentally overwriting system files.
  1. Unzip the saved bootstrap configuration files in the /opt/balasys directory as pas user by running unzip -u -o -d /.

    Example bootstrap configuration restore command and output
    $ unzip -u -o -d /
       creating: /opt/balasys/etc/
       creating: /opt/balasys/etc/ha/
      inflating: /opt/balasys/etc/ha/config.yml
       creating: /opt/balasys/etc/mgmt/
     extracting: /opt/balasys/etc/mgmt/users.htpass
      inflating: /opt/balasys/etc/mgmt/config.yml
       creating: /opt/balasys/etc/storage/
  2. Start all PAS services including the HA component if previously an HA setup was run.

  3. If a multi node setup is being restored, also deploy the remote node by running the remote deployment command.

    pas-mgmt-deploy-core --deploy-core
  4. If an HA setup is run, also start the HA service on the remote node.

    pas-mgmt-deploy-core --deploy-ha

5.2.2. Restoring the running configuration

  1. Log in to the Web UI as the administrator user and navigate to the Configuration Backup page from the top bar.

  2. To import the running configuration, on the Configuration Backup page choose a configuration file from the computer and press Upload to upload the configuration.

    Backup and restore services with Proxedo API Security configuration
    Figure 3. Backup and restore services with Proxedo API Security configuration
  3. Apply the configuration.