Upgrade Decisions

Keep existing level of security

This is the easiest and smoothest approach. tpm will process your configuration and do its best to maintain the same level of security. In order to achieve that, tpm will dynamically update your configuration with additional properties to adjust the level of security to match.

The properties that tpm will add to your configuration will be some or all of the following depending on the initial starting point of your configuration:

disable-security-controls
connector-rest-api-ssl
manager-rest-api-ssl
replicator-rest-api-ssl
datasource-enable-ssl
enable-connector-ssl

Before commencing with the upgrade, you should include the following properties to configure the API authentication:

rest-api-admin-user=apiuser
rest-api-admin-password=secret

You can now proceed with the upgrade, refer to "Steps to upgrade using tpm" for the required steps

Apply new recommendations and setup security

The following security setting levels can be enabled, and will require user action prior to upgrading. These are:

1. Internal Encryption and Authentication

2. Tungsten to Database Encryption

3. Application (Connector) to Database Encryption

4. API SSL

5. Configure API Authentication

Applying all of the above steps will bring full security, equivalent to the default.

The steps to enable will depend on what (if any) security is enabled in your existing installation. The following sections outline the steps required to be performed to enable security for each of the various layers. To understand whether you have configured any of the various layers of security, the following summary will help to understand your configuration:

No Security

If no security has been configured, the installation that you are starting from will have disable-security-controls set to true (or it will not be supplied at all if upgrading from v6) and no additional security properties will be supplied.

Partial Security

The installation that you are starting from will have partial security in place. This could be a combination of any of the following:

• Internal encryption is configured (disable-security-controls=false), and/or

• Connector encryption is enabled (connector-ssl=true) and/or

• Cluster to the database encryption is enabled (datasource-enable-ssl=true or datasource-enable-ssl=true)

To upgrade and enable security, you should follow one or more of the following steps based on your requirements. At a minimum, the first step should always be included, the remaining steps are optional.

1. "Setup internal encryption and authentication"

2. "Enable Tungsten to Database Encryption" (if required)

3. "Enable Connector to Database Encryption" (if required)