Upgrading the on-premises gateway on Docker containers

This topic describes how to upgrade the BMC Helix Intelligent Integrations on-premises gateway on Docker containers.

To prepare for the upgrade

Review the system requirements and download the container images and utility files.
Back up the connector configurations, see Backing-up-and-restoring-connector-configurations.
Back up the /<IIGateway_INSTALL_DIR>/hii/docker-compose.yaml file.
Navigate to the /<IIGateway_INSTALL_DIR> directory, and run the following command to archive the hii directory: tar -cvf hii.tar hii
Before upgrading to version 25.1 if authentication is disabled for the on-premises gateway, and if you don't want to enable the authentication after the upgrade and you have customized the nginx.conf file, perform the following steps:
1. Navigate to the /<IIGateway_INSTALL_DIR>/hii/conf directory.
2. Back up the nginx.conf file to a temporary directory.
If you are upgrading to version 25.1 from 24.3.01 and authentication is enabled for the on-premises gateway before the upgrade, perform the following tasks:
1. Create the iig_auth directory under the <userHome> directory if it doesn't exist. Back up the /<IIGateway_INSTALL_DIR>/hii/conf/nginx.conf file in the iig_auth directory.
2. Check whether the <userHome>/iig_auth directory contains the external.conf file. If the file is not present, copy it from the /<IIGateway_INSTALL_DIR>/hii/conf/authproxy directory to the iig_auth directory.
If you are using BMC Helix IT Operations Management on premises and you are enabling authentication for the on-premises gateway for the first time after the upgrade, register the OAuth client.
For more information, see Setting-up-authentication-for-the-on-premises-gateway.

Task 1: To upgrade the on-premises on Docker containers if you are a Helix subscriber

Go to the server where you want to upgrade the on-premises gateway.
Copy the following files that you have downloaded to the /<IIGateway_INSTALL_DIR> directory:
- Container images: bmc-hii-docker-images-<buildNumber>.tgz
- Utility file: hii-bmc-<buildNumber>.zip
Perform the following steps to update the container images:
1. Stop the docker-compose service:
  docker compose down
2. Load the container images:
  docker load --input /<IIGateway_INSTALL_DIR>/bmc-hii-docker-images-<buildNo>.tgz
Navigate to the /opt/bmc/hii/defaults directory and delete the following files if they exist:
- docker-compose.yaml_Rsso
- podman-compose.yaml_Rsso
- nginx.conf_Rsso
Obtain the database version:
cat docker-compose.yaml | grep image | grep arango
Extract hii-bmc-<buildNumber>.zip and overwrite the existing files in the /<IIGateway_INSTALL_DIR>/hii directory.
If the database version is earlier than 3.12.2, perform the following steps to upgrade the database; otherwise, skip to step 8.
1. Open the /<IIGateway_INSTALL_DIR>/hii/docker-compose.yaml file with a text editor and search for the following line:
  # - --database.auto-upgrade
2. Uncomment the line:
  - --database.auto-upgrade
3. Start the docker-compose service:
  docker compose up -d
4. Open the /<IIGateway_INSTALL_DIR>/hii/docker-compose.yaml file with a text editor and search for the following line:
  - --database.auto-upgrade
5. Comment the line:
  # - --database.auto-upgrade
6. Stop the docker-compose service:
  docker compose down
Change permissions on the /<IIGateway_INSTALL_DIR>/hii/logs directory:
chmod 777 /<IIGateway_INSTALL_DIR>/hii/logs
If you have customized the docker-compose.yaml file before the upgrade, copy the customizations done in the file to the docker-compose.yaml file in the /<IIGateway_INSTALL_DIR>/hii directory.
Depending on whether you want to enable or disable authentication for the on-premises gateway after the upgrade, perform one of the following steps :
- To upgrade to the on-premises gateway with authentication enabled, perform the following steps:
  1. (Optional) To register the BMC Helix Single Sign-On client again, perform the following steps:
    1. Delete the <userHome>/iig_auth directory.
    2. Replace the /<IIGateway_INSTALL_DIR>/hii/scripts/cred.json file with the cred.json file extracted from /<IIGateway_INSTALL_DIR>/hii in step 6.
  2. Navigate to the /<IIGateway_INSTALL_DIR>/hii/scripts directory.
  3. Run the gateway_deployment.sh script:
    ./gateway_deployment.sh
  4. Enter docker when prompted for the deployment method.
  5. Enter y to upgrade to the on-premises gateway with authentication enabled.
  6. Enter the following information:
    - Access key and access secret key: Access key and secret key required to access the BMC Helix applications.
      For instructions about how to generate the access key and secret key, see Setting up access keys for programmatic access.
      Important
      The keys are generated in the following format: key:<access key>::<access secret key>,tenant id:<tenant ID>. Enter <access key> and <access secret key> as the values of access key and access secret key.
      The access key and access secret key must have the Administrators group and the Administrator role assigned.
    - Tenant Id: BMC Helix tenant ID.
      Copy the tenant ID from the access key (key:<access key>::<secret key>,tenant id: <tenant ID>).
    - Tenant URL: BMC Helix tenant URL.
      For example, https://swp-2021-1840-disceks1.abc.com .
    - Host name: Name of the server where you want to deploy the on-premises gateway.
      The on-premises gateway is upgraded and authentication is enabled. Also, the cred.json, external.config, and nginx.config configuration files are backed up in the /<userHome>/iig_auth directory.
- To upgrade to the on-premises gateway with authentication disabled, perform the following steps:
  1. If you have backed up the nginx.conf file, as described in Before you begin, copy the customizations done in the file to the nginx_noauth.conf file in the <IIGateway_INSTALL_DIR>/hii/defaults directory.
  2. Navigate to the /<IIGateway_INSTALL_DIR>/hii/scripts directory.
  3. Run the gateway_deployment.sh script:
    ./gateway_deployment.sh
  4. Enter docker when prompted for the deployment method.
  5. Enter n to upgrade to the on-premises gateway with authentication disabled.
    The on-premises gateway is upgraded, and authentication is disabled.
Verify that all containers are running.
docker ps -a
If any of the container is in restarting state due to permission issues, set the user context for that container. For more information, see Troubleshooting-the-BMC-Helix-Intelligent-Integrations-issues.
Access the BMC Helix Intelligent Integrations UI by using the following URL: https://<hostName>:443/swpui
<hostName> is the fully-qualified domain name of the server where the on-premises gateway is deployed.
For example, https://swp-2021-1840-disceks1.abc.com:443/swpui .
Important
After the upgrade is complete, you can access the BMC Helix Intelligent Integrations UI by using the URL specified in this step. BMC Helix Portal does not display any tile for the on-premises gateway.
If the UI is accessible, delete and purge the existing container images:
docker image prune -a
When prompted, enter y to purge the previous version images from the repository.

Task 1: To upgrade the on-premises gateway on Docker containers if you are using BMC Helix IT Operations Management on premises

Go to the server where you want to upgrade the on-premises gateway.
Copy the following files that you have downloaded to the /<IIGateway_INSTALL_DIR> directory:
- Container images: bmc-hii-docker-images-<buildNumber>.tgz
- Utility file: hii-bmc-<buildNumber>.zip
Perform the following steps to update the container images:
1. Stop the docker-compose service:
  docker compose down
2. Load the container images:
  docker load --input /<IIGateway_INSTALL_DIR>/bmc-hii-docker-images-<buildNo>.tgz
Navigate to the /opt/bmc/hii/defaults directory and delete the following files if they exist:
- docker-compose.yaml_Rsso
- podman-compose.yaml_Rsso
- nginx.conf_Rsso
Obtain the database version:
cat docker-compose.yaml | grep image | grep arango
Extract hii-bmc-<buildNumber>.zip and overwrite the existing files in the /<IIGateway_INSTALL_DIR>/hii directory.
If the database version is earlier than 3.12.2, perform the following steps to upgrade the database; otherwise, skip to step 8.
1. Open the /<IIGateway_INSTALL_DIR>/hii/docker-compose.yaml file with a text editor and search for the following line:
  # - --database.auto-upgrade
2. Uncomment the line:
  - --database.auto-upgrade
3. Start the docker-compose service:
  docker compose up -d
4. Open the /<IIGateway_INSTALL_DIR>/hii/ docker-compose.yaml file with a text editor and search for the following line:
  - --database.auto-upgrade
5. Comment the line:
  # - --database.auto-upgrade
6. Stop the docker-compose service:
  docker compose down
Change permissions on the /<IIGateway_INSTALL_DIR>/hii/logs directory:
chmod 777 /<IIGateway_INSTALL_DIR>/hii/logs
If you have customized the docker-compose.yaml file before the upgrade, copy the customizations done in the file to the docker-compose.yaml file in the /<IIGateway_INSTALL_DIR>/hii directory.
If authentication is disabled for the on-premises gateway before the upgrade and you don't want to enable authentication after the upgrade, perform the following steps; otherwise skip to step 11.
1. If you have backed up the nginx.conf file, as described in Before you begin, copy the customizations done in the file to the nginx_noauth.conf file in the <IIGateway_INSTALL_DIR>/hii/defaults directory.
2. Navigate to the /<IIGateway_INSTALL_DIR>/hii/scripts directory.
3. Run the gateway_deployment.sh script:
  ./gateway_deployment.sh
4. Enter docker when prompted for the deployment method.
5. Enter n to deploy the on-premises gateway with authentication disabled.
  The on-premises gateway is upgraded, and authentication is disabled.
6. Go to step 13 to verify the status of the containers.
If authentication is disabled for the on-premises gateway before the upgrade, and you want to enable it for the first time after the upgrade, perform the following steps; otherwise skip to step 12:
1. Perform the following steps to update the BMC Helix SSO configuration for Auth Proxy:
  1. Navigate to the <IIGATEWAY_INSTALL_DIR>/hii/conf/authproxy directory and open the external.conf file with a text editor.
  2. Update the file:
    - Search for the rsso_external_url and rsso_internal_url parameters and replace {RSSO_URL} with the OpenID Connect Issuer URL.
    - Search for the client_id parameter and replace {RSSO_CLIENT_ID} with the Client ID that you saved in a file while registering the OAuth client.
    - Search for the client_secret parameter and replace {RSSO_CLIENT_SECRET} with the Client Secret that you saved in a file while registering the OAuth client.
    - Locate the proxies section, and replace {TENANT_URL} with the BMC Helix tenant URL. For example, https://swp-2021-1840-disceks1.abc.com.
  3. Save the file.
2. Perform the following steps to update the neo.feature.flags.auth-enabled parameter:
  1. Navigate to the /<IIGateway_INSTALL_DIR>/hii/conf directory.
  2. Open the swp.conf file with a text editor.
  3. Set the value of the neo.feature.flags.auth-enabled parameter to true.
  4. Save the file.
3. Start the docker-compose service:
  docker compose up -d
4. Go to step 13 to verify the status of the containers.
If authentication is enabled for the on-premises gateway before the upgrade and you want to continue with authentication after the upgrade, perform the following steps:
1. Perform the following steps to update the neo.feature.flags.auth-enabled parameter:
  1. Navigate to the /<IIGateway_INSTALL_DIR>/hii/conf directory.
  2. Open the swp.conf file with a text editor.
  3. Set the value of the neo.feature.flags.auth-enabled parameter to true.
  4. Save the file.
2. Copy the nginx.conf file from the <userHome>/iig_auth directory to the /<IIGateway_INSTALL_DIR>/hii/conf directory.
3. Copy the external.conf file from the <userHome>/iig_auth directory to the /<IIGateway_INSTALL_DIR>/hii/conf/authproxy directory.
4. Start the docker-compose service:
  docker compose up -d
5. Go to step 13 to verify the status of the containers.
Verify that all containers are running.
docker ps -a
If any of the container is in restarting state due to permission issues, set the user context for that container. For more information, see Troubleshooting-the-BMC-Helix-Intelligent-Integrations-issues.
Access the BMC Helix Intelligent Integrations UI by using the following URL:
https://<hostName>:443/swpui
<hostName> is the fully-qualified domain name of the server where the on-premises gateway is deployed.
For example, https://swp-2021-1840-disceks1.abc.com:443/swpui
Important
After the upgrade is complete, you can access the BMC Helix Intelligent Integrations UI by using the URL specified in this step. BMC Helix Portal does not display any tile for the on-premises gateway.
If the UI is accessible, delete and purge the existing container images:
docker image prune -a
When prompted, enter y to purge the previous version images from the repository.

Task 2: To import custom or CA-signed certificates into the on-premises gateway

Important

Make sure that the version of the keytool utility installed on the on-premises gateway host matches the version available in the swp-authproxy container.

Obtain the custom or CA-signed certificates from the BMC Helix platform deployment which the on-premises gateway is part of and save it in the <IIGateway_INSTALL_DIR>hii/conf folder.
Copy the cacerts file present in the swp-mediator container at /opt/java/openjdk/lib/security to the /<IIGateway_INSTALL_DIR>/hii/conf/certs directory by using the following command:
docker cp swp-mediator:/opt/java/lib/security/cacerts /<IIGateway_INSTALL_DIR>hii/conf/certs/cacerts_mediator
(Required if authentication is enabled for the on-premises gateway) Copy the cacerts file present in the swp-authproxy container at /opt/java/openjdk/lib/security to the /<IIGateway_INSTALL_DIR>/hii/conf/certs directory by using the following command:
docker cp swp-authproxy:/opt/java/openjdk/lib/security/cacerts /<IIGateway_INSTALL_DIR>hii/conf/certs/cacerts_authproxy
Navigate to the /<IIGateway_INSTALL_DIR>/hii/conf/certs folder.
Import the certificates into the copied files by using the keytool utility.
- Import the certificates into the cacerts_mediator file by using the following command:
  keytool -importcert -file <certificate_name> -keystore cacerts_mediator -alias <alias_name>
  Replace the certificate_name with the certificate name that you obtained from the BMC Helix platform deployment.
- (Required if authentication is enabled for the on-premises gateway) Import the certificates into the cacerts_authproxy file by using the following command:
  keytool -importcert -file <certificate_name> -keystore cacerts_authproxy -alias <alias_name>
  Replace the certificate_name with the certificate name that you obtained from the BMC Helix platform deployment.
Open the /<IIGateway_INSTALL_DIR>/hii/docker-compose.yaml file with a text editor:
Update the file:
- Search for the mediator section and add the following line to the volumes section:
  - ./conf/certs/cacerts_mediator:/opt/java/lib/security/cacerts
- (If authentication is enabled for the on-premises gateway) Search for the authproxy section and add the following line to the volumes section:
  - ./conf/certs/cacerts_authproxy:/opt/java/openjdk/lib/security/cacerts
Save and close the docker-compose.yaml file.
Restart the container service by using the following commands:
docker compose down
docker compose up -d

Task 3: To edit the connector in BMC Helix Intelligent Integrations

If there are any updates in the connector configuration during upgrade, the existing connector instances are not updated automatically after upgrade. You need to either create a new connector instance or stop the existing data stream and create a new data stream.

For the list of updates in various connectors in version 25.1, see 25-1-enhancements-and-patches. For information about editing an existing connector for data streams, see Editing-and-deleting-integrations and Starting-or-stopping-data-streams.

Task 4: To update the collector URL in the third-party product

If you have switched authentication for the on-premises gateway during upgrade, perform the following steps to update the collector URL in the third-party product (for example, Entuity) from which you are collecting data:

Access the BMC Helix Intelligent Integrations UI by using the following URL:
https://<hostName>:443/swpui
<hostName> is the fully-qualified domain name of the server where the on-premises gateway is deployed.
On the SOURCES panel, click Configure Mediator for the source connection that you created and then expand the < thirdPartyProduct Datatype> panel.
On the COLLECTOR CONFIGURATION tab, click copy to copy the existing, auto-generated collector URL and save the URL in a temporary file.
For example, https://hostA/hii/api/mediator/v3/push/9mn-6c97-4c2e-8pc5-12c0asdf?token=API-KEY.
Depending on whether authentication is enabled or disabled for the on-premises gateway, perform the following steps:
- If authentication is enabled, perform the following steps:
  1. Log on to BMC Helix Portal and generate an access key.
    For instructions about how to generate the access key, see Setting up access keys for programmatic access.
  2. Copy the generated access key and save it in a temporary file.
    The key is generated in the format:<accessKey>::<secretKey>::<tenantID>.
    For example, Y40OSC49QZA11Q8A1H9H6::MnVLk69TNyCEponsthHJ1Hj1uKcjTB::385261281.
  3. Change the format of the access key to <tenantID>::<accessKey>::<secretKey>.
    For example, 385261281::Y40OSC49QZA11Q8A1H9H6::MnVLk69TNyCEponsthHJ1Hj1uKcjTB.
  4. In a temporary file, modify the auto-generated collector URL by replacing API-KEY with the access key that you formatted in the previous step.
    For example, https://host.ab.com/hii/api/mediator/v3/push/9mn-6c97-4c2e-8pc5-12c0asdfd?token=385261281::Y40OSC49QZA11Q8A1H9H6::MnVLk69TNyCEponsthHJ1Hj1uKcjTB .
- If authentication is disabled, perform the following steps:
  1. Save the URL in a temporary file.
  2. Remove the following string from the collector URL: ?token=API-KEY
    The updated collector URL looks like the following example:
    https://hostA/hii/api/mediator/v3/push/9mn-6c97-4c2e-8pc5-12c0asdf

Task 5: To configure the third-party product

Configure the third-party product again to forward data to BMC Helix Intelligent Integrations.
For the sample instructions to update the collector URL in a third-party product, see To configure a connection with Entuity for collecting incidents data.

To roll back the on-premises gateway upgrade

Stop the docker-compose service:
docker compose down
Rename the /<IIGateway_INSTALL_DIR>/hii directory:
mv hii hii_upgrade
You might need this directory for debugging.
If you have enabled authentication during the upgrade, navigate to the <userHome> directory and delete the iig_auth directory and any other directories or files created in this directory during the upgrade.
Delete and purge the container images:
docker image prune -a
When prompted, enter y to purge the images from the repository.
Load the container images for the version from which you have upgraded:
docker load --input /<IIGateway_INSTALL_DIR>/bmc-hii-docker-images-<buildNo>.tgz
Extract the backed up hii.tar:
tar -xvf /<IIGateway_INSTALL_DIR>/hii.tar -C /<IIGateway_INSTALL_DIR>/
Start the docker-compose service:
docker compose up -d
Access the BMC Helix Intelligent Integrations UI by using the following URL: https://<hostName>:443/swpui
<hostName> is the fully-qualified domain name of the server where the on-premises gateway is deployed.
For example, https://swp-2021-1840-disceks1.abc.com:443/swpui.

After you upgrade

Downgrade the Arango DB from version 2.13 to 2.11 by performing the following steps:

For on-premises gateway
1. Download the build with downgraded Arango DB version to the /<IIGateway_INSTALL_DIR> directory:
  - Container images: bmc-hii-docker-images-<buildNumber>.tgz
  - Utility file: hii-bmc-<buildNumber>.zip
2. Bring the Arango DB down.
3. Create a temporary directory by using the following command:
  mkdir/tmp/arangodump
4. Take a backup of Arango DB in a temporary file by using the following command:
  docker run -v "/tmp/arangodump:/tmp/dump" -it arangodb:3.12.0 arangodump --server.endpoint tcp://${<IP/host>}:8529 --server.username root --server.password "" --all-databases true --overwrite true --output-directory /tmp/dump --dump-data=true
5. Navigate to /opt/bmc/hii directory and stop the docker-compose by using this command:
  docker-compose down
6. Deploy the downloaded bmc-hii-docker-images-<buildNumber>.tgz build by performing the following steps:
  1. Load docker images for the build by using this command:
    docker load --input bmc-hii-docker-images-<buildNumver>.tgz
  2. Run the following command:
    ./hii/scripts/gateway_deployment.sh
7. Restore the Arango database from backup by using this command:
  docker run -e ARANGO_RANDOM_ROOT_PASSWORD=1 -v "/tmp/arangodump:/arango-backups" \
    -it arangodb:3.12.0 \
    /usr/bin/arangorestore \
    --input-directory "/arango-backups" \
    --server.endpoint tcp://${HOSTNAME}:8529 \
    --server.username root \
    --server.password "" \
    --create-database \
    --all-databases
For SaaS
1. Take a backup of the Arango DB by using the following command:
  kubectl -n $NAMESPACE apply -f https://github.bmc.com/dem/k8s-configurations/blob/master/ops_scripts/arango-compliance-downgrade/arango-downgrade-compliance-backup.yaml
2. Delete the Arango DB deployment using the following command:
  kubectl -n $NAMESPACE delete ArangoDeployment arango
3. Rerun Arango DB deployemnt with the bmc-hii-docker-images-<buildNumber>.tgz build.
4. Restore the Arungo DB by running this command:
  kubectl -n $NAMESPACE apply -f https://github.bmc.com/dem/k8s-configurations/blob/master/ops_scripts/arango-compliance-downgrade/arango-downgrade-compliance-restore.yaml
5. Rescale mediator, rollout restart ui, backup and tenant:
  kubectl -n $NAMESPACE scale swp-mediator --replicas=0
  kubectl -n $NAMESPACE rollout restart deploy swp-ui swp-tenant swp-backup
  kubectl -n $NAMESPACE scale swp-mediator --replicas=10

Where to go from here

After you upgrade the on-premises gateway, perform the following tasks:

If you want to ensure high availability of the on-premises gateway instances in case of any failure, see Configuring-the-on-premises-gateway-for-high-availability .
C onfigure connections with the required third-party products to collect events, metrics, and topology data.

If a problem occurs

Known-and-corrected-issues