UWIT-IAM / cert-service

UW certificate service website

Retire use of iamdb21 #45

Closed chmc3 closed 6 months ago

chmc3 commented 1 year ago

Currently Certificate Services and other tools on the iamtools servers utilize the database server iamdb21. These servers are leaving support as CentOS 7 servers, so the database needs to be transitioned to a new server. I believe there is currently an iamdb31 solution already in existence that other IAM services have been transitioned to. But there may be a need to review the use of iamdb21 before transition efforts take place.

chmc3 commented 12 months ago

From AuthN meeting on 11/13, we are prioritizing this as we have been asked to move the database and upgrade it. To avoid making extra work where we had already done some, this work is being prioritized for November. Andrew is to take point but pull in resources like @jdiverp to help explore the move and get started on the process.

mar235av commented 12 months ago

Created the iamtools-test database in the uwit-mci-iam project and applied basic configuration. Postgres version 15. Created the client certificates needed to connect securely from the iamtools servers and saved these to iamtools-test11. Discovered that the iamtools servers have an ancient version (9.6.14) of the Postgres client tools, so they cannot handle the secure connections to the newer database version. Sent a ticket to UE asking them to upgrade the Postgres client on iamtools-test11 so we can test. I will coordinate an upgrade of the prod application servers after validation is complete on the test server. Blocked until UE completes the upgrade on iamtools-test11.

chmc3 commented 11 months ago

From Certificate Services meeting, the amount of work uncovered in this process has delayed us from moving forward with this until January. For now, we are going to continue to work on this over the break and check back in early January about a timeline for a release. Andrew may update this issue with more details. He has been doing very good work to investigate this and keep the team updated on his progress, and documenting as he goes so we don't have to replicate the efforts later.

mar235av commented 10 months ago

As of this date, there are four remaining work elements to be completed before this issue can be resolved:

  1. The database driver used by cert services to connect to the database is not properly recognizing the certificates needed to connect securely to the new database. This will need to be resolved, hopefully with additional configuration, but more radical changes may be needed if we cannot figure this out. (Note that SPRegistry is using a completely different driver that is not experiencing this issue.) This is the current primary blocking issue.
  2. Update the configuration of the Python script on the IdP servers that pulls new SP configuration from SPReg into the IdP, with smoke testing to confirm connectivity.
  3. Comprehensive testing of all application functions in cert services, SPReg, and the SPReg->IdP connector.
  4. Recovery testing to document and verify our ability to restore the new database from backup if needed.

chmc3 commented 6 months ago

This was completed on 4/16 successfully!