
PowerAuth Server 0.19.0

Roman Štrobl edited this page Jun 21, 2018 · 40 revisions

Migration from 0.18.0 to 0.19.0

This guide contains instructions for migration from PowerAuth Server version 0.18.0 to version 0.19.0.

Database changes

The following DB changes occurred between versions 0.18.0 and 0.19.0:

New database columns

  • Table pa_activation - added column server_private_key_encryption, which indicates which application-level encryption type is used to protect the server private key.

Migration scripts are available for Oracle and MySQL.

DB migration script for Oracle:

--
--  Added Column SERVER_PRIVATE_KEY_ENCRYPTION in Table PA_ACTIVATION
--

ALTER TABLE PA_ACTIVATION ADD SERVER_PRIVATE_KEY_ENCRYPTION NUMBER(10,0) DEFAULT 0;

DB migration script for MySQL:

--
--  Added column server_private_key_encryption in table pa_activation
--

ALTER TABLE `pa_activation` ADD COLUMN `server_private_key_encryption` INT(11) DEFAULT 0;

Migration of sequences on Oracle

In PowerAuth server versions up to 0.18.0, a single database sequence HIBERNATE_SEQUENCE was used. It is preferable to use a dedicated sequence for generating IDs for different tables, so in PowerAuth server version 0.19.0 this single sequence is migrated into multiple sequences.

The migration consists of the following steps:

  1. Create new database sequences

This step can be executed while PowerAuth server is running. The PL/SQL script below allows up to 10000 new records to be generated before PowerAuth 0.19.0 is deployed (most of these records are audit records for signature verification in table PA_SIGNATURE_AUDIT). Depending on the time required for the deployment of PowerAuth 0.19.0 you can increase the value of expected new database records to a value higher than 10000.

DECLARE
  value INTEGER;
BEGIN
  SELECT (HIBERNATE_SEQUENCE.nextval) + 10000
  INTO value
  FROM DUAL;

  -- Branch sequence PA_APPLICATION_SEQ from HIBERNATE_SEQUENCE
  execute immediate 'CREATE SEQUENCE PA_APPLICATION_SEQ MINVALUE 1 MAXVALUE 9999999999999999999999999999 INCREMENT BY 1 START WITH ' || value || ' CACHE 20 NOORDER NOCYCLE';

  -- Branch sequence PA_APPLICATION_VERSION_SEQ from HIBERNATE_SEQUENCE
  execute immediate 'CREATE SEQUENCE PA_APPLICATION_VERSION_SEQ MINVALUE 1 MAXVALUE 9999999999999999999999999999 INCREMENT BY 1 START WITH ' || value || ' CACHE 20 NOORDER NOCYCLE';

  -- Branch sequence PA_MASTER_KEYPAIR_SEQ from HIBERNATE_SEQUENCE
  execute immediate 'CREATE SEQUENCE PA_MASTER_KEYPAIR_SEQ MINVALUE 1 MAXVALUE 9999999999999999999999999999 INCREMENT BY 1 START WITH ' || value || ' CACHE 20 NOORDER NOCYCLE';

  -- Branch sequence PA_SIGNATURE_AUDIT_SEQ from HIBERNATE_SEQUENCE
  execute immediate 'CREATE SEQUENCE PA_SIGNATURE_AUDIT_SEQ MINVALUE 1 MAXVALUE 9999999999999999999999999999 INCREMENT BY 1 START WITH ' || value || ' CACHE 20 NOORDER NOCYCLE';

  -- Create new sequence PA_ACTIVATION_HISTORY_SEQ
  execute immediate 'CREATE SEQUENCE PA_ACTIVATION_HISTORY_SEQ MINVALUE 1 MAXVALUE 9999999999999999999999999999 INCREMENT BY 1 START WITH 1 CACHE 20 NOORDER NOCYCLE';

end;
/
  2. Deploy PowerAuth version 0.19.0.

The application is restarted during deployment. Once the application is deployed, the new database sequences created by the script from step 1 are used.

  3. Drop sequence HIBERNATE_SEQUENCE.

Once PowerAuth version 0.19.0 is deployed, the old HIBERNATE_SEQUENCE sequence is no longer required and can be safely dropped.

  -- Drop old sequence HIBERNATE_SEQUENCE
  DROP SEQUENCE HIBERNATE_SEQUENCE;

Configuration changes

Master DB encryption key

We implemented application-level encryption for server private keys.

Encryption of private keys can be enabled by setting the following property in application.properties:

powerauth.server.db.master.encryption.key=MTIzNDU2Nzg5MDEyMzQ1Ng==

When the property value is empty (default), encryption is not performed.

For additional details, see: Encrypting Records in Database.
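
A check for this property, added here as an example (it is not PowerAuth code): the value printed above decodes to the ASCII digits 1234567890123456, so the script treats it as a documentation sample, generates a random replacement, and classifies what a given application.properties contains. The 16-byte key length is an assumption taken from the sample's decoded length; the function and variable names are illustrative.

```shell
#!/bin/sh
# Added example, not PowerAuth code. KEY_BYTES=16 is an assumption taken from
# the decoded length of the sample value shown in this guide.
PROP='powerauth.server.db.master.encryption.key'
DOC_SAMPLE='MTIzNDU2Nzg5MDEyMzQ1Ng=='   # decodes to ASCII "1234567890123456"
KEY_BYTES=16

# Print a fresh random key, Base64-encoded, drawn from the kernel CSPRNG.
generate_master_key() {
  head -c "$KEY_BYTES" /dev/urandom | base64
}

# Print the configured value (last occurrence wins, as in Java properties).
read_master_key() {
  awk -F= -v p="$PROP" '
    { k = $1; gsub(/^[ \t]+|[ \t]+$/, "", k) }
    k == p { v = substr($0, index($0, "=") + 1)
             gsub(/^[ \t]+|[ \t\r]+$/, "", v); val = v }
    END { print val }' "$1"
}

# Print disabled | sample | invalid | ok; exit status is 0 only for "ok".
check_master_key() {
  mk_value=$(read_master_key "$1")
  if [ -z "$mk_value" ]; then echo disabled; return 1; fi
  if [ "$mk_value" = "$DOC_SAMPLE" ]; then echo sample; return 1; fi
  if ! printf '%s' "$mk_value" | base64 -d >/dev/null 2>&1; then
    echo invalid; return 1
  fi
  mk_len=$(printf '%s' "$mk_value" | base64 -d | wc -c | tr -d ' ')
  if [ "$mk_len" -ne "$KEY_BYTES" ]; then echo invalid; return 1; fi
  echo ok
}

# Demo on a constructed properties file (not a real deployment config).
demo_file=$(mktemp)
printf '%s=%s\n' "$PROP" "$DOC_SAMPLE" > "$demo_file"
echo "guide sample value: $(check_master_key "$demo_file")"
printf '%s=%s\n' "$PROP" "$(generate_master_key)" > "$demo_file"
echo "generated value:    $(check_master_key "$demo_file")"
rm -f "$demo_file"
```

A result of "disabled" corresponds to the empty default described above, where private keys are stored without application-level encryption.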

Java 9 support

PowerAuth version 0.19.0 supports Java 9. However, due to the short support cycle of Java 9, we recommend using Java 8 in production for PowerAuth and postponing the Java upgrade until Java 11, which will be the next long-term support release.

JMX disabled by default

JMX (Java Management Extensions) is now disabled by default. This change slightly decreases the startup time of PowerAuth and avoids unnecessarily exposing information about PowerAuth Java processes.

If you need to use JMX for application monitoring, you can re-enable it using the configuration property:

spring.jmx.enabled=true

Upgrade to Spring Boot 2

The whole PowerAuth stack now uses Spring Boot 2. If you integrate your application with PowerAuth using client APIs, we recommend migrating your application to Spring Boot 2 to avoid compatibility issues.

Improved logging of PowerAuth

The whole PowerAuth stack now logs additional information at the INFO log level. Depending on the number of requests from mobile devices, the log files can increase in size.

In case you run into disk space issues due to log size, we recommend you take one of the following actions:

  • Configure log rotation in the web container that hosts PowerAuth.
  • Change the default log level to WARN using the configuration property:
logging.level.root=WARN
  • Allocate more disk space for logs.