Upgrading Connectware to 2.0.0 (Docker)

Verify that your firewalls and security rules are updated to allow the new ports (TCP/4222 and TCP/4223) and to remove dependencies on the deprecated ones (TCP/1884 and TCP/8884).

This ensures uninterrupted connectivity between your agents and Connectware.

We recommend adding the following resources to your hardware setup:

• 7 CPU cores

• 6 GB of memory

• 20 Gi of storage

However, these are general guidelines. Check what your specific system needs and make adjustments accordingly.

These steps apply to every Connectware installation upgrading to Connectware 2.0.0. For a detailed guide, see Mandatory Upgrade Steps.

1. TLS Changes: Default behavior on certificate validation has been adjusted.

2. Update .env Configuration: Remove any obsolete environment variables and update the configuration for changed or new environment variables as necessary.

3. Preparing the Connectware Upgrade.

4. Upgrading to Connectware 2.0.0: Download and install Connectware 2.0.0.

5. Updating Agent Configuration: Update your agent configuration to comply with the updated configuration.

6. Upgrading Agents: Upgrade your agents.

7. Reinstalling Services: This upgrade changes where your services are stored. You will need to reinstall any services after the upgrade.

Only follow these if you use the related features, so they continue working after the upgrade.

1. Roles and Permissions: New permissions were added to Connectware. Verify your custom roles, if they require updates.

2. Custom Connectors: Update your customer connector configurations to meet new requirements.

3. Systemstate Protocol: Update your Systemstate protocol configurations to meet new requirements.

4. Log Monitoring: Some logging strings are changed. If you use log monitoring, you may need to update it.

5. Heidenhain Agents: Upgrade your Heidenhain agents.

6. Auto-Generated MQTT Topics of Resources: Topic generation no longer includes resource-specific properties. Update your service commissioning files if you relied on old patterns.

7. Auto-Generated MQTT Users: The behavior of how MQTT users are auto-generated has changed. You may need to update your service commissioning file if you relied on auto-generated MQTT users.

Connectware maintains two separate CA chains:

• External certificates validated by cybus_ca.crt.

• Internal certificates validated by shared_yearly_ca.crt.

Which CA an agent requires depends on the hostname through which it connects to Connectware. For example, through the Connectware ingress, or directly to the Control Streaming Server (NATS) through the internal network.

To simplify configuration, we introduced cybus_combined_ca.crt, a bundle containing both chains, so agents can use a single file without needing to distinguish between internal and external CA certificates.

Agents now enforce TLS chain validation by default. Each agent requires access to cybus_combined_ca.crt, available on the certs volume.

• To revert to the previous behavior (skipping verification), set the environment variable CYBUS_TRUST_ALL_CERTS to true. Note that it has been renamed from TRUST_ALL_CERTS.

The default Connectware-generated CA includes the hostnames localhost and connectware.

• To add more hostnames, configure a comma separated list in the environment variable CYBUS_INGRESS_DNS_NAMES.

• You will also be prompted for these names as part of running the Connectware installer.

With 2.0.0, the internal CA chain is replaced:

• Certificate Authority renamed from CybusCA to CybusInternalCA.

• The hostname nats is added as a Subject Alternate Name (SAN) to shared_yearly_server.crt.

The built-in default external CA certificate chain is also replaced.

• The hostname connectware is added as a SAN to cybus_server.crt.

If you rely on monitoring, custom setups, or modified certificates, adapt your configuration accordingly.

To replace Connectware’s default external chain with your enterprise-managed CA:

• Replace cybus_ca.crt with your enterprise CA certificate.

• Ensure cybus_server.crt and cybus_server.key form a valid key pair, signed by the CA in cybus_ca.crt.

Do not replace the internal CA (shared_yearly_ca.crt).

After replacement:

1. Restart the system-control-server deployment to rebuild and synchronize the combined CA bundle (cybus_combined_ca.crt). Ensure that only a single Connectware instance is running.

1. Restart all Connectware services.

Some environment variables are obsolete and have been removed. Remove the following environment variables from your .env file for Connectware:

• CYBUS_CM_RPC_TIMEOUT

• CYBUS_ADMIN_WEB_APP_VRPC_TIMEOUT

• CYBUS_PM_RPC_TIMEOUT

• CYBUS_SM_RPC_TIMEOUT

• CYBUS_SCS_RPC_TIMEOUT

• CYBUS_USE_SERVICES_GRAPH

With the changes TLS behavior in Connectware, it has become essential to add the DNS names under which Connectware is addressed, for example by agents.

If you are replacing Connectware's default PKI, you can, and likely have managed this yourself by providing a valid cybus_server.crt containing all Subject Alternate Names (SANs) used within your setup.

If you are using Connectware's default PKI, you can use the new environment variable CYBUS_INGRESS_DNS_NAMES, which is a comma separated list of names that will be added to the default cybus_server.crt.

Hostname Formats

You can include multiple hostnames in the list. The certificate will include all specified names in its SAN section.

The configuration accepts various hostname formats:

• Wildcards (e.g., *.company.io)

• Subdomains (e.g., connectware.company.io)

• Custom hostnames (e.g., localhost)

• IP addresses (e.g. 192.168.100.42)

Example

The Connectware installer will also ask you for this value.

With Connectware 2.0.0, Connectware uses a new major version of PostgreSQL. You need to delete your postgresql volume before upgrading Connectware (this is covered later in this upgrade guide). This requires you to create a backup of your database and restore this after the upgrade.

1. To create a backup of your database, first identify the correct container from the NAMES column:

If more than one container is shown, you need to identify the correct container. The prefix of the container is usually the folder name in which your Docker Composition is stored. For example, if you installed it in /opt/connectware, the name of the container would be connectware-postgresql-1.

1. Create a backup of the database in the file connectware_database.sql, replacing [container-name] with the name of the container identified in step 1.

1. Make sure the backup is successful, then store the database file in a secure location.

The service-manager volume is deprecated and will not be used after the upgrade to 2.0.0.

After upgrading, you can remove this Docker volume. You can identify the volume using this command:

In the future, the former contents of this volume will be stored in the PostgreSQL database, but they will not be migrated automatically. You must reinstall any services that you previously used. See Reinstalling Services.

If you do not have your services stored outside of Connectware, make sure to export your services, or create a backup of your service-manager volume before upgrading.

Before upgrading to Connectware 2.0.0, review the changelog to familiarize yourself with new features, bug fixes, and other changes introduced in Connectware 2.0.0.

Make sure that you store backups of your setup. This allows you to restore a previous state if necessary.

Your backups must consist of the following files:

• All Docker volumes

• Your Connectware database

• Your .env file

• All service commissioning files

Depending on your local infrastructure, it may be necessary to back up additional files.

Before running the upgrade, you must stop all connected agents. Any agents that remain active during the upgrade will have to go through the registration process again.

• Docker Run: To stop agents which were started using docker run, use the docker stop command. If you are not aware of the name these containers use, run the docker ps command to find out.

• Docker Compose: If your agents are running in Docker Compose, use the docker compose down command to stop them.

• Agent Helm Chart: You can shut down agents that have been installed via the connectware-agent Helm chart using this command:

• Before running the installer, you must shut down Connectware.

1. Make sure you enter the directory in which you installed Connectware, where your docker-compose.yaml and .env files are located. This is likely /opt/connectware.

2. Shutdown Connectware:

• Before running the installer, you must remove the postgresql volume.

1. Identify the correct volume to delete:

If this shows more than one volume, you must identify the correct volume. The prefix of this volume is usually the folder name in which your Docker Composition is stored. For example, if you installed in /opt/connectware, the name of this volume would be connectware_postgresql.

1. Delete the postgresql volume:

• To upgrade Connectware to a newer version, follow the steps in the Prepare Installer Script to get the latest installer script. When running the update, select your current Connectware installation directory.

The update will automatically preserve your existing configuration, including your license key and network settings. If you are prompted to enter a license key during the update, this usually means that you have selected the wrong installation directory. In this case, cancel the update and verify you have chosen the correct directory.

Upgrading Connectware in Silent Mode

The installer supports an automated deployment mode that requires no manual intervention. You can activate this by using either -s or --silent, and -d(directory) when running the installation script.

If you need to customize your installation, the script offers several configuration options. Run the installer with --help to view all available parameters.

Example

The installer will tell you that you are ready to run docker compose up now. However, before you do this, there are some additional steps that need to be completed.

1. Create a file called docker-compose.override.yaml and add the following content:

1. Start the Docker Composition:

1. Once the postgresql container has started, restore the database (reuse the container name previously identified when backup up the database):

1. Stop the Docker Composition:

1. Remove docker-compose.override.yaml

1. Start Connectware 2.0.0:

1. Restart Connectware 2.0.0:

Finally, restart Connectware once more to ensure any certificate updates are properly applied:

To connect a protocol-mapper agent with Connectware 2.0.0, you must either provide the agent with the valid CA certificate for the server certificate in use, or disable verification of TLS certificate validity by setting the environment variable CYBUS_TRUST_ALL_CERTS to true on the agent.

Whether you are connecting an agent via Connectware's ingress or the internal network will determine whether you need to provide either cybus_ca.crt or shared_yearly_ca.crt. However, if you want to avoid this complexity, there is a new file called cybus_combined_ca.crt which includes both CA bundles and allows both internal and external connections.

You need to have the CA certificate that you want to add at hand. In this example, we assume that you are using the cybus_combined_ca.crt:

1. Identify the correct container from the NAMES column:

1. Copy cybus_combined_ca.crt from Connectware:

1. Copy the CA certificate cybus_combined_ca.crt to the directory which contains the docker-compose.yaml file for your agent:

Example using /opt/connectware-agent/ as directory:

1. Mount the CA certificate cybus_combined_ca.crt to the /connectware/certs/ca/ca-chain.pem mount point of your agent by adding a volume in docker-compose.yaml:

Example using /opt/connectware-agent/ as directory:

You can choose to disable TLS certificate validation for agents. This is not recommended, as it weakens security and makes your setup vulnerable to man-in-the-middle attacks. However, it may be acceptable in non-production environments such as development or testing.

Obsolete Environment Variables (Agents)

Some Environment Variables are obsolete and have been removed. Remove the following environment variables from your agent orchestration:

• CYBUS_PM_RPC_TIMEOUT

• CYBUS_CONTROLPLANE_URI

New or Changed Environment Variables (Agents)

The following environment variables have changed. If you had specific configuration for these in the past, update your orchestration accordingly.

For some environment variables, you need to take additional steps depending on your setup. The required steps are covered in the following sections.

Connectware 2.0.0 changes how you address your Connectware instance with agents.

Previously, the environment variable CYBUS_MQTT_HOST was used. Later, CYBUS_HOSTNAME_INGRESS was introduced for targeting the ingress, while CYBUS_MQTT_HOST was used for targeting the control-plane-broker. Additionally, CYBUS_DATA_MQTT_HOST was introduced to control the MQTT broker that the agent connected to as data plane. CYBUS_MQTT_HOST acted as a fallback for all three environment variables.

With the removal of the control-plane-broker, we are simplifying and decoupling the configuration:

• If you are only using the Connectware ingress for your agents, you must only configure CYBUS_HOSTNAME_INGRESS.

• If you have more complex setup, which targeted the MQTT data plane broker or the control-plane-broker, use CYBUS_DATAPLANE_HOST and CYBUS_STREAMSERVER_HOST to refine your configuration, as explained in the next steps.

In short, make sure that you target your Connectware instance using the CYBUS_HOSTNAME_INGRESS environment variable, replacing any legacy CYBUS_MQTT_HOST configuration you may have had, without the intention of directly targeting the MQTT data plane broker.

When deploying agents in the internal network of Connectware, they are able to directly connect to our MQTT broker instead of going through the Connectware ingress.

This improves performance and reduces failure points, so if you are running a heavy, critical load, it may be worth the extra configuration.

The major hindrance is, that the name "broker", which is used by our MQTT broker on the internal network, is not part of the cybus_server.crt by default. In order to connect agents with a TLS connection to this hostname, you either need to add the hostname "broker" as a Subject Alternate Name (SAN) to the certificate, or set CYBUS_TRUST_ALL_CERTS=true for the agent. The previous steps explained how to add the CA certificate bundle file and how to set the environment variable.

Adding the Hostname to the Default Certificate

If you are using the built-in default certificate for Connectware, you can add the hostname "broker" through the environment variable CYBUS_HOSTNAME_INGRESS in the .env file of your Connectware installation:

It is easiest if you add this configuration during your upgrade to Connectware 2.0.0, since activating it will automatically be covered by the upgrade guide. You will be asked for the ingress hostnames by the installer script. You can also use the parameter --ingress-dns-names for the Connectware installer to set this.

If applying this configuration after already upgrading to Connectware 2.0.0, running docker compose up -d on your Connectware installation will cause the multiple containers to restart. Once they are ready, restart Connectware again:

Configuring Your Agents to Target the MQTT Broker

Next, you must configure your agents to target the MQTT broker directly by using the CYBUS_DATAPLANE_* environment variables. To use TLS encryption for this connection, you must set CYBUS_DATAPLANE_USE_TLS to true and provide the agent with the CA certificate bundle, as explained previously.

Docker Compose Example:

To add a Docker Composition to an existing network, you must add it as external network. For this, you need to know the name of the network.

This example assumes the name is connectware_cybus, however you can find it using this command (NAME column):

The TCP port used for this connection is automatically determined by other configuration like TLS and mTLS settings, however, if for some reason you need to override this, use the environment variable CYBUS_DATAPLANE_PORT.

When deploying agents in the internal network of Connectware, they are able to directly connect to our streaming server control plane instead of going through the Connectware ingress.

This improves performance and reduces failure points, so if you are running a heavy, critical load, it may be worth the extra configuration.

Configuring Your Agents to Target the Streaming Server

Next, you must configure your agents to target the streaming server directly by using the CYBUS_STREAMSERVER_HOST environment variable. The default internal name is "nats".

Docker Compose Example:

To add a Docker Composition to an existing network, you must add it as external network. For this, you need to know the name of the network.

This example assumes the name is connectware_cybus. However, you can find it using this command (NAME column):

The TCP port used for this connection is automatically determined by other configuration like mTLS settings. However, if for some reason you need to override this, use the environment variable CYBUS_STREAMSERVER_PORT.

After completing the upgrade, you must reinstall all previously used services. You can do this using your preferred method:

• Via the Admin UI, see Installing Services.

• Automatically through a CI pipeline.

Additionally, there have been changes to the relationships between services. Understanding how these interdependencies behave at runtime is crucial for correct deployment and maintenance.

Install parent services first (recommended): If the service depends on another service (parent/child relationship), install the parent service first. This ensures:

• Service relations are created during installation.

• Each service can be installed with targetState=enabled.

Install child services first (alternative): It is possible to install the dependent (child) service first, but this comes with limitations:

• Service relations are only established when the service is enabled.

• The dependent (child) service can only be installed with targetState=disabled.

For more details, see Service Dependency Behavior and targetState.

• Check the permissions of your users. Compare them with the default roles in Connectware 2.0.0 and make any updates needed so your users can continue working without interruptions.

For more information on managing permissions, see Permissions.

VRPC is no longer supported in the custom connector environment.

• Remove all VRPC references in the custom connector code. This includes the import and any usage of VrpcAdapter:

Example

• When defining the Dockerfile, ensure that the destination path for the copied source files ends in a protocol-specific directory name written entirely in lowercase.

Example

• The schema $id must match the file name (without the .json).

• The schema must start with a capital letter, like Foobar.

Example

• In FoobarConnection.json, the class must be like:

• In FoobarEndpoint.json, the class must be like:

Schemas support versioning through the additional version property, which must be a positive integer greater than zero. If this property is omitted, the default value is 1.

Versioning ensures that only the latest version of a schema is considered active and valid. This means that even though all custom connector instances should run the same version of schemas, the latest version will overwrite any previous version in the CW control plane.

Example

• FoobarConnection.json supporting versioning.

Follow the case-sensitive naming conventions based on the protocol name.

• File names must start with an uppercase protocol name (e.g., Foobar).

• Connection and endpoint suffixes are mandatory.

• JS files define classes.

• JSON files define schemas.

Example

• The class name must match the file name, excluding the .js extension.

• The class name must start with a capital letter, such as Foobar.

Example

• In FoobarConnection.js, the class must be:

• In FoobarEndpoint.js, the class must be:

Unless you need a specific constructor, there is no need to specify one because it is inherited from the parent class. However, if you need to implement a custom constructor for the Connection or Endpoint classes, preserve the following format:

• In FoobarConnection.js, the class constructor must be like:

• In FoobarEndpoint.js, the class constructor must be like:

The _topic property is now handled automatically. Manually assigning it will cause errors.

The following code is invalid and must be removed since topics are now built internally.

The standard JavaScript environment of custom connectors is based on CommonJS modules. ES modules are not supported.

TypeScript is not officially supported in development workflows. However, if you want to use TypeScript and compile it to JavaScript, make sure to configure your tsconfig.json file as follows:

Additionally, the compiled JavaScript output must include an exports.default assignment and the exported class itself. This ensures interoperability with our CommonJS-based module system. The compiled .js file should result in:

• Tracking the entire service object is no longer allowed. You must update your connector configuration to track individual resources only (like specific endpoints or connections).

Example

The following status events have been removed from Systemstate. If your implementation depends on them (e.g., for health monitoring or automation), you must refactor that logic:

• subscribed/unsubscribed

• online/offline

If you rely on log monitoring, review whether your setup references any of the updated log messages and adjust accordingly.

You must upgrade the Windows-based Cybus Heidenhain Agent to work with Connectware 2.0.0.

1. Uninstall the existing Heidenhain agent installation from your Windows system.

2. Install the updated Heidenhain agent. You can find the download link at Heidenhain DNC.

Auto-generated topics no longer include resource-specific properties. They always follow:

Example of new behavior

• S7: services/myService/pressure

• Modbus: services/myService/current

• HTTP: services/myService/myEndpoint

Procedure

1. Scan your service commissioning files for any usage of auto-generated topics.

2. Adapt those references by replacing direct topic strings with !ref references.

For more details, see Reference Method (!ref).

If you are using auto-generated MQTT users outside of services (e.g., scripts, dashboards, or other non-commissioning references), migrate to explicit identities:

• Create dedicated users with the required roles/permissions. See User Management.

• Update your external systems to use the new explicit credentials.