Version-Specific Upgrades (Docker)
Some Connectware upgrades require you to follow a few additional steps when upgrading Connectware to a newer version.
Upgrading Connectware to 1.11.0
Please consider that this release includes breaking changes and requires manual upgrade steps. If the current changes aren't immediately necessary for your implementation, we recommend waiting for the upcoming 1.12.0 release, which will also require manual upgrade steps. In case of questions, our Customer Success team is able to advise you.
Connectware 1.11.0 introduces NATS as its new Control Plane message bus and distributed state storage. As a result, you’ll need to follow a few additional steps when updating to Connectware 1.11.0 or later.
Here is an overview of the required steps to upgrade your Connectware installation to version 1.11.0. For complete step-by-step instructions, see Upgrading Procedure.
Network Port Requirements: Make ports TCP/4222 and TCP/4223 accessible both within Connectware and by agents.
Prepare Certificate Changes: Configure the new
cybus_nats_server.crt
certificate to include the hostname nats and any external DNS names for Connectware when using external agents.Configure DNS Names: Define the hostnames and IPs that will be included in the NATS Server certificate.
Configure mTLS Agents: Set up agents to connect via NATS port 4222 using mTLS authentication.
Configure non-mTLS Agents: Set up agents to connect via WebSocket Secure port 4223 without mTLS.
Upgrade Connectware: Download and install Connectware 1.11.0.
Prerequisites
Connectware version: Your Connectware version is 1.7.3 or above. If your Connectware installation is below 1.7.3, make sure that you have followed Upgrading Connectware from 1.x to 1.5.0 and Upgrading Connectware to 1.7.0 before upgrading to 1.11.0.
Hardware resources: Connectware 1.11.0 introduces two new microservices (
resource-status-tracking
andnats
) to its architecture. This upgrade requires additional computing power. We recommend to add 3 CPU cores and 3 GB of memory to your current setup. However, these are general guidelines - check what your specific system needs and make adjustments accordingly.
Upgrading Procedure
Network Port Requirements
Connectware 1.11.0 introduces new network port requirements. Configure your network so that the following ports are accessible both within Connectware and by agents:
TCP/4222
TCP/4223
Minimal requirements: For installations requiring minimal firewall openings, you can configure the following:
Port TCP/4222 must be accessible within the Connectware network
For agents using mTLS authentication, port TCP/4222 must be accessible
For agents using username/password authentication, port TCP/4223 must be accessible
Verify both internal and external port accessibility to ensure proper communication between Connectware and its agents.
Preparing Certificate Breaking Changes
Connectware 1.11.0 introduces a new cybus_nats_server.crt
certificate which must contain the hostname nats
, as well as the external DNS name of Connectware if you are using any external agents. The configuration depends on whether you are using the built-in certificate infrastructure or a custom infrastructure.
2.1 When Using the Built-in Certificate Infrastructure
If you're using the built-in certificate infrastructure:
Do NOT proceed with the upgrade until you've completed Configuring DNS Names for Agent Connections.
When updating DNS names, you must add the DNS name used by external agents to connect to Connectware.
Be aware that the upgrade will regenerate the certificate.
This may affect systems using certificate pinning.
Update any certificate pinning configurations after the upgrade.
2.2 When Using Custom Certificates
If you have modified the certificate infrastructure or use a custom cybus_server.crt
:
Prepare a new
cybus_nats_server.crt
certificate that meets these requirements:Must be signed by your existing Certificate Authority (CA).
Must include
nats
as a Subject Alternative Name (SAN).Must include your external Connectware DNS name as a SAN.
Installation steps:
Install the new certificate before starting the upgrade.
Update your .env file to include the same external DNS name used in your certificate (See Configuring DNS Names for Agent Connections).
Certificate protection (optional): To prevent your custom certificate from being replaced during the upgrade, set the environment variable
CYBUS_DISABLE_NATS_CERTIFICATE_CHECKS
totrue
on the system-control-server in your docker-compose.override.yaml file.
Configuring DNS Names for Agent Connections
The CYBUS_INGRESS_DNS_NAMES
environment variable specifies the hostnames and IP addresses that will be included in the Subject Alternative Names (SAN) section of the NATS server certificate. This certificate is automatically generated by Connectware.
To enable agent connections to the Control Plane, you must configure the DNS names in the
.env
file located in the main Connectware installation directory.
Example
For a basic setup where Connectware runs on a host named company.io
, set:
You can specify multiple values by separating them with commas. This allows you to define any hostnames, wildcard domains, and IP addresses that agents use to connect to the Control Plane. All values are added to the certificate's SAN field, enabling secure agent connections through any of the configured access points.
Example
Configuring Agents using mTLS
For agents using mTLS authentication, configure the Control Plane connection using NATS and the port 4222
.
Each agent requires a Control Plane URI environment variable that references one of the CYBUS_INGRESS_DNS_NAMES
hostnames that you have defined in Configuring DNS Names for Agent Connections. Configure this variable in the agent's docker-compose.yml file or via command line.
For agents running with Docker Compose, set the
CYBUS_CONTROLPLANE_URI
environment variable in their docker-compose.yml file:
Example
For agents running without Docker Compose, set the
CYBUS_CONTROLPLANE_URI
environment variable according to your deployment method.
Certificate Configuration
Agents will use their existing mTLS certificates as configured during the initial agent installation. No additional certificate configuration is required during the upgrade process, provided the agents were previously set up with valid mTLS certificates according to Installing Agents - Enabling Mutual TLS (mTLS).
Configuring Agents not using mTLS
For agents not using mTLS authentication, configure the Control Plane connection using WebSocket Secure (WSS) and the port 4223
.
Each agent requires a Control Plane URI environment variable that references one of the CYBUS_INGRESS_DNS_NAMES
hostnames that you have defined in Configuring DNS Names for Agent Connections. Configure this variable in the agent's docker-compose.yml file or via command line.
For agents running with Docker Compose, set the
CYBUS_CONTROLPLANE_URI
environment variable in their docker-compose.yml file:
Example
For agents running without Docker Compose, set the
CYBUS_CONTROLPLANE_URI
environment variable according to your deployment method.
Certificate Configuration
When using agents with username and password, you can configure the authentication of the agents to the Connectware server during Control Plane connections. You have two options:
Set the
TRUST_ALL_CERTS
environment variable on the agent to bypass certificate verification entirelyAuthenticate using certificates. For certificate authentication, ensure that the agent trusts the CA certificate that signed Connectware's cybus_nats_server.crt. This is only done automatically if you are using a globally trusted certificate for Connectware - otherwise, you need to provide the agent with the appropriate CA certificate.
The following table shows the result of configuring TRUST_ALL_CERTS
and providing the CA certificate.
CA certificate
Value of TRUST_ALL_CERTS
Behavior
Log shown during connection
Not Configured
true
Default: The connection to Control Plane (NATS) will not validate certs and will trust all certs.
CA certificate not found, trusting all certificates for NATS connection.
Not Configured
false
The connection to Control Plane (NATS) will try to use the system trust store to do certificate validation. This will only work when the CAs being used in Connectware are signed by a well known CA authority or when self-signed CAs were added to the system trust store.
CA certificate not found, using system trusted CAs for NATS connection.
Configured
true
The connection to Control Plane (NATS) will not validate server certs and will trust any cert.
CA certificate found, but trusting all certificates for NATS connection.
Configured
false
The connection to Control Plane (NATS) will validate server certs and will not trust any cert.
CA certificate found, using it for NATS connection with CA verification.
Upgrading Connectware to 1.11.0
To upgrade Connectware to 1.11.0, see Upgrading Connectware (Docker).
Upgrading Connectware to 1.7.0
Connectware 1.7.0 affects the backward compatibility of the Connectware broker. Older broker data volumes are not compatible with brokers of Connectware 1.7.0 and newer. Upgrading to Connectware 1.7.0 requires additional upgrade procedures.
Additionally, multi-factor authentication (MFA) is now controlled via a dedicated configuration switch.
Important Notes
This upgrade will delete all persisted data of the Connectware broker. This includes client sessions, subscriptions, and retained data. If your configuration relies on any type of data persisted by the broker, make sure to properly initialize your applications after the upgrade.
If you rely on persisted data, create a backup or snapshot of the broker data volumes. This allows you to roll back in case of complications.
Upgrading Procedure
Important: If your Connectware installation is below 1.5.0, make sure that you have followed Upgrading from 1.x to 1.5.0 before upgrading to 1.7.0.
To stop Connectware, go to the Connectware installation directory (default:
/opt/connectware
) and rundocker compose down
.Delete the broker data volume of Connectware. Find the broker data volume in the list of volumes with
docker volume ls
and delete it withdocker volume rm <connectware_brokerData>
.If you are using multi-factor authentication (MFA), set the environment variable
CYBUS_MFA_ENABLED
totrue
inside your .env file.Download and install the new Connectware version. For more information, see Upgrading Connectware (Docker).
Upgrading Connectware from 1.x to 1.5.0
This section describes the upgrade of a Cybus Connectware installation from a previous 1.x version to 1.5.0 and later.
The additional upgrade steps require you to use the docker-compose.override.yml
file. If you already use such a file in your Connectware installation directory make sure to create a backup of this file to later restore.
In Connectware 1.5.0, we’ve enhanced security by primarily using a system user with limited permissions, following the principle of using the least amount of privilege needed for our software components.
As a result, you’ll need to follow a few additional steps when updating to Connectware 1.5.0 or later.
The first part of this document covers updating Connectware, while the second part focuses on agents.
With the introduction of Connectware 1.5.0, which prefers to use a system user with limited privileges whenever possible, you’ll need to modify the permissions of your volumes. This ensures that the system user has the necessary write access to the existing volumes in your setup.
The following protocols may not operate as expected in some constellations:
If you experience problems with these protocols after upgrading to Connectware 1.5.0, these affected services may require root permissions and are no longer supported by the internal protocol-mapper or agents without root permissions.
In this case, you should transfer the service that uses these protocols to a separate agent. This agent can have higher permissions but in a controlled manner.
To learn how to configure an agent to operate with root permissions, check out the section on agent orchestration.
Upgrading Connectware
As an additional step for this upgrade, we offer a docker-compose.override.yml
file, which will help you adjusting volume permissions. The upgrade will consist of the following steps:
Shut down Connectware
Save the provided file as
docker-compose.override.yml
in the same folder as your Connectwaredocker-compose.yml
Start the the Docker composition to adjust volume permissions
Remove the
docker-compose.override.yml
fileUpgrade Connectware using the
connectware-online-installer.sh
script
Remove override file
Run docker compose down
to remove the temporary permissions fix container. Run the command as you would usually do, be that as a regular user, using sudo
or as the user root
directly. Next, delete the file docker-compose.override.yml
. If you used a docker-compose.override.yml
in your installation before this update, restore your original file.
Upgrade Connectware
Download and run the Connectware online installer like for other updates:
Run the commands as you would usually do, be that as a regular user, using sudo
or as the user root
directly. After updating you can start Connectware as usual.
If you wish to verify that Connectware services run with an unprivileged user, you can optionally run this command:
Only the service container-manager
should be using the user ID 0
.
In case of any questions or trouble, feel free to contact Cybus Support.
Upgrading Connectware agents
Connectware agents are ideally orchestrated using Docker Compose as described in agent orchestration.
In order to upgrade your agents, you need to decide between these two options:
Adjust volume permissions to allow the unprivileged system user to write data (recommended) OR
Adjust your docker composition to continue running with higher privileges
To benefit from the improvements to security, we recommend to adjust volume permissions over continuing to run with higher privileges.
If you are using HBM DAQ or OPC DA, you may need to follow the second option of continuing with higher privileges.
Upgrading agents by adjusting volumes
If you choose to adjust volume permissions, we offer a docker-compose.override.yml
which will help you adjusting volume permissions. The upgrade will consist of the following steps:
Shut down the agent
Save the provided file as
docker-compose.override.yml
in the same folder as your agent’sdocker-compose.yml
Start the the Docker composition to adjust volume permissions
Remove the
docker-compose.override.yml
fileUpgrade the agent by adjusting the image tag in your
docker-compose.yml
file
Download & save override file
Use this file as docker-compose.override.yml
:
If you use a different name for your agent Docker service and volume than our example, you need to adjust the highlighted line to the name you use for your agent and its volume inside your docker-compose.yml
file.
If you already have a docker-compose.override.yml
file for your agent’s installation directory, make sure to rename it before storing this file as docker-compose.override.yml
.
Remove override file
Run docker compose down
to remove the temporary permissions fix container. Run the command as you would usually do, be that as a regular user, using sudo
or as the user root
directly. Next, delete the file docker-compose.override.yml
. If you used a docker-compose.override.yml
for your agent before this update, restore your original file.
Upgrade the agent
Set the image tag used for the agent to the same tag that your current Connectware installation uses, but at least 1.5.0
. If you have not yet upgraded your Connectware to at least version 1.5.0
, please do so now.
Example:
You can now start your agent as usual, for example by running docker compose up -d
. Run the command as you would usually do, be that as a regular user, using sudo
or as the user root
directly.
In case of any questions or trouble, feel free to contact Cybus Support.
Upgrading by using root privileges
If you have not yet upgraded your Connectware to at least version 1.5.0
, please do so first.
As an alternative to modifying volume permissions, or if you use a protocol that requires elevated permissions, you can modify your agent’s docker-compose.yml
file to specify the system user which is used for the container.
To do so, simply add user: root
to the docker compose service of your agent, while adjusting the image tag to the same tag that your current Connectware installation uses, but at least 1.5.0
, as highlighted in this example:
You can now start your agent as usual, for example by running docker compose up -d
. Run the command as you would usually do, be that as a regular user, using sudo
or as the user root
directly.
If you use a docker run
command, you can simply add --user=root
to the command.
In case of any questions or trouble, feel free to contact Cybus Support.
Last updated
Was this helpful?