DSS, DSA 21.5 – new security release – insights
1. DSS and DSA version 21.5 are not compatible with OpenLM (OLM) Server 5.6 or lower; they work only in tandem with OpenLM Server v21.5 or higher.
2. Upgrading from 1.4 to 21.5 should work well for both DSS and DSA.
3. Before upgrading DSS from 1.4 to 21.5, it is mandatory to upgrade the OpenLM Server to v21.5.
4. The Firebird DB engine has been deprecated for DSS. For a clean installation, an empty DB schema on MySQL, MSSQL, or MariaDB is required.
5. During an upgrade, if the existing installation uses Firebird, the installer will also ask for an empty schema (MySQL, MSSQL, or MariaDB) and migrate the data automatically from Firebird to the target DB. Only agents, domains and sync definitions are migrated; entities and relations are recreated after the next syncs.
6. Starting from version 21.5, on a clean install, DSS is installed in non-secure mode. Customers can turn on security for DSS after approving it in the OLM Server. DSS always works in the same security mode as the OpenLM Server: if the Server works with Identity, DSS (and DSA) work with Identity; if the Server works without Identity, DSS (and DSA) also work without Identity. It is not possible to run DSS in non-secure mode when the Server is working in secure mode, and vice versa!
7. When DSS is approved in OpenLM Server, it is detected automatically whether the connected Server is working in secure mode. If the OpenLM Server works in secure mode, a message is displayed saying that DSS should also be configured in Identity.
8. To run DSA in secure mode, dsa-authorization.json should be generated from the EasyAdmin Security tab and placed in the main folder of the DSA installation (or selected during a clean installation).
9. Each time the security mode of DSS and DSA is changed (in either direction, non-secure to secure or secure to non-secure), the components must be restarted: first DSS, then DSA.
10. DSS should be opened in the browser with the same URL as provided in the Identity Service UI (when DSS works in secure mode). If DSS is configured as “http://hostname:7026”, this address should be used to open the DSS UI in the browser, NOT localhost:7026. The DSS shortcut icons point to the hostname:port URL, so customers can easily open the UI from them.
11. If DSS is upgraded from 1.4 to 21.5 while the OpenLM Server is already upgraded to 21.5 and configured to work with Identity, the first thing to do after the DSS upgrade finishes is to configure DSS in the Identity UI as well and restart DSS. After this, upgrade DSA, generate dsa-authorization.json in EA and place it in the main folder of DSA.
Important note: known issue when the OpenLM Server, DSS and DSA are installed on the same machine and the system is rebooted:
DSS and DSA v21 are implemented so that they sync their security mode with the OpenLM Server component. However, this synchronization happens only on application start. So, in some cases, when the OpenLM Server is down, or the system is rebooted and DSS starts earlier than the OpenLM service, DSS cannot sync this mode with the Server and starts in non-secure mode.
As a consequence, the sync can fail at the stage of sending data to the OpenLM Server, because a Server in secure mode does not accept unauthorized requests.
Make sure the OpenLM Server is running.
When DSS and DSA are not working in the same security mode as the Server, the following warning can be found in the logs:
The security mode of the DSS is not synchronized with the OpenLM Server. Make sure the OpenLM Server is working and after this restart the DSS.
The workflow of DSS with Server and Identity configured with SSL (HTTPS)
If the OpenLM Server and Identity are on SSL (HTTPS):
1. After turning on SSL (HTTPS) on OpenLM Server and Identity Service, open the Connectivity tab of the DSS UI and change the Server’s IP/hostname value to the HTTPS FQDN (for example “https://hostname.domain”). This is needed because SSL certificates are issued to FQDNs, which is common practice. Click Apply.
2. After DSS is approved in the HTTPS Server, it is mandatory to update the Identity Service location in appsettings.json of DSS by either:
- manually changing the “Authority” field from “http://identityHost:port” to “https://identityHost:port”, or
- from the Identity UI Security settings, changing the DSS URL by adding “/” at the end of the URL and clicking Save (a workaround that makes Identity apply the new settings and send a request to DSS), for example changing http://hostname:7026 to http://hostname:7026/.
3. After the changes from steps 1 and 2, restart the DSS service first and then the DSA service, and continue working as usual.
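Two checks an administrator can script after the SSL change above and after a reboot (the known issue above): confirm that the “Authority” URL in DSS appsettings.json uses HTTPS and an FQDN, and find the security-mode warning in the DSS log. This is an added example, not OpenLM’s own code; where “Authority” sits inside appsettings.json, the sample values and the log line format are assumptions.

```python
import json
from typing import List, Optional
from urllib.parse import urlparse

# First sentence of the warning DSS logs when its security mode did not sync with the Server.
SYNC_WARNING = "The security mode of the DSS is not synchronized with the OpenLM Server"

# Constructed sample data, not from a real installation. The nesting of "Authority"
# inside appsettings.json is assumed, so the checker searches for the key recursively.
SAMPLE_APPSETTINGS = json.dumps({"Identity": {"Authority": "http://identityhost.example.com:5000"}})
SAMPLE_LOG = (
    "2021-06-01 08:00:01 INFO  DSS service starting\n"
    "2021-06-01 08:00:03 WARN  " + SYNC_WARNING + ". Make sure the OpenLM Server is working and after this restart the DSS.\n"
    "2021-06-01 08:05:10 INFO  Sync definition 'CorpAD' started\n"
)

def find_authority(node) -> Optional[str]:
    """Return the first string-valued "Authority" key found anywhere in the parsed JSON."""
    if isinstance(node, dict) and isinstance(node.get("Authority"), str):
        return node["Authority"]
    children = node.values() if isinstance(node, dict) else node if isinstance(node, list) else []
    for child in children:
        found = find_authority(child)
        if found is not None:
            return found
    return None

def check_authority(appsettings_text: str, identity_uses_https: bool) -> List[str]:
    """Return problems with the Identity "Authority" URL in DSS appsettings.json (empty list if fine)."""
    authority = find_authority(json.loads(appsettings_text))
    if authority is None:
        return ["no Authority field found in appsettings.json"]
    parsed = urlparse(authority)
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        return [f"Authority is not a valid URL: {authority!r}"]
    problems = []
    if identity_uses_https and parsed.scheme != "https":
        problems.append(f"Authority uses {parsed.scheme} but Identity is on HTTPS: {authority}")
    # Certificates are issued to FQDNs, so a bare hostname in an https Authority will not validate.
    if parsed.scheme == "https" and "." not in parsed.hostname:
        problems.append(f"Authority host {parsed.hostname!r} is not an FQDN; certificates are usually issued to FQDNs")
    return problems

def find_sync_warnings(log_text: str) -> List[str]:
    """Return the DSS log lines that carry the security-mode sync warning (restart DSS if any)."""
    return [line for line in log_text.splitlines() if SYNC_WARNING in line]
```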