Operating system patch management
This section provides guidance on applying Microsoft patches to Bravura Security Fabric instance servers. Always check the Microsoft website for their latest recommendations.
This topic covers Windows Server operating system patching only and does not cover Bravura Security Fabric patching. For Bravura Security Fabric patching, see Upgrade and Migration.
Best practices
Prepare a company patch strategy that includes:
A schedule.
A list of servers to be included and excluded.
A communication plan to ensure all stakeholders are aware of the upcoming changes and any potential outages.
Identify servers that cannot be rebooted automatically and organize for a manual restart if required.
Microsoft typically releases patches on the second Tuesday of the month. Schedule patching of the development and test environments after the patches are released, and confirm that no issues appear there before proceeding to patch the production environment.
Perform testing after patching to ensure Bravura Security Fabric performs as expected.
Consider using a centralized patch management solution.
Downtime
Downtime is a crucial factor when patching. Create a downtime plan that is agreed upon by all stakeholders to reduce the effort of repeatedly reorganizing each time you apply patches. Examples:
Follow the standard maintenance window; for example, a routine maintenance window for the development and test environment might be from 11 pm to 4 am on a particular weekday, and from 11 pm to 4 am on the weekend for the production environment.
A specific patching window approved only for patching and only for a single deployment environment. For example, a preset time on the second Friday of the month to patch the development environment, another on the second Saturday for the test environment, and the third Saturday for production.
When devising your plan, also consider:
If the production environment cannot have a complete outage, group the nodes so each group is patched at a different time.
Coordinate each node's database server patching with the node itself; otherwise, you end up with two outages per node instead of one. This may require coordination with the OS and database administrators.
Before applying OS patches
To ensure Bravura Security Fabric is not adversely affected during patching, complete the following steps before applying operating system patches. These steps incorporate the single-node outage procedure.
Disable Bravura Security Fabric scheduled tasks, including auto discovery. For Bravura Privilege, disable randomization.
Disable any Windows scheduled tasks related to the Bravura instance.
Stop the Web Server (IIS) or remove the server from the load balancer.
Stop the database service (iddb). If the server is in a replicated environment, flush the queues first:
Use the queueflush utility to stop all Bravura Security services except the logging service and database service (iddb) on all replication nodes, and allow the replication queues to empty.
Once all queues are empty, stop the database service on each node.
Back up the application registry keys as a precaution against registry corruption during the OS update. Export the following registry keys including all subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Bravura Security
HKEY_LOCAL_MACHINE\SOFTWARE\Hitachi ID
Ensure you have a successful backup of the application and database in a known state with the non-log services stopped.
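The pre-patch steps above, written as one PowerShell script to run elevated on the node being patched. This is an added example and not Bravura Security's own tooling. It assumes the database service is named iddb (as stated above), that the node's own Windows scheduled tasks can be matched by a name pattern (the pattern Bravura* is a placeholder you must adjust), and that the replication queue flush with the queueflush utility has already been done as described, since that utility's arguments are not covered here. Bravura Security Fabric's internal scheduled tasks and Bravura Privilege randomization are disabled through the product itself and are outside what this script can do.

```powershell
# Added example (not Bravura Security's own tooling): prepare one Bravura Security
# Fabric node for OS patching. Assumptions: runs elevated on the node; the database
# service is "iddb"; $TaskNamePattern is a PLACEHOLDER for your instance's Windows
# scheduled tasks; replication queues were already flushed with queueflush.
#Requires -RunAsAdministrator
[CmdletBinding()]
param(
    [string]$BackupDir = "C:\PatchBackup\$(Get-Date -Format 'yyyyMMdd-HHmm')",
    [string]$TaskNamePattern = 'Bravura*',   # PLACEHOLDER: adjust to your task names
    [string]$DbService = 'iddb'
)

$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

# 1. Disable the Windows scheduled tasks for the instance. Record which tasks were
#    enabled so the post-patch step re-enables exactly those and nothing else.
$tasks = Get-ScheduledTask |
    Where-Object { $_.TaskName -like $TaskNamePattern -and $_.State -ne 'Disabled' }
$tasks | Select-Object TaskName, TaskPath |
    Export-Csv -Path (Join-Path $BackupDir 'disabled-tasks.csv') -NoTypeInformation
$tasks | Disable-ScheduledTask | Out-Null
Write-Host "Disabled $($tasks.Count) scheduled task(s)"

# 2. Stop the Web Server (IIS). Removing the node from the load balancer instead is
#    the alternative the procedure allows; that step is environment-specific.
Stop-Service -Name W3SVC -Force

# 3. Stop the database service and wait until it has actually stopped. In a
#    replicated environment this runs only after the queues are confirmed empty.
if (Get-Service -Name $DbService -ErrorAction SilentlyContinue) {
    Stop-Service -Name $DbService -Force
    (Get-Service -Name $DbService).WaitForStatus('Stopped', [TimeSpan]::FromMinutes(5))
    Write-Host "$DbService stopped"
}

# 4. Export the application registry keys (with all subkeys) and verify that each
#    export file exists and is non-empty before trusting it as a restore point.
$regKeys = @('SOFTWARE\Bravura Security', 'SOFTWARE\Hitachi ID')
foreach ($sub in $regKeys) {
    $file = Join-Path $BackupDir (($sub -replace '[\\ ]', '_') + '.reg')
    if (Test-Path "HKLM:\$sub") {
        & reg.exe export "HKLM\$sub" $file /y | Out-Null
        if ($LASTEXITCODE -ne 0 -or (Get-Item $file).Length -eq 0) {
            throw "Registry export failed for HKLM\$sub"
        }
        Write-Host "Exported HKLM\$sub -> $file"
    } else {
        Write-Warning "HKLM\$sub is not present on this node; skipped"
    }
}

Write-Host "Node prepared. Backup folder: $BackupDir"
```

Keep the backup folder path; the post-patch verification needs the exported .reg files and the disabled-tasks.csv list. Exporting and then checking the file size guards against the case where the export silently produces an empty file, which would otherwise only be discovered when a restore is needed.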
After applying OS patches
Check server logs for any new errors.
Verify that the application registry keys are intact. If they were removed, restore them from the backup taken before the OS upgrade.
If the server is a replicated instance, wait until the replication queues have decreased or are close to empty before turning the Bravura Security services back on.
Add the node back to the load balancer.
Enable all OS and Bravura tasks that were disabled for patching.
For Bravura Privilege, re-enable randomization.
Run tests to ensure Bravura Security Fabric is operating as expected.
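The post-patch checks above as a PowerShell script, added here as an example and not part of Bravura Security's own tooling. It assumes the backup folder layout produced by a pre-patch export (one .reg file per key plus a disabled-tasks.csv listing the tasks that were disabled), a database service named iddb, and that on a replicated node you have already confirmed the replication queues are close to empty before running it. Re-enabling Bravura Privilege randomization and the product's internal scheduled tasks is done through the product and is not covered.

```powershell
# Added example (not Bravura Security's own tooling): verify a Bravura Security
# Fabric node after OS patching and bring it back into service. Assumptions: runs
# elevated; $BackupDir holds the pre-patch .reg exports and disabled-tasks.csv;
# the database service is "iddb"; replication queues were already checked.
#Requires -RunAsAdministrator
[CmdletBinding()]
param(
    [Parameter(Mandatory)] [string]$BackupDir,
    [string]$DbService = 'iddb',
    [datetime]$PatchStart = (Get-Date).AddHours(-6)   # window to scan for new errors
)

$ErrorActionPreference = 'Stop'

# 1. Check the System and Application logs for error/critical events since patching
#    began; anything here should be reviewed before the node is returned to service.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'System', 'Application'; Level = 1, 2; StartTime = $PatchStart
} -ErrorAction SilentlyContinue
if ($events) {
    Write-Warning ("{0} error/critical event(s) since {1}" -f $events.Count, $PatchStart)
    $events | Select-Object TimeCreated, ProviderName, Id, Message -First 20 | Format-Table -Wrap
} else {
    Write-Host "No error/critical events since $PatchStart"
}

# 2. Verify the application registry keys are intact. A key that is missing is
#    restored from the export taken before the OS update.
$regKeys = @('SOFTWARE\Bravura Security', 'SOFTWARE\Hitachi ID')
foreach ($sub in $regKeys) {
    $file = Join-Path $BackupDir (($sub -replace '[\\ ]', '_') + '.reg')
    if (Test-Path "HKLM:\$sub") {
        $subkeys = (Get-ChildItem "HKLM:\$sub" -Recurse).Count
        Write-Host "HKLM\$sub present ($subkeys subkeys)"
    } elseif (Test-Path $file) {
        Write-Warning "HKLM\$sub missing; restoring from $file"
        & reg.exe import $file | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "Registry import failed for $file" }
    } else {
        Write-Warning "HKLM\$sub missing and no export found in $BackupDir"
    }
}

# 3. Start the database service first, then the Web Server (IIS). If the node was
#    removed from the load balancer instead, add it back at this point.
Start-Service -Name $DbService
(Get-Service -Name $DbService).WaitForStatus('Running', [TimeSpan]::FromMinutes(5))
Start-Service -Name W3SVC

# 4. Re-enable only the Windows scheduled tasks that the pre-patch step disabled.
$csv = Join-Path $BackupDir 'disabled-tasks.csv'
if (Test-Path $csv) {
    foreach ($t in Import-Csv $csv) {
        Enable-ScheduledTask -TaskName $t.TaskName -TaskPath $t.TaskPath | Out-Null
        Write-Host "Re-enabled $($t.TaskPath)$($t.TaskName)"
    }
}

Write-Host "Post-patch checks complete; run the application tests now"
```

Re-enabling from the recorded list, rather than enabling every task that matches a pattern, avoids switching on tasks that were intentionally disabled before patching. The script does not attempt to decide whether the application is healthy; the functional tests in the last step above remain a manual gate.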