On Tue Jan 5 between 5:00-7:00am, the production IP Address Management appliance grid will be upgraded to a new software release from the vendor (8.5.1). As part of this upgrade, the login procedures will change, and (unfortunately) your individual GUI personalizations will be lost.
IT Pros who use IPAM should consider taking these action steps before the upgrade:
1. Log in to the production system at https://ipam.illinois.edu/ and take notes and/or screenshots of any individual GUI personalizations that are important to you, so that you can more easily recreate them after the upgrade.
Here are some places you may wish to look:
- (your username in upper-right corner) > Profile: Table Size
- Finder > Smart Folders
- Finder > Bookmarks
- column customizations for various tables (e.g. adding "Network Name" to both Data Management > IPAM and Data Management > DHCP > Networks > Networks)
- saved Quick Filters for various tables
Here are some other simple boolean options that you don't need to record but may wish to re-enable after the upgrade:
- "Toggle Advanced Mode" in various dialog boxes
- "Toggle flat view" in Data Management > DNS > Zones > Records
- "Include Extensible Attributes Values" in Search > Advanced
2. Test your access to https://dev.ipam.illinois.edu/ using "SSO Login" (note: you may need VPN for this test since the dev system is not reachable from off-campus).
- 2FA is required.
- GUI users should click the new "SSO Login" button to authenticate using Shibboleth, which has 2FA integration built in.
- See https://answers.uillinois.edu/internal/2fa-alias if you perform IPAM tasks using a "secondary" AD account.
- Note: it's also possible to perform a GUI login with the regular "Login" button and your Active Directory userPrincipalName, but be aware that Grid Manager will treat this as a completely separate user profile (with an independent set of GUI personalizations) from your SSO user profile. In general, we recommend always accessing the GUI using SSO Login to avoid confusion.
3. If you use the IPAM API, test your access to the dev system's API.
- `curl https://dev.ipam.illinois.edu/wapi/v2.7.3/grid --user CHANGEME` (from on-campus or VPN) should return a JSON answer containing a value for `_ref`
- API users should log in with your Active Directory userPrincipalName (typically netid@illinois.edu or serviceuser@ad.uillinois.edu, but other variations are also possible)
- Non-person service users requiring unattended API access must be individually exempted from 2FA for IPAM by the IPAM service managers.
- We have prepopulated our exemption list based on recent logs from production IPAM, but please test and let us know if you have an active service user with IPAM permissions which is unable to access the dev system's API.
- In most cases, the same userPrincipalName that works for the dev system should also work today for production IPAM (test this using the same curl command without `dev.`), in which case you can reconfigure your automated tools with the new username ahead of time.
4. Contact hostmgr if you encounter any problems.
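The API check in step 3, as an added example that is not part of the original announcement: a POSIX shell script that sends the same curl request to the dev and production grids and classifies each answer. The hosts and WAPI path come from step 3; the function names, the result labels and the reading of HTTP 401/403 as "denied" (general HTTP semantics) are assumptions.

```shell
#!/bin/sh
# Added example, not from the announcement. Hosts and WAPI path are taken
# from step 3; function names and result labels are assumptions.
WAPI_PATH="/wapi/v2.7.3/grid"

# classify_response STATUS BODY -> ok | denied | unreachable | unexpected
classify_response() {
  case "$1" in
    200)
      # Step 3 expects a JSON answer containing a value for _ref.
      if printf '%s' "$2" | grep -q '"_ref"[[:space:]]*:'; then
        echo ok
      else
        echo unexpected
      fi ;;
    401|403) echo denied ;;       # generic HTTP meaning: authentication or authorization refused
    000)     echo unreachable ;;  # curl reports 000 when no HTTP response arrived (e.g. no VPN)
    *)       echo unexpected ;;
  esac
}

# check_host HOST USER: curl prompts for the password, so it never appears
# in the process list or in shell history.
check_host() {
  tmp=$(mktemp) || return 1
  status=$(curl --silent --max-time 15 --user "$2" --output "$tmp" \
    --write-out '%{http_code}' "https://$1${WAPI_PATH}")
  classify_response "$status" "$(cat "$tmp")"
  rm -f "$tmp"
}

if [ "$#" -ge 1 ]; then
  # Usage: sh check_ipam_api.sh netid@illinois.edu
  for host in dev.ipam.illinois.edu ipam.illinois.edu; do
    printf '%s: %s\n' "$host" "$(check_host "$host" "$1")"
  done
else
  # No username given: classify a constructed sample body instead.
  sample='[{"_ref": "grid/EXAMPLE:Infoblox"}]'
  printf 'constructed sample: %s\n' "$(classify_response 200 "$sample")"
fi
```

A result other than `ok` for an active service user on the dev grid is the situation the announcement asks you to report to hostmgr.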
Read on for additional (but less urgent) information about the upgrade.
What's new:
- dynamic ALIAS records (with some limitations)
- native GUI support for CAA records
- generic "Unknown Record" GUI support for other DNS record types (including AFSDB, SSHFP, etc)
- DNS Traffic Control support for internal use cases where the health monitor target is only reachable from inside the campus network
What's fixed:
- DNS Traffic Control no longer displays status as "Warning" (yellow) when all DTC Servers are healthy.
- DNS Traffic Control now returns to normal operation much more quickly (typically within 1 second) after a restart of services in which DTC configuration changes are being applied.
What's different:
- Login procedures have changed to support Shibboleth SSO and to require 2FA.
- The entire GUI has been visually re-themed by the vendor with new colors and icons.
- The table control buttons which appear above most table views are now located on the left, and the "Go to" box is located on the right (reversed from before).
- new "VLANs" and "Super Host" tabs under Data Management, which will not be used in our environment (at least for now)
- The legacy Perl-only API (PAPI), whose use we have strongly discouraged for years (essentially ever since the modern RESTful Web API was introduced), is now officially deprecated by the vendor.
How will services be affected during the upgrade window?
- During the upgrade window, IT Professionals will not be able to log in to Grid Manager (via the GUI or the API) to make DNS and DHCP configuration changes.
- Any Scheduled Tasks created in Grid Manager that have not completed before the upgrade begins will be automatically removed.
- Due to the use of DHCP Failover and the fact that the appliances upgrade sequentially, clients will in general still be able to obtain DHCP leases during the upgrade window. However, if a particular DHCP Range is very nearly full and experiencing a lot of churn (old clients leaving and new clients joining the network) during the upgrade window, it is possible that some new clients joining that range may not be able to obtain leases until both servers are back online.
- DNS query resolution is NOT impacted by this change.
If you would like to preview the new software release, you may log into the development IPAM grid at https://dev.ipam.illinois.edu/ (note that the dev system is not reachable from off-campus, so you may need to use the VPN).
Please contact hostmgr with any questions or feedback.