7.7 After you upgrade

After you have completed the installation process for the new version of MyID, you may have to carry out some additional configuration before your system is fully operational.

7.7.1 Reviewing web server security

Upgrading your MyID system may reset some of your IIS configuration, if you have made changes manually or using PowerShell scripts; for example, setting up SSL/TLS on your websites. You must review your IIS settings after upgrade to ensure that everything is configured correctly.
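One way to make this review repeatable is to record the IIS binding and SSL settings before the upgrade and compare them afterwards. The following script is an added example, not part of the MyID product or its documentation; the snapshot path, function name and column names are assumptions.

```powershell
# Added example (not vendor code): record IIS bindings and SSL flags before
# the upgrade, then list what changed afterwards. Run in an elevated session.
param(
    [ValidateSet('Save', 'Compare')] [string]$Mode = 'Compare',
    [string]$Path = 'C:\Backup\iis-security.csv'   # assumed snapshot location
)
Import-Module WebAdministration

function Get-IisSecuritySnapshot {
    # One row per site binding; every value is a string so that it
    # compares cleanly with rows read back from the CSV file.
    foreach ($site in Get-Website) {
        $raw = Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
            -Location $site.Name -Filter 'system.webServer/security/access' `
            -Name 'sslFlags'
        $requireSsl = if ($raw -is [string]) { $raw } else { $raw.Value }
        foreach ($b in Get-WebBinding -Name $site.Name) {
            [pscustomobject]@{
                Site       = [string]$site.Name
                Protocol   = [string]$b.protocol
                Binding    = [string]$b.bindingInformation
                SniFlags   = [string]$b.sslFlags
                CertHash   = [string]$b.certificateHash
                CertStore  = [string]$b.certificateStoreName
                RequireSsl = [string]$requireSsl
            }
        }
    }
}

$props = 'Site', 'Protocol', 'Binding', 'SniFlags', 'CertHash', 'CertStore', 'RequireSsl'
if ($Mode -eq 'Save') {
    Get-IisSecuritySnapshot | Export-Csv -Path $Path -NoTypeInformation
} else {
    $before = @(Import-Csv -Path $Path)
    $after  = @(Get-IisSecuritySnapshot)
    if (-not $before -or -not $after) { throw 'Snapshot is empty; nothing to compare.' }
    # '<=' rows existed only before the upgrade, '=>' rows only after it.
    Compare-Object -ReferenceObject $before -DifferenceObject $after -Property $props |
        Sort-Object Site, Binding
}
```

The snapshot covers site-level settings only; SSL requirements set on individual applications or virtual directories below a site still need a manual check.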

7.7.2 Upgrading your renewal and issuance jobs

If you need to update your renewal and issuance jobs, after you install MyID you must run the appropriate database scripts. See section 7.1.7, Upgrading renewal jobs and section 7.1.8, Upgrading card issuance jobs for details.

7.7.3 Upgrading clients

Note: If you have the MyID Client Components (provided in the UMC package) installed on any PC, uninstall them before you install the latest version of the MyID clients.

You are recommended to upgrade your clients (Self-Service App, Self-Service Kiosk, MyID Desktop, and MyID Client Service) on each client PC when you upgrade MyID. Older versions of the MyID clients may continue to operate with reduced functionality, and may experience problems when attempting to use new functionality.

7.7.4 Upgrading credential profiles

After you have upgraded your system, you must use the Credential Profiles workflow to upgrade each credential profile to the latest version.

Note: Credential profiles were previously known as card profiles.

To upgrade a credential profile:

  1. From the Configuration category, select Credential Profiles.
  2. From the Select Profile drop-down list, select the profile you want to edit.
  3. Click Modify.
  4. Click Next on each screen until you complete the workflow.

In most circumstances, you do not have to make any changes. However, see section 7.7.12, Upgrading systems with older data models and section 7.7.13, Upgrading systems with customized data models for considerations relating to upgrading credential profiles and their data models.

The profile is updated to the latest version of the software.

Note: If you are upgrading from a pre-MyID 10.8 system and are using terms and conditions, you must select an HTML template for the terms and conditions in each credential profile. See the Terms and conditions and Customizing terms and conditions sections in the Administration Guide.

7.7.5 Upgrading security phrase security

MyID now uses SHA256 to store the answers to security phrases, providing significantly enhanced security. This feature is enabled by default for new installations. If you are upgrading an existing system from a version earlier than 10.2, you must update the security phrases stored for each user.

The security phrase security setting is controlled by the Use Security Phrase algorithm version 2 option on the PINs tab of the Security Settings workflow. You can set the option to one of the following:

You are recommended to carry out the following procedure:

  1. Set the Use Security Phrase algorithm version 2 option to Ask.
  2. Upgrade each client PC.
  3. Ask each user to change their security phrases on an upgraded client.
  4. Once all users have updated their security phrases, set the Use Security Phrase algorithm version 2 option to Yes.

To get the full benefit of the Use Security Phrase algorithm version 2 feature, the setting must be Yes, and any previously captured passphrases using the original algorithm (while the configuration was set to No or Ask) must be removed. To remove the old security phrases, a user can change their security phrases while the Use Security Phrase algorithm version 2 option is set to Yes. If you require assistance with bulk removal of legacy security phrase data, contact Intercede customer support, quoting reference SUP-121.

Note: This feature also affects authentication codes that were issued by MyID 10.1 or earlier. If you want to use authentication codes that were generated before you upgraded, you must set the Use Security Phrase algorithm version 2 option to Ask. If you set the Use Security Phrase algorithm version 2 option to Yes, you must request new authentication codes.

7.7.6 Upgrading roles

The upgrade process can make changes to the roles set up on your system; for example, upgrades from MyID PIV 9 to MyID 10 may result in changes to the PIV Sec Officer role and the workflows it has available. Check that your role assignments are correct after you have completed the upgrade.

When you install MyID, the System role is granted permission to all the workflows in MyID. Make sure you review your security requirements for this role after upgrading MyID.

If you have removed any of the following roles:

When you upgrade MyID from any pre-MyID PIV 10.1 system, these roles are added back into your system.

7.7.7 Upgrading email support

Versions of MyID before MyID 10.6 used Database Mail to send email messages.

If you are upgrading an existing system from before MyID 10.6, your Database Mail configuration will continue to work; however, if you want to switch to the new system, carry out the following:

  1. Set up a new SMTP server in the External Systems workflow.
  2. Set the Database Mail Profile Name option to empty.

See the Setting up email section in the Advanced Configuration Guide for details.

7.7.8 Upgrading the storage of PINs for HSMs

From version 10.7, MyID stores the PINs for Thales HSMs encrypted in the registry for the MyID COM+ user. If you are upgrading an existing Thales HSM system and want to migrate the PIN, or if you are using an Entrust nShield HSM and want to store the PIN, you can use the SetHSMPIN utility to do this.

See section 8.6, Setting the HSM PIN for details.

7.7.9 Modifying an existing installation

If you want to use the installation program to modify your installation of MyID after the original installation is completed, see section 8.4, Modifying the installation.

7.7.10 Upgrading systems with Virtual Smart Cards

If your system is using server-generated Virtual Smart Cards, note that the server-generated VSC feature has now reached end of support. If you are upgrading from an earlier version of MyID, and are using server-generated VSCs, MyID will continue to support lifecycle management of the issued VSCs. See the Microsoft VSC Integration Guide for details.

7.7.11 Upgrading systems with a startup user

If you are using a startup user configured using GenMaster, after you upgrade your system to the latest version of MyID you may not be able to use that account to log on to MyID. To reset the startup user, run GenMaster again and select the Configure startup password option. See section 8.5.1, Running GenMaster for details.

Note: Startup users are intended only for bootstrapping your system, and are not intended for long-term use. See the System Security Checklist document for details.

7.7.12 Upgrading systems with older data models

When you upgrade your system, if your credential profiles use older data models that are no longer supported, you may experience problems with certificates losing their assigned containers. After upgrading, make sure that each of your credential profiles has a valid data model specified, and has the correct settings for each certificate container, if appropriate.

7.7.13 Upgrading systems with customized data models

If you have customized the standard card data models, installing MyID may overwrite your changes. Make sure you back up your customized files and review the changes after installation.

MyID 10.7 increases the size of the Security Object in all standard card data models. This addresses an issue that prevented issuance on systems where the Certificate Authority had a long distinguished name.

If you are upgrading an existing pre-MyID 10.7 system that has custom data models, you must manually update your data model files to increase the size of the Security Object.

For guidance on updating the size of the security object, contact customer support, quoting reference SUP-247.

7.7.14 Upgrading systems with Project Designer customizations

If you are upgrading a MyID system that has had screen layouts customized using Project Designer, you may see some cosmetic differences after you have upgraded your system.

7.7.15 Upgrading hyperlinks for the Self-Service App

In MyID 11.0, the format used for command-line parameters for the Self-Service App has changed. You must make sure that any systems that make use of these arguments – for example, custom email templates – are updated to use the new command-line arguments. For more information, see the Command line arguments section in the Self-Service App.

7.7.16 Upgrading customized configuration

If you have made any changes to configuration files, such as the myid.config file for the various MyID web services, you must merge in the changes from the backups you made before you installed the new version.

You may also have to re-implement translations. For information about translating the text for all on-screen elements in the client applications, contact Intercede customer support, quoting reference SUP-138.

If you have further customizations on your system and would like assistance with the upgrade process, contact customer support, quoting reference SUP-300.

7.7.17 Upgrading systems with multiple databases

Your MyID system may have multiple databases; for example, a separate audit database, an audit archive database, or a binary objects database. You configure MyID to point to the appropriate database by configuring its .udl files. You are recommended to back up these files, which are in the Windows SysWOW64 folder (for 32-bit MyID before version 12.0.0) or System32 folder (for 64-bit MyID from 12.0.0 on), before you start the upgrade. After you have installed the new version of MyID, you may have to reconfigure each of these files to point to the appropriate database.

For more information about setting up your MyID system to use multiple databases, see the Database configuration section in the Advanced Configuration Guide.
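To see which .udl files need reconfiguring, you can compare the server and database named in each backed-up file with the file present after the upgrade. The following script is an added example, not part of the MyID product; the folder paths and function name are assumptions, and it relies on the standard .udl layout (an OLE DB init string with Data Source and Initial Catalog keywords).

```powershell
# Added example (not vendor code): report which server and database each
# .udl file pointed to before the upgrade and points to now.
param(
    [string]$BackupDir = 'C:\Backup\udl',             # assumed backup location
    [string]$LiveDir   = "$env:SystemRoot\System32"   # use SysWOW64 for 32-bit MyID
)

function Get-UdlTarget {
    param([string]$File)
    # A .udl file holds one OLE DB init string after the "[oledb]" header
    # and a ";" comment line. Get-Content detects the UTF-16 byte order mark.
    $init = Get-Content -Path $File |
        Where-Object { $_ -and $_ -notmatch '^\s*(\[|;)' } |
        Select-Object -First 1
    $pairs = @{}
    # Simple split: quoted values that contain ';' are not handled.
    foreach ($part in ($init -split ';')) {
        $k, $v = $part -split '=', 2
        if ($null -ne $v) { $pairs[$k.Trim()] = $v.Trim() }
    }
    # Only non-secret fields are returned; any Password value is discarded.
    [pscustomobject]@{
        Server   = [string]$pairs['Data Source']
        Database = [string]$pairs['Initial Catalog']
    }
}

foreach ($backup in Get-ChildItem -Path $BackupDir -Filter '*.udl') {
    $live = Join-Path $LiveDir $backup.Name
    $old  = Get-UdlTarget -File $backup.FullName
    $new  = if (Test-Path $live) { Get-UdlTarget -File $live } else { $null }
    [pscustomobject]@{
        File      = $backup.Name
        OldTarget = "$($old.Server) / $($old.Database)"
        NewTarget = if ($new) { "$($new.Server) / $($new.Database)" } else { '<missing>' }
        Changed   = (-not $new) -or ($old.Server -ne $new.Server) -or
                    ($old.Database -ne $new.Database)
    }
}
```

Run it from a 64-bit PowerShell session when checking the System32 folder; a 32-bit session is redirected to SysWOW64.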

7.7.18 Upgrading systems that use Integrated Windows Logon

If your system uses Integrated Windows Logon, you must reconfigure the web services and carry out any configuration in IIS for Integrated Windows Logon. See the Configuring the MyID web services for Integrated Windows Logon section in the Web Service Architecture guide and the Integrated Windows Logon section in the Administration Guide for details.

7.7.19 Upgrading biometric integration

If a change to the biometric devices and software used in your environment is required as part of the upgrade, you must review the configuration options relating to biometrics. For example, you must check the Biometric matching library and Fingerprint enrollment device.

If you previously used Cross Match as the biometric matching library, you must modify this setting to the new library selected for your environment. For further information, see the Cross Match legacy fingerprint integration end of support section in the Release Notes, and the appropriate biometric integration guides provided with MyID.

7.7.20 Supporting older clients

MyID has an improved envelope mechanism. This provides enhanced security for data transferred between MyID clients and the MyID server. When you install MyID, it is configured to support the new Envelope Version 1.3 instead of the previous Envelope Version 1.2. This affects whether you can use older clients to access MyID:

You can choose which envelope mechanisms to support in MyID; if you need to maintain support for older clients, you must enable support for Envelope Version 1.2.

To select the envelope mechanisms:

  1. Install the latest MyID Desktop.
  2. Within MyID Desktop, from the Configuration category, select Security Settings.
  3. On the Server tab, set the following:

    • Allow envelope version 1.2 – MyID allows clients to connect using the older envelope mechanism. All clients support this mechanism.

    • Allow envelope version 1.3 – MyID allows clients to connect using the updated envelope mechanism. Windows clients from MyID 10.1 support this mechanism.

    Note: Do not deselect both options. If you deselect both options, no clients will be able to access MyID, and you will be locked out of the system. If you accidentally deselect both options, contact customer support, quoting reference SUP-140.

  4. Click Save changes.

Note: If you have enabled envelope version 1.2, then subsequently decide to disable it and use envelope version 1.3 only, you may experience some problems when you set the option in the Security Settings workflow. After you click Save changes to set Allow envelope version 1.2 to No and Allow envelope version 1.3 to Yes, MyID Desktop cannot communicate with the server through its current connection, and you will see an error similar to:

An error occurred on the server when processing the URL. Please contact the system administrator.
If you are the system administrator please click here to find out more about this error.

Close MyID Desktop (this may present additional errors, which you can safely ignore). When you open MyID Desktop again, it will use envelope 1.3 and work correctly.

7.7.21 Updating the list of identity documents

MyID 12.4 provides an updated list of the identity documents available on the APPLICATION tab of the Edit PIV Applicant screen to match the specifications of section 2.7 of the FIPS-201-3 PIV Identity Proofing and Registration Requirements (pages.nist.gov/FIPS201/requirements/#s-2-7).

If you are upgrading from a system earlier than MyID 12.4, the upgrade process does not change the existing list of identity documents. You must use the List Editor workflow to update your system to include the latest list of primary and secondary identity documents.

See the Identity documents section in the PIV Integration Guide for details.

7.7.22 Known issues with upgrading