.. Reminder for header structure:
  Parts (H1)          : #################### with overline
  Chapters (H2)       : ******************** with overline
  Sections (H3)       : ====================
  Subsections (H4)    : --------------------
  Subsubsections (H5) : ^^^^^^^^^^^^^^^^^^^^
  Paragraphs (H6)     : """"""""""""""""""""

.. meta::
  :description: Upgrading the WAPT Server
  :keywords: WAPT, upgrade, upgrading, documentation

.. |ok| image:: wapt-resources/icon-ok.png
  :scale: 5%
  :alt: Feature available

.. |nok| image:: wapt-resources/icon-nok.png
  :scale: 5%
  :alt: Feature not available

.. |date| date::

.. _upgrade-wapt:

###################
Upgrade WAPT Server
###################

If your WAPT Server is a virtual host, take a snapshot of the VM.
This way, you will be able to go back easily in the rare case that the update fails.

.. warning::

  After each WAPT Server update, update your :ref:`WAPT Console <installing_the_WAPT_console>`, then :ref:`regenerate <create_WAPT_Agent>` the WAPT Agent.

Before upgrading WAPT Server, please refer to the following upgrading compatibility chart:

.. list-table:: Available WAPT Upgrade paths
  :header-rows: 1
  :stub-columns: 1
  :widths: auto

  * - \
    - To WAPT |wapt_short_version|
  * - From WAPT 2.4
    - |ok|
  * - From WAPT 2.5
    - |ok|

.. Danger::

  If you **migrating the WAPT server from Debian 12 to Debian 13**: Follow :ref:`this procedure for updating the PostgreSQL database <upgrade12to13-PostgreSQL>`


************************************************************
Switching of WAPT Edition (Community, Discovery, Enterprise)
************************************************************

WAPT Community is no longer supported.
If you want to upgrade from WAPT 1.8.2 Community you can upgrade to WAPT Discovery or WAPT Enterprise.
Please note that WAPT Discovery is limited to 300 clients.

It is always possible to upgrade from a :abbr:`WAPT Community setup to WAPT Discovery or Enterprise(https://www.wapt.fr/fr/doc-2.5/wapt-server-upgrade.html)`.

The WAPT Server will make the appropriate changes.

To upgrade WAPT Discovery to WAPT Enterprise simply upload a valid :ref:`licence <licence_activation>` to the WAPT Server from the WAPT Console.
 
If your Enteprise licence expire, it will fall back on the Discovery Edition.
If you are running WAPT Discovery and you have more that 300 client computers in your inventory, the WAPT Console will stop working and will only give you the option to delete computer entries from the inventory.
The WAPT Console will return to working condition when the inventory returns below the 300 computer limit.


.. _wapt_minor_upgrade:

****************************************
Upgrading from version 2.6 to latest 2.6
****************************************

.. _wapt_minor_upgrade_26_26:

To do a minor upgrade please follow the procedure corresponding to your server operating system.

.. tabs::

  .. tab:: Debian and derivatives

    * Update the underlying distribution and upgrade WAPT Server.

    .. code-block:: bash

      export DEBIAN_FRONTEND=noninteractive
      apt update && apt upgrade -y
      apt install tis-waptserver tis-waptsetup -y
      unset DEBIAN_FRONTEND

    * Launch the post-configuration step :ref:`post-configuration step <wapt_postconf>`

    * Once completed, your WAPT Server is ready.

  .. tab:: RedHat and derivatives

    * Update the underlying distribution and upgrade WAPT Server.

    .. code-block:: bash

      dnf update -y
      dnf install tis-waptserver tis-waptsetup -y

    * Launch the post-configuration step :ref:`post-configuration step <wapt_postconf>`

    * Once completed, your WAPT Server is ready.

  .. tab:: Windows

    * Download and execute |waptserversetup_exe|.

    .. warning::

      The installation of the WAPT Server **MUST** be done using a **Local Administrator**
      account on the host

    * Choose the language for the WAPT installer.

    .. image:: wapt-resources/wapt_deploy_choose-language_dialog-box.png
      :align: center
      :alt: Choosing the language for deploying the WAPT installer

    * Click on :guilabel:`OK` to go on to the next step.

    .. image:: wapt-resources/wapt_deploy_accept-license_dialog-box.png
      :align: center
      :alt: Accepting the WAPT license terms

    * Accept the licence terms and click on :guilabel:`Next` to go to next step.

    * Choose additional configuration tasks (leave the default if not sure).

    .. figure:: wapt-resources/wapt_deploy_additional-configuration-server_dialog-box.png
      :align: center
      :alt: Choosing the installer options for deploying the WAPT Serer

      Choosing the installer options for deploying the WAPT Server

    * Do not change the password for the WAPT Server (if not necessary).

    .. image:: wapt-resources/wapt_deploy_choosing-password_dialog-box.png
      :align: center
      :alt: Dialog box for changing the password

    * Click on the :guilabel:`Install` to launch the installation, wait for the installation to complete.

    .. image:: wapt-resources/wapt_deploy_installation-in-progress_dialog-box.png
      :align: center
      :alt: Dialog box showing the WAPT installation in progress

    * Click on :guilabel:`Finish` to close the window.

    .. image:: wapt-resources/wapt_deploy_installation-completed_dialog-box.png
      :align: center
      :alt: Installation has finished

    * Once completed, your WAPT Server is ready.

.. Warning::

  After each server update, update your console then regenerate the WAPT Agent and the GPO (if used).

    * Rebuild a :ref:`WAPT Windows Agent<WAPT_Windows_Agent>`.
    * Rebuild a :ref:`WAPT Linux or MacOS Agent<WAPT_Linux_MacOS_Agent>`.
    * Update the :ref:`GPO <deploy_waptagent_with_GPO>`


****************************************
Upgrading from version 2.4 or 2.5 to 2.6
****************************************

.. _wapt_minor_upgrade_25_lastest:

.. orange_toggle::
  :titleen: Requirements to check before updating
  :titlefr: Prérequis à vérifier avant la mise à jour

  .. Note::

    Before upgrading, ensure that :ref:`installation requirements <install_requirements>` are met.

    If you are using WAPT WADS, please note that older WADS WinPE and WAPT 2.6 WADS WinPE are not compatible.
    You need to recreate the :file:`WinPE` File using the :guilabel:`upload WinPE` button in the :guilabel:`OS Deployment` tab.

    If you use WAPT Deploy in a GPO, then you need to update your GPO with the lastest :command:`waptdeploy.exe` binary.

  .. warning::

    For WAPT server, **during the postconf** be carefull.

    It is essential to enter the **FQDN name** of your server and not its IP address.
    For Example :

      .. code-block:: bash

        FQDN for the WAPT Server (eg. wapt.example.com)

        ---------------------------------------------
        wapt.mydomain.lan
        ---------------------------------------------

                    < OK >          < Cancel >

.. tabs::

  .. tab:: Debian and derivatives

    * First of all, update the underlying distribution and install the WAPT Server packages.

    .. code-block:: bash

      apt update && apt upgrade -y
      apt install apt-transport-https lsb-release gnupg

    * Then update the package repository and import the :mimetype:`GPG` key from the repository.

    .. code-block:: bash
      :substitutions:

      wget -qO- https://wapt.tranquil.it/$(lsb_release -is)/tiswapt-pub.gpg > /usr/share/keyrings/tiswapt-pub.gpg
      echo "deb https://wapt.tranquil.it/$(lsb_release -is)/wapt-|wapt_short_version|/ $(lsb_release -c -s) main" > /etc/apt/sources.list.d/wapt.list

    * Update the repository and install the packages.

    .. code-block:: bash

      export DEBIAN_FRONTEND=noninteractive
      apt update 
      apt install tis-waptserver tis-waptsetup -y
      unset DEBIAN_FRONTEND

    * Launch the post-configuration step :ref:`post-configuration step <wapt_postconf>`.

    * At last, launch the following script :command:`testing-ldap-connectivity.sh` (/opt/wapt/waptserver/scripts/testing-ldap-connectivity.sh). Identifying an AD account and an associated group. if the feedback is :command:`"ALL GOOD"` then the upgrade has been successfully completed and you can launch the wapt console.


    .. orange_toggle::
      :titleen: You encountered an error with the testing-ldap-connectivity.sh script. Please check the following:
      :titlefr: Vous avez rencontré une erreur avec le script testing-ldap-connectivity.sh. Veuillez vérifier les points suivants :

      .. warning::

        With version 2.6 of WAPT, Self-Service does NOT need simple bind LDAP authentication anymore. Kerberos (recommended) or LDAP SASL bind over GSSAPI (2nd choice) should be used:
        
        * In :file:`/etc/krb5.conf`, the file should look like this.

        .. code-block:: bash

          [libdefaults]
            default_realm = MYDOMAIN.LAN
            dns_lookup_kdc = true
            dns_lookup_realm = true

        If you want to disable DNS lookup for KDCs, you need to modify the file as follows.

        .. code-block:: bash

          [libdefaults]
            default_realm = MYDOMAIN.LAN
            dns_lookup_kdc = false
            dns_lookup_realm=false
          [realms]
            MYDOMAIN.LAN = {
            kdc = 192.168.1.13
            kdc = 192.168.1.12
            }      

        .. note::
          If you use the parameter **wapt_admin_group_dn** in your :file:`waptserver.ini`, you need to modify **wapt_admin_group_dn** to **wapt_admin_group** and write only the common name of your group.
          
          For example:

          .. raw:: html

            <p><del>wapt_admin_group_dn = CN=WAPTADMIN,OU=USERS,DC=MYDOMAIN,DC=FR</del></p>
            <p>wapt_admin_group = WAPTADMIN</p>

        * The setting :command:`ad_domain_name` in the :file:`waptserver.ini`, should contain the name of your domain and not an IP address or a server name.

        This parameter replaces all the old parameters starting with ldap.

        .. code-block:: bash

          ad_domain_name = mydomain.lan

  .. tab:: RedHat and derivatives

    .. note::

      This procedure is for a Redhat 10 and derivatives, if you use another version of Redhat follow :ref:`this procedure to update <update_redhat_waptserver>`.

    * First of all, update the underlying distribution and necessary packages.

    .. code-block:: bash

      dnf update -y
      dnf install epel-release redhat-lsb-core -y

    * Then update the package repository and import the :mimetype:`GPG` key from the repository.

    * Add Tranquil IT's repository.

    .. code-block:: bash
      :substitutions:

      cat > /etc/yum.repos.d/wapt.repo <<EOF
      [wapt]
      name=WAPT Server Repo
      baseurl=https://wapt.tranquil.it/redhat10/wapt-|wapt_short_version|/
      enabled=1
      gpgcheck=1
      EOF

    * Retrieve the :file:`.gpg` key.

    .. code-block:: bash

      wget -q -O /tmp/tranquil_it.gpg "https://wapt.tranquil.it/redhat10/RPM-GPG-KEY-TISWAPT-10"; rpm --import /tmp/tranquil_it.gpg

    * And finally upgrade the WAPT Server.

    .. code-block:: bash

      dnf install tis-waptserver tis-waptsetup cabextract -y

    * Launch the post-configuration step :ref:`post-configuration step <wapt_postconf>`.

    * At last, launch the following script :command:`testing-ldap-connectivity.sh` (/opt/wapt/waptserver/scripts/testing-ldap-connectivity.sh). Identifying an AD account and an associated group. if the feedback is :command:`"ALL GOOD"` then the upgrade has been successfully completed and you can launch the wapt console.

    .. orange_toggle::
      :titleen: You encountered an error with the testing-ldap-connectivity.sh script. Please check the following:
      :titlefr: Vous avez rencontré une erreur avec le script testing-ldap-connectivity.sh. Veuillez vérifier les points suivants :

      .. warning::

        With version 2.6 of WAPT, Self-Service does NOT need simple bind LDAP authentication anymore. Kerberos (recommended) or LDAP SASL bind over GSSAPI (2nd choice) should be used:

        * In :file:`/etc/krb5.conf`, the file should look like this.

        .. code-block:: bash

          [libdefaults]
            default_realm = MYDOMAIN.LAN
            dns_lookup_kdc = true
            dns_lookup_realm = true

        If you want to disable DNS lookup for KDCs, you need to modify the file as follows. 

        .. code-block:: bash

          [libdefaults]
            default_realm = MYDOMAIN.LAN
            dns_lookup_kdc = false
            dns_lookup_realm=false
          [realms]
            MYDOMAIN.LAN = {
            kdc = 192.168.1.13
            kdc = 192.168.1.12
            }

        .. note::
          If you use the parameter **wapt_admin_group_dn** in your :file:`waptserver.ini`, you need to modify **wapt_admin_group_dn** to **wapt_admin_group** and write only the common name of your group.
          
          For example:

          .. raw:: html

            <p><del>wapt_admin_group_dn = CN=WAPTADMIN,OU=USERS,DC=MYDOMAIN,DC=FR</del></p>
            <p>wapt_admin_group = WAPTADMIN</p>

        * The setting :command:`ad_domain_name` in the :file:`waptserver.ini`, should contain the name of your domain and not an IP address or a server name.

        This parameter replaces all the old parameters starting with ldap.

        .. code-block:: bash

          ad_domain_name = mydomain.lan

  .. tab:: Windows

    * Download and execute |waptserversetup_exe|.

    * Choose the language for the WAPT installer.

    .. image:: wapt-resources/wapt_deploy_choose-language_dialog-box.png
      :align: center
      :alt: Choosing the language for deploying the WAPT installer

    * Click on :guilabel:`OK` to go on to the next step.

    .. image:: wapt-resources/wapt_deploy_accept-license_dialog-box.png
      :align: center
      :alt: Accepting the WAPT license terms

    * Accept the licence terms and click on :guilabel:`Next` to go to next step.

    * If an old installation installation folder found, this message appear.
      Click on :guilabel:`Yes` to go on to the next step.

    .. image:: wapt-resources/wapt_deploy_folder-exist_dialog-box
      :align: center
      :alt: Dialog box warning about the obsolete WAPT destination folder

    * Select additional task if needed.

    .. figure:: wapt-resources/wapt_deploy_additional-configuration-server_dialog-box.png
      :align: center
      :alt: Choosing the installer options for deploying the WAPT Serer

      Choosing the installer options for deploying the WAPT Server

    * Change the WAPT Server password if needed, then press :guilabel:`Next`.

    .. image:: wapt-resources/wapt_deploy_choosing-password_dialog-box.png
      :align: center
      :alt: Dialog box for changing the password

    * Click on the :guilabel:`Install` to launch the installation, wait for the installation to complete.

    .. image:: wapt-resources/wapt_deploy_installation-in-progress_dialog-box.png
      :align: center
      :alt: Dialog box showing the WAPT installation in progress

    * Click on :guilabel:`Finish` to close the window.

    .. image:: wapt-resources/wapt_deploy_installation-completed_dialog-box.png
      :align: center
      :alt: Installation has finished

    .. warning::

      **DO NOT** use the WAPT Console on the WAPT Server.
      **DO NOT** install nor run your WAPT package development tools on the WAPT Server.

    The WAPT Server on your Windows server or workstation is ready.

    .. figure:: wapt-resources/wapt_server_web-interface_browser-window.png
      :align: center
      :alt: The WAPT Server interface in a web browser

      The WAPT Server interface in a web browser

    Your WAPT Server is now ready.
    You may now go to the documentation on :ref:`Installing the WAPT management Console <installing_the_WAPT_console>`.

.. Warning::

  After each server update, update your console then regenerate the WAPT Agent and the GPO (if used).

    * Rebuild a :ref:`WAPT Windows Agent<WAPT_Windows_Agent>`.
    * Rebuild a :ref:`WAPT Linux or MacOS Agent<WAPT_Linux_MacOS_Agent>`.
    * Update the :ref:`GPO <deploy_waptagent_with_GPO>`


.. _upgrade12to13-PostgreSQL:

*****************************************************************************************************
Migrating the WAPT server from Debian 12 to Debian 13: Procedure for updating the PostgreSQL database
*****************************************************************************************************

|

**When you upgrade your waptserver to Debian 13, modify** :file:`/etc/apt/sources.list` **to switch to trixie then follow the procedure below.**

Debian Trixie now integrates nginx spnego module, which conflicts with the one Wapt was shipping for Debian 12 and earlier.
To avoid upgrade errors, please use the following procedure:


.. code-block::
  
  systemctl stop waptserver nginx
  systemctl mask nginx
  export DEBIAN_FRONTEND=noninteractive 
  apt-get update  && apt-get upgrade -y && apt-get dist-upgrade -y
  apt-get purge -y libnginx-mod-http-auth-spnego
  apt-get install libnginx-mod-http-auth-spnego
  unset DEBIAN_FRONTEND
  systemctl  unmask nginx 
  systemctl  start nginx waptserver

**Upgrading the PostgreSQL database to version 17:**

Wapt uses PostgreSQL as a database backend.
PostgreSQL database binary format on disk changes between major version, and it is necessary to run a script to dump and restore de database when doing major upgrades.
When upgrading Debian from one major version to another, PostgreSQL version also changes and it is thus necessary to run the appropriate script to run the right version.
In order to streamline the upgrade process, Debian keeps the old PostgreSQL version running after major os upgrade (from Bookworm to Trixie for example). 
So you may still have an old PostgreSQL database running even after major debian upgrade, so be sure to follow these steps to upgrade you PostgreSQL database.

.. note::

  Use the following command to check your current PostgreSQL cluster version:

  .. code-block::

    pg_lsclusters

  If your output shows:

  .. code-block::

    Ver Cluster Port Status Owner    Data directory              Log file
    17  main    5432 online postgres /var/lib/postgresql/17/main /var/log/postgresql/postgresql-17-main.log

  Your database is already running PostgreSQL 17. **No further action is required**.

  If your output shows:

  .. code-block::

    Ver Cluster Port Status Owner    Data directory              Log file
    15  main    5432 online postgres /var/lib/postgresql/15/main /var/log/postgresql/postgresql-15-main.log

  You need to upgrade to PostgreSQL 17. Follow these steps:

1. Optimize the Database and Check Disk Space

Before upgrading, optimize the database and verify its size to **ensure you have enough disk space**:

.. code-block::

  sudo -i -u postgres psql wapt -c "VACUUM FULL;"
  sudo du -sh /var/lib/postgresql/15/main

2. Backup the Database

.. code-block::

  sudo -iu postgres pg_dump wapt > wapt_backup_$(date +%Y-%m-%d).sql

3. Ensure Sufficient Disk Space

You need **approximately 3 times the disk space** of your current database before running the following commands:

4. Upgrade PostgreSQL to Version 17

.. code-block::
  
  pg_dropcluster --stop 17 main
  pg_upgradecluster -v 17 15 main
  apt remove postgresql*-15