Moving JSS

rob_potvin
Contributor III

Moving my JSS Mac to Linux (xserve is on its last leg) and wanted to know what you guys thought.

(No iOS devices at the moment slight change over so just macs, hence why perfect time)

- Change out the URLS?

- QuickAdd Package and deploy to all machines

What do you guys think?

8 REPLIES

jarednichols
Honored Contributor

Issue your SSL certificate for your new server with your old server's FQDN as a SAN. Then when you're ready to cutover, issue a DNS alias. Hosts will hit the DNS alias and go to your new server. You can then use a policy to correctly over-write the JSS settings so they're hitting your new server directly.

Did this at my last job and it worked a treat.

TEST. TEST. TEST.

jhalvorson
Valued Contributor

Last week I migrated our JSS from an Xserve (early 2008) to a Mac mini server (Mid 2011). The host name for the server was Device001.domain.edu with a static IP. Our network team had set up an alias to jss.domain.edu to that IP when we first started using Casper Suite. The newer Mac mini has a hostname of Device999.domain.edu with a different static IP. All of the clients have been configured to connect to jss.domain.edu.

  • Asked network team to remove the alias to the Xserve. (Clients stop reporting and act as if there is no network connection to the JSS.)
  • Backed up the JSS Database.
  • Copied the database over to the newer server.
  • Imported the JSS Database.
  • Verified the jss alias no longer resolved on a few different subnets. (At our location, it can take up to 20 minutes for the DNS tables to get updated.)
  • Then had them enable the jss.domain.edu alias on the newer Mac mini server.

All the clients now report to the newer server, without any changes to the client. The only data that got missed was any inventory reports that were submitted during the time the jss alias wasn't "alive".

Both the Xserve and the new Mac mini are using the built-in JAMF certificate. Next I have to work on getting a real cert from an external vendor. I am not sure what would have happened if the original server had a certificate assigned to device001.domain.edu and then made the migration.

Page 39 of the Casper Suite 8.6 Admin Guide has some more info.

rob_potvin
Contributor III

Thanks guys

Okay, just nervous, hence why I am asking. I know the science, just want the experience. I am moving to a new domain that coincides with our wildcard certificate.

Going from domain1.subdomain.domain.com to domain1.domain.com, getting rid of that subdomain part so we can use our wildcard cert.

Hence the questions.

@jarednichols don't think that would work with me since I am using this new SSL cert eh?

jarednichols
Honored Contributor

If you wildcard *.domain.com it should. I've not worked with wildcard certs, however. I'm generally not a fan of them, but I understand their appeal.
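
Added example, not part of the thread: a pre-cutover check of which client-facing names a certificate's DNS SANs cover, using the placeholder hostnames from this exchange. It assumes RFC 6125-style matching, where `*` stands for exactly one left-most label; the function names and sample certificate dicts are constructed for illustration.

```python
# Added example: hostnames are the thread's placeholders; the certificate
# dicts are constructed and shaped like ssl.SSLSocket.getpeercert() output.

def _labels(name):
    """Lower-case a DNS name, drop a trailing dot, split into labels."""
    return name.rstrip(".").lower().split(".")

def san_matches(pattern, hostname):
    """RFC 6125-style dNSName match. '*' is honoured only as the whole
    left-most label and stands for exactly one label; partial-label
    wildcards such as 'd*.domain.com' are treated as literals."""
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h):
        return False                      # '*' never spans several labels
    if p[0] == "*":
        # Refuse wildcards directly under a single label (e.g. '*.com').
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def dns_sans(cert):
    """DNS SAN entries from a getpeercert()-style dict."""
    return [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]

def uncovered_names(cert, client_names):
    """Names clients will connect to that the certificate does not cover."""
    sans = dns_sans(cert)
    return [n for n in client_names
            if not any(san_matches(s, n) for s in sans)]

OLD_FQDN = "domain1.subdomain.domain.com"   # name existing clients still use
NEW_FQDN = "domain1.domain.com"             # name after the move

# Constructed certificates: wildcard alone, and wildcard plus old FQDN as SAN.
WILDCARD_ONLY = {"subjectAltName": (("DNS", "*.domain.com"),)}
WILDCARD_PLUS_OLD = {"subjectAltName": (("DNS", "*.domain.com"),
                                        ("DNS", OLD_FQDN))}

if __name__ == "__main__":
    for label, cert in (("wildcard only", WILDCARD_ONLY),
                        ("wildcard + old FQDN SAN", WILDCARD_PLUS_OLD)):
        missing = uncovered_names(cert, [OLD_FQDN, NEW_FQDN])
        print(f"{label}: {missing or 'all client names covered'}")
```

With the wildcard alone, the old four-label name is reported as uncovered, so clients reaching the new server through a DNS alias on the old name would see a certificate name mismatch unless that name is also listed as a SAN.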

Kumarasinghe
Valued Contributor

Be careful if you are going to change the JSS URL!!!!

No need to worry if it is only a server name change and DNS alias is pointing to the new server.

I was going to change our DEV environment to PROD and had this issue. At the end I have created a new database for the PROD and started from scratch.

If you are changing your JSS URL, please check this to see if you get any issues with the certificates:

  1. Go to https://newjssurl:8443/ca.html > Click "Download CA Certificate" and check the CA certificate of the new JSS URL;

we've seen the new server CAs having the old server's URI details;
e.g. the URI field of the CA shows:
```
URI https://oldjssurl:8443//CA/JAMFCRLServlet
```

To rectify this CA cert issue, I did 'truncate table certificate_authority_settings' on the JSS database and upon restarting Tomcat it created the CA automatically. Then I did the "Replace with certificate from the JSS's built-in CA" step.

BUT

doing this caused all my Configuration Profiles to say Unverified, even on newly imaged machines.

Please check this and get JAMF engineers involved if you are going to change the JSS URL.

jacopo_pulici
Contributor

Hi @Kumarasinghe .
I have to resurrect this old post.
I've hit the same problem mentioned in this post.
I had to rebuild my JSS server from scratch. I restored the MySQL database and now I'd like to reset the internal CA.
In the PKI settings there isn't any option to rebuild it. Do I have to follow [THIS](https://jamfnation.jamfsoftware.com/article.html?id=115) procedure?
Thanks to all.

Jack

Simmo
Contributor II

@Jachk In your JSS go to Settings>System Settings>Apache Tomcat Settings>Edit>Change the SSL certificate used for HTTPS>Generate a certificate from the JSS's built-in CA then restart Tomcat.
That should generate a new JSS in-built CA cert.

Kumarasinghe
Valued Contributor

@Jachk We have created a brand new database for PROD instead of migrating DEV to PROD, to get proper clean certs etc.
So please contact JAMF regarding this.

Thanks