Upgrade Health Checker

Download and set up Upgrade Health Checker

Contributors netapp-yvonneo netapp-ivanad netapp-barbe

You can download Upgrade Health Checker to generate onsite, comprehensive reports before upgrading to a newer version of ONTAP.

About this task

Upgrade Health Checker supports upgrades for on-premises ONTAP versions 9.11.1 and later. If you are using Cloud Volumes ONTAP, refer to Upgrade Cloud Volumes ONTAP for information on upgrading your system.

Before you begin

Set up a virtual machine for Upgrade Health Checker with the following specifications:

| Component | Specification |
| --- | --- |
| VM | m5.large VM or equivalent with 2 vCPUs and 8 GiB RAM |
| Operating System | Any Linux OS with glibc library version 2.28 or higher (Ubuntu 22.04, RHEL8, or RHEL9) |
| Disk space | At least 4 GB free (8 GB recommended) in /tmp with execute permissions |
| Network | HTTPS connectivity to the ONTAP cluster(s) management LIF |
| ONTAP version | Cluster running ONTAP 9.11.1 or later |

Hosting requirements

Place the VM in a location with cluster connectivity and internet access to allow for automatic tool updates. The machine should have access to the following endpoints through HTTPS (443) to conduct automatic updates and to enable NetApp to receive AutoSupport information about your upgrade plans:

https://support.netapp.com/
https://api.uhc.netapp.com
https://gql.aiq.netapp.com
https://api.activeiq.netapp.com

Recommended packages

Install a web server to facilitate access

Note: Ensure that the virtual machine can connect to the auto-update and telemetry endpoints (https://support.netapp.com/ and https://api.activeiq.netapp.com) through HTTPS (443) to enable NetApp to receive AutoSupport information about your upgrade plans. If internet access is unavailable, you must manually download the latest version of Upgrade Health Checker.

Steps
  1. Download the Upgrade Health Checker binary by navigating to the NetApp Console Automation Hub and finding the Upgrade Health Checker tile.

  2. Set up the Upgrade Health Checker virtual machine and use SSH to place the binary in the location of your choice.

  3. Verify the digital signature of Upgrade Health Checker.

    Upgrade Health Checker has a public code signing certificate (UHC-Linux-codesigning-certificate-public.pem) and a certificate chain file containing the intermediate and root certificates (UHC-Linux-chain-certificates-public.pem).

    1. (Optional) Verify the code signing certificate against the chain:

      openssl verify -CAfile UHC-Linux-chain-certificates-public.pem UHC-Linux-codesigning-certificate-public.pem

      An output of OK confirms a valid chain of trust.

    2. Extract the public key from the code signing certificate:

      openssl x509 -in UHC-Linux-codesigning-certificate-public.pem -pubkey -noout -out UHC-Linux-public.pub

    3. Verify the signature file (uhc.sig) against the Upgrade Health Checker binary using the public key:

      openssl dgst -sha256 -verify UHC-Linux-public.pub -signature uhc.sig uhc

      An output of Verified OK confirms the signature is valid.

  4. Configure a service account and role for ONTAP cluster access. For cluster access through Upgrade Health Checker, create the service role as a REST-role.

    Note: You can build an Ansible playbook to automate the deployment of the role and user to all ONTAP clusters.

    You must create the service account for the HTTP application. Use the following CLI commands to configure the necessary permissions:

    security login rest-role create -role uhctool -api /api -access readonly -vserver
    
    security login rest-role create -role uhctool -api /api/support/autosupport -access read_create_modify -vserver
    
    security login rest-role create -role uhctool -api /api/support/autosupport/messages -access read_create_modify -vserver
    
    vserver services web access create -name spi -role uhctool -vserver
    
    security login create -user-or-group-name uhctool -role uhctool -application http -authentication-method password
    
    security login create -user-or-group-name uhctool -role uhctool -application ssh -authentication-method password

  5. (Optional) Set up credential management to secure access to the application.

    For example, if you have CyberArk and Conjur, you can configure your environment to avoid passing credentials through a YAML file or the command line.

    1. Create required CyberArk Safes:

      1. Create a Safe (Main-Conjur-Safe) that holds the application credentials and secrets

      2. Create a Safe (API-Credentials-Safe) that holds the Conjur Host ID and API Key

      3. Create a Safe (Conjur-SSL-Certificate) that holds the necessary certificate

    2. Create the configuration (Conjur.conf) and identity (Conjur.identity) files for this application:

      1. Conjur.conf

        account:
        plugins: []
        appliance_url: https://FQDN
        cert_file: /etc/conjur.pem

      2. Conjur.identity

        machine https://FQDN/authn
        login host /prodvault/devops/<Main-Conjur-Safe>/host1
        password XXXXXX

    Here is an example of how to use CyberArk and Conjur in an Ansible playbook:

    1. Install the Conjur Ansible Collection, which includes the Conjur Ansible Lookup Plugin, on the Ansible host:

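      ansible-galaxy collection install cyberark.conjur

    2. Create a task in a YAML file to fetch the username and password from CyberArk. The validate_certs=false argument in these lookups disables TLS certificate validation for the connection to Conjur; set it to true where the Conjur certificate can be validated: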

      conjur_username: "{{ lookup('cyberark.conjur.conjur_variable', 'prodvault/devops/<Main-Conjur-Safe>/<Account name>/username', validate_certs=false) }}"
      conjur_password: "{{ lookup('cyberark.conjur.conjur_variable', 'prodvault/devops/<Main-Conjur-Safe>/<Account name>/password', validate_certs=false) }}"
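
The three verification commands in step 3, combined into one fail-closed shell function. This is an added example, not NetApp's own script; the function name verify_uhc and its argument order are assumptions, and the file names are whichever paths you pass in.

```shell
#!/bin/sh
# Added example (not NetApp's script): fail-closed wrapper around the three
# openssl commands from step 3. All paths are supplied by the caller.

# verify_uhc CHAIN_PEM SIGNING_CERT_PEM SIGNATURE BINARY
# Returns 0 only if every check passes, then prints the SHA-256 of the file.
# Returns 2 for a missing input, 1 for any failed cryptographic check.
verify_uhc() {
    chain=$1 cert=$2 sig=$3 bin=$4
    for f in "$chain" "$cert" "$sig" "$bin"; do
        [ -r "$f" ] || { echo "missing or unreadable: $f" >&2; return 2; }
    done

    # Step 1: the signing certificate must chain to the supplied CA file.
    # The page marks this step optional; here a failure stops the run.
    openssl verify -CAfile "$chain" "$cert" >/dev/null 2>&1 ||
        { echo "certificate does not chain to $chain" >&2; return 1; }

    # Step 2: extract the public key into a private temporary file.
    pub=$(mktemp) || return 2
    openssl x509 -in "$cert" -pubkey -noout >"$pub" 2>/dev/null ||
        { rm -f "$pub"; echo "cannot read public key from $cert" >&2; return 1; }

    # Step 3: check the detached SHA-256 signature over the binary.
    if openssl dgst -sha256 -verify "$pub" -signature "$sig" "$bin" >/dev/null 2>&1; then
        rc=0
    else
        rc=1
        echo "signature check failed for $bin" >&2
    fi
    rm -f "$pub"
    [ "$rc" -eq 0 ] || return 1

    # Record the digest so the same bytes can be confirmed again before use.
    openssl dgst -sha256 "$bin"
}

# Command-line use: ./verify_uhc.sh chain.pem cert.pem uhc.sig uhc
if [ "$#" -eq 4 ]; then
    verify_uhc "$@"
fi
```

The check is only as strong as the chain file used as the trust anchor, so obtain that file through a channel you trust independently of the binary download.
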

What's next?

You can use Upgrade Health Checker to help you plan for an ONTAP upgrade by generating an upgrade report.