Migrate agent

Data Integrity Suite
Product
Spatial_Analytics
Data_Integration
Data_Enrichment
Data_Governance
Precisely_Data_Integrity_Suite
geo_addressing_1
Data_Observability
Data_Quality
dis_core_foundation
Services
Spatial Analytics
Data Integration
Data Enrichment
Data Governance
Geo Addressing
Data Observability
Data Quality
Core Foundation
ft:title
Data Integrity Suite
ft:locale
en-US
PublicationType
pt_product_guide
copyrightfirst
2000
copyrightlast
2026

The migrate agent feature enables a secure transition from an existing agent to a newer version that enforces encrypted communication. This migration enhances overall security by applying encryption both at the persistent level and in transit.

Key benefits after migration

  • Periodic key rotation: Agent keys are rotated automatically and regularly to maintain strong cryptographic hygiene.
  • End-to-End Encryption: All communication between system components is now fully secured. This includes:

    • Amazon SQS messages: All messages exchanged via SQS are encrypted in transit.

    • Cloud to on-premises communication: Data transferred between cloud and on-prem components is protected through secure encryption protocols.
Note: This is a one-time operation. Migration should only be performed when an Update instruction appears beside the Mailbox service in the Data Integrity Suite UI.

Prerequisites

Before initiating the migration, ensure the following prerequisites are met:

  1. Agent status: The agent is running and in a healthy state.
  2. CLI tool update: The agent’s CLI tool (discli) is updated to the latest version.
  3. Operator version: Agents must be running at least on version 2.0.0 or higher of the operator. Agents with versions below 2.0.0 cannot execute the ./discli agent migrate command.
  4. Kafka version update:
    1. If the Kafka version is 1.1.2, update the Kafka service to 1.1.3 before migration. Use the command ./discli agent applyKafkaVersion 1.1.3 to apply the Kafka version update.

Updating the CLI tool

To update the CLI tool, run the following command from the agent machine: ./discli updateCli

For complete steps to perform the prereqisites of agent migration, refer to the Available CLI commands documentation.

How to migrate the agent

To begin the migration, execute the command ./discli agent migrate. This command upgrades the agent to operate in fully end-to-end encrypted mode.

What happens during migration

  1. Migration Inititation: Migration is initiated using the discli tool.
  2. Temporary health status change: The agent status may briefly appear red (unhealthy) in the UI. This is expected and temporary. While communication is briefly paused, workload processing will continue.
  3. Post-migration status: Once migration completes, the agent status automatically returns to green (healthy).

Components introduced during migration

As part of the upgrade, the following new services are installed:

  • Trust Manager: Establishes secure trust between system components and manages identity exchange within your environment.

  • Credentials Management Service (ACMS): Manages and securely stores encryption keys and credentials in the keystore to enable end-to-end encryption.
Note: All existing IAM agents, which are not end-to-end encrypted, must be migrated by 15 August 2025. After this date, IAM agent cleanup activities will begin, and only end-to-end encrypted agents will remain operational.

Migration failure

If the migration fails, we recommend renewing the agent certificates using the command: ./discli agent renewCerts This can help resolve most certificate-related migration issues.