Technical considerations when upgrading PGP Encryption Server (Symantec Encryption Management Server)

Article ID: 211876


Products

Encryption Management Server, Gateway Email Encryption, PGP Command Line, PGP Key Management Server, PGP Key Mgmt Client Access and CLI API, PGP SDK, Desktop Email Encryption, Drive Encryption, Endpoint Encryption, File Share Encryption

Issue/Introduction

This article will discuss the technical aspects and considerations for the upgrade to the latest version of PGP Encryption Server.

At the time of this writing, both PGP Encryption Server 10.5.1 and version 11 are supported and recommended for consideration.

Upgrade scenarios for many older versions are listed in the Resolution section below.

 

For the benefits of upgrading to version 10.5 or above see the following article:
150915 - PGP Encryption Server Benefits and Considerations for upgrading to version 10.5

*Please note that if your PGP Encryption Server is older than version 10.5, you need to upgrade to continue to receive support.
PGP Encryption Server 10.5.0 and above are all fully supported and continue to be maintained. 

*If you are upgrading from PGP Encryption Server 10.5.0 to version 10.5.1, you can do an in-place upgrade using a *.pup file.

For information on how to update using a PUP file (PGP Upgrade file), see the following article:
180749 - Upgrading PGP Encryption Server using a *.pup file (Symantec Encryption Management Server)

If a PUP file is not able to update the server, an ISO will be used.

Environment

PGP Encryption Server (Symantec Encryption Management Server) release 10.5 and above.

Resolution

Prerequisites:
*DNS Servers and any NTP Servers in use are still valid.
*Ensure that all PGP Encryption Desktop clients (Symantec Encryption Desktop) connecting to the PGP Encryption Servers are running version 10.4 or above.
(Clients running 10.3 and older will not be able to communicate. Reach out to Symantec Encryption Support for further guidance if you are still using 10.3 or older PGP clients.)

There are two methods of upgrading and the method you choose depends on the size and complexity of your environment:

Upgrade Method 1 (Recommended): New Installation.
Upgrade Method 2 (Restore): The restore method is described at the bottom of this article.

Both upgrade types involve installing from ISO. Therefore, if the PGP Encryption Server is a VMware Virtual Machine, be sure to take a VMware snapshot prior to booting from ISO. This will allow you to roll back to the snapshot if necessary.

When upgrading a cluster, please be aware that data inconsistency between cluster members may occur during the upgrade. This will resolve itself after all cluster members have been upgraded. Please see article 225396 for more information about how to avoid the risk of any data inconsistency.

 

 

Consideration 1: New Installation Method (Recommended)

When using this option, you will be installing a new PGP Server instance using an ISO and setting up a new IP address and hostname.
You will bring the backup from the old version of the PGP Encryption Server and use that to restore.
The Restore will then restore the same network details as the old version.

 

Step 1. Install the PGP Encryption Server (Symantec Encryption Management Server) as a "New Installation"
For information on this, see the following article:
157080 - Pictured Installation Guide for Symantec Encryption Management Server (PGP Server)

Step 2. During the installation, configure the new IP Address and hostname for this install.
This needs to be different than your current production environment.

Step 3. Once the installation is complete, export your Organization Key from the old server (Keypair).
To do this, click on Keys, then Organization Keys, then click the Org Key.  Click Export, and export the keypair/private key.
Enter a password that will be used when you import to the New Installation.

180196 - HOW TO: Backup the Organization Key on Symantec Encryption Management Server (PGP Server)

Step 4. On the new Server, upload the Org Key from step 3, and overwrite. You will click the "up arrow" icon to do so.
Browse to the key, and enter the passphrase you entered.

Step 5. Once the new Organization Key is restored, you are ready to restore the production backup, but before you do, you will need to shut down the old PGP Servers to avoid IP/hostname conflicts.

Step 6. Once the old versions have been shut down, you can then go to the System tab of the new PGP Encryption Server and click the plus sign to upload your backup.

Step 7. The backup will then restore your old IP and hostname, along with all the data stored within the PGP Backup.

Step 8. Once the restore has finished, browse all the tabs to ensure everything was restored as expected.

Step 9. It's a good idea to reboot the server post upgrade.  

Step 10. Conduct all your testing to ensure the upgrade was complete.

If you need to download the ISO, you can do so from the Broadcom Download Portal.

Your license number can be found via the Entitlements section of the Portal.


Note: If you would like to use a different IP address and hostname during this restoration operation, reach out to Symantec Encryption Support for further guidance.

 

 

Consideration 2: Backup larger than 2 GB

If you have backups larger than 2 GB each, see the following article:

153318 - Restoring Encryption Management Server Backups larger than 2GB

 

 

Consideration 3: Source Server is a Physical Server, but Destination Server is a Virtual Machine

If you are on a physical box, where the PGP server is installed on actual hardware, such as a Dell PowerEdge, and you are upgrading to a Virtual Machine environment, such as VMware, special steps must be taken to do this.
There is a "MAC Address" value that is associated with physical NICs. If you are moving from Physical to Virtual, then these values need to be removed post upgrade. For assistance doing this, please reach out to Symantec Encryption Support for further guidance.

If this is not done post upgrade, the NICs will not start properly and the Web UI will not be accessible.

EPG-28827

 

Consideration 4: Email Protection

A Simple Web Email Protection template will be restored successfully.

An Advanced Web Email Protection template consists mainly of image files so there is a very good chance that it will be restored successfully but ensure you have a backup of the zipped images in a safe location.

However, a Complete Web Email Protection template will not be restored successfully. This is because there are changes in release 10.5.1 around time zones that guarantee incompatibility.

Therefore, install a new Encryption Management Server from ISO in a test environment, create a new complete customization template and export it. When you have upgraded the production environment, import the template that you exported from the test environment.

Many Complete Customization Web Email Protection templates consist of customizations that can be made using an Advanced template. Before you upgrade, consider replacing the Complete Customization template with an Advanced template to avoid all the complexities of dealing with a Complete Customization template. See article 206882 for further details.



Consideration 5: Network routing

When you install from ISO you need to enter an IP address for the server and a default gateway that is on the same subnet. Otherwise you will not be able to connect to the server using a web browser.

When you restore from the backup file, all the original network settings are restored. However, any network routing files in the /etc/sysconfig/network-scripts directory are not backed up and will therefore not be restored.

Therefore, if your connectivity to the PGP Server administration console relies on a manual routing file being present in the /etc/sysconfig/network-scripts directory of the server then you may not be able to connect.

To avoid problems:

  1. Use SCP to download any routing files from the /etc/sysconfig/network-scripts directory of the server.
  2. Install using the New Installation method and ensure that you enter an IP address for the server and a default gateway IP that are on the same subnet.
  3. Once the new installation is completed, configure SSH.
  4. Upload the network routing files to the /etc/sysconfig/network-scripts directory of the server using SCP.
  5. Login to the administration console and navigate to System / Network.
  6. Ensure that the network settings match what they were before you installed from ISO. This may include adding additional network interfaces.
  7. Ensure that you click the Save button on the Network Settings page, even if you made no changes. This will restart the network and load manual routing files.
  8. SSH to the server and restore the backup.



Consideration 6: Custom /etc/crontab file

The new installation will contain a default /etc/crontab file. If you have customized your /etc/crontab file you need to use SCP to download it to a safe location before you install from ISO.

After installing using either the Restore or New Installation method, the /etc/crontab on the server will contain only the default entries.

You will need to edit the /etc/crontab file on the server and add back any custom entries. Then restart the crond service with:

systemctl restart crond
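
An added example (not from the Broadcom article or product) for the step above: it lists the active entries of the crontab you saved before the ISO install that are missing from the server's current /etc/crontab, together with the account each job runs as, so they can be reviewed before being added back. The script name, the two file arguments and the sample jobs are assumptions.

```shell
#!/bin/sh
# Added example, not Broadcom tooling.
# usage: sh cron-review.sh SAVED_CRONTAB CURRENT_CRONTAB   (or: cron-review.sh demo)

# Print "account<TAB>entry" for every active entry of the saved crontab ($1)
# that the current crontab ($2) lacks. Comments and blank lines are ignored
# and runs of blanks are collapsed, so re-indented defaults are not reported.
missing_cron_entries() {
    awk -v current="$2" '
        function norm(s) {
            gsub(/[ \t]+/, " ", s); sub(/^ /, "", s); sub(/ $/, "", s)
            return s
        }
        BEGIN {
            # Load the current crontab first; this also works when it is empty.
            while ((getline line < current) > 0) {
                k = norm(line)
                if (k != "" && k !~ /^#/) have[k] = 1
            }
            close(current)
        }
        {
            k = norm($0)
            if (k == "" || k ~ /^#/ || (k in have)) next
            n = split(k, f, " ")
            # /etc/crontab carries the account in field 6 (field 2 after @reboot etc.)
            if (k ~ /^[A-Za-z_][A-Za-z0-9_]* ?=/) user = "(env)"
            else if (f[1] ~ /^@/)                 user = (n >= 2 ? f[2] : "?")
            else                                  user = (n >= 6 ? f[6] : "?")
            printf "%s\t%s\n", user, k
        }
    ' "$1"
}

# Constructed sample: a saved crontab with two site jobs against a default one.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'SHELL=/bin/bash' 'PATH=/sbin:/bin:/usr/sbin:/usr/bin' \
        'MAILTO=root' > "$d/current"
    printf '%s\n' 'SHELL=/bin/bash' 'MAILTO=root ' '# site jobs' \
        '30 2 * * * root /usr/local/bin/offsite-copy.sh' \
        '@reboot svc /opt/site/start.sh' > "$d/saved"
    missing_cron_entries "$d/saved" "$d/current"
    rm -rf "$d"
}

case "${1:-}" in
    demo) demo ;;
    ?*)   missing_cron_entries "$1" "$2" ;;
esac
```

Entries reported with the account root deserve the closest look before they go back into /etc/crontab, since the script they call must also have been re-uploaded intact.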

 

 

193931 - How to download Symantec Encryption products from the Broadcom download Portal (And where to find the license number for PGP)

 

Upgrade Path for Legacy versions of PGP Encryption Server to version 11.0.x

As can be seen in the various upgrade scenarios below, major upgrades commonly require a full backup/restore.
This is typically required when the PGP OS changes and no in-place update is available.

Upgrading to PGP Encryption Server 11 requires a full backup/restore to migrate the data.

If you are on PGP Encryption Server 10.5.0 or newer, backup your server and restore to PGP 11.

 

If you are on an older version than 3.4.2 MP5, use the scenarios below to get to 10.5.1 first, and then from 10.5.1, backup/restore to PGP 11.

No versions prior to 10.5.0 can upgrade directly to PGP 11 with the backup/restore method.

Scenario 1: Upgrade Path for Legacy version 3.4.2 MP5 to 11 and later


1. Take a backup of the server while on PGP Encryption Server 3.4.2 MP5.
2. Restore that 3.4.2 backup to a fresh install of PGP 10.5.1.
3. Take a 10.5.1 backup and restore that to PGP Encryption Server 11.

 

 

Scenario 2: Upgrade Path for Legacy version 3.3.x to 10.5.1 and later

1. Update the PGP server to 3.3.2 MP13.
2. Create a backup on 3.3.2 MP13
3. Restore the backup to 3.4.2 MP5 (ISO Install of 3.4.2 Build 10531).
4. Once on 3.4.2 MP5, create a full backup.
5. Restore the 3.4.2 MP5 Backup to the 10.5.1 PGP Server.

Important Note Upon Upgrading to 10.5.1 MP2 or above: 
When upgrading to PGP Server 10.5.1 MP2 or beyond, the update process modifies some system configuration parameters so that it will use 4 GB of RAM for its own internal processes.
If you have 8 GB total, this could drop total utilization down to 4 GB. As a result, the PGP Server 10.5.1 MP2 and above has new system requirements:

Note: Once on 10.5.1, you can then backup/restore to PGP 11.

 

 

Scenario 3: Upgrade Path for Legacy version 3.3.x to 10.5.0

1. Update the PGP server to 3.3.2 MP13
2. Create a backup on 3.3.2 MP13
3. Restore the backup to 10.5 (ISO Install of 10.5)

Note: Once on 10.5.0, you can then backup/restore to PGP 11.

 

Scenario 4: Upgrade Path for Legacy version 3.2.1 to 10.5.0 (and then to PGP 11)

1. Create a backup on 3.2.1 MP5 (Build 5033)
2. Restore the backup to 3.3.2 MP13 (Build 21495 - Install 3.3.2 MP13 ISO and restore)
3. Create a backup on 3.3.2 MP13
4. Restore the backup to 10.5 (ISO Install of 10.5)

Note: Once on 10.5.0, you can then backup/restore to PGP 11.

 

Scenario 5: Upgrade Path for Legacy version 3.1.x to 10.5.0

1. If you're on a version older than 3.1.2 SP3, then PUP update to 3.1.2 SP3 first (Contact Symantec Support if you do not have the PUP updates as these are no longer housed in the download portal)
2. Once you're on version 3.1.2 SP3, then PUP Update to 3.3.0 (Build 8741)
3. From 3.3.0, PUP Update to 3.3.2 MP13 (Build 21495)
4. Create a backup from 3.3.2 MP13
5. Restore backup to SEMS 10.5  (Install ISO on new VM system "RHEL 7" or "CentOS 7" in VMware)

Note: Once on 10.5.0, you can then backup/restore to PGP 11.


Scenario 6: Upgrade Path for Legacy version 3.0.x to 10.5

1. PUP update from 3.0.x to 3.1.2 SP3
2. Restore backup to 3.1.2 SP3 (Build 50 - Install with ISO on new "Linux 2.6 Other 32-bit" VMware system)
3. PUP Update to 3.3.0 (Build 8741)
4. PUP Update to 3.3.2 MP13 (Build 21495)
5. Create a backup from 3.3.2 MP13
6. Restore backup to SEMS 10.5  (Install ISO on new VM system "RHEL 7" or "CentOS 7" in VMware)

Note: Once on 10.5.0, you can then backup/restore to PGP 11.


Scenario 7: Upgrade Path for Legacy version 2.12 SP4 to 10.5.0

1. Create backup from 2.12 SP4 (Build 1128)
2. Restore backup to 3.1.2 SP3 (Build 50 - Install with ISO on new "Linux 2.6 Other 32-bit" VMware system)
3. PUP Update to 3.3.0 (Build 8741)
4. PUP Update to 3.3.2 MP13 (Build 21495)
5. Create a backup from 3.3.2 MP13
6. Restore backup to SEMS 10.5  (Install ISO on new VM system "RHEL 7" or "CentOS 7" in VMware)

Note: Once on 10.5.0, you can then backup/restore to PGP 11.

 

Upgrade Method 2: Restore Method

The "New Installation" method is recommended, but there is also a "Restore" operation, in which all you see is the restore.
The steps to restore a backup are below.  To use the New Installation method, you will need to have a new IP address that will not conflict with the old IP address.

Use the Restore method if all of the following are true:

  1. Your backup file size is under 2 GB.
  2. You do not use Web Email Protection with a Complete Customization template.
  3. When you connect to the administration console you connect to network Interface 1 (eth0) of the server and Interface 1 is on the same subnet as the default gateway.
  4. Your server either does not use a network routing file for Interface 2 or above or you have downloaded it to a safe location. For example /etc/sysconfig/network-scripts/route-eth1.
  5. You have either not customized the /etc/crontab file or you have downloaded it to a safe location.
  6. You either do not have custom scripts or other files in any directory other than /var/lib/ovid/customization or you downloaded the files to a safe location.
  7. You have either not customized any of the pgp*.sh scripts in the /var/lib/ovid/customization directory or the customizations are not critical.



For information on the New Installation method, see the following article:

157080 - Pictured Installation Guide for Symantec Encryption Management Server


TIP: For information on how to backup the Organization Key, a needed component for backup/restore/upgrade scenarios, see the following article:

180196 - HOW TO: Backup the Organization Key on Symantec Encryption Management Server (PGP Server)

This consists of the following steps:

  1. Export the Organization Key keypair, not just the public key, by logging into the administration console and navigating to Keys / Organization Keys, clicking on Organization Key and clicking on the Export button. A passphrase is optional. Store it in a safe location.
  2. Run a backup of Encryption Management Server. By default, backups are stored locally, but this is not recommended. The backup location should already have been configured to store backups on a remote FTP or SCP server; see article 180249 for details on how to do this. If backups are being stored locally, you will need to download the backup file using SCP from the /var/lib/ovid/backups directory. The name of the backup file will, by default, be in the format backup-name-hostname-backup-MM-DD-YY-HH-MI-SS.tar.gz.pgp. For example, PGP-Universal-Backup-keys.example.com-backup-03-31-21-10-09-08.tar.gz.pgp.
  3. Take a note of the server's basic network settings, specifically hostname, IP address, subnet mask, default gateway IP and DNS server IP addresses. If the server has more than one network interface, make a note of the IP addresses. If you have SCP available, download the file /etc/ovid/prefs.xml from the server because this contains not only the network settings but the license key and many other items of information.
  4. Boot from the release 10.5.1 ISO. You are warned that all data on the disk will be deleted and lost forever.
  5. Once installation is completed, enter the basic network settings. Only one DNS server IP needs to be specified at this stage.
  6. The PGP Encryption Server reboots from the fixed disk and shows Symantec Encryption Server for 3 seconds at the boot stage.
  7. If at reboot the screen containing the warning "all data on the disk will be deleted and lost forever" is displayed, it means the server has booted from ISO. Shut down the server, disconnect the ISO and power on the server.
  8. After the server has finished booting you are prompted to connect to it using a web browser.
  9. Connect to the server using a web browser on port 9000. Choose to do a Restore.
  10. When prompted, import the Organization Key. If you chose to set a passphrase when you exported it, you will need to enter it.
  11. When prompted, import the backup file.
  12. The data from the backup file will be restored. Please be patient. Restoring data takes at least twice as long as backing it up.
  13. Repeat the above steps for each server in a cluster.
  14. If the restore does not succeed, install from ISO again but this time at the Setup Type page choose New Installation.
  15. If the backup file is over 2 GB or the environment is complex then at the Setup Type page above you will also need to choose New Installation.

 

Troubleshooting

For assistance with general issues restoring backups, see the following article:

153588 - Restore Backup files to Symantec Encryption Management Server (PGP Server)

If you are seeing any other errors not outlined in the article above, please reach out to Symantec Encryption Support for further guidance.  

 

Special Note on Customization of the PGP Server:

Custom scripts or files not in /var/lib/ovid/customization

Only custom scripts and files in the /var/lib/ovid/customization directory are backed up.

If you have custom scripts or files that are not in the /var/lib/ovid/customization directory then use SCP to download them to a safe location before installing using either the Restore or New Installation method.

After installing, use SCP to upload them to their original locations.

If the scripts are being run using entries in the /etc/crontab file then update the /etc/crontab file too.

Customization of pgp*.sh scripts in the /var/lib/ovid/customization directory

During the installation, any pgp*.sh scripts that were in the /var/lib/ovid/customization directory are moved to the /var/lib/ovid/customization_legacy directory.

If you have modified any of those scripts, you will need to SSH to the server and add back any customizations you made to the pgp*.sh scripts in the /var/lib/ovid/customization directory.
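
An added example, not Broadcom tooling, covering the files this article says a restore does not bring back (Consideration 5, Consideration 6 and the customization note above): it stages them with a SHA-256 manifest before the ISO install, reports which ones are absent or changed afterwards, and names the pgp*.sh scripts whose customization_legacy copy differs from the newly installed one. The script name and the ROOT and STAGE arguments are assumptions; ROOT is "/" when run on the server, or a local copy of its files.

```shell
#!/bin/sh
# Added example, not Broadcom tooling.
# usage: sh unbacked.sh stage ROOT STAGE | verify ROOT STAGE | legacy ROOT

# Copy the files the article lists as not restored from ROOT into STAGE and
# record a SHA-256 manifest. Prints the number of files staged.
stage_unbacked_files() {
    root=${1%/} stage=$2 count=0
    mkdir -p "$stage" && chmod 700 "$stage" || return 1   # prefs.xml is sensitive
    : > "$stage/SHA256SUMS"
    for src in "$root"/etc/crontab "$root"/etc/ovid/prefs.xml \
               "$root"/etc/sysconfig/network-scripts/route-* \
               "$root"/var/lib/ovid/customization/pgp*.sh; do
        [ -f "$src" ] || continue            # unmatched glob or absent file
        rel=${src#"$root"/}
        mkdir -p "$stage/$(dirname "$rel")" && cp -p "$src" "$stage/$rel" || return 1
        (cd "$stage" && sha256sum "$rel") >> "$stage/SHA256SUMS"
        count=$((count + 1))
    done
    echo "$count"
}

# Print "DIFFERS path" for each staged file that is absent or changed under
# ROOT; returns 1 if any. Expected for crontab and pgp*.sh until merged by hand.
verify_restored() {
    root=${1%/} stage=$2 bad=0
    while read -r sum rel; do
        now=$(sha256sum "$root/$rel" 2>/dev/null | cut -d' ' -f1)
        [ "$now" = "$sum" ] || { echo "DIFFERS $rel"; bad=1; }
    done < "$stage/SHA256SUMS"
    return "$bad"
}

# Name each pgp*.sh whose pre-install copy in customization_legacy differs
# from the script now in customization (candidates for re-applying changes).
legacy_script_diffs() {
    root=${1%/}
    for old in "$root"/var/lib/ovid/customization_legacy/pgp*.sh; do
        [ -f "$old" ] || continue
        cmp -s "$old" "$root/var/lib/ovid/customization/$(basename "$old")" ||
            basename "$old"
    done
}

case "${1:-}" in
    stage)  stage_unbacked_files "$2" "$3" ;;
    verify) verify_restored "$2" "$3" ;;
    legacy) legacy_script_diffs "$2" ;;
esac
```

A script named by the legacy check differs either because it was customized or because the new release ships a changed default, so compare the two copies before re-applying anything.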

 

 

If you are using Custom Scripts with the PGP Server, you may want to re-evaluate if you still need these. 

Scripts would be provided only in special circumstances by a consulting group who specializes in the PGP server and warranties the customizations performed.
For more information on this, see article 197045.

 


