Technical considerations when upgrading Encryption Management Server to release 10.5.1


Article ID: 211876


Products

Encryption Management Server, Gateway Email Encryption

Issue/Introduction

Upgrading to Encryption Management Server release 10.5.1 from release 3.3.2 or above is described in the Symantec Encryption Management Server 10.5.1 Upgrade Guide.

For the benefits of upgrading to version 10.5 or above see the following article:
150915 - Symantec Encryption Management Server Benefits and Considerations for upgrading to version 10.5

Please note that all releases below 10.5 are End of Service (support).

Note that if you are upgrading from release 10.5 to release 10.5.1, you can do an in-place upgrade using a *.pup file. Otherwise, you will need to install from ISO. This article covers the ISO method.

Before updating, please confirm that the DNS servers and any NTP server that Encryption Management Server is configured to use are still valid. Also, ensure that all Encryption Desktop clients connecting to the servers are running Encryption Desktop release 10.4 or above, otherwise they will not be able to communicate with Encryption Management Server using TLS 1.2.

There are two methods of upgrading and the method you choose depends on the size and complexity of your environment:

  1. Restore.
  2. New Installation.

Both upgrade types involve installing from ISO. Therefore, if Encryption Management Server is a VMware Virtual Machine, be sure to take a VMware snapshot prior to booting from ISO. This will allow you to roll back to the snapshot if necessary.

Use the Restore method if all of the following are true:

  1. Your backup file size is under 2 GB.
  2. You do not use Web Email Protection with a Complete Customization template.
  3. When you connect to the administration console you connect to network Interface 1 (eth0) of the server and Interface 1 is on the same subnet as the default gateway.
  4. Your server either does not use a network routing file for Interface 2 or above, or you have downloaded it to a safe location. For example, /etc/sysconfig/network-scripts/route-eth1.
  5. You have either not customized the /etc/crontab file or you have downloaded it to a safe location.
  6. You either do not have custom scripts or other files in any directory other than /var/lib/ovid/customization or you downloaded the files to a safe location.
  7. You have either not customized any of the pgp*.sh scripts in the /var/lib/ovid/customization directory or the customizations are not critical.
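
The following is an added example, not part of the original article and not vendor code: a pre-upgrade helper that copies the files named in the checklist above into a staging directory with a SHA-256 manifest, and checks a backup file against the 2 GB limit. The function names are hypothetical, and 2 GB is assumed to mean 2^31 bytes.

```shell
#!/bin/sh
# Added example, not vendor code. Function names are hypothetical.
# ems_stage ROOT OUT: copy the files the article says to save before booting
# the ISO into OUT, keeping their paths, and write a SHA-256 manifest.
# ROOT is "/" on the server itself, or the top of a local mirror.
ems_stage() {
    root=${1%/}; out=$2
    mkdir -p "$out" && chmod 700 "$out" || return 1   # prefs.xml holds the license key
    # Paths come from the article; a glob that matches nothing is skipped.
    for f in "$root"/etc/ovid/prefs.xml \
             "$root"/etc/crontab \
             "$root"/etc/sysconfig/network-scripts/route-* \
             "$root"/var/lib/ovid/customization/pgp*.sh; do
        [ -f "$f" ] || continue
        rel=${f#"$root"/}
        mkdir -p "$out/$(dirname "$rel")" && cp -p "$f" "$out/$rel" || return 1
    done
    # The manifest lets you verify the copies after each SCP transfer
    # with: (cd OUT && sha256sum -c SHA256SUMS)
    (cd "$out" && find . -type f ! -name SHA256SUMS -exec sha256sum {} + \
        | sort -k 2 > SHA256SUMS)
}

# ems_backup_fits FILE [LIMIT_BYTES]: succeed only if the backup is under the
# Restore-method limit. 2 GB is taken as 2^31 bytes here (an assumption).
ems_backup_fits() {
    size=$(wc -c < "$1") || return 2
    [ "$size" -lt "${2:-2147483648}" ]
}
```

Custom scripts stored outside /var/lib/ovid/customization are site-specific and still have to be copied by hand.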

When upgrading a cluster, please be aware that data inconsistency between cluster members may occur during the upgrade. This will resolve itself after all cluster members have been upgraded. Please see article 225396 for more information about how to avoid the risk of any data inconsistency.

Environment

Symantec Encryption Management Server release 10.5 and above.

Resolution

Restore Method

This consists of the following steps:

  1. Export the Organization Key keypair, not just the public key, by logging into the administration console and navigating to Keys / Organization Keys, clicking on Organization Key and clicking on the Export button. A passphrase is optional. Store it in a safe location.
  2. Run a backup of Encryption Management Server. By default, backups are stored locally but clearly, this is not recommended. The backup location should have already been configured to store backups on a remote FTP or SCP server - please see article 180249 for details on how to do this. If backups are being stored locally, you will need to download the backup file using SCP from the /var/lib/ovid/backups directory. The name of the backup file will, by default, be in the format backup-name-hostname-backup-MM-DD-YY-HH-MI-SS.tar.gz.pgp. For example, PGP-Universal-Backup-keys.example.com-backup-03-31-21-10-09-08.tar.gz.pgp.
  3. Take a note of the server's basic network settings, specifically hostname, IP address, subnet mask, default gateway IP and DNS server IP addresses. If the server has more than one network interface, make a note of the IP addresses. If you have SCP available, download the file /etc/ovid/prefs.xml from the server because this contains not only the network settings but the license key and many other items of information.
  4. Boot from the release 10.5.1 ISO. You are warned that all data on the disk will be deleted and lost forever.
  5. Once installation is completed, enter the basic network settings. Only one DNS server IP needs to be specified at this stage.
  6. The server reboots from the fixed disk and shows Symantec Encryption Server for 3 seconds at the boot stage.
  7. If at reboot the screen containing the warning all data on the disk will be deleted and lost forever is displayed, it means the server has booted from ISO. Shut down the server, disconnect the ISO and power on the server.
  8. After the server has finished booting you are prompted to connect to it using a web browser.
  9. Connect to the server using a web browser on port 9000. Choose to do a Restore.
  10. When prompted, import the Organization Key. If you chose to set a passphrase when you exported it, you will need to enter it.
  11. When prompted, import the backup file.
  12. The data from the backup file will be restored. Please be patient. Restoring data takes at least twice as long as backing it up.
  13. Repeat the above steps for each server in a cluster.
  14. If the restore does not succeed, install from ISO again but this time at the Setup Type page choose New Installation.
  15. If the backup file is over 2 GB or the environment is complex then at the Setup Type page above you will also need to choose New Installation.

 

New Installation Method

The New Installation setup type will:

  1. Require you to enter a license key. The old license key is in the /etc/ovid/prefs.xml file, which you should have downloaded prior to installing from ISO. Search for the XML tag <license-number>.
  2. Allow you to change the network settings if you wish.
  3. Generate a new Organization Key.
  4. Create an administrator account with the username admin and prompt you to set a password for that account.

At the end of the process you will have a fresh installation of Encryption Management Server with default settings.

Backup larger than 2 GB

If the only complexity in your environment is the size of your backup file:

  1. Login to the administration console and navigate to Organization Keys.
  2. Click on the button in the Import column next to the Organization Key.
  3. Import the Organization Key that you exported before installing from ISO, replacing the Organization Key that was created as part of the new installation.
  4. Configure SSH.
  5. Use SCP to upload the backup file to the /root directory of the server.
  6. SSH to the server and restore the backup with this command where PGP-Universal-Backup-keys.example.com-backup-03-31-21-10-09-08.tar.gz.pgp is the name of the backup file:
    pgpbackup -r PGP-Universal-Backup-keys.example.com-backup-03-31-21-10-09-08.tar.gz.pgp
  7. When the backup has been restored you will need to login with the username and password you used before you installed from ISO.

Web Email Protection

A Simple Web Email Protection template will be restored successfully.

An Advanced Web Email Protection template consists mainly of image files so there is a very good chance that it will be restored successfully but ensure you have a backup of the zipped images in a safe location.

However, a Complete Web Email Protection template will not be restored successfully. This is because there are changes in release 10.5.1 around time zones that guarantee incompatibility.

Therefore, install a new Encryption Management Server from ISO in a test environment, create a new complete customization template and export it. When you have upgraded the production environment, import the template that you exported from the test environment.

Many Complete Customization Web Email Protection templates consist of customizations that can be made using an Advanced template. Before you upgrade, consider replacing the Complete Customization template with an Advanced template to avoid all the complexities of dealing with a Complete Customization template. See article 206882 for further details.

Network routing

When you install from ISO you need to enter an IP address for the server and a default gateway that is on the same subnet. Otherwise you will not be able to connect to the server using a web browser.

When you restore from the backup file, all the original network settings are restored. However, any network routing files in the /etc/sysconfig/network-scripts directory are not backed up and will therefore not be restored.

Therefore, if your connectivity to the Encryption Management Server administration console relies on a manual routing file being present in the /etc/sysconfig/network-scripts directory of the server then you may not be able to connect.

To avoid problems:

  1. Use SCP to download any routing files from the /etc/sysconfig/network-scripts directory of the server.
  2. Install using the New Installation method and ensure that you enter an IP address for the server and a default gateway IP that are on the same subnet.
  3. Once the new installation is completed, configure SSH.
  4. Upload the network routing files to the /etc/sysconfig/network-scripts directory of the server using SCP.
  5. Login to the administration console and navigate to System / Network.
  6. Ensure that the network settings match what they were before you installed from ISO. This may include adding additional network interfaces.
  7. Ensure that you click the Save button on the Network Settings page, even if you made no changes. This will restart the network and load manual routing files.
  8. Optionally, SSH to the server and set a password for the root user so that you can login to the console in case of routing problems. Use this command to set the root password:
    passwd
  9. SSH to the server and restore the backup.

Custom /etc/crontab file

The new installation will contain a default /etc/crontab file. If you have customized your /etc/crontab file you need to use SCP to download it to a safe location before you install from ISO.

After installing using either the Restore or New Installation method, the /etc/crontab on the server will contain only the default entries.

You will need to edit the /etc/crontab file on the server and add back any custom entries. Then restart the crond service with:

systemctl restart crond

Custom scripts or files not in /var/lib/ovid/customization

Only custom scripts and files in the /var/lib/ovid/customization directory are backed up.

If you have custom scripts or files that are not in the /var/lib/ovid/customization directory then use SCP to download them to a safe location before installing using either the Restore or New Installation method.

After installing, use SCP to upload them to their original locations.

If the scripts are being run using entries in the /etc/crontab file then update the /etc/crontab file too.

Customization of pgp*.sh scripts in the /var/lib/ovid/customization directory

During the installation, any pgp*.sh scripts that were in the /var/lib/ovid/customization directory are moved to the /var/lib/ovid/customization_legacy directory.

If you have modified any of those scripts, you will need to SSH to the server and add back any customizations you made to the pgp*.sh scripts in the /var/lib/ovid/customization directory.

See article 197045 for further details.
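
The following is an added example, not part of the original article and not vendor code, covering both the custom /etc/crontab section and the pgp*.sh section above: it lists the crontab entries you still need to add back and the pgp*.sh scripts to review after the installation. The function names are hypothetical, and it assumes you kept a copy of the old crontab.

```shell
#!/bin/sh
# Added example, not vendor code. Function names are hypothetical.
# ems_custom_cron SAVED CURRENT: print the active entries of the crontab you
# saved before the upgrade that are absent from the server's new /etc/crontab.
ems_custom_cron() {
    # -x whole line, -F fixed strings, -f patterns from CURRENT, -v invert;
    # then drop blank lines and comments. "Nothing to re-add" is not an error.
    grep -vxFf "$2" "$1" | grep -Ev '^[[:space:]]*(#|$)' || true
}

# ems_changed_scripts LEGACY_DIR NEW_DIR: print each pgp*.sh in LEGACY_DIR that
# is missing from NEW_DIR or differs from it. A difference can also be a
# vendor change between releases, so treat the list as files to review.
ems_changed_scripts() {
    for old in "$1"/pgp*.sh; do
        [ -f "$old" ] || continue
        name=${old##*/}
        cmp -s "$old" "$2/$name" 2>/dev/null || printf '%s\n' "$name"
    done
}

# On the upgraded server (the saved crontab path is an assumption):
#   ems_custom_cron /root/crontab.saved /etc/crontab
#   ems_changed_scripts /var/lib/ovid/customization_legacy /var/lib/ovid/customization
```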

Additional Information

 

193931 - How to download Symantec Encryption products from the Broadcom download Portal (And where to find the license number for PGP)

Upgrade Path for Legacy version 2.12 SP4 to 10.5

1. Create backup from 2.12 SP4 (Build 1128)
2. Restore backup to 3.1.2 SP3 (Build 50 - Install with ISO on new "Linux 2.6 Other 32-bit" VMware system)
3. PUP Update to 3.3.0 (Build 8741)
4. PUP Update to 3.3.2 MP13 (Build 21495)
5. Create a backup from 3.3.2 MP13
6. Restore backup to SEMS 10.5 (Install ISO on new VM system "RHEL 7" or "CentOS 7" in VMware)

Upgrade Path for Legacy version 3.0.x to 10.5

1. PUP update from 3.0.x to 3.1.2 SP3.
2. Restore backup to 3.1.2 SP3 (Build 50 - Install with ISO on new "Linux 2.6 Other 32-bit" VMware system)
3. PUP Update to 3.3.0 (Build 8741)
4. PUP Update to 3.3.2 MP13 (Build 21495)
5. Create a backup from 3.3.2 MP13
6. Restore backup to SEMS 10.5 (Install ISO on new VM system "RHEL 7" or "CentOS 7" in VMware)

Upgrade Path for Legacy version 3.1.x to 10.5

1. If you're on a version older than 3.1.2 SP3, then PUP update to 3.1.2 SP3 first (contact Symantec Support if you do not have the PUP updates, as these are no longer housed in the download portal).
2. Once you're on version 3.1.2 SP3, then PUP Update to 3.3.0 (Build 8741).
3. From 3.3.0, PUP Update to 3.3.2 MP13 (Build 21495)
4. Create a backup from 3.3.2 MP13.
5. Restore backup to SEMS 10.5 (Install ISO on new VM system "RHEL 7" or "CentOS 7" in VMware)

Upgrade Path for Legacy version 3.2.1 to 10.5

1. Create a backup on 3.2.1 MP5 (Build 5033).
2. Restore the backup to 3.3.2 MP13 (Build 21495 - Install 3.3.2 MP13 ISO and restore)
3. Create a backup on 3.3.2 MP13
4. Restore the backup to 10.5 (ISO Install of 10.5).

 
