This article will discuss the technical aspects and considerations for the upgrade to the latest version of PGP Encryption Server.
At the time of this writing, both PGP Encryption Server 10.5.1 and version 11 are supported and recommended for consideration.
Many scenarios for older versions are discussed in this article listed below in the resolution section.
For the benefits of upgrading to version 10.5 or above see the following article:
150915 - PGP Encryption Server Benefits and Considerations for upgrading to version 10.5
*Please note that if your PGP Encryption Server is older than version 10.5, you need to upgrade to continue to receive support.
PGP Encryption Server 10.5.0 and above are all fully supported and continue to be maintained.
*If you are upgrading from PGP Encryption Server 10.5.0 to version 10.5.1 you can do an in place upgrade using a *.pup file.
For information on how to update using a PUP file (PGP Upgrade file), see the following article:
180749 - Upgrading PGP Encryption Server using a *.pup file (Symantec Encryption Management Server)
If a PUP file is not able to update the server, an ISO will be used.
PGP Encryption Server (Symantec Encryption Management Server) release 10.5 and above.
Prerequisites:
*DNS Servers and any NTP Servers in use are still valid.
*Ensure that all PGP Encryption Desktop clients (Symantec Encryption Desktop) connecting to the PGP Encryption Servers are running version 10.4 or above
(Clients running 10.3 and older will not be able to communicate. Reach out to Symantec Encryption Support for further guidance if you are still using 10.3 or older PGP Clients.
There are two methods of upgrading and the method you choose depends on the size and complexity of your environment:
Upgrade Method 1 (Recommended): New Installation.
Upgrade Method 2 (Restore): The article mentions the restore method at the bottom of this article.
Both upgrade types involve installing from ISO. Therefore, if the PGP Encryption Server is a VMware Virtual Machine, be sure to take a VMware snapshot prior to booting from ISO. This will allow you to rollback to snapshot if necessary.
When upgrading a cluster, please be aware that data inconsistency between cluster members may occur during the upgrade. This will resolve itself after all cluster members have been upgraded. Please see article 225396 for more information about how to avoid the risk of any data inconsistency.
When using this option, you will be installing a new PGP Server instance using an ISO and setting up a new IP address and hostname.
You will bring the backup from the old version of the PGP Encryption Server and use that to restore.
The Restore will then restore the same network details as the old version.
Step 1. Install the PGP Encryption Server (Symantec Encryption Management Server) as a "New Installation"
For information on this, see the following article:
157080 - Pictured Installation Guide for Symantec Encryption Management Server (PGP Server)
Step 2. During the installation, configure the new IP Address and hostname for this install.
This needs to be different than your current production environment.
Step 3. Once the installation is complete, export your Organization Key from the old server (Keypair).
To do this, click on Keys, then Organization Keys, then click the Org Key. Click Export, and export the keypair/private key.
Enter a password that will be used when you import to the New Installation.
180196 - HOW TO: Backup the Organization Key on Symantec Encryption Management Server (PGP Server)
Step 4. On the new Server, upload the Org Key from step 3, and overwrite. You will click the "up arrow" icon to do so.
Browse to the key, and enter the passphrase you entered.
Step 5. Once the new Organization Key is restored, you are ready to restore the production backup, but before you do, you will need to shut down the old PGP Servers to avoid IP/hostname conflicts.
Step 6. Once the old versions have been shut down, you can then go to the System tab of the new PGP Encryption Server and click the plus sign to upload your backup.
Step 7. The backup will then restore your old IP and hostname, along with all the data stored within the PGP Backup.
Step 8. Once the restore has finished, browse all the tabs to ensure everything was restored as expected.
Step 9. It's a good idea to reboot the server post upgrade.
Step 10. Conduct all your testing to ensure the upgrade was complete.
If you need to download the ISO, you can do so from the Broadcom Download Portal.
Your license number can be found via the Entitlements section of the Portal.
Note: If you would like to use a different IP address and hostname during this restoration operation, reach out to Symantec Encryption Support for further guidance.
If you have backups larger than 2GBs each, see the following article:
153318 - Restoring Encryption Management Server Backups larger than 2GB
If you are on a physical box, where the PGP server is installed on actual hardware, such as a Dell PowerEdge, and you are upgrading to a Virtual Machine environment, such as VMware, special steps must be taken to do this.
There is a "MAC Address" value that is associated to physical NICs. If you are moving from Physical to Virtual, then these values need to be removed post upgrade. For assistance doing this, please reach out to Symantec Encryption Support for further guidance.
If this is not done post upgrade the NICs will not start properly and the Web UI will not be accessible.
EPG-28827
A Simple Web Email Protection template will be restored successfully.
An Advanced Web Email Protection template consists mainly of image files so there is a very good chance that it will be restored successfully but ensure you have a backup of the zipped images in a safe location.
However, a Complete Web Email Protection template will not be restored successfully. This is because there are changes in release 10.5.1 around time zone that guarantees incompatibility.
Therefore install a new Encryption Management Server from ISO in a test environment, create a new complete customization template and export it. When you have upgraded the production environment, import the template that you exported from the test environment.
Many Complete Customization Web Email Protection templates consist of customizations that can be made using an Advanced template. Before you upgrade, consider replacing the Complete Customization template with an Advanced template to avoid all the complexities of dealing with a Complete Customization template. See article 206882 for further details.
When you install from ISO you need to enter an IP address for the server and a default gateway that is on the same subnet. Otherwise you will not be able to connect to the server using a web browser.
When you restore from the backup file, all the original network settings are restored. However, any network routing files in the /etc/sysconfig/network-scripts directory are not backed up and will therefore not be restored.
Therefore, if your connectivity to the PGP Server administration console relies on a manual routing file being present in the /etc/sysconfig/network-scripts directory of the server then you may not be able to connect.
To avoid problems:
The new installation will contain a default /etc/crontab file. If you have customized your /etc/crontab file you need to use SCP to download it to a safe location before you install from ISO.
After installing using either the Restore or New Installation method, the /etc/crontab on the server will contain only the default entries.
You will need to edit the /etc/crontab file on the server and add back any custom entries. Then restart the crond service with:
systemctl restart crond
As can be seen in the various upgrade scenarios below, major upgrades commonly require a full backup/restore.
This is typically required when the PGP OS changes where no in-place update is available.
To upgrade to PGP Encryption Server 11, this will require a full backup/restore to migrate the data.
If you are on PGP Encryption Server 10.5.0 or newer, backup your server and restore to PGP 11.
If you are on an older version than 3.4.2 MP5, use the scenarios below to get to 10.5.1 first, and then from 10.5.1, backup/restore to PGP 11.
No versions prior to 10.5.0 can upgrade directly to PGP 11 with the backup/restore method.
1. Take a backup of the server while on PGP Encryption Server 3.4.2 MP5.
2. Restore that 3.4.2 backup to a fresh install of PGP 10.5.1.
3. Take a 10.5.1 backup and restore that to PGP Encryption Server 11.
1. Update the PGP server to 3.3.2 MP13.
2. Create a backup on 3.3.2 MP13
3. Restore the backup to 3.4.2 MP5 (ISO Install of 3.4.2 Build 10531).
4. Once on 3.4.2 MP5, create a full backup.
5. Restore the 3.4.2 MP5 Backup to the 10.5.1 PGP Server.
Important Note Upon Upgrading to 10.5.1 MP2 or above:
When upgrading to PGP Server 10.5.1 MP2 or beyond, the update process modifies some system configuration parameters so that it will use 4GBs of RAM for its own internal processes.
If you have 8GBs total, this could drop total utilization down to 4GBs. As a result, the PGP Server 10.5.1 MP2 and above has new system requirements:
Note: Once on 10.5.1, you can then backup/restore to PGP 11.
1. Update the PGP server to 3.3.2 MP13
2. Create a backup on 3.3.2 MP13
3. Restore the backup to 10.5 (ISO Install of 10.5)
Note: Once on 10.5.0, you can then backup/restore to PGP 11.
1. Create a backup on 3.2.1 MP5 (Build 5033)
2. Restore the backup to 3.3.2 MP13 (Build 21495 - Install 3.3.2 MP13 ISO and restore)
3. Create a backup on 3.3.2 MP13
4. Restore the backup to 10.5 (ISO Install of 10.5)
Note: Once on 10.5.0, you can then backup/restore to PGP 11.
1. If you're on a version older than 3.1.2 SP3, then PUP update to 3.1.2 SP3 first (Contact Symantec Support if you do not have the PUP updates as these are no longer housed in the download portal)
2. Once you're on version 3.1.2 SP3, then PUP Update to 3.3.0 (Build 8741)
3. From 3.3.0, PUP Update to 3.3.2 MP13 (Build 21495)
4. Create a backup from 3.3.2 MP13
5. Restore backup to SEMS 10.5 (Install ISO on new VM system "RHEL 7" or "CentOS 7" in VMware)
Note: Once on 10.5.0, you can then backup/restore to PGP 11.
1. PUP update from 3.0.x to 3.1.2 SP3
2. Restore backup to 3.1.2 SP3 (Build 50 - Install with ISO on new "Linux 2.6 Other 32-bit" VMware system)
3. PUP Update to 3.3.0 (Build 8741)
4. PUP Update to 3.3.2 MP13 (Build 21495)
5. Create a backup from 3.3.2 MP13
6. Restore backup to SEMS 10.5 (Install ISO on new VM system "RHEL 7" or "CentOS 7" in VMware)
Note: Once on 10.5.0, you can then backup/restore to PGP 11.
1. Create backup from 2.12 SP4 (Build 1128)
2. Restore backup to 3.1.2 SP3 (Build 50 - Install with ISO on new "Linux 2.6 Other 32-bit" VMware system)
3. PUP Update to 3.3.0 (Build 8741)
4. PUP Update to 3.3.2 MP13 (Build 21495)
5. Create a backup from 3.3.2 MP13
6. Restore backup to SEMS 10.5 (Install ISO on new VM system "RHEL 7" or "CentOS 7" in VMware)
Note: Once on 10.5.0, you can then backup/restore to PGP 11.
The "New Installation" method is recommended, but there is a "Restore" operation as well where all you see is the restore.
The steps to restore a backup are below. To use the New Installation method, you will need to have a new IP address that will not conflict with the old IP address.
Use the Restore method if all of the following are true:
For information on the New Installation method, see the following article:
157080 - Pictured Installation Guide for Symantec Encryption Management Server
TIP: For information on how to backup the Organization Key, a needed component for backup/restore/upgrade scenarios, see the following article:
180196 - HOW TO: Backup the Organization Key on Symantec Encryption Management Server (PGP Server)
This consists of the following steps:
For assistance with general issues restoring backups, see the following article:
153588 - Restore Backup files to Symantec Encryption Management Server (PGP Server)
If you are seeing any other errors not outlined in the article above, please reach out to Symantec Encryption Support for further guidance.
Special Note on Customization of the PGP Server:
Only custom scripts and files in the /var/lib/ovid/customization directory are backed up.
If you have custom scripts or files that are not in the /var/lib/ovid/customization directory then use SCP to download them to a safe location before installing using either the Restore or New Installation method.
After installing, use SCP to upload them to their original locations.
If the scripts are being run using entries in the /etc/crontab file then update the /etc/crontab file too.
During the installation, any pgp*.sh scripts that were in the /var/lib/ovid/customization directory are moved to the /var/lib/ovid/customization_legacy directory.
If you have modified any of those scripts, you will need to SSH to the server and add back any customizations you made to the pgp*.sh scripts in the /var/lib/ovid/customization directory.
If you are using Custom Scripts with the PGP Server, you may want to re-evaluate if you still need these.
Scripts would be provided only in special circumstances by a consulting group who specializes in the PGP server and warranties the customizations performed.
For more information on tis, see article 197045.
211876 - Technical considerations when upgrading Encryption Management Server to release 10.5
150915 - PGP Encryption Server Benefits and Considerations for upgrading to version 10.5
157080 - Pictured Installation Guide for Symantec Encryption Management Server (PGP Server)
153588 - Restore Backup files to the PGP Encryption Server (Symantec Encryption Management Server)
180749 - Upgrading PGP Encryption Server using a *.pup file (Symantec Encryption Management Server)
153318 - Restoring Encryption Management Server Backups larger than 2GB
197045 - Custom scripts are moved when upgrading to Encryption Management Server 10.5