
Technical considerations when upgrading Encryption Management Server to release 10.5.1


Article ID: 211876

Products

Encryption Management Server, Gateway Email Encryption

Issue/Introduction

Upgrading to Encryption Management Server release 10.5.1 from release 3.3.2 or above is described in the Symantec Encryption Management Server 10.5.1 Upgrade Guide.

For the benefits of upgrading to version 10.5 or above see the following article:
150915 - Symantec Encryption Management Server Benefits and Considerations for upgrading to version 10.5

Please note that all releases below 10.5 are End of Service (support).

Note that if you are upgrading from release 10.5 to release 10.5.1 you can do an in-place upgrade using a *.pup file. Otherwise, you will need to install from ISO. This article covers the ISO method.

Before updating, please confirm that the DNS servers and any NTP server that Encryption Management Server is configured to use are still valid. Also, ensure that all Encryption Desktop clients connecting to the servers are running Encryption Desktop release 10.4 or above, otherwise they will not be able to communicate with Encryption Management Server using TLS 1.2.

There are two methods of upgrading and the method you choose depends on the size and complexity of your environment:

  1. Restore.
  2. New Installation.

Both upgrade types involve installing from ISO. Therefore, if Encryption Management Server is a VMware Virtual Machine, be sure to take a VMware snapshot prior to booting from ISO. This will allow you to roll back to the snapshot if necessary.

Use the Restore method if all of the following are true:

  1. Your backup file size is under 2 GB.
  2. You do not use Web Email Protection with a Complete Customization template.
  3. When you connect to the administration console you connect to network Interface 1 (eth0) of the server and Interface 1 is on the same subnet as the default gateway.
  4. Your server either does not use a network routing file for Interface 2 or above or you have downloaded it to a safe location. For example /etc/sysconfig/network-scripts/route-eth1.
  5. You have either not customized the /etc/crontab file or you have downloaded it to a safe location.
  6. You either do not have custom scripts or other files in any directory other than /var/lib/ovid/customization or you downloaded the files to a safe location.
  7. You have either not customized any of the pgp*.sh scripts in the /var/lib/ovid/customization directory or the customizations are not critical.

When upgrading a cluster, please be aware that data inconsistency between cluster members may occur during the upgrade. This will resolve itself after all cluster members have been upgraded. Please see article 225396 for more information about how to avoid the risk of any data inconsistency.

Environment

Symantec Encryption Management Server release 10.5 and above.

Resolution

 

 

 

Consideration 1: New Installation Method (Recommended)

 

The New Installation setup type will:

  1. Require you to enter a license key. The old license key is in the /etc/ovid/prefs.xml file, which you should download prior to installing from ISO. Search for the XML tag <license-number>.
  2. Allow you to change the network settings if you wish.
  3. Generate a new Organization Key.
  4. Create an administrator account with the username admin and prompt you to set a password for that account.

At the end of the process you will have a fresh installation of Encryption Management Server with default settings.

 

Consideration 2: Backup larger than 2 GB

If you have backups larger than 2 GB each, see the following article:

153318 - Restoring Encryption Management Server Backups larger than 2GB

 

 

Consideration 3: Source Server is a Physical Server, but Destination Server is a Virtual Machine

If the PGP server is installed on physical hardware, such as a Dell PowerEdge, and you are upgrading to a Virtual Machine environment, such as VMware, special steps must be taken.
There is a "MAC Address" value that is associated with physical NICs. If you are moving from Physical to Virtual, these values need to be removed post upgrade. For assistance doing this, please reach out to Symantec Encryption Support for further guidance.

If this is not done post upgrade the NICs will not start properly and the Web UI will not be accessible.

EPG-28827

 

Consideration 4: Email Protection

A Simple Web Email Protection template will be restored successfully.

An Advanced Web Email Protection template consists mainly of image files so there is a very good chance that it will be restored successfully but ensure you have a backup of the zipped images in a safe location.

However, a Complete Web Email Protection template will not be restored successfully. This is because there are changes in release 10.5.1 around time zone that guarantee incompatibility.

Therefore, install a new Encryption Management Server from ISO in a test environment, create a new complete customization template and export it. When you have upgraded the production environment, import the template that you exported from the test environment.

Many Complete Customization Web Email Protection templates consist of customizations that can be made using an Advanced template. Before you upgrade, consider replacing the Complete Customization template with an Advanced template to avoid all the complexities of dealing with a Complete Customization template. See article 206882 for further details.



Consideration 5: Network routing

When you install from ISO you need to enter an IP address for the server and a default gateway that is on the same subnet. Otherwise you will not be able to connect to the server using a web browser.

When you restore from the backup file, all the original network settings are restored. However, any network routing files in the /etc/sysconfig/network-scripts directory are not backed up and will therefore not be restored.

Therefore, if your connectivity to the PGP Server administration console relies on a manual routing file being present in the /etc/sysconfig/network-scripts directory of the server then you may not be able to connect.

To avoid problems:

  1. Use SCP to download any routing files from the /etc/sysconfig/network-scripts directory of the server.
  2. Install using the New Installation method and ensure that you enter an IP address for the server and a default gateway IP that are on the same subnet.
  3. Once the new installation is completed, configure SSH.
  4. Upload the network routing files to the /etc/sysconfig/network-scripts directory of the server using SCP.
  5. Log in to the administration console and navigate to System / Network.
  6. Ensure that the network settings match what they were before you installed from ISO. This may include adding additional network interfaces.
  7. Ensure that you click the Save button on the Network Settings page, even if you made no changes. This will restart the network and load manual routing files.
  8. SSH to the server and restore the backup.



Consideration 6: Custom /etc/crontab file

The new installation will contain a default /etc/crontab file. If you have customized your /etc/crontab file you need to use SCP to download it to a safe location before you install from ISO.

After installing using either the Restore or New Installation method, the /etc/crontab on the server will contain only the default entries.

You will need to edit the /etc/crontab file on the server and add back any custom entries. Then restart the crond service with:

systemctl restart crond
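
The files that Considerations 1, 5 and 6 say to download before booting from ISO can be staged together with a checksum manifest, so that the routing files uploaded afterwards can be verified. This is an added example, not Symantec or Broadcom code: the function names, the MANIFEST.sha256 file name and reading "2 GB" as 2 GiB are assumptions, and it assumes a Linux shell with GNU sha256sum.

```shell
#!/bin/sh
# Added example, not vendor code. ROOT is "/" on the server itself, or a
# directory holding a copy of its file tree.
LIMIT_BYTES=2147483648   # assumption: the article's "2 GB" read as 2 GiB

# Copy the files the article says to download before the ISO install into DEST
# with owner-only permissions (prefs.xml holds the license key), plus a manifest.
stage_preupgrade() (
    root=${1%/}; dest=$2
    umask 077
    mkdir -p "$dest" || exit 1
    : > "$dest/MANIFEST.sha256"
    for f in "$root"/etc/sysconfig/network-scripts/route-* \
             "$root/etc/crontab" "$root/etc/ovid/prefs.xml"; do
        [ -f "$f" ] || continue              # unmatched glob or absent file
        rel=${f#"$root"/}
        mkdir -p "$dest/$(dirname "$rel")" || exit 1
        cp -p "$f" "$dest/$rel" || exit 1
        chmod 600 "$dest/$rel"
        (cd "$dest" && sha256sum "$rel") >> "$dest/MANIFEST.sha256"
    done
)

# After uploading the routing files again, check them against the manifest
# (give its absolute path). crontab is re-edited by hand and prefs.xml is kept
# for reference only, so neither is compared.
verify_routes() {
    root=${1%/}; manifest=$2
    routes=$(grep 'network-scripts/route-' "$manifest") || return 0  # none staged
    printf '%s\n' "$routes" | (cd "$root/" && sha256sum --quiet -c -)
}

# Print "size path" for each backup larger than the limit (default 2 GiB).
oversized_backups() {
    root=${1%/}; limit=${2:-$LIMIT_BYTES}
    for b in "$root"/var/lib/ovid/backups/*.tar.gz.pgp; do
        [ -f "$b" ] || continue
        size=$(($(wc -c < "$b")))
        if [ "$size" -gt "$limit" ]; then printf '%s %s\n' "$size" "$b"; fi
    done
    return 0
}
```

If the staging directory is created on the server itself, copy it off the server with SCP before booting from ISO, because the installation deletes all data on the disk.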

 

 

193931 - How to download Symantec Encryption products from the Broadcom download Portal (And where to find the license number for PGP)

 

Upgrade Path for Legacy version 2.12 SP4 to 10.5

1. Create backup from 2.12 SP4 (Build 1128)
2. Restore backup to 3.1.2 SP3 (Build 50 - Install with ISO on new "Linux 2.6 Other 32-bit" VMware system)
3. PUP Update to 3.3.0 (Build 8741)
4. PUP Update to 3.3.2 MP13 (Build 21495)
5. Create a backup from 3.3.2 MP13
6. Restore backup to SEMS 10.5  (Install ISO on new VM system "RHEL 7" or "CentOS 7" in VMware)

 

Upgrade Path for Legacy version 3.0.x to 10.5

1. PUP update from 3.0.x to 3.1.2 SP3.
2. Restore backup to 3.1.2 SP3 (Build 50 - Install with ISO on new "Linux 2.6 Other 32-bit" VMware system)
3. PUP Update to 3.3.0 (Build 8741)
4. PUP Update to 3.3.2 MP13 (Build 21495)
5. Create a backup from 3.3.2 MP13
6. Restore backup to SEMS 10.5  (Install ISO on new VM system "RHEL 7" or "CentOS 7" in VMware)

 

Upgrade Path for Legacy version 3.1.x to 10.5

1. If you're on a version older than 3.1.2 SP3, then PUP update to 3.1.2 SP3 first (Contact Symantec Support if you do not have the PUP updates as these are no longer housed in the download portal).
2. Once you're on version 3.1.2 SP3, then PUP Update to 3.3.0 (Build 8741).
3. From 3.3.0, PUP Update to 3.3.2 MP13 (Build 21495)
4. Create a backup from 3.3.2 MP13.
5. Restore backup to SEMS 10.5  (Install ISO on new VM system "RHEL 7" or "CentOS 7" in VMware)

 

Upgrade Path for Legacy version 3.2.1 to 10.5

1. Create a backup on 3.2.1 MP5 (Build 5033).
2. Restore the backup to 3.3.2 MP13 (Build 21495 - Install 3.3.2 MP13 ISO and restore)
3. Create a backup on 3.3.2 MP13
4. Restore the backup to 10.5 (ISO Install of 10.5).

 

 

Upgrade Path for Legacy version 3.3.x to 10.5

1. Update the PGP server to 3.3.2 MP12.
3. Create a backup on 3.3.2 MP13
4. Restore the backup to 10.5 (ISO Install of 10.5).

 

 

 

Restore Method

The "New Installation" method is recommended, but there is also a "Restore" operation, where all you see is the restore.
The steps to restore a backup are below. To use the New Installation method, you will need to have a new IP address that will not conflict with the old IP address.

For information on the New Installation method, see the following article:

157080 - Pictured Installation Guide for Symantec Encryption Management Server


TIP: For information on how to backup the Organization Key, a needed component for backup/restore/upgrade scenarios, see the following article:

180196 - HOW TO: Backup the Organization Key on Symantec Encryption Management Server (PGP Server)

This consists of the following steps:

  1. Export the Organization Key keypair, not just the public key, by logging into the administration console and navigating to Keys / Organization Keys, clicking on Organization Key and clicking on the Export button. A passphrase is optional. Store it in a safe location.
  2. Run a backup of Encryption Management Server. By default, backups are stored locally but clearly, this is not recommended. The backup location should have already been configured to store backups on a remote FTP or SCP server - please see article 180249 for details on how to do this. If backups are being stored locally, you will need to download the backup file using SCP from the /var/lib/ovid/backups directory. The name of the backup file will, by default, be in the format backup-name-hostname-backup-MM-DD-YY-HH-MI-SS.tar.gz.pgp. For example, PGP-Universal-Backup-keys.example.com-backup-03-31-21-10-09-08.tar.gz.pgp.
  3. Take a note of the server's basic network settings, specifically hostname, IP address, subnet mask, default gateway IP and DNS server IP addresses. If the server has more than one network interface, make a note of the IP addresses. If you have SCP available, download the file /etc/ovid/prefs.xml from the server because this contains not only the network settings but the license key and many other items of information.
  4. Boot from the release 10.5.1 ISO. You are warned that all data on the disk will be deleted and lost forever.
  5. Once installation is completed, enter the basic network settings. Only one DNS server IP needs to be specified at this stage.
  6. The server reboots from the fixed disk and shows Symantec Encryption Server for 3 seconds at the boot stage.
  7. If at reboot the screen containing the warning all data on the disk will be deleted and lost forever is displayed, it means the server has booted from ISO. Shut down the server, disconnect the ISO and power on the server.
  8. After the server has finished booting you are prompted to connect to it using a web browser.
  9. Connect to the server using a web browser on port 9000. Choose to do a Restore.
  10. When prompted, import the Organization Key. If you chose to set a passphrase when you exported it, you will need to enter it.
  11. When prompted, import the backup file.
  12. The data from the backup file will be restored. Please be patient. Restoring data takes at least twice as long as backing it up.
  13. Repeat the above steps for each server in a cluster.
  14. If the restore does not succeed, install from ISO again but this time at the Setup Type page choose New Installation.
  15. If the backup file is over 2 GB or the environment is complex then at the Setup Type page above you will also need to choose New Installation.

 

Troubleshooting

For assistance with general issues restoring backups, see the following article:

153588 - Restore Backup files to Symantec Encryption Management Server (PGP Server)

If you are seeing any other errors not outlined in the article above, please reach out to Symantec Encryption Support for further guidance.  

 

Special Note on Customization of the PGP Server

Custom scripts or files not in /var/lib/ovid/customization

Only custom scripts and files in the /var/lib/ovid/customization directory are backed up.

If you have custom scripts or files that are not in the /var/lib/ovid/customization directory then use SCP to download them to a safe location before installing using either the Restore or New Installation method.

After installing, use SCP to upload them to their original locations.

If the scripts are being run using entries in the /etc/crontab file then update the /etc/crontab file too.

Customization of pgp*.sh scripts in the /var/lib/ovid/customization directory

During the installation, any pgp*.sh scripts that were in the /var/lib/ovid/customization directory are moved to the /var/lib/ovid/customization_legacy directory.

If you have modified any of those scripts, you will need to SSH to the server and add back any customizations you made to the pgp*.sh scripts in the /var/lib/ovid/customization directory.

 

 

If you are using Custom Scripts with the PGP Server, you may want to re-evaluate if you still need these. 

Scripts would be provided only in special circumstances by a consulting group that specializes in the PGP server and warrants the customizations performed.
For more information on this, see article 197045.

 

 

Additional Information

197045 - Custom scripts are moved when upgrading to Encryption Management Server 10.5
