Technical considerations when upgrading Encryption Management Server to release 10.5

Article ID: 211876

Products

Encryption Management Server, Encryption Management Server Powered by PGP Technology, Gateway Email Encryption, Gateway Email Encryption Powered by PGP Technology

Issue/Introduction

Upgrading to Encryption Management Server release 10.5 or above from release 3.3.2 or above is described in the Symantec Encryption Management Server 10.5 Upgrade Guide. The benefits of upgrading to 10.5 or above are covered in article 150915, but note that as of 1 August 2021, all releases below 10.5 are end of service (support).

Before updating, please confirm that the DNS servers and any NTP server that Encryption Management Server is configured to use are still valid. Also, ensure that all Encryption Desktop clients connecting to the servers are running Encryption Desktop release 10.4 or above, otherwise they will not be able to communicate with Encryption Management Server using TLS 1.2.

There are two methods of upgrading and the method you choose depends on the size and complexity of your environment:

  1. Restore.
  2. New Installation.

Both upgrade types involve installing from ISO. Therefore, if Encryption Management Server is a VMware Virtual Machine, be sure to take a VMware snapshot prior to booting from ISO. This will allow you to roll back to the snapshot if necessary.

Use the Restore method if all of the following are true:

  1. Your backup file size is under 2 GB.
  2. You do not use Web Email Protection with a Complete Customization template.
  3. When you connect to the administration console you connect to network Interface 1 (eth0) of the server and Interface 1 is on the same subnet as the default gateway.
  4. Your server either does not use a network routing file for Interface 2 or above, or you have downloaded it to a safe location, for example /etc/sysconfig/network-scripts/route-eth1.
  5. You have either not customized the /etc/crontab file or you have downloaded it to a safe location.
  6. You either do not have custom scripts or other files in any directory other than /var/lib/ovid/customization or you downloaded the files to a safe location.
  7. You have either not customized any of the pgp*.sh scripts in the /var/lib/ovid/customization directory or the customizations are not critical.

Environment

Symantec Encryption Management Server release 10.5 and above.

Resolution

Restore Method

This consists of the following steps:

  1. Export the Organization Key keypair, not just the public key, by logging in to the administration console, navigating to Keys / Organization Keys, clicking on Organization Key and then clicking the Export button. A passphrase is optional. Store the exported keypair in a safe location.
  2. Run a backup of Encryption Management Server. Backups are stored locally by default, but this is not recommended; the backup location should have already been configured to store backups on a remote FTP or SCP server. If backups are being stored locally, you will need to download the backup file using SCP from the /var/lib/ovid/backups directory. By default, the backup file name has the format backup-name-hostname-backup-MM-DD-YY-HH-MI-SS.tar.gz.pgp, for example PGP-Universal-Backup-keys.example.com-backup-03-31-21-10-09-08.tar.gz.pgp.
  3. Take a note of the server's basic network settings: hostname, IP address, subnet mask, default gateway IP and DNS server IP addresses. If the server has more than one network interface, make a note of every interface's IP address. If you have SCP available, download the file /etc/ovid/prefs.xml from the server, because it contains not only the network settings but also the license key and many other items of information.
  4. Boot from the release 10.5 ISO. You are warned that all data on the disk will be deleted and lost forever.
  5. Once installation is completed, enter the basic network settings. Only one DNS server IP needs to be specified at this stage.
  6. The server reboots from the fixed disk and shows Symantec Encryption Server for 3 seconds at the boot stage.
  7. If at reboot the screen containing the warning "all data on the disk will be deleted and lost forever" is displayed, the server has booted from ISO again. Shut down the server, disconnect the ISO and power on the server.
  8. After the server has finished booting, you are prompted to connect to it using a web browser.
  9. Connect to the server using a web browser on port 9000. Choose to do a Restore.
  10. When prompted, import the Organization Key. If you set a passphrase when you exported it, you will need to enter it.
  11. When prompted, import the backup file.
  12. The data from the backup file will be restored. Please be patient: restoring data takes at least twice as long as backing it up.
  13. Repeat the above steps for each server in a cluster.
  14. If the restore does not succeed, install from ISO again, but this time choose New Installation at the Setup Type page.
  15. If the backup file is over 2 GB or the environment is complex, you will also need to choose New Installation at the Setup Type page.


New Installation Method

The New Installation setup type will:

  1. Require you to enter a license key. The old license key is in the /etc/ovid/prefs.xml file, which you should have downloaded prior to installing from ISO. Search for the XML tag <license-number>.
  2. Allow you to change the network settings if you wish.
  3. Generate a new Organization Key.
  4. Create an administrator account with the username admin and prompt you to set a password for that account.

At the end of the process you will have a fresh installation of Encryption Management Server with default settings.

Backup larger than 2 GB

If the only complexity in your environment is the size of your backup file:

  1. Log in to the administration console and navigate to Organization Keys.
  2. Click on the button in the Import column next to the Organization Key.
  3. Import the Organization Key that you exported before installing from ISO, replacing the Organization Key that was created as part of the new installation.
  4. Configure SSH.
  5. Use SCP to upload the backup file to the /root directory of the server.
  6. SSH to the server and restore the backup with this command, where PGP-Universal-Backup-keys.example.com-backup-03-31-21-10-09-08.tar.gz.pgp is the name of the backup file:
    pgpbackup -r PGP-Universal-Backup-keys.example.com-backup-03-31-21-10-09-08.tar.gz.pgp
  7. When the backup has been restored, you will need to log in with the username and password you used before you installed from ISO.

Web Email Protection

A Simple Web Email Protection template will be restored successfully.

An Advanced Web Email Protection template consists mainly of image files, so there is a very good chance that it will be restored successfully, but ensure you have a backup of the zipped images in a safe location.

However, a Complete Web Email Protection template is unlikely to be restored successfully. This is because it contains HTML files.

The only way to be certain that a Complete Web Email Protection template will work successfully in a new release is to install a new Encryption Management Server from ISO in a test environment and import the template. Correct any problems with the template in the test environment and then export it. When you have upgraded the production environment, import the template that you exported from the test environment.

Many Complete Customization Web Email Protection templates consist of customizations that can be made using an Advanced template. Before you upgrade, consider replacing the Complete Customization template with an Advanced template to avoid all the complexities of dealing with a Complete Customization template.

Network routing

When you install from ISO you need to enter an IP address for the server and a default gateway that is on the same subnet. Otherwise you will not be able to connect to the server using a web browser.

When you restore from the backup file, all the original network settings are restored. However, any network routing files in the /etc/sysconfig/network-scripts directory are not backed up and will therefore not be restored.

Therefore, if your connectivity to the Encryption Management Server administration console relies on a manual routing file being present in the /etc/sysconfig/network-scripts directory of the server then you may not be able to connect.

To avoid problems:

  1. Use SCP to download any routing files from the /etc/sysconfig/network-scripts directory of the server.
  2. Install using the New Installation method and ensure that you enter an IP address for the server and a default gateway IP that are on the same subnet.
  3. Once the new installation is completed, configure SSH.
  4. Upload the network routing files to the /etc/sysconfig/network-scripts directory of the server using SCP.
  5. Log in to the administration console and navigate to System / Network.
  6. Ensure that the network settings match what they were before you installed from ISO. This may include adding additional network interfaces.
  7. Ensure that you click the Save button on the Network Settings page, even if you made no changes. This will restart the network and load manual routing files.
  8. Optionally, SSH to the server and set a password for the root user so that you can log in at the console in case of routing problems. Use this command to set the root password:
    passwd
  9. SSH to the server and restore the backup.

Custom /etc/crontab file

The new installation will contain a default /etc/crontab file. If you have customized your /etc/crontab file you need to use SCP to download it to a safe location before you install from ISO.

After installing using either the Restore or New Installation method, the /etc/crontab on the server will contain only the default entries.

You will need to edit the /etc/crontab file on the server and add back any custom entries. Then restart the crond service with:

systemctl restart crond
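The Restore criteria, the license key you must re-enter after a New Installation, the same-subnet gateway requirement and the crontab entries you must add back can all be checked before you boot from ISO. The script below is an added example, not part of this article or the product: it runs on the administrator's workstation against files already downloaded from the server with SCP, assumes only what the article states (prefs.xml carries a <license-number> tag, Restore needs a backup under 2 GB, the installer needs the gateway on the server's subnet), and the sample file contents and addresses are constructed.

```shell
#!/bin/sh
# Pre-upgrade checks run on the administrator's workstation against files
# already downloaded from the server with SCP (prefs.xml, /etc/crontab).
# From the article: the <license-number> tag, the 2 GB Restore limit and the
# same-subnet gateway rule. Sample file contents and addresses are constructed.

ip_to_int() {
  # Convert a dotted-quad address or mask to a 32-bit integer
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

same_subnet() {
  # Succeeds when the interface IP ($1) and default gateway ($3) share the
  # network defined by mask ($2), which the ISO installer requires
  ip=$(ip_to_int "$1"); mask=$(ip_to_int "$2"); gw=$(ip_to_int "$3")
  [ $(( ip & mask )) -eq $(( gw & mask )) ]
}

backup_fits_restore() {
  # Restore only handles backup files under 2 GB (taken here as 2*1024^3 bytes)
  [ "$(wc -c < "$1" | tr -d ' ')" -lt $(( 2 * 1024 * 1024 * 1024 )) ]
}

license_from_prefs() {
  # Recover the old license key from the downloaded /etc/ovid/prefs.xml
  sed -n 's/.*<license-number>\([^<]*\)<\/license-number>.*/\1/p' "$1" | head -n 1
}

custom_cron_entries() {
  # Lines of the saved /etc/crontab ($1) missing from the default one ($2):
  # these are the entries to add back after the fresh installation
  grep -v -x -F -f "$2" "$1" | grep -v '^#' | grep -v '^[[:space:]]*$' || true
}

# Constructed demo inputs; a real run points these at the downloaded files
DEMO=$(mktemp -d)
printf '<prefs>\n  <license-number>LICENSE-PLACEHOLDER</license-number>\n</prefs>\n' > "$DEMO/prefs.xml"
printf 'SHELL=/bin/sh\n' > "$DEMO/crontab.default"
printf 'SHELL=/bin/sh\n0 2 * * * root /root/nightly-report.sh\n' > "$DEMO/crontab.saved"
dd if=/dev/zero of="$DEMO/backup.tar.gz.pgp" bs=1024 count=1 2>/dev/null

echo "License key to re-enter: $(license_from_prefs "$DEMO/prefs.xml")"
backup_fits_restore "$DEMO/backup.tar.gz.pgp" && echo "Backup under 2 GB: Restore method possible"
same_subnet 192.0.2.10 255.255.255.0 192.0.2.1 && echo "Gateway 192.0.2.1 is on the eth0 subnet"
echo "Cron entries to add back:"; custom_cron_entries "$DEMO/crontab.saved" "$DEMO/crontab.default"
```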

Custom scripts or files not in /var/lib/ovid/customization

Only custom scripts and files in the /var/lib/ovid/customization directory are backed up.

If you have custom scripts or files that are not in the /var/lib/ovid/customization directory then use SCP to download them to a safe location before installing using either the Restore or New Installation method.

After installing, use SCP to upload them to their original locations.

If the scripts are being run using entries in the /etc/crontab file then update the /etc/crontab file too.

Customization of pgp*.sh scripts in the /var/lib/ovid/customization directory

During the installation, any pgp*.sh scripts that were in the /var/lib/ovid/customization directory are moved to the /var/lib/ovid/customization_legacy directory.

If you have modified any of those scripts, you will need to SSH to the server and add back any customizations you made to the pgp*.sh scripts in the /var/lib/ovid/customization directory.

See article 197045 for further details.
