Upgrading to Encryption Management Server release 10.5 or above from release 3.3.2 or above is described in the Symantec Encryption Management Server 10.5 Upgrade Guide. The benefits of upgrading to 10.5 or above are covered in article 150915 but note that as of 1 August 2021, all releases below 10.5 are end of service (support).
Before updating, please confirm that the DNS servers and any NTP server that Encryption Management Server is configured to use are still valid. Also, ensure that all Encryption Desktop clients connecting to the servers are running Encryption Desktop release 10.4 or above, otherwise they will not be able to communicate with Encryption Management Server using TLS 1.2.
There are two methods of upgrading and the method you choose depends on the size and complexity of your environment:
Both upgrade types involve installing from ISO. Therefore, if Encryption Management Server is a VMware Virtual Machine, be sure to take a VMware snapshot prior to booting from ISO. This will allow you to rollback to snapshot if necessary.
Use the Restore method if all of the following are true:
Symantec Encryption Management Server release 10.5 and above.
This consists of the following steps:
The New Installation setup type will:
At the end of the process you will have a fresh installation of Encryption Management Server with default settings.
If the only complexity in your environment is the size of your backup file:
A Simple Web Email Protection template will be restored successfully.
An Advanced Web Email Protection template consists mainly of image files so there is a very good chance that it will be restored successfully but ensure you have a backup of the zipped images in a safe location.
However, a Complete Web Email Protection template is unlikely to be restored successfully. This is because it contains HTML files.
The only way to be certain that a Complete Web Email Protection template will work successfully in a new release is to install a new Encryption Management Server from ISO in a test environment and import the template. Correct any problems with the template in the test environment and then export it. When you have upgraded the production environment, import the template that you exported from the test environment.
Many Complete Customization Web Email Protection templates consist of customizations that can be made using an Advanced template. Before you upgrade, consider replacing the Complete Customization template with an Advanced template to avoid all the complexities of dealing with a Complete Customization template.
When you install from ISO you need to enter an IP address for the server and a default gateway that is on the same subnet. Otherwise you will not be able to connect to the server using a web browser.
When you restore from the backup file, all the original network settings are restored. However, any network routing files in the /etc/sysconfig/network-scripts directory are not backed up and will therefore not be restored.
Therefore, if your connectivity to the Encryption Management Server administration console relies on a manual routing file being present in the /etc/sysconfig/network-scripts directory of the server then you may not be able to connect.
To avoid problems:
The new installation will contain a default /etc/crontab file. If you have customized your /etc/crontab file you need to use SCP to download it to a safe location before you install from ISO.
After installing using either the Restore or New Installation method, the /etc/crontab on the server will contain only the default entries.
You will need to edit the /etc/crontab file on the server and add back any custom entries. Then restart the crond service with:
systemctl restart crond
Only custom scripts and files in the /var/lib/ovid/customization directory are backed up.
If you have custom scripts or files that are not in the /var/lib/ovid/customization directory then use SCP to download them to a safe location before installing using either the Restore or New Installation method.
After installing, use SCP to upload them to their original locations.
If the scripts are being run using entries in the /etc/crontab file then update the /etc/crontab file too.
During the installation, any pgp*.sh scripts that were in the /var/lib/ovid/customization directory are moved to the /var/lib/ovid/customization_legacy directory.
If you have modified any of those scripts, you will need to SSH to the server and add back any customizations you made to the pgp*.sh scripts in the /var/lib/ovid/customization directory.
See article 197045 for further details.