Data Center Security Server (DCS) Upgrade Plan: Know before you upgrade

Article ID: 213959

Products

Data Center Security Server, Data Center Security Server Advanced, Data Center Security Monitoring Edition

Issue/Introduction

If you plan to upgrade your DCS Manager, follow this article to ensure a seamless upgrade.

Environment

Data Center Security (DCS) 

Resolution

Backups
- Make a backup of the database. (Consider shrinking it; follow up with your DBA.)
  See: Make a database backup

- Take a snapshot or backup of the DCS manager.
  See: Backup and restore DCS database

- Back up all the .ssl files and certs in the DCS directories (install directory/server).
  - cacerts file location: install directory/server/jre/lib/security/cacerts

- Back up the server.xml and quartz.properties files (install directory/server/tomcat/conf).

- Ensure you have adequate space on the manager and DB.
  See: System requirements for DCS environment
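
The file-level backups in the list above can be scripted. The following PowerShell is an added example, not vendor-supplied tooling; `$InstallDir`, `$BackupDir` and the `manifest.csv` file name are assumptions to adapt to your site. It copies the files named in the checklist, verifies each copy by SHA-256, and writes a manifest you can compare against after the upgrade or a restore.

```powershell
# Added example (not DCS tooling). Parameters and manifest name are assumptions.
param(
    [Parameter(Mandatory)] [string] $InstallDir,  # DCS install directory (site-specific)
    [Parameter(Mandatory)] [string] $BackupDir    # destination outside the install tree
)
$ErrorActionPreference = 'Stop'
$server = (Resolve-Path -LiteralPath (Join-Path $InstallDir 'server')).Path

# Fixed files named in the checklist, relative to <install directory>\server
$required = @(
    'jre\lib\security\cacerts',
    'tomcat\conf\server.xml',
    'tomcat\conf\quartz.properties'
)
$files = @()
foreach ($rel in $required) {
    $p = Join-Path $server $rel
    # Fail early: a missing file means the path is wrong or the backup is incomplete
    if (-not (Test-Path -LiteralPath $p -PathType Leaf)) { throw "Missing expected file: $p" }
    $files += Get-Item -LiteralPath $p
}
# All .ssl files under the server directory
$files += @(Get-ChildItem -LiteralPath $server -Filter '*.ssl' -File -Recurse)

$manifest = foreach ($f in $files) {
    # Preserve the relative path so same-named files do not overwrite each other
    $rel  = $f.FullName.Substring($server.Length).TrimStart('\')
    $dest = Join-Path $BackupDir $rel
    New-Item -ItemType Directory -Path (Split-Path $dest -Parent) -Force | Out-Null
    Copy-Item -LiteralPath $f.FullName -Destination $dest -Force
    $src = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
    $dst = (Get-FileHash -LiteralPath $dest -Algorithm SHA256).Hash
    if ($src -ne $dst) { throw "Hash mismatch after copy: $rel" }
    [pscustomobject]@{ RelativePath = $rel; SHA256 = $src; Bytes = $f.Length }
}
# The backup holds keystores and certificates: keep $BackupDir access-restricted
$manifest | Export-Csv -Path (Join-Path $BackupDir 'manifest.csv') -NoTypeInformation
$manifest | Format-Table -AutoSize
```

Run it from an elevated prompt on each manager before stopping services, and store the backup where only administrators can read it.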

SQL Users and Settings 
- Stop all maintenance tasks on the DB (nothing should be running, including Splunk connectors, etc.).

- Disable and log out any SIEM-type users so nothing is pulling data from the database.

- Verify that your database users (sa, scsp_ops, scspdba) are present and enabled in the database and have the correct permissions, and that you have the passwords you installed with. In addition, there will be a umcadmin user for the dcsc_umc database. It's common for DBAs to disable accounts like sa and umcadmin, and these are needed during the upgrade.

- Ensure the scsp_ops and umcadmin passwords are 17 or more characters in length; the upgrade will fail on the UMC database if the password is under 17 characters.

- Use the actual "sa" account when upgrading. It will only be used during the upgrade, because the upgrade makes changes in SQL that require the "sa" account.

DCS Manager Action Items
- Stop DCS services on ALL managers, and disable the SISManager service on all but the primary manager. (You will re-enable it when you start the upgrade on those managers.)

- Stop AV and disable UAC and SmartScreen (SEP tamper protection in particular, if applicable).

- Ensure no GPO is set to re-enable the services.

- If there's an agent on the managers, set the prevention policy to null.

- Verify that the registry key TomcatOnlyInstall on the primary server either does not exist or is set to FALSE.
  See: DCS Tomcat only registry key

- Upgrade the primary (run server.exe from an Administrative Command Prompt).

- After the primary has been upgraded, log in to UMC and ensure you can see your Assets page.

Upgrading Secondary Servers (aka Tomcat Only)
- Enable the SISManager service (disabled in prior steps).
- Run server.exe from an Administrative Command Prompt.

Additional Information

- If you have Windows agents lower than 6.7.3.1474, you will need to apply the LiveUpdate fix after your upgrade is complete. (Partner with support for the workaround.)

- Sometimes the Java console fails to upgrade with 6.9.0 due to a lack of permissions on a directory that houses legacy console files.
  See: DCS java console Error-The JVM could not be started

- You will see an automatic upgrade option in the UMC for the Linux agents in 6.9. This feature will not work to upgrade any agents lower than 6.9.0, and there will not be a new agent released that works for the auto upgrade until 6.9.1. Please don't use that feature quite yet.