For most scenarios, it is sufficient to update the PGP Encryption Server using a .PUP file, which is an incremental update file.
For information on the PUP update process, see the following article:
180749 - Upgrading the PGP Encryption Server using a *.pup file (Symantec Encryption Management Server)
For some scenarios, it is necessary to take a full backup of the PGP Encryption Server and restore that backup to a new version.
This article will cover the upgrade process when a full backup is taken and restored using a completely new version of the PGP Encryption Server.
For more information on the benefits and technical considerations of upgrading, see the following articles:
The first step to performing an upgrade to a new version is knowing if you need to do a full backup and restore.
If you are unsure about this, review the technical considerations shown in the Introduction section as well as the PGP Encryption Server upgrade guide.
Once you know you need to do a full backup and restore, you will first get the backup from the PGP Encryption Server you wish to upgrade.
In this example, we will be using a backup from PGP Encryption Server version 10.5.1.
We will then restore that to PGP Encryption Server 11.0.1.
Step 1: Obtain the backup as well as the Organization Key Pair from the server you are migrating.
If you are not sure how to obtain the keypair of your org key, see the following article:
180196 - Backup the Organization Key on the PGP Encryption Server (Symantec Encryption Management Server)
For more information on the Organization Keys, see the following article:
156068 - PGP Encryption Server Organization Key and Organization Certificate General Information and Guidelines (Symantec Encryption Management Server)
Step 2: Determine new IP Addresses and Hostnames for your new PGP Encryption Servers.
In this example, we are going to be upgrading using the "New Installation" option. This is especially important if you are using a clustered setup.
You can upgrade one server while the other node is still in production.
For this test, we are upgrading two nodes currently on version 10.5.1: one node with the IP address of 192.168.1.150 for the host keys150.example.com, and the other node with 192.168.1.160 for the host keys160.example.com.
As mentioned, both the .150 and .160 nodes are on PGP Encryption Server version 10.5.1.
Step 3: We are going to prepare the PGP Encryption Server 11.0.1.
We will be using the IP address of 192.168.1.170 for keys170.example.com and the IP address of 192.168.1.180 for keys180.example.com.
We will take the backup from .150 and restore to .170.
We will take the backup from .160 and restore to .180.
To prepare your two PGP Encryption Servers on version 11.0.1, see the following article and choose "New Installation":
Step 4: Once both your "keys170.example.com" and "keys180.example.com" servers have been set up as completely new installations, proceed with the next steps.
You will notice that after configuring each of the servers, and clicking on the Org Keys, you'll see they have their own new Organization Keys.
Notice the Key ID values for each server are different. Neither of these match your existing environment that you are upgrading:
Step 5: Now upload the Organization Key from your existing 10.5.1 environment to the new PGP Encryption Server 11.0.1 environments:
You will get a warning, but this is okay as we want to use the existing Organization Key.
Step 6: Once you have done this for both servers, confirm they have the same Key IDs:
Step 7: Now that both servers on version 11.0.1 have the same Key IDs for the Organization Key, we are ready to then upload the backups from the 10.5.1 servers.
Note: PGP Encryption Server now allows backups of up to 10 GB each.
If you have a backup larger than 10 GB, reach out to Symantec Encryption Support for further guidance.
On the System, Backups tab, you will click on "Upload Backup" and browse to your backup from 10.5.1:
Step 8: New for PGP 11.0.1 and above, you are able to restore a backup to a new server and change the network settings at the same time.
For example, if you wanted to take a backup that had an IP address of "192.168.1.150", restore it, and give it the IP address of "192.168.1.190" with the hostname "keys190.example.com", you can do this.
To do this, simply install the new PGP Encryption Server 11.0.1 with the .190 address, and check the box "Keep current network settings" and the restore will use the destination network settings.
The data will be restored, but the IP will now be 192.168.1.190 and hostname "keys190.example.com".
Caution: If you are in a clustered environment, you cannot use this setting as it will wipe out your cluster data!!!
Do NOT check this box if you are in a clustered setup. Instead, leave all the settings unchecked.
In this example, we are in a clustered environment, so we will leave everything unchecked:
If in doubt, reach out to Symantec Encryption Support for further guidance. Breaking a cluster and having to rejoin can cause extra complexity that can be avoided.
Additionally, if you enable "Keep current network settings", the hostname of the PGP Encryption Servers will also change.
This means your PGP Encryption Desktop clients may stop communicating with their configured "PGPStamp".
If this is a concern, do not use this setting.
TIP: It is always nice to have a snapshot of your server before restoring a backup. If needed, it's easy to revert the snapshot and try again.
Step 9: Be careful about the backup you are restoring and confirm the name and version.
In this example, you can see it was named "1051MP2HF1". It's often useful to give your backup a memorable name to make it easy to select during upgrade:
Step 10: At this stage, since we are taking a backup from 150 and 160 and restoring them to 170 and 180 respectively, you should shut down the existing 150/160 servers.
When the restore happens, the restored servers will take on the same network settings as the servers the backups came from.
Step 11: Once you have uploaded the backup, click on "Restore":
The following warning will appear:
When restoring backup files, all previous data will be wiped out. They do not add on to existing data.
In this scenario, we are upgrading the test servers so it is easy to do.
Step 12: The restoration process will now take place. If the backup is an older version, all the data will be migrated to the new version:
Step 13: At some point, you should see this page:
Don't stay on this page forever. Because the backup restored the .150 address, eventually this page will no longer work.
Enter in the IP address manually to see if the restore has completed: https://192.168.1.150:9000.
Step 14: Do these same steps for each of the other cluster nodes.
Step 15: Once the backups have been successfully restored, the network settings will have been fully restored from the backups.
The .170 server will now be overwritten with the data and will now take on the original .150 address and hostname.
The .180 server will now be overwritten with the data and will now take on the original .160 address and hostname:
Step 15: Once you enter in the above IP address for your setup, you should be redirected to the "smc" console:
Step 16: Once you login, you'll see all the new KPIs loading:
Once they are loaded, you will see that the PGP Encryption Server needs to be licensed:
Step 17: At this stage of the setup, you are prompted for your license file for PGP Encryption Server: "Your trial period will end in 90 days. Upload a license".
Even if you have entered a license number in the past, it is necessary to re-enter the new license .SLF file to the PGP Encryption Server.
For assistance to enter the new license number, see the following article:
For information on how to find your license .SLF file, see the following article:
206503 - How to find your license number for Symantec Encryption products (PGP and SEE)
Step 18: Also on the dashboard, you will see some alerts that some details need to be entered on the "omc" portal.
For example, Directory Synchronization has not been entered, but is not available in the new "smc" console, so the alert states you should login to the SEMS to finish these steps:
To login to the "omc" portal, click the hyperlink in the UI or go to the URL for your IP:
https://192.168.1.170:9000/omc
Note: The "smc" will have new items and advanced reporting capabilities. Most of the functionality is being ported over to the "smc" from the "omc" portal.
Much functionality still exists in the "omc" so for now, both UIs will be used. Eventually, everything will be ported over to the new "smc" portal so familiarize yourself with the new UI.
From here, you can access the old console for familiar management using the OMC icon at the top right of the console:
Now you can enter the credentials and access the omc console:
Step 19: Now login to both of your servers and ensure everything looks like it restored successfully.
Step 20: It is highly recommended to reboot both servers after they are upgraded once you have confirmed everything looks normal.
Step 21: Check to make sure clustering is replicating and happening properly by adding admins on each server and ensuring they replicate back and forth.
Delete the admins and ensure the deletes happen.
Step 22: Take backups of the newly upgraded servers.
Step 23: If you have PGP Encryption Desktop clients, ensure they are communicating to the new hosts.
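
The checks from Steps 5 through 10 can be written down as a pre-flight test to run before clicking "Restore". This is an added example, not part of the original article or of the product: `NodePlan`, `preflight` and the sample Key IDs and backup sizes are hypothetical, and the 10 GB limit is assumed to mean 10 GiB.

```python
from dataclasses import dataclass

MAX_BACKUP_BYTES = 10 * 1024**3  # assumption: the article's 10 GB limit read as 10 GiB

@dataclass
class NodePlan:
    source: str            # existing server being migrated
    dest: str              # freshly installed server that receives the backup
    source_key_id: str     # Organization Key ID on the existing server
    dest_key_id: str       # Organization Key ID shown on the new server (Step 6)
    backup_bytes: int      # size of the backup file to upload (Step 7)
    source_shut_down: bool # Step 10: old server powered off before Restore

def _norm(key_id):
    """Compare Key IDs regardless of spacing, case or a leading 0x."""
    k = key_id.replace(" ", "").upper()
    return k[2:] if k.startswith("0X") else k

def preflight(nodes, clustered, keep_network):
    """Return (where, problem) tuples; an empty list means nothing blocks Restore."""
    problems = []
    if clustered and keep_network:
        problems.append(("cluster", "'Keep current network settings' must stay "
                         "unchecked: it wipes out cluster data (Step 8)"))
    for n in nodes:
        if _norm(n.source_key_id) != _norm(n.dest_key_id):
            problems.append((n.dest, "Organization Key ID differs from the "
                             "existing environment; upload the old key (Step 5)"))
        if n.backup_bytes > MAX_BACKUP_BYTES:
            problems.append((n.dest, "backup exceeds 10 GB; contact support (Step 7)"))
        if not keep_network and not n.source_shut_down:
            problems.append((n.dest, f"{n.source} is still running and the restore "
                             "will bring up its address and hostname (Step 10)"))
    return problems

# Constructed plan using the article's hostnames; Key IDs and sizes are made up.
PLAN = [
    NodePlan("keys150.example.com", "keys170.example.com",
             "0xA1B2C3D4", "a1b2 c3d4", 3 * 1024**3, True),
    NodePlan("keys160.example.com", "keys180.example.com",
             "0xA1B2C3D4", "0x5E6F7788", 12 * 1024**3, False),
]

if __name__ == "__main__":
    for where, problem in preflight(PLAN, clustered=True, keep_network=False):
        print(f"{where}: {problem}")
```

With the constructed plan, the first node passes and the second is reported three times: mismatched Organization Key, oversized backup, and a source server that is still powered on.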