Miho Sjoquist

NetWitness Suite 10.6.2/10.6.0/10.5.2 Mixed-mode Upgrade

Blog Post created by Miho Sjoquist (Employee) on Dec 15, 2016

Per request from external teams, I experimented with the NetWitness Suite/Security Analytics 10.6.2 upgrade in a mixed-mode installation.


Case 1: SA 10.6.2 and a new host in 10.5.2


  • SA server has been upgraded from 10.6.0 to 10.6.2 using the split zip files.
  • Another host (Decoder) has been built from the 10.5.0 OVA and was upgraded to 10.5.2. 


  • SA 10.6.2 - to - Decoder 10.5.2 provisioning was successful.
  • Upgrade to 10.6.2 is available on the HOST screen and the upgrade was successful.


Case 2: SA 10.6.2 and new host in 10.6.0


  • SA server has been upgraded to 10.6.2 using the split zip files.
  • A new host (Concentrator) has been built from the 10.6.0 OVA.


  • SA 10.6.2 - to - Decoder 10.6.0 provisioning was successful.
  • The new 10.6.0 host can be upgraded using rpms in SA's repo. 


Case 3: WLC on Win2K12 and SA 10.6.0 / 10.6.2 setups


  • Added WLC on Win2K12 to the 10.6.0 / 10.6.2 setup, tested the functionality of LC, and could see all events on the Concentrator.


  • Upgraded WLC to 10.6.2 on Win2K12 and noticed that the NwLogCollector service crashes post-upgrade (ASCO-27227).

PEM file issue

If you are upgrading a new 10.6.0.x system (built from a 10.6.0 image) to 10.6.2 for the first time and you are using SMCUpdate, you must run the following command to create a PEM file.

/# touch /etc/pki/CA/certs/RSACorpCAv2.pem

This workaround has been noted in the 10.6.1 Update Instructions (page 15, Task 8) but not in the 10.6.2 Update Instructions. 

This isn't an issue if you are using 10.6.2 upgrade zip files.

The issue won't be fixed until the next image is released.


Note: Background image is Lake Assal in Djibouti. I'm dreaming of a sunny and warm place...