Skip navigation
All Places > Products > RSA NetWitness Platform > Blog > Authors Miho Sjoquist

RSA NetWitness Platform

2 Posts authored by: Miho Sjoquist Employee

The Security Analytics/NetWitness Suite Patch releases can be installed on Service Packs, but not on major releases. For example, 10.6.1.1 can be installed on 10.6.1.0 but not on 10.6.0.0. This also means that the patch release upgrade packages only contain the rpms that are needed to upgrade from the nearest service packs.

If the latest patch was not applied to all appliances at the same time, you need to use a workaround to update them.

 

Preconditions

  • SA server, Log Collector, and Concentrator have been built from the 10.6.0 OVA.
  • Connection to Live Update Repository was turned off.
  • SA Server and Log Collector were upgraded to 10.6.1 by using the split zip packages (7 zip files). But the Concentrator was left as 10.6.0.0.

 

Case 1

The 10.6.1 upgrade package was removed from the local repo (SA UI -> Systems -> Updates -> Settings -> Manage Repository. Select and remove 10.6.1).

Now the 10.6.1.1 packages (5 zip files) were uploaded.

Observation 

SA Server and LC can be upgraded to 10.6.1.1. But Concentrator only sees 10.6.0.2 as a possible upgrade.

 

Workaround

1. Load 10.6.1 so that there will be both 10.6.1 and 10.6.1.1 in the local repo.

2. Log into the Concentrator console.

3. Copy the /etc/yum.repos.d/RSASoftware.repo file and create the temp.repo file under the same location. In the temp.repo file, change the last section of the baseurl with the actual release number to 10.6.1 (SA server's local repo folder.)

Example:

[temp]
baseurl=http://puppetmaster.local/rsa/updates/10.6.1/
enabled=1
gpgcheck=1
sslverify=1

4. From a command prompt, run “yum clean all”, followed by “ yum check-update”. At this point, you should be able to see the SA 10.6.1.1 rpms returned.

6. Run “yum update –y

7. After a successful upgrade, delete the temp.repo file.

 

 

Case 2

From the end of Case 1 --- After upgrading the SA server to 10.6.1.1, add a new 16.0.0.0 ESA.

 

Observation

The new ESA was provisioned successfully.
The only update option available to the ESA is 10.6.0.2 but only sees 10.6.0.2 as a possible upgrade.

Workaround 

The same workaround above will work for ESA.

 

This scenario came from Michael McGillick originally a couple of months ago. I thought that above information is worth sharing.

Thank you Melinda Zelenkov for reviewing this post.

Per request from external teams, I experimented with the NetWitness Suite/Security Analytics 10.6.2 Upgrade in mixed-mode installation.

 

Case 1: SA 10.6.2 and a new host in 10.5.2

Description

  • SA server has been upgraded from 10.6.0 to 10.6.2 using the split zip files.
  • Another host (Decoder) has been built from the 10.5.0 OVA and was upgraded to 10.5.2. 

Observation: 

  • SA 10.6.2 - to - Decoder 10.5.2 provisioning was successful.
  • Upgrade to 10.6.2  is available on the HOST screen and the upgrade was successful. 

 

Case 2: SA 10.6.2 and new host in 10.6.0

Description

  • SA server has been upgraded to 10.6.2 using the split zip files
  • A new host (Concentrator) has been built from the 10.6.0 OVA.

Observation

  • SA 10.6.2 - to - Decoder 10.6.0 provisioning was successful.
  • The new 10.6.0 host can be upgraded using rpms in SA's repo. 

 

Case 3: 10.5.1.2 WLC on Win2K12 and SA 10.6.0 / 10.6.2 setups

Description

  • 10.5.1.2 WLC on Win2K12 and added WLC to 10.6.0 / 10.6.2 setup and tested the functionality of LC and could see all events Concentractor

Observation

  • Upgraded to 10.5.1.2 WLC -> 10.6.2 on WIN2K12 and noticed that NwLogCollector Service crash post upgrade(ASCO-27227).

PEM file issue

If you are upgrading from a new 10.6.0.x systems (from a 10.6.0 image) to 10.6.2 for the first time and you are using SMCUpdate, you must run the following command to create a PEM file.

/# touch /etc/pki/CA/certs/RSACorpCAv2.pem

This workaround has been noted in the 10.6.1 Update Instructions (page 15, Task 8) but not in the 10.6.2 Update Instructions. 

This isn't an issue if you are using 10.6.2 upgrade zip files.

The issue won't be fixed until the next image is released.

 

Note: Background image is Lake Assal is Djibouti. I'm dreaming of a sunny and warm place...

Filter Blog

By date: By tag: