
Physical Host 10.6.6.x to 11.3 Upgrade: Upgrade Instructions

Document created by RSA Information Design and Development Employee on Apr 10, 2019. Last modified by RSA Information Design and Development Employee on Mar 17, 2020.
 

This topic contains the tasks you must complete to upgrade Security Analytics 10.6.6.x to NetWitness Platform 11.3.0.2. Go to the Master Table of Contents to find all NetWitness Platform Logs & Network 11.x documents.

Caution: 1.) Make sure that you backed up your Security Analytics 10.6.6.x data before attempting to upgrade to NetWitness Platform 11.3.0.2.
2.) Run the backup immediately before upgrading the hosts for each phase to avoid restoring stale data.
3.) This guide applies to physical host upgrades exclusively. If you have physical and virtual hosts in your deployment, see the Virtual Host Upgrade Guide for the steps to upgrade virtual hosts.

Complete the major upgrade tasks in the following order.

Phase 1 - Upgrade SA Server, Event Stream Analysis, Malware Analysis, and Broker or Concentrator Hosts

Task 1 - Upgrade the 10.6.6.x SA Server to 11.3.0.2 NW Server

Follow the instructions under Upgrade 10.6.6.x SA Server Host to 11.3.0.2 NW Server Host.

Task 2 - Upgrade 10.6.6.x ESA to 11.3.0.2

Caution: If you had C2 modules enabled in 10.6.6.x, the modules will enter a warm-up period after you upgrade the Event Stream Analysis service to 11.3.0.2, and they will not be available until the warm-up completes.

Follow the instructions under Upgrade a 10.6.6.x Component Host to 11.3.0.2 to upgrade your ESA hosts to 11.3.0.2, and complete the following two tasks.

 

  1. Create the base image on your primary ESA host, set it up through the Setup program, and install ESA Primary on the host in the user interface on the Admin Hosts view.

    Note: If you have multiple ESA hosts in your enterprise, you must upgrade the ESA Primary host, where all the mongodb (Mongo Database) backup tar files are located, first, before you upgrade ESA Secondary hosts.

  2. (Conditional) If you have a secondary ESA host, create the base image on your secondary ESA host, set it up through the Setup program, and install ESA Secondary on the host in the user interface on the Admin Hosts view.
 

Task 3 - Upgrade 10.6.6.x Malware Analysis to 11.3.0.2

Follow the instructions under Upgrade a 10.6.6.x Component Host to 11.3.0.2.

Task 4 - Upgrade 10.6.6.x Broker or 10.6.6.x Concentrator to 11.3.0.2

Follow the instructions under Upgrade a 10.6.6.x Component Host to 11.3.0.2.

Note: If you do not have a Broker, upgrade your Concentrator hosts. The 11.3.0.2 NW Server cannot communicate with 10.6.6.x core services for the new Investigate functionality. This is why you must upgrade the Broker or Concentrator hosts in Phase 1.

Phase 2 - Upgrade All Other Hosts

See Appendix B. Stopping and Restarting Data Capture and Aggregation for instructions on how to stop and restart data capture and aggregation when upgrading the Decoder, Concentrator, and Log Collection hosts.

Decoder and Concentrator Hosts

  1. Stop data capture and aggregation.
  2. Complete the steps in Upgrade a 10.6.6.x Component Host to 11.3.0.2.
  3. Restart data capture and aggregation.

Log Decoder Host

  1. Make sure you have prepared the Log Collector as described in "Log Collectors (LC) and Virtual Log Collectors (VLCs): Run prepare-for-migrate.sh" in the Backup Instructions.

  2. Stop data capture on the Log Decoder.
  3. Complete the steps in Upgrade a 10.6.6.x Component Host to 11.3.0.2.
  4. Restart data capture on the Log Decoder.

    Note: After you upgrade, you will restart log collection after completing the "Task 1. Reset Stable System Values for Log Collector after Upgrade" in the Post Upgrade Tasks.

Virtual Log Collector Host

  1. Make sure you have prepared the Virtual Log Collector as described in "Log Collectors (LC) and Virtual Log Collectors (VLCs): Run prepare-for-migrate.sh" in the Backup Instructions.
  2. Back up your 10.6.6.x VLC by editing the all-systems file on the host where you performed the backup.

    1. Make sure your all-systems file contains this information before you perform this step.
      vlc,<host-name>,<IP-address>,<UUID>,10.6.6.x
    2. Run the following command to create the backup.
      ./nw-backup.sh -u
      See Backup Instructions for detailed procedures on how to back up the host.
    3. Make sure the backup host contains the VLC backup in the following format.
      <hostname>-<IPaddress>-root.tar.gz
      <hostname>-<IPaddress>-root.tar.gz.sha256
      <hostname>-<IPaddress>-backup.tar.gz
      <hostname>-<IPaddress>-backup.tar.gz.sha256
      <hostname-IPaddress>-network.info.txt
      all-systems-master-copy

    1. Power off the 10.6.6.x VLC so that a new 11.3.0.2 VM can be created with the same network configuration.
    2. Deploy a fresh NetWitness 11.3.0.2 Component Host using the 11.3.0.2 NetWitness Platform ova.
    3. Connect to the VM console of the new VLC.
    4. Update the network configuration to be the same as the 10.6.6.x VLC.
      This information is stored in the <hostname-IPaddress>-network.info.txt 10.6.6.x VLC backup file.

      Note: Make sure IPv6 is disabled.

      1. Edit the /etc/sysconfig/network-scripts/ifcfg-eth0 file and update the settings. Contents of ifcfg-eth0 should be as follows.
        TYPE=Ethernet
        DEFROUTE=yes
        NAME=eth0
        UUID=<uuid>
        DEVICE=eth0
        DNS1=<nameserver from <hostname>-<ipaddress>-network-info.txt>
        DNS2=<nameserver from <hostname>-<ipaddress>-network-info.txt>
        BOOTPROTO=static
        IPADDR=<ipaddress from <hostname>-<ipaddress>-network-info.txt>
        NETMASK=<netmask from <hostname>-<ipaddress>-network-info.txt>
        GATEWAY=<gateway from <hostname>-<ipaddress>-network-info.txt>
        NM_CONTROLLED=no
        ONBOOT=yes
      2. Submit the following command string.
        systemctl restart network.service
    5. Create the backup directory.
      # mkdir -p /var/netwitness/database/nw-backup/
    6. Copy the backup from /var/netwitness/database/nw-backup on the backup host to the /var/netwitness/database/nw-backup directory on the new VLC.

    7. Complete steps 2 through 12 inclusive in Upgrade a 10.6.6.x Component Host to 11.3.0.2 for the rest of the NetWitness Platform components. Make sure that you select Log Collector for the service in step 12.
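
The VLC backup set copied to the new host in the steps above can be checked before the Setup program restores it. The following is an added example, not an RSA-supplied script: it confirms that the six files listed for the VLC backup are present and that each archive matches its .sha256 file. It assumes each .sha256 file stores the hex digest as its first field (sha256sum style); the function name verify_vlc_backup is hypothetical.

```shell
#!/usr/bin/env bash
# Added example, not part of the RSA procedure or tooling.
# Assumption: each .sha256 file holds the SHA-256 hex digest as the first
# whitespace-separated field on its first line (sha256sum output style).

# verify_vlc_backup <backup-dir> <hostname> <ip-address>
# Returns 0 when every expected file exists and is non-empty and both
# archives match their recorded digests; otherwise prints the reasons to
# stderr and returns 1.
verify_vlc_backup() {
    local dir="$1" prefix="$2-$3" rc=0
    local f archive recorded actual

    # File names as given in the VLC backup listing on this page.
    for f in "$prefix-root.tar.gz" "$prefix-root.tar.gz.sha256" \
             "$prefix-backup.tar.gz" "$prefix-backup.tar.gz.sha256" \
             "$prefix-network.info.txt" "all-systems-master-copy"; do
        if [ ! -s "$dir/$f" ]; then
            echo "MISSING or empty: $dir/$f" >&2
            rc=1
        fi
    done

    # Recompute each archive digest and compare it with the recorded one.
    for archive in "$prefix-root.tar.gz" "$prefix-backup.tar.gz"; do
        # Absent files were already reported by the loop above.
        [ -s "$dir/$archive" ] && [ -s "$dir/$archive.sha256" ] || continue
        recorded=$(awk 'NR==1 {print tolower($1)}' "$dir/$archive.sha256")
        actual=$(sha256sum "$dir/$archive" | awk '{print $1}')
        if ! printf '%s' "$recorded" | grep -Eq '^[0-9a-f]{64}$'; then
            echo "UNPARSEABLE digest file: $dir/$archive.sha256" >&2
            rc=1
        elif [ "$recorded" != "$actual" ]; then
            echo "DIGEST MISMATCH: $dir/$archive" >&2
            rc=1
        fi
    done
    return "$rc"
}

# Run the check when called as: script <backup-dir> <hostname> <ip-address>
if [ "$#" -eq 3 ]; then
    verify_vlc_backup "$1" "$2" "$3"
fi
```

A non-zero exit status means the backup should be copied again from the backup host before continuing with the Setup program.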

    All Other 10.6.6.x Hosts to 11.3.0.2

    Follow the instructions under Upgrade a 10.6.6.x Component Host to 11.3.0.2.

    Upgrade the 10.6.6.x SA Server Host to the 11.3.0.2 NW Server Host

  • Make sure that you have backed up 10.6.6.x data for the SA Server host. You must follow the instructions in Backup Instructions to back up the host.

    Caution: Run the backup immediately before upgrading the SA Server to 11.3.0.2 so that the data is as recent as possible. You must create the all-systems file before you upgrade the SA Server because you cannot do this after the SA Server has been upgraded to 11.3.0.2.

  • Complete the following steps to upgrade the 10.6.6.x SA Server host to the 11.3.0.2 NW Server host.

    1. Create a base image on the host.
      1. Attach media (media that contains the ISO file, for example, a build stick) to the host.
        You must use the build stick labeled “OEMDRV”.

        • Hypervisor installations - use the ISO image.
        • Physical media - use the ISO to create bootable flash drive media. Use Etcher or another suitable imaging tool to etch a Linux file system on the USB drive. See the USB Build Stick Instructions and Later for information on how to create a build stick from the ISO. Etcher is available at: https://etcher.io.
        • iDRAC installations - the virtual media type is:
          • Virtual Floppy for mapped flash drives.
          • Virtual CD for mapped optical media devices or ISO file.
      2. Log in to the host and reboot it.

      3. Select F11 (boot menu) during reboot to select a boot device and boot to the connected media.
        After system checks during booting, the following Welcome to RSA NetWitness Platform 11.3 installation menu is displayed. The menu graphics will render differently if you use physical USB flash media.
      4. Select Install RSA Netwitness Platform 11.3 (default selection) and press Enter.

        The Operating System installation runs and stops at the Enter (y/Y) to clear drives prompt.
      5. Enter n (No).
        The default action is No, so if you ignore the prompt, it will select No in 30 seconds and will not clear the drives.

        The Upgrade/Reinstall/Quit(U/Q/R)? prompt is displayed.
      6. Type U to upgrade the host.
        If you ignore the prompt, it will select U in 120 seconds.

        It takes a few minutes for CentOS7 components to install. The installation program displays the components as they are installed, which varies depending on the appliance. When CentOS7 installation is complete, the Continue (Y/N)? prompt is displayed.
      7. Type Y and press Enter to confirm that you want to upgrade this host.

        The old operating system is about to be removed. Continue (Y/N)? warning is displayed.
      8. Type Y and press Enter to confirm that you want to replace the operating system.

        When the host is upgraded to CentOS7, the host automatically reboots and prompts you to log in.

        Caution: Do not reboot the attached media (media that contains the ISO file, for example a build stick).

      9. Log in to the host with the root credentials.

    2. Run the nwsetup-tui command to set up the host.

      This initiates the nwsetup-tui (Setup program) and the EULA is displayed.

      Note: 1.) When you navigate through the Setup program prompts, use the down and up arrows to move among fields, and use the Tab key to move to and from commands (such as <Yes>, <No>, <OK>, and <Cancel>). Press Enter to register your command response and move to the next prompt.
      2.) The Setup program adopts the color scheme of the desktop or console you use to access the host.

    3. Tab to Accept and press Enter.

      The Is this the host you want for your 11.3 NW Server prompt is displayed.

      Caution: If you choose the wrong host for the NW Server and complete the upgrade, you must restart the Setup program and complete all the steps (steps 2 through 11) to correct this error.

    4. Tab to Yes and press Enter.

      Choose No if you already upgraded the NW Server to 11.3.0.2.
      The Install or Upgrade prompt is displayed.
    5. Use down arrow to select 2 Upgrade (From Previous Vers.), tab to OK, and press Enter.

      The Backup path prompt is displayed.

      Caution: The backup path in the following prompt must be the same as the path in which your backup is stored. For example, the backup script assigns /var/netwitness/database/nw-backup as the default path. If you used the default backup path during backup and did not change it subsequently, you must keep /var/netwitness/database/nw-backup as the path in the following prompt.

    6. Tab to OK and press Enter if you want to keep this path. If not, edit the path, tab to OK, and press Enter to change it.

      This table lists the backup and restore paths by host/service.

      Host                     Backup Path                          Restore Path
      Malware                  /var/lib/rsamlware/nw-backup         /var/netwitness/malware_analytics_server/nw-backup/restore
      Event Stream Analysis    /opt/rsa/database/nw-backup          /var/netwitness/database/nw-backup/restore
      NW Server                /var/netwitness/database/nw-backup   /var/netwitness/restore
      All Other Hosts          /var/netwitness/database/nw-backup   /var/netwitness/database/nw-backup/restore


      The Master Password prompt is displayed.

      The following characters are supported for Master Password and Deployment Password:

      Symbols                 ! @ # % ^ + ,
      Numbers                 0-9
      Lowercase Characters    a-z
      Uppercase Characters    A-Z

      No ambiguous characters are supported for Master Password and Deployment Password. For example:
      space { } [ ] ( ) / \ ' " ` ~ ; : . < > -

    7. Type in the Password, down arrow to Verify, retype the password, tab to OK, and press Enter.

      The Deployment Password prompt is displayed.
    8. Type in the Password, down arrow to Verify, retype the password, tab to OK, and press Enter.

      The Update Repository prompt is displayed.
    9. Use the down and up arrows to select the location from which you want to apply version updates to your hosts, tab to OK, and press Enter.

      • If you select 1 The Local Repo (on the NW Server), the setup program makes sure that you have the appropriate media attached to the host (media that contains the ISO file, for example a build stick) from which it can upgrade to NetWitness Platform 11.3.0.2. If the program cannot find the attached media, you receive the following prompt.

      • If you select 2 An External Repo (on an externally-managed server), the UI prompts you for a URL. The repositories give you access to RSA updates and CentOS updates. Refer to Appendix D. Create External Repository for instructions on how to create this repo and its external repo URL so you can enter it in the following prompt.

        Enter the base URL of the NetWitness Platform external repo and click OK.
        See "Set Up an External Repository with RSA and OS Updates" under "Hosts and Services Procedures" in Hosts and Services Getting Started Guide for instructions.

      The Disable or use standard Firewall configuration prompt is displayed.

    10. Tab to No, and press Enter to use the standard firewall configuration. Tab to Yes, and press Enter to disable the standard firewall configuration.

      • If you select Yes your selection is confirmed.

      • If you select No, the standard firewall configuration is applied.

      The Install or Upgrade prompt is displayed (Recover does not apply to the installation. It is for 11.3.0.2 Disaster Recovery).

    11. Select 1 Upgrade Now, tab to OK, and press Enter.

      When Installation complete is displayed, you have upgraded the 10.6.6.x SA Server to the 11.3.0.2 NW Server.

      Note: Ignore the hash code errors similar to the errors shown in the following screen shot that are displayed when you initiate the nwsetup-tui command. Yum does not use MD5 for any security operations so they do not affect the system security.

    12. Complete the Post Upgrade Tasks before you upgrade any of the component hosts to 11.3.0.2.

    Upgrade a 10.6.6.x Component Host to 11.3.0.2

    Make sure that you backed up 10.6.6.x data for the host. You must follow the instructions in Backup Instructions to back up the host.

    Caution: Run the backup immediately before upgrading the host to 11.3.0.2 so that the data is as recent as possible.

    Complete the following steps to upgrade a 10.6.6.x component host to 11.3.0.2.

    1.  Create a base image on the host.
      1. Attach media (media that contains the ISO file, for example a build stick) to the host.
        See the USB Build Stick Instructions and Later for more information.

        • Hypervisor installations - use the ISO image.
        • Physical media - use the ISO to create bootable flash drive media. Use Etcher or another suitable imaging tool to etch a Linux file system on the USB drive. Etcher is available at: https://etcher.io.
        • iDRAC installations - the virtual media type is:
          • Virtual Floppy for mapped flash drives.
          • Virtual CD for mapped optical media devices or ISO file.
      2. Log in to the host and reboot it.
      3. Select F11 (boot menu) during reboot to select a boot device and boot to the connected media.
        After some system checks during booting, the following Welcome to RSA NetWitness Platform 11.3 installation menu is displayed. The menu graphics will render differently if you use physical USB flash media.

      4. Select Install RSA Netwitness Platform 11.3 (default selection) and press Enter.

        The Operating System installation runs and stops at the Enter (y/Y) to clear drives prompt.
      5. Enter n (No).
        The default action is No. If you ignore the prompt, it will select No in 30 seconds and will not clear the drives.

        The Upgrade/Reinstall/Quit (U/R/Q?) prompt is displayed.
      6. Type U to upgrade the host.
        If you ignore the prompt, it will select U in 120 seconds.

        It takes a few minutes for CentOS7 components to install. The installation program displays the components as they are installed which varies depending on the appliance. When CentOS7 installation is complete, the Continue (Y/N)? prompt is displayed.
      7. Type Y and press Enter to confirm that you want to upgrade this host.

        The old operating system is about to be removed. Continue (Y/N)? warning is displayed.
      8. Type Y and press Enter to confirm that you want to replace the operating system.

        When the host is upgraded to CentOS7, the host automatically reboots and prompts you to log in.

        Caution: Do not reboot the attached media (media that contains the ISO file, for example a build stick).

      9. Log in to the host with the root credentials.

    2. Run the nwsetup-tui command to set up the host.
      This initiates the nwsetup-tui (Setup program) and the EULA is displayed.
    3. Tab to Accept and press Enter.

      The Is this the host you want for your 11.3 NW Server prompt is displayed.

      Caution: If you choose the wrong host for the NW Server and complete the upgrade, you must restart the Setup program and complete all the steps (steps 2 through 11) of Upgrade the 10.6.6.x SA Server Host to the 11.3.0.2 NW Server Host to correct this error.

    4. Tab to No and press Enter.

      The Install or Upgrade prompt is displayed.
    5. Use the down arrow to select 2 Upgrade (From Previous Vers.), tab to OK, and press Enter.

      The Backup path prompt is displayed.
    6. Tab to OK and press Enter if you want to keep this path. If not, edit the path, tab to OK, and press Enter to change it.

      This table lists the backup and restore paths by host/service.

      Host                     Backup Path                          Restore Path
      Malware                  /var/lib/rsamlware/nw-backup         /var/netwitness/malware_analytics_server/nw-backup/restore
      Event Stream Analysis    /opt/rsa/database/nw-backup          /var/netwitness/database/nw-backup/restore
      NW Server                /var/netwitness/database/nw-backup   /var/netwitness/restore
      All Other Hosts          /var/netwitness/database/nw-backup   /var/netwitness/database/nw-backup/restore


      The Deployment Password prompt is displayed.

      Note: You must use the same deployment password that you used when you upgraded the NW Server.

    7. Type in the Password, down arrow to Verify, retype the password, tab to OK, and press Enter.

      The Update Repository prompt is displayed.
      Select the same repo you selected when you upgraded the NW Server Host for all hosts.
    8. Use the down and up arrows to select the location from which you want to apply version updates to your hosts (for example, 1 The Local Repo (on the NW Server)), tab to OK, and press Enter.

      • If you select 1 The Local Repo (on the NW Server), the setup program makes sure that you have the appropriate media attached to the host (media that contains the ISO file, for example a build stick) from which it can upgrade to NetWitness Platform 11.3.0.2.
      • If you select 2 An External Repo (on an externally-managed server), the UI prompts you for a URL. The repositories give you access to RSA updates and CentOS updates. Enter the base URL of the NetWitness Platform external repo and click OK. Refer to Appendix D. Create External Repository for instructions on how to create this repo and its external repo URL so you can enter it in the following prompt.

      The NW Server IP Address prompt is displayed.

    9. Type the IP address of the NW Server, tab to OK, and press Enter.

      The Disable or use standard Firewall configuration prompt is displayed.
    10. Tab to No, and press Enter to use the standard firewall configuration. Tab to Yes, and press Enter to disable the standard firewall configuration. The following example shows No with the standard firewall configuration selected.

      • If you select Yes, confirm your selection.

      • If you select No, the standard firewall configuration is applied.

      The Install or Upgrade prompt is displayed (Recover does not apply to the installation. It is for 11.3.0.2 Disaster Recovery).

    11. Select 1 Upgrade Now, tab to OK, and press Enter.

      When Installation complete is displayed, you have upgraded the host to 11.3.0.2.
    12. Install the service on this host:
      1. Log into NetWitness Platform and go to ADMIN > Hosts.
        The New Hosts dialog is displayed with the Hosts view grayed out in the background.

        Note: If the New Hosts dialog is not displayed, click Discover in the Hosts view toolbar.

      2. Click on the host in the New Hosts dialog and click Enable.
        The New Hosts dialog closes and the host is displayed in the Hosts view.
      3. Select that host in the Hosts view (for example, Event Stream Analysis) and click .
        The Install Services dialog is displayed.
      4. Select the appropriate service (for example, ESA Primary) and click Install.


        You have completed the upgrade of the Component Host in NetWitness Platform

        Phase 3 - (Optional) Install Warm Standby NW Server

        Refer to "Warm Standby NW Server Host" under "Deployment Option Setup Procedures" in the Deployment Guide for instructions on how to set up a Warm Standby NW Server.

     

     

     
