Virtual Host Upgrade: Set Up Virtual Hosts

Document created by RSA Information Design and Development on Apr 11, 2019. Last modified by RSA Information Design and Development on Jun 12, 2019.
Version 5
 

There are two phases to setting up your 11.3 virtual stack. Complete them in the order shown below.

Phase 1 - Set Up NW Server, Event Stream Analysis, Malware Analysis, and Broker or Concentrator Hosts

Task 1 - Set Up 11.3 NetWitness Server

Follow the instructions under Set Up 11.3 NW Server Host.

Task 2 - Set Up 11.3 ESA

Caution: If you had C2 modules enabled in 10.6.6.x, the modules will enter a warm-up period after you upgrade the Event Stream Analysis service to 11.3, and they will not be available until the warm-up completes.

Follow the instructions under Set Up 11.3 Component Host to set up your ESA hosts.

  1. Set up your primary ESA host through the Setup program and install ESA Primary on the host in the user interface on the Admin Hosts view.

    Note: If you have multiple ESA hosts in your enterprise, you must first upgrade the ESA Primary host, where all the mongodb (Mongo Database) backup tar files are located, before you upgrade the ESA Secondary hosts.

  2. (Conditional) If you have a secondary ESA host, set it up through the Setup program and install ESA Secondary on the host in the user interface on the Admin Hosts view.

Task 3 - Set Up 11.3 Malware Analysis

Follow the instructions under Set Up 11.3 Component Host.

Task 4 - Set Up 11.3 Broker or Concentrator

Follow the instructions under Set Up 11.3 Component Host.

Note: If you do not have a Broker, upgrade your Concentrator hosts. The 11.3 NW Server cannot communicate with 10.6.6.x core services for the new Investigate functionality. This is why you must upgrade the Broker or Concentrator hosts in Phase 1.

Phase 2 - Set Up The Rest of the Component Hosts

See Appendix B. Stopping and Restarting Data Capture and Aggregation for instructions on how to stop and restart data capture and aggregation when upgrading the Decoder, Concentrator, and Log Collection hosts.

Decoder and Concentrator Hosts

  1. Stop data capture and aggregation.
  2. Complete the steps in Set Up 11.3 Component Host.
  3. Restart data capture and aggregation.

Log Decoder Host

  1. Make sure you have prepared the Log Collector as described in the "Log Collectors (LC) and Virtual Log Collectors (VLCs): Run prepare-for-migrate.sh" in the Backup Instructions.

  2. Stop data capture on the Log Decoder.
  3. Complete the steps in Set Up 11.3 Component Host.
  4. Restart data capture on Log Decoder.

    Note: After you upgrade, you will restart log collection after completing "Task 11 - Reset Stable System Values for Log Collector after Upgrade" in the Post Upgrade Tasks.

Virtual Log Collector Host

  1. Make sure you have prepared the Virtual Log Collector as described in the "Log Collectors (LC) and Virtual Log Collectors (VLCs): Run prepare-for-migrate.sh" in the Backup Instructions.
  2. Back up your 10.6.6.x VLC by editing the all-systems file on the host where you performed the backup.

    1. Make sure your all-systems file contains this information before you perform this step.
      vlc,<host-name>,<IP-address>,<UUID>,10.6.6.x
    2. Run the following command to create the backup.
      ./nw-backup.sh -u
      See Backup Instructions for detailed procedures on how to back up the host.
    3. Make sure the backup host contains the VLC backup in the following format.
      <hostname>-<IPaddress>-root.tar.gz
      <hostname>-<IPaddress>-root.tar.gz.sha256
      <hostname>-<IPaddress>-backup.tar.gz
      <hostname>-<IPaddress>-backup.tar.gz.sha256
      <hostname-IPaddress>-network.info.txt
      all-systems-master-copy

    1. Power off the 10.6.6.x VLC so that a new 11.3 VM can be created with the same network configuration.
    2. Deploy a fresh Component Host using the 11.3 NetWitness Platform ova.
    3. Connect to the VM console of the new VLC.
    4. Update the network configuration to be the same as the 10.6.6.x VLC.
      This information is stored in the <hostname-IPaddress>-network.info.txt 10.6.6.x VLC backup file.

      Note: Make sure IPv6 is disabled.

      1. Edit the /etc/sysconfig/network-scripts/ifcfg-eth0 file and update the settings. Contents of ifcfg-eth0 should be as follows.
        TYPE=Ethernet
        DEFROUTE=yes
        NAME=eth0
        UUID=<uuid>
        DEVICE=eth0
        DNS1=<nameserver from <hostname>-<ipaddress>-network-info.txt>
        DNS2=<nameserver from <hostname>-<ipaddress>-network-info.txt>
        BOOTPROTO=static
        IPADDR=<ipaddress from <hostname>-<ipaddress>-network-info.txt>
        NETMASK=<netmask from <hostname>-<ipaddress>-network-info.txt>
        GATEWAY=<gateway from <hostname>-<ipaddress>-network-info.txt>
        NM_CONTROLLED=no
        ONBOOT=yes
      2. Submit the following command string.
        systemctl restart network.service
    5. Create the backup directory.
      # mkdir -p /var/netwitness/database/nw-backup/
    6. Copy the backup from the backup host from /var/netwitness/database/nw-backup to the new VLC in the /var/netwitness/database/nw-backup directory.

    7. Complete steps 2 through 12 inclusive in Set Up 11.3 Component Host for the rest of the NetWitness Platform components. Make sure that you select Log Collector for the service in step 12.
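
Before running the Setup program on the new VLC, it is worth confirming that the backup set copied into /var/netwitness/database/nw-backup is complete and that both archives still match their recorded digests. The following check is an added example, not part of the RSA procedure or tooling; the function name verify_vlc_backup is hypothetical, and it assumes each .sha256 file stores the hex digest as the first field on its first line.

```sh
# Added example, not RSA code. Assumption: each .sha256 file stores the hex
# digest as the first whitespace-separated field on its first line.

# verify_vlc_backup DIR HOSTNAME IPADDRESS
# Returns 0 only if the file set listed above is complete and both archives
# still match the digests recorded at backup time.
verify_vlc_backup() {
    vb_dir=$1; vb_prefix="$2-$3"; vb_rc=0

    # Every file the procedure expects on the new VLC must exist and be non-empty.
    for vb_f in "$vb_prefix-root.tar.gz" "$vb_prefix-backup.tar.gz" \
                "$vb_prefix-network.info.txt" all-systems-master-copy; do
        if [ ! -s "$vb_dir/$vb_f" ]; then
            echo "MISSING  $vb_f" >&2
            vb_rc=1
        fi
    done

    # Recompute SHA-256 for each archive and compare with its .sha256 file.
    for vb_f in "$vb_prefix-root.tar.gz" "$vb_prefix-backup.tar.gz"; do
        [ -s "$vb_dir/$vb_f" ] || continue          # already reported above
        if [ ! -s "$vb_dir/$vb_f.sha256" ]; then
            echo "MISSING  $vb_f.sha256" >&2
            vb_rc=1
            continue
        fi
        vb_want=$(awk 'NR == 1 { print tolower($1) }' "$vb_dir/$vb_f.sha256")
        vb_have=$(sha256sum "$vb_dir/$vb_f" | awk '{ print $1 }')
        if [ "$vb_want" = "$vb_have" ]; then
            echo "OK       $vb_f"
        else
            echo "MISMATCH $vb_f" >&2
            vb_rc=1
        fi
    done
    return "$vb_rc"
}

# Stand-alone use: sh verify.sh /var/netwitness/database/nw-backup <hostname> <IPaddress>
if [ "$#" -eq 3 ]; then
    verify_vlc_backup "$@"
fi
```

A non-zero exit status means the copy should be repeated from the backup host before the upgrade continues.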

    Set Up 11.3 NW Server Host

  • Make sure that you have backed up 10.6.6.x data for the SA Server host. You must follow the instructions in Backup Instructions to back up the host.

    Caution: Run the backup immediately before upgrading the SA Server to 11.3 so that the data is as recent as possible. You must create the all-systems file before you upgrade the SA Server because you cannot do this after the SA Server has been upgraded to 11.3.

  • Complete the following steps to set up the 11.3 NW Server host.

    1. Log in to 11.3 NW Server VM's console and run the nwsetup-tui command.

      This initiates the Setup program and the EULA is displayed.

      Note: 1.) When you navigate through the Setup program prompts, use the down and up arrows to move among fields, and use the Tab key to move to and from commands (such as <Yes>, <No>, <OK>, and <Cancel>). Press the Enter key to register your command response and move to the next prompt.
      2.) The Setup program adopts the color scheme of the desktop or console you use to access the host.

    2. Tab to Accept and press Enter.

      The Is this the host you want for your 11.3 NW Server prompt is displayed.

      Caution: If you choose the wrong host for the NW Server and complete the upgrade, you must repeat steps 1 through 11 of Set Up 11.3 NW Server Host to correct this error.

    3. Tab to Yes and press Enter.

      Choose No if you already upgraded the NW Server to 11.3.
      The Install or Upgrade prompt is displayed.
    4. Use down arrow to select 2 Upgrade (From Previous Vers.), tab to OK, and press Enter.

      The Backup path prompt is displayed.

      Caution: The backup path in the following prompt must be the same as the path in which your backup is stored. For example, the backup script assigns /var/netwitness/database/nw-backup as the default path. If you used the default backup path during backup and did not change it subsequently, you must keep /var/netwitness/database/nw-backup as the path in the following prompt.

    5. Tab to OK and press Enter if you want to keep this path. If not, edit the path, tab to OK, and press Enter to change it.

      This table lists the backup and restore paths by host/service.

      Host                    Backup Path                          Restore Path
      Malware                 /var/lib/rsamlware/nw-backup         /var/netwitness/malware_analytics_server/nw-backup/restore
      Event Stream Analysis   /opt/rsa/database/nw-backup          /var/netwitness/database/nw-backup/restore
      NW Server               /var/netwitness/database/nw-backup   /var/netwitness/restore
      All Other Hosts         /var/netwitness/database/nw-backup   /var/netwitness/database/nw-backup/restore


      The Master Password prompt is displayed.

      The following characters are supported for Master Password and Deployment Password:

      • Symbols : ! @ # % ^ + ,
      • Numbers : 0-9
      • Lowercase Characters : a-z
      • Uppercase Characters : A-Z

      Ambiguous characters are not supported for Master Password and Deployment Password. For example:
      space { } [ ] ( ) / \ ' " ` ~ ; : . < > -

    6. Type in the Password, down arrow to Verify, retype the password, tab to OK, and press Enter.

      The Deployment Password prompt is displayed.
    7. Type in the Password, down arrow to Verify, retype the password, tab to OK, and press Enter.

      The Update Repository prompt is displayed.
      You must use the same repo that you used for the NW Server hosts for all hosts.
    8. Use the down and up arrows to select 2 An External Repo (on an externally-managed server).

      The External Update Repo URL prompt is displayed.
      Refer to Appendix D. Create External Repository for instructions. Go to the Master Table of Contents to find all NetWitness Platform Logs & Network 11.x documents.
    9. Enter the base URL of the NetWitness Platform external repo (for example, http://testserver/netwitness-repo) and click OK.

      The Disable or use standard Firewall configuration prompt is displayed.
    10. Tab to No (default), and press Enter to use the standard firewall configuration. Tab to Yes, and press Enter to disable the standard firewall configuration.

      • If you select Yes, confirm your selection, or select No to use the standard firewall configuration.

      The Install or Upgrade prompt is displayed (Recover does not apply to the installation. It is for 11.3 Disaster Recovery).

    11. Select 1 Upgrade Now, tab to OK, and press Enter.

      When Installation complete is displayed, you have upgraded the 10.6.6.x SA Server to the 11.3 NW Server.

      Note: Ignore the hash code errors similar to the errors shown in the following screen shot that are displayed when you initiate the nwsetup-tui command. Yum does not use MD5 for any security operations so they do not affect the system security.

    12. Complete the "NW Server" Post Upgrade Tasks before you upgrade any of the Component Hosts to 11.3.

    Set Up 11.3 Component Host

    Make sure that you back up your 10.6.6.x data for the host. You must follow the instructions in Backup Instructions to back up the host.

    Caution: Run the backup immediately before upgrading the host to 11.3 so that the data is as recent as possible.

    Complete the following steps to set up an 11.3 Component Host.

    1. Log in to 11.3 Component Host VM console and run the nwsetup-tui command.
      This initiates the Setup program and the EULA is displayed.
    2. Tab to Accept and press Enter.

      The Is this the host you want for your 11.3 NW Server prompt is displayed.

      Caution: If you choose the wrong host for the NW Server and complete the upgrade, you must repeat steps 1 through 11 of Set Up 11.3 NW Server Host to correct this error.

    3. Tab to No and press Enter.

      The Install or Upgrade prompt is displayed (Recover does not apply to the installation. It is for 11.3 Disaster Recovery).
    4. Use down arrow to select 2 Upgrade (From Previous Vers.), tab to OK, and press Enter.

      The Backup path prompt is displayed.
    5. Tab to OK and press Enter if you want to keep this path. If not, edit the path, tab to OK, and press Enter to change it.

      This table lists the backup and restore paths by host/service.

      Host                    Backup Path                          Restore Path
      Malware                 /var/lib/rsamlware/nw-backup         /var/netwitness/malware_analytics_server/nw-backup/restore
      Event Stream Analysis   /opt/rsa/database/nw-backup          /var/netwitness/database/nw-backup/restore
      NW Server               /var/netwitness/database/nw-backup   /var/netwitness/restore
      All Other Hosts         /var/netwitness/database/nw-backup   /var/netwitness/database/nw-backup/restore


      The Deployment Password prompt is displayed.

      Note: You must use the same deployment password that you used when you upgraded the NW Server.

    6. Type in the Password, down arrow to Verify, retype the password, tab to OK, and press Enter.

      The Update Repository prompt is displayed.
    7. Use the down and up arrows to select 2 An External Repo (on an externally-managed server), tab to OK, and press Enter.

      The External Update Repo URL prompt is displayed.
      The repositories give you access to RSA updates and CentOS updates.
    8. Enter the base URL of the NetWitness Platform external repo (for example, http://testserver/netwitness-repo) and click OK. Refer to Appendix D. Create External Repository for instructions on how to create this repo and its external repo URL so you can enter it in the following prompt.

      The NW Server IP Address is displayed.

    9. Type the IP address of the NW Server, tab to OK, and press Enter.

      The Disable or use standard Firewall configuration prompt is displayed.
    10. Tab to No (default), and press Enter to use the standard firewall configuration. Tab to Yes, and press Enter to disable the standard firewall configuration.

      • If you select Yes, confirm your selection.

      • If you select No, the standard firewall configuration is applied.

      The Install or Upgrade prompt is displayed (Recover does not apply to the installation. It is for 11.3 Disaster Recovery).

    11. Select 1 Upgrade Now, tab to OK, and press Enter.

      When Installation complete is displayed, you have upgraded the host to 11.3.
    12. Install the service on this host:
      1. Log into NetWitness Platform and click ADMIN > Hosts.
        The New Hosts dialog is displayed with the Hosts view grayed out in the background.

        Note: If the New Hosts dialog is not displayed, click Discover in the Hosts view toolbar.

      2. Click on the host in the New Hosts dialog and click Enable.
        The New Hosts dialog closes and the host is displayed in the Hosts view.
      3. Select that host in the Hosts view (for example, Event Stream Analysis) and click
        The Install Services dialog is displayed.
      4. Select the appropriate service (for example, ESA Primary) and click Install.


        You have completed the upgrade of the Component Host in NetWitness Platform.

        Note: When you upgrade a Respond host from 10.6.6.x to 11.3, it takes a period of time for Respond to come back online. This is caused by Respond indexing data while it is restored. The size of the data in the Mongo database will determine the time.

