Virtual Host Upgrade: Migrate Disk Drives

Document created by RSA Information Design and Development on Apr 11, 2019
Last modified by RSA Information Design and Development on Jun 12, 2019

Caution: 1. You cannot perform the migration if you have a snapshot of your VM.
2. Run the backup immediately before you upgrade hosts for each phase so that the data is not outdated.
3. This guide applies to virtual host upgrades exclusively. If you have both physical and virtual hosts in your deployment, see the Physical Host Upgrade Instructions for RSA NetWitness Platform 11.3 for the steps you must complete to upgrade physical hosts.

Note: The machines must be in VMware ESX.

There are five tasks you must complete to migrate your Virtual Machine (VM) deployment disk drives from 10.6.6.x to 11.3:

Task 1 - Back up data in your 10.6.6.x VMs.

Task 2 - Deploy the same VM Stack in 11.3 as you have in 10.6.6.x.

Task 3 - Copy the VMDK Files and add them as a hard disk to the new VMs.

Task 4 - Retain MAC address of upgraded SA Server VM.

Task 5 - Restore backup data in 10.6.6.x to 11.3 VMs.

Task 1 - Back Up Data in 10.6.6.x VMs

  1. Prepare Log Collector for the migration:
    1. Log in to the Log Collector using root credentials.
    2. Go to the /opt/rsa/nwlogcollector/nwtools/ directory and run the following command.
      sh prepare-for-migrate.sh --prepare

      See Virtual Log Collector Host (VLC) for detailed instructions on how to upgrade the VLC.

  2. Download and extract the .zip file that contains the 10.6.6.x backup scripts from RSA Link (https://community.rsa.com/docs/DOC-81514) to the external backup host.

    Note: You must set up an external host to use for backing up files. The host must be running CentOS 6 with connectivity through SSH to the NetWitness Platform stack of hosts.

  3. Update the permissions of the script files by running the following commands:
    1. cd <Script file>
    2. chmod 777 *

  4. Run the following commands from the nw-backup/scripts directory (see Backup Instructions for detailed descriptions of the backup scripts).
    ./get-all-systems.sh <SA-IP>
    ./ssh-propagate.sh <path-to-backup-directory/all-systems>
    ./nw-backup.sh -u

    If you have a Malware VM, substitute -m -u for -u in this command string (for example, ./nw-backup.sh -m -u).

Task 2 - Deploy Same 10.6.6.x VM Stack in 11.3

You must set up the same virtual host stack in 11.3 that you had in 10.6.6.x. See the RSA NetWitness® Platform 11.3 Virtual Host Installation Guide for instructions.

The following high-level steps describe how to deploy an OVA host in the ESXi environment.

Download the 11.3 OVA from RSA Link > NetWitness > Download to a local directory.

  1. Log on to the ESXi environment.

  2. In the File drop-down, select Deploy OVF Template.
  3. The Deploy OVA Template dialog is displayed.

  4. Browse your local directory for the 11.3 OVAs you downloaded.
  5. Select the OVA to deploy in the virtual environment, and click Next.
  6. Select the appropriate Configuration for the VM and click Next.
  7. Power on the VM, go to Console, and log in to the machine.
    The VM now has the 11.3 base image required to run the Setup Program (that is, nwsetup-tui).

Task 3 - Copy VMDK Files and Add Them as Hard Disk to New VMs

  1. Power off both the 10.6.6.x and 11.3 VMs.
  2. Go to the desired ESX server, click the Configuration tab > Storage.
  3. Right-click the required datastore and click Browse Datastore.
  4. Navigate to the existing 10.6.6.x VM in the datastore.

  5. Select all the VMDK files in the datastore, right-click, and click Copy.

    Caution: Do not copy the base VMDK file (for example, Data_106_SA) because it contains CentOS6.

    You must copy all the numbered VMDK files. For example, if the 10.6.6.x VM name is Data_106_SA, you would copy all the Data_106_SA_1, Data_106_SA_2, Data_106_SA_3, and so on, files.

  6. Navigate to the new 11.3 VM in the datastore.

  7. Right-click and click Paste.

    Note: You must wait until all the VMDK files from the previous VM are completely copied into the datastore of the new VM.

  8. Select the 11.3 VM, click Edit Settings > Add.
  9. In the dialog box, click HardDisk > Next.

  10. Click Already existing hard disk > Next.

  11. Click Browse and browse to the datastore location to which you copied the VMDK files.

  12. Select the VMDK file from the 11.3 VM that you want to add as a disk.

  13. Repeat steps 8 through 12 for each disk you want to add.

  14. Click OK.

Task 4 - Retain MAC Address of Upgraded SA Server VM

To retain the MAC address of migrated Security Analytics (SA) Server Virtual Machine (VM):

Note: These steps apply when you migrate the SA Server VM (created with "Automatic" MAC address assignment selected) to the 11.3 NetWitness Server. For VMs with a Static MAC address, you can change the MAC address by going to Edit Settings for a VM and typing in the MAC address.

  1. Log in to vCenter server.

    Note: The supported versions of vCenter are 5.5 through 6.5 inclusive.

  2. (Conditional) If the VMs are powered on in vCenter server, Power Off both VMs (NetWitness 10.6.6.x and 11.3).
  3. Click Summary tab, right-click Datastore and browse for the datastore location.
  4. Go to the VM folder and download the .vmx file of 10.6.6.x and 11.3 to the local repository.
    By default, the VM is created with a generated MAC address in the format shown in the following figure.

    Note: 00:0c:29:XX:YY:ZZ – 00:0c:29 is the unique identifier for an automatically generated MAC address. 00:50:56:XX:YY:ZZ – 00:50:56 is the unique identifier for a static or manually generated MAC address. This is valid only if the vCenter is not deployed. If vCenter is deployed, this MAC address denotes the unique identifier for an automatically generated MAC address.

  5. Using a text editor, copy the uuid.location and ethernet0.generatedAddress values from 10.6.6.x .vmx file into the 11.3 .vmx file.

    Note: If you deployed the 10.6.6.x stack on the ESX server directly (not through vCenter), you must copy the value for uuid.bios in addition to uuid.location and ethernet0.generatedAddress from the 10.6.6.x .vmx file into the 11.3 .vmx file.

  6. Remove both the 10.6.6.x and the 11.3 VMs from inventory.
    1. Navigate to the vCenter server.
    2. Right-click both the 10.6.6.x and the 11.3 VMs.
    3. Select Remove from Inventory.
  7. Upload the modified 11.3 .vmx file to the datastore location, replacing the existing .vmx file.
  8. From the datastore, right-click the 11.3 .vmx file and select Add to Inventory.
  9. Navigate to the vCenter server and Power On the 11.3 VM.
    The following message is displayed.
    The virtual machine might have been moved or copied. In order to configure certain management and networking features, VMware ESX needs to know if this virtual machine was moved or copied. If you don't know, answer "I Copied it."


  10. Right-click the VM and select Guest > Answer Question.
    The following figure is displayed.

  11. Select I Moved It.
  12. Click OK.
    The MAC address from the 10.6.6.x VM is retained on the 11.3 VM.
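
The copy in step 5, scripted rather than done by hand in a text editor. This is an added example, not part of the RSA guide: vmx_get and vmx_merge are hypothetical helper names, and the file names and sample values are constructed. It stops if the old MAC address does not carry one of the two prefixes named in the note under step 4.

```shell
#!/bin/sh
# Added example: carry the identity keys from the 10.6.6.x .vmx into a copy
# of the 11.3 .vmx. File names and sample values below are constructed.

# Print the value of key $2 in .vmx file $1 (lines look like: key = "value").
vmx_get() {
    awk -v k="$2" '{ line = $0; sub(/^[ \t]+/, "", line)
        rest = substr(line, length(k) + 1)
        if (index(line, k) == 1 && rest ~ /^[ \t]*=/) {
            sub(/^[ \t]*=[ \t]*"/, "", rest); sub(/"[ \t\r]*$/, "", rest)
            print rest; exit } }' "$1"
}

# vmx_merge OLD NEW OUT KEY...: write OUT = NEW with each KEY taken from OLD.
vmx_merge() {
    old=$1; new=$2; out=$3; shift 3
    mac=$(vmx_get "$old" ethernet0.generatedAddress | tr 'A-F' 'a-f')
    case $mac in   # prefixes the guide lists for VMware MAC addresses
        00:0c:29:??:??:??|00:50:56:??:??:??) ;;
        *) echo "unexpected MAC in $old: '$mac'" >&2; return 1 ;;
    esac
    cp "$new" "$out" || return 1
    for key in "$@"; do
        val=$(vmx_get "$old" "$key")
        [ -n "$val" ] || { echo "$key missing in $old" >&2; return 1; }
        # Drop the 11.3 line for this key, then append the 10.6.6.x value.
        awk -v k="$key" '{ line = $0; sub(/^[ \t]+/, "", line)
            if (index(line, k) == 1 && substr(line, length(k) + 1) ~ /^[ \t]*=/) next
            print }' "$out" > "$out.tmp" && mv "$out.tmp" "$out" || return 1
        printf '%s = "%s"\n' "$key" "$val" >> "$out"
    done
}

# Constructed sample files standing in for the two downloaded .vmx files.
WORK=$(mktemp -d)
cat > "$WORK/old.vmx" <<'EOF'
displayName = "Data_106_SA"
uuid.location = "56 4d 11 11 11 11 11 11-11 11 11 11 11 11 11 11"
uuid.bios = "56 4d 22 22 22 22 22 22-22 22 22 22 22 22 22 22"
ethernet0.generatedAddress = "00:0c:29:aa:bb:cc"
EOF
cat > "$WORK/new.vmx" <<'EOF'
displayName = "Data_113_NW"
uuid.location = "56 4d 33 33 33 33 33 33-33 33 33 33 33 33 33 33"
uuid.bios = "56 4d 44 44 44 44 44 44-44 44 44 44 44 44 44 44"
ethernet0.generatedAddress = "00:0c:29:dd:ee:ff"
EOF
# vCenter case: uuid.location and the MAC only (add uuid.bios for direct ESX).
vmx_merge "$WORK/old.vmx" "$WORK/new.vmx" "$WORK/merged.vmx" \
    uuid.location ethernet0.generatedAddress
diff "$WORK/new.vmx" "$WORK/merged.vmx" || true
```

The diff at the end shows exactly which lines of the 11.3 file changed, which is worth reviewing before the upload in step 7.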

Task 5 - Restore Backup Data in 10.6.6.x to 11.3 VMs

Complete the following steps to Power On the 11.3 VM.

  1. Copy backed-up data from the nw-backup directory to the 11.3 VMs.
    • For the NW Server:

      Note: See Virtual Log Collector Host (VLC) for detailed instructions on how to upgrade the VLC.

      1. Create the nwhome directory under /tmp.
      2. Mount VolGroup00-nwhome on /tmp/nwhome/.
        mount /dev/mapper/VolGroup00-nwhome /tmp/nwhome/
      3. Copy the contents of /tmp/nwhome/ directory to /var/netwitness/.
        cp -r /tmp/nwhome/* /var/netwitness/
      4. Mount VolGroup02-redb on /var/netwitness/database.
        mount /dev/mapper/VolGroup02-redb /var/netwitness/database/

        Note: Make sure that the /var/netwitness/database/nw-backup directory exists with backup tarballs of the appliance.

      5. Unmount VolGroup00-nwhome from /tmp/nwhome/.
        umount /tmp/nwhome
    • For the Archiver, Broker, Concentrator, Log Decoder, Log Collector, and Network Decoder:

      Note: If your 10.6.6.x Decoder or Log Decoder had multiple network interfaces:
      1. Power Off the 11.3 Decoder or Log Decoder VM.
      2. Go to Edit Settings for the VM and add the required number of Ethernet Adapters.
      3. Power On the VM.
      4. Add the ethernet adapters before restoring the backup data.

      1. Create the nwhome directory under /tmp.
      2. Create a temporary mount VolGroup00-nwhome on /tmp/nwhome/.
        mount /dev/mapper/VolGroup00-nwhome /tmp/nwhome/
      3. Copy the contents of /tmp/nwhome/ directory to /var/netwitness/.
        cp -r /tmp/nwhome/* /var/netwitness/
      4. Unmount VolGroup00-nwhome from /tmp/nwhome/.
        umount /tmp/nwhome
    • For Malware Analysis (Co-located Malware Not Supported in 11.3 Upgrade):
      1. Create the apps directory under /tmp/.

      2. Create a temporary mount VolGroup01-apps on /tmp/apps/.
        mount /dev/mapper/VolGroup01-apps /tmp/apps/
        mkdir /var/netwitness/database

      3. Copy the nw-backup directory to /var/netwitness/.
        cp -r /tmp/apps/nw-backup /var/netwitness/database
      4. Unmount VolGroup01-apps from /tmp/apps/.
        umount /tmp/apps

    • For Event Stream Analysis:
      1. Create the apps directory under /tmp/

      2. Create a temporary mount VolGroup01-apps on /tmp/apps/.
        mount /dev/mapper/VolGroup01-apps /tmp/apps/
        mkdir /var/netwitness/database

      3. Copy the nw-backup directory to /var/netwitness.
        cp -r /tmp/apps/nw-backup /var/netwitness

      4. Unmount VolGroup01-apps from /tmp/apps/.
        umount /tmp/apps
  2. Mount the disks.

    Note: If you have configured any external mount points on the VMs in the stack for any of the following directories, re-mount the external mount points in place of the following mounts.

  • For the NW Server:
    mount /dev/mapper/VolGroup01-ipdbext /var/netwitness/ipdbextractor/

    Note: Make sure that the /var/netwitness/database/nw-backup directory exists with backup tarballs of the appliance.

  • For the Log Decoder/Log Collector:

    Note: The following mounts are not required for the Virtual Log Collector.

    mount /dev/mapper/VolGroup01-decoroot /var/netwitness/logdecoder
    mount /dev/mapper/VolGroup01-index /var/netwitness/logdecoder/index
    mount /dev/mapper/VolGroup01-sessiondb /var/netwitness/logdecoder/sessiondb
    mount /dev/mapper/VolGroup01-metadb /var/netwitness/logdecoder/metadb
    mount /dev/mapper/VolGroup01-logcoll /var/netwitness/logcollector
    mount /dev/mapper/VolGroup01-packetdb /var/netwitness/logdecoder/packetdb

  • For the Network Decoder:
    mount /dev/mapper/VolGroup01-decoroot /var/netwitness/decoder
    mount /dev/mapper/VolGroup01-sessiondb /var/netwitness/decoder/sessiondb
    mount /dev/mapper/VolGroup01-index /var/netwitness/decoder/index
    mount /dev/mapper/VolGroup01-metadb /var/netwitness/decoder/metadb
    mount /dev/mapper/VolGroup01-packetdb /var/netwitness/decoder/packetdb

  • For the Concentrator:
    mount /dev/mapper/VolGroup01-concroot /var/netwitness/concentrator
    mount /dev/mapper/VolGroup01-sessiondb /var/netwitness/concentrator/sessiondb
    mount /dev/mapper/VolGroup01-index /var/netwitness/concentrator/index
    mount /dev/mapper/VolGroup01-metadb /var/netwitness/concentrator/metadb
  • For the Archiver:
    mount /dev/mapper/VolGroup01-archiver /var/netwitness/archiver
    mount /dev/mapper/VolGroup02-workbench /var/netwitness/workbench
  • For the Broker:
    mount /dev/mapper/VolGroup01-broker /var/netwitness/broker
  3. Add the following mount entries to /etc/fstab.
    • For the NW Server:
      /dev/mapper/VolGroup01-ipdbext /var/netwitness/ipdbextractor/ xfs defaults,noatime,nosuid 1 2
      /dev/mapper/VolGroup02-redb /var/netwitness/database/ xfs defaults,noatime,nosuid 1 2
    • For the Log Decoder/Log Collector:

      Note: The following mounts are not required for the Virtual Log Collector.

      /dev/mapper/VolGroup01-decoroot /var/netwitness/logdecoder ext4 defaults,noatime,nosuid 1 2
      /dev/mapper/VolGroup01-index /var/netwitness/logdecoder/index xfs defaults,noatime,nosuid 1 2
      /dev/mapper/VolGroup01-sessiondb /var/netwitness/logdecoder/sessiondb xfs defaults,noatime,nosuid 1 2
      /dev/mapper/VolGroup01-metadb /var/netwitness/logdecoder/metadb xfs defaults,noatime,nosuid 1 2
      /dev/mapper/VolGroup01-logcoll /var/netwitness/logcollector xfs defaults,noatime,nosuid 1 2
      /dev/mapper/VolGroup01-packetdb /var/netwitness/logdecoder/packetdb xfs defaults,noatime,nosuid 1 2

    • For the Network Decoder:
      /dev/mapper/VolGroup01-decoroot /var/netwitness/decoder ext4 defaults,noatime,nosuid 1 2
      /dev/mapper/VolGroup01-sessiondb /var/netwitness/decoder/sessiondb xfs defaults,noatime,nosuid 1 2
      /dev/mapper/VolGroup01-index /var/netwitness/decoder/index xfs defaults,noatime,nosuid 1 2
      /dev/mapper/VolGroup01-metadb /var/netwitness/decoder/metadb xfs defaults,noatime,nosuid 1 2
      /dev/mapper/VolGroup01-packetdb /var/netwitness/decoder/packetdb xfs defaults,noatime,nosuid 1 2
    • For the Concentrator:
      /dev/mapper/VolGroup01-concroot /var/netwitness/concentrator ext4 defaults,noatime,nosuid 1 2
      /dev/mapper/VolGroup01-sessiondb /var/netwitness/concentrator/sessiondb xfs defaults,nosuid,noatime 1 2
      /dev/mapper/VolGroup01-index /var/netwitness/concentrator/index xfs defaults,noatime,nosuid 1 2
      /dev/mapper/VolGroup01-metadb /var/netwitness/concentrator/metadb xfs defaults,noatime,nosuid 1 2

    • For the Archiver:
      /dev/mapper/VolGroup01-archiver /var/netwitness/archiver xfs defaults,nosuid,noatime 1 2
      /dev/mapper/VolGroup02-workbench /var/netwitness/workbench xfs defaults,nosuid,noatime 1 2
    • For the Broker:
      /dev/mapper/VolGroup01-broker /var/netwitness/broker xfs defaults,nosuid,noatime 1 2
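
A check to run after editing /etc/fstab: it compares the volumes mounted in step 2 with the fstab entries from step 3 and reports any mount that would not come back after a reboot, or that lacks the nosuid option used throughout the entries above. This is an added example, not part of the RSA guide; fstab_audit is a hypothetical helper name and the sample data is constructed for a Concentrator.

```shell
#!/bin/sh
# Added example: compare live /var/netwitness mounts with a draft fstab.
# Sample data below is constructed for a Concentrator.

# fstab_audit MOUNTS FSTAB: print findings (sorted); return 1 if there are any.
fstab_audit() {
    findings=$(awk '
        function norm(p) { sub(/\/+$/, "", p); return p }  # drop trailing "/"
        FILENAME == ARGV[1] {                # live mounts (/proc/mounts layout)
            if ($2 ~ /^\/var\/netwitness\//) live[norm($2)] = $1
            next
        }
        /^[ \t]*#/ || /^[ \t]*$/ { next }    # fstab comments and blank lines
        $2 ~ /^\/var\/netwitness\// {
            mp = norm($2); seen[mp] = 1
            if (!(mp in live)) print "in fstab but not mounted: " mp
            else if (live[mp] != $1) print "device mismatch: " mp
            if (("," $4 ",") !~ /,nosuid,/) print "nosuid missing: " mp
        }
        END { for (mp in live) if (!(mp in seen)) print "mounted but not in fstab: " mp }
    ' "$1" "$2" | sort)
    if [ -z "$findings" ]; then return 0; fi
    printf '%s\n' "$findings"
    return 1
}

DEMO=$(mktemp -d)
cat > "$DEMO/mounts" <<'EOF'
/dev/mapper/VolGroup01-concroot /var/netwitness/concentrator ext4 rw,nosuid,noatime 0 0
/dev/mapper/VolGroup01-sessiondb /var/netwitness/concentrator/sessiondb xfs rw,nosuid,noatime 0 0
/dev/mapper/VolGroup01-index /var/netwitness/concentrator/index xfs rw,noatime 0 0
/dev/mapper/VolGroup01-metadb /var/netwitness/concentrator/metadb xfs rw,noatime 0 0
EOF
# Draft fstab with two constructed mistakes: no nosuid on index, metadb forgotten.
cat > "$DEMO/fstab" <<'EOF'
/dev/mapper/VolGroup01-concroot /var/netwitness/concentrator ext4 defaults,noatime,nosuid 1 2
/dev/mapper/VolGroup01-sessiondb /var/netwitness/concentrator/sessiondb xfs defaults,nosuid,noatime 1 2
/dev/mapper/VolGroup01-index /var/netwitness/concentrator/index/ xfs defaults,noatime 1 2
EOF
fstab_audit "$DEMO/mounts" "$DEMO/fstab" || echo "fix fstab before rebooting"
```

On a migrated host the same function is called as fstab_audit /proc/mounts /etc/fstab.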
