RN 11.2.1.2: Update Instructions

Document created by RSA Information Design and Development Employee on Jul 30, 2019. Last modified by RSA Information Design and Development Employee on Jul 31, 2019.
Version 2
 

Update Instructions

Read this information and follow these procedures to update NetWitness Platform to version 11.2.1.2.

The following update paths are supported for NetWitness Platform 11.2.1.2:

  • 11.1.x.x to 11.2.1.2
  • 11.2.x.x to 11.2.1.2

To update NetWitness Platform to 11.2.1.2 from either of these versions, you must have files for 11.2.0.0 (base release), 11.2.1.0 (service pack release), 11.2.1.1 (patch release), and 11.2.1.2 (patch release).

Note: Even if you are updating from an 11.2.x.x release, it is possible that the 11.2.0.0 base repository files could have been removed. These files must be on your system for the update to be successful.

For update paths supported for 11.2.0.0, see the Update Guide for Version 11.0.x.x or 11.1.x.x to 11.2.

You can update to the 11.2.1.2 patch release using one of the following options:

  • If the NetWitness Server has internet connectivity to Live Services, the NetWitness Platform User Interface can be used to apply the patch.

  • If the NetWitness Server does not have internet connectivity to Live Services, the Command Line Interface (CLI) can be used to apply the patch.

Update Tasks

Task 1: Disable Decoder Services

Before updating to 11.2.1.2, you must disable Capture AutoStart on Network Decoder and Network Hybrid Services.

To disable the Capture Autostart field:

  1. Go to ADMIN > Services.
    The Administration Services view is displayed.
  2. Select a Network Decoder or Network Hybrid service and select > View > Config.
    The services config view for the selected Network Decoder or Network Hybrid is displayed.
  3. In the Decoder Configuration panel, deselect the Capture Autostart field and click Apply.

Task 2: Update the Patch

You can choose one of the following update methods based on your internet connectivity.

Online Method (Connectivity to Live Services): Update Using NetWitness User Interface

You can use this method if the NetWitness Server is connected to Live Services and can obtain the package.

Note: If the NetWitness Server does not have access to Live Services, use Offline Method (No connectivity to Live Services): Update using the Command Line Interface.

Prerequisites

Make sure that:

  1. The “Automatically download information about new updates every day” option is checked and is applied in ADMIN > System > Updates.
  2. Go to ADMIN > Hosts > Update > Check for Updates to check for updates. The Host page displays the Update Available status.
  3. 11.2.1.2 is available under Update Version column.

Note: If you have custom certs, do the following to move custom certs from /etc/pki/nw/trust/import/ directory to /root/cert:
1.) mkdir /root/cert
2.) mv /etc/pki/nw/trust/import/* /root/cert

Procedure

  1. Go to ADMIN > Hosts.
  2. Select the NetWitness Server (nw-server) host.
  3. Check for the latest updates.

  4. Update Available is displayed in the Status column if you have a version update in your Local Update Repository for the selected host.
  5. Select 11.2.1.2 from the Update Version column. If you:
    • Want to view a dialog with the major features in the update and information on the updates, click the information icon to the right of the update version number.
    • Cannot find the version you want, select Update > Check for Updates to check the repository for any available updates. If an update is available, the message New updates are available is displayed and the Status column updates automatically to show Update Available. By default, only supported updates for the selected host are displayed.
  6. Click Update > Update Host from the toolbar.
  7. Click Begin Update.
  8. Click Reboot Host.
  9. Repeat steps 6 to 8 for other hosts.

Note: You can select multiple hosts to update at the same time only after updating and rebooting the NetWitness Admin server. All ESA, Endpoint Insights, and Malware Analysis hosts should be updated to the same version as that of NW Admin Server or NetWitness Admin Server.

Note: Not all components are changed for 11.2.1.2, so after you perform the update steps, it is normal to see some components with different version numbers. For a list of the components that were updated for this release, see Build Numbers.

Offline Method (No connectivity to Live Services): Update using the Command Line Interface

You can use this method if the NetWitness Server is not connected to Live Services.

Prerequisites

Make sure that you have downloaded the following files, which contain all the NetWitness Platform 11.2.1.2 update files, from RSA Link (https://community.rsa.com/) > NetWitness Platform > RSA NetWitness Logs and Network > Downloads > RSA Downloads to a local directory: netwitness-11.2.1.2.zip.

                         
Updating from          Download and Stage File
11.1.x.x               netwitness-11.2.0.0.zip, netwitness-11.2.1.0.zip, netwitness-11.2.1.1.zip, and netwitness-11.2.1.2.zip
11.2.0.0 or 11.2.0.1   netwitness-11.2.1.0.zip, netwitness-11.2.1.1.zip, and netwitness-11.2.1.2.zip
11.2.1.0               netwitness-11.2.1.1.zip and netwitness-11.2.1.2.zip
11.2.1.1               netwitness-11.2.1.2.zip

Procedure

You need to perform the update steps for NW Admin servers and for component servers.

Note: If you are updating from 11.1.x.x to 11.2.1.2, you must download the NetWitness Platform 11.2.0.0 files netwitness-11.2.0.0.zip and NetWitness Platform 11.2.1.0 files netwitness-11.2.1.0.zip, and set them up in the staging folder, in addition to the 11.2.1.2 files.

Note: If you copy and paste the commands from a PDF into a Linux SSH terminal, the characters do not work. It is recommended that you type the commands.

  1. If you are updating from 11.1.x.x, you must stage the required previous releases by creating the following directories on the NetWitness Server, and copying the package zip files to these directories. For more information on packages, see Prerequisites:

    /tmp/upgrade/11.2.0.0
    /tmp/upgrade/11.2.1.0
    /tmp/upgrade/11.2.1.1
    and then extract the zip packages for those releases:
    unzip netwitness-11.2.0.0.zip -d /tmp/upgrade/11.2.0.0
    unzip netwitness-11.2.1.0.zip -d /tmp/upgrade/11.2.1.0
    unzip netwitness-11.2.1.1.zip -d /tmp/upgrade/11.2.1.1

  2. If you are updating from 11.2.x.x, you must stage the required previous releases by creating the following directories on the NetWitness Server, and copying the package zip files to these directories. For more information on packages, see Prerequisites:

    /tmp/upgrade/11.2.1.0
    /tmp/upgrade/11.2.1.1
    and then extract the zip packages for those releases:
    unzip netwitness-11.2.1.0.zip -d /tmp/upgrade/11.2.1.0
    unzip netwitness-11.2.1.1.zip -d /tmp/upgrade/11.2.1.1

  3. Stage 11.2.1.2 by creating a directory on the NetWitness Server at /tmp/upgrade/11.2.1.2 and extract the zip package.
    unzip netwitness-11.2.1.2.zip -d /tmp/upgrade/11.2.1.2
  4. Note: If you copied the .zip file to the created staging directory to unzip, make sure that you delete the initial .zip file that you copied to the staging location after you extract it.

  5. Initialize the update, using the following command:
    upgrade-cli-client --init --version 11.2.1.2 --stage-dir /tmp/upgrade
  6. Update NetWitness Server, using the following command:
    upgrade-cli-client --upgrade --host-addr <IP of Netwitness Server> --version 11.2.1.2
  7. When the component host update is successful, reboot the host from the NetWitness UI.
  8. Repeat steps 3 through 5 for each component host, changing the IP address to the component host which is being updated.

Note: You can check versions of all the hosts, using the command upgrade-cli-client --list on the NetWitness Server. If you want to view the help content of upgrade-cli-client, use the command upgrade-cli-client --help.

Note: If the following error displays during the update process, the patch will install correctly:
2017-11-02 20:13:26.580 ERROR 7994 — [ 127.0.0.1:5671] o.s.a.r.c.CachingConnectionFactory : Channel shutdown: connection error; protocol method: #method<connection.close>(reply-code=320, reply-text=CONNECTION_FORCED - broker forced connection closure with reason 'shutdown', class-id=0, method-id=0)
No action is required. If you encounter additional errors when updating a host to a new version, contact Customer Support (Contacting Customer Care).
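The package table and the staging steps above, written as a script. This is an added example, not RSA tooling: the function names are made up for illustration, the download directory in the usage comment is an assumption, and only the starting versions listed in the table are accepted.

```bash
# Added example (not from the RSA documentation): plan and check offline staging.

# Releases that must be staged for a given starting version, following the
# "Download and Stage File" table above.
required_releases() {  # usage: required_releases <from_version>
  case "$1" in
    11.1.*)            echo "11.2.0.0 11.2.1.0 11.2.1.1 11.2.1.2" ;;
    11.2.0.0|11.2.0.1) echo "11.2.1.0 11.2.1.1 11.2.1.2" ;;
    11.2.1.0)          echo "11.2.1.1 11.2.1.2" ;;
    11.2.1.1)          echo "11.2.1.2" ;;
    *) echo "unsupported starting version: $1" >&2; return 1 ;;
  esac
}

# Required zip files that are absent from the download directory.
missing_packages() {  # usage: missing_packages <from_version> <download_dir>
  local rel releases
  releases=$(required_releases "$1") || return 1
  for rel in $releases; do
    [ -f "$2/netwitness-$rel.zip" ] || echo "netwitness-$rel.zip"
  done
}

# Extract every required zip into <stage_dir>/<release>. Nothing is staged
# unless the full set of packages is present.
stage_packages() {  # usage: stage_packages <from_version> <download_dir> <stage_dir>
  local rel missing
  missing=$(missing_packages "$1" "$2") || return 1
  if [ -n "$missing" ]; then
    echo "missing packages:" $missing >&2
    return 2
  fi
  for rel in $(required_releases "$1"); do
    mkdir -p "$3/$rel" && unzip -q "$2/netwitness-$rel.zip" -d "$3/$rel" || return 3
  done
}

# Zip files left under the staging tree; the note in the staging step says to
# delete any zip that was copied there once it has been extracted.
stray_zips() {  # usage: stray_zips <stage_dir>
  find "$1" -type f -name '*.zip' 2>/dev/null
}

# Usage (download directory is an assumption):
#   stage_packages 11.1.0.3 /root/downloads /tmp/upgrade && stray_zips /tmp/upgrade
```

Because the zips are extracted straight from the download directory, `stray_zips` should print nothing after a clean run.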

External Repo Instructions for CLI Update

Note: The external repo that is to be set up should have the 11.2.1.2 repo set under the same directory as 11.2.0.0.

  1. Stage 11.2.1.2 by creating a directory on the NetWitness Server at /tmp/upgrade/11.2.1.2 and extract the zip package.
    unzip netwitness-11.2.1.2.zip -d /tmp/upgrade/11.2.1.2

    Note: If you copied the .zip file to the created staging directory to unzip, make sure that you delete the initial .zip file that you copied to the staging location after you extract it.

  2. Initialize the update using the following command:
    upgrade-cli-client --init --version 11.2.1.2 --stage-dir /tmp/upgrade
  3. Update NetWitness Server using the following command:
    upgrade-cli-client --upgrade --host-addr <IP of Netwitness Server> --version 11.2.1.2
  4. When the component host update is successful, reboot the host from the NetWitness UI.
  5. Repeat steps 3 and 4 for each component host, changing the IP address to the component host which is being updated.

Note: You can check versions of all the hosts using the command upgrade-cli-client --list on NetWitness Server. If you want to view the help content of upgrade-cli-client, use the command upgrade-cli-client --help.

Note: If the following error displays during the update process, the patch will install correctly:
2017-11-02 20:13:26.580 ERROR 7994 — [ 127.0.0.1:5671] o.s.a.r.c.CachingConnectionFactory : Channel shutdown: connection error; protocol method: #method<connection.close>(reply-code=320, reply-text=CONNECTION_FORCED - broker forced connection closure with reason 'shutdown', class-id=0, method-id=0)
No action is required. If you encounter additional errors when updating a host to a new version, contact Customer Support (Contacting Customer Care).

Post-Update Tasks

This topic is divided into two sections, based on the version that you are updating from:

Post Update Tasks if you are Updating From 11.1.x.x

Perform all the tasks in this section if you are updating from 11.1.x.x.

Task 1 - Update HIVE version

If you are updating from 11.1.x.x, you must install the HIVE version that is compatible with Warehouse. To install the latest HIVE version, run the following commands on the NetWitness Admin server and restart the Reporting Engine service.

  1. To install HIVE 0.12 version, run the following command:
    rpm -ivh rsa-nw-hive-jdbc-0.12.0-1.x86_64.rpm
  2. To install HIVE 1.0 version, run the following command:
    rpm -ivh rsa-nw-hive-jdbc-1.0.0-1.x86_64.rpm

Task 2 (Optional) - Move the custom certs

Move the custom certs from the external directory to the /etc/pki/nw/trust/import directory.

Task 3 (Conditional) - Reconfigure PAM Radius Authentication

If you configured PAM Radius authentication in 11.2.x.x using the pam_radius package, you must reconfigure it in 11.2.1.2 using the pam_radius_auth package.

Execute the following commands on the NW Server on which the Admin server resides.

Note: If you have configured pam_radius in 11.x.x.x, perform the below steps to uninstall the existing version, or you can proceed with step 2.

  1. Verify the existing package and uninstall the existing pam_radius:

rpm -qa | grep pam_radius

yum erase pam_radius

  2. To install the pam_radius_auth package, execute the following command:

yum install pam_radius_auth

  3. Edit the RADIUS configuration file, /etc/raddb/server, as follows and add the configurations for the RADIUS server:

# server[:port] shared_secret timeout (s)

server secret 3

For example - 111.222.33.44 secret 1

  4. Edit the NetWitness Server PAM configuration file /etc/pam.d/securityanalytics to add the following line. If the file does not exist, create it and add the following line:

auth sufficient pam_radius_auth.so

  5. Provide the write permission to the /etc/raddb/server file using the command:

chown netwitness:netwitness /etc/raddb/server

  6. To copy the pam_radius_auth library, execute the following command:

cp /usr/lib/security/pam_radius_auth.so /usr/lib64/security/

  7. To restart the jetty server after making the changes to the pam_radius_auth configuration, execute the following command:

systemctl restart jetty
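One way to check the files edited in Task 3 before restarting jetty. This is an added example, not part of the RSA documentation, and the function names are hypothetical; the check for read access by other users goes beyond the steps above and is included because /etc/raddb/server holds the RADIUS shared secret.

```bash
# Added example (not from the RSA documentation): check the files edited in Task 3.

# Flag entries in a pam_radius_auth server file that do not match the format
# shown above: server[:port] shared_secret timeout. Secrets are never printed.
check_radius_servers() {  # usage: check_radius_servers <server_file>
  awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }   # comments and blank lines
    NF != 3          { printf "line %d: expected 3 fields, found %d\n", NR, NF; bad = 1; next }
    $3 !~ /^[0-9]+$/ { printf "line %d: timeout is not a number\n", NR; bad = 1; next }
    $2 == "secret"   { printf "line %d: placeholder shared secret\n", NR; bad = 1; next }
                     { ok++ }
    END { if (!ok) { print "no valid server entries"; bad = 1 }
          exit bad + 0 }
  ' "$1"
}

# Succeed only if the PAM service file has an active (uncommented)
# "auth sufficient pam_radius_auth.so" line.
check_pam_line() {  # usage: check_pam_line <pam_file>
  grep -Eq '^[[:space:]]*auth[[:space:]]+sufficient[[:space:]]+pam_radius_auth\.so([[:space:]]|$)' "$1"
}

# Check the ownership set by the chown step and, as an extra check that is not
# in the steps above, that the secret file is not readable by other users.
check_secret_file() {  # usage: check_secret_file <server_file> [owner] [group]
  local f=$1 owner=${2:-netwitness} group=${3:-netwitness} rc=0
  if [ -z "$(find "$f" -maxdepth 0 -user "$owner" -group "$group" 2>/dev/null)" ]; then
    echo "$f: not owned by $owner:$group"; rc=1
  fi
  if [ -n "$(find "$f" -maxdepth 0 -perm -004 2>/dev/null)" ]; then
    echo "$f: readable by other users"; rc=1
  fi
  return $rc
}

# Usage on the NetWitness Server:
#   check_radius_servers /etc/raddb/server
#   check_pam_line /etc/pam.d/securityanalytics || echo "pam_radius_auth line missing"
#   check_secret_file /etc/raddb/server
```

An entry copied unchanged from the template or the example line is reported as a placeholder shared secret, because its second field is the literal word `secret`.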

Task 4 - Restart the Respond Server

Restart the Respond server:

systemctl restart rsa-nw-respond-server

Post Update Tasks if you are Updating From 11.2.x.x

Perform all the tasks in this section if you are updating from 11.2.x.x.

Task 1 - Update HIVE version

If you are updating from 11.2.0.0 or 11.2.0.1 to 11.2.1.2, you must install the HIVE version that is compatible with Warehouse. To install the latest HIVE version, run the following commands on the NetWitness Admin server, and restart the Reporting Engine service.

  1. To install HIVE 0.12 version, run the following command:
    rpm -ivh rsa-nw-hive-jdbc-0.12.0-1.x86_64.rpm
  2. To install HIVE 1.0 version, run the following command:
    rpm -ivh rsa-nw-hive-jdbc-1.0.0-1.x86_64.rpm

Task 2 - Restart the Respond Server

Restart the Respond server:

systemctl restart rsa-nw-respond-server
