Post Expedited Upgrade Tasks
Expedited Upgrade Workflow
Some items cannot be brought over automatically in the expedited upgrade process. Many of the preparation tasks include backing up data from the source Gateway. The backup tasks appear in Preparing for Expedited Upgrade.
indicates that the restoration task has been automated as part of the Automated Expedited Procedure.
If you are following the manual expedited procedure, you still need to perform this task manually.
Complete any of the following tasks that apply to your installation:
Restore Custom and Modular Assertions and Other Gateway Artifacts
Perform this task if you have previously backed up custom and modular assertions from the source Gateway. Run ssgrestore.sh to restore custom and modular assertions on the primary node, the secondary node, and the remaining processing nodes. Check whether the modular assertions require a version update or are applicable to Gateway 10.
/opt/SecureSpan/Gateway/config/backup/ssgrestore.sh -image name.zip -ca -ma
In addition to custom and modular assertions, you can also restore other backed up Gateway artifacts such as log files, audit records, and configuration files with ssgrestore.sh. To learn more, see Restore Gateways.
Restore PAPIM EPAgent Files and Configuration
Perform this task if you have previously backed up the PAPIM EPAgent files and configuration.
To restore PAPIM EPAgent:
- Create the PAPIM user, then add the user to the layer7 and gateway groups:
  # useradd -m apmusr
  # usermod -a -G layer7 apmusr
  # usermod -a -G gateway apmusr
- Restore the /opt/apm105 backup folder. If the hostname has changed, update introscope.agent.hostName in /opt/apm105/epagent/IntroscopeEPAgent. Change the directory ownership of /opt/apm105:
  # chown -R apmusr:apmusr /opt/apm105
  Change the directory permissions:
  # chmod -R 775 /opt/apm105
- Restore the start script file /etc/init.d/epagent. Change the file permissions:
  # chmod 755 /etc/init.d/epagent
  Configure the epagent service to start on boot:
  # chkconfig --add epagent
- Restore the .bash_profile and .my.cnf files to the user directory (/home/apmusr/.my.cnf and /home/apmusr/.bash_profile). Change the file ownership, then the file permissions:
  # chown apmusr:apmusr /home/apmusr/.my.cnf
  # chown apmusr:apmusr /home/apmusr/.bash_profile
  # chmod 400 /home/apmusr/.my.cnf
  # chmod 400 /home/apmusr/.bash_profile
- Start the epagent service:
  # service epagent start
Copy .JAR Files
The .JAR files are required for some features such as JDBC or JMS. Copy all .JAR files from the source Gateway to these directories on the destination Gateway:
Reapply iptables File Modifications
If the source Gateway had port redirects in the iptables file, manually reapply these redirects on the destination Gateway.
Copy System Property Modifications
System property modifications made to the file contents in /opt/SecureSpan/Gateway/node/default/etc/conf must be manually copied from the source Gateway to the destination Gateway. For example, you may have modified properties in the
Post-Upgrade Update for SafeNet Luna
Post-Upgrade Tasks for nShield HSMs
The following post-upgrade procedures apply if your expedited upgrade involves nShield Solo+ or Connect/Connect XC HSMs.
nShield Solo+ Post-Upgrade Tasks
If you have backed up private keys for the nShield Solo+ HSM from your source Gateway appliance, you may restore them to your target Gateway appliance with the following steps:
- Restore the backed-up files from the /opt/nfast/kmdata folder.
- Set the correct permissions and ownership in the kmdata directory with: tar --same-owner -svf
- Enable the use of the HSM on the Gateway via the Gateway Main Menu (Appliance).
nShield Connect/Connect XC Post-Upgrade Tasks
After importing the backed-up MySQL database to the target Gateway appliance and reconfiguring the HSM (keys restored along with permissions and ownership) as described in the Manual Expedited Upgrade topic, enable the use of the HSM on the Gateway via the Gateway Main Menu (Appliance).
These tasks only apply if the source and destination Gateway cluster.hostname are different.
Co-located OTK Database Tasks
Post-upgrade configuration is required for co-located OTK databases if the source and destination Gateway cluster.hostname are different. A co-located OTK database is deployed locally on the Gateway node. On the destination Gateway, open the Policy Manager and perform the following tasks:
- Navigate to Tasks > Global Settings > Manage Cluster-Wide Properties.
- Add the oauth_client_key.callback key with the destination Gateway's cluster.hostname value.
- Edit the cluster.hostname key with the new value.
- Navigate to Tasks > Data Sources > Manage JDBC Connections.
- Select the OTK connection and click Edit.
- Edit the JDBC URL to reflect the new cluster.hostname value and click OK.
- If the host's SSL certificate has changed, import the new SSL certificate:
  - Navigate to Tasks > Certificates Keys & Secrets > Manage Certificates.
  - Select Import from Private Key's Certificate Chain.
  - Select 'ssl' in Software DB.
  - Click Next. Click Next.
  - Select at least the first three usage options. Click Next.
  - Click Certificate is a Trust Anchor.
TSSG Related Tasks
If the source TSSG and destination TSSG cluster.hostname are different, you need to re-enroll the TSSG.
- Delete all portal.* cluster properties and cluster.apiplan* cluster properties:
  mysql> delete from cluster_properties where propkey like 'portal.%';
  mysql> delete from cluster_properties where propkey like 'cluster.apiplan%';
- Delete the following Trusted Certificates:
- Delete Portal related scheduled tasks. Go to Tasks > Global Settings > Manage Scheduled Tasks and remove the following tasks:
  - Portal *
  - Delete Portal Entities
  - Move Metrics Data Off Box Task
- Follow Portal instructions on how to enroll the TSSG.
Update my.cnf File in CentOS 7
In CentOS 7, systemd manages MySQL server startup and shutdown. mysqld_safe is not installed because it is not needed. Some parameters, such as the log file path and pid-file, are defined in the [mysqld_safe] section of the my.cnf file. To ensure that all these parameters are considered and reflected correctly, edit the my.cnf file to copy all the parameters to the [mysqld] section:
- Move all the content from the [mysqld_safe] section to the [mysqld] section. Example content:
  max_allowed_packet=1G
  net_buffer_length=100000
  log-error=/var/log/mysqld.log
  pid-file=/var/run/mysqld/mysqld.pid
- Restart the MySQL server.
Ensure that you overwrite the existing pid-file parameter line rather than adding a second one. If there are multiple entries in the [mysqld] section for a parameter, only the last line is honoured and earlier entries are ignored.
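The [mysqld_safe] to [mysqld] merge described above, as an added Python example that is not part of this documentation. It works on my.cnf text rather than the file itself (read and write /etc/my.cnf around it), uses a constructed sample file, removes an existing pid-file line from [mysqld] instead of duplicating it, and its options() helper shows the last-line-wins rule for duplicated keys.

```python
import re

SECTION_RE = re.compile(r"^\s*\[([^\]]+)\]\s*$")
KEY_RE = re.compile(r"^([A-Za-z0-9_-]+)\s*(?:=\s*(.*?))?\s*$")
# Constructed sample my.cnf (not from a real appliance): [mysqld] already carries a
# pid-file line and a duplicated max_allowed_packet; [mysqld_safe] must be merged in.
SAMPLE_MY_CNF = """[mysqld]
max_allowed_packet=16M
pid-file=/var/run/mysqld/old.pid
max_allowed_packet=1G
[mysqld_safe]
log-error=/var/log/mysqld.log
pid-file=/var/run/mysqld/mysqld.pid
"""

def _kv(line):
    # (normalised key, value) of a 'key=value' line, or None for blanks and comments.
    # MySQL treats '-' and '_' in option names as the same character: normalise to '_'.
    s = line.strip()
    m = KEY_RE.match(s) if s and s[0] not in "#;" else None
    return (m.group(1).replace("-", "_"), m.group(2)) if m else None

def parse_sections(text):
    # Split my.cnf text into [(section, [lines])]; lines before any header get None.
    sections = [(None, [])]
    for line in text.splitlines():
        if m := SECTION_RE.match(line):
            sections.append((m.group(1), []))
        else:
            sections[-1][1].append(line)
    return sections

def options(text, section):
    # {key: value} for `section`; dict() keeps the LAST value of a duplicated key, i.e. last line wins.
    return dict(kv for name, lines in parse_sections(text) if name == section
                for l in lines if (kv := _kv(l)))

def merge_mysqld_safe(text):
    # Move [mysqld_safe] options into [mysqld], replacing same-named lines there (e.g. pid-file).
    kept = [[n, ls] for n, ls in parse_sections(text) if n != "mysqld_safe"]
    moved = {kv[0]: l.strip() for n, ls in parse_sections(text) if n == "mysqld_safe"
             for l in ls if (kv := _kv(l))}
    target = next((s for s in kept if s[0] == "mysqld"), None)
    if target is None:                      # no [mysqld] yet: create one at the end
        kept.append(target := ["mysqld", []])
    target[1] = [l for l in target[1] if not (_kv(l) and _kv(l)[0] in moved)]
    target[1] += list(moved.values())
    out = [x for n, ls in kept for x in ([f"[{n}]"] if n else []) + ls]
    return "\n".join(out) + "\n"
```

After merging, compare options(merged, "mysqld") with what you expect before restarting MySQL; a stale pid-file or log-error value from an earlier line would otherwise be silently overridden.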