Post Expedited Upgrade Tasks

Expedited Upgrade Workflow
Some items cannot be brought over automatically in the expedited upgrade process. Many of the preparation tasks include backing up data from the source Gateway. The backup tasks appear in Preparing for Expedited Upgrade.
indicates that the restoration task has been automated as part of the Automated Expedited Procedure.
If you are following the manual expedited procedure, you still need to perform this task manually.   
Complete any of the following tasks that apply to your installation:
Restore Custom and Modular Assertions and Other Gateway Artifacts
Perform this task if you have previously backed up custom and modular assertions from the source Gateway. Run ssgrestore.sh to restore custom and modular assertions on the primary node, secondary node, and remaining processing nodes. Check whether the modular assertions require a version update or are applicable to Gateway 10.
/opt/SecureSpan/Gateway/config/backup/ssgrestore.sh -image name.zip -ca -ma
In addition to custom and modular assertions, you can also restore other backed up Gateway artifacts such as log files, audit records, and configuration files with ssgrestore.sh. To learn more, see Restore Gateways.
Restore PAPIM EPAgent Files and Configuration
Perform this if you have previously backed up the PAPIM EPAgent Files and Configuration.
To restore PAPIM EPAgent:
  1. Create the PAPIM user then add the user to the layer7 and gateway groups:
    # useradd -m apmusr
    # usermod -a -G layer7 apmusr
    # usermod -a -G gateway apmusr
  2. Restore the /opt/apm105 backup folder.
    If the hostname has changed, update introscope.agent.hostName at /opt/apm105/epagent/IntroscopeEPAgent.
    Change directory ownership of /opt/apm105:
    # chown -R apmusr:apmusr /opt/apm105
    Change directory permissions:
    # chmod -R 775 /opt/apm105
  3. Restore start script file: /etc/init.d/epagent
    Change file permissions:
    # chmod 755 /etc/init.d/epagent
    Configure epagent service to start on boot:
    # chkconfig --add epagent
  4. Restore .bash_profile and .my.cnf files to user directory /home/apmusr/.my.cnf
    Change file ownership then file permissions:
    # chown apmusr:apmusr /home/apmusr/.my.cnf
    # chown apmusr:apmusr /home/apmusr/.bash_profile
    # chmod 400 /home/apmusr/.my.cnf
    # chmod 400 /home/apmusr/.bash_profile
  5. Start the epagent service:
    # service epagent start
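The restore above depends on several ownership and mode settings, and `.my.cnf` in particular must stay at mode 400. The following check is an added example, not part of the product documentation; the function names and the ROOT argument (which lets it run against a staging copy) are hypothetical, and only the modes and owners stated in the steps are checked.

```shell
#!/bin/sh
# Added example: verify modes/ownership after the PAPIM EPAgent restore steps.
# ROOT lets the check run against a staging copy; pass "" on the Gateway itself.

# check_entry PATH MODE [OWNER]: succeed only if PATH exists with exactly MODE
# (and OWNER, when given). Uses only POSIX find primaries.
check_entry() {
    ce_path=$1; ce_mode=$2; ce_owner=${3:-}
    if [ ! -e "$ce_path" ]; then
        echo "MISSING $ce_path"; return 1
    fi
    set -- "$ce_path" -prune -perm "$ce_mode"
    if [ -n "$ce_owner" ]; then set -- "$@" -user "$ce_owner"; fi
    if [ -n "$(find "$@" 2>/dev/null)" ]; then
        echo "OK      $ce_path"
    else
        echo "FAIL    $ce_path (want mode $ce_mode${ce_owner:+, owner $ce_owner})"
        return 1
    fi
}

# audit_epagent_restore ROOT USER: returns 0 only if every restored item
# matches the values given in the procedure.
audit_epagent_restore() {
    ar_root=$1; ar_user=$2; ar_rc=0
    check_entry "$ar_root/home/$ar_user/.my.cnf"       400 "$ar_user" || ar_rc=1
    check_entry "$ar_root/home/$ar_user/.bash_profile" 400 "$ar_user" || ar_rc=1
    # The page gives only the mode for the init script, so owner is not checked.
    check_entry "$ar_root/etc/init.d/epagent"          755            || ar_rc=1
    # chown -R and chmod -R 775 apply to every entry below /opt/apm105.
    ar_bad=$(find "$ar_root/opt/apm105" \
        \( ! -user "$ar_user" -o ! -perm 775 \) 2>/dev/null) || true
    if [ ! -d "$ar_root/opt/apm105" ] || [ -n "$ar_bad" ]; then
        echo "FAIL    $ar_root/opt/apm105 tree:"; echo "$ar_bad"; ar_rc=1
    fi
    return "$ar_rc"
}
```

On the destination Gateway, run `audit_epagent_restore "" apmusr` as root before starting the epagent service.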
Copy .JAR Files
The .JAR files are required for some features such as JDBC or JMS. Copy all .JAR files from the source Gateway to these directories on the destination Gateway:
/runtime/lib/ext
/runtime/lib
Reapply iptables File Modifications
If the source Gateway had port redirects in the iptables file, manually reapply these redirects on the destination Gateway.
Copy System Property Modifications
Any property modifications made to the file contents in /opt/SecureSpan/Gateway/node/default/etc/conf must be manually copied from the source Gateway to the destination Gateway. For example, you may have modified properties in the system.properties or telemetry.properties files.
Post-Upgrade Update for SafeNet Luna
Install and configure your Luna HSM Client for your destination Gateway via one of the options: For either option, be sure to make the required java.security modifications as instructed.
Post-Upgrade Tasks for nShield HSMs
The following post-upgrade procedures apply if your expedited upgrade involves nShield Solo+ or Connect/Connect XC HSMs.
nShield Solo+ Post-Upgrade Tasks
If you have backed up private keys for the nShield Solo+ HSM from your source Gateway appliance, you may restore them to your target Gateway appliance with the following steps:
  1. Restore the backed-up files from the /opt/nfast/kmdata folder.
  2. Set the correct permissions and ownership with
    kmdata dir: tar --same-owner -svf
  3. Enable the use of the HSM on the Gateway via the Gateway Main Menu (Appliance).
nShield Connect/Connect XC Post-Upgrade Tasks
After importing the backed-up MySQL database to the target Gateway appliance and reconfiguring the HSM (keys restored along with permissions and ownership) as described in the Manual Expedited Upgrade topic, enable the use of the HSM on the Gateway via the Gateway Main Menu (Appliance).
Co-located OTK Database Tasks
These tasks only apply if the source and destination Gateway cluster.hostname are different.
Post-upgrade configuration is required for co-located OTK databases if the source and destination Gateway cluster.hostname are different. A co-located OTK database is deployed locally on the Gateway node.
On the destination Gateway, open the Policy Manager and perform the following tasks:
  1. Navigate to Tasks > Global Settings > Manage Cluster-Wide Properties.
  2. Add the oauth_client_key.callback key with the destination Gateway's cluster.hostname value.
  3. Edit the cluster.hostname key with the new value.
  4. Navigate to Tasks > Data Sources > Manage JDBC Connections.
  5. Select the OTK connection and click Edit.
  6. Edit the JDBC URL to reflect the new cluster.hostname value and click OK.
  7. If the host's SSL certificate has changed, import the new SSL certificate:
    1. Navigate to Tasks > Certificates Keys & Secrets > Manage Certificates.
    2. Click Add.
    3. Select Import from Private Key's Certificate Chain.
    4. Select 'ssl' in Software DB.
    5. Click Next. Click Next.
    6. Select at least the first three usage options. Click Next.
    7. Click Certificate is a Trust Anchor.
    8. Click Finish.
TSSG Related Tasks
If the source TSSG and destination TSSG cluster.hostname are different, you need to re-enroll TSSG.
  1. Delete all portal.* cluster properties, and cluster.apiplan* cluster properties.
    mysql> delete from cluster_properties where propkey like 'portal.%';
    mysql> delete from cluster_properties where propkey like 'cluster.apiplan%';
  2. Delete the following Trusted Certificates:
    • analytics*
    • pssg
    • apim-ssg*
  3. Delete Portal Related Scheduled Tasks. Go to Tasks > Global Settings > Manage Scheduled Tasks and remove the following tasks:
    • Portal *
    • Delete Portal Entities
    • Move Metrics Data Off Box Task
  4. Follow Portal instructions on how to enroll the TSSG.
Update my.cnf File in CentOS7
In CentOS7, systemd manages MySQL server startup and shutdown. mysqld_safe is not installed because it is not needed. Some parameters, such as the log file path and pid-file, are defined in the [mysqld_safe] section of the my.cnf file. To ensure that all these parameters are considered and reflected correctly, edit the my.cnf file to copy all the parameters to the [mysqld] section.
  1. Edit the my.cnf file.
  2. Move all the content from the [mysqld_safe] section to the [mysqld] section.
    Example content shown below:
    max_allowed_packet=1G
    net_buffer_length=100000
    log-error=/var/log/mysqld.log
    pid-file=/var/run/mysqld/mysqld.pid
  3. Restart the MySQL server.
Ensure that you overwrite the pid-file parameter line. If there are multiple entries in the [mysqld] section for a parameter, only the last line takes effect and earlier entries are ignored.
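The move in step 2, including the duplicate handling described above, can be scripted. This is an added example, not part of the product documentation: the function name merge_mysqld_safe is hypothetical, it assumes the [mysqld_safe] value is the one to keep, and it treats pid_file and pid-file as the same option name, as MySQL does. Comments inside [mysqld_safe] are dropped.

```shell
#!/bin/sh
# Added example: print a merged my.cnf with every [mysqld_safe] option moved
# into [mysqld]. Output goes to stdout so it can be diffed before installing.
merge_mysqld_safe() {
    awk '
    # Option name without its value; pid_file and pid-file name the same option.
    function key(line,    k) {
        k = line; sub(/=.*/, "", k); gsub(/[ \t]/, "", k); gsub(/_/, "-", k)
        return k
    }
    # Emit the moved options once, as the last lines of the first [mysqld].
    function emit(    i) {
        if (done) return
        for (i = 1; i <= n; i++) print moved[i]
        done = 1
    }
    FNR == 1 { sec = "" }                 # reset at the start of each pass
    /^[ \t]*\[/ {                         # section header
        if (NR != FNR && sec == "mysqld") emit()
        sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*/, "", sec)
        if (NR != FNR && sec != "mysqld_safe") print
        next
    }
    NR == FNR {                           # pass 1: collect [mysqld_safe] options
        if (sec == "mysqld_safe" && $0 !~ /^[ \t]*([#;].*)?$/) {
            moved[++n] = $0; seen[key($0)] = 1
        }
        next
    }
    sec == "mysqld_safe" { next }         # pass 2: drop the old section
    sec == "mysqld" && (key($0) in seen) { next }   # drop overridden entries
    { print }
    END {
        if (sec == "mysqld") emit()
        if (!done && n) { print "[mysqld]"; emit() }  # no [mysqld] section yet
    }' "$1" "$1"
}
```

Review the result with `merge_mysqld_safe /etc/my.cnf | diff /etc/my.cnf -` before replacing the file and restarting the MySQL server.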