13.2 Upgrading a Traditional Installation

Ensure that NTP has synchronized your computer time with the network time. Perform the upgrade in the following order:

After completing the upgrade, perform the post upgrade configurations.

13.2.1 Upgrading Change Guardian

If you are upgrading the Change Guardian server on a computer running RHEL, ensure that the 64-bit expect RPM is installed before you start the upgrade.

To upgrade the Change Guardian Server in a traditional installation:

  1. Back up your information using the cgbackup_util.sh script.

    For information about using the backup utility, see Section 12.0, Backing Up and Restoring Data.

  2. Download the latest installer from the Downloads website.

    You must be a registered user to download patches. If you have not registered, click Register to create a user account in the patch download site.

  3. Copy the installer file to a directory that has 0755 permissions.

    NOTE: Upgrading from any directory within /root fails because certain upgrade commands run as a non-root user. Such commands cannot run if the installer is in the /root directory.

  4. Log in as root to the Change Guardian server you want to upgrade.

  5. Extract install files from the tar file:

    tar -zxvf <install_filename>

  6. Change to the directory where the install file was extracted.

  7. Start the upgrade:

    ./install-changeguardian.sh

  8. (Conditional) If you want to upgrade from a custom path, specify the following command:

    ./install-changeguardian.sh --location=<custom_CG_directory_path>

    NOTE: You can only upgrade from a custom path used for the original installation and the path must have 0755 permissions.

  9. (Conditional) If NTP could not synchronize your computer time with the network time, make the required changes.

  10. (Conditional) If your system does not meet the recommended disk space, make the required changes to the computer.

    NOTE: The recommended disk space is for Change Guardian upgrade files. Allocate the recommended space in /, /var/opt, and /opt.

  11. To proceed with a language of your choice, select the number next to the language.

  12. If there are changes to the end user license agreement, read and accept the changes.

  13. Specify yes to approve the upgrade.

    The upgrade might take a few seconds to complete.

  14. (Conditional) If you are upgrading from Change Guardian 5.2 to 6.1, perform the following steps:

    1. Select the desired migration option. Specify option 1, 2, or 4.

      The following options are displayed:

      [1] --> Migrate both Alerts and Security Intelligence data (recommended)
      [2] --> Migrate only Alerts data
      [3] --> Migrate only Security Intelligence data
      [4] --> Only upgrade without migrating data

      WARNING: Ensure that you select the appropriate option because you cannot repeat this procedure after the upgrade is successful.

      The data that was stored in MongoDB is retained as a backup.

    2. Specify yes to proceed with the migration.

    3. If data migration is not successful, clean up data from PostgreSQL.

  15. (Conditional) The data in MongoDB is redundant because Change Guardian 6.0 stores data only in PostgreSQL. To remove redundant data from MongoDB, clear the disk space:

    ./mongodb_cleanup.sh

  16. Verify that you see the migrated content and that you are receiving new alerts by logging in to the Threat Response Dashboard.

  17. Verify that you can connect to the Change Guardian web interface by accessing the following URL:

    https://IP_Address_Change_Guardian_server:8443

Based on your security requirement, perform the post upgrade configurations.
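
The checks that the procedure above asks for before the installer runs (the 64-bit expect RPM on RHEL, an installer directory with 0755 permissions outside /root, and free space in /, /var/opt, and /opt) can be scripted. The following is an added example, not part of the product; the function names and the required-MB argument are assumptions, because this page does not state the recommended disk space figure.

```shell
#!/bin/sh
# Added example: pre-flight checks before running install-changeguardian.sh.
# Function names and the required-MB argument are assumptions.

# RHEL only: the 64-bit expect RPM must be present (x86_64 assumed).
check_expect_rpm() {
    [ -f /etc/redhat-release ] || return 0
    rpm -q --qf '%{ARCH}\n' expect 2>/dev/null | grep -qx 'x86_64' && return 0
    echo "FAIL: 64-bit expect RPM is not installed"; return 1
}

# Installer directory must be mode 0755 and must not be /root or below it.
check_installer_dir() {
    dir=$(cd "$1" 2>/dev/null && pwd -P) || { echo "FAIL: cannot enter $1"; return 1; }
    case "$dir/" in
        /root/*) echo "FAIL: $dir is inside /root"; return 1 ;;
    esac
    mode=$(stat -c '%a' "$dir") || return 1
    [ "$mode" = "755" ] || { echo "FAIL: $dir is mode $mode, expected 755"; return 1; }
    echo "OK: $dir"
}

# Free space in MB on the file system that holds the given path.
avail_mb() {
    df -Pk "$1" 2>/dev/null | awk 'NR == 2 { print int($4 / 1024) }'
}

# check_disk_space <required_mb> <path>...: every path needs that much free.
check_disk_space() {
    need_mb=$1; shift; rc=0
    for path in "$@"; do
        have=$(avail_mb "$path")
        if [ -z "$have" ] || [ "$have" -lt "$need_mb" ]; then
            echo "FAIL: $path has ${have:-unknown} MB free, need $need_mb"; rc=1
        else
            echo "OK: $path has $have MB free"
        fi
    done
    return "$rc"
}

# Usage: sh cg_preflight.sh <installer_dir> <required_mb>
if [ "$#" -eq 2 ]; then
    status=0
    check_expect_rpm || status=1
    check_installer_dir "$1" || status=1
    check_disk_space "$2" / /var/opt /opt || status=1
    exit "$status"
fi
```

The directory check resolves symbolic links first, so a link that points into /root is rejected as well.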

13.2.2 Upgrading the Operating System

If the Change Guardian server is running a version of an operating system that is not certified, some features might not function as expected. Upgrade to a supported operating system for a seamless experience.

To upgrade the operating system:

  1. Log in as root to the machine running Change Guardian.

  2. Stop the Change Guardian services:

    /opt/netiq/cg/scripts/cg_services.sh stop

  3. (Conditional) If Change Guardian was in FIPS mode before the operating system upgrade, upgrade the NSS database:

    certutil -K -d sql:/etc/opt/novell/sentinel/3rdparty/nss -X

    Follow the on-screen instructions to upgrade the NSS database.

    Give full permissions to the novell user for the following files in the /etc/opt/novell/sentinel/3rdparty/nss directory:

    cert9.db
    key4.db
    pkcs11.txt

  4. Upgrade the operating system.

  5. (Conditional) If you use Mozilla Network Security Services (NSS) 3.29 or later, install the two dependent RPM files:

    • libfreebl3-hmac

    • libsoftokn3-hmac

  6. (Conditional) For RHEL 7.x, check whether there are any errors in the RPM database:

    rpm -qa --dbpath <install_location>/rpm | grep novell

    Example: # rpm -qa --dbpath /custom/rpm | grep novell

    • If there are any errors, fix the errors:

      rpm --rebuilddb --dbpath <install_location>/rpm

      For example: # rpm --rebuilddb --dbpath /custom/rpm

    • Recheck that there are no errors:

      rpm -qa --dbpath <install_location>/rpm | grep novell

NOTE: If the base operating system version changes, see Upgrading Python.
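
For the FIPS step of the procedure above, the result of the NSS database upgrade can be verified before restarting services. The following is an added example, not product tooling: check_nss_files is a hypothetical helper, and it assumes "full permissions" means the files are owned by the novell account with owner read and write access.

```shell
#!/bin/sh
# Added example: verify the NSS database files after the certutil upgrade.
# check_nss_files and its arguments are assumptions, not product tooling.
# "Full permissions" is read here as: owned by the account, owner read+write.

# check_nss_files <nss_dir> <numeric_uid>
check_nss_files() {
    dir=$1; want_uid=$2; rc=0
    for f in cert9.db key4.db pkcs11.txt; do
        p="$dir/$f"
        if [ ! -f "$p" ]; then
            echo "FAIL: $p is missing"; rc=1; continue
        fi
        # -prune keeps find on this one file; -perm -600 requires owner rw.
        if [ -z "$(find "$p" -prune -user "$want_uid" -perm -600)" ]; then
            echo "FAIL: $p is not owned by uid $want_uid with owner rw"; rc=1
        fi
        # key4.db holds private keys, so report access granted to "other"
        # on any of the three files (warning only, does not change the result).
        if [ -n "$(find "$p" -prune \( -perm -004 -o -perm -002 \))" ]; then
            echo "WARN: $p is readable or writable by other users"
        fi
    done
    return "$rc"
}

# Usage: sh check_nss.sh /etc/opt/novell/sentinel/3rdparty/nss
if [ "$#" -ge 1 ]; then
    check_nss_files "$1" "$(id -u novell)"
fi
```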