Upgrading ESA with DSGs and 9.1.0.0 Protectors

This section describes steps to upgrade ESAs and DSGs with running 9.1.0.0 protectors in backward compatibility mode.

Important Notes

  1. The steps in this section ensure zero downtime of 9.1.0.0 Protectors during the ESA upgrade.

  2. There will be downtime of DSGs during the upgrade. However, the downtime can be minimized by spawning fresh DSGs of version 3.3.0.0 in parallel with upgrading the ESAs.

Important Points for ESA Upgrade

Ensure that the following important points are adhered to:

  1. Freeze Policy and Ruleset Changes

    Before upgrading the ESA, ensure all policy and ruleset changes are frozen.

    No changes to the policies and rulesets should be made until the completion of the ESA upgrade.

  2. Freeze Configurations in ESA

    Prior to upgrading the ESA, freeze all configurations within the ESA. Ensure no configuration changes are made to any components in any of the ESAs until the upgrade is complete.

    If DSGs are being used, then upgrade the DSGs first. Following that, proceed with upgrading the ESAs. Refer to the section Upgrading DSG for steps and recommendations related to upgrading DSGs.

    This section elaborates on the upgrade and configuration process for ESAs as per the Deployment with Default Audit logging flow to ESA Architecture diagram. For more information about upgrading ESA, refer to Upgrading ESA to v10.

    Important: ESA v10 supports only protectors with PEP server version 1.2.2+42 or later. Hence, before proceeding with the ESA upgrade, check the installed protector version. A protector version below 1.2.2+42 causes the ESA upgrade to fail, so remove any such registered protectors from the Policy Dashboard. For instructions on identifying the installed protector version, refer to Identifying the protector version.
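    The following script is an added example, not part of the product documentation, showing one way to gate the upgrade on the 1.2.2+42 minimum. It assumes versions have the form MAJOR.MINOR.PATCH+BUILD with every field compared numerically, and that an inventory of "NODE VERSION" lines has already been collected; the inventory format, node names and function names are hypothetical.

```shell
#!/bin/sh
# Added example: flag protectors below the minimum PEP server version.
MIN_PEP_VERSION="1.2.2+42"   # minimum supported by ESA v10 (from the page)

# Assumed format MAJOR.MINOR.PATCH[+BUILD]; prints "MAJOR MINOR PATCH BUILD".
# A missing +BUILD is treated as build 0. Returns 1 on any other format.
normalize() {
  printf '%s\n' "$1" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+(\+[0-9]+)?$' || return 1
  case "$1" in *+*) v=$1 ;; *) v="$1+0" ;; esac
  printf '%s\n' "$v" | tr '.+' '  '
}

# Returns 0 if $1 >= $2, 1 if $1 < $2, 2 if either version is unparseable.
# Fields are compared as integers, so 1.10.0 sorts above 1.2.2.
version_at_least() {
  a=$(normalize "$1") || return 2
  b=$(normalize "$2") || return 2
  set -- $a $b               # $1..$4 = candidate, $5..$8 = minimum
  if [ "$1" -ne "$5" ]; then [ "$1" -gt "$5" ]; return; fi
  if [ "$2" -ne "$6" ]; then [ "$2" -gt "$6" ]; return; fi
  if [ "$3" -ne "$7" ]; then [ "$3" -gt "$7" ]; return; fi
  [ "$4" -ge "$8" ]
}

# Reads "NODE VERSION" lines on stdin (hypothetical inventory format) and
# prints every node that would block the ESA upgrade, with the reason.
blocking_protectors() {
  while read -r node ver; do
    [ -n "$node" ] || continue
    rc=0; version_at_least "$ver" "$MIN_PEP_VERSION" || rc=$?
    case $rc in
      0) ;;
      1) echo "$node $ver below-minimum" ;;
      *) echo "$node $ver unparseable" ;;
    esac
  done
}

# Constructed sample inventory; node names and versions are made up.
sample_inventory() {
  cat <<'EOF'
app-node-01 1.2.2+42
app-node-02 1.2.2+41
app-node-03 1.3.0+5
app-node-04 1.2.1+99
app-node-05 1.2.2
app-node-06 unknown
EOF
}

sample_inventory | blocking_protectors
```

    An empty result means no registered protector blocks the upgrade; unparseable entries are reported rather than silently passed.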

Perform the following steps to upgrade ESAs and DSGs with running 9.1.0.0 protectors in backward compatibility mode.

1. Pre-Upgrade Steps

  1. Back up all ESAs.

    • On-Premise: Perform a full OS backup of all ESAs at both sites.

    • Cloud Premises: Take snapshots of each instance to ensure a restore point is available should any issues arise during the upgrade process.

    Refer to the section Backup the appliance OS for on-premise ESAs and the section 9.1.3 Backing Up on Cloud Platforms.

  2. Delete TAC replication job from Primary ESA P1.

    Follow the steps below to remove the TAC replication scheduled task:

    1. On the Primary ESA P1’s Web UI, navigate to System > Task Scheduler.
    2. Click on the TAC replication scheduled task.
    3. Click Remove.
    4. Click the Apply button to apply the changes.

2. Upgrading the ESAs in DR Site

  1. Remove all the ESAs at the DR site from the TAC. All the ESAs at the DR site must be removed from the TAC before they are upgraded.

  2. Upgrade ESAs at the DR Site sequentially. Commence the upgrade with the ESAs located at the DR site. Follow the sequence below:

    1. Upgrade ESA S3.
    2. Upgrade ESA S4.
    3. Upgrade ESA S5.

    Refer to the following documentation sections:

    • Prerequisites, to understand the prerequisites.

    • Upgrade Paths to ESA v10.1.0, to understand the upgrade paths to ESA v10.1.0.

    • Upgrading from v9.2.0.1, for steps to upgrade from ESA v9.2.0.1 to ESA v10.1.0.

    • Upgrading from v10.0.1, for steps to upgrade from ESA v10.0.1 to v10.1.0.

    • Post Upgrade, for steps to perform after the ESA upgrade.

  3. Ensure each ESA is fully upgraded before proceeding to the next ESA.

3. Post Upgrade Validation of ESAs in DR Site

  • Conduct a thorough validation of the upgraded ESAs at the DR site to confirm operational integrity and successful upgrade.

  • Perform the following validations in all the ESAs:

    1. Log in to ESA Web UI.
    2. Check for correctness of the version under About.
    3. Navigate to Key Management > Key Stores in ESA Web UI and ensure that External Keystore configurations are intact.
    4. Navigate to Settings > Users and check that External Groups settings are intact.
    5. Navigate to Audit Store > Cluster Management and check that ESA S3, ESA S4 and ESA S5 are visible under the Nodes tab and that Cluster Status is shown as GREEN.

4. Pre-Upgrade Steps for DSG

  1. Remove existing DSGs from TAC. All the DSGs must be removed from the TAC before proceeding with further upgrade steps.

  2. As mentioned at the start of this section, DSG downtime is expected. Hence, at this step, stop all the existing DSGs.

5. Redirect Protector Traffic to DR Site

  1. Redirect GTM to LTM2. Adjust configurations to redirect the GTM so that it points to LTM2. This ensures that protectors communicate with the upgraded ESAs at the DR site.

    Important: At this stage, do not add any new protectors. The validations in the steps below must be performed using the existing protectors.

6. Validate working of 9.1.0.0 Protectors

  1. Check the 9.1.0.0 protector status in Policy Management Dashboard.

    1. Log in to ESA S3 Web UI.
    2. Navigate to Policy Management in ESA S3 Web UI and check if Datastores shows all the protector registrations as GREEN or “Ok” and Policy Deploy Status as GREEN or “Ok”.

    Important: This step is applicable only for 9.1.0.0 Protectors.

  2. Validate 9.1.0.0 Protector Operations.

  3. Confirm that protectors can perform data security operations post-upgrade of the ESAs.

  4. Verify that audit events are being forwarded successfully to the ESAs.

    Important: This step is applicable only for 9.1 Protectors.

7. Upgrading the ESAs in Primary Site

  1. Remove all the ESAs at the Primary site from the TAC before upgrading them.

  2. Upgrade ESAs at the Primary Site sequentially.

  3. Follow the below sequence for upgrading all the ESAs in the primary site:

    1. Upgrade ESA P1
    2. Upgrade ESA S1
    3. Upgrade ESA S2

    Refer to the following documentation sections:

    • Prerequisites, to understand the prerequisites.

    • Upgrade Paths to ESA v10.1.0, to understand the upgrade paths to ESA v10.1.0.

    • Upgrading from v9.2.0.1, for steps to upgrade from ESA v9.2.0.1 to ESA v10.1.0.

    • Upgrading from v10.0.1, for steps to upgrade from ESA v10.0.1 to v10.1.0.

    • Post Upgrade, for steps to perform after the ESA upgrade.

  4. Ensure each ESA is fully upgraded before proceeding to the next ESA.

8. Post Upgrade Validation of ESAs in Primary Site

  1. Validate Primary Site ESAs Post Upgrade.

  2. Conduct thorough validation of the upgraded ESAs at the primary site to confirm operational integrity and successful upgrade.

  3. Perform the following validations in all the ESAs.

    1. Log in to ESA Web UI.
    2. Navigate to Key Management > Key Stores in ESA Web UI and ensure that External Keystore configurations are intact.
    3. Navigate to Settings > Users and check that External Groups settings are intact.
    4. Navigate to Audit Store > Cluster Management and check that ESA P1, ESA S1 and ESA S2 are visible under the Nodes tab and that Cluster Status is shown as GREEN.

9. Installing and Configuring the DSGs

  1. Create fresh DSGs of version 3.3.0.0. Perform this step in parallel with the step Validate working of 9.1.0.0 Protectors to minimize the DSG downtime. Create DSGs v3.3.0.0 using the ISO or cloud image as applicable. For more information about installing DSG 3.3.0.0, refer to the documentation section Installing the DSG.

  2. Create a new TAC with the installed DSGs. Starting with DSG v3.3.0.0, ESAs and DSGs should be in separate TACs. Hence, create a new TAC with the DSGs created in the above step.

  3. Upload and install DSG Management Server Certificates in each of the DSGs individually. Ensure the SAN field in each certificate has the hostname and FQDN of the DSG node on which it is going to be installed.
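  The SAN requirement in step 3 can be checked before a certificate is uploaded. The script below is an added example, not part of the product documentation; the function names, the node name dsg01 and the sample output are constructed, and it assumes OpenSSL 1.1.1 or later for the -ext option.

```shell
#!/bin/sh
# Added example: confirm a certificate's SAN lists both the short hostname
# and the FQDN of the DSG node it will be installed on.

# $1 = text printed by: openssl x509 -in CERT -noout -ext subjectAltName
# $2.. = names that must each appear as an exact DNS entry (case-insensitive).
# Exact match only: a wildcard entry or a longer name does not satisfy it.
san_has_names() {
  san_text=$1; shift
  dns_names=$(printf '%s\n' "$san_text" | tr ',' '\n' |
    sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*$/\1/p' | tr 'A-Z' 'a-z')
  missing=""
  for want in "$@"; do
    want_lc=$(printf '%s' "$want" | tr 'A-Z' 'a-z')
    printf '%s\n' "$dns_names" | grep -Fxq -- "$want_lc" ||
      missing="$missing $want"
  done
  [ -z "$missing" ] || { echo "missing from SAN:$missing"; return 1; }
}

# $1 = PEM certificate path, $2 = node hostname, $3 = node FQDN.
# Returns 2 if the certificate cannot be read, 1 if a name is missing.
check_dsg_cert() {
  san=$(openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null) || {
    echo "cannot read SAN from $1"; return 2; }
  san_has_names "$san" "$2" "$3"
}

# Constructed openssl output for a hypothetical node named dsg01.
sample_san() {
  printf '%s\n' 'X509v3 Subject Alternative Name: ' \
    '    DNS:dsg01, DNS:DSG01.corp.example.com, IP Address:192.0.2.10'
}

san_has_names "$(sample_san)" dsg01 dsg01.corp.example.com && echo "SAN ok"
```

  Run check_dsg_cert once per DSG with that node's own hostname and FQDN, since each certificate must name the node it is installed on.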

10. Redirect Protector Traffic to Primary Site

Redirect GTM to LTM1. Reconfigure the GTM to point back to LTM1, allowing protectors to resume communication with the ESAs at the primary site.

11. Managing Node Connectivity Status

  1. At this point, the Nodes Connectivity Status of some or all the nodes is shown as red (Error) or yellow (Warning) under Policy Management > Data Stores in ESA P1 Web UI.

    Important: This step is applicable only for 9.1.0.0 Protectors.

  2. Perform the following steps to reset the node status to green (OK).

    1. Log in to ESA P1 Web UI.
    2. Navigate to Policy Management > Data Stores.
    3. Select the nodes showing status as red (Error) or yellow (Warning) and click the delete button to remove the entries.

    Important: If there are many pepserver nodes registered, delete the nodes in batches of 200.

    After the registered nodes are deleted as described above, the pepserver nodes re-register with the ESA and their status changes to green (OK).

    Important: This step is applicable only for 9.1.0.0 Protectors.

12. Validate 9.1.0.0 Protector Operations

  1. Confirm that protectors can perform data security operations post-upgrade of the ESAs.

  2. Verify that audit events are being forwarded successfully to the ESAs.

    Important: This step is applicable only for 9.1.0.0 Protectors.

13. Creating TAC of all ESAs in Primary and DR sites

Form a TAC including all the ESAs in the Primary site, that is, ESA P1, ESA S1, and ESA S2, and all the ESAs in the DR site, that is, ESA S3, ESA S4 and ESA S5.

14. Perform ESA Communication

Perform ESA communication from all the DSGs. For all the options in ESA communication except for Update host settings for DSG, provide the GTM IP, hostname or FQDN as applicable. For more information about performing set ESA communication, refer to Setting up ESA communication.

14.1 Update Host Settings for DSG

For Update host settings for DSG in ESA communication, provide Primary ESA P1’s FQDN or hostname as applicable. For more information about performing set ESA communication, refer to the documentation section Setting up ESA communication.

15. Install DSG Patch on all the ESAs in the Primary and DR site

Install DSG 3.3.0.0 patch on all ESAs in the Primary and DR site, that is, ESA P1, S1, S2, S3, S4, S5.

15.1 Provide DSG Details During Patch Installation

When prompted for DSG details during patch installation, provide the FQDN or hostname of any running DSG in the TAC. Ensure the same DSG FQDN or hostname is provided during DSG patch installation in all other ESAs.

16. Perform Post Installation Steps in All ESAs in the Primary and DR site

For information about performing post installation steps in all the ESAs, refer to the documentation section Post installation/upgrade steps.

17. Check DSG’s Cluster Page in ESA

Check if all the DSGs installed are listed under Cloud Gateway > Cluster page in ESA.

18. Deploy Rulesets

Click the Deploy button from the DSG Cluster page in ESA P1 to deploy rulesets in all the DSGs present in the TAC. For more information related to deploying rulesets, refer to the documentation section Deploying configurations to the cluster.

19. Check Health Status of DSGs from Cluster Page

After the deployment of rulesets is successful, check the health status of DSGs in TAC from the DSG’s Cluster page in ESA P1. All the DSGs should show health status as green.

20. Check DSG nodes status in Policy Management Dashboard

  1. Log in to ESA P1 Web UI.

  2. Navigate to Policy Management in ESA P1 Web UI and check if Datastores shows all the DSG nodes registrations as GREEN or Ok and Policy Deploy Status as GREEN or Ok.

21. Validate DSG Protector Operations

  1. Confirm that DSGs can perform data security operations post-upgrade of the ESAs.

  2. Verify that audit events are being forwarded successfully to the ESAs.

  3. Create Scheduler tasks in Primary site ESAs. Create all the scheduler tasks in Primary site ESAs as mentioned in section Scheduler Tasks.

22. Terminate the older version DSGs

After the DSGs are successfully upgraded and confirmed to be working with step 1 in Managing Node Connectivity Status, terminate all the older version DSGs that were stopped at step 2 in Pre-Upgrade Steps for DSG to free up resources.

23. Migrate Audit logs from DR site ESAs to Primary site ESAs.

  1. When the traffic from protectors was redirected to the DR site ESAs as part of step 6 above, audit logs were generated in those ESAs. Those audit logs need to be migrated to the Primary site ESAs.

    Before proceeding with executing the steps, take a note of the following:

    a. The time in hours/days that the protectors were pointed to DR site ESAs.

    b. The indexes that were created under Audit Store > Cluster Management page’s Indices tab for the time frame noted at step a.

    c. The ILM exported indexes that were created under the directory /opt/protegrity/insight/archive in each of the ESAs in DR site for the time frame noted at step a.

  2. Perform the following steps to migrate the audit logs:

    1. Log in to the web UI of ESA S3 in the DR site.

    2. Perform ILM Export of all the indexes noted at step b above. For more information about performing ILM Export, refer to the documentation section Exporting logs.

    3. Log in to OS console of ESA S3. Navigate to the directory /opt/protegrity/insight/archive.

    4. Copy all the exported index files generated by ILM Export operation at step 2 and transfer to ESA S2 in primary site under directory /opt/protegrity/insight/archive.

    5. Additionally, log in to all the ESAs containing ILM exported index files noted at step c above and copy them to ESA S2 under directory /opt/protegrity/insight/archive.

    6. Finally, perform ILM Import of all the index files copied from ESAs in DR site as per steps 4 and 5. For more information related to ILM Import, refer to Importing logs.

Additional Considerations

  • Documentation: Maintain detailed records of the upgrade procedure for future reference.

  • Troubleshooting: Have contingency plans in place to address potential issues arising during the upgrade.

  • Support: Utilize Protegrity support services for guidance or troubleshooting assistance as needed.

By following these structured steps, the upgrade and configuration of ESAs will be executed effectively, ensuring minimal downtime, and maintaining system integrity.


Last modified : October 30, 2025