Upgrading ESA with 9.1.0.0 Protectors
This section describes the steps to upgrade ESAs that already have 9.1.0.0 protectors installed. It does not cover environments where DSGs are installed.
To ensure compatibility and leverage new features, security fixes and enhancements, it is necessary to upgrade the ESA to the latest version. This section outlines the required steps for upgrading from a previous version, applicable to both on-premise and cloud platforms.
If DSGs are installed along with other 9.1.0.0 protectors, refer to Upgrading ESA with DSGs and 9.1.0.0 Protectors.
If only DSGs are installed and no other 9.1.0.0 protectors are installed, refer to Upgrading DSG.
Important: The steps in this section ensure zero downtime of the 9.1.0.0 Protectors during the ESA upgrade.
Important Points for ESA Upgrade
Ensure that the following important points are adhered to.
Freeze Policy and Ruleset Changes
Before upgrading the ESA, ensure all policy and ruleset changes are frozen.
No changes to the policies and rulesets should be made until the completion of the ESA upgrade.
Freeze Configurations in ESA
Prior to upgrading the ESA, freeze all configurations within the ESA. Ensure no configuration changes are made to any components in any of the ESAs until the upgrade is complete.
If DSGs are being used, upgrade the DSGs first, and then proceed with upgrading the ESAs.
Refer to the section Upgrading DSG for the steps and recommendations related to upgrading DSGs.
This section elaborates on the upgrade and configuration process for ESAs as per the Deployment with Default Audit logging flow to ESA Architecture diagram.
For more information about upgrading the ESA, refer to Upgrading ESA to v10.
Important: ESA v10 supports only protectors with PEP server version 1.2.2+42 or later. Before proceeding with the ESA upgrade, check the installed protector version. A protector version below 1.2.2+42 causes the ESA upgrade to fail; in that case, remove the registered protectors from the Policy Dashboard.
For instructions on identifying the installed protector version, refer to Identifying the protector version.
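The version requirement above can be checked against a protector inventory before the upgrade window opens. The following is an added example, not Protegrity code: it assumes PEP server versions follow the major.minor.patch+build form of 1.2.2+42 and compare numerically field by field, and the node names and inventory are constructed.

```python
import re

# Minimum PEP server version supported by ESA v10, as stated on this page.
MIN_SUPPORTED = "1.2.2+42"

# Assumed format: major.minor.patch+build, all numeric.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\+(\d+)$")


def parse_pep_version(text):
    """Return (major, minor, patch, build) as ints, or None if malformed."""
    m = _VERSION_RE.match(text.strip())
    return tuple(int(g) for g in m.groups()) if m else None


def unsupported_protectors(inventory, minimum=MIN_SUPPORTED):
    """Return [(node, version, reason)] for nodes that would block the upgrade.

    Unparseable versions are reported rather than skipped, so an unknown
    protector is never silently treated as compatible.
    """
    floor = parse_pep_version(minimum)
    blocked = []
    for node, version in inventory:
        parsed = parse_pep_version(version)
        if parsed is None:
            blocked.append((node, version, "unparseable version"))
        elif parsed < floor:  # numeric tuple comparison, build number last
            blocked.append((node, version, "below " + minimum))
    return blocked


# Constructed sample inventory (hypothetical node names and versions).
SAMPLE_INVENTORY = [
    ("app-node-01", "1.2.2+42"),   # exactly the minimum: supported
    ("app-node-02", "1.2.2+41"),   # same release, older build: blocked
    ("app-node-03", "1.2.10+3"),   # 1.2.10 is newer than 1.2.2: supported
    ("app-node-04", "1.1.9+120"),  # older release, high build: blocked
    ("app-node-05", "unknown"),    # cannot be verified: blocked
]

if __name__ == "__main__":
    for node, version, reason in unsupported_protectors(SAMPLE_INVENTORY):
        print(f"{node}: {version} ({reason})")
```

A plain string comparison would wrongly rank 1.2.10+3 below 1.2.2+42, which is why the fields are compared as integers.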
Upgrade Steps
- Back up all ESAs.
On-Premise: Perform a full OS backup of all ESAs at both sites.
Cloud Premises: Take snapshots of each instance to ensure a restore point is available should any issues arise during the upgrade process.
For on-premise, refer to Backup the appliance OS.
For AWS, refer to Backing up and Restoring Data on AWS.
For GCP, refer to Backing up and Restoring Data on GCP.
For Azure, refer to Backing up and Restoring VMs on Azure.
Delete the TAC replication job from Primary ESA P1.
To disable the TAC replication scheduled task, follow these steps:
- On the Primary ESA P1’s Web UI, navigate to System > Task Scheduler.
- Click the TAC replication scheduled task.
- Click Remove.
- Click the Apply button to apply the changes.
Ensure all the prerequisites are met before proceeding with the upgrade of each ESA.
For more information about the prerequisites, refer to Prerequisites.
Remove all the ESAs at the DR site from the TAC. This is required before proceeding with upgrading them.
Upgrade ESAs at the DR Site sequentially. Begin the upgrade with the ESAs located at the DR site. Follow the sequence below.
Upgrade ESA S3.
Upgrade ESA S4.
Upgrade ESA S5.
For more information, refer to the following:
Prerequisites, to understand the prerequisites.
Upgrade Paths to ESA v10.1.0, to understand the upgrade paths to ESA v10.1.0.
Upgrading from v9.2.0.1, for the steps to upgrade from ESA v9.2.0.1 to ESA v10.1.0.
Upgrading from v10.0.1, for the steps to upgrade from ESA v10.0.1 to v10.1.0.
Post Upgrade steps, for the steps to perform after upgrading the ESA.
Ensure each ESA is fully upgraded before proceeding to the next ESA.
Validate DR Site ESAs Post Upgrade.
Conduct a thorough validation of the upgraded ESAs at the DR site to confirm operational integrity and successful upgrade.
Perform the following validations on all the ESAs:
Log in to ESA Web UI.
Check for correctness of the version under About.
Navigate to Key Management > Key Stores in ESA Web UI and ensure that External Keystore configurations are intact.
Navigate to Settings > Users and check that External Groups settings are intact.
Navigate to Audit Store > Cluster Management and check that ESA S3, ESA S4 and ESA S5 are visible under the Nodes tab and that the Cluster Status is GREEN.
- Redirect GTM to LTM2. Adjust configurations to redirect the GTM so that it points to LTM2. This ensures that protectors communicate with the upgraded ESAs at the DR site.
Important: At this stage, do not add any new protectors. The validations in the steps below must be performed using the existing protectors.
Check the status of the 9.1.0.0 protectors in the Policy Management Dashboard.
- Log in to ESA S3 Web UI.
- Navigate to Policy Management in ESA S3 Web UI and check if Datastores shows all the protector registrations as GREEN or Ok and Policy Deploy Status as GREEN or Ok.
Validate Protector Operations.
Confirm that protectors can perform data security operations after upgrading the ESAs.
Verify that audit events are being forwarded successfully to the ESAs.
Remove all the ESAs at the Primary site from the TAC. This is required before proceeding with upgrading them.
Upgrade ESAs at the Primary Site sequentially.
a. Follow the sequence below to upgrade all the ESAs at the primary site:
- Upgrade ESA P1.
- Upgrade ESA S1.
- Upgrade ESA S2.
b. Ensure each ESA is fully upgraded before proceeding to the next ESA.
For more information, refer to the following:
Prerequisites, to understand the prerequisites.
Upgrade Paths to ESA v10.1.0, to understand the upgrade paths to ESA v10.1.0.
Upgrading from v9.2.0.1, for the steps to upgrade from ESA v9.2.0.1 to ESA v10.1.0.
Upgrading from v10.0.1, for the steps to upgrade from ESA v10.0.1 to v10.1.0.
Post Upgrade steps, for the steps to perform after upgrading the ESA.
Validate Primary Site ESAs post upgrade.
a. Conduct thorough validation of the upgraded ESAs at the primary site to confirm operational integrity and successful upgrade.
b. Perform the following validations on all the ESAs.
Log in to ESA Web UI.
Navigate to Key Management > Key Stores in ESA Web UI and ensure that External Keystore configurations are intact.
Navigate to Settings > Users and check that External Groups settings are intact.
Navigate to Audit Store > Cluster Management and check that ESA P1, ESA S1 and ESA S2 are visible under the Nodes tab and that the Cluster Status is GREEN.
Redirect GTM to LTM1. Reconfigure the GTM to point back to LTM1, allowing protectors to resume communication with the ESAs at the primary site.
At this point, the Nodes Connectivity Status of some or all of the nodes is shown as red (Error) or yellow (Warning) under Policy Management > Data Stores in the ESA P1 Web UI.
Perform the following steps to reset the node status to green (OK):
Log in to ESA P1 Web UI.
Navigate to Policy Management > Data Stores.
Select the nodes showing a status of red (Error) or yellow (Warning) and click the delete button to remove the entries.
Important: If there are many pepserver nodes registered, delete the nodes in batches of 200.
After the registered nodes are deleted as described above, the pepserver nodes re-register with the ESA and their status becomes green (OK).
Validate Protector Operations.
Confirm that protectors can perform data security operations after upgrading the ESAs.
Verify that audit events are being forwarded successfully to the ESAs.
Form a TAC including all the ESAs in both the Primary and DR sites. The TAC must include all the ESAs in the Primary site, that is, ESA P1, ESA S1, and ESA S2, and all the ESAs in the DR site, that is, ESA S3, ESA S4 and ESA S5.
Create Scheduler tasks in Primary site ESAs. Create all the scheduler tasks in the Primary site ESAs as mentioned in the section Scheduler Tasks.
Migrate Audit logs from DR site ESAs to Primary site ESAs. While the traffic from protectors was redirected to the DR site ESAs as part of step 8 above, audit logs were generated on those ESAs. Those audit logs need to be migrated to the Primary site ESAs.
Before executing the steps, note the following:
Note the time, in hours or days, that the protectors were pointed to the DR site ESAs.
Note the indexes that were created under the Indices tab of the Audit Store > Cluster Management page for the time frame noted in the step above.
Note the ILM exported indexes that were created under the directory /opt/protegrity/insight/archive on each of the ESAs in the DR site for the time frame noted in step 1 above.
To migrate Audit logs from DR site ESAs to Primary site ESAs, perform the following steps:
Log in to the web UI of ESA S3 in the DR site.
Perform an ILM Export of all the indexes noted at step b above.
For more information about performing an ILM Export, refer to Exporting logs.
Log in to the OS console of ESA S3. Navigate to the directory /opt/protegrity/insight/archive.
Copy all the exported index files generated by the ILM Export operation at step 2 and transfer them to ESA S2 in the primary site under the directory /opt/protegrity/insight/archive.
Additionally, log in to all the ESAs containing the ILM exported index files noted at step 3 above and copy them to ESA S2 under the directory /opt/protegrity/insight/archive.
Finally, perform an ILM Import of all the index files copied from the ESAs in the DR site as per step 4 and step 5.
For more information related to ILM Import, refer to Importing logs.
Additional Considerations
Documentation: Maintain detailed records of the upgrade procedure for future reference.
Troubleshooting: Have contingency plans in place to address potential issues arising during the upgrade.
Support: Utilize Protegrity support services for guidance or troubleshooting assistance as needed.
By following these structured steps, the upgrade and configuration of ESAs will be executed effectively, ensuring minimal downtime, and maintaining system integrity.