This is the multi-page printable view of this section. Click here to print.

Return to the regular view of this page.

Setting Up the Upgrade Agent

Configurations required to set up the Upgrade Agent.

1: Upgrade Configurations
2: Rollback Behavior
3: Protegrity SDK Upgrade Permissions and Deployment

3.1: User Roles and Groups
3.2: Component Overview
3.3: Recommended File and Folder Permissions

This section explains how users should interact with the Upgrade Agent for performing upgrades and rollback operations for AP Java protectors.

AP Java Upgrade allows you to upgrade the AP Java SDK, RP Agent, and Log Forwarder without stopping your applications.

Note: For both online and offline upgrade, you should not pass the path of the extracted local .tgz build file. The Upgrade agent must extract the .tgz file to generate the signatures/ directory.

Before performing an online or offline upgrade or rollback, review the following important considerations and limitations.

Scalability and Performance Considerations

With a policy size of approximately 5MB, upgrade and rollback operations are validated safely for up to 70 concurrent processes on the tested machine configuration.

Supported Deployment

Ensure that only one RPA and one Log Forwarder are installed on the system.
Upgrading multiple RPAs on the same host is not supported.
Upgrading or rolling back only one version of AP Java at a time is allowed on the same host.

Log Forwarder Upgrade Behavior and Requirements

The Upgrade Agent does not perform fresh installations of the Log Forwarder. The Log Forwarder must already be installed for the agent to upgrade it.
To skip the Log Forwarder upgrade when it is not required or not installed, set the isFluentBit parameter to no in the sdkupgrd.conf file.
If isFluentBit is set to yes in sdkupgrd.conf, you must also configure the Log Forwarder endpoint in the sdkupgrd.conf file.
When Log Forwarder mode is set to error, upgrading renames the Log Forwarder directory from logforwarder to logforwarder_<new_version>.

Port Requirements for Error Mode

If mode=error is enabled in config.ini, ensure that ports 15780 and 15781 are open.
The Upgrade Agent uses port 15781 to run the new Log Forwarder during upgrade.
Although port 15780 is released after an upgrade, it is required again if an online rollback is initiated.

Backup and Rollback Limitations

Backup is maintained only for the most recent upgrade.
Rollback is supported only for that most recent upgrade.

Online vs Offline Upgrade and Rollback Rules

During upgrade or rollback, multiple AP Java installations on a node must be in a consistent state. All processes must be either running or stopped. Mixed process states are not supported.
Offline upgrade and offline rollback requires all AP Java processes to be stopped, while online upgrade and online rollback requires at least one AP Java process to be running.

DevOps Flow Limitations

When using the DevOps flow, only offline upgrade and rollback are supported.
Online upgrade is not supported with the DevOps flow.
To enable the DevOps flow, set the devops parameter to yes in the sdkupgrd.conf file.

Upgrade and Hot Reload Logging

A hot upgrade or reload refers to replacing AP Java JAR and PLM files while the AP Java process is running, without restarting the service.

Protector hot-reload logs are created by the protector and stored under /opt/protegrity/upgrader/logs/<protector_version>/. Protector upgrade logs are not sent to Protegrity Insights.
Upgrade Agent logs are created under /opt/protegrity/upgrader/logs/Agent/. When Fluent Bit is enabled, Upgrade Agent logs are removed after being successfully pushed to Protegrity Insights.

Viewing Upgrade Agent Audit Logs

Upgrade and rollback audit logs generated by the Upgrade Agent are available in Protegrity Insights.

To locate Upgrade Agent logs:

Index:

pty_insight_analytics*troubleshooting_*

Filter:

process.name: sdkupgrd

Use this filter to view audit and troubleshooting logs related specifically to Upgrade Agent execution, including upgrade and rollback activities.

Note: Upgrade is not supported if Log Forwarder contains custom configurations for forwarding audit logs to an external SIEM.

1 - Upgrade Configurations

Settings required to perform upgrades for AP Java.

View the Agent Help

Generic Agent Help

Before running any upgrade or rollback operation, run the agent help using the following command.

/opt/protegrity/upgrader/bin/sdkupgrd -h

/opt/protegrity/upgrader/bin/sdkupgrd --help  
/opt/protegrity/upgrader/bin/sdkupgrd -help

This command displays all supported parameters and usage instructions.

The following help parameters are listed.

SDK Upgrader Agent Version: 1.0.0+5.g0493

Usage:
 ./sdkupgrd upgrade [--conf <path>] [--esa-user <user>] [--esa-password <pass>]
 ./sdkupgrd rollback
 ./sdkupgrd version | -v | --version
 ./sdkupgrd -h | --help | -help

Commands:
 upgrade                Upgrade agent and protectors to a new version
 rollback               Rollback agent and protectors to a previous version
 version                Display agent version information

Configuration:
 All parameters are read from data/sdkupgrd.conf
 Use --conf <path> to specify a custom conf file path

ESA Credentials (security):
 ESA username and password are NOT stored in the conf file.
 Provide via --esa-user / --esa-password arguments,
 or they will be prompted interactively (password is hidden).

For detailed help on a specific command:
 ./sdkupgrd upgrade -h
 ./sdkupgrd rollback -h

Agent Upgrade Help

Run the agent upgrade help using the following command.

/opt/protegrity/upgrader/bin/sdkupgrd upgrade -h

The following help parameters are listed.

SDK Upgrader Agent Version: 1.0.0+5.g0493

Usage:
 ./sdkupgrd upgrade [--conf <path>] [--esa-user <user>] [--esa-password <pass>]

Description:
 Upgrades the agent, RPAgent, LogForwarder, and protectors to a new version.
 Supports both online (ESA-connected) and offline upgrade modes.

Configuration keys (read from data/sdkupgrd.conf or --conf <path>):

  Key                     Description                                      Default
  ----------------------  -----------------------------------------------  --------------------------------
  location-of-build       URL or local path to the build file (REQUIRED)   -
  offline                 Enable offline upgrade mode (yes/no)              no
  rpagent-path            Path to RPAgent installation                     /opt/protegrity/rpagent
  logforwarder-path       Path to LogForwarder installation                /opt/protegrity/logforwarder
  endpoints               LogForwarder endpoints (comma-separated)         -
  protector-paths         Protector paths (comma-separated)                /opt/protegrity/sdk/java
  devops                  Enable DevOps mode / skip RPAgent (yes/no)       no
  isFluentBit             Enable LogForwarder upgrade (yes/no)              yes
  insecure                RPAgent insecure mode (yes/no)                   no
  esa-host                ESA server hostname or IP address                -
  esa-port                ESA server port                                 25400
  new-logforwarder-path   New logforwarder path (error mode)               /opt/protegrity/logforwarder_{version}
  stdout                  Print logs to console (yes/no)                   no
  debug                   Enable debug logging (yes/no)                    no

ESA Credentials (NOT stored in conf file for security):

  ESA username and password must be provided via CLI arguments or interactive prompt.
  They are never read from the conf file to prevent credential exposure.
  Password input is always masked/hidden for security.

  --esa-user <username>   ESA username (prompted interactively if not provided)
  --esa-password <pass>   ESA password (prompted with hidden input if not provided)

  Note: In DevOps mode (devops=yes), ESA credentials are not required.

Options:
 --conf <path>          Path to sdkupgrd.conf file (default: data/sdkupgrd.conf)
 --esa-user <username>  ESA username
 --esa-password <pass>  ESA password (hidden in logs, masked with *)
 -v, --version          Show agent version
 -h, --help             Show this help message

Examples:
 ./sdkupgrd upgrade                                              # interactive mode
 ./sdkupgrd upgrade --esa-user admin --esa-password secret       # credentials via args
 ./sdkupgrd upgrade --conf /path/to/sdkupgrd.conf                # custom conf file
 ./sdkupgrd upgrade --esa-user admin                             # password prompted

Agent Rollback Help

Run the agent rollback help using the following command.

/opt/protegrity/upgrader/bin/sdkupgrd rollback -h

The following help parameters are listed.

SDK Upgrader Agent Version: 1.0.0+5.g0493

Usage:
 ./sdkupgrd rollback

Description:
 Rolls back the agent, RPAgent, LogForwarder, and protectors to a previous version.
 Restores from the most recent backup created during an upgrade.

Options:
 -v, --version          Show agent version
 -h, --help             Show this help message

Examples:
 ./sdkupgrd rollback                                    # rollback with defaults
 ./sdkupgrd rollback --offline                          # rollback in offline mode

Note: The sdkupgrd rollback -h (or --help) output provides the lists command line options. However, the parameters, such as --offline, --stdout, and --debug are not supported on the command line. These parameters must be configured in the sdkupgrd.conf file instead.

GPG Signature Verification

The Upgrade Agent performs GPG signature verification before upgrade to ensure the integrity and authenticity of the build file. Ensure that the .gpg file is obtained from the ESA and placed in the /opt/protegrity/upgrader/bin/ directory for the signature verification.

Note: Without the .gpg file, the Upgrade Agent cannot verify or upgrade the protector.

To get the GPG encryption key from the ESA, which is in the /opt/verification_keys/ directory, run the following command on the protector machine.

sshpass -p <ESA root password> scp -r root@<ESA ip>:/opt/verification_keys/10.0.gpg /opt/protegrity/upgrader/bin

For more information about verification of signed protector build, refer to Verification of Signed Protector Build.

Build File Path

When initiating an upgrade, ensure that the compressed .tgz build file is available, or provide the build URL.

location-of-build = <path_to_build.tgz>

Caution: Do not set the path of the extracted .tgz build file manually. The Upgrade Agent expects the raw .tgz file and handles extraction internally.

Upgrade Modes Supported

The Upgrade Agent supports upgrades in two modes:

Online upgrade: When AP Java application is running.
Offline upgrade: When AP Java application is not running.

Offline upgrade mode should be used when:

The application is manually stopped.
DevOps deployment only supports offline upgrade.
For more information about DevOps deployment, refer to DevOps Approach for Application Protector Java.

Upgrade Process

Protector Upgrade

For an upgrade, update the sdkupgrd.conf configuration file located in the data/ directory.

For more information about the configuration file, refer to SDK Upgrader Agent Configuration File.

ESA Credential Requirements

ESA credentials, username and password are required when performing upgrade operations.

2 - Rollback Behavior

Settings required to perform rollbacks for AP Java.

The Upgrade Agent restores all backed-up components to their previous state. Rollback supports both online and offline mode.

If the backup folder is missing or deleted, rollback cannot proceed.
Always verify that the backup directory exists before performing any rollback. The agent performs automatic rollback in case of upgrade failure.
Rollback is supported only for the most recent upgrade, as a backup is created only for the last upgrade performed.

3 - Protegrity SDK Upgrade Permissions and Deployment

Lists user or group configuration, file and folder permissions, and deployment steps.

Overview

Protegrity deployments include the following components:

Upgrade Agent
Application Protector (AP) Java SDK
Resilient Package (RP) Agent
Log Forwarder

It requires a structured permission model to ensure that only authorized users can access protected resources. The permissions define the ability to execute, read, or modify protected resources. This section provides recommended user and group configurations, file and folder permissions, and step‑by‑step deployment guidance for a common use case.

3.1 - User Roles and Groups

Details about user roles and groups for a common setup.

Groups

Group	Purpose	Example
Admin group	Users who manage the Upgrade Agent, RPAgent, and Log Forwarder. This group is always required.	`ptyadmin`
SDK users group	AP Java users who run applications using the SDK.	`ptyusers`

User Configuration Examples

User	Primary Group	Purpose
`ptyadmin`	`ptyadmin`	Admin user who can install and run Upgrade Agent, RPAgent, Log Forwarder, and AP Java.
`ptyuser1`, `ptyuser2`, and so on	`ptyadmin`	AP Java user who can run application using the SDK.

User and Group Setup Commands

This section provide commands to create users and groups on Linux.

sudo groupadd ptyadmin
sudo useradd -m -g ptyadmin ptyadmin
sudo useradd -m -g ptyadmin ptyuser1

Here, ptyuser1 uses ptyadmin as the primary group. PID files are created with the following ownership:

ptyuser1:ptyadmin

The Upgrade Agent can read the files with this permission automatically.

3.2 - Component Overview

Details about ownership of all Protegrity components.

All Protegrity components are owned and primarily run by the ptyadmin user. The following table lists the components and their ownership.

Component	Description	Owner or User^*	Who Runs It
Upgrade Agent	Upgrades and rolls back Protegrity components.	`ptyadmin`	`ptyadmin` user
AP Java SDK	Java libraries used by applications to protect and unprotect data.	`ptyadmin`	User (`ptyuser1`) in the `ptyadmin` group.
RPAgent	Downloads and keeps security policy packages in sync.	`ptyadmin`	`ptyadmin` user
Log Forwarder	- Collects logs and forwards them to the ESA. - It is based on Fluent Bit.	`ptyadmin`	`ptyadmin` user

^* - All components are owned by ptyadmin.

The 10.0.gpg file is used by the Upgrade Agent for signature verification. However, it is not a part of the product build. Complete the following steps.

Copy it manually from the ESA machine.
Place it in upgrader/bin/.
Set permissions to 640.

3.3 - Recommended File and Folder Permissions

List of permissions required for users and groups, core components, and files.

This section explains the required users and groups, core components, and recommended file permissions for running Protegrity Upgrade Agent and the AP Java SDK securely on Linux systems.

Note: The user running the Upgrade Agent must own the extracted old SDK build used for the upgrade. If a local path is configured in sdkupgrd.conf, the user must also own the downloaded new build.

The following tables describe which users can access specific directories under the Upgrade Agent installation and explain why these permissions are required.

ptyadmin - Admin user who owns and manages the Upgrade Agent, RPAgent, and Log Forwarder.
ptyuser1 - AP Java application user.

Upgrader Agent

The Upgrade Agent is always installed under /opt/protegrity/upgrader/.

Path	Owner:Group	Mode	Notes
`/opt/protegrity/`	`ptyadmin:ptyadmin`	`751`	Allows users to traverse into subdirectories without listing the contents of `/opt/protegrity`.
`upgrader/`	`ptyadmin:ptyadmin`	`750`	-
`upgrader/bin/`	`ptyadmin:ptyadmin`	`750`	-
`upgrader/bin/sdkupgrd`	`ptyadmin:ptyadmin`	`700`	Ensures upgrades and rollbacks can be initiated only by `ptyadmin`.
`upgrader/data/`	`ptyadmin:ptyadmin`	`750`	-
`upgrader/data/metadata.ini`	`ptyadmin:ptyadmin`	`660`	Enables the SDK to read and update active version information required for upgrade coordination.
`upgrader/data/sdkupgrd.conf`	`ptyadmin:ptyadmin`	`660`	-
`upgrader/logs/`	`ptyadmin:ptyadmin`	`770`	Allows SDK users to create and write log files during runtime and upgrades.
`upgrader/active_processes/`	`ptyadmin:ptyadmin`	`770`	Allows SDK users to create PID files so the Upgrade Agent can detect running processes.
`upgrader/backup/`	`ptyadmin:ptyadmin`	`750`	Stores backup and rollback data.

AP Java SDK

Path	Owner:Group	Mode	Notes
`sdk/`	`ptyadmin:ptyadmin`	`750`	Grants AP Java users read and execute access to the SDK.
`sdk/java/lib/`	`ptyadmin:ptyadmin`	`750`	Contains SDK JARs and native libraries.
`sdk/java/lib/ApplicationProtectorJava.jar`	`ptyadmin:ptyadmin`	`640`	Read‑only access for AP Java users.
`sdk/java/lib/jcorelite.plm`	`ptyadmin:ptyadmin`	`640`	Native library used by the SDK runtime.
`sdk/java/data/`	`ptyadmin:ptyadmin`	`750`	SDK configuration directory.
`sdk/java/data/config.ini`	`ptyadmin:ptyadmin`	`640`	SDK configuration file. Read‑only access for AP Java users.

RPAgent

Path	Owner:Group	Mode	Notes
`rpagent/`	`ptyadmin:ptyadmin`	`755`	Allows read and execute access without exposing writable permissions.
`rpagent/bin/rpagent`	`ptyadmin:ptyadmin`	`750`	RPAgent runtime binary.
`rpagent/bin/rpagentctrl`	`ptyadmin:ptyadmin`	`750`	RPAgent control script.
`rpagent/data/rpagent.cfg`	`ptyadmin:ptyadmin`	`640`	RPAgent configuration file.

Log Forwarder

Path	Owner:Group	Mode	Notes
`logforwarder/`	`ptyadmin:ptyadmin`	`755`	Allows read and execute access without write permissions.
`logforwarder/bin/fluent-bit`	`ptyadmin:ptyadmin`	`750`	Log Forwarder runtime binary.
`logforwarder/bin/logforwarderctrl`	`ptyadmin:ptyadmin`	`750`	Log Forwarder control script.
`logforwarder/data/logforwarder.conf`	`ptyadmin:ptyadmin`	`640`	Log Forwarder configuration file.