Upgrading TOS Classic

Overview

These instructions are for performing a direct upgrade from your installed version of TOS Classic to the current version of TOS. For supported upgrade paths to the current version, see Tufin Orchestration Suite Lifecycle.

You can upgrade from any hotfix in the installed release to any hotfix in the target release. For example, you can upgrade directly from hotfix 3 of the installed release to hotfix 2 of the target release if a direct upgrade between the releases is supported. We recommend that you upgrade to the latest hotfix available for your target release. See TOS Build Number History for a list of all releases and hotfixes.

Pre-upgrade Notes

To upgrade, the SecureTrack processes and services must be running on the TOS server. If the TOS server was shut down before the upgrade, wait for it to boot and for the services to start. To confirm the service status, run the command: st stat. See Command Line Reference for more information on the st stat command.

You should make a full backup of TOS, including any remote collectors and servers in a distributed architecture. You should also back up any local customizations.

If the TOS server is in a High Availability or Distributed Architecture deployment, make sure you follow the specific instructions for those deployments.

If you are using SecureChange and SecureTrack on separate servers, upgrade TOS on both servers.

The ssl.conf file is replaced during installation and upgrade. Before the installation or upgrade, the existing ssl.conf file is copied to:

  • Install - /opt/tufin/securitysuite/conf/httpd/conf.d/orig/ssl.conf
  • Upgrade - /etc/httpd/conf.d/ssl.conf.bak

To ensure that your own SSL certificates and SSL configuration customizations are retained during a TOS upgrade, follow the instructions in Customizing SSL.

If your server is behind a NAT, the NAT device must be configured to send one of the following headers for each request. If a request does not include one of these headers, users will not be able to log in to SecureTrack. 

  • X-Forwarded-Host - usually used when the NAT device is a reverse proxy

  • HOST

    The header should also contain the remote host DNS name or IP address.

Upgrade behavior for existing zones named "Unassociated Networks"

The predefined Unassociated Networks zone is added to the Zone Manager during upgrade.

If you are upgrading from a system that already contains a zone with the name “Unassociated Networks”, the existing zones are renamed as follows:

  • The existing zones named “Unassociated Networks” will be renamed copy_of_Unassociated Networks, copy(2)_of_Unassociated Networks, and so on.
  • For each domain in multidomain/MSSP mode, any existing zone that is named “Unassociated Networks” will also be renamed.

The existing USP matrices in each domain will change to reflect the renamed zones. They will include the name copy_of_Unassociated Networks (and not "Unassociated Networks").

When you import new matrices after an upgrade, the name of the zone is taken from the CSV without being renamed.

Changes to the locale configuration of the operating system can cause errors when you install or upgrade TOS. Make sure that the LANG value of the locale is set to en_US.UTF-8. 

If you use automated provisioning and you are upgrading from R21-3 or higher, make sure there are no queued provisioning tasks. You can check this using the waiting_tasks API.

To upgrade to a newer version of TOS Classic

  1. Review the upgrade limitations for the newer version of TOS Classic in the Release Notes for that version. Make any changes to the TOS server that are required for the upgrade.

  2. Download the installation package from the Tufin Support Library.
  3. Use SSH to log in to the target server as the user: tufin-admin.

  4. Log in as root user:

    sudo su -

  5. Create the following directory: /opt/tufin/pkgs.
  6. Copy the installation package to /opt/tufin/pkgs.
  7. From the command line on the TOS server, verify package integrity with the command:

    sha1sum <filename>

    where <filename> is in the format:

    tos-<TOS_version>-<release_level>-<TOS_build>-final-release.run.tgz

    Compare the output to the number on the Tufin download site.

  8. To extract the file, run:

    tar zxvf <filename>

  9. Run the extracted file:

    # screen -S Upgrade
    # /bin/sh <filename>
    # exit

    where <filename> is in the format:

    tos-<TOS_version>-<release_level>-<TOS_build>-final-release.run

  10. After the upgrade, to continue working with customer-specific packages provided by Tufin Professional Services (PS), manually restart the tufin-ps-web service on the SecureTrack server. To restart the service, run the following line of code on the server:

    service tufin-ps-web restart

    After upgrading, users may need to clear their browser's cache or restart their browser before they connect to SecureTrack, SecureChange, or SecureApp.

  11. For TOS Classic R21-3 HF5 and earlier running on TufinOS 3.100, we recommend manually configuring the SSH ciphers.
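
The integrity check and extraction from the steps above, as an added shell example (not part of Tufin's documentation or tooling): it refuses to extract the package unless the file name has the expected shape and its SHA-1 matches the value copied from the Tufin download site. The function names are hypothetical, and the expected digest is supplied by the operator.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not Tufin tooling.

# The page requires LANG to be en_US.UTF-8 before install or upgrade.
locale_ok() { [ "$1" = "en_US.UTF-8" ]; }

# Accept only names shaped like tos-<...>-final-release.run.tgz.
is_tos_package() {
    case $(basename -- "$1") in
        tos-*-final-release.run.tgz) return 0 ;;
        *) return 1 ;;
    esac
}

# Strip whitespace and lowercase so a pasted digest compares cleanly.
normalize_digest() { printf '%s' "$1" | tr -d '[:space:]' | tr 'A-F' 'a-f'; }

# verify_package FILE EXPECTED_SHA1
# Returns 0 on match, 1 on mismatch, 2 on unusable input.
verify_package() {
    expected=$(normalize_digest "$2")
    case $expected in
        ''|*[!0-9a-f]*) echo "expected digest is not hex" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 40 ] || { echo "expected digest is not 40 hex digits" >&2; return 2; }
    [ -f "$1" ] || { echo "no such file: $1" >&2; return 2; }
    # Read from stdin so the output carries only the digest, no file name.
    actual=$(sha1sum < "$1" | awk '{print $1}')
    if [ "$actual" != "$expected" ]; then
        echo "SHA-1 mismatch for $1: got $actual" >&2
        return 1
    fi
}

# Extract only after the name and digest checks pass (tar flags as in the steps above).
verify_and_extract() {
    is_tos_package "$1" || { echo "unexpected package name: $1" >&2; return 2; }
    verify_package "$1" "$2" || return $?
    tar zxvf "$1"
}

# Direct use: sh <this script> FILE SHA1_FROM_DOWNLOAD_SITE
if [ "$#" -eq 2 ]; then
    locale_ok "${LANG:-}" || echo "warning: LANG is '${LANG:-}', expected en_US.UTF-8" >&2
    verify_and_extract "$1" "$2"
fi
```

Take the expected digest from the Tufin download site itself rather than from a file stored next to the package, since a digest that travels with the download is changed as easily as the package.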

If this is the first time you are using SecureChange or SecureApp, you need to configure the following:

Then you are ready to build your applications and create workflows to manage your change requests, according to your product license.