Install

Proceed only if...

  1. You are ready to stop all activity on TOS Classic.
  2. You understand that the length of the upgrade process will depend on the amount of data remaining to transfer to the new servers.

Otherwise, go back.

In this step you will:

  1. Make the final data transfer to the new server.

  2. Install TOS Aurora.

  3. Verify that the upgrade was successful.

Transfer configuration and all remaining data to the new TOS Aurora server/VM/appliance.

Do not attempt to access the TOS Classic database by any other means, including command line, reports and other UI clients, except as instructed in the current procedure. Failure to adhere to this requirement may cause the upgrade to fail.

In all rsync commands in this section, <AURORA-ADMIN> is an admin user on your new TOS Aurora server, who has permissions to the directories created previously in Data.

  1. Get root privileges.

    Either use your own password,

    [<ADMIN> ~]$ sudo su -

    or use the root password (RHEL/Rocky Linux only),

    [<ADMIN> ~]$ su -
  2. Back up the TOS Classic configuration files only (excluding the database) by running the commands below on your TOS Classic server, where <Prefix> is the first part of the new backup file name. The output backup file will be named in the format <Prefix>_YYYY-MM-DD.zip.

    [<ADMIN> ~]# screen -S finaltransfer
    [<ADMIN> ~]# tos backup --st --conf-only <Prefix>
  3. If you are a PS (Tufin Professional Services) customer:

    1. Stop the PS web service.

      [<ADMIN> ~]# service tufin-ps-web stop
    2. Disable the PS cron job.

      Edit the cron file.

      [<ADMIN> ~]# crontab -e

      Comment out the PS-scripts line by adding the # character at the beginning of the line.

      # 1 * * * * cat /opt/tufin/securitysuite/ps/PS-Scripts

  4. Transfer the configuration backup file to the new server/VM/appliance, renaming it to 'backup.zip'. Run the following command, where <FileName> is the full name of the output backup file and <IP> is the IP address of the new server/VM/appliance:

    [<ADMIN> ~]# rsync -avzhe ssh <FileName> <AURORA-ADMIN>@<IP>:/opt/tufin/migration/backup.zip --rsync-path="sudo rsync"
  5. Skip this step for remote collectors. If you have SecureChange, dump your data and transfer it to the new server/VM/appliance. Run the following commands, replacing <IP> with the IP address of the new server/VM/appliance. If SecureChange is installed on a separate server, run them only on the SecureChange server.

    [<ADMIN> ~]# pg_dump -Upostgres -Fc securechangeworkflow -f /opt/Backups/sc_pg.tar
    [<ADMIN> ~]# rsync -avzhe ssh --progress /opt/Backups/sc_pg.tar <AURORA-ADMIN>@<IP>:/opt/tufin/data/volumes/migration-pv/sc/pg/sc_pg.tar --rsync-path="sudo rsync"
  6. Shut down the TOS Classic SecureTrack services:

    [<ADMIN> ~]# st shutdown
    [<ADMIN> ~]# systemctl stop crond
    [<ADMIN> ~]# systemctl stop mongod
    [<ADMIN> ~]# systemctl stop postgresql-11
    [<ADMIN> ~]# systemctl stop ldap-cache
    [<ADMIN> ~]# systemctl stop commit-manager
    [<ADMIN> ~]# systemctl stop device-comm
    [<ADMIN> ~]# systemctl stop fqdn-cache
    [<ADMIN> ~]# systemctl stop tufin-topology
    [<ADMIN> ~]# systemctl stop keycloak
    [<ADMIN> ~]# systemctl stop tufin-jobs
    [<ADMIN> ~]# systemctl stop tomcat
    [<ADMIN> ~]# systemctl stop jms
  7. Skip for remote collectors. If SecureChange is installed on a separate server, shut down the TOS Classic SecureChange services running on it.

    [<ADMIN> ~]# systemctl stop tomcat
    [<ADMIN> ~]# systemctl stop postgresql-11
  8. Transfer all TOS Classic data from the existing TOS Classic server to the new server/VM/appliance. Run the following commands, replacing <PGVER> with the PostgreSQL version you are using, and replacing <IP> with the IP address of the temp/new server/VM/appliance:

    [<ADMIN> ~]# rsync -avzhe ssh --progress /var/lib/pgsql/<PGVER>/data/ <AURORA-ADMIN>@<IP>:/opt/tufin/data/volumes/postgres/<PGVER>/data/ --rsync-path="sudo rsync"
    [<ADMIN> ~]# rsync -avzhe ssh --progress /var/lib/lucene/indexes/ <AURORA-ADMIN>@<IP>:/opt/tufin/data/volumes/lucene/indexes/ --rsync-path="sudo rsync"
  9. Skip for remote collectors. If you have SecureChange, run the following commands. If SecureChange is installed on a separate server, run them only on the SecureChange server.

    Replace <IP> with the IP address of the temp/new server/VM/appliance:

    [<ADMIN> ~]# rsync -avzhe ssh --progress /var/lib/mongo/ <AURORA-ADMIN>@<IP>:/opt/tufin/data/volumes/mongo-sc-rs/ --rsync-path="sudo rsync"

    Transfer the Tomcat Catalina file. Do this only when SecureChange is installed on a separate server.

    [TOS Classic Server]# rsync -avzhe ssh --progress /usr/tomcat-<tomcat-version>/conf/catalina.conf <AURORA-ADMIN>@<IP>:/opt/tufin/data/volumes/migration-pv/sc/conf/catalina.conf --rsync-path="sudo rsync"
  10. Shut down the TOS Classic server(s). You will need the IP address of the TOS Classic SecureTrack server for the installation phase, next.
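
Added example, not part of the Tufin procedure or tooling: rsync skips files whose size and modification time already match, so an independent SHA-256 manifest of the source and destination directories confirms the end state before the TOS Classic server is shut down in step 10. The script name verify_copy.sh and the manifest file names are assumptions, and sha256sum is assumed to be available on both hosts.

```shell
#!/bin/sh
# verify_copy.sh (hypothetical name): added example, not part of the Tufin tooling.
# Run only after the services are stopped (steps 6 and 7) so the files are static.
#
#   On TOS Classic:  sh verify_copy.sh manifest /var/lib/lucene/indexes > classic.txt
#   On TOS Aurora:   sudo sh verify_copy.sh manifest /opt/tufin/data/volumes/lucene/indexes > aurora.txt
#   On either host:  sh verify_copy.sh compare classic.txt aurora.txt

# manifest DIR: print "<sha256>  ./relative/path" for every regular file under DIR,
# sorted by path. Paths are relative so the two hosts' manifests are comparable
# even though the directories live in different places.
manifest() {
    ( cd "$1" && LC_ALL=C find . -type f -exec sha256sum {} + | LC_ALL=C sort -k 2 )
}

# compare_manifests A B: return 0 if the manifests are identical; otherwise print
# each path that is missing, extra or has different content, and return 1.
compare_manifests() {
    if cmp -s "$1" "$2"; then
        return 0
    fi
    diff "$1" "$2" | sed -n 's/^[<>] [0-9a-f]\{64\}  //p' | LC_ALL=C sort -u
    return 1
}

# Command-line entry point; does nothing when the file is sourced without arguments.
case "${1:-}" in
    manifest) manifest "$2" ;;
    compare)  compare_manifests "$2" "$3" ;;
esac
```

Repeat the manifest and compare pair for each directory transferred in steps 8 and 9; any path printed by compare should be re-transferred before the source server is shut down.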

Install TOS Aurora

  1. If not done already,

    1. Transfer the TOS Aurora run file, downloaded previously, to /opt/tufin/data.

    2. Execute the run file <runfile>:

      [<ADMIN> ~]# cd /opt/tufin/data
      [<ADMIN> ~]# sh <runfile>
  2. Run the screen command:

    [<ADMIN> ~]# screen -S install
  3. Run the install command, replacing the parameters:

    • <PRIMARY> with the IP you will use to access TOS Aurora - the primary VIP for on-prem or with 'external' for cloud deployments

    • <SERVICE-CIDR> with the CIDR you have selected for the Kubernetes service network

    • <MODULE-TYPE> with one of the following values:

      • ST for SecureTrack only
      • ST, SC for both SecureTrack and SecureChange/SecureApp
      • RC for a remote collector
    • <LOAD> with small, medium or large, as specified in your sizing requirements

    [<ADMIN> ~]# tos install --migrate --modules=<MODULE-TYPE> --primary-vip=<PRIMARY> --services-network=<SERVICE-CIDR> --load-model=<LOAD>

    Examples:

    [<ADMIN> ~]# tos install --migrate --modules=ST,SC --primary-vip=external --services-network=10.10.10.0/24 --load-model=medium
    [<ADMIN> ~]# tos install --migrate --modules=ST,SC --primary-vip=192.168.1.2 --services-network=10.10.10.0/24 --load-model=medium
    [<ADMIN> ~]# tos install --migrate --modules=RC --primary-vip=162.148.10.0 --services-network=10.10.10.0/24 --load-model=large

  4. The EULA is displayed. Enter 'y' to accept and again when prompted to start.

    The install will run to completion, with no further messages.

  5. The install should complete quietly, without further messages. If, however, you receive an error message, run tos report to get more information.

    [<ADMIN> ~]# tos report

Congratulations, you have completed the upgrade from TOS Classic to TOS Aurora. You can now safely exit the CLI screen session:

[<ADMIN> ~]# exit

Can I Proceed?

Continue to the next step only if...

  • You have executed all the steps leading up to the tos install command and the install has completed successfully.

Now we will verify that the upgrade was successful. Click Next.