Set Up Same Server

Proceed only if...

  1. You have completed the validation and the results indicate you are ready to install TOS Aurora.
  2. You have completed your upgrade design worksheet.

Otherwise, go back.

In this step you will:

  1. Copy your TOS Classic data

  2. If your operating system is TufinOS, switch mode to TOS Aurora

  3. Install TOS Aurora

Copy Your TOS Classic Data

Copy your TOS Classic data to the conversion directories.

On TOS Aurora, SecureTrack and SecureChange are installed on the same server. If SecureTrack and SecureChange are currently installed on separate servers, the current SecureChange server will no longer be needed. However, if it has the required resources, it may be possible to repurpose it as a worker node.

If SecureTrack and SecureChange are already installed on the same server, perform all steps that relate to the SecureChange server on the joint SecureTrack / SecureChange server, except where specified otherwise.

  1. If your operating system is TufinOS or you are using a user other than root on RHEL/CentOS, get root privileges.

    [<ADMIN> ~]$ sudo su -
  2. Create data migration directories.

    [<ADMIN> ~]# mkdir -p /opt/tufin/data/volumes/migration-pv/sc/pg/
    [<ADMIN> ~]# mkdir -p /opt/tufin/data/volumes/mongo-sc-rs/
    [<ADMIN> ~]# mkdir -p /opt/tufin/data/volumes/migration-pv/sc/scripts/
    [<ADMIN> ~]# mkdir -p /opt/tufin/data/volumes/migration-pv/sc/conf
    [<ADMIN> ~]# mkdir -p /opt/tufin/migration/
  3. Back up the TOS Classic configuration files only (excluding the database) by running the commands below on your TOS Classic server. The output backup file will be named in the format config_YYYY-MM-DD.zip. For example, config_20210225.zip.

    [<ADMIN> ~]# cd /opt/tufin/migration/    
    [<ADMIN> ~]# screen -S backup
    [<ADMIN> ~]# tos backup --st --conf-only config
  4. Rename the output file.

    [<ADMIN> ~]# mv config_YYYY-MM-DD.zip backup.zip
  5. Skip for remote collectors. Dump your SecureChange data

    If SecureTrack and SecureChange are on the same server, or if you do not use SecureChange at all:

    [<ADMIN> ~]# pg_dump -Upostgres -Fc securechangeworkflow > /opt/tufin/data/volumes/migration-pv/sc/pg/sc_pg.tar

    Else (SecureTrack and SecureChange are on separate servers):

    [<ADMIN> ~]# pg_dump -Upostgres -Fc securechangeworkflow > /opt/sc_pg.tar
    [<ADMIN> ~]# rsync -avzhe ssh --progress /opt/sc_pg.tar tufin-admin@<IP>:/opt/tufin/data/volumes/migration-pv/sc/pg/sc_pg.tar --rsync-path="sudo rsync"
  6. Skip for remote collectors. On the SecureChange server, save file catalina.conf, where <TOMCAT-VER> is the version of your Tomcat server. You can press the tab key to auto-complete the version after typing/pasting cp -p /usr/tomcat-.

    If SecureTrack and SecureChange are on the same server, or if you do not use SecureChange at all:

    [<ADMIN> ~]# cp -p /usr/tomcat-<TOMCAT-VER>/conf/catalina.conf /opt/tufin/data/volumes/migration-pv/sc/conf/catalina.conf

    Else (SecureTrack and SecureChange are on separate servers):

    [<ADMIN> ~]# rsync -avzhe ssh --progress /usr/tomcat-<TOMCAT-VER>/conf/catalina.conf tufin-admin@<IP>:/opt/tufin/data/volumes/migration-pv/sc/conf/catalina.conf --rsync-path="sudo rsync"
  7. If you are upgrading from TOS Classic release R20-2 (any version), R21-1 (any version prior to HF3) or R21-2 (any version prior to GA), save the Lucene data.

    [<ADMIN> ~]# cp -R /opt/tufin/data/volumes/lucene/indexes/st/ /tmp/st/
  8. Uninstall TOS Classic while keeping the data.

    [<ADMIN> ~]# tos uninstall --keepdbs
  9. If you saved the Lucene data in the step before last:

    Recreate the Lucene directory.

    [<ADMIN> ~]# mkdir -p /opt/tufin/data/volumes/lucene/indexes/st

    Move the saved Lucene data back.

    [<ADMIN> ~]# mv /tmp/st/* /opt/tufin/data/volumes/lucene/indexes/st
  10. Skip for remote collectors. If SecureChange is installed on a separate server, run the following commands on the SecureChange server:
    [<ADMIN> ~]# service tomcat stop
    [<ADMIN> ~]# service mongod stop
    [<ADMIN> ~]# service postgresql-11 stop
  11. Skip for remote collectors. Transfer your SecureChange data to the data migration directories, where:

    • <IP> is the IP address of your SecureTrack server

    If SecureChange is on a separate server, sync the data from the SecureChange server to the SecureTrack server:

    [<ADMIN> ~]# rsync -avzhe ssh --progress /opt/tufin/data/volumes/mongo/ tufin-admin@<IP>:/opt/tufin/data/volumes/mongo-sc-rs/ --rsync-path="sudo rsync"

    Otherwise, move the data on the same server:

    [<ADMIN> ~]# mv /opt/tufin/data/volumes/mongo/ /opt/tufin/data/volumes/mongo-sc-rs/
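
A pre-uninstall check for the staging area built in steps 2 to 6, to run before step 8. This is an added example, not part of the original procedure or vendor tooling; the function names are this example's own, and it assumes SecureChange data was staged (that is, the server is not a remote collector). It relies on the fact that a pg_dump -Fc archive begins with the bytes "PGDMP" and a zip archive with "PK".

```shell
#!/bin/sh
# Added example (not vendor code): verify the staging area built in steps 2-6
# before running the uninstall in step 8. Paths default to the ones on this page.

# A pg_dump -Fc (custom format) archive starts with the 5-byte magic "PGDMP".
is_pg_custom_dump() { [ -s "$1" ] && [ "$(head -c 5 "$1" 2>/dev/null)" = "PGDMP" ]; }

# A zip archive starts with the bytes "PK".
is_zip() { [ -s "$1" ] && [ "$(head -c 2 "$1" 2>/dev/null)" = "PK" ]; }

# True when "other" users hold any permission bit on the file.
is_world_accessible() { [ "$(ls -ld "$1" | cut -c8-10)" != "---" ]; }

# Usage: check_staging [volumes_root] [backup_dir]
# Prints one line per problem and returns the number of problems found.
check_staging() {
    vol="${1:-/opt/tufin/data/volumes}"
    bak="${2:-/opt/tufin/migration}"
    mig="$vol/migration-pv/sc"
    problems=0
    fail() { echo "PROBLEM: $1"; problems=$((problems + 1)); }

    for d in "$mig/pg" "$mig/scripts" "$mig/conf" "$vol/mongo-sc-rs" "$bak"; do
        [ -d "$d" ] || fail "missing directory $d"
    done
    is_zip "$bak/backup.zip" || fail "$bak/backup.zip is missing or not a zip archive"
    is_pg_custom_dump "$mig/pg/sc_pg.tar" || fail "$mig/pg/sc_pg.tar is missing or not a pg_dump -Fc archive"
    [ -s "$mig/conf/catalina.conf" ] || fail "$mig/conf/catalina.conf is missing or empty"

    # The configuration backup and database dump hold sensitive data.
    for f in "$bak/backup.zip" "$mig/pg/sc_pg.tar"; do
        if [ -e "$f" ] && is_world_accessible "$f"; then
            fail "$f is accessible to other users (consider chmod 600)"
        fi
    done
    return "$problems"
}

check_staging "$@" || echo "Staging incomplete: do not run 'tos uninstall --keepdbs' yet."
```

Run it as root on the SecureTrack server; no output means every staged artifact is present, has the expected file signature, and is not readable by other users.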

If your operating system is TufinOS, continue with Switch TufinOS Mode, otherwise continue with Install TOS Aurora.

Switch TufinOS Mode

If your operating system is not TufinOS, skip this section and go straight to Install TOS Aurora.

Switch TufinOS mode from TOS Classic to TOS Aurora.

  1. If you have exited the session, run the screen command again.

    [<ADMIN> ~]# screen -S switch
  2. Switch installed TufinOS to TOS Aurora.

    [<ADMIN> ~]# switch-tos-mainstream
  3. Reboot the SecureTrack server.
  4. Log in again and get root privileges:

    [<ADMIN> ~]$ sudo su -
  5. Verify that your TufinOS server is now configured for TOS Aurora. The command for this depends on the version of TufinOS you are using. Start with the first command below and if it's not recognized, try the next one below.

    [<ADMIN> ~]# get-supported-tos

    If 'TOS Aurora' appears in the output, the switch was successful. Otherwise, contact Tufin support for assistance.

    If the above command is not recognized, use the following command instead.

    [<ADMIN> ~]# get-tos-mainstream

    If 'TOS-2' appears in the output, the switch was successful. Otherwise, contact Tufin support for assistance.

  6. We recommend running on the latest version of TufinOS, 4.30. You can upgrade now, or later at your convenience - see:

Continue with Install TOS Aurora.

Install TOS Aurora

  1. If you are going to deploy high availability, we strongly recommend partitioning directory /var to a separate, dedicated disk. If this is not done, performance may be affected.

  2. If not done already,

    1. Transfer the TOS Aurora run file, downloaded previously, to /opt/tufin/data.

    2. Execute the run file <runfile>:

      [<ADMIN> ~]# cd /opt/tufin/data
      [<ADMIN> ~]# sh <runfile>
  3. Run the tmux command:

    [<ADMIN> ~]# tmux new-session -s install
  4. Run the install command, replacing the parameters:

    • <PRIMARY> with the IP you will use to access TOS Aurora - the primary VIP for on-prem deployments, or 'external' for cloud deployments

    • <SERVICE-CIDR> with the CIDR you have selected for the Kubernetes service network

    • <MODULE-TYPE> with one of the following values:

      • ST for SecureTrack only
      • ST,SC for both SecureTrack and SecureChange/SecureApp
      • RC for a remote collector

    • <LOAD> with small, medium or large, as specified in your sizing requirements

    [<ADMIN> ~]# tos install --migrate --modules=<MODULE-TYPE> --primary-vip=<PRIMARY> --services-network=<SERVICE-CIDR> --load-model=<LOAD> -d

    Examples:

    [<ADMIN> ~]# tos install --migrate --modules=ST,SC --primary-vip=external --services-network=10.10.10.0/24 --load-model=medium -d
    [<ADMIN> ~]# tos install --migrate --modules=ST,SC --primary-vip=192.168.1.2 --services-network=10.10.10.0/24 --load-model=medium -d
    [<ADMIN> ~]# tos install --migrate --modules=RC --primary-vip=162.148.10.0 --services-network=10.10.10.0/24 --load-model=large -d

  5. The EULA is displayed. Enter 'y' to accept and again when prompted to start.

    The install will run to completion, with no further messages.

  6. If you receive an error message, run tos report to get more information.

    [<ADMIN> ~]# tos report

Congratulations, you have completed the upgrade from TOS Classic to TOS Aurora. You can now safely exit the CLI screen session:

[<ADMIN> ~]# exit

Can I Proceed?

Continue to the next step only if...

  • You have executed all the steps leading up to the tos install command and the install has completed successfully.

Now we will verify that the upgrade was successful. Click Next.