Set Up Same Server

Proceed only if...

You have completed the validation and the results indicate you are ready to install TOS Aurora.
You have completed your upgrade design worksheet.

Otherwise, go back.

In this step you will:

Copy your TOS Classic data
If your operating system is TufinOS, Switch mode to TOS Aurora
Install TOS Aurora

Copy Your TOS Classic Data

Copy your TOS Classic data to the conversion directories.

On TOS Aurora, SecureTrack and SecureChange are installed on the same server. If SecureTrack and SecureChange are currently installed on separate servers, the current SecureChange server will no longer be needed, however, if it has the required resources, it may be possible to re-purpose it as a worker node.

If SecureTrack and SecureChange are already installed on the same server, perform all steps that relate to the SecureChange server, on the joint SecureTrack / SecureChange server, except where specified otherwise.

If your operating system is TufinOS or you are using a user other than root on RHEL/CentOS, get root privileges.
```
[<ADMIN> ~]$ sudo su -
```
sudo su -

Create data migration directories.

[<ADMIN> ~]# mkdir -p /opt/tufin/data/volumes/migration-pv/sc/pg/

mkdir -p /opt/tufin/data/volumes/migration-pv/sc/pg/

[<ADMIN> ~]# mkdir -p /opt/tufin/data/volumes/mongo-sc-rs/

mkdir -p /opt/tufin/data/volumes/mongo-sc-rs/

[<ADMIN> ~]# mkdir -p /opt/tufin/data/volumes/migration-pv/sc/scripts/

mkdir -p /opt/tufin/data/volumes/migration-pv/sc/scripts/

[<ADMIN> ~]# mkdir -p /opt/tufin/data/volumes/migration-pv/sc/conf

mkdir -p /opt/tufin/data/volumes/migration-pv/sc/conf

[<ADMIN> ~]# mkdir -p /opt/tufin/migration/

mkdir -p /opt/tufin/migration/

Back up the TOS Classic configuration files only (excluding the database) by running the commands below on your TOS Classic server. The output backup file will be named in the format config_YYYY-MM-DD.zip. For example, config_20210225.zip.
```
[<ADMIN> ~]# cd /opt/tufin/migration/    
```
cd /opt/tufin/migration/
```
[<ADMIN> ~]# screen -S backup
```
screen -S backup
```
[<ADMIN> ~]# tos backup --st --conf-only config
```
tos backup --st --conf-only config
Rename the output file.
```
[<ADMIN> ~]# mv config_YYYY-MM-DD.zip backup.zip
```
mv config_YYYY-MM-DD.zip backup.zip
Skip for remote collectors. Dump your SecureChange data

If SecureTrack and SecureChange are on the same server, or if you do not use SecureChange at all:
```
[<ADMIN> ~]# pg_dump -Upostgres -Fc securechangeworkflow > /opt/tufin/data/volumes/migration-pv/sc/pg/sc_pg.tar
```
pg_dump -Upostgres -Fc securechangeworkflow > /opt/tufin/data/volumes/migration-pv/sc/pg/sc_pg.tar
Else (SecureTrack and SecureChange are on separate servers):
```
[<ADMIN> ~]# pg_dump -Upostgres -Fc securechangeworkflow > /opt/sc_pg.tar
```
pg_dump -Upostgres -Fc securechangeworkflow > /opt/sc_pg.tar
```
[<ADMIN> ~]# rsync -avzhe ssh --progress /opt/sc_pg.tar tufin-admin@<IP>:/opt/tufin/data/volumes/migration-pv/sc/pg/sc_pg.tar --rsync-path="sudo rsync"
```
rsync -avzhe ssh --progress /opt/sc_pg.tar tufin-admin@<IP>:/opt/tufin/data/volumes/migration-pv/sc/pg/sc_pg.tar --rsync-path="sudo rsync"
Skip for remote collectors. On the SecureChange server, save file catalina.conf, where <TOMCAT-VER> is the version of your Tomcat server. You can press the tab key to auto-complete the version after typing/pasting cp -p /usr/tomcat-.

If SecureTrack and SecureChange are on the same server, or if you do not use SecureChange at all:
```
[<ADMIN> ~]# cp -p /usr/tomcat-<TOMCAT-VER>/conf/catalina.conf /opt/tufin/data/volumes/migration-pv/sc/conf/catalina.conf
```
cp -p /usr/tomcat-<TOMCAT-VER>/conf/catalina.conf /opt/tufin/data/volumes/migration-pv/sc/conf/catalina.conf
Else (SecureTrack and SecureChange are on separate servers):
```
[<ADMIN> ~]# rsync -avzhe ssh --progress /usr/tomcat-<TOMCAT-VER>/conf/catalina.conf tufin-admin@<IP>:/opt/tufin/data/volumes/migration-pv/sc/conf/catalina.conf --rsync-path="sudo rsync"
```
rsync -avzhe ssh --progress /usr/tomcat-<TOMCAT-VER>/conf/catalina.conf tufin-admin@<IP>:/opt/tufin/data/volumes/migration-pv/sc/conf/catalina.conf --rsync-path="sudo rsync"
If you are upgrading from TOS Classic release R20-2 (any version), R21-1 (any version prior to HF3) or R21-2 (any version prior to GA), save the Lucene data.
```
[<ADMIN> ~]# cp -R /opt/tufin/data/volumes/lucene/indexes/st/ /tmp/st/
```
cp -R /opt/tufin/data/volumes/lucene/indexes/st/ /tmp/st/
Uninstall TOS Classic while keeping the data.
```
[<ADMIN> ~]# tos uninstall --keepdbs
```
tos uninstall --keepdbs
If you saved the Lucene data in the step before last:

Recreate the Lucene directory.
```
[<ADMIN> ~]# mkdir -p /opt/tufin/data/volumes/lucene/indexes/st
```
mkdir -p /opt/tufin/data/volumes/lucene/indexes/st
Move the saved Lucene data back.
```
[<ADMIN> ~]# mv /tmp/st/* /opt/tufin/data/volumes/lucene/indexes/st
```
mv /tmp/st/* /opt/tufin/data/volumes/lucene/indexes/st
Skip for remote collectors. If SecureChange is installed on a separate server, run the following commands on the SecureChange server:
```
[<ADMIN> ~]# service tomcat stop
```
service tomcat stop
```
[<ADMIN> ~]# service mongod stop
```
service mongod stop
```
[<ADMIN> ~]# service postgresql-11 stop
```
service postgresql-11 stop
Skip for remote collectors. Transfer your SecureChange data to the data migration directories where,
- <IP> is the IP address of your SecureTrack server
If SecureChange is on a separate server, sync the data from the SecureChange server to the SecureTrack server,
```
[<ADMIN> ~]# rsync -avzhe ssh --progress /opt/tufin/data/volumes/mongo/ tufin-admin<IP>:/opt/tufin/data/volumes/mongo-sc-rs/ --rsync-path="sudo rsync"
```
rsync -avzhe ssh --progress /opt/tufin/data/volumes/mongo/ tufin-admin<IP>:/opt/tufin/data/volumes/mongo-sc-rs/ --rsync-path="sudo rsync"
Else move the data on the same server.
```
[<ADMIN> ~]# mv /opt/tufin/data/volumes/mongo/ /opt/tufin/data/volumes/mongo-sc-rs/
```
mv /opt/tufin/data/volumes/mongo/ /opt/tufin/data/volumes/mongo-sc-rs/

If your operating system is TufinOS, continue with Switch TufinOS Mode, otherwise continue with Install TOS Aurora.

Switch TufinOS Mode

If your operating system is not TufinOS, skip this section and go straight to Install TOS Aurora

Switch TufinOS mode From TOS Classic to TOS Aurora.

If you have exited the session, again run the screen command.
```
[<ADMIN> ~]# screen -S switch
```
screen -S switch
Switch installed TufinOS to TOS Aurora.
```
[<ADMIN> ~]# switch-tos-mainstream
```
switch-tos-mainstream
Reboot the SecureTrack server.
Log in again and get root privileges:
```
[<ADMIN> ~]$ sudo su -
```
sudo su -
Verify that your TufinOS server is now configured for TOS Aurora. The command for this depends on the version of TufinOS you are using. Start with the first command below and if it's not recognized, try the next one below.
```
[<ADMIN> ~]# get-supported-tos
```
get-supported-tos
If 'TOS Aurora' appears in the output, the switch was successful. Otherwise, contact Tufin support for assistance.

If the above command is not recognized, use the following command instead.
```
[<ADMIN> ~]# get-tos-mainstream
```
get-tos-mainstream
If 'TOS-2' appears in the output, the switch was successful. Otherwise, contact Tufin support for assistance.
We recommend running on the latest version of TufinOS, 4.30, you can upgrade now, or later at your convenience - see:
- Upgrade TufinOS 3 to 4 - VMWare ESXi Machine
- Upgrade TufinOS 3 to 4 - Appliances

Continue with Install TOS Aurora.

Install TOS Aurora

If you are going to deploy high availability, we strongly recommend partitioning directory /var to a separate, dedicated disk. If this is not done, performance may be affected.
If not done already,
1. Transfer the TOS Aurora run file, downloaded previously, to /opt/tufin/data.
2. Execute the run file <runfile>:
```
[<ADMIN> ~]# cd /opt/tufin/data
```
  cd /opt/tufin/data
```
[<ADMIN> ~]# sh <runfile>
```
  sh <runfile>
Run the tmux command:
```
[<ADMIN> ~]# tmux new-session -S install
```
tmux new-session -S install
Run the install command, replacing the parameters:
- <PRIMARY> with the IP you will use to access TOS Aurora - the primary VIP for on-prem or with 'external' for cloud deployments
- <SERVICE-CIDR> with the CIDR you have selected for the Kubernetes service network
  <MODULE-TYPE> with one of the following values:
  - ST for SecureTrack only
  - ST, SC for both SecureTrack and SecureChange/SecureApp
  - RC for a remote collector
- <LOAD> with small, medium or large, as specified in your sizing requirements
```
[<ADMIN> ~]# tos install  --migrate --modules=<MODULE-TYPE> --primary-vip=<PRIMARY> --services-network=<SERVICE-CIDR> --load-model=<LOAD> -d
```
tos install --migrate --modules=<MODULE-TYPE> --primary-vip=<PRIMARY> --services-network=<SERVICE-CIDR> --load-model=<LOAD> -d
Examples:
```
[<ADMIN> ~]# tos install  --migrate --modules=ST,SC --primary-vip=external --services-network=10.10.10.0/24 --load-model=medium -d
[<ADMIN> ~]# tos install  --migrate --modules=ST,SC --primary-vip=192.168.1.2 --services-network=10.10.10.0/24 --load-model=medium -d 
[<ADMIN> ~]# tos install  --migrate --modules=RC --primary-vip=162.148.10.0 --services-network=10.10.10.0/24 --load-model=large -d
```
The EULA is displayed. Enter 'y' to accept and again when prompted to start.

The install will run to completion, with no further messages.
The install should complete quietly, without further messages. If however you receive an error message, run tos report to get more information.
```
[<ADMIN> ~]# tos report
```
sudo tos report

Congratulations, you have completed the upgrade from TOS Classic to TOS Aurora. You can now safely exit the CLI screen session:

[<ADMIN> ~]# exit

exit

Can I Proceed?

Continue to the next step only if...

You have executed all the steps leading up to the tos install command and the install has completed successfully.

Now we will verify that the upgrade was successful. Click Next.