How to upgrade CipherTrust Manager from 2.0 to the higher/latest version?

The CipherTrust data security platform’s core management point is CipherTrust Manager. With the help of this market-leading enterprise key management solution, businesses can set up security policies, give granular access controls, and centrally manage encryption keys. The key lifecycle tasks managed by CipherTrust Manager include creation, rotation, destruction, import, and export. It also gives role-based access control to keys and policies, allows thorough auditing and reporting, and provides REST APIs that are easy for management and development. The physical and virtual form factors of CipherTrust Manager are FIPS 140-2 compliant up to level 3. Additionally, hardware security modules (HSM) like Thales Luna and Luna Cloud HSM can be used to anchor the CipherTrust Manager.

Are you still using the older version of CipherTrust Manager in your environment? Then it’s time to upgrade it to the latest version. The below upgrade details will help you upgrade your CipherTrust Manager all by yourself. This document covers basic system upgrade details for the Thales CipherTrust Manager. For more detailed instructions, please refer to the Thales System Upgrade Guide.

Pre-requisites:

Pre-requisites are important to plan and be ready for the upgrade. The following checks must be run before the upgrade of the CipherTrust Manager is complete:

• Know your current software version of the CipherTrust Manager (CM) and the desired version of the CipherTrust Manager. Example: Your Current version of CM is 2.0, and the desired version is 2.9.
• Define the upgrade path: For the above example: The upgrade path would be 2.0 > 2.3 > 2.6 > 2.9 [NOTE: Thales tests upgrades from the three previous minor versions. Upgrades from other versions have never been tested and may not work correctly.]
• Ensure you have access as Ksadmin with an SSH Key.
• Take a system-level backup and ensure that you have downloaded the CM backup file and backup key. (This can be done via the CM Web UI).
• Run the command df -h toensureat least 12 GB of space available (excluding the upgrade file)
• SCP the upgrade file to the CipherTrust Manager (while using Winscp, ensure that SCP is selected for the file protocol). The upgrade file can be transferred via the WinSCP application or the following command:

scp -i <path_to_private_SSH_key> <upgrade_file_name> ksadmin@<ip>:.

[NOTE: Upgrade files can be downloaded from the Thales Support portal for the desired version. Or you can also open a ticket with Thales support to help you get the upgrade files]

Upgrade Workaround:

1. Login as Ksadmin via SSH
2. Run the following command to upgrade sudo /opt/keysecure/ks_upgrade.sh -f <archive_file_path>
3. Reboot the appliance once all the services are running Sudo reboot

[NOTE: The upgrade can also be performed via serial connect as a ksadmin]

Post-upgrade Checks:

The following checks should be run after upgrading the CTM:

1. Check that all services are running with the following command: sudo docker ps | wc -l
2. Ensure the CipherTrust Manager services have started. From the ksadmin session, run “systemctl status keysecure.”
3. Alternatively, you can visit the CipherTrust Manager web console or attempt to connect with the ksctl CLI

Known issue

There is a known issue in CipherTrust Manager instances upgraded from 2.6 and earlier, where network device names sometimes swap MAC addresses after reboot. This has been observed for network interfaces beginning with eth and bonded connections created from network interfaces beginning with eth. To avoid this, a connection for each network interface should be configured.

Conclusion

This document does not replace the standard Safenet documentation set for the CipherTrust Manager User Guides. Rather it is an addendum designed to be used alongside that documentation. It is always a best practice to upgrade your security solution software with the major release.

Sources: thalesdocs.com