Upgrade Instructions

Read this information and follow these procedures to upgrade to NetWitness version 12.2.0.1.

Upgrade Path: From 11.6.1.3, 11.6.1.4, 11.7.0.0, 11.7.0.1, 11.7.0.2, 11.7.1.0, 11.7.1.1, 11.7.1.2, 11.7.2.0, 11.7.3.0, 12.0.0.0, 12.1.0.0, 12.1.0.1, and 12.1.1.0 to 12.2.0.1
Downloads Required:
  • 12.2.0.0 base pack
  • 12.2.0.1 patch release

Upgrade Path: From 12.2.0.0 to 12.2.0.1
Downloads Required:
  • 12.2.0.1 patch release

You can apply the 12.2.0.1 patch using one of the following options:

  • If the NetWitness Server has internet connectivity to Live Services, the NetWitness Platform User Interface can be used to apply the patch.
  • If the NetWitness Server does not have internet connectivity to Live Services, the Command Line Interface (CLI) or the NetWitness Platform User Interface can be used to apply the patch.

Note: If you are using an S4s device that uses SD cards, SSH to the NW Server and run the following command before starting the upgrade process:
    manage-stig-controls --disable-control-groups 7 --host-id <node uuid>

Running in Mixed Mode

Running in mixed mode occurs when some services are upgraded to the latest version and some services are on older versions. For more information see the topic "Running in Mixed Mode" in the NetWitness Platform Hosts and Services Getting Started Guide.

Note: If you are running Endpoint Log Hybrid in mixed mode, make sure that the Endpoint Broker is on the same version as one of the Endpoint Servers.

Upgrade Tasks

Important Notes

This section lists a few important notes that you must read before proceeding with the upgrade tasks.

Synchronize Time on Component Hosts with NW Server Host

Before upgrading your hosts, make sure that the time on each host is synchronized with the time on the NetWitness Server.
To synchronize the time, do one of the following:

  • Configure the NTP Server. For more information, see "Configure NTP Servers" in the System Configuration Guide.
  • Perform the following steps on each host:
    1. SSH to the Admin Server host.
    2. Run the following commands.

      salt \* service.stop ntpd

      salt \* cmd.run 'ntpdate nw-node-zero'

      salt \* service.start ntpd

Mixed Mode Unsupported for ESA Hosts

Mixed mode is not supported for ESA hosts in NetWitness Platform XDR version. The NetWitness server, ESA primary host, and ESA secondary host must all be on the same NetWitness Platform XDR version.

Respond Server Service Not Enabled Until NW Server and Primary ESA Host Upgraded to 12.2.0.1

After upgrading the primary NW Server (including the Respond Server service), the Respond Server service is not automatically re-enabled until after the Primary ESA host is also upgraded to 12.2.0.1. The Respond post-upgrade tasks only apply after the Respond Server service is upgraded and is in the enabled state.

Task 1: Upgrade External Repository

Note: Perform the below steps only if you are using an external repository for 12.2.0.1.

To upgrade the external repository which is an externally managed server, do the following:

  1. Upgrade the external repository with the latest upgrade content for the NetWitness Platform XDR netwitness-12.2.0.1.zip.
    The following is the structure after upgrading the external repository:
    [Image: 12.2.0.1 external repository structure]

Task 2: Disable Decoder Services

Before upgrading to 12.2.0.1, you must disable Capture AutoStart option on Network Decoder and Network Hybrid Services.

To disable Capture Autostart:

  1. Go to Admin > Services.
    The Administration Services view is displayed.
  2. Select a Network Decoder or Network Hybrid service and select the Actions icon > View > Config.
    The services Config view for the selected Network Decoder or Network Hybrid is displayed.
  3. In the Decoder Configuration panel, deselect Capture Autostart and click Apply.

Task 3: Upgrade the Patch

You can choose one of the following upgrade methods based on your internet connectivity.

Upgrade Options

Option 1: Upgrade NetWitness Platform XDR

You can use this method if the NetWitness Server host is connected to Live Services and can obtain the package.

Note: If the NetWitness Server does not have access to Live Services, use Option 2: Upgrade NetWitness Platform XDR Offline or Option 3: Upgrade NetWitness Platform XDR using CLI (Offline).

Prerequisites

Make sure that:

  1. The Automatically download information about new upgrades every day option is selected and is applied in Admin > System > Updates.
  2. Go to Admin > Hosts > Update > Check for Updates to check for upgrades. The Host page displays the Update Available status.
  3. 12.2.0.1 is available under the Update Version column.

Note: If you have custom certificates, move any custom certificates from /etc/pki/nw/trust/import/ directory to /root/cert. Follow these steps to move the certificates:
mkdir /root/cert
mv /etc/pki/nw/trust/import/* /root/cert

To Upgrade NetWitness Platform XDR:

  1. Go to Admin > Hosts.
  2. Select the NetWitness Server (nw-server) host.
  3. Check for the latest updates.
    Note: In 11.7.1.0 and later versions, the (optional) Pre Stage Host option is added in the Update drop-down list. For more information, see Option 4 (Optional): Pre-Stage Upgrade Repository by Downloading Packages.

  4. Update Available is displayed in the Status column if you have a version upgrade in your Local Update Repository for the selected host.
  5. Select 12.2.0.1 from the Update Version column. If you:
    • Want to view a dialog with the major features in the upgrade and information on the updates, click the information icon to the right of the upgrade version number.
    • Cannot find the version you want, select Update > Check for Updates to check the repository for any available updates. If an update is available, the message "New updates are available" is displayed and the Status column updates automatically to show Update Available. By default, only supported upgrades for the selected host are displayed.
  6. Click Update > Update Host from the toolbar.
  7. Click Begin Update.
  8. Click Reboot Host when prompted.
  9. Repeat steps 6 to 8 for other hosts.

Note:
• You can select multiple hosts to upgrade at the same time only after updating and rebooting the NetWitness Server host. All ESA, Endpoint, and Malware Analysis hosts should be upgraded to the same version as that of NW Admin Server or NetWitness Server host.

• Not all components have been changed for 12.2.0.1, so after you perform the upgrade steps, it is normal to see some components with different version numbers. For a list of the components that were upgraded for this release, see Build Numbers.

Option 2: Upgrade NetWitness Platform XDR Offline

When you apply version upgrades:

  • You must upgrade the NW Server host first.
  • You can only apply a version that is compatible with the existing host version.

Download the 12.2.0.1 Patch

Download the NetWitness Platform XDR 12.2.0.1 Upgrade Pack file (netwitness-12.2.0.1.zip), which contains all the NetWitness Platform 12.2.0.1 upgrade files, from the NetWitness Community https://community.netwitness.com/t5/netwitness-platform-downloads/tkb-p/netwitness-downloads to a local directory.

Upgrading from: 11.6.1.3, 11.6.1.4, 11.7.0.0, 11.7.0.1, 11.7.0.2, 11.7.1.0, 11.7.1.1, 11.7.1.2, 11.7.2.0, 11.7.3.0, 12.0.0.0, 12.1.0.0, 12.1.0.1, and 12.1.1.0
Download and Stage file: netwitness-12.2.0.0.zip and netwitness-12.2.0.1.zip

Upgrading from: 12.2.0.0
Download and Stage file: netwitness-12.2.0.1.zip

Note: If you get the Download Error, see the Troubleshooting information for resolution.

Task 1. Populate Staging Folder (/var/netwitness/common/update-stage) with Version Updates

  • If you are upgrading from 11.6.1.3, 11.6.1.4, 11.7.0.0, 11.7.0.1, 11.7.0.2, 11.7.1.0, 11.7.1.1, 11.7.1.2, 11.7.2.0, 11.7.3.0, 12.0.0.0, 12.1.0.0, 12.1.0.1, or 12.1.1.0 to 12.2.0.1, download the netwitness-12.2.0.0.zip and netwitness-12.2.0.1.zip upgrade packages from NetWitness Community to a local directory.
  • If you are upgrading from 12.2.0.0 to 12.2.0.1, download the netwitness-12.2.0.1.zip upgrade package from NetWitness Community to a local directory.

  1. SSH to the NW Server host.
  2. If you are upgrading from 11.6.1.3, 11.6.1.4, 11.7.0.0, 11.7.0.1, 11.7.0.2, 11.7.1.0, 11.7.1.1, 11.7.1.2, 11.7.2.0, 11.7.3.0, 12.0.0.0, 12.1.0.0, 12.1.0.1, or 12.1.1.0 to 12.2.0.1, copy netwitness-12.2.0.0.zip and netwitness-12.2.0.1.zip from the local directory to the /var/netwitness/common/update-stage/ staging folder. For example:

    mv /var/netwitness/tmp/netwitness-12.2.0.0.zip /var/netwitness/common/update-stage/

    mv /var/netwitness/tmp/netwitness-12.2.0.1.zip /var/netwitness/common/update-stage/

  3. If you are upgrading from 12.2.0.0 to 12.2.0.1, copy netwitness-12.2.0.1.zip from the local directory to the /var/netwitness/common/update-stage/ staging folder. For example:

    mv /var/netwitness/tmp/netwitness-12.2.0.1.zip /var/netwitness/common/update-stage/

Task 2. Apply Updates from the Staging Area to Each Host

Caution: You must upgrade the NW Server host before upgrading any Non-NW Server host.

  1. Log in to NetWitness.
  2. Go to Admin > Hosts.
  3. Check for updates and wait for the update packages to be copied, validated, and ready to be initialized.

    "Ready to initialize packages" is displayed if:

    • NetWitness Platform can access the update package.
    • The package is complete and has no errors.

    Refer to Troubleshooting Version Installations and Upgrades for instructions on how to troubleshoot errors (for example, "Error deploying version <version-number>" and "Missing the following update package(s)" are displayed in the Initiate Update Package for RSA NetWitness Platform dialog).

  4. Click Initialize Update.

    It takes some time to initialize the packages because the files are large and need to be unzipped.
    After the initialization is successful, the Status column displays Update Available and you complete the rest of the steps in this procedure to finish the update of the host.

  5. Click Update > Update Hosts from the toolbar.

  6. Click Begin Update from the Update Available dialog.

    After the host is upgraded, it prompts you to reboot the host.

  7. Click Reboot from the toolbar.

Option 3: Upgrade NetWitness Platform XDR using CLI (Offline)

You can use this method if the NetWitness Server host is not connected to Live Services.

Note: Alternatively, you can upgrade using Option 2: Upgrade NetWitness Platform XDR Offline.

Download the 12.2.0.1 Patch

Download the NetWitness 12.2.0.1 Upgrade Pack file (netwitness-12.2.0.1.zip), which contains all the NetWitness 12.2.0.1 upgrade files, from the NetWitness Community https://community.netwitness.com/t5/netwitness-platform-downloads/tkb-p/netwitness-downloads to a local directory.

Upgrading from: 11.6.1.3, 11.6.1.4, 11.7.0.0, 11.7.0.1, 11.7.0.2, 11.7.1.0, 11.7.1.1, 11.7.1.2, 11.7.2.0, 11.7.3.0, 12.0.0.0, 12.1.0.0, 12.1.0.1, and 12.1.1.0
Download and Stage file: netwitness-12.2.0.0.zip and netwitness-12.2.0.1.zip

Upgrading from: 12.2.0.0
Download and Stage file: netwitness-12.2.0.1.zip

Note: If you are using an external repository, you can upgrade the external repository with the latest upgrade content. For more information, see Task 1: Upgrade External Repository.

Procedure

You need to perform the upgrade steps for NetWitness Server host and for component hosts.

Note:
• If you copy and paste the commands from a PDF into a Linux SSH terminal, the characters do not work. It is recommended to type the commands.
• Make sure you remove the update zip file from the staging directory after it is extracted.

  • If you are upgrading from 11.6.1.3, 11.6.1.4, 11.7.0.0, 11.7.0.1, 11.7.0.2, 11.7.1.0, 11.7.1.1, 11.7.1.2, 11.7.2.0, 11.7.3.0, 12.0.0.0, 12.1.0.0, 12.1.0.1, or 12.1.1.0, you must stage 12.2.0.0 and 12.2.0.1. Log into the NW Server as root and create the following directory:

    • Option 1 (Manual) : Log into the NetWitness Server and create the following directories:
      /var/netwitness/tmp/upgrade/12.2.0.0/
      /var/netwitness/tmp/upgrade/12.2.0.1/
      and then copy the package zip file to the /var/netwitness/tmp/ directory of the NW Server and extract the package files from /var/netwitness/tmp/ to the appropriate directory using the following commands:
      unzip netwitness-12.2.0.0.zip -d /var/netwitness/tmp/upgrade/12.2.0.0/
      unzip netwitness-12.2.0.1.zip -d /var/netwitness/tmp/upgrade/12.2.0.1/
      Make sure you remove the update zip file from the staging directory after it is extracted.

    • Option 2 (Automated) : Log into the NetWitness Server and create the following directory:
      /var/netwitness/tmp/upgrade/
      and then copy the NetWitness 12.2.0.0 and 12.2.0.1 package zip files to the /var/netwitness/tmp/ directory on the NetWitness Server.
      After this, run the following command to extract, validate, and initialize the 12.2.0.1 zip files:
      [root@SA ~]# upgrade-cli-client --init --stage-dir /var/netwitness/tmp/upgrade --download-path /var/netwitness/tmp/ --version 12.2.0.1

      The initialization process begins only after the message "(INFO) Download and extraction of all the necessary NetWitness zips are completed" is displayed in the console of the admin server.

Note: If you do not receive the message (INFO) Download and extraction of all the necessary NetWitness zips are completed, run the previous command again.

IMPORTANT: After staging 12.2.0.1 (using Option 2), if the initialization fails, run the command upgrade-cli-client --init --version 12.2.0.1 --stage-dir /var/netwitness/tmp/upgrade. If the initialization succeeds, ignore the first step under Upgrading the NetWitness Server and component hosts and proceed with steps 2-4.

  • If you are upgrading from 12.2.0.0, you only need to stage 12.2.0.1.
    • Option 1 (Manual) : Log into the NetWitness Server and create the following directory:

      /var/netwitness/tmp/upgrade/12.2.0.1/
      and then copy the package zip file to the /var/netwitness/tmp/ directory of the NW Server and extract the package files from /var/netwitness/tmp/ to the appropriate directory using the following command:

      unzip netwitness-12.2.0.1.zip -d /var/netwitness/tmp/upgrade/12.2.0.1
      Make sure you remove the update zip file from the staging directory after it is extracted.

    • Option 2 (Automated) : Log into the NetWitness Server and create the following directory:
      /var/netwitness/tmp/upgrade/
      and then copy the NetWitness 12.2.0.1 package zip files to the /var/netwitness/tmp/ directory on the NetWitness Server.
      After this, run the following command to extract, validate, and initialize the 12.2.0.1 zip files:
      [root@SA ~]# upgrade-cli-client --init --stage-dir /var/netwitness/tmp/upgrade --download-path /var/netwitness/tmp/ --version 12.2.0.1

      The initialization process begins only after the message "(INFO) Download and extraction of all the necessary NetWitness zips are completed" is displayed in the console of the admin server.

    Note: If you do not receive the message (INFO) Download and extraction of all the necessary NetWitness zips are completed, run the command [root@SA ~]# upgrade-cli-client --init --stage-dir /var/netwitness/tmp/upgrade --download-path /var/netwitness/tmp --version 12.2.0.1 again to stage 12.2.0.1.

    IMPORTANT: After staging 12.2.0.1 (using Option 2), if the initialization fails, run the command upgrade-cli-client --init --version 12.2.0.1 --stage-dir /var/netwitness/tmp/upgrade. If the initialization succeeds, ignore the first step under Upgrading the NetWitness Server and component hosts and proceed with steps 2-4.
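
The manual staging steps above (Option 1), written as one script. This is an added example, not NetWitness code: it picks the packs to stage from the installed version, tests each archive before extracting it, and removes the zip only after a clean extraction. The function names and the optional ".sha256" file (a digest the operator records on the download machine and copies next to the zip) are assumptions; paths, zip names and version lists are the ones on this page.

```shell
#!/bin/sh
# Added example, not NetWitness code. Paths, zip names and version lists come
# from this page; function names and the ".sha256" sidecar file are assumptions.

DOWNLOAD_DIR=/var/netwitness/tmp
STAGE_ROOT=/var/netwitness/tmp/upgrade

# Print the pack versions that must be staged for the installed version.
required_packs() {
  case "$1" in
    12.2.0.0)
      echo "12.2.0.1" ;;
    11.6.1.3|11.6.1.4|11.7.0.0|11.7.0.1|11.7.0.2|11.7.1.0|11.7.1.1|11.7.1.2)
      echo "12.2.0.0 12.2.0.1" ;;
    11.7.2.0|11.7.3.0|12.0.0.0|12.1.0.0|12.1.0.1|12.1.1.0)
      echo "12.2.0.0 12.2.0.1" ;;
    *)
      return 1 ;;  # not an upgrade path listed on this page
  esac
}

# stage_pack <version> <download_dir> <stage_root>
# Returns 0 on success, 2 zip missing, 3 digest mismatch, 4 archive test failed,
# 5 extraction failed. The zip is removed only after a clean extraction.
stage_pack() {
  zip="$2/netwitness-$1.zip"
  dest="$3/$1"
  [ -f "$zip" ] || { echo "missing: $zip" >&2; return 2; }
  # Assumed workflow: the operator ran sha256sum on the download machine and
  # copied the result next to the zip, so a damaged transfer is caught here.
  if [ -f "$zip.sha256" ]; then
    want=$(cut -d' ' -f1 < "$zip.sha256")
    have=$(sha256sum "$zip" | cut -d' ' -f1)
    [ "$want" = "$have" ] || { echo "digest mismatch: $zip" >&2; return 3; }
  fi
  # Test the archive first so a truncated pack fails before anything is staged.
  unzip -tq "$zip" >/dev/null 2>&1 || { echo "bad archive: $zip" >&2; return 4; }
  mkdir -p "$dest" || return 5
  unzip -q "$zip" -d "$dest" || { echo "extract failed: $zip" >&2; return 5; }
  rm -f "$zip"  # the page says to remove the zip once it is extracted
}

# main <currently installed version>
main() {
  packs=$(required_packs "$1") || { echo "no upgrade path from: $1" >&2; return 1; }
  for v in $packs; do
    stage_pack "$v" "$DOWNLOAD_DIR" "$STAGE_ROOT" || return $?
  done
  echo "staged $packs under $STAGE_ROOT"
  echo "next: upgrade-cli-client --init --version 12.2.0.1 --stage-dir $STAGE_ROOT"
}

# Run only when a version argument is given, for example: sh stage.sh 12.1.1.0
if [ "$#" -gt 0 ]; then main "$@"; fi
```

A non-zero exit leaves the zip in place, so the pack can be downloaded again and the script re-run before any initialization is attempted.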

Upgrading the NetWitness Server and component hosts

  1. Initialize the upgrade using the following command:
    upgrade-cli-client --init --version 12.2.0.1 --stage-dir /var/netwitness/tmp/upgrade

    IMPORTANT: Once init is performed, do not reboot the NW Admin server or restart jetty.

  2. Upgrade the NetWitness Server using the following command:
    upgrade-cli-client --upgrade --version 12.2.0.1 --host-key <ID / display name / (hostname/ IP address)>
  3. When the component host upgrade is successful, reboot the host from the NetWitness UI.

    IMPORTANT: This is a mandatory step. Ensure that you reboot the host from the NetWitness UI.

  4. Change the IP address to the component host being upgraded and repeat steps 2 and 3 for each component host.

Note: You can check versions of all the hosts, using the command upgrade-cli-client --list on the NetWitness Server. If you want to view the help content of upgrade-cli-client, use the command upgrade-cli-client --help.

Note: If the following error displays during the upgrade process:
2017-11-02 20:13:26.580 ERROR 7994 — [ 127.0.0.1:5671] o.s.a.r.c.CachingConnectionFactory : Channel shutdown: connection error; protocol method: #method<connection.close>(reply-code=320, reply-text=CONNECTION_FORCED - broker forced connection closure with reason 'shutdown', class-id=0, method-id=0)
the patch will install correctly. No action is required. If you encounter additional errors when upgrading a host to a new version, contact Getting Help with NetWitness Platform.

External Repo Instructions for CLI Upgrade

Note: The external repo should have separate directories for 12.2.0.0 and 12.2.0.1, as described in Option 3: Upgrade NetWitness Platform XDR using CLI (Offline).

Note: Make sure you remove the update zip file from the staging directory after it is extracted.

  1. Stage 12.2.0.1 by creating a directory on the NetWitness Server at /var/netwitness/tmp/upgrade/12.2.0.1 and extracting the zip package:
    unzip netwitness-12.2.0.1.zip -d /var/netwitness/tmp/upgrade/12.2.0.1
  2. Initialize the upgrade using the following command:
    upgrade-cli-client --init --version 12.2.0.1 --stage-dir /var/netwitness/tmp/upgrade
  3. Upgrade the NetWitness Server using the following command:
    upgrade-cli-client --upgrade --version 12.2.0.1 --host-addr <IP of NetWitness Server>
  4. When the component host upgrade is successful, reboot the host from the NetWitness UI.
  5. Change the IP address to the component host being upgraded and repeat steps 3 and 4 for each component.

Note: You can check versions of all the hosts, using the command upgrade-cli-client --list on NetWitness Server. If you want to view the help content of upgrade-cli-client, use the command upgrade-cli-client --help.

Note: If the following error displays during the upgrade process:
2017-11-02 20:13:26.580 ERROR 7994 — [ 127.0.0.1:5671] o.s.a.r.c.CachingConnectionFactory : Channel shutdown: connection error; protocol method: #method<connection.close>(reply-code=320, reply-text=CONNECTION_FORCED - broker forced connection closure with reason 'shutdown', class-id=0, method-id=0)
the patch will install correctly. No action is required. If you encounter additional errors when upgrading a host to a new version, contact Getting Help with NetWitness Platform.

Option 4 (Optional): Pre-Stage Upgrade Repository by Downloading Packages

You can pre-stage the upgrade repository by downloading the required packages (.zip) without affecting the system. This minimizes the upgrade downtime and ensures the upgrade is completed within the planned time.

To Pre-Stage the Upgrade Repository

  1. Go to Admin > Hosts.
  2. Click Update > Check for Updates from the toolbar.

    All possible update versions will be displayed in the Versions drop-down list.

  3. Click Update > Pre Stage Host and select the version in the update version column.

    A confirmation message for downloading the files is displayed.

  4. Click Yes to download the upgrade packages to the repo.

  5. Verify the status of the download in the notifications tray as shown below.

    The Pre Stage Host and Upgrade Host will be disabled until pre stage is completed.

    [Image: notifications tray during Pre Stage Host]

    Note: The current version and the update version in the UI will be the same during the pre stage as it is not the actual update. This is because only the repo files are downloaded and no actual upgrade is done. The version will change only after upgrade.

  6. If the download is successful, Check for Updates again to start the initialization.

  7. Click Initialize Update.

    The initialization of the package will take some time as the files are large and will need to be unzipped.

    IMPORTANT: Pre Stage Repo preparation steps from 1 to 4 can be performed at any time. However, from steps 5 to 8 the upgrade process begins and you must NOT reboot the host or restart the jetty server during this time as it will corrupt the .ZIP files.

  8. Check the status of initialization in the notifications tray.

  9. After the initialization is completed successfully, click Update > Update Host.

    After the host is updated, you will be prompted to reboot the host.

  10. Set up and reboot the host.

Post-Upgrade Tasks

This topic provides information about the tasks performed after upgrading from 11.6.1.3 or 11.6.1.4 to 12.2.0.1.

Post Upgrade Tasks for Customers Upgrading from versions 11.6.1.3 or 11.6.1.4

Task 1 (Optional) - Move the Custom Certificates

Move the custom certificates from the external directory to the /etc/pki/nw/trust/import directory.

Task 2 - Enable Decoder Services

After you upgrade to 12.2.0.1, you must enable Capture AutoStart on Network Decoder and Network Hybrid Services.

To enable the Capture Autostart field:

  1. Go to Admin > Services.

    The Administration Services view is displayed.

  2. Select a Network Decoder or Network Hybrid service and select the Actions icon > View > Config.

    The services Config view for the selected Network Decoder or Network Hybrid is displayed.

  3. In the Decoder Configuration panel, select the Capture Autostart field and click Apply.

Task 3 (Optional) - Remove Old Plugins and Reinstall Export Connector Plugin

Follow the procedure below only if you have the Export Connector plugin in your deployment and Logstash installed separately.

Remove the old plugin

You must remove the old plugin so that scans do not list it as a vulnerability.

  1. Remove the old Export Connector plugin files by running the following commands:

    rm -rf /usr/share/logstash/vendor/bundle/jruby/2.5.0/logstash-inputnetwitness_export_connector-1.x.x

    rm -rf /usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-inputnetwitness_export_connector-1.x.x

    Note: 1.x.x can be 1.1.0 or 1.0.0

Install the updated plugin

If you have Logstash installed separately, not as part of the NetWitness installation, you must install the updated Export Connector plugin after the 12.2.0.1 patch upgrade. For information on installing the updated plugin, see https://community.netwitness.com/t5/netwitness-platform-online/install-netwitness-logstash-input-plugin/ta-p/669115.

Restart the Log Collector

service nwlogcollector restart

Note: If you have installed Logstash separately, outside the NetWitness installation, the path and version of the plugin will be different. Restarting the Log Collector service may not be required.