System Upgrade/Downgrade
You can upgrade/downgrade your CipherTrust Manager by securely downloading and applying a new/older system archive file.
Note
Refer to Cluster Upgrade for details on upgrading a CipherTrust Manager which is part of a cluster of devices.
System Upgrade
Caution
Please read this section carefully before performing a system upgrade.
We test upgrades from the three previous minor versions. That means that for 2.10.x, we tested upgrade from 2.9.x, 2.8.x, and 2.7.x. We tested upgrade from lower 2.10.x to higher 2.10.x patches.
Note
Upgrades from other versions have not been tested and may not work correctly.
You require `ksadmin` level access with an SSH key.
1. Obtain the signed archive file for the upgrade from the Support Portal. The file has the format `ks_upgrade_<major.minor.patch+build_number>.tar.gz.gpg`.
2. On CipherTrust Manager create and download a backup with corresponding backup key, in case there are any problems.
3. `scp` the archive file to the CipherTrust Manager. You require the private SSH key associated with the `ksadmin` account.
   scp -i <path_to_private_SSH_key> <archive_file_name> ksadmin@<ip>:.
4. `ssh` into the CipherTrust Manager as `ksadmin` and ensure there is at least 12 GB of space available (not including the upgrade file). Use `df -h /` to view available space.
5. Run the following command:
   sudo /opt/keysecure/ks_upgrade.sh -f <archive_file_path>
   Here, `<archive_file_path>` specifies the CipherTrust Manager path to the signed archive file. The signature of the archive file is verified and the upgrade is applied.
6. Reboot the appliance when prompted.
7. Ensure the CipherTrust Manager services have started. From the `ksadmin` session, run `systemctl status keysecure`. Alternatively, you can visit the CipherTrust Manager web console or attempt to connect with the ksctl CLI.
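The checks implied by the upgrade steps above, as an added shell example (not part of the product documentation or CipherTrust Manager tooling): it validates the archive name against the stated format, confirms the installed version is on a tested upgrade path, and checks for 12 GB free on `/`. The function names, the operator-supplied installed version, and the build-number character set are assumptions; signature verification is still performed by `ks_upgrade.sh`.

```shell
#!/bin/sh
# Added example: pre-flight checks before running ks_upgrade.sh.
# Function names are hypothetical; the installed version is supplied by the
# operator, and the build-number character set is an assumption.

REQUIRED_KB=$((12 * 1024 * 1024))   # 12 GB free, not counting the archive

# Print "major minor patch" for ks_upgrade_<major.minor.patch+build>.tar.gz.gpg,
# or nothing when the name does not match that format.
archive_version() {
    basename "$1" | sed -n -E \
        's/^ks_upgrade_([0-9]+)\.([0-9]+)\.([0-9]+)\+[0-9A-Za-z._-]+\.tar\.gz\.gpg$/\1 \2 \3/p'
}

# tested_path <installed major.minor.patch> <archive>
# 0 = tested path, 1 = untested path, 2 = unparsable input.
tested_path() {
    case "$1" in ''|*[!0-9.]*) return 2 ;; esac
    new=$(archive_version "$2")
    [ -n "$new" ] || return 2
    set -- $(echo "$1" | tr '.' ' ') $new
    [ $# -eq 6 ] || return 2
    [ "$1" -eq "$4" ] || return 1            # different major: not covered
    gap=$(( $5 - $2 ))                       # target minor minus installed minor
    if [ "$gap" -eq 0 ]; then
        [ "$6" -gt "$3" ]                    # same minor: must be a higher patch
    else
        [ "$gap" -ge 1 ] && [ "$gap" -le 3 ] # one of the three previous minors
    fi
}

# Available kilobytes on the filesystem holding $1 (POSIX df output).
avail_kb() { df -Pk "$1" | awk 'NR == 2 { print $4 }'; }

space_ok_kb() { [ "$1" -ge "$REQUIRED_KB" ]; }

preflight() {   # preflight <installed_version> <archive_file>
    tested_path "$1" "$2" || { echo "untested path or bad archive name" >&2; return 1; }
    space_ok_kb "$(avail_kb /)" || { echo "less than 12 GB free on /" >&2; return 1; }
    echo "pre-flight checks passed"
}

if [ $# -eq 2 ]; then preflight "$@"; fi
```

Run it on the appliance as `sh preflight.sh <installed_version> <archive_file>` before invoking the upgrade script; the script name and the version and build numbers used to exercise it are constructed.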
System Downgrade
CipherTrust Manager 2.10 can be downgraded to 2.9. For release-specific upgrade/downgrade information, refer to the release notes for your release.
Downgrades perform a CipherTrust Manager reset, which wipes all CipherTrust Manager data except the backup files that already exist.
In addition, the PCI HSM drivers on k570 models and the base operating system packages are not changed during downgrade.
Warning
As we cannot guarantee stability, we strongly recommend using downgraded systems for test environments only. Do not use a downgraded CipherTrust Manager in a production environment.
To return a production environment to a previous version:
1. Take a backup.
2. Perform a system factory reset.
3. Upgrade the CipherTrust Manager to the desired version.
4. Restore the backup.
To downgrade your CipherTrust Manager:
1. SSH into the CipherTrust Manager as "ksadmin".
2. Downgrade the CipherTrust Manager:
   $ sudo /opt/keysecure/ks_downgrade.sh -f <~/filename>
   Usage: ks_downgrade.sh -f <FILE> [-o]
   * `-f`: Path to the signed CipherTrust Manager installer file.
   * `-o`: Clustered node cannot be downgraded. Use this flag to override this behavior.