Upgrading an ESM 10 manager to an ESM 11 (AKA CCS Manager) without necessarily needing to keep other Control Compliance Suite components
|Article:TECH189330|||||Created: 2012-05-22|||||Updated: 2013-06-11|||||Article URL http://www.symantec.com/docs/TECH189330|
The purpose of this document is to address installation procedures for customers wanting to only upgrade their existing ESM 10 console and managers to CCS Mangers (ESM 11). This document does not address the settings or further configuration necessary with the intended use of the ESM 11 manager in conjunction with a CCS 11 application server.
Windows and Solaris Sparc platforms that support ESM managers
Definition: For the purposes of this article, a CCS Manager is another name for an ESM 11 manager that has other capabilities than just ESM.
When upgrading an ESM 10 manager to a CCS 11 manager there are some considerations. The first is which media folders to find the ESM installation components in. Here is a quick (not complete) overview of the various folders in the CCS 11 installation media:
--Bv-ControlUpgrade (contains a Bv-control for UNIX Rapid Fire (rf) upgrade)
--CCS_Agent (contains installation for fresh install or upgrade of an existing ESM agent to a CCS Agent. Note: Only upgrading ESM 6.5.3 SP2 or higher agents is supported. Also contains the remote upgrade files needed to remote upgrade existing ESM 6.5.3 SP2 and higher agents to CCS Agents.)
--CCS_Content (contains installer for standards, mandates, regulations, etc. for the CCS Application server)
--CCS_DSS (contains an upgrade package for upgrading existing CCS Directory Support Service installations that were not originally installed on the same host as the CCS Application server)
--CCS_Manager (contains installation package for scratch install of CCS Manager or ability to upgrade a Windows ESM 10 manager to a CCS Manager...A.K.A an ESM 11 manager)
--CCS_Reporting (contains the installation package that can scratch install\upgrade to a CCS 11 Application server as well as the Directory Server on the same machine. Also optionally installs a CCS Manager on the same machine.)
--Documentation (contains the documentation provided with the software)
--en-US (contains the various image files displayed by the installer during execution)
--ESM Components (contains the components to upgrade a Solaris Sparc UNIX ESM 10 manager to an ESM 11 manager without installing a CCS Manager. Also contains files needed to prepare a CCS Manager to import existing ESM agents into a CCS Console if utilizing a CCS Application server with the upgraded ESM manager.)
--Redist (contains redistributable upgrade files for pre-requisite software from other vendors)
--SU (contains some specialized ESM Security Update installer files for various platforms. Also contains an installer to allow CCS Agents, that were remote upgraded from lower version ESM agents, to be capable of running raw data collection when directed to do so from a CCS 11 application server.)
--Tools (utilities for various specialty uses before or after installation\upgrade of a CCS 11 Application server)
Upgrading an existing Windows ESM 10 manager to ESM 11:
If the plan is to upgrade an existing ESM 10 Windows manager to an ESM 11 manager then only the installation files that are located in the CCS_Manager, CCS_Agent, and ESM Components folders will be needed to actually perform the upgrade. However to upgrade ESM 10 to ESM 11 you must install the CCS Manager software on the ESM 10 manager, which does the following:
1. Upgrades the ESM 10 manager to an ESM 11 manager.
2. Installs the other CCS Manager components which can be used later if the CCS application server and CCS console are ever installed or utilized with your ESM 11 installation.
3. Removes the ESM manager from running as a separate service and replaces it with a service called "Symantec CCS Manager". The esmmanager.exe is now run as a process that is launched by the CCS Manager service.
4. Upgrades the ESM 10 agent that is present on the manager to a CCS Agent and changes the name of the service to "Symantec CCS Agent".
Pre-requisite before upgrading ESM 10: In order to upgrade the ESM 10 manager to an ESM 11 manager, you will need to run the setup.exe in the CCS_Manager folder. However this installer will require a certificate be installed. This certificate is created by the Certificate Management Console which is installed with the CCS 11 Application server. So you must first install the CCS 11 application server on a separate machine so the Certificate Management Console can be launched (START\PROGRAMS\SYMANTEC CORPORATION\SYMANTEC CONTROL COMPLIANCE SUITE\CERTIFICATE MANAGEMENT CONSOLE) and a certificate created to use during the upgrade of the ESM 10 manager to a CCS Manager (ESM 11). Once this certificate has been created, you can preserve your CCS 11 application server for future use if required.
Upgrading the Windows ESM 10 console and manager: Fully backup your ESM 10 manager's ESM installation by backing up the .....<install path>\symantec\Symantec Enterprise Security Manager\ESM folder prior to upgrade. Without this backup, removal of ESM 11 may not be possible.
Prior to upgrading the ESM manager, upgrade the ESM console by executing the ESM Components\ESM Console\setup.exe on the existing ESM console machine(s). This will upgrade the console(s) to version 11. To upgrade the ESM 10 manager, execute the setup.exe from inside of the CCS_Manager folder. When prompted input the certificate created in the pre-requisite step above. During the installation a prompt will display asking for a path to remote upgrade files. If it is intended to immediately remote upgrade existing ESM agents to CCS Agents (ESM 11), then input the path to the CCS_Agent\RemoteUpgrade folder to allow the automatic staging of the remote upgrade files. This step can be skipped and the files staged at later time. A further prompt is for the existing ESM superuser account and password. Complete the installation.
Note: At the end of the installation it is not necessary to do any of the NEXT STEPS listed unless it is intended to use the CCS Manager with a full CCS 11 Application server installation. At this point check the login ability of the ESM 11 console to the ESM 11 manager.
Upgrading a UNIX ESM 10 manager: No certificate is needed for a Solaris ESM 10 manager upgrade to ESM 11 (as was needed to upgrade a Windows ESM 10 manager).
First backup the ESM manager installation as mentioned under the Windows manager upgrade above. Also upgrade the ESM 10 console as mentioned in the Windows upgrade above. Binary copy the ESM_Components\manager\UNIX\sun\solaris\sparc\esm110 folder and all its contents to the Solaris ESM 10 manager. Run the esmsetup script and choose to upgrade\install the existing ESM 10 manager to an ESM 11 manager. Follow the prompts.
Note: An ESM 10 Solaris Manager cannot serve as a CCS Manager since the CCS Manager can only be installed on a Windows OS machine. Therefore the upgrade script for an ESM 10 Solaris manager is similar to previous UNIX ESM manager upgrades. A UNIX ESM 11 manager can be utilized to run "message based" data collection (i.e. ESM policy runs) when used in conjunction with a CCS 11 Application server installation.
Article URL http://www.symantec.com/docs/TECH189330