Upgrade Deep Security Manager AMI

Topics:

• Before you begin
• Choose an upgrade method
• Perform the upgrade:
  • Perform a one-click upgrade
  • Perform a manual upgrade
  • Perform a multi-tenant upgrade

Before you begin

Before upgrading, verify that:

• You have a recent backup of the database (see Backing Up and Restoring Amazon RDS DB Instances). In the event of a catastrophic failure during the upgrade, there may be no way to recover without a backup.
• Deep Security Manager instances are behind an Elastic Load Balancer (ELB) or are using elastic IPs.

Check your manager version and operating system

To choose the correct upgrade method, you need to know which version of Deep Security Manager you're currently running and whether it's running Amazon Linux or Amazon Linux 2.

To check the Deep Security Manager version:

• Open the Deep Security Manager console and in the upper-right corner, click Support > About.

To check whether the manager is running Amazon Linux or Amazon Linux 2:

• In the Deep Security Manager console, go to Administration > System Information. Under System Details, expand each Manager Node and go to Environment > Platform. If you see "amzn2" in the Platform value (for example, Linux 4.14.186-146.268.amzn2.x86_64), the manager is running Amazon Linux 2. If you see something like Linux 4.14.181-108.257.amzn1.x86_64, it's Amazon Linux.
• If you prefer to use the command line to check the platform, SSH into each Deep Security Manager node and use the command uname -r. The string that's returned is similar to those described in the previous bullet.

Choose an upgrade method

Starting with Deep Security 20, Amazon Linux 2 is now used as the operating system for all new Deep Security Manager deployments from AWS Marketplace. Previous versions of the AMI used Amazon Linux, which will be end of life on December 31, 2020.

If you previously installed Deep Security Manager 11.x or 12.x from AWS Marketplace, you will need to complete a one-time manual upgrade from Amazon Linux to Amazon Linux 2. Amazon Linux does not support in-place upgrades to Amazon Linux 2, so one-click upgrade is not available to complete the operating system upgrade from Amazon Linux to Amazon Linux 2.

To allow you time to complete the manual upgrade, Trend Micro will publish one-click upgrades for both Amazon Linux and Amazon Linux 2 until December 31, 2020. After that date (which is the AWS end-of-life date), one-click upgrades will no longer be available on Deep Security Manager deployments that are using Amazon Linux. However, one-click upgrades will continue for Deep Security Manager deployments that are using Amazon Linux 2.

If you are currently running this Deep Security Manager environment	And want to upgrade to	Use this upgrade method
Any version earlier than Deep Security 11	Any version	One-click upgrades became available in Deep Security 11. Earlier versions require that you Perform a manual upgrade.
Deep Security 11 or 12	Deep Security 20 with Amazon Linux	If you see A new version of Deep Security is available in a banner at the top of the Deep Security Manager console, you can Perform a one-click upgrade. Note: One-click upgrades for Amazon Linux will end on December 31, 2020, which is the AWS end-of-life date for Amazon Linux.
Deep Security 11 or 12	Deep Security 20 with Amazon Linux 2	Amazon Linux does not support in-place upgrade to Amazon Linux 2, so one-click upgrade is not available. Perform a manual upgrade.
Deep Security 20 with Amazon Linux	Later versions of Deep Security 20 with Amazon Linux	If you see A new version of Deep Security is available in a banner at the top of the Deep Security Manager console, you can Perform a one-click upgrade. Note: One-click upgrades for Amazon Linux will end on December 31, 2020, which is the AWS end-of-life date for Amazon Linux.
Deep Security 20 with Amazon Linux	Deep Security 20 with Amazon Linux 2	Amazon Linux does not support in-place upgrade to Amazon Linux 2, so one-click upgrade is not available. Perform a manual upgrade.
Deep Security 20 with Amazon Linux 2	Later versions of Deep Security 20 with Amazon Linux 2	If you see A new version of Deep Security is available in a banner at the top of the Deep Security Manager console, you can Perform a one-click upgrade.

Perform a one-click upgrade

If you see A new version of Deep Security is available in a banner at the top of the Deep Security Manager console, click Upgrade Deep Security in the banner to begin the upgrade process. A confirmation message appears, providing information about the upgrade. Click Upgrade to confirm that you want to continue.

The amount of time needed to complete an upgrade depends on a number of factors, including the number of nodes, size of the database, current resources available, and whether the upgrade requires updates to schema tables in the database. For a Deep Security Manager using a best practice configuration, typical upgrade times range between 10 and 30 minutes, but may be longer.

The one-click upgrade also includes OS-related patches for AWS Linux 2.

The upgrade process does not receive progress updates while schema updates are being applied by the database. As a result, for periods of time, you may not see any indication that the upgrade is proceeding. Please be patient and let the upgrade process run to completion. If at any point during the upgrade an issue is encountered, an error will appear. Aborting the upgrade prior to completion can leave the system in an undefined state.

If a browsers timeout occurs, it will not interrupt the upgrade process. When the process is complete, log in to the Deep Security Manager console and check that the upgrade banner no longer appears.

If the upgrade is successful, you will be redirected to the login page and the upgrade banner will no longer appear.

For more information about the upgrade, you can view the upgrade log (/opt/dsm/upgrade/upgrade.log).

Perform a manual upgrade

If you are upgrading a Deep Security Manager AMI that is earlier than 11.0, or if you are upgrading from a version that includes Amazon Linux to one that uses Amazon Linux 2, you'll need to upgrade it manually.

1. If you originally deployed using the Quick Start, note how these items are configured for each of your current Deep Security Manager instances:
   • instance type
   • VPC
   • subnet
   • IAM role
   • security group
   • key pair name
     

   When you perform a manual upgrade, the AMI ID in your stack will be different from the one originally deployed as part of the Quick Start CloudFormation template. Any manually deployed instances will not be part of that original stack and will not be deleted if you delete the stack. However, you can delete the instances manually, if necessary.

2. Stop all Deep Security Manager instances: right-click the instance on the AWS console and select Instance State > Stop.
3. Deploy a new instance of Deep Security Manager using the latest version from the AWS Marketplace with the same billing model that you are currently using.

   If you originally deployed using the Quick Start, apply the configuration your noted in step 1 and select Auto-assign Public IP when you deploy a new instance.

4. When the instance is running, go to https://ip:8080, enter the Instance ID, and click Sign In.

   Make sure the security group of the new instance allows port 8080 in its inbound rules for connection. If you originally deployed using the Quick Start, you must add 8080 to the inbound rules in the security group of the instance. For instructions, see the AWS documentation.

5. On the License Agreement tab, read and accept the terms of the license agreement and click Next.
6. On the Database tab, enter the configuration parameters of your existing Deep Security database and click Next.
• If you originally deployed using the Quick Start, the default database name is "dsm".
• If you are using "Pay as you Go" billing, the default database username is "dsmadmin" and the database password is the same as the Deep Security Manager console password that was specified when deploying the environment.
• If you are using "Bring your own license" billing, the database username and password are what you set up when deploying the environment.
• To find the RDS endpoint, find the current RDS in the AWS CloudFormation console. The nested stack name for creating RDS is [Your stack name]-MasterMP-[Random string]-DSDatabaseAbstract-[Random string]-DS[DB type]RDS-[Random string]. You can find a link to the RDS console on the Resources tab in the AWS CloudFormation console.
7. On the Previous Version Check tab, click Upgrade and click Next.

8. On the Address and Ports tab, enter the hostname or IP address of the computer where Deep Security Manager is being installed and click Next.

   The Manager Address must be either a resolvable hostname, a fully qualified domain name, or an IP address. If DNS is not available in your environment or if some computers are unable to use DNS, a fixed IP address should be used instead of a hostname. You can also change the default port numbers.

9. On the Credentials tab, click Next.

   The existing credentials will stay the same.

10. On the Review Settings tab, review the installation settings to ensure that they are correct and then click Install.

    The Deep Security Status page will show that the Deep Security Manager is being installed.

11. If you are using an ELB, add the new Deep Security Manager instance to the ELB list. Also add any relays to the list.

    If you originally deployed using the Quick Start, you can find the ELB name in the AWS CloudFormation console. The nested stack name is [Your stack name]-marketplace-MasterMP-[Random string]-DSIELB-[Random string]. You can find a link to the ELB console on the Resources tab in the AWS CloudFormation console.

12. Log in to Deep Security Manager and go to the Computers tab. Delete any Deep Security Relays that were added as part of the old Deep Security Manager installation.
13. Delete old manager nodes by going to the Administration tab in Deep Security Manager, selecting Manager Nodes in the left-hand navigation menu, opening the Properties dialog for each old manager node (Status: "Offline (Upgrade Required)"), and clicking Decommission.
14. Double click on the newly added Deep Security Manager Computer Object and ensure it is Activated and has the correct policy assigned.
15. Delete your old Deep Security Manager instances by right-clicking on the instance from the AWS console and choosing Instance State > Terminate. Also remove the old instances from your ELB, if you're using one

To add more Deep Security Manager nodes, repeat steps 3 to 11. In step 7, click New Manager Node and then Next. If the new node deployment is successful, you will see the new node appear in the Deep Security Manager console, under Administration > Manager Nodes.

Please contact aws.marketplace@trendmicro.com if you have any questions or encounter any issues.

Perform a multi-tenant upgrade

See Upgrade a multi-tenant environment for details.

Post-upgrade tasks

After the upgrade, complete the following tasks.

• (Optional) Replace the server certificate

  After the upgrade, the manager's server certificate is kept, unless you performed a fresh install. If your certificate was created using a weak cryptographic algorithm, such as SHA-1, consider replacing the certificate. Using stronger cryptography ensures compliance with the latest standards, and provides better protection against the latest exploits and attacks. See Replace the Deep Security Manager TLS certificate.