Upgrade Deep Security Manager AMI

Before you begin

Verify the following:

  • You have a recent backup of the database (see Back up and restore Amazon RDS DB Instances). In the event of a catastrophic failure during the upgrade, there may be no means to recover without a backup.
  • Deep Security Manager instances are behind an Elastic Load Balancer (ELB) or are using elastic IPs.
  • Your Deep Security Manager version:
    • Open the Deep Security Manager console and in the upper-right corner, click Support > About.
  • Your Deep Security Manager operating system, which is either Amazon Linux or Amazon Linux 2:
    • In the Deep Security Manager console, go to Administration > System Information.
    • Under System Details, expand each Manager Node and go to Environment > Platform. If you see the amzn2 string as part of the Platform value (for example, Linux 4.14.186-146.268.amzn2.x86_64), Deep Security Manager is running Amazon Linux 2. If you see Linux 4.14.181-108.257.amzn1.x86_64 or similar, Deep Security Manager is running Amazon Linux.

      To check the platform using the command line, SSH into each Deep Security Manager node, execute the uname -r command, and then examine the returned string.
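The platform check above keys on the amzn1 and amzn2 markers in the kernel release string. The following added example (not Trend Micro's code) turns that check into a small classifier you can run against the `uname -r` output collected from each manager node; it also recognises the amzn2023 marker that Amazon Linux 2023 kernels carry (an assumption about AL2023 kernel naming, not something the page states) and maps each generation to the upgrade method this page prescribes.

```python
"""Identify the Amazon Linux generation of a Deep Security Manager node from its
kernel release string (the output of `uname -r`).

Added example; this is not Trend Micro's code. The "amzn1" and "amzn2" markers
are the ones the page describes. Assumption: Amazon Linux 2023 kernels carry an
"amzn2023" marker in the same position, so that generation is recognised too.
"""
import platform
import re

# A bare substring test for "amzn2" would also match "amzn2023", so each pattern
# requires the dots that delimit the marker, and the most specific is tried first.
_GENERATIONS = (
    (re.compile(r"\.amzn2023\."), "Amazon Linux 2023"),
    (re.compile(r"\.amzn2\."), "Amazon Linux 2"),
    (re.compile(r"\.amzn1\."), "Amazon Linux"),
)


def classify_kernel(release: str) -> str:
    """Return the Amazon Linux generation for a `uname -r` string, or "unknown"."""
    for pattern, name in _GENERATIONS:
        if pattern.search(release):
            return name
    return "unknown"


def upgrade_method(release: str) -> str:
    """Map the detected generation to the upgrade method this page prescribes."""
    generation = classify_kernel(release)
    if generation == "Amazon Linux 2023":
        return "one-click upgrade when the console shows the upgrade banner"
    if generation == "Amazon Linux 2":
        return ("manual upgrade to Amazon Linux 2023; one-click only for later "
                "Deep Security 20 builds on Amazon Linux 2, until June 30, 2026")
    if generation == "Amazon Linux":
        return ("manual upgrade to Amazon Linux 2023; one-click upgrades for "
                "Amazon Linux ended December 31, 2023")
    return "not an Amazon Linux kernel; check Administration > System Information"


def classify_nodes(releases: dict[str, str]) -> dict[str, tuple[str, str]]:
    """Classify several nodes: {node: uname -r output} -> {node: (generation, method)}."""
    return {node: (classify_kernel(rel), upgrade_method(rel)) for node, rel in releases.items()}


if __name__ == "__main__":
    # Constructed sample: the two strings quoted on the page plus one AL2023 kernel.
    sample = {
        "dsm-node-1": "Linux 4.14.186-146.268.amzn2.x86_64",
        "dsm-node-2": "Linux 4.14.181-108.257.amzn1.x86_64",
        "dsm-node-3": "6.1.91-99.172.amzn2023.x86_64",
    }
    for node, (generation, method) in classify_nodes(sample).items():
        print(f"{node}: {generation} -> {method}")
    # Run on the node itself, platform.release() equals `uname -r`.
    print("this host:", platform.release(), "->", classify_kernel(platform.release()))
```

Feed it one line per node (the Platform value from System Information, or the `uname -r` output gathered over SSH); a node that comes back as "unknown" was not deployed from the Amazon Linux AMIs this page covers and should be investigated before any upgrade is attempted.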

Select an upgrade method

Starting with Deep Security 20, Amazon Linux 2023 is used as the operating system for all new Deep Security Manager deployments from AWS Marketplace. Previous versions of the Amazon Machine Image (AMI) used Amazon Linux 2, which reaches its end of life on June 30, 2026, and Amazon Linux, which already reached its end of life on December 31, 2023.

If you installed Deep Security Manager 11 or 12 from AWS Marketplace, or if you installed Deep Security Manager on Amazon Linux 2, you must complete a one-time manual upgrade to Amazon Linux 2023. Neither Amazon Linux nor Amazon Linux 2 supports an in-place upgrade to Amazon Linux 2023, so the one-click upgrade cannot be used to move from either of those operating systems to Amazon Linux 2023.

To help you complete the manual upgrade, Trend Micro published one-click upgrades for Amazon Linux until December 31, 2023 and will continue publishing one-click upgrades for Amazon Linux 2 until December 31, 2026. After these dates (the AWS end-of-life dates), one-click upgrades are no longer available for Deep Security Manager deployments that are using Amazon Linux or Amazon Linux 2. One-click upgrades continue for Deep Security Manager deployments that are using Amazon Linux 2023.

Use the following to match the Deep Security Manager environment you are currently running, and the version you want to upgrade to, with the upgrade method to use.

  • Currently running: Any version earlier than Deep Security 11
    Upgrading to: Any version
    Upgrade method: One-click upgrades became available in Deep Security 11. Earlier versions require that you Perform a manual upgrade.

  • Currently running: Deep Security 11 or 12
    Upgrading to: Deep Security 20 with Amazon Linux
    Upgrade method: If you see the "New version of Deep Security is available" message in a banner at the top of the Deep Security Manager console, you can Perform a one-click upgrade. Note that one-click upgrades for Amazon Linux ended on December 31, 2023, which is the AWS end-of-life date for Amazon Linux.

  • Currently running: Deep Security 11 or 12
    Upgrading to: Deep Security 20 with Amazon Linux 2
    Upgrade method: Amazon Linux does not support an in-place upgrade to Amazon Linux 2, so the one-click upgrade is not available. Perform a manual upgrade.

  • Currently running: Deep Security 20 with Amazon Linux
    Upgrading to: Later versions of Deep Security 20 with Amazon Linux
    Upgrade method: If you see the "New version of Deep Security is available" message in a banner at the top of the Deep Security Manager console, you can Perform a one-click upgrade. Note that one-click upgrades for Amazon Linux ended on December 31, 2023, which is the AWS end-of-life date for Amazon Linux.

  • Currently running: Deep Security 20 with Amazon Linux
    Upgrading to: Deep Security 20 with Amazon Linux 2
    Upgrade method: Amazon Linux does not support an in-place upgrade to Amazon Linux 2, so the one-click upgrade is not available. Perform a manual upgrade.

  • Currently running: Deep Security 20 with Amazon Linux 2
    Upgrading to: Later versions of Deep Security 20 with Amazon Linux 2
    Upgrade method: If you see the "New version of Deep Security is available" message in a banner at the top of the Deep Security Manager console, you can Perform a one-click upgrade. Note that one-click upgrades for Amazon Linux 2 will stop on June 30, 2026, which is the AWS end-of-life date for Amazon Linux 2.

  • Currently running: Deep Security 20 with Amazon Linux 2
    Upgrading to: Deep Security 20 with Amazon Linux 2023
    Upgrade method: Amazon Linux 2 does not support an in-place upgrade to Amazon Linux 2023, so the one-click upgrade is not available. Perform a manual upgrade.

Perform a one-click upgrade

If you see the "New version of Deep Security is available" message displayed in a banner at the top of the Deep Security Manager console, click Upgrade Deep Security to begin the upgrade. When a confirmation message with details about the upgrade appears, click Upgrade.

The amount of time needed to complete an upgrade depends on a number of factors, including the number of nodes, size of the database, current resources available, and whether or not the upgrade requires updates to schema tables in the database. For a Deep Security Manager using a best practice configuration, the typical upgrade duration ranges between 10 and 30 minutes.

The one-click upgrade also includes OS-related patches for Amazon Linux 2023.

The upgrade process does not receive progress updates while the database applies schema updates. As a result, you may not see any indication that the upgrade is proceeding. Be patient and let the upgrade process run to completion. If an issue is encountered at any point during the upgrade, an error appears. Aborting the upgrade before it completes can leave the system in an undefined state.

If a browser times out, the upgrade process is not interrupted. When the process is complete, you need to log in to the Deep Security Manager console and check that the upgrade banner no longer appears.

If the upgrade is successful, you are redirected to the login page and the upgrade banner is no longer visible.

For more information about the upgrade, examine the upgrade log file (/opt/dsm/upgrade/upgrade.log).

Perform a manual upgrade

If you are upgrading a Deep Security Manager AMI earlier than 11.0, or if you are upgrading from a version that includes Amazon Linux 2 to the version that uses Amazon Linux 2023, you must upgrade it manually.

  1. If you originally deployed using CloudFormation, note how the following is configured for each of your current Deep Security Manager instances:
    • instance type
    • VPC
    • subnet
    • IAM role
    • security group
    • key pair name

    When you perform a manual upgrade, the AMI ID in your stack is different from the one originally deployed as part of the CloudFormation template. Any manually deployed instances are not part of that original stack and are not deleted if you delete the stack. However, you can delete the instances manually.

  2. Stop all Deep Security Manager instances by right-clicking the instance on the AWS console and selecting Instance State > Stop.
  3. Deploy a new instance of Deep Security Manager using the latest version from the AWS Marketplace with the same billing model that you are currently using.
    If you originally deployed using CloudFormation, apply the configuration you noted in step 1 and select Auto-assign Public IP when you deploy a new instance.
  4. When the instance is running, go to https://<IP address of the new instance>:8080, enter the Instance ID, and click Sign In.
    Make sure the security group of the new instance allows port 8080 in its inbound rules for connection. If you originally deployed using CloudFormation, you must add 8080 to the inbound rules in the security group of the instance. For instructions, see the AWS documentation.
  5. On the License Agreement tab, read and accept the terms of the license agreement, and then click Next.
  6. On the Database tab, enter the configuration parameters of your existing Deep Security database and click Next. Keep in mind the following:
    • If you originally deployed using CloudFormation, the default database name is "dsm".
    • If you are using Pay-as-you-go billing, the default database username is "dsmadmin" and the database password is the same as the Deep Security Manager console password that was specified when deploying the environment.
    • If you are using Bring-your-own-license billing, the database username and password are what you created when deploying the environment.
    • To find the Relational Database Service (RDS) endpoint, find the current RDS instance in the AWS CloudFormation console. The nested stack name for creating RDS is [Your stack name]-MasterMP-[Random string]-DSDatabaseAbstract-[Random string]-DS[DB type]RDS-[Random string]. You can find a link to the RDS console on the Resources tab in the AWS CloudFormation console.
  7. On the Previous Version Check tab, click Upgrade, and then click Next.
  8. On the Address and Ports tab, enter the hostname or IP address of the computer where Deep Security Manager is being installed and click Next.
    The Manager Address must be either a resolvable hostname, a fully qualified domain name, or an IP address. If DNS is not available in your environment or if some computers are unable to use DNS, a fixed IP address should be used instead of a hostname. You can also change the default port numbers.
  9. On the Credentials tab, click Next.
    The existing credentials will stay the same.
  10. On the Review Settings tab, review the installation settings to ensure that they are correct, and then click Install.
    The Deep Security Status page will show that the Deep Security Manager is being installed.
  11. If you are using Elastic Load Balancing (ELB), add the new Deep Security Manager instance to the ELB list. Also add any relays to the list.
    If you originally deployed using CloudFormation, you can find the ELB name in the AWS CloudFormation console. The nested stack name is [Your stack name]-marketplace-MasterMP-[Random string]-DSIELB-[Random string]. You can find a link to the ELB console on the Resources tab in the AWS CloudFormation console.
  12. Log in to Deep Security Manager and go to the Computers tab. Delete any Deep Security relays that were added as part of the old Deep Security Manager installation.
  13. Delete old Deep Security Manager nodes by going to the Administration tab in Deep Security Manager, selecting Manager Nodes in the left-hand navigation menu, opening the Properties dialog for each old manager node (Status: Offline (Upgrade Required)), and clicking Decommission.
  14. Double-click the newly added Deep Security Manager Computer Object and ensure it is Activated and has the correct policy assigned.
  15. Delete your old Deep Security Manager instances by right-clicking the instance from the AWS console and choosing Instance State > Terminate. Also remove the old instances from your ELB, if you are using it.

To add more Deep Security Manager nodes, repeat steps 3 to 6. For step 7, click New Manager Node and then Next. If the new node deployment is successful, you will see the new node appear in the Deep Security Manager console under Administration > Manager Nodes. Continue with steps 8 through 11.
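Step 1 asks you to record six settings for each existing manager instance, and step 4 requires the new instance's security group to admit inbound TCP 8080 before the setup page can be reached. The following added example (not Trend Micro's or AWS's code) does both from saved AWS CLI output: it reads the fields out of `aws ec2 describe-instances` and `aws ec2 describe-security-groups` JSON and reports which sources may reach a given port on each instance's security groups. The two embedded JSON documents are constructed samples in the shape of that CLI output; every ID, ARN, CIDR and key pair name in them is a placeholder.

```python
"""Record the settings step 1 of the manual upgrade tells you to note for each
Deep Security Manager instance, and verify that an instance's security groups
allow inbound TCP 8080 before you browse to the setup page (step 4).

Added example; this is not Trend Micro's or AWS's code. SAMPLE_INSTANCES_JSON
and SAMPLE_SGS_JSON are constructed in the shape of `aws ec2 describe-instances`
and `aws ec2 describe-security-groups` output; every ID, ARN and CIDR in them is
a placeholder. In practice, load the real CLI output saved to a file instead.
"""
import json

SAMPLE_INSTANCES_JSON = """
{
  "Reservations": [
    {"Instances": [
      {
        "InstanceId": "i-0123456789abcdef0",
        "InstanceType": "m5.large",
        "VpcId": "vpc-0aaa1111bbbb2222c",
        "SubnetId": "subnet-0ccc3333dddd4444e",
        "IamInstanceProfile": {"Arn": "arn:aws:iam::123456789012:instance-profile/dsm-role-placeholder"},
        "SecurityGroups": [{"GroupId": "sg-0eee5555ffff6666a", "GroupName": "dsm-sg"}],
        "KeyName": "dsm-keypair-placeholder",
        "State": {"Name": "running"}
      }
    ]}
  ]
}
"""

SAMPLE_SGS_JSON = """
{
  "SecurityGroups": [
    {
      "GroupId": "sg-0eee5555ffff6666a",
      "GroupName": "dsm-sg",
      "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "UserIdGroupPairs": []}
      ]
    }
  ]
}
"""

SAMPLE_INSTANCES = json.loads(SAMPLE_INSTANCES_JSON)
SAMPLE_SGS = json.loads(SAMPLE_SGS_JSON)


def note_instance_settings(describe_instances: dict) -> list[dict]:
    """Extract the step-1 fields: instance type, VPC, subnet, IAM role, security groups, key pair."""
    noted = []
    for reservation in describe_instances.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            noted.append({
                "InstanceId": inst["InstanceId"],
                "InstanceType": inst.get("InstanceType"),
                "VpcId": inst.get("VpcId"),
                "SubnetId": inst.get("SubnetId"),
                # IamInstanceProfile is absent when no role is attached.
                "IamInstanceProfile": inst.get("IamInstanceProfile", {}).get("Arn"),
                "SecurityGroups": [sg["GroupId"] for sg in inst.get("SecurityGroups", [])],
                "KeyName": inst.get("KeyName"),
            })
    return noted


def inbound_sources(describe_sgs: dict, group_id: str, port: int, protocol: str = "tcp") -> list[str]:
    """Return the sources (CIDRs and security group IDs) allowed to reach `port`.

    An empty list means the inbound rule step 4 requires is missing. In EC2 an
    IpProtocol of "-1" means all traffic, and such rules carry no FromPort/ToPort.
    """
    sources: list[str] = []
    for sg in describe_sgs.get("SecurityGroups", []):
        if sg.get("GroupId") != group_id:
            continue
        for perm in sg.get("IpPermissions", []):
            proto = perm.get("IpProtocol")
            if proto == "-1":
                in_range = True
            elif proto == protocol:
                in_range = perm.get("FromPort", -1) <= port <= perm.get("ToPort", -1)
            else:
                in_range = False
            if not in_range:
                continue
            sources.extend(r["CidrIp"] for r in perm.get("IpRanges", []))
            sources.extend(r["CidrIpv6"] for r in perm.get("Ipv6Ranges", []))
            sources.extend(p["GroupId"] for p in perm.get("UserIdGroupPairs", []))
    return sources


def preflight(describe_instances: dict, describe_sgs: dict, port: int = 8080) -> list[dict]:
    """Combine both checks: the noted settings plus who can reach the setup port."""
    report = []
    for settings in note_instance_settings(describe_instances):
        allowed = []
        for group_id in settings["SecurityGroups"]:
            allowed.extend(inbound_sources(describe_sgs, group_id, port))
        report.append({**settings, f"port_{port}_sources": allowed})
    return report


if __name__ == "__main__":
    for entry in preflight(SAMPLE_INSTANCES, SAMPLE_SGS):
        print(json.dumps(entry, indent=2))
```

In the constructed sample the report shows an empty port_8080_sources list, which is exactly the condition step 4 warns about for CloudFormation deployments. When you add the 8080 rule, scope its source to the address range you administer from rather than 0.0.0.0/0, and once the new node is configured, remove or tighten the rule again, since 8080 is only needed for the initial setup page.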

Contact aws.marketplace@trendmicro.com if you have questions or encounter any issues.

Perform a multi-tenant upgrade

See Upgrade a multi-tenant environment.

Post-upgrade tasks

After the upgrade, you may choose to complete the following tasks:

  • Replace the server certificate: After the upgrade, the Deep Security Manager's server certificate is preserved, unless you performed a fresh install. If your certificate was created using a weak cryptographic algorithm, such as SHA-1, consider replacing the certificate. Using stronger cryptography ensures compliance with the latest standards and provides better protection against the latest exploits and attacks. See Replace the Deep Security Manager TLS certificate.