Upgrading to 22.1.2

Requires ArcSight Platform 22.1.0 or 22.1.1 to be installed in your environment.

To ensure that your environment has the latest fixes and enhancements, we recommend that you upgrade your ArcSight Platform 22.1.0 or 22.1.1 environment to 22.1.2. For more information about this release and to download the files, see the Release Notes for ArcSight Platform 22.1.2.

Perform the upgrade in the following order:

  1. Back Up Components and the Database

  2. Upgrade the Deployed Capabilities

  3. Upgrade the ArcSight Database

  4. (Conditional) Restart Pods After Reconfiguring Single Sign-on Settings

Back Up Components and the Database

Before upgrading to this release, ensure that you have performed a backup of the ArcSight Platform and the ArcSight Database.

Upgrade the Deployed Capabilities

To upgrade the deployed capabilities, you need the image files for the patch, except the db-installer file.

  1. (Conditional) If you are using custom data identifiers for Intelligence, ensure that you back up the logstash-config-pipeline config map that is accessible through the Kubernetes dashboard.

  2. (Conditional) If you are upgrading an AWS or Azure environment from 22.1.0, complete the following steps:

    1. Launch a terminal session and as a root user, log in to the node where NFS is present.

    2. Navigate to the following directory:

      cd /<arcsight_nfs_vol_path>/interset/analytics/vertica_loader_sql/0/
    3. Execute the following command to create the 1.9.1.9 directory:

      mkdir 1.9.1.9
    4. Navigate to the following directory:

      cd <arcsight_nfs_vol_path>/interset/analytics/vertica_loader_sql/0
    5. Execute the following command to move the SQL loader scripts from <arcsight_nfs_vol_path>/interset/analytics/vertica_loader_sql/0 to <arcsight_nfs_vol_path>/interset/analytics/vertica_loader_sql/0/1.9.1.9:

      mv *.md5 *.sql 1.9.1.9
    6. Execute the following command to grant permissions to the 1.9.1.9 directory:

      chown -R 1999:1999 1.9.1.9
  3. Download the files as described in the Release Notes for ArcSight Platform 22.1.2.

  4. Copy the downloaded files to their specific locations for your deployment:

    • On premises: to the master node

    • AWS: to bastion

    • Azure: to the jump host

  5. (Conditional) For an on-premises environment, complete the procedures in Upgrading Deployed Capabilities except for Step 11.

  6. (Conditional) For an AWS environment, complete the following steps to upgrade the capabilities:

    1. Refresh ECR credentials.

    2. To upgrade the capabilities, follow the procedures in Upgrading Deployed Capabilities on AWS.

      You can ignore Steps 3 and 4 in the Downloading the Upgrade Bits procedure, as well as Steps 6 and 10 in Upgrading Deployed Capabilities.
  7. (Conditional) For an Azure environment, follow the procedures in Upgrading Deployed Capabilities on Azure.

    You can skip Step 6 in "Upgrading Deployed Capabilities."
  8. (Conditional) If you are upgrading from 22.1.0, complete the following steps:

    1. Run Analytics to start the next analytics run. For more information, see Running Analytics on Demand in the Administrator’s Guide for ArcSight Platform.

    2. During the analytics run, the 1.9.2.9 folder is created in the following directory with the default SQL loader scripts:

      cd <arcsight_nfs_vol_path>/interset/analytics/vertica_loader_sql/0/1.9.2.9
    3. (Conditional) If you have been using custom SQL loader scripts in 22.1.0, then the SQL loader scripts with inconsistent md5 sums between the current and previous versions are displayed in the Analytics logs. Perform the following steps to review and modify the SQL loader scripts:

      • Execute the following commands to check the logs of the analytics pod:

        export NS=$(kubectl get namespaces | grep arcsight | cut -d ' ' -f1)
        PN=$(kubectl get pods -n $NS | grep -e 'interset-analytics' | awk '{print $1}')
        kubectl logs -f $PN -n $NS -c interset-analytics
      • Review and add the necessary modifications to the new SQL loader scripts present in the following directory:

        cd <arcsight_nfs_vol_path>/interset/analytics/vertica_loader_sql/0/1.9.2.9
      • Update the md5 files with the md5 sums corresponding to the modified SQL loader scripts in the following directory:

        cd <arcsight_nfs_vol_path>/interset/analytics/vertica_loader_sql/0/1.9.1.9

      Analytics is triggered automatically after all the SQL loader scripts with inconsistent md5 sums are updated.

  9. (Conditional) For AWS and Azure environments, if Kafka Manager is not accessible after the upgrade, then you should restart the fusion-user-management pod:

    kubectl delete pod -n $(kubectl get namespaces | grep arcsight-installer | awk ' {print $1} ') fusion-user-management-xxxxxxxxxx-xxxxx

    where:
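For the script review in step 8 above, the following added example (not part of the product documentation) lists which SQL loader scripts differ between the previous and new version directories by comparing MD5 sums of the .sql files directly. The function names and sample file names are made up, and it does not read or rewrite the .md5 files, whose format this page does not describe.

```bash
# Added example: compare SQL loader scripts between two version directories.
# changed_loader_scripts OLD_DIR NEW_DIR prints one line per script:
#   changed <name>    .sql present in both directories, MD5 sums differ
#   old-only <name>   .sql present only in OLD_DIR (no default counterpart)
changed_loader_scripts() {
  local old_dir="$1" new_dir="$2" f name old_sum new_sum
  if [ ! -d "$old_dir" ] || [ ! -d "$new_dir" ]; then
    echo "usage: changed_loader_scripts OLD_DIR NEW_DIR" >&2
    return 2
  fi
  for f in "$old_dir"/*.sql; do
    [ -e "$f" ] || continue              # glob matched nothing
    name=${f##*/}
    if [ ! -f "$new_dir/$name" ]; then
      echo "old-only $name"
      continue
    fi
    # Hash the content only, so the path never influences the comparison.
    old_sum=$(md5sum < "$f" | cut -d ' ' -f1)
    new_sum=$(md5sum < "$new_dir/$name" | cut -d ' ' -f1)
    [ "$old_sum" = "$new_sum" ] || echo "changed $name"
  done
}

# Constructed sample tree standing in for .../vertica_loader_sql/0
# (script names and contents are invented for the demonstration).
demo_loader_tree() {
  local root
  root=$(mktemp -d) || return 1
  mkdir "$root/1.9.1.9" "$root/1.9.2.9"
  printf 'SELECT 1;\n'       > "$root/1.9.1.9/same.sql"
  printf 'SELECT 1;\n'       > "$root/1.9.2.9/same.sql"
  printf 'SELECT custom;\n'  > "$root/1.9.1.9/edited.sql"
  printf 'SELECT default;\n' > "$root/1.9.2.9/edited.sql"
  printf 'SELECT extra;\n'   > "$root/1.9.1.9/site_only.sql"
  echo "$root"
}

root=$(demo_loader_tree)
changed_loader_scripts "$root/1.9.1.9" "$root/1.9.2.9"
rm -rf "$root"
```

On a real system, pass the 1.9.1.9 and 1.9.2.9 directories under `<arcsight_nfs_vol_path>/interset/analytics/vertica_loader_sql/0` as the two arguments.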

Upgrade the ArcSight Database

  1. Download the database file, db-installer_x.x.x-x.tar.gz, to node 1 of the database cluster.

    For more information about the download files and to verify the signature file, see the Release Notes for ArcSight Platform 22.1.2.

  2. To untar the file, run the following commands as user root.

    If you logged in as a non-root user and need to switch to a root user to perform this procedure, we've found that it's necessary to use the 'sudo su -' command (including the hyphen) to make the switch.

    mkdir /opt/upgrade_files
    cd /opt/upgrade_files
    mv <path_to_db-installer>/db-installer_x.x.x-x.tar.gz /opt/upgrade_files/
    tar xvfz db-installer_x.x.x-x.tar.gz
  3. To stop event ingestion, run the following command:

    /opt/arcsight-db-tools/kafka_scheduler stop
  4. To start the upgrade, run the following commands:

    ./db_upgrade -c upgrade-utilities
    ./db_upgrade -c upgrade-db-rpm
    If an "Incompatible version detected for current database" message appears after the current database rpm version is listed in the output, please disregard it. It just means that your database had already been upgraded to the 11.0.2-4 version. Please skip the next step(s).
  5. To complete the upgrade, run the following commands:

    /opt/arcsight-db-tools/db_installer start-db
    /opt/arcsight-db-tools/kafka_scheduler start
  6. (Conditional) To use the database in FIPS mode, continue to Enabling FIPS Mode on the Database Server.

  7. (Conditional) To check the number of events, and confirm that the environment kept receiving events correctly, go to the /opt/arcsight-db-tools path and execute the following command:

    ./kafka_scheduler events

Delete Old Metadata

After a successful upgrade to 22.1.2, remove any older patch metadata files from the CDF management portal, as follows:

  1. On the CDF management portal, browse to Deployment > Metadata.

  2. Delete any metadata files corresponding to versions prior to 22.1.2, such as 22.1.1.

(Conditional) Restart Pods After Reconfiguring Single Sign-on Settings

If you reconfigure the Single Sign-on settings in the CDF Management Portal after successfully upgrading to 22.1.2, ArcSight Platform might fail to display the Reports Portal and the SOAR feature. If this issue occurs, you should restart the following pods:

Please allow the pods about 10 minutes to restart before you attempt to log in to the ArcSight Platform.