Upgrading the First KeyControl Node Using the webGUI

The following procedure applies to KeyControl nodes running version 4.1.x or earlier. If your KeyControl nodes are running version 4.2 or later, see Upgrading 4.2 or Later KeyControl Nodes with the KeyControl webGUI.

Before You Begin 

• Make sure you have removed any additional KeyControl nodes from the cluster before you upgrade the node as described in Removing KeyControl Nodes from a Cluster. You cannot upload the ISO file if there are other nodes in the cluster.
• Make sure your internet connection to the KeyControl node is as fast and as stable as possible. To begin the upgrade, you need to upload the ISO image to the KeyControl node in one continuous session. If this upload times out or if connectivity to the KeyControl node is lost during the upload, you will see error messages in KeyControl and you must re-upload the file from scratch. KeyControl cannot resume the upload from where it left off during a previous session.

Procedure 

1. Log into the KeyControl webGUI using an account with Domain and Security Admin privileges.

2. In the top menu bar, click Settings.
3. In the System Settings section, click System Upgrade.
4. Click Browse, navigate to the HyTrust ISO installation file, and click Open.

5. Click Upload File.

   If the Upload File button is not active, make sure that you have selected an ISO file and that you have removed all of the other nodes from the cluster. You cannot upload the ISO file if there are multiple nodes in the cluster.

6. When the upgrade finishes, the KeyControl webGUI displays the Upgrade Success dialog box showing the status of the upgrade. Click Close to continue with the process.
7. Click Reboot to finish upgrading the First Node.

8. Click Proceed at the prompt.

   KeyControl reboots the node and returns you to the KeyControl webGUI Login page.

   Note:

   When KeyControl reboots the node, you may see a message that the application cannot connect to the server, then browser page may display a "connection refused" message. Wait a few moments for the node to finish rebooting, then refresh your browser page. You should see the KeyControl Login page. If Refresh does not work, the hardware signature for the node may have changed during the upgrade. To restore access to KeyControl, contact HyTrust Support at support@hytrust.com or https://hytrust.com/support.

9. To configure the Automatic Vitals Reporting feature, log back into the webGUI after the First Node has finished rebooting. KeyControl automatically displays a pop up dialog box asking if you want to enable the feature the first time a Security Admin logs in after the node has been upgraded to version 4.2.1 or later.

   Automatic Vitals Reporting lets you automatically share information about the health of your KeyControl cluster with HyTrust Support. If you enable this service, KeyControl periodically sends an encrypted bundle containing system status and diagnostic information to a secure HyTrust server. HyTrust Support may proactively contact you if the Vitals Service identifies issues with the health of your cluster.

   KeyControl Security Admins can enable or disable this service at any time by selecting Settings > Vitals in the KeyControl webGUI. For details, see Configuring Automatic Vitals Reporting.

   Tip:

   If your browser does not display the KeyControl webGUI login page correctly, clear your browser cache and navigate to the page again.

10. To verify the upgrade, return to Settings > System Upgrade and verify the settings for Current Version and Previous Version..

What to Do Next 

After you upgrade the First Node, you should not upgrade the other nodes in the cluster. Instead, install the KeyControl software on the other nodes as if you were doing a fresh install and join those nodes with the node you just upgraded. For more information, see:

• Installing KeyControl from an OVA Template followed by Adding a New KeyControl Node to an Existing Cluster (OVA Install).
• KeyControl ISO Installation followed by Adding a KeyControl Node to an Existing Cluster (ISO Install).

Important:

Starting in version 4.2, KeyControl nodes communicate using Transport Layer Security (TLS) protocol version 1.2 by default. This means that KeyControl nodes running version 4.2 or greater cannot communicate with any Policy Agents running version 3.4 or older. If you have Policy Agents running an older version of the software that you do not intend to upgrade, you need to change the KeyControl SSL configuration to use TLS version 1.0. For details, see Configuring SSL Settings.