Upgrading the First KeyControl Node Using the HyTrust ISO Image

The following procedure describes how to upgrade the First KeyControl Node by booting that node directly from the HyTrust DataControl ISO image and using the provided HyTrust TUI (Text-based User Interface). To upgrade the First Node using the KeyControl webGUI, see Upgrading the First KeyControl Node Using the webGUI.

Tip:

If your KeyControl nodes are running KeyControl version 4.2 or later, you can upgrade all nodes in the cluster at once using the KeyControl webGUI. For details, see Upgrading 4.2 or Later KeyControl Nodes with the KeyControl webGUI.

Before You Begin 

Make sure you have removed any additional KeyControl nodes from the cluster before you upgrade the first KeyControl node as described in Removing KeyControl Nodes from a Cluster. Upgrading a cluster of multiple KeyControl nodes could cause serious problems with your KeyControl installation.

Procedure 

1. Shut down the KeyControl node you want to upgrade.
   1. Log in as root on a server hosting one of the KeyControl nodes in the cluster. KeyControl displays the System Console Menu TUI (Text-based User Interface).
   2. Select Shutdown System.
   3. Select OK and press Enter.
   4. Select Yes and press Enter.
2. Boot the target system from the HyTrust ISO image for the release to which you want to upgrade.

3. On the HyTrust SecureOS Installation/Upgrade screen, select Upgrade from version old-version to new-version and press Enter.

   The installer makes sure that the system can be upgraded and then begins the process.

4. On the Upgrading the Following Host screen, review your selections. To continue with the upgrade, select OK and press Enter.

5. If another node exists in a cluster with the selected node, you will see a prompt explaining the issue and asking if you want to override the check and continue to upgrade the current node. Press Enter to cancel the upgrade process, then remove the additional nodes as described in Removing KeyControl Nodes from a Cluster. Once you have removed the additional nodes, re-start this procedure.

   Important:

   HyTrust highly recommends that you only upgrade individual KeyControl nodes. Upgrading clustered nodes is likely to cause problems with your KeyControl installation.

6. When the software is upgraded, the HyTrust SecureOS Upgrade screen displays a success message and prompts for a system reboot. Press Enter to perform the reboot and complete the installation.

   The system automatically ejects the ISO CD/DVD and restarts the system from the KeyControl node.

7. If you have installed KeyControl in a VM, disconnect the CD drive.

   Tip:

   If you are using vSphere, select Virtual Machine Properties > Hardware > CD/DVD drive and make sure the Connect at power on check box in the Device Status section is not checked.

8. After the system reboots, press Enter on the HyTrust SecureOS successfully upgraded screen.
9. To verify the upgrade:

   1. Log into the KeyControl webGUI using an account with Domain and Security Admin privileges.

      Note:

      When you first log into the webGUI, you may see a message that the application cannot connect to the server, then browser page may display a "connection refused" message. Refresh your browser page and you should see the KeyControl Login page. If Refresh does not work, the hardware signature for the node may have changed during the upgrade. To restore access to KeyControl, contact HyTrust Support at support@hytrust.com or https://hytrust.com/support.

   2. In the top menu bar, click Settings.
   3. In the System Settings section, click Upgrade.
   4. Verify the settings for Current Version and Previous Version.

What to Do Next 

After you upgrade the First Node, you do not need to upgrade the other nodes in the cluster. Instead, install the KeyControl software on the other nodes as if you were doing a fresh install and re-join those nodes with the node you just upgraded. For more information, see:

• Installing KeyControl from an OVA Template followed by Adding a New KeyControl Node to an Existing Cluster (OVA Install).
• KeyControl ISO Installation followed by Adding a KeyControl Node to an Existing Cluster (ISO Install).

Important:

Starting in release 4.2, KeyControl nodes communicate using Transport Layer Security (TLS) protocol version 1.2 by default. This means that KeyControl nodes running version 4.2 or greater cannot communicate with any Policy Agents running version 3.4 or older. If you have Policy Agents running an older version of the software that you do not intend to upgrade, you need to change the KeyControl SSL configuration to use TLS version 1.0. For details, see Configuring SSL Settings.