PGP Universal Server - 3.1 Upgrade Manual

PGP Universal™ Server Upgrade Guide
Version Information
PGP Universal Server Upgrade Guide. PGP Universal Server Version 3.1.0. Released September 2010.
Copyright Information
Copyright © 1991-2010 by PGP Corporation. All Rights Reserved. No part of this document can be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of PGP Corporation.
Trademark Information
Licensing and Patent Information
The IDEA cryptographic cipher described in U.S. patent number 5,214,703 is licensed from Ascom Tech AG. The CAST-128 encryption algorithm, implemented from RFC 2144, is available worldwide on a royalty-free basis for commercial and non-commercial uses. PGP Corporation has secured a license to the patent rights contained in the patent application Serial Number 10/655,563 by The Regents of the University of California, entitled Block Cipher Mode of Operation for Constructing a Wide-blocksize block Cipher from a Conventional Block Cipher. Some third-party software included in PGP Universal Server is licensed under the GNU General Public License (GPL). PGP Universal Server as a whole is not licensed under the GPL. If you would like a copy of the source code for the GPL software included in PGP Universal Server, contact PGP Support (https://support.pgp.com). PGP Corporation may have patents and/or pending patent applications covering subject matter in this software or its documentation; the furnishing of this software or documentation does not give you any license to these patents.
Acknowledgments
This product includes or may include:
-- The Zip and ZLib compression code, created by Mark Adler and Jean-Loup Gailly, is used with permission from the free Info-ZIP implementation, developed by zlib (http://www.zlib.net).
-- Libxml2, the XML C parser and toolkit developed for the Gnome project and distributed and copyrighted under the MIT License found at http://www.opensource.org/licenses/mit-license.html. Copyright © 2007 by the Open Source Initiative.
-- bzip2 1.0, a freely available high-quality data compressor, is copyrighted by Julian Seward, © 1996-2005.
-- Application server (http://jakarta.apache.org/), web server (http://www.apache.org/), Jakarta Commons (http://jakarta.apache.org/commons/license.html) and log4j, a Java-based library used to parse HTML, developed by the Apache Software Foundation. The license is at www.apache.org/licenses/LICENSE-2.0.txt.
-- Castor, an open-source, data-binding framework for moving data from XML to Java programming language objects and from Java to databases, is released by the ExoLab Group under an Apache 2.0-style license, available at http://www.castor.org/license.html.
-- Xalan, an open-source software library from the Apache Software Foundation that implements the XSLT XML transformation language and the XPath XML query language, is released under the Apache Software License, version 1.1, available at http://xml.apache.org/xalan-j/#license1.1.
-- Apache Axis is an implementation of the SOAP ("Simple Object Access Protocol") used for communications between various PGP products is provided under the Apache license found at http://www.apache.org/licenses/LICENSE-2.0.txt.
-- mx4j, an open-source implementation of the Java Management Extensions (JMX), is released under an Apache-style license, available at http://mx4j.sourceforge.net/docs/ch01s06.html.
-- jpeglib version 6a is based in part on the work of the Independent JPEG Group. (http://www.ijg.org/)
-- libxslt the XSLT C library developed for the GNOME project and used for XML transformations is distributed under the MIT License http://www.opensource.org/licenses/mit-license.html.
-- PCRE Perl regular expression compiler, copyrighted and distributed by University of Cambridge. ©1997-2006. The license agreement is at http://www.pcre.org/license.txt.
-- BIND Balanced Binary Tree Library and Domain Name System (DNS) protocols developed and copyrighted by Internet Systems Consortium, Inc. (http://www.isc.org)
-- Free BSD implementation of daemon developed by The FreeBSD Project, © 1994-2006.
-- Simple Network Management Protocol Library developed and copyrighted by Carnegie Mellon University © 1989, 1991, 1992, Networks Associates Technology, Inc, © 2001-2003, Cambridge Broadband Ltd. © 2001-2003, Sun Microsystems, Inc., © 2003, Sparta, Inc, © 2003-2006, Cisco, Inc and Information Network Center of Beijing University of Posts and Telecommunications, © 2004. The license agreement for these is at http://net-snmp.sourceforge.net/about/license.html.
-- NTP version 4.2 developed by Network Time Protocol and copyrighted to various contributors.
-- Lightweight Directory Access Protocol developed and copyrighted by OpenLDAP Foundation. OpenLDAP is an open-source implementation of the Lightweight Directory Access Protocol (LDAP). Copyright © 1999-2003, The OpenLDAP Foundation. The license agreement is at http://www.openldap.org/software/release/license.html.
-- Secure shell OpenSSH developed by OpenBSD project is released by the OpenBSD Project under a BSD-style license, available at http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/LICENCE?rev=HEAD.
-- PC/SC Lite is a free implementation of PC/SC, a specification for SmartCard integration is released under the BSD license.
-- Postfix, an open source mail transfer agent (MTA), is released under the IBM Public License 1.0, available at http://www.opensource.org/licenses/ibmpl.php.
-- PostgreSQL, a free software object-relational database management system, is released under a BSD-style license, available at http://www.postgresql.org/about/licence.
-- PostgreSQL JDBC driver, a free Java program used to connect to a PostgreSQL database using standard, database independent Java code, (c) 1997-2005, PostgreSQL Global Development Group, is released under a BSD-style license, available at http://jdbc.postgresql.org/license.html.
-- PostgreSQL Regular Expression Library, a free software object-relational database management system, is released under a BSD-style license, available at http://www.postgresql.org/about/licence.
-- 21.vixie-cron is the Vixie version of cron, a standard UNIX daemon that runs specified programs at scheduled times. Copyright © 1993, 1994 by Paul Vixie; used by permission.
-- JacORB, a Java object used to facilitate communication between processes written in Java and the data layer, is open source licensed under the GNU Library General Public License (LGPL) available at http://www.jacorb.org/lgpl.html. Copyright © 2006 The JacORB Project.
-- TAO (The ACE ORB) is an open-source implementation of a CORBA Object Request Broker (ORB), and is used for communication between processes written in C/C++ and the data layer. Copyright (c) 1993-2006 by Douglas C. Schmidt and his research group at Washington University, University of California, Irvine, and Vanderbilt University. The open source software license is available at http://www.cs.wustl.edu/~schmidt/ACE-copying.html.
-- libcURL, a library for downloading files via common network services, is open source software provided under a MIT/X derivate license available at http://curl.haxx.se/docs/copyright.html. Copyright (c) 1996 - 2007, Daniel Stenberg.
-- libuuid, a library used to generate unique identifiers, is released under a BSD-style license, available at http://thunk.org/hg/e2fsprogs/?file/fe55db3e508c/lib/uuid/COPYING. Copyright (C) 1996, 1997 Theodore Ts'o.
-- libpopt, a library that parses command line options, is released under the terms of the GNU Free Documentation License available at http://directory.fsf.org/libs/COPYING.DOC. Copyright © 2000-2003 Free Software Foundation, Inc.
-- gSOAP, a development tool for Windows clients to communicate with the Intel Corporation AMT chipset on a motherboard, is distributed under the gSOAP Public License version 1.3b, available at http://www.cs.fsu.edu/~engelen/license.html.
-- Windows Template Library (WTL) is used for developing user interface components and is distributed under the Common Public License v1.0 found at http://opensource.org/licenses/cpl1.0.php.
-- The Perl Kit provides several independent utilities used to automate a variety of maintenance functions and is provided under the Perl Artistic License, found at http://www.perl.com/pub/a/language/misc/Artistic.html.
-- rEFIt - libeg, provides a graphical interface library for EFI, including image rendering, text rendering, and alpha blending, and is distributed under the license found at http://refit.svn.sourceforge.net/viewvc/*checkout*/refit/trunk/refit/LICENSE.txt?revision=288. Copyright (c) 2006 Christoph Pfisterer. All rights reserved.
-- Java Radius Client, used to authenticate PGP Universal Web Messenger users via Radius, is distributed under the Lesser General Public License (LGPL) found at http://www.gnu.org/licenses/lgpl.html.
-- Yahoo! User Interface (YUI) library version 2.5.2, a Web UI interface library for AJAX. Copyright (c) 2009, Yahoo! Inc. All rights reserved. Released under a BSD-style license, available at http://developer.yahoo.com/yui/license.html.
-- JSON-lib version 2.2.1, a Java library used to convert Java objects to JSON (JavaScript Object Notation) objects for AJAX. Distributed under the Apache 2.0 license, available at http://json-lib.sourceforge.net/license.html.
-- EZMorph, used by JSON-lib, is distributed under the Apache 2.0 license, available at http://ezmorph.sourceforge.net/license.html.
-- Apache Commons Lang, used by JSON-lib, is distributed under the Apache 2.0 license, available at http://commons.apache.org/license.html.
-- Apache Commons BeanUtils, used by JSON-lib, is distributed under the Apache 2.0 license, available at http://commons.apache.org/license.html.
-- SimpleIni is an .ini format file parser and provides the ability to read and write .ini files, a common configuration file format used on Windows, on other platforms. Distributed under the MIT License found at http://www.opensource.org/licenses/mit-license.html. Copyright 2006-2008, Brodie Thiesfield.
-- uSTL provides a small fast implementation of common Standard Template Library functions and data structures and is distributed under the MIT License found at http://www.opensource.org/licenses/mit-license.html. Copyright (c) 2005-2009 by Mike Sharov <msharov@users.sourceforge.net>.
-- Protocol Buffers (protobuf), Google's data interchange format, are used to serialize structure data in the PGP SDK. Distributed under the BSD license found at http://www.opensource.org/licenses/bsd-license.php. Copyright 2008 Google Inc. All rights reserved.
Additional acknowledgements and legal notices are included as part of the PGP Universal Server.
Export Information
Export of this software and documentation may be subject to compliance with the rules and regulations promulgated from time to time by the Bureau of Export Administration, United States Department of Commerce, which restricts the export and re-export of certain products and technical data.
Limitations
The software provided with this documentation is licensed to you for your individual use under the terms of the End User License Agreement provided with the software. The information in this document is subject to change without notice. PGP Corporation does not warrant that the information meets your requirements or that the information is free of errors. The information may include technical inaccuracies or typographical errors. Changes may be made to the information and incorporated in new editions of this document, if and when made available by PGP Corporation.
Unsupported Third Party Products
By utilizing third party products, software, drivers, or other components ("Unsupported Third Party Product") to interact with the PGP software and/or by utilizing any associated PGP command or code provided to you by PGP at its sole discretion to interact with the Unsupported Third Party Product ("PGP Third Party Commands"), you acknowledge that the PGP software has not been designed for or formally tested with the Unsupported Third Party Product, and therefore PGP provides no support or warranties with respect to the PGP Third Party Commands or the PGP software's compatibility with Unsupported Third Party Products. THE PGP THIRD PARTY COMMANDS ARE PROVIDED "AS IS," WITH ALL FAULTS, AND THE ENTIRE RISK AS TO SATISFACTORY QUALITY, PERFORMANCE, ACCURACY, AND EFFORT IS WITH YOU. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, PGP DISCLAIMS ALL REPRESENTATIONS, WARRANTIES, AND CONDITIONS, WHETHER EXPRESS OR IMPLIED, INCLUDING ANY WARRANTIES OR CONDITIONS OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, NONINFRINGEMENT, QUIET ENJOYMENT, AND ACCURACY WITH RESPECT TO THE PGP THIRD PARTY COMMANDS OR THE PGP SOFTWARE'S COMPATIBILITY WITH THE UNSUPPORTED THIRD PARTY PRODUCT.
Contents
Introduction
    Who Should Read This Guide
    Common Criteria Environments
    Using the PGP Universal Server with the Command Line
    Symbols
    Getting Assistance
    Getting product information
    Contact Information
Upgrading the PGP Universal Server
    Licensing the Upgrade
    Backing Up the Data and Organization Key
    Overview
    Best Practices for Upgrade
    Supported Client and PGP Universal Server Version Combinations
    Configuring the PGP Universal Server
    Restoring Configuration and Data
    Migrating Groups from Version 2.x
    Restoring Mail Policy Rules
Migrating a Cluster
    Cluster Migration Overview
    Identifying Cluster Synchronization Issues Prior to Migration
    Accessing the PGP Universal Server using SSH
    Migrating your Primary Cluster Server
    Migrating a Secondary Cluster Member
    Manually Reconfiguring Non-replicated Server Settings
    Changing Your Web Messenger Message Replication Settings
Index

Introduction

This Upgrade Guide describes how to upgrade PGP Universal™ Server software, and how to migrate your data to new versions. It explains how to upgrade previous versions of PGP Universal Server to version 3.1.0, and how to migrate a cluster to version 3.1.0.
This section provides a high-level overview of PGP Universal Server.

Who Should Read This Guide

This Upgrade Guide is for the person or persons who will be upgrading the software or migrating the data of your organization’s PGP Universal Server environment. These are the PGP administrators.

Common Criteria Environments

To be Common Criteria compliant, please refer to the best practices shown in PGP Universal Server 2.9 Common Criteria Supplemental. Note that these best practices supersede recommendations made elsewhere in this and other documentation.

Using the PGP Universal Server with the Command Line

Using the PGP Universal Server command line for read-only access (such as to view settings, services, logs, processes, disk space, query the database, etc.) is supported. However, performing configuration modifications via the command line voids your PGP Support agreement unless these procedures are followed. Any changes made to the PGP Universal Server via the command line must be:
- Authorized in writing by PGP Support.
- Implemented by a PGP Partner, reseller or internal employee who is certified in the PGP Advanced Administration and Deployment Training.
- Summarized and documented in a text file in /var/lib/ovid/customization on the PGP Universal Server itself.
Changes made through the command line might not persist through reboots and might be incompatible with future releases. PGP Support can require reverting any custom configurations on the PGP Universal Server back to a default state when troubleshooting new issues.

Symbols

Notes, Cautions, and Warnings are used in the following ways.
Note: Notes are extra, but important, information. A Note calls your attention to important aspects of the product. You can use the product better if you read the Notes.
Caution: Cautions indicate the possibility of loss of data or a minor security breach. A Caution tells you about a situation where problems can occur unless precautions are taken. Pay attention to Cautions.
Warning: Warnings indicate the possibility of significant data loss or a major security breach. A Warning means serious problems will occur unless you take the appropriate action. Please take Warnings very seriously.

Getting Assistance

For additional resources, see these sections.

Getting product information

The following documents and online help are companions to the PGP Universal Server Administrator’s Guide. This guide occasionally refers to information that can be found in one or more of these sources:
- Online help is installed and is available within the PGP Universal Server product.
- PGP Universal Server Installation Guide—Describes how to install the PGP Universal Server software.
- PGP Universal Server Upgrade Guide—Describes the process of upgrading your PGP Universal Server.
- PGP Universal Mail Policy Diagram—Provides a graphical representation of how email is processed through mail policy. You can access this document via the PGP Universal Server online help.
- Tutorials—Provides animated introductions on how to manage the mail policy feature in PGP Universal Server 2.5 and later, and how upgraded PGP Universal Server settings migrate into the new mail policy feature.
You can also access all the documentation and tutorials by clicking the online help icon in the upper-right corner of the PGP Universal Server screen.
- PGP Universal Satellite for Windows and Mac OS X include online help.
- PGP Universal Server and PGP Satellite release notes are also provided, which may have last-minute information not found in the product documentation.
The documentation, provided as Adobe Acrobat PDF files, is available on the Documentation (https://pgp.custhelp.com/app/docs) section on the PGP Support Portal.
Once PGP Universal Server is released, additional information regarding the product is added to the online Knowledge Base available on PGP Corporation’s Support Portal (https://support.pgp.com).

Contact Information

Contacting Technical Support
- To learn about PGP support options and how to contact PGP Technical Support, please visit the PGP Corporation Support Home Page (https://support.pgp.com).
- To access the PGP Support Knowledge Base or request PGP Technical Support, please visit PGP Support Portal Web Site (https://support.pgp.com). Note that you may access portions of the PGP Support Knowledge Base without a support agreement; however, you must have a valid support agreement to request Technical Support.
- To access the PGP Support forums, please visit PGP Support (http://forum.pgp.com). These are user community support forums hosted by PGP Corporation.
Contacting Customer Service
- For help with orders, downloads, and licensing, please visit PGP Corporation Customer Service (https://pgp.custhelp.com/app/cshome).
Contacting Other Departments
- For any other contacts at PGP Corporation, please visit the PGP Contacts Page (http://www.pgp.com/about_pgp_corporation/contact/index.html).
- For general information about PGP Corporation, please visit the PGP Web Site (http://www.pgp.com).

Upgrading the PGP Universal Server

This chapter describes how to upgrade previous versions of PGP Universal Server to version 3.1 for a single server.
Warning: If you have a hardware token Ignition Key or a Hardware Security Module (HSM), you must contact PGP Technical Support before migrating to PGP Universal Server 3.1.0. Migration to version 3.1.0 requires the creation of a new setting on the upgraded (3.1.0) version of PGP Universal Server before you restore the backup from your previous system. This setting can only be added through SSH access, with the help of PGP Technical Support. If you migrate to version 3.1.0 without adding this preference, you will be locked out of the user interface after upgrade and you will not be able to use your hardware token Ignition Key to unlock your PGP Universal Server.
This can also occur if you upgrade from 3.0.0 to 3.1.0 using a PUP update. If you plan to do a PUP update from 3.0.0, you must edit the settings in your 3.0.0 installation BEFORE you do the update. You do not need to change any settings if you are running PGP Universal Server version 3.0.1.
Warning: If you plan to migrate a cluster from PGP Universal Server version 2.x to PGP Universal Server version 3.1.0, you must run the most recent pgpSyncUsers utility on your 2.x cluster to ensure the user data is consistent prior to beginning the migration process. See Migrating a Cluster for details.
Important: In order to successfully migrate your data from PGP Universal Server 2.x to PGP Universal Server version 3.1.0, you should plan to have disk space available equal to 10 times the size of the backup file (the backup file will be significantly smaller than the size of the original 2.x database). For example, if your version 2.x backup file is 1 GB in size, you should have 10 GB of disk space available to allow for the migration and re-expansion of your data into the 3.1 database.

Licensing the Upgrade

The licensing mechanism for the PGP Universal Server and the managed PGP Desktop has changed as of PGP Universal Server version 3.1. However, if you have a valid subscription license or Perpetual 2.0 License, you will not need a new license to use PGP Universal Server 3.1.0.
If you had PGP Desktop licenses configured through Consumer (User) Policies, these will continue to be valid and the appropriate features will be enabled after you upgrade.
However, if you perform a new installation of PGP Universal Server version 3.1, you will not be able to add your old PGP Desktop licenses through the Client Licensing page of your Consumer Policies. You will need to restore a backup that includes your previous licenses in order to continue to use your old PGP Desktop licenses.

Backing Up the Data and Organization Key

Warning: Back up the Organization Key and all the data from your PGP Universal Server before you upgrade. Make sure you back up your data to an external location, because the software installation process will delete all data stored on your PGP Universal Server. For more information, see the documentation you received with your version of PGP Universal Server.
Caution: If you do not or cannot use FTP to back up your data to an external location, contact PGP Support (PGP Corporation Support Home Page (https://support.pgp.com)).
Export the entire keypair of the Organization Key.
1. From Organization > Organization Keys (for versions prior to 3.0) or Keys > Organization Keys (for version 3.0 or later), select the Organization Key.
   The Organization Key Info dialog appears.
2. Click Export.
   The Export Key dialog appears.
3. Select Export Keypair and type the passphrase. Click Export to save the Organization Keypair to your desktop.
4. Back up the server data and configuration to an external server location. From System > Backups, click Backup Location.
   The Backup Location dialog appears.
5. Specify the remote location where you want the data to be saved, and click Save. It is important that you save the data somewhere other than the PGP Universal Server itself, because all data on the PGP Universal Server will be erased during the software installation.
   The Backups page appears.
6. Click Backup Now to back up the data.