PGP Universal Server - 3.2 Upgrade Manual

PGP™ Universal Server
Upgrade Guide
3.2
The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement.
Version 3.2.0. Last updated: July 2011.
Legal Notice
Copyright (c) 2011 Symantec Corporation. All rights reserved.
Symantec, the Symantec Logo, PGP, Pretty Good Privacy, and the PGP logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.
The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any.
THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.
The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, et seq. “Commercial Computer Software and Commercial Computer Software Documentation”, as applicable, and any successor regulations. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.
Symantec Corporation 350 Ellis Street Mountain View, CA 94043
Symantec Home Page (http://www.symantec.com)
Printed in the United States of America.
Contents
About the PGP Universal Server Upgrade Guide
  Who Should Read This Guide
  Common Criteria Environments
  Using the PGP Universal Server with the Command Line
  Symbols
  Getting Assistance
  Getting product information
  Technical Support
  Contacting Technical Support
  Licensing and registration
  Customer service
  Support agreement resources
About Upgrading PGP Universal Server
  Upgrade Licenses
  Backing Up the Data and Organization Key
  Overview of the Upgrade Process
  Upgrading Your PGP Universal Server 3.2.0
  Verifying Your Upgrade
  Best Practices for Upgrade
  Supported Client and PGP Universal Server Version Combinations
  Configuring the PGP Universal Server
  Restoring Configuration and Data
  Updating Your PGP Universal Web Messenger Complete Customizations
  Migrate Groups from PGP Universal Server 2.12 SP4
  About Restoring Mail Policy Rules
Migrating a Cluster
  Cluster Migration Overview
  Cluster Synchronization Issues Before You Migrate
  Accessing the PGP Universal Server using SSH
  Migrating your Primary Cluster Server
  Migrating a Secondary Cluster Member
  Manually Reconfiguring Non-Replicated Server Settings
  Changing Your Web Messenger Message Replication Settings
Index

About the PGP Universal Server Upgrade Guide

This Upgrade Guide describes how to upgrade previous versions of PGP Universal Server to version 3.2.0 and how to migrate a cluster to version 3.2.0.
This section provides a high-level overview of PGP Universal Server.

Who Should Read This Guide

This Upgrade Guide is for administrators who will be upgrading PGP Universal Server or migrating the data in your organization’s PGP Universal Server environment.

Common Criteria Environments

To be Common Criteria compliant, see the best practices in PGP Universal Server 2.9 Common Criteria Supplemental. These best practices supersede recommendations made elsewhere in this and other documentation.

Using the PGP Universal Server with the Command Line

You can use the PGP Universal Server command line for read-only access, for example to view settings, services, logs, processes, and disk space, or to query the database.
Note: If you modify your configuration using the command line, and you do not follow these procedures, your PGP Support agreement is void.
Changes to the PGP Universal Server using the command line must be:
Authorized in writing by PGP Support.
Implemented by PGP's partner, reseller, or internal employee who is certified in the PGP Advanced Administration and Deployment Training.
Summarized and documented in a text file in /var/lib/ovid/customization on the PGP Universal Server.
Changes made through the command line may not persist through reboots and may become incompatible in a future release. When troubleshooting new issues, Technical Support can require you to revert custom configurations on the PGP Universal Server to a default state.

Symbols

Notes, Cautions, and Warnings are used in the following ways.
Note: Notes are extra, but important, information. A Note calls your attention to important aspects of the product. You can use the product better if you read the Notes.
Caution: Cautions indicate the possibility of loss of data or a minor security breach. A Caution tells you about a situation where problems can occur unless precautions are taken. Pay attention to Cautions.
Warning: Warnings indicate the possibility of significant data loss or a major security breach. A Warning means serious problems will occur unless you take the appropriate action. Please take Warnings very seriously.

Getting Assistance

For additional resources, see these sections.

Getting product information

The following documents and online help are companions to the PGP Universal Server Administrator’s Guide. This guide occasionally refers to information that can be found in one or more of these sources:
Online help is installed and is available in the PGP Universal Server product.
PGP Universal Server Installation Guide—Describes how to install the PGP Universal Server.
PGP Universal Server Upgrade Guide—Describes the process of upgrading your PGP Universal Server.
PGP Universal Mail Policy Diagram—Provides a graphical representation of how email is processed through mail policy. You can access this document via the PGP Universal Server online help.
Tutorials—Provides animated introductions on how to manage the mail policy feature in PGP Universal Server 2.5 and later, and how upgraded PGP Universal Server settings migrate into the new mail policy feature.
You can also access all the documentation and tutorials by clicking the online help icon in the upper-right corner of the PGP Universal Server screen.
PGP Universal Satellite for Windows and Mac OS X includes online help.
PGP Universal Server and PGP Satellite release notes are also provided, which may have last-minute information not found in the product documentation.

Technical Support

Symantec Technical Support maintains support centers globally. Technical Support’s primary role is to respond to specific queries about product features and functionality. The Technical Support group also creates content for our online Knowledge Base. The Technical Support group works collaboratively with the other functional areas within Symantec to answer your questions in a timely fashion. For example, the Technical Support group works with Product Engineering and Symantec Security Response to provide alerting services and virus definition updates.
Symantec’s support offerings include the following:
A range of support options that give you the flexibility to select the right amount of service for any size organization
Telephone and/or Web-based support that provides rapid response and up-to-the-minute information
Upgrade assurance that delivers software upgrades
Global support purchased on a regional business hours or 24 hours a day, 7 days a week basis
Premium service offerings that include Account Management Services
For information about Symantec’s support offerings, you can visit our Web site at the following URL:
www.symantec.com/business/support/
All support services will be delivered in accordance with your support agreement and the then-current enterprise technical support policy.

Contacting Technical Support

Customers with a current support agreement may access Technical Support information at the following URL:
www.symantec.com/business/support/
Before contacting Technical Support, make sure you have satisfied the system requirements that are listed in your product documentation. Also, you should be at the computer on which the problem occurred, in case it is necessary to replicate the problem.
When you contact Technical Support, please have the following information available:
Product release level
Hardware information
Available memory, disk space, and NIC information
Operating system
Version and patch level
Network topology
Router, gateway, and IP address information
Problem description:
Error messages and log files
Troubleshooting that was performed before contacting Symantec
Recent software configuration changes and network changes

Licensing and registration

If your Symantec product requires registration or a license key, access our technical support Web page at the following URL:
www.symantec.com/business/support/

Customer service

Customer service information is available at the following URL:
www.symantec.com/business/support/
Customer Service is available to assist with non-technical questions, such as the following types of issues:
Questions regarding product licensing or serialization
Product registration updates, such as address or name changes
General product information (features, language availability, local dealers)
Latest information about product updates and upgrades
Information about upgrade assurance and support contracts
Information about the Symantec Buying Programs
Advice about Symantec's technical support options
Nontechnical presales questions
Issues that are related to CD-ROMs or manuals

Support agreement resources

If you want to contact Symantec regarding an existing support agreement, please contact the support agreement administration team for your region as follows:
Asia-Pacific and Japan customercare_apac@symantec.com
Europe, Middle-East, Africa semea@symantec.com
North America, Latin America supportsolutions@symantec.com

About Upgrading PGP Universal Server

This chapter describes how to upgrade previous versions of PGP Universal Server to version 3.2 for a server.
Warning: If you have a hardware token Ignition Key or a Hardware Security Module (HSM), you must contact Technical Support before you migrate to PGP Universal Server 3.2. Migrating to version 3.2 requires that you create a new setting on the upgraded (3.2) version of PGP Universal Server before you restore the backup file from your previous system. This setting can only be added through SSH access with the help of Technical Support. If you migrate to version 3.2 without adding this preference, you will be locked out of the user interface after the upgrade. As a result, you cannot use your hardware token Ignition Key to unlock your PGP Universal Server. This can also occur if you upgrade from 3.0.0 to 3.1.0 using a PUP update. If you do a PUP update from 3.0.0, you must edit the settings in your 3.0.0 installation BEFORE the update. If you are running PGP Universal Server version 3.0.1, you do not need to change any settings.
Warning: If you plan to migrate a cluster from PGP Universal Server version 2.12 SP4 to PGP Universal Server version 3.2.0, before you migrate, run the latest version of the pgpSyncUsers utility on your 2.12 SP4 cluster to ensure that the user data is consistent. For more information, see Migrating a Cluster.
To migrate your data from PGP Universal Server 2.12 SP4 to PGP Universal Server version 3.2.0, you need disk space that is 10 times the size of the backup file. (The backup file will be significantly smaller than the original database.) For example, if your version 2.12 SP4 backup file is 1 GB, you should have 10 GB of disk space to allow for the migration and re-expansion of your data into the 3.2 database.

Upgrade Licenses

Although the licensing mechanism for the PGP Universal Server and the managed PGP Desktop has changed, if you have a valid subscription license or Perpetual 2.x License, you do not need a new license to use PGP Universal Server 3.2.0.
If you had PGP Desktop licenses configured through Consumer (User) Policies, these licenses are still valid, and the appropriate features are enabled after you upgrade. If you install a new version of PGP Universal Server version 3.2, you cannot add your old PGP Desktop licenses through the Client Licensing page on the Consumer Policies tab. To use your old PGP Desktop licenses, you must restore a backup that includes your previous licenses.

Backing Up the Data and Organization Key

Before you upgrade, back up the Organization Key and all the data from your PGP Universal Server. You must back up your data to an external location, because installing the software deletes all data stored on your PGP Universal Server. If you do not (or cannot) use FTP to back up your data to an external location, contact Technical Support.
To back up your data and organization key
1 Access the Organization Key page by doing one of the following:
For 3.0 or earlier, select Organization > Organization Keys.
For 3.0 or later, select Keys > Organization Keys.
2 Click Organization Key.
3 Click Export.
4 Select Export Keypair and type the passphrase.
5 Click Export.
This saves the Organization Keypair to your desktop.
6 Back up the server data and configuration to an external server location.
7 Select System > Backups.
8 Click Backup Location.
9 Select Save backups to a remote location.
10 Type the relevant details.
11 Click Save.
You must save the data in a location other than the PGP Universal Server, because the data on the PGP Universal Server is erased during installation.
12 Click Backup Now.
13 Type a name for your backup.
14 Click Backup.

Overview of the Upgrade Process

You can upgrade your PGP Universal Server in the following ways:
Migration, where you back up data to an external location, install the new software version from a CD/DVD, and restore your data. For more information about installing from a CD/DVD, see the PGP Universal Server Installation Guide.
PUP Update, where you download and install a PGP Update Package (PUP) file from your PGP Universal Server's administrative interface. This method automatically preserves your data and system settings. For more information on performing a PUP update, see the PGP Universal Server Administrator's Guide.
Not all upgrades are available as PUP update files. Some upgrades require a migration where you must back up your system, install the new version of the software, and restore your backup. For example, to upgrade from PGP Universal Server 2.X to 3.2, you must migrate to 3.0.2 SP2 or 3.1.2 SP2 and then install the 3.2 PUP file for PGP Universal Server 3.2.
After the software is installed and the Setup Assistant has started, depending on how you want to restore your data, there are several paths you can take through the setup.
Note: The licensing mechanism for the PGP Universal Server and the managed PGP Desktop has changed as of PGP Universal Server version 3.2. However, these changes have minimal effects on the upgrade process, because your existing PGP Universal Server and PGP Desktop licenses are still valid after you upgrade. If you perform a migration, your previous licenses are restored, and the features that were previously enabled are still enabled.
The following applies to PGP Universal Servers that are running as stand-alone systems or clusters:
Before you upgrade to PGP Universal Server 3.2, you must back up your data and your organization key to an external location.
You can upgrade to PGP Universal Server 3.2 from these versions:
PGP Universal Server 2.12 SP4
To upgrade from 2.12 SP4, you must back up your data, do a fresh install of 3.0.2 SP2 or 3.1.2 SP2, and restore your backed up data. Then you can do a PUP update to update to version 3.2.
If you are running a version of PGP Universal Server older than 2.12 SP4, you must upgrade to version 2.12 SP4.
PGP Universal Server 3.X
To upgrade from PGP Universal Server 3.x, you can do a PUP update to update to version 3.2.
When you install the software, the data on your system is deleted. You need the backed up data file and the Organization Key to encrypt and decrypt the backup file. For more information on installing the software from a DVD, see the PGP Universal Server Installation Guide.
Caution: To upload and restore backups of 2GB or larger through the PGP Universal Server Web interface, you need to contact Technical Support.

Upgrading Your PGP Universal Server 3.2.0

The following procedures apply to PGP Universal Servers running as standalone systems and clusters.
Note: Upgrading to 3.2.0 requires installing 2 PUP files: PGPUniversal3.2.0.pup and PGPUniversal3.2.0_JDK.pup.
To upgrade from PGP Universal Server 2.12 SP4 to PGP Universal Server 3.2:
1 Log in to your PGP Universal Server administrative interface.
2 Back up your data.
3 Upgrade to one of the following versions of PGP Universal Server by performing a fresh install:
3.0.2 SP2
3.1.2 SP2
4 Restore your data.
5 Select System > Updates.
6 Upload and install the PGPUniversal3.2.0.pup file for PGP Universal Server 3.2.
On the Software Updates page, the file has the version number 3.2.0 and a lower build number than the JDK.pup file.
7 Upload and install the PGPUniversal3.2.0_JDK.pup. On the Software Updates page, the file has the version number 3.2.0 and the build number 1700.
When installation is complete, the System Settings screen will not display the correct build number.
8 Reboot. Upgrading to PGP Universal Server 3.2 includes an update to the kernel, and if you do not reboot, the system cannot use the updated kernel.
To upgrade from PGP Universal Server 3.x to PGP Universal Server 3.2:
1 Log in to your PGP Universal Server administrative interface.
2 Select System > Updates.
3 Upload and install the PGPUniversal3.2.0.pup file for PGP Universal Server 3.2.
On the Software Updates page, the file has the version number 3.2.0 and a lower build number than the JDK.pup file.
4 Upload and install the PGPUniversal3.2.0_JDK.pup. On the Software Updates page, the file has the version number 3.2.0 and the build number 1700.
When installation is complete, the System Settings screen will not display the correct build number.
After the upgrade is complete, you must reboot PGP Universal Server. Upgrading to PGP Universal Server 3.2 includes an update to the kernel, and if you do not reboot, the system cannot use the updated kernel.

Verifying Your Upgrade

After you upgrade to the latest version of PGP Universal Server, you can verify whether the upgrade was successful.
To verify your upgrade
1 Upgrade in one of the following ways:
Migration
PUP update
2 After PGP Universal Server restarts, log in.
3 If you upgraded by migrating, select System > Backups.
The following links appear:
Download migration log file
Download backup log file
The backup log contains pointers to the line numbers in the migration log, where migration errors are detected. A typical error message in the backup log will look like:
error found at line xxx in <migration log>
The migrated database schema may differ from the default schema in the current release. At the end of the migration, a schema diff tool detects schema discrepancies. If discrepancies are found, an error message is written to the backup log.
4 If you upgraded by PUP updating, select System > Updates.
The following links appear:
Download migration log file
Download update log file
The update log contains pointers to the line numbers in the migration log, where update errors are detected. A typical error message in the update log will look like:
error found at line xxx in <migration log>
The migrated database schema may differ from the default schema in the current release. At the end of the upgrade, a schema diff tool detects schema discrepancies. If discrepancies are found, an error message is written to the update log.
5 Click the appropriate link and open or save the log file.
6 Review the log file. Call Technical Support to resolve the errors and stop them from appearing.
The download links will continue to appear until you resolve your errors and have upgraded successfully.
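One way to follow the pointers described in steps 3 and 4 once both log files are downloaded: this added example (not part of the guide or the product) resolves each "error found at line xxx" entry to the migration-log lines around it and checks for the "Database migration check completed." message. It assumes the real logs use exactly the pointer wording the guide shows; the sample logs and the file name migration.log are constructed.

```python
import re

# Pointer wording as printed in the guide: "error found at line xxx in <migration log>".
POINTER_RE = re.compile(r"error found at line (\d+) in (\S.*)$", re.IGNORECASE)
# Completion message the guide says appears in the update or migration log.
DONE_MARKER = "Database migration check completed."

# Constructed sample logs (not real product output).
SAMPLE_UPDATE_LOG = """\
starting restore
error found at line 3 in migration.log
error found at line 40 in migration.log
Database migration check completed.
"""
SAMPLE_MIGRATION_LOG = """\
creating tables
copying users
ERROR: schema differs from default: table example_table
copying keys
done
"""


def find_pointers(summary_log_text):
    """Return [(line_number, log_name)] for every pointer in a backup/update log."""
    pointers = []
    for line in summary_log_text.splitlines():
        match = POINTER_RE.search(line)
        if match:
            pointers.append((int(match.group(1)), match.group(2).strip()))
    return pointers


def resolve(pointers, migration_log_text, context=1):
    """Attach the migration-log lines around each pointer (1-based numbering)."""
    lines = migration_log_text.splitlines()
    findings = []
    for number, _name in pointers:
        if not 1 <= number <= len(lines):
            # Pointer is outside the file: wrong or truncated migration log.
            findings.append({"line": number, "excerpt": None})
            continue
        start = max(1, number - context)
        end = min(len(lines), number + context)
        excerpt = [(n, lines[n - 1]) for n in range(start, end + 1)]
        findings.append({"line": number, "excerpt": excerpt})
    return findings


def migration_report(summary_log_text, migration_log_text, context=1):
    """Summarise one upgrade: completion marker seen, plus resolved error pointers."""
    pointers = find_pointers(summary_log_text)
    completed = (DONE_MARKER in summary_log_text
                 or DONE_MARKER in migration_log_text)
    return {
        "completed": completed,
        "errors": resolve(pointers, migration_log_text, context),
    }


if __name__ == "__main__":
    report = migration_report(SAMPLE_UPDATE_LOG, SAMPLE_MIGRATION_LOG)
    print("completion marker present:", report["completed"])
    for finding in report["errors"]:
        if finding["excerpt"] is None:
            print("line", finding["line"], "is not in the migration log supplied")
            continue
        for number, text in finding["excerpt"]:
            flag = ">>" if number == finding["line"] else "  "
            print(flag, number, text)
```

An unresolved pointer (excerpt of None) usually means the two files come from different upgrade attempts, so download both links again before reviewing.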

Best Practices for Upgrade

The information in this list helps you ensure that your upgrade is successful:
Install and test the upgrade in a lab or staging environment before you integrate the upgrade into your network.
Back up the Organization Key and all the data from your PGP Universal Server before you upgrade.
You must back up your data to an external location, because the upgrade process deletes the data stored on your PGP Universal Server. If you do not (or cannot) use FTP to back up your data to an external location, contact Technical Support.
Save a copy of the installation media, in case you need to revert to the previous version.
During upgrade, the PGP Universal Server does not process email.
Before you upgrade PGP Universal Server, you must temporarily remove it from the mailflow.
Reconfiguring the MTA
If your network includes an MTA, you should reconfigure it to prevent email routing through the PGP Universal Server.
To reconfigure the MTA
1 Do one of the following:
If your company’s email routes through your PGP Universal Server, configure your MTA to halt outbound email processing.
If email that matches the criteria in your MTA content filter routes through the PGP Universal Server, configure the MTA to queue this email.
2 Configure the MTA to queue incoming email that passes through the PGP Universal Server, such as signed and/or encrypted email.
3 Review the PGP Universal Server log files to ensure that email is not passing through the PGP Universal Server.
4 Upgrade your PGP Universal Server and restore your user data.
5 Reconfigure your MTA to resume routing email to the PGP Universal Server.
Note: You can find more information about moving to PGP Universal Server 3.2.0 on the Symantec website (http://www.symantec.com).

Supported Client and PGP Universal Server Version Combinations

Symantec Corporation supports backward compatibility for clients only. PGP Universal Server 3.2.0 supports managing policy of these versions (and subsequent maintenance releases of each) of PGP Desktop:
9.5.3
9.6.1
9.6.2
9.6.3
9.7.1
9.8.2
9.9.0
9.9.1
9.10.0
9.10.1
9.12.0
10.0.0
10.0.1
10.0.2
10.1.0
10.2.0
Note: Limited backward compatibility support means that legacy features, such as enrollment, policy download, logging and reporting are supported, but legacy clients cannot access the latest client features in Consumer Policy.
We recommend that you upgrade your PGP Universal Server and your clients, so that they are eventually on the same release. For the most current information on which client versions are supported, see the Knowledge Base.
PGP Universal Server 3.2.0 supports managing policy of these versions (and subsequent maintenance releases of each) of PGP Universal Satellite:
2.5.3
2.6.3
2.7.1
2.8.2
2.9.0
2.10
2.12
3.0
3.0.1
3.1.0
Note: Policy options for features that do not exist in supported legacy versions are ignored by those installations.
PGP Universal Server 3.2.0 provides limited management support (without policy) back to PGP Desktop version 9.0 and PGP Universal Satellite version 2.0.

Configuring the PGP Universal Server

During configuration, the Setup Assistant transfers the saved data from the previous version into PGP Universal Server 3.2.0.
To upgrade and restore your data and configuration information:
1 Install the upgrade software as described in the PGP Universal Server Installation Guide.
2 In the Setup Assistant, begin the configuration.
You can perform a New Installation or restore your back-up configuration and data in this process. If you perform a new installation, you can restore your backup later through the PGP Universal Server administrative interface.
For more information on using the Setup Assistant to configure the PGP Universal Server as a new installation, see the PGP Universal Server Installation Guide.
For more information on restoring your backed up configuration and data using the Setup Assistant, see Restoring Configuration and Data.

Restoring Configuration and Data

To restore backed up data after installing the server:
1 Access the Setup Assistant in the new server.
2 Proceed through the wizard and click Forward.
3 Read the End User License Agreement and click I Agree and Forward.
4 In the Setup Type page, select Restore and click Forward.
5 In the Import Organization Key page, upload a file with your Organization Key and click Forward.
6 In the Upload Current Backup File page, click Choose File, select the backup file that you want to restore, and click OK.
7 In Upload Current Backup File page, click Forward.
To upload backups of 2GB or larger, contact Technical Support.
After the backup has installed, the Network Configuration Changed page appears and the server restarts automatically. You can also check the update or migration logs for the "Database migration check completed." message. You are redirected to the PGP Universal Server administrative interface, and the server is configured with the settings from the backup file you selected.
Your PGP Desktop license(s) have been restored with the appropriate Consumer Policy setting. If your existing PGP Desktop licenses are valid, you do not have to use the new default PGP Desktop client license. Your mail policy and proxy settings have been reproduced in the new mail policy feature. For more information on mail policy and reproducing your previous settings, see Migrating Groups from Version 2.x (see "Migrate Groups from PGP Universal Server 2.12 SP4"), Restoring Mail Policy Rules (see "About Restoring Mail Policy Rules"), and the PGP Universal Server Administrator’s Guide.
8 Proceed through the Setup Assistant until you have finished.
PGP Universal Server runs in the Learn Mode.
For more information on configuring the PGP Universal Server after the Setup Assistant is complete, see the PGP Universal Server Administrator's Guide.

Updating Your PGP Universal Web Messenger Complete Customizations

As a result of some new PGP Universal Web Messenger features, such as PDF Messenger Secure Reply and the ability to provide X.509 certificates to external users, after you upgrade to PGP Universal Server 3.2, you must also update your PGP Universal Web Messenger Complete Customizations. For more information on customizing Web Messenger, see Customizing PGP Universal Web Messenger in the PGP Universal Server Administration Guide.
To update your PGP Universal Web Messenger Complete Customization:
1 Select Services > Web Messenger.
2 In the Customization panel, click Add New Template.
3 Read the Customization Notice and click Continue.
4 Select Complete Customization and click Next.
5 Click Download next to one of the displayed options.
6 Select a location to save the file and click Next.
You should save the downloaded files in the same location as the older customization files. This way, the appropriate files are updated.
7 Zip the locally updated files.
8 Type a template name and click Next.
The other fields are optional.
9 Click Browse to locate the local Zip file and click Next.
The uploaded customization template appears on the Web Messenger page.

Migrate Groups from PGP Universal Server 2.12 SP4

Caution: After migrating from a previous version of PGP Universal Server, you must ensure that the groups are in the correct priority order. If groups are incorrectly prioritized, users will not receive the correct policy settings.
In PGP Universal Server version 2.12 SP4, if a user could be matched to more than one user policy, the user received the policy whose name came first in alphabetical order. Administrators could not change this ordering. In PGP Universal Server 3.2, because users can belong to more than one group, you must make sure that the policies are ranked correctly.

About Restoring Mail Policy Rules

In PGP Universal Server version 3.2, the Outbound policy chain now includes the following rules:
Sign + Encrypt, which takes effect when the user selects the Sign and Encrypt Plug-in buttons.
Sign, which takes effect when the user clicks the Sign plug-in button.
Encrypt, which takes effect when the user clicks the Encrypt plug-in button.
When you restore your data from a previous release, the Outbound policy chain definition is overwritten with the backed up Outbound policy chain. You must manually add these rules back into the Outbound policy chain.
To add these rules back to the Outbound policy chain, perform the following steps.
To add the Sign+Encrypt Buttons rule
1 In the PGP Universal Server administrative interface, select Mail > Mail Policy and click Outbound.
2 Click Add Rule.
3 In Rule Name, type Sign + Encrypt Buttons.
4 In Description, type User selects both sign and encrypt plugin buttons.
5 On the Conditions tab, do the following:
a Select If all the following are true.
b Select Message header.
c Type X-PGP-Sign-Button.
d Select contains.
e Type selected.
f Repeat steps b to e, except in the second field, type X-PGP-Encrypt-Button, instead of X-PGP-Sign-Button.
Your conditions dialog should look like this example.
6 On the Actions tab, do the following:
a Select Send (encrypted/signed).
b Under Encrypt to, select Recipient's key and Require verified key.
c Select Sign.
d Click Save.
Your action dialog should look like this example:
7 On the Key Search tab, do the following:
a Select Search for keys in additional locations:
b Select 1 and Keyserver of sender or recipient address.
c Click + to add a location.
d Select 2 and PGP Global Directory.
To change the order, you can select the correct number from the drop-down list to the left of the row, and the rows automatically renumber.
Your Key Search dialog should look like this example:
8 Click Save.
Your new rule is added to the end of the policy chain on the Outbound policy page.
9 Reorder your new Sign + Encrypt Buttons rule to make it number 10 in the list.
Sign + Encrypt Buttons should follow Always Encrypt Sensitive Messages and precede Application is Server.
To add the Sign Button rule
1 In the PGP Universal Server administrative interface, select Mail > Mail Policy.
2 Click Outbound and click Add Rule.
3 In Rule Name, type Sign Button.
4 In Description, type User selects sign plug-in button.
5 On the Conditions tab, do the following:
a Select If all the following are true.
b Select Message Header.
c Type X-PGP-Sign-button.
d Select contains.
e Type selected.
Your conditions dialog should look like the following example:
6 On the Actions tab, do the following:
a Select Send (encrypted/signed).
b Select Sign.
Your action dialog should look like the following example:
Note: No changes are required on the Key Search tab.
7 Click Save.
Your new rule is added to the end of the policy chain on the Outbound policy page.
8 Reorder your new Sign Button rule to make it number 11 in the list.
To add the Encrypt Button rule
1 In the PGP Universal Server administrative interface, select Mail > Mail Policy.
2 Click Outbound and click Add Rule.
3 In Rule Name, type Encrypt Button.
4 In the Description, type User selects encrypt plug-in button.
5 On the Conditions tab, do the following:
a Select If all the following are true.
b Select Message Header.
c Type X-PGP-Encrypt-Button.
d Select contains.
e Type selected.
Your conditions dialog should look like the following example:
6 On the Actions tab, do the following:
a Select Send (encrypted/signed).
b Select Recipient's key and Require verified key.
Your action dialog should look like the following example.
7 On the Key Search tab, do the following:
a Select Search for keys in additional locations:
b Select 1 and select Keyserver of sender or recipient address.
c Select 2 and select PGP Global Directory.
The keyserver of sender or recipient address must be first, followed by the PGP Global Directory.
Your Key Search dialog should look like the following example:
8 Click Save.
Your new rule is added to the end of the policy chain on the Outbound policy page.
9 Reorder the Encrypt Button rule to make it number 12, after the Sign Button rule, but before the Application is Server rule.
Your Outbound policy chain is now updated to restore the rules added for PGP Universal Server version 3.2 and should look like this example.
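The positions given for the three rules matter if the chain stops at the first rule that matches. The following Python model is an added example, not product code or part of this guide: first-match evaluation, the case-insensitive "contains" test and all function names are assumptions, while the rule names, headers, actions and positions are the ones entered in the steps above.

```python
from dataclasses import dataclass, replace
from email import message_from_string


@dataclass(frozen=True)
class Rule:
    position: int   # place in the Outbound chain
    name: str
    headers: tuple  # each listed header must contain "selected"
    encrypt: bool   # Encrypt to Recipient's key, Require verified key
    sign: bool      # Sign


# Names, header conditions, actions and positions as entered in the steps above.
RESTORED_RULES = (
    Rule(10, "Sign + Encrypt Buttons",
         ("X-PGP-Sign-Button", "X-PGP-Encrypt-Button"), True, True),
    Rule(11, "Sign Button", ("X-PGP-Sign-Button",), False, True),
    Rule(12, "Encrypt Button", ("X-PGP-Encrypt-Button",), True, False),
)


def matches(rule, msg):
    """'If all the following are true': every header contains 'selected'."""
    # Assumption: the comparison is a case-insensitive substring test.
    return all("selected" in (msg.get(h) or "").lower() for h in rule.headers)


def decide(raw_message, rules=RESTORED_RULES):
    """Return (rule name, encrypt, sign) for the first matching rule, else None."""
    msg = message_from_string(raw_message)
    # Assumption: rules are tried in chain order and the first match decides.
    for rule in sorted(rules, key=lambda r: r.position):
        if matches(rule, msg):
            return (rule.name, rule.encrypt, rule.sign)
    return None


def shadowed(rules):
    """List (rule, earlier rule) pairs where the earlier rule always wins."""
    ordered = sorted(rules, key=lambda r: r.position)
    pairs = []
    for i, later in enumerate(ordered):
        for earlier in ordered[:i]:
            # An earlier rule that needs only a subset of the later rule's
            # headers takes every message the later rule was meant for.
            if set(earlier.headers) <= set(later.headers):
                pairs.append((later.name, earlier.name))
    return pairs


def constructed_message(*button_headers):
    """Build a constructed sample message with the given plugin headers set."""
    lines = ["From: alice@example.com", "To: bob@example.net", "Subject: test"]
    lines += [f"{h}: selected" for h in button_headers]
    return "\n".join(lines) + "\n\nconstructed body\n"


BOTH = constructed_message("X-PGP-Sign-Button", "X-PGP-Encrypt-Button")
SIGN_ONLY = constructed_message("X-PGP-Sign-Button")

# The same rules with Sign Button moved ahead of Sign + Encrypt Buttons.
BOTH_RULE, SIGN_RULE, ENCRYPT_RULE = RESTORED_RULES
MISORDERED = (replace(SIGN_RULE, position=10),
              replace(BOTH_RULE, position=11), ENCRYPT_RULE)

if __name__ == "__main__":
    print(decide(BOTH))
    print(decide(BOTH, MISORDERED))
    print(shadowed(RESTORED_RULES), shadowed(MISORDERED))
```

Under these assumptions, placing Sign Button ahead of Sign + Encrypt Buttons would send a message with both plugin headers set signed but unencrypted.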

Migrating a Cluster

This chapter describes how to upgrade a PGP Universal Server cluster to version 3.2.0.
For an overview of clustering in PGP Universal Server version 3.2, see Clustering your PGP Universal Servers in the PGP Universal Server Administrator's Guide.
Important: Before you install new software on any of your cluster members, run the pgpSyncUsers utility on your PGP Universal Server 2.12 SP4 Primary cluster member to ensure there are no data inconsistencies between your primary and secondary servers. Inconsistencies may cause user data to be migrated incorrectly.

Cluster Migration Overview

All cluster members have the same database and configuration information, so changes on one are replicated to the others. The cluster migration process preserves this relationship.
Your Primary server must be migrated first. As part of the backup restoration process, the Primary server's 2.12 SP4 data is migrated into the version 3.2 database. This server now acts as the sponsoring server for the other cluster members. As it is joined to the new 3.2.0 cluster, its data is replicated to each cluster member. The join process also attempts a limited automatic reconciliation of data that exists on the joining server. If Web Messenger is running in the Home Server mode, the Web Messenger data is migrated individually on each cluster member and is not replicated to other cluster members.
If there are data inconsistencies or conflicts between the PGP Universal Server 2.12 SP4 Primary and its secondary servers, the migration process may not be able to reconcile the inconsistencies. You can run the pgpSyncUsers utility, which identifies data inconsistencies between your Primary and Secondary cluster members. If you customized your PGP Universal Server configuration, you may have to perform the customizations again after you migrate your cluster. Contact Technical Support for more information.
Important: pgpSyncUsers must be run on your PGP Universal Server 2.12 SP4 cluster before you migrate to PGP Universal Server 3.2.0. For instructions to access and use pgpSyncUsers, see the Knowledge Base.
Cluster Migration Requirements
All members of a PGP Universal Server cluster must run the same software version. Since member servers do not share the software upgrade, you must migrate each server individually. To upgrade a cluster successfully, you must run PGP Universal Server version 2.12 SP4 or later. If you are running an earlier version, you must upgrade to PGP Universal Server 2.12 SP4 on each server.
The upgraded and restored primary server acts as the sponsor for the other servers that join the cluster. You should upgrade all cluster members at the same time. If all the servers are down at the same time, email will not move through your network. For more information about temporarily stopping the mailflow, see Best Practices for Upgrade (on page 9).
Migrating Your Cluster
This process provides an overview of the cluster upgrade process.
1 Verify that your PGP Universal Server cluster members are running PGP Universal Server version 2.12 SP4 or later.
If your cluster members are running an earlier version, you must first upgrade to version 2.12 SP4.
2 Download, install, and run pgpSyncUsers to identify whether there is inconsistent data between your primary and secondary cluster members.
Inconsistent data may not migrate correctly to version 3.2.0. For more information, see Identifying Cluster Synchronization Issues Prior to Migration (see "Cluster Synchronization Issues Before You Migrate" on page 23).
3 Back up all cluster members to an external location.
From PGP Universal Server 2.12 SP4, you must migrate (back up and restore) to one of the following and then PUP update to PGP Universal Server 3.2:
PGP Universal Server 3.0.2
PGP Universal Server 3.0.1
For more information on backing up your PGP Universal Servers, including their Organization Keys, see Backing Up the Data and Organization Key (on page 6).
4 Install PGP Universal Server 3.2.0 on your primary server.
See Upgrade Steps (see "Upgrading Your PGP Universal Server 3.2.0" on page 7) for more information on your PGP Universal Server version and to restore its backup. This server is the sponsoring server that is used to recreate the cluster. After the restore, select System > Clustering in the primary server's administrative interface to see the previous secondaries that are listed as pending cluster members.
5 Install PGP Universal Server 3.2.0 on each secondary server.
6 Restore each secondary's backup (from Step 3) before you join the secondaries to the new cluster.
Important: Do not use the Cluster Member option in the Setup Assistant.
You should back up the secondary server if the original cluster was in home server mode. In high availability mode, only the primary needs to be backed up because all cluster members share the same user data. It is always faster to update the primary server and then join the secondary servers.
Note: If you see data inconsistencies, you must contact Technical Support.
7 After restoring the backup, on the previous secondary server, select System > Clustering and click Join Cluster.
8 Type the IP address of the previous primary server, which is now the sponsoring server.
9 After the secondary server has requested to join a cluster, and is in a waiting state, select System > Clustering.
10 In the list of pending cluster members, click Contact next to the secondary server's name.
This step initiates the join and the data replication process. For more information on migrating your Primary and Secondary cluster members, see Migrating your Primary Cluster Server (on page 24) and Migrating a Secondary Cluster Member (on page 25).
When the cluster migration is complete, all cluster members have the replicated database and many of the same configuration settings. In a cluster from version 3.0 and later, all cluster members act as peers, where every server in the cluster serves all requests, and any server can initiate persistent changes.
Note: When you restore your data from a release earlier than version 3.0, some of the rules in the Outbound mail policy are lost. You must retype these rules manually.
For more information, see Restoring Mail Policy Rules (see "About Restoring Mail Policy Rules" on page 13). Since Mail Policies are global, you can retype the rules on the sponsoring server before you join the other cluster members or on a cluster member after it has joined the cluster.
Cluster Synchronization Issues Before You Migrate
Before migrating a PGP Universal Server cluster to version 3.2.0, you must run the pgpSyncUsers utility on the primary server in your 2.12 SP4 cluster to determine if there are data inconsistencies between your primary and secondary servers. If the utility identifies data consistency or other data problems, contact Technical Support before you migrate your cluster. The migration process may not be able to reconcile data inconsistencies, and in some cases, inconsistent data from a secondary may be lost.
Remember the following:
For more information on pgpSyncUsers, see the Knowledge Base.
Your PGP Universal Server 2.12 SP4 cluster must be running PGP Universal Server version 2.12 SP4. If you are running a version earlier than 2.12 SP4, do a backup and restore to 3.0.2 or 3.1.2 and then a PUP update to version 3.2.0.
To install and run the utility, you must have command line access via SSH to your PGP Universal Server cluster primary server. See Accessing the PGP Universal Server using SSH (UN) (see "Accessing the PGP Universal Server using SSH" on page 23) for more information.
Note: If the utility identifies inconsistencies in user data, contact Technical Support.

Accessing the PGP Universal Server using SSH

To access PGP Universal Server through the command line, you must create an SSHv2 key and add it to the superuser administrator account in PGP Universal Server. You can do this, for example, by using PuTTYgen to create an SSHv2 key and PuTTY to log in to the command line interface. You add the SSHv2 key to your superuser administrator account through the PGP Universal Server administrative interface.

PuTTY is a free suite of SSH tools that includes the following:
PuTTYgen
PuTTY
PSFTP
Pageant, the PuTTY authentication agent
The PuTTYgen and PuTTY.exe files can be downloaded separately from the Internet. To set up command line access to the PGP Universal Server, see the Knowledge Base.
Migrating your Primary Cluster Server
Before you migrate, you must ensure that your PGP Universal Server cluster members are running PGP Universal Server 2.12 SP4 or later. If your cluster member is running an earlier version, you must upgrade to version 2.12 SP4.
To migrate your primary cluster
1 Download, install, and run pgpSyncUsers.
Inconsistent data may not migrate correctly to version 3.2.0. For more information, see the Knowledge Base.
2 Back up your primary PGP Universal Server, including the Organization Key, to an external location.
For detailed information see Backing Up the Data and Organization Key (on page 6).
3 Follow Upgrade Steps (see "Upgrading Your PGP Universal Server 3.2.0" on page 7) to migrate your primary server to PGP Universal Server version 3.2.0.
For more information on installing 3.2.0 and running the Setup Assistant, see the PGP Universal Server Installation Guide. In the Setup Assistant, you can select New Installation or Restore.
Warning: Do not select Cluster Member for your primary server.
4 If you selected New Installation in the Setup Assistant, in the administrative interface, select System > Backups to restore the backup to the former primary server.
5 After the restore is complete, select System > Clustering in the former primary server to see the secondary servers appear as pending cluster members.
Until the secondary servers rejoin the cluster, their status remains as pending. The join action must be requested by each former secondary. The Contact button that appears next to each pending member does not have an effect until the former secondary server has migrated and requests a join to the cluster.
Note: For the sponsoring server to successfully contact the joining server, the hostname and IP address of the joining server must be resolvable via DNS. If not, the sponsoring server cannot contact the joiner, and the join will not succeed. If your cluster members do not have DNS resolvable hostnames, contact Technical Support.
6 After the secondary has been migrated to version 3.2.0 and has requested a join, in the sponsoring server's administrative interface, select System > Clustering.
7 Click Contact next to the secondary that is joining the cluster.
The joining cluster member's status changes from Pending to Replicating. This step initiates the join process, which involves replicating data from the sponsor to the new cluster member. The configuration settings for the PGP Universal Server you are installing as a cluster member, including administrator login and password, primary domain, and ignition key (if any) are replicated from the sponsoring server.
The join process also performs reconciliation of data that may have existed uniquely on the former secondary. For example, if your cluster was previously running PGP Universal Web Messenger in Home Server mode, the join process migrates all Web Messenger data that was kept on the secondary. If the sponsoring server in a cluster has a large database, the join of a cluster member can take a long time. To avoid a join failure, you can increase the join timeout value setting before you start the join. This setting can only be modified through SSH access, with the help of Technical Support.
PGP Universal Server 3.2 allows you to specify whether a cluster member is located in your DMZ and whether it should be allowed to host private keys for internal users.
When you migrate a secondary from an earlier release, it is migrated with these default settings:
Not located in the DMZ.
Allowed to host private keys.
You can change these settings by selecting System > Clustering > Edit Member and clicking the cluster member name.
Note: Customers with databases larger than 1GB should use the manual join scripts instead of joining through the administrative interface.
After your cluster member has joined the cluster, you must restore your Outbound Mail Policy on one of the servers in your cluster by following the instructions in Restoring Mail Policy Rules (see "About Restoring Mail Policy Rules" on page 13). These changes are replicated to the other cluster members.
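The DNS requirement in the note to step 5 can be checked before any former secondary requests a join. The following Python pre-flight is an added example, not a PGP Universal Server tool: it assumes the requirement means the hostname resolves to the member's address and the address maps back to that hostname, and that it is run on a host using the same resolvers as the sponsoring server. Hostnames, addresses and the stand-in resolvers are constructed.

```python
import socket


def check_joiner(hostname, ip, forward=socket.gethostbyname_ex,
                 reverse=socket.gethostbyaddr):
    """Return a list of problems; an empty list means the pair resolves."""
    problems = []
    want = hostname.lower().rstrip(".")

    # Forward lookup: the joiner's hostname must resolve to its address.
    try:
        _, _, addresses = forward(hostname)
    except OSError as exc:  # socket.gaierror and socket.herror are OSErrors
        problems.append(f"{hostname}: no forward record ({exc})")
    else:
        if ip not in addresses:
            problems.append(f"{hostname}: resolves to {addresses}, not {ip}")

    # Reverse lookup: the address must map back to the same hostname.
    try:
        name, aliases, _ = reverse(ip)
    except OSError as exc:
        problems.append(f"{ip}: no reverse record ({exc})")
    else:
        names = {n.lower().rstrip(".") for n in (name, *aliases)}
        if want not in names:
            problems.append(f"{ip}: maps back to {sorted(names)}, not {hostname}")
    return problems


def preflight(members, **resolvers):
    """Check every (hostname, ip) pair; return {hostname: problems} for failures."""
    report = {}
    for hostname, ip in members:
        problems = check_joiner(hostname, ip, **resolvers)
        if problems:
            report[hostname] = problems
    return report


# Constructed stand-ins for DNS so the example runs offline.
FORWARD_TABLE = {"keys2.example.com": ["192.0.2.12"],
                 "keys3.example.com": ["192.0.2.99"]}
REVERSE_TABLE = {"192.0.2.12": "keys2.example.com"}


def fake_forward(hostname):
    if hostname not in FORWARD_TABLE:
        raise socket.gaierror(-2, "Name or service not known")
    return (hostname, [], FORWARD_TABLE[hostname])


def fake_reverse(ip):
    if ip not in REVERSE_TABLE:
        raise socket.herror(1, "Unknown host")
    return (REVERSE_TABLE[ip], [], [ip])


# Constructed list of former secondaries that will request a join.
MEMBERS = [("keys2.example.com", "192.0.2.12"),
           ("keys3.example.com", "192.0.2.13"),
           ("keys4.example.com", "192.0.2.14")]

if __name__ == "__main__":
    # Drop the fake resolvers to query the system resolver instead.
    for host, issues in preflight(MEMBERS, forward=fake_forward,
                                  reverse=fake_reverse).items():
        print(host, issues)
```

The system resolver used by default also consults the local hosts file, so an empty report from a workstation does not prove the records exist in DNS.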
Migrating a Secondary Cluster Member
Before you perform the backups, run pgpSyncUsers to identify and correct data synchronization problems in your version 2.12 SP4 clusters.
To migrate a secondary cluster member
This procedure provides instructions to migrate your secondary cluster members.
1 Back up each of your secondary servers, including their Organization Keys, to an external location.
For more information, see Backing Up the Data and Organization Key (on page 6).
2 Follow the instructions in Upgrade Steps (see "Upgrading Your PGP Universal Server 3.2.0" on page 7) to migrate your secondary server to PGP Universal Server version 3.2.0.
Detailed instructions on installing the 3.2.0 software and running the Setup Assistant are found in the PGP Universal Server Installation Guide.
3 Restore the backup.
You should only back up the secondary servers when your cluster is running Web Messenger in the home server (HS) mode. Otherwise, it is always more efficient to install PGP Universal Server 3.2.0 on the secondary servers and join these servers to the sponsor server. Typically, the following local server settings are not replicated:
Network settings
SMTP settings
SNMP settings
SSL/TLS certificates
Backup
Mail routes
Mail proxies
Mail queue
Service access control
Key cache
Your log files are not preserved during the migration. When you restore the backup, these settings and files are restored.
You may have to restore the backup to a secondary server under these conditions:
You are not running PGP Universal Web Messenger in HS mode or Web Messenger was not running on this server.
You do not need to preserve server-specific settings for mail routes, mail proxies, or external LDAP servers.
You do not need to restore the SSL/TLS certificate for this secondary server.
For more information, see Manually Reconfiguring Non-replicated Server Settings (on page 27).
Note: Restoring the secondary nodes followed by a join will take more time.
4 After the restore, log in to the administrative interface of the former secondary server.
5 Select System > Clustering and click Join Cluster.
6 (Optional) Enter the hostname or IP address of the sponsoring server (the former primary server) and click Save.
After a warning, the joining server is put into a pending state until contact is initiated from the sponsoring server.
7 In the sponsoring server's administrative interface, select System > Clustering and click Contact next to the secondary that is in the Wait state.
8 The sponsoring server initiates the join and data replication.
9 Monitor the progress bar to track the replication.
Repeat these steps to migrate and rejoin all your former secondary servers to the version 3.2.0 cluster. We recommend that you always use the former primary server as the sponsoring server.

Manually Reconfiguring Non-Replicated Server Settings

If you do not plan to restore the backup onto a secondary server, but would like to preserve some non-replicated settings, you can individually restore those settings after you migrate to 3.2.0.
Important: You must back up the data from every cluster member to an external location. If you do not have individual settings for your secondary cluster members, rather than restoring the secondary backups, you can rely on the data replicated from your primary server.
To save specific, non-replicated settings
You must export or note the following, as appropriate to your installation.
1 Export your server SSL/TLS certificates.
a On each secondary server, select System > Network and click Certificates at the bottom of the dialog box.
b Select a certificate.
c Click Export.
The certificate is exported as a PKCS#12 file.
d Repeat this process for all the certificates you want to export.
2 Note the settings of your mail routes and proxies.
You need to re-configure these settings on the secondary after you install 3.2.0.
3 Select Reporting > Logs and click Export Logs.
The logs are saved in a separate location from the full backup.
To restore specific, non-replicated settings
After you install and configure the PGP Universal Server 3.2.0 on your former secondary server, and before you join this server to the new 3.2.0 cluster, you must restore your certificates, mail route, and mail proxy configurations. If you cannot manually restore your log files, and you want to restore the log files to a secondary server, you must restore the full backup.
1 If your secondary server used a different SSL/TLS certificate from the former primary server, import the certificate you exported in step c above.
a When the replication is complete, log in to the cluster member's administrative interface.
b Select System > Network and click Certificates.
c Click Add Certificates.
d Click Import.
You can import your saved PKCS#12 file in the Import SSL/TLS Certificate page.
2 In the cluster member's administrative interface, configure the appropriate mail routes and mail proxies.
Select Mail > Mail Routes and click Add Mail Route.
For more information, see Specifying Mail Routes in the PGP Universal Server Administrator's Guide.
Select Mail > Mail Proxies and click Add Proxy.
For more information, see Configuring Mail Proxies in the PGP Universal Server Administrator's Guide.
Changing Your Web Messenger Message Replication Settings
In PGP Universal Server version 3.2, if you run PGP Universal Web Messenger in a cluster, you can control how Web Messenger message replication is handled.
You can still have Web Messenger messages:
Replicated to all cluster members (as in the former HA mode)
Not replicated (as in the former HS mode).
You can now choose to have Web Messenger messages replicated only to a subset of servers that are running Web Messenger. This allows you to take advantage of the PGP Universal Server replication services without incurring the costs of replicating to all Web Messenger servers in the cluster. For example, if you have four servers running Web Messenger, you can have messages replicated only to two of the four servers.
When the cluster migration from a version 2.12 SP4 cluster is complete, if this cluster was running in Home Server mode, Web Messenger message replication is set to Off. If the cluster was running in HA mode, message replication is set to All. To change the message replication settings, select Services > Web Messenger, and on the Options tab, click Edit. Since the message replication setting is global, you can change this setting from the administrative interface of any cluster member.