The Security Analytics/NetWitness Suite Patch releases can be installed on Service Packs, but not on major releases. For example, 10.6.1.1 can be installed on 10.6.1.0 but not on 10.6.0.0. This also means that the patch release upgrade packages only contain the rpms that are needed to upgrade from the nearest service packs.
If the latest patch was not applied to all appliances at the same time, you need to use a workaround to update them.
- SA server, Log Collector, and Concentrator have been built from the 10.6.0 OVA.
- Connection to Live Update Repository was turned off.
- SA Server and Log Collector were upgraded to 10.6.1 by using the split zip packages (7 zip files). But the Concentrator was left as 10.6.0.0.
The 10.6.1 upgrade package was removed from the local repo (SA UI -> Systems -> Updates -> Settings -> Manage Repository. Select and remove 10.6.1).
Now the 10.6.1.1 packages (5 zip files) were uploaded.
SA Server and LC can be upgraded to 10.6.1.1. But Concentrator only sees 10.6.0.2 as a possible upgrade.
1. Load 10.6.1 so that there will be both 10.6.1 and 10.6.1.1 in the local repo.
2. Log into the Concentrator console.
3. Copy the /etc/yum.repos.d/RSASoftware.repo file and create the temp.repo file under the same location. In the temp.repo file, change the last section of the baseurl with the actual release number to 10.6.1 (SA server's local repo folder.)
4. From a command prompt, run “yum clean all”, followed by “ yum check-update”. At this point, you should be able to see the SA 10.6.1.1 rpms returned.
6. Run “yum update –y”
7. After a successful upgrade, delete the temp.repo file.
From the end of Case 1 --- After upgrading the SA server to 10.6.1.1, add a new 18.104.22.168 ESA.
The new ESA was provisioned successfully.
The only update option available to the ESA is 10.6.0.2 but only sees 10.6.0.2 as a possible upgrade.
The same workaround above will work for ESA.
This scenario came from Michael McGillick originally a couple of months ago. I thought that above information is worth sharing.
Thank you Melinda Zelenkov for reviewing this post.