Table Of Contents
Installing, Upgrading, Downgrading, Uninstalling, and Reinstalling Server Applications
Changing the Default Location for Temporary Files
Exporting Data from IPS MC 2.2
Installing Server Applications
Upgrading Server Applications
Important Notes for Upgrading AUS Using Backup and Restore
Backing Up a 3.0 Database and Restoring to a 3.0.2 Server
Backing Up a 3.0.1 Database and Restoring to a 3.0.2 Server
Importing IPS MC 2.2 Data
Obtaining Service Packs and Point Patches
Applying Service Packs and Point Patches
Downgrading Server Applications
Uninstalling and Reinstalling Server Applications
Uninstalling Server Applications
Reinstalling Server Applications
Uninstalling Cisco Security Agent
Installing, Upgrading, Downgrading, Uninstalling, and Reinstalling Server Applications
This chapter contains these major sections:
•
Changing the Default Location for Temporary Files
•Exporting Data from IPS MC 2.2
•Installing Server Applications
•Upgrading Server Applications
•Exporting Data from IPS MC 2.2
•Obtaining Service Packs and Point Patches
•Applying Service Packs and Point Patches
•Downgrading Server Applications
•Uninstalling and Reinstalling Server Applications
Changing the Default Location for Temporary Files
The installation utility for Security Manager uses your Windows temporary directory, which Windows associates by default with your C:\ drive. If your target server has more than one local disk drive, and if you have less free space on your C:\ drive than is specified in Server Requirements, page 1-4, you might edit the environment variables for your server so that C:\ is not the default location for temporary files.
To see the environment variables for your sever and edit their values so that you can change the default location for storing temporary files:
Step 1 Right-click My Computer, then select Properties from the shortcut menu.
Step 2 Click the Advanced tab.
Step 3 Click Environment Variables.
The Environment Variables window contains one area for variables that are associated with the active username in the current login session, and another area for variables that always apply to your server. Both of these areas can include variables (with names like TEMP, TMP, and TMPDIR) that tell Windows and other software where to store temporary files.
Step 4 Select the name of a variable that you want to change.
Step 5 Click Edit, change the value for that variable, then click OK.
Exporting Data from IPS MC 2.2
If you migrate data from an installation of IPS MC 2.2, and if the IPS MC server is the same server on which you install Security Manager, you must do the following before you start installing Security Manager, which automatically installs IPS Manager.
Note•We do not support Security Manager coexistence on the same server with VMS 2.3, the suite of applications of which IPS MC is one component. We recommend that you follow all the guidelines in Chapter 1, "Preparing a Server for Installation."
•Available space (on the IPS MC server disk partition where you will store your backup) must not be less than the size of the IPS MC database.
•If the IPS MC database that you import contains Security Monitor sensor alarms or syslog events, IPS Manager ignores those alarms and events when it imports the database. IPS Manager cannot use any records that are associated with Security Monitor.
Step 1 Back up your IPS MC server database files. See http://www.cisco.com/en/US/docs/security/security_management/vms/security_monitor/2.2/user/guide/DbRules.html#wp3263.
Step 2 Move the backed-up database from CSCOpx\MDC\backup to a secure volume.
Installing Server Applications
Tip To learn how to uninstall or reinstall Security Manager, see Uninstalling and Reinstalling Server Applications.
You can install Security Manager 3.0.2 server software directly, or you can upgrade the software on a server where Security Manager either 3.0 or 3.0.1 is installed.
Before You Begin
•For supported OS versions, see Server Requirements, page 1-4.
•We recommend that you install Security Manager on a dedicated server in a controlled environment.
•Security Manager 3.0.2 requires that you use Common Services 3.0.5. Therefore, if you upgrade from an earlier Security Manager version, the installed Common Services version is also upgraded.
•If you install Security Manager and its related applications on a server where you previously installed any version of Common Services earlier than 3.0.5, you must first uninstall the older version and uninstall every application that relies on that version. If you install Security Manager on a server where any unsupported, older version of Common Services is installed, Security Manager might not work correctly. See Chapter 1, "Preparing a Server for Installation."
•If you obtained a base license for Security Manager and IPS Manager (see Effects of Licensing on Installation, page 1-7), move a copy of the license file to your server. Security Manager sees only the local volumes, not the mapped drives, when you browse directories on your server.
Step 1 Disable every active instance of Sybase, then follow the instructions that apply to your installation:
Installing from the DVD:
|
Installing from Cisco.com:
|
Insert the Security Manager installation DVD in the Windows server DVD drive:
•If autorun is enabled, the installer opens automatically.
•If autorun is not enabled, open the csm3_0_2_win_server folder, double-click Setup.exe, then click Yes to confirm that you are installing or upgrading Security Manager.
|
a. Go to http://www.cisco.com/go/csmanager, then click Download Software.1
b. Download both the documentation and the self-extracting software installation utility for Cisco Security Manager 3.0.2.
Note Save the installation utility on a disk that is local to your server. Installation cannot succeed over a network connection to a remote volume, even if installation seems to succeed.
c. Print and read the documentation to learn what important considerations might affect your installation.
d. Follow the instructions in the documentation for decompressing and starting the installation utility.
The InstallShield Wizard extracts files to a temporary directory and checks their integrity while it constructs the Cisco Security Manager Setup application, which starts automatically.
Tip If an error message says the file contents cannot be unpacked, we recommend that you empty the Temp directory, scan for viruses, delete the C:\Program Files\Common Files\InstallShield directory, then reboot and retry. See also Changing the Default Location for Temporary Files.
|
Tip If you reinstall any applications, or install applications in addition to applications that you installed previously, or if you upgrade your installed applications, the Security Manager server performs a full, mandatory backup before you can advance beyond this step.
Step 2 When the Setup application prompts you to decide among essential options, such as which applications to install, select the options that meet your requirements.
If you do not understand your options, see the step-by-step instructions in Appendix A, "Security Manager Server Installation GUI Reference."
Note When the wizard prompts you to enter passwords for the admin login account and the System Identity login account, you must specify the same password for both accounts. See Understanding User Accounts, page A-1.
If you are installing Security Manager (rather than upgrading it), the installer prompts you to select your license options and enter your license key. You can use the free evaluation license or the base license file that you purchase.
If you use the Professional Edition of Security Manager (see Effects of Licensing on Installation, page 1-7), see the Performing Administrative Tasks section in the online help for information about installing any additional device license increments that you buy.
Step 3 Click Finish.
Setup installs and configures the selected components.
Note If you are evaluating Security Manager, the evaluation period is 90 days and limits the maximum number of managed devices to 50. The evaluation version functions fully in all other ways. Each time that you start the evaluation version, a message is displayed that:
•Counts down the number of days remaining until the evaluation period ends.
•Tells you how to install a Security Manager license.
See Effects of Licensing on Installation, page 1-7.
Step 4 Restart the server.
Your Security Manager server is now:
•Available as a source from which to download the dedicated Security Manager client application. See Chapter 1, "Installing or Uninstalling Security Manager Client."
•Protected by the standalone version of Cisco Security Agent. See Cisco Security Agent, page 1-6, and see Appendix A, "Cisco Security Agent: Standalone Agent Overview."
If you expect to import data from a preexisting installation of IPS MC, first see Importing IPS MC 2.2 Data.
Note If McAfee VirusScan is installed on your server and if you will install RME or Performance Monitor now that Security Manager is installed, you must first:
1. Confirm that VirusScan is running.
2. Confirm that the VirusScan feature called "On-Access Scan" is running.
If VirusScan is installed but turned off, or if its On-Access Scan feature has been turned off, problems might prevent you from installing RME or Performance Monitor. In addition, any RME or Performance Monitor installations that fail for this reason might prevent Security Manager from operating correctly on your server. To work around these problems:
1. Reinstall Security Manager.
2. Start the VirusScan software.
3. Start the On-Access Scan feature in VirusScan.
4. Reinstall RME and Performance Monitor.
For information about the files that are installed on your server and the locations to which they are saved, see Locations of Installed Files on Servers, page 1-9.
Upgrading Server Applications
Note•Security Manager 3.0.2 requires that you use Common Services 3.0.5. Therefore, if you upgrade from an earlier Security Manager version, the installed Common Services version is also upgraded.
•If you expect to upgrade from VMS to Security Manager, see http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5739/ps6498/prod_bulletin0900aecd803ffd79.html. This bulletin explains how you can use your Cisco Software Application Support (SAS) contract number or Cisco Software Application Support plus Upgrades (SASU) contract number for VMS to order a free license for Security Manager in the Product Upgrade Tool (PUT).
Use the following procedure to upgrade the software on a server where Security Manager 3.0 or 3.0.1 (or any of its related applications) is installed:
Step 1 Before you can successfully upgrade to Security Manager 3.0.2, you must make sure that the existing Security Manager database does not contain any pending data, meaning data that has not been committed to the database. If the existing Security Manager database contains pending data, you must commit or discard all uncommitted changes before upgrading:
a. In non-Workflow mode:
–To commit changes, select File > Submit.
–To discard uncommitted changes, select File > Discard.
Note If there are multiple users with pending data, the changes for those users must also be committed or discarded. If you need to commit or discard changes for another user, you can take over that user's session. To take over a session, select Tools > Security Manager Administration > Take Over User Session.
b. In Workflow mode:
–To commit changes, select Tools > Activity Manager. From the Activity Manager window, select an activity, then click Submit.
Note If you have enabled the activity approval requirement, you must also approve all activities after submitting. To approve an activity, select Tools > Activity Manager. From the Activity Manager window, select an activity and click Approve.
–To discard uncommitted changes, select Tools > Activity Manager. From the Activity Manager window, select an activity, then click Discard. Only an activity in the Edit or Edit Open state can be discarded.
Step 2 Create a backup of the database for Security Manager 3.0 or 3.0.1. See "Using Tools > Backup and Restore" in the online help.
Note We recommend that you use any folder other than the one in which Security Manager is installed to save a backup of the database. Specifying the same folder where Security Manager is installed might interfere with the backup framework and corrupt the database.
When you back up the Security Manager database using CLI, information about the total disk space that is required to store the database backup is displayed at the start of the backup operation. Backup requires enough storage space on the target location for the backup to start. Backup process terminates if enough disk space is not available in the directory specified as the target location.
If you are backing up the AUS database, see Important Notes for Upgrading AUS Using Backup and Restore for information on how to handle AUS-related files that are not preserved during backup.
Step 3 To upgrade in place, simply run the installer for Security Manager 3.0.2. For step-by-step instructions, see Installing Server Applications.
Note When you upgrade in place to 3.0.2 from an earlier version of Security Manager and that version contains any pending data, an error message is displayed stating that all pending activities must either be committed or discarded. If you get this error message, click OK to stop the installation, submit or discard all uncommitted data, and restart the installation. We recommend that you also create a backup of your current database after committing or discarding any pending data and before beginning the upgrade. For information on how to submit or discard uncommitted changes, see Step 1.
When you perform an inline upgrade from Security Manager 3.0 or 3.0.1 to Security Manager 3.0.2, you cannot select the Auto Update Server 3.0.2 check box in the component selection screen of the installation wizard because it is grayed out. For more information, see CSCsi94395.
After you have completed the upgrade, skip to Step 5.
Step 4 Alternatively, you can do the following:
a. Uninstall Security Manager 3.0 or 3.0.1. See Uninstalling Server Applications.
A version of Cisco Security Agent is installed on your Security Manager server. When you explicitly uninstall Security Manager, the Cisco Security Agent software remains on your server.
–If Cisco Security Agent is the fully configurable, commercial version, it will never be overwritten by a Security Manager installation or uninstallation.
–If Cisco Security Agent is the customized and standalone version, with predefined policies that you cannot change, it will be overwritten only when you install a new Security Manager version.
You can uninstall Cisco Security Agent manually, but we recommend that you do not. See Uninstalling the Standalone Agent, page A-4.
b. Install Security Manager 3.0.2. See Installing Server Applications.
c. Restore the database from its backup. See "Using Tools > Backup and Restore" in the online help.
Note If you are restoring the Security Manager database that contains AUS data, see Important Notes for Upgrading AUS Using Backup and Restore for information on how to handle AUS-related files that were not preserved during backup.
Step 5 After you upgrade Security Manager, you must also uninstall Security Manager Client on every client system, then download and run the new version of the Security Manager Client installation utility. See Chapter 1, "Installing or Uninstalling Security Manager Client."
Important Notes for Upgrading AUS Using Backup and Restore
This section describes important notes that you must remember when you upgrade from AUS 3.0 or 3.0.1 to AUS 3.0.2 by backing up and restoring the Security Manager database.
Backing Up a 3.0 Database and Restoring to a 3.0.2 Server
When you back up the Security Manager 3.0 database from one server to restore to a different server running AUS 3.0.2, or to the same server after installing 3.0.2, you must copy the library.prop file to a different location on your local disk. You need to manually copy the library.prop file before upgrading to 3.0.2. because this file is not preserved during the database backup operation. After you restore the 3.0 database to an AUS 3.0.2 system, you must manually copy the library.prop file to the NMSROOT\MDC\tomcat\vms\autoupdate\WEB-INF\classes\com\cisco\nm\callhome\library\properties directory.
Note The value of NMSROOT, which is the directory in which AUS is installed, on the target system that you upgraded to 3.0.2 should be the same as the value of NMSROOT on the server where you created the backup database. If it is different, you must manually change the value of NMSROOT in the library.prop file to reflect the path in which AUS is installed on the target system.
The CNS bootstrap password in the callhome.prop file depends on the BK key stored in the library.prop file. You must preserve both the callhome.prop and library.prop files for the database restored from a different server to function properly. To do so, you must reset the CNS bootstrap password configured in AUS and stored in the callhome.prop file after you restore the 3.0 database to the same or different server running 3.0.2, because the old password is not retained after you restore the database and would be invalid for the new AUS 3.0.2 system. For more information on how to change the default CNS bootstrap password in an AUS 3.0.2 server, see http://www.cisco.com/en/US/docs/security/security_management/cisco_security_manager/auto_update_server/3.2/user/guide/as_boot.html#wp1014471.
Backing Up a 3.0.1 Database and Restoring to a 3.0.2 Server
When you back up the Security Manager 3.0.1 database from one server and restore it to a different server running 3.0.2 or to the same server after installing 3.0.2, only the library.prop file is preserved and not the callhome.prop file. As a result, the old CNS bootstrap password stored in the callhome.prop file is not retained after you restore the database and is invalid for the new AUS system. Because the callhome.prop file is not preserved from the backed up database, you must reset the CNS bootstrap password configured in AUS. For more information on how to change the default CNS bootstrap password in an AUS 3.0.2 server, see http://www.cisco.com/en/US/docs/security/security_management/cisco_security_manager/auto_update_server/3.2/user/guide/as_boot.html#wp1014471.
Importing IPS MC 2.2 Data
Before You Begin
If you migrate data from IPS MC 2.2 to IPS Manager 3.0, you can complete the following procedure successfully only after you:
1. Complete the procedure described in Exporting Data from IPS MC 2.2.
2. Complete the Security Manager installation that installs IPS Manager automatically. See Installing Server Applications.
Note•If the IPS MC database that you import contains Security Monitor sensor alarms or syslog events, IPS Manager ignores those alarms and events when it imports the data. IPS Manager cannot use any records that are associated with Security Monitor.
•When you import IPS MC data into IPS Manager:
–Do not use spaces anywhere in the path.
–Do not use a path that is longer than 67 characters, including the drive letter and any backslash characters.
–We recommend that available space on the server disk partition be at least twice the size of the database file that you import.
To transfer IPS MC 2.2 data to IPS Manager 3.0:
Step 1 Move to your Security Manager server a copy of the IPS MC backup that you saved on a secure volume.
Step 2 Note the full pathname of the newly transferred copy of your backup file.
Step 3 From a Windows command line prompt in the NMSROOT\bin directory, run IpsMcDbUpgrade.pl, where NMSROOT is the path to the Security Manager installation directory. The default is C:\Program Files\CSCOpx.
The command line argument to use includes the full pathname of the backup file; for example: IpsMcDbUpgrade.pl D:\backup\20060104184347\ids-mdc
The time required to import IPS MC data varies according to the size of the database file and the percentage of its records that must be discarded because they are associated with Security Monitor.
Obtaining Service Packs and Point Patches
Caution Do not download or open any file that claims to be a service pack or point patch for Security Manager unless you obtain it from Cisco. Third-party service packs and point patches are not supported.
After you install Security Manager, you might install a service pack or point patch from Cisco Systems to fix bugs, support new device types, or otherwise enhance Security Manager.
•To learn when Cisco has prepared a new, regularly scheduled service pack, and to download any service pack that matters to you, open Security Manager, then select Help > Security Manager Online. Alternatively, point your browser to: http://www.cisco.com/go/csmanager.
•If your organization submits a Cisco TAC service request, TAC will tell you if an unscheduled point patch exists that might solve the problem you have described. Cisco does not distribute Security Manager point patches in any other way.
Service packs and point patches provide server support for client software updates and detect version level mismatches between a client and its server.
Applying Service Packs and Point Patches
After you choose to download and install a service pack or a point patch for your server, you must apply the equivalent software update to each of your client systems. See:
•Patching a Server.
•Patching a Client, page 1-9.
Patching a Server
Tip Before you apply a service pack or a point patch to your server, you might choose to create a compressed ZIP archive of NMSROOT/MDC, where NMSROOT is the path to the Security Manager installation directory. (The default is C:\Program Files\CSCOpx.) Then, if the service pack or point patch that you apply is not right for your needs or you have technical difficulties when you apply it, you can ask that a Cisco technical support engineer use the MDC.ZIP archive to restore your server. See Obtaining Documentation, Obtaining Support, and Security Guidelines, page viii, or see Appendix B, "Troubleshooting."
•To learn how to obtain a service pack or point patch, see Obtaining Service Packs and Point Patches.
•The version number of the service pack or point patch that you apply to your server must be the same as the version number of the service pack or point patch that you apply to your client systems. See Patching a Client, page 1-9.
•For information about the files that are installed on your server and the locations to which they are saved, see Locations of Installed Files on Servers, page 1-9.
For step-by-step instructions that help you to apply a downloaded service pack or point patch to your server, see the readme or other user documentation that accompanies the file.
To patch a client, see Patching a Client, page 1-9.
Downgrading Server Applications
Security Manager supports downgrading from release 3.0.2 to either release 3.0 or release 3.0.1 (including downgrades to IPS Manager and AUS), but only when you meet all of these conditions:
•You upgraded previously from either release 3.0 or release 3.0.1 to release 3.0.2.
•You kept a copy of the backup that Security Manager created when you upgraded.
•You have the installation DVDs for both releases.
To downgrade:
Step 1 Uninstall Security Manager 3.0.2 and AUS 3.0.2. See Uninstalling Server Applications.
Step 2 Install either Security Manager 3.0 or 3.0.1 and (optionally) either AUS 3.0 or 3.0.1. See Installation Guide for Cisco Security Manager 3.0.1 on Cisco.com.
Step 3 (Optional) If you have an installation DVD for Security Manager 3.0 but not for 3.0.1, obtain the upgrade utility from http://www.cisco.com/go/csmanager, then upgrade from 3.0. to 3.0.1.
Step 4 Restore your database from its backup. See the Security Manager online help topic at Using Tools > Backup and Restore.
Note Your downgraded copy of Security Manager 3.0.x includes only the information that you saved before you upgraded to release 3.0.2.
Uninstalling and Reinstalling Server Applications
Note•To learn which data files are essential to Common Services operation and understand how to create archives of that data, see the Common Services online help or read the documentation on Cisco.com.
•If you reinstall any applications, the Security Manager server performs a full, mandatory backup before you can continue.
To uninstall or reinstall applications on your server, see:
•Uninstalling Server Applications
•Reinstalling Server Applications
•Uninstalling Cisco Security Agent
Uninstalling Server Applications
Caution A server that is infected with a virus might be unstable after you uninstall software from it and reboot. If your server is not stable after an uninstallation and reboot, we recommend that you scan it for viruses and other kinds of malware.
Note The standalone version of Cisco Security Agent is not affected in any way if you uninstall Common Services, Security Manager, or AUS. You must uninstall the standalone agent separately. See Uninstalling the Standalone Agent, page A-4.
Before You Begin
•We recommend that you back up copies of all essential data files from your server before you uninstall Security Manager. See the Security Manager online help topic at Using Tools > Backup and Restore.
•If any version of Windows Defender (which was known in its public beta test versions as both Microsoft AntiSpyware and Giant AntiSpyware) is installed, you must disable it before you try to uninstall Security Manager. Otherwise, the uninstallation application cannot run.
Step 1 Select Start > Programs > Cisco Security Manager > Uninstall Cisco Security Manager.
Step 2 From the list of applications, select one or more applications to uninstall.
Step 3 Click Next twice.
The uninstaller removes the applications that you selected.
Note If a Windows command line prompt window is open in \CSCOpx\bin when you uninstall server applications, the uninstaller cannot delete \CSCOpx\bin. In this case, you can choose whether and how to delete the directory.
Step 4 Only after you uninstall Security Manager, Common Services, and all their related applications, assuming that you choose to uninstall all server applications:
a. If a folder exists at C:\Program Files\CSCOpx, either delete, move, or rename the folder.
b. If the C:\CMFLOCK.TXT file exists, delete it.
c. Use a Registry editor to delete these Registry entries before you try to reinstall Security Manager or any of its related applications:
•My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Cisco\Resource Manager
•My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Cisco\MDC
Tip Although no reboot is required, we recommend that you reboot the server after an uninstallation so that Registry entries and running processes on the server are in a suitable state for a future reinstallation.
Note If the uninstallation causes an error, see the "Troubleshooting the Installation" chapter in Installation and Setup Guide for CiscoWorks Common Services 3.0.5 (Includes CiscoView) on Windows.
Step 5 (Optional) If you disabled Windows Defender before uninstalling Security Manager, you can choose now whether to reenable it.
Tip If you uninstalled Performance Monitor or any other supported CiscoWorks application that was not installed automatically when you installed Security Manager, you might see that a Windows shortcut for it is still visible in your Start > Programs menu. In this case, you can right-click the shortcut and select Delete from the shortcut menu.
Reinstalling Server Applications
Your server will perform a full and mandatory backup when you select the required options to reinstall any Security Manager-related applications.
If you install Common Services and Security Manager on a server, then reinstall Common Services later, you must also reinstall Security Manager.
Note During reinstallation, you might see a warning message that says:
The application that you are installing requires new tasks to be
registered with ACS. If you have already registered this application
with ACS from another server, you do not need to register it again.
However if you re-register the application, you will lose any custom
roles that you had created earlier for this application in ACS.
In this case, log in to your Cisco.com account and see "CiscoWorks-ACS Task Registration During Upgrade and Re-installation" in Installation and Setup Guide for CiscoWorks Common Services 3.0.5 (Includes CiscoView) on Windows.
Step 1 If you are reinstalling because a problem on your server corrupted your Security Manager database, you must run restorebackup.pl.
Step 2 To reinstall one or more Security Manager server applications, see Installing Server Applications.
Uninstalling Cisco Security Agent
See Uninstalling the Standalone Agent, page A-4.
