Upgrading Tanium Core Platform servers

Supported upgrade paths

| Path | Notes |
|---|---|
| 7.4.x to 7.4.x | Minor upgrade. However, always consult with your Tanium technical account manager (TAM) for guidance and caveats. |
| 7.3.x to 7.4.x | Major upgrade. In 7.4 or later, you must enable trust between Tanium Servers in a high availability (HA) deployment and among Tanium Servers, Zone Servers, and Zone Server Hubs. For fresh installations, you must download and deploy an initialization file to Zone Servers, Zone Server Hubs, and Tanium Client 7.4 to enable TLS communication with the Tanium Server. |
| 7.2.x to 7.4.x | |
| 7.1.x to 7.4.x | Major upgrade. In 7.2 or later, the Tanium Server installer creates the TLS certificate and cryptographic keys necessary to enable TLS connections to it. In addition, the Module Server installer can automatically register (create certificates and registry entries) the Module Server with the Tanium Server. To support this registration during upgrade, you must install the Tanium Server first so that it has the communication capabilities to accept the registration request from the Module Server. |
| 7.0.x to 7.4.x | Major upgrade. In 7.1, RBAC replaces system roles. Make sure you understand RBAC and are ready to assign roles to users before you upgrade. |
| 6.5.x to 7.4.x | Major upgrade. In 7.0 and later, the Tanium Console user interface (UI) differs from the earlier UI. The best practice is to upgrade your lab deployment first and verify that you can perform your key tasks with the new 7.x user interface before upgrading your production deployment. |

Server upgrade overview

The maintenance window for upgrading Tanium Core Platform servers is usually under an hour. To avoid unexpected issues, all servers must run the same software version. As a best practice, complete the upgrade for all the servers in the same maintenance window. If you have a high availability (HA) cluster, complete the upgrade for both Tanium Servers in the same window.

If you do not need to change the server host names, SSL/TLS certificates, or key files, you can simply run the Tanium Core Platform installers to replace the existing installation with updated files, and upload the new license file (if any) to the installation directory on the Tanium Servers (see Managing the Tanium license).

In some cases, you might want to take the opportunity to change server host names or install new SSL/TLS certificates and keys (for example, if the existing ones are due to expire). If so, the upgrade experience is similar to the initial installation and has similar prerequisite steps. If you change the server host names, you must reconfigure the Tanium Client on endpoints so they can communicate with the servers.

The upgrade procedures in this guide assume your host and network environment meets the initial installation requirements (see Requirements).

The settings that you manage through the Tanium Console are saved to the Tanium database. Therefore, any customizations that you saved in your existing deployment persist through the upgrade.

Before you begin

Perform the following tasks before upgrading:

  • Read the release notes for all of the Tanium Core Platform software versions that were released after your current version to stay informed about expected behavior.
  • Make sure the current deployment is working as expected, including all Tanium Core Platform servers and solutions.
  • Consult with your TAM if you plan to change the Tanium Server hostname. Your TAM needs the new hostname when creating a Tanium license for you.
  • Obtain the installers (.exe files) and new license file from your TAM.
  • A normal upgrade does not require you to restore from the backups, but backups can save you work in the event you encounter issues and want to restore the system to a known functional state. Take the following actions:
    • Back up the current installation folder, particularly the license files, pki.db file (see Back up the root keys), and SSL/TLS certificate and key files. The SSL/TLS certificate and keys secure the connection from your web browser to the Tanium Console or API and the connection between the Tanium Server and Module Server. The SSL/TLS public and private keys are unique to your environment, and you cannot recreate or recover them. Archive, secure, and manage the copies of these files according to your internal security policies as you would any other system-level security and credential files.
    • Back up the tanium and tanium_archive databases.
  • Under ordinary circumstances, the installer for each Tanium Core Platform server stops the associated Tanium service, updates the software, and restarts the service. In deployments with an exceptionally large amount of data, stopping a service might take an exceptionally long time, and the installer might abort the installation before the service properly shuts down. As a best practice to avoid this, use the Windows Services program to stop the Tanium Core Platform services in the following order before starting the upgrade:
    • Tanium Zone Server
    • Tanium Zone Server Hub
    • Tanium Module Server
    • (HA deployment only) Non-primary Tanium Server
    • Primary (HA) or standalone (non-HA) Tanium Server
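
The backup and service-stop tasks above as one pre-upgrade script; this is an added example, not Tanium's own tooling. It assumes the file names used elsewhere on this page, an installation path that you supply, and Windows service display names that match the names in the list above.

```powershell
# Added example, not Tanium code. Run elevated on each Tanium Core Platform host.
param(
    [Parameter(Mandatory)] [string] $InstallDir,  # placeholder: the page gives no path
    [Parameter(Mandatory)] [string] $BackupDir,   # access-restricted backup location
    [int] $StopTimeoutSec = 900                   # large deployments can stop slowly
)
$ErrorActionPreference = 'Stop'

# 1. Copy the files that cannot be recreated and record a SHA-256 manifest.
$sensitive = 'pki.db', 'SOAPServer.crt', 'SOAPServer.key', 'tanium.license'
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$manifest = foreach ($name in $sensitive) {
    $src = Join-Path $InstallDir $name
    if (-not (Test-Path -LiteralPath $src)) { Write-Warning "Not found, skipped: $src"; continue }
    Copy-Item -LiteralPath $src -Destination $BackupDir -Force
    $orig = Get-FileHash -LiteralPath $src -Algorithm SHA256
    $copy = Get-FileHash -LiteralPath (Join-Path $BackupDir $name) -Algorithm SHA256
    if ($copy.Hash -ne $orig.Hash) { throw "Backup of $name does not match the original" }
    [pscustomobject]@{ File = $name; SHA256 = $orig.Hash }
}
if (-not $manifest) { throw "No files to back up were found under $InstallDir" }
$manifest | Export-Csv -LiteralPath (Join-Path $BackupDir 'manifest.csv') -NoTypeInformation

# 2. Stop whichever Tanium services exist on this host, in the documented order.
#    Display names are assumed; confirm with: Get-Service -DisplayName 'Tanium*'
$stopOrder = 'Tanium Zone Server', 'Tanium Zone Server Hub',
             'Tanium Module Server', 'Tanium Server'
foreach ($displayName in $stopOrder) {
    $svc = Get-Service -DisplayName $displayName -ErrorAction SilentlyContinue
    if (-not $svc -or $svc.Status -eq 'Stopped') { continue }
    Stop-Service -InputObject $svc -NoWait
    # Throws a timeout exception instead of letting an installer abort mid-stop.
    $svc.WaitForStatus('Stopped', [TimeSpan]::FromSeconds($StopTimeoutSec))
    Write-Output "$displayName stopped"
}
```

Run it host by host in the order listed above, so the non-primary Tanium Server host is stopped before the primary.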

Order of upgrade

You must upgrade Tanium Core Platform servers in the following order:

  1. Tanium Servers (primary and non-primary servers in HA deployments)
  2. Module Server
  3. Zone Server Hub
  4. Zone Server

Upgrade the Tanium Server

When you upgrade, the Tanium™ Server installer takes the following actions:

  • Stops the Tanium Server service.
  • Installs Tanium Server software and Tanium Console UI components.
  • Updates the Windows registry with the values you specify in the interactive installation wizard.
  • Updates the Tanium databases on the remote database server and re-initializes the database tables in those databases.
  • Opens required ports in the local host computer Windows Firewall.
  • Starts the Tanium Server service.

The Windows Secondary Login service (seclogon) must have its Startup type set to Automatic or Manual, not Disabled, or else the Tanium database installation will fail.

Note: In an upgrade of a production deployment, the installer detects from the Windows Registry that the Tanium Module Server is not installed locally, so it does not attempt to upgrade it or start the Tanium Module Server service.

Upgrade a standalone (non-HA) or primary (HA) Tanium Server

  1. Log into the host system as a local administrator or domain user with administrator permissions.
  2. Copy the installer (SetupServer.exe) and license files to a temporary location on the host computer.
  3. If you have new SSL/TLS certificate and key files, copy them to the host computer so you can select them when you run the installer.
  4. Right-click SetupServer.exe and select Run as administrator.
  5. Complete the installation wizard. Consider the following:
    • Select Custom Install, not Express Install. When you select Custom Install, the installer prompts you for each setting and populates the wizard form with the values from the existing installation. This gives you a chance to review the current installation and replace the certificate and license files, if necessary, or change other installation settings. When you select Express Install, the installer uses the existing values but does not give you an opportunity to review or change them.
    • On the License Configuration page, be sure to select the new license file if appropriate.
    • If the server has new SSL/TLS certificate and key files, use the Certificate Path and Key Path to select them; otherwise, use the values that the installer populates.

Upgrade a non-primary (HA) Tanium Server

  1. Log into the host system as a local administrator or domain user with administrator permissions.
  2. Copy the installer (SetupServer.exe) and license files to a temporary location on the host computer.
  3. If you updated the SSL/TLS certificate and key files, copy the following files from the Tanium Server installation directory on the primary host to the installation directory on the non-primary host:
    • SOAPServer.crt
    • SOAPServer.key
    • tanium.license

    Always follow your organization's best practices for securely copying sensitive files, such as the Tanium Server SOAPServer.key file. For example, use GNU Privacy Guard (GPG) to encrypt the files before copying and then decrypt when they are in place on the target server.

  4. Right-click SetupServer.exe and select Run as administrator.
  5. Complete the installation wizard. Consider the following:
    • Select the Custom installation type, not Express. When you select Custom, the installer prompts you for each setting and populates the wizard form with the values from the existing installation. This gives you a chance to review the current installation and replace the certificate and license files, if necessary, or change other installation settings. When you select Express, the installer uses the existing values but does not give you an opportunity to review or change them.
    • On the License Configuration page, be sure to select the new license file if appropriate.
    • If the server has new SSL/TLS certificate and key files, use the SSL Certificate and Key controls to select them; otherwise, retain the values that the installer populated.
    • After upgrading the Tanium Module Server, you must manually register it with the non-primary Tanium Server (see the last step under Upgrade the Tanium Module Server).
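
One way to carry out the GPG-protected copy described in step 3, as an added example that is not part of the Tanium documentation. It assumes gpg.exe is on the PATH of both hosts and that the hypothetical `$Recipient` names a GPG key whose private half exists only on the non-primary host; the function and parameter names are illustrative.

```powershell
# Added example, not Tanium code. Function names and parameters are hypothetical.
$ErrorActionPreference = 'Stop'

# On the primary host: encrypt each file and return a plaintext SHA-256 manifest.
function Export-TaniumSecrets {
    param([string] $InstallDir, [string] $OutDir, [string] $Recipient)
    foreach ($name in 'SOAPServer.crt', 'SOAPServer.key', 'tanium.license') {
        $src = Join-Path $InstallDir $name
        $enc = Join-Path $OutDir "$name.gpg"
        & gpg --yes --encrypt --recipient $Recipient --output $enc $src | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "gpg failed to encrypt $name" }
        $hash = (Get-FileHash -LiteralPath $src -Algorithm SHA256).Hash
        [pscustomobject]@{ File = $name; SHA256 = $hash }
    }
}

# On the non-primary host: decrypt beside the target, verify, then move into place.
function Import-TaniumSecrets {
    param([string] $InDir, [string] $InstallDir, [object[]] $Manifest)
    foreach ($entry in $Manifest) {
        $enc = Join-Path $InDir "$($entry.File).gpg"
        $dst = Join-Path $InstallDir $entry.File
        $tmp = "$dst.new"
        & gpg --yes --decrypt --output $tmp $enc | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "gpg failed to decrypt $($entry.File)" }
        if ((Get-FileHash -LiteralPath $tmp -Algorithm SHA256).Hash -ne $entry.SHA256) {
            Remove-Item -LiteralPath $tmp
            throw "$($entry.File) does not match the hash recorded on the primary"
        }
        Move-Item -LiteralPath $tmp -Destination $dst -Force
        Remove-Item -LiteralPath $enc   # leave no encrypted copy in the staging folder
    }
}
```

Carry the manifest across with `Export-Csv` and `Import-Csv`, and run `Import-TaniumSecrets` before starting the installer in step 4.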

Upgrade the Tanium Module Server

When you upgrade, the Tanium™ Module Server installer takes the following actions:

  • Stops the Tanium Module Server service.
  • Updates Tanium Module Server software.
  • Updates the Windows registry with the values you specify in the interactive installation wizard.
  • Initiates registration with the primary (HA) or standalone Tanium Server (if selected).
  • Opens required ports in the local host computer Windows Firewall.
  • Starts the Tanium Module Server service.

Before you begin

When you first upgrade to the latest release, the best practice is to automatically register the Module Server with the primary (HA) or standalone Tanium Server. Ensure the following prerequisites are met and take the following actions:

  • Make sure your network security administrator has configured network firewall rules to allow communication between Tanium Server and Tanium Module Server on TCP port 17477.
  • Go to the Windows Registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Tanium\Tanium Server and clear the setting for the Module Server. (Clear the value 127.0.0.1.)
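
The Secondary Logon requirement from the Tanium Server section and the two Module Server prerequisites above, checked in one read-only pass on the Tanium Server host; this is an added example, not Tanium's own tooling. The function name and the `ModuleServerHost` parameter are hypothetical, and the port test assumes that the Module Server is the side listening on TCP 17477 and that its service is still running.

```powershell
# Added example, not Tanium code. Read-only; run elevated on the Tanium Server host.
function Test-TaniumServerPreflight {
    param([string] $ModuleServerHost)   # hypothetical parameter: Module Server FQDN
    $findings = @()

    # The Tanium database installation fails when Secondary Logon is Disabled.
    $seclogon = Get-Service -Name seclogon
    if ($seclogon.StartType -eq 'Disabled') {
        $findings += 'seclogon Startup type is Disabled; set it to Manual or Automatic'
    }

    # Report any value still set to 127.0.0.1 under the Tanium Server key.
    # The value name is not hard-coded because the page does not give it.
    $key = 'HKLM:\SOFTWARE\Wow6432Node\Tanium\Tanium Server'
    if (Test-Path -LiteralPath $key) {
        (Get-ItemProperty -LiteralPath $key).PSObject.Properties |
            Where-Object { $_.Value -eq '127.0.0.1' } |
            ForEach-Object { $findings += "Registry value '$($_.Name)' is 127.0.0.1; clear it" }
    } else {
        $findings += "Registry key not found: $key"
    }

    # Firewall rule for TCP 17477 (assumption: the Module Server listens on it).
    if ($ModuleServerHost) {
        $ok = Test-NetConnection -ComputerName $ModuleServerHost -Port 17477 -InformationLevel Quiet
        if (-not $ok) { $findings += "TCP 17477 to $ModuleServerHost is not reachable" }
    }
    $findings
}

# Constructed host name for illustration only.
Test-TaniumServerPreflight -ModuleServerHost 'module-server.example.internal'
```

No output means every check passed; run the port test before stopping the Module Server service, because a stopped listener looks the same as a blocked port.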

Upgrade the Tanium Module Server

  1. Log into the Tanium Module Server host system as an administrator user.
  2. Copy the installer (SetupModuleServer.exe) to a temporary location on the host computer.
  3. If the Tanium Module Server has new certificate and public key files, copy them to a temporary location on the Tanium Module Server host computer so you can select them when you run the installer.
  4. Right-click SetupModuleServer.exe and select Run as administrator.
  5. Complete the installation wizard. Consider these points:
    • If the Tanium Module Server has a new certificate and key, use the Use Existing Certificate and Key controls to select them.
    • If the Tanium Server has a new certificate, use the Register with the Tanium Server or Manually specify Tanium Server certificate controls to select it. In an HA deployment, register with the primary Tanium Server.
    • If you do not use automatic registration, or if registration fails, see Install the Tanium Module Server and manually register with the Tanium Server for post-installer steps you must do manually to complete registration.
  6. (HA only) Access the CLI of the Module Server host and run the following commands to register with the non-primary Tanium Server.

    cmd-prompt>cd <Module Server>
    cmd-prompt>TaniumModuleServer register <Tanium_Server_FQDN>
    Enter administrator username: <username>
    Enter password for user '<username>':
    Successfully completed registration.

    For information about using the CLI, see Tanium Core Platform Deployment Reference Guide: Command-line interface.

    You typically only need to perform registration one time when you first upgrade to the latest release. You only need to re-register if you change the Tanium Server or Module Server certificates.

Upgrade the Tanium Zone Server

Tanium™ Zone Server software is installed on the Zone Server Hub (a host computer in the internal network, typically the Tanium Server host computer) and on one or more dedicated Zone Server host computers in the DMZ. Upgrade both types of servers.

When you upgrade, the Tanium Zone Server installer takes the following actions:

  • Stops the Tanium Zone Server service.
  • Updates Tanium Zone Server software.
  • Updates the Windows registry with the values you specify in the interactive installation wizard.
  • Opens required ports in the local host computer Windows Firewall.
  • Starts the Tanium Zone Server service.

Upgrade the Zone Server Hub

  1. Log into the Tanium Server host system as an administrator user.
  2. Copy the installer (SetupZoneServer.exe) to a temporary location.
  3. Right-click SetupZoneServer.exe and select Run as administrator.
  4. Complete the installation wizard.

Upgrade the dedicated Zone Server

  1. Log into the Tanium Zone Server host system as an administrator user.
  2. Copy the installer (SetupZoneServer.exe) to a temporary location.
  3. Right-click SetupZoneServer.exe and select Run as administrator.
  4. Complete the installation wizard.

Verify the servers upgrade

  1. Open the Tanium Console URL.
  2. Log in as a user with the Administrator role.

    The Tanium Console opens to the home page, which displays any errors that occurred during the Module Server upgrade.

  3. From the Main menu, select Console > Administration > System Status to review recent Tanium Client registration details and verify that clients are registering as expected.

    If verification fails, see Troubleshooting the deployment.