
Upgrading the core server deployment

This chapter describes how to upgrade the core platform server components.

Supported upgrade paths

| Path | Notes |
|---|---|
| 7.3.x to 7.3.x | Minor upgrade. However, always consult with your Tanium technical account manager (TAM) for guidance and caveats. |
| 7.2.x to 7.3.x | Major upgrade. |
| 7.1.x to 7.3.x | Major upgrade. In 7.2, the Tanium Server installer creates the TLS certificate and cryptographic keys necessary to enable TLS connections to it. In addition, the Module Server installer can automatically register (create certificates and registry entries) the Module Server with the Tanium Server. To support this registration during upgrade, you must install the Tanium Server first so that it has the communication capabilities to accept the registration request from the Module Server. |
| 7.0.x to 7.3.x | Major upgrade. In 7.1, RBAC replaces system roles. Make sure you understand RBAC and are ready to assign roles to users before you upgrade. |
| 6.5.x to 7.3.x | Major upgrade. In 7.0 and later, the Tanium Console user interface (UI) differs from the earlier UI. The best practice is to upgrade your lab deployment first and verify that you can perform your key tasks with the new 7.x user interface before upgrading your production deployment. |

Overview

The maintenance window for an upgrade of Tanium™ Core Platform server components can be less than one hour in most cases. However, to avoid unexpected issues, all server components must run the same software version. You should plan to complete the upgrade for all components in the same maintenance window. If you have an HA cluster, complete the upgrade for both Tanium™ Server instances in the same window.

If you do not need to change the server hostname or SSL certificate or key files, you can simply run the 7.3.x installers to overwrite the existing installation with updated files, and copy the new license file to the installation directory.

In some cases, you might want to take the opportunity to change the server hostname or install new SSL certificates and keys (for example, if the existing ones are due to expire). If so, the upgrade experience is similar to the initial installation and has similar prerequisite steps. You must be able to copy the certificate and key files between host computers to complete the installation. If you change the server hostnames, you must reconfigure the Tanium™ Client on endpoints so they can communicate with the servers.

The upgrade procedures in this guide assume your host and network environment meets the initial installation requirements. There are no new requirements added for 7.3.x.

The settings you manage with the Tanium Console are saved to the database, so any customizations you have saved in your existing deployment will persist through the upgrade.

Before you begin

  • Read the release notes for all of the core platform software versions that were released after your current version to stay informed about expected behavior.
  • Make sure the current deployment is working as expected. Be sure to check all core platform server components and all solutions.
  • Consult with your TAM if you plan to change the Tanium Server hostname. Your TAM needs the new hostname when creating a Tanium license for you.
  • Obtain the installers (.exe files) and new license file from your TAM.
  • A normal upgrade does not require you to restore from the backups, but backups can save you work in the event you encounter issues and want to restore the system to a known functional state. Take the following actions:
    • Back up the current installation folder, particularly the license files and SSL certificate and key files. The SSL public and private keys are unique to your environment and cannot be recreated or recovered. Copies of these files should be archived, secured, and managed according to your internal security policies as you would any other system-level security and credential files.
    • Back up the tanium and tanium_archive databases.

Order of upgrade

  1. Tanium Server(s)
  2. Module Server
  3. Zone Server

Upgrade Tanium Server

When you upgrade, the Tanium™ Server installer takes the following actions:

  • Stops the Tanium Server service.
  • Installs Tanium Server software and Tanium Console UI components.
  • Updates the Windows registry with the values you specify in the interactive installation wizard.
  • Updates the Tanium databases on the remote database server and re-initializes the database tables in those databases.
  • Opens required ports in the local host computer Windows Firewall.
  • Starts the Tanium Server service.

Note: In an upgrade of a production deployment, the installer detects from the Windows Registry that the Tanium Module Server is not installed locally, so it does not attempt to upgrade it or start the Tanium Module Server service.

Upgrade a standalone Tanium Server (or the first member of an active-active cluster)

  1. Log into the host system as a local administrator or domain user with administrator privileges.
  2. Copy the installer (SetupServer.exe) and license files to a temporary location on the host computer.
  3. If you have new SSL certificate and key files, copy them to the host computer so you can select them when you run the installer.
  4. Right-click the SetupServer.exe file and select Run as administrator.
  5. Complete the installation wizard. Consider the following:
    • Select the Custom installation type, not Express. When you select Custom, the installer prompts you for each setting and populates the wizard form with the values from the existing installation. This gives you a chance to review the current installation and replace the certificate and license files, if necessary, or change other installation settings. When you select Express, the installer uses the existing values but does not give you an opportunity to review or change them.
    • On the License Configuration page, be sure to select the new license file.
    • If the server has new SSL certificate and key files, use the SSL Certificate and Key controls to select them; otherwise, retain the values populated by the installer.

Upgrade the second member of an active-active cluster

  1. Log into the host system as a local administrator or domain user with administrator privileges.
  2. Copy the installer (SetupServer.exe) and license files to a temporary location on the host computer.
  3. If you have updated the SSL certificate and key files, copy the following files from the Tanium Server installation directory on the primary host to the installation directory on the secondary host:
    • SOAPServer.crt
    • SOAPServer.key
    • tanium.license
    • tanium.pvk
    • tanium.pub

    Always follow your organization's best practices for securely copying sensitive files, such as the Tanium Server private key file. For example, use GPG to encrypt the files before copying and then decrypt when they are in place on the target server.

  4. Right-click the SetupServer.exe file and select Run as administrator.
  5. Complete the installation wizard. Consider the following:
    • Select the Custom installation type, not Express. When you select Custom, the installer prompts you for each setting and populates the wizard form with the values from the existing installation. This gives you a chance to review the current installation and replace the certificate and license files, if necessary, or change other installation settings. When you select Express, the installer uses the existing values but does not give you an opportunity to review or change them.
    • On the License Configuration page, be sure to select the new license file.
    • If the server has new SSL certificate and key files, use the SSL Certificate and Key controls to select them; otherwise, retain the values populated by the installer.
  6. Upgrade the Tanium Module Server. When you run the installer, register with the first Tanium Server. See Upgrade Tanium Module Server.
  7. On the Module Server host computer, use the CLI to register with the second Tanium Server. For example:
    cmd-prompt>TaniumModuleServer register ts2.tam.local
    Enter administrator username: TaniumAdmin
    Enter password for user 'TaniumAdmin':
    Successfully completed registration.
    cmd-prompt>

    For information about using the CLI, see Reference: Tanium server CLI.

    You typically only need to perform registration one time when you first upgrade to the latest release. You only need to re-register if you change the Tanium Server or Module Server certificates.
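
For step 3 above, one way to follow the GPG suggestion when moving the key files from the primary host to the secondary host. This is an added example, not part of the Tanium documentation or tooling; it assumes gpg is installed and on the PATH of both hosts, and the function names, staging folder and manifest.csv are hypothetical.

```powershell
# Added example, not Tanium tooling. $InstallDir is the Tanium Server path shown in
# this guide's log table; the staging folder and manifest.csv are assumptions.
$InstallDir = 'C:\Program Files\Tanium\Tanium Server'
$KeyFiles   = 'SOAPServer.crt', 'SOAPServer.key', 'tanium.license', 'tanium.pvk', 'tanium.pub'

function Export-TaniumKeyFiles {
    # Primary host: record the SHA-256 of each file, then write GPG-encrypted copies.
    param([Parameter(Mandatory)][string]$StagingDir, [string]$SourceDir = $InstallDir)
    New-Item -ItemType Directory -Path $StagingDir -Force | Out-Null
    $KeyFiles | ForEach-Object {
        $path = Join-Path $SourceDir $_
        if (-not (Test-Path -LiteralPath $path)) { throw "Missing file: $path" }
        [pscustomobject]@{ Name = $_; SHA256 = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash }
    } | Export-Csv -Path (Join-Path $StagingDir 'manifest.csv') -NoTypeInformation
    foreach ($name in $KeyFiles) {
        # Symmetric mode: gpg prompts for a passphrase, which you share out of band.
        & gpg --symmetric --cipher-algo AES256 --output (Join-Path $StagingDir "$name.gpg") (Join-Path $SourceDir $name)
        if ($LASTEXITCODE -ne 0) { throw "gpg failed to encrypt $name" }
    }
}

function Import-TaniumKeyFiles {
    # Secondary host: decrypt to a scratch folder, verify every hash, then install.
    param([Parameter(Mandatory)][string]$StagingDir, [string]$TargetDir = $InstallDir)
    $expected = @{}
    Import-Csv -Path (Join-Path $StagingDir 'manifest.csv') | ForEach-Object { $expected[$_.Name] = $_.SHA256 }
    $scratch = Join-Path $StagingDir 'decrypted'
    New-Item -ItemType Directory -Path $scratch -Force | Out-Null
    try {
        foreach ($name in $KeyFiles) {   # fixed list, so manifest names never become paths
            $plain = Join-Path $scratch $name
            & gpg --decrypt --output $plain (Join-Path $StagingDir "$name.gpg")
            if ($LASTEXITCODE -ne 0) { throw "gpg failed to decrypt $name" }
            $actual = (Get-FileHash -LiteralPath $plain -Algorithm SHA256).Hash
            if ($actual -ne $expected[$name]) { throw "SHA-256 mismatch for $name; nothing was installed" }
        }
        # All files verified: only now overwrite the files in the installation directory.
        foreach ($name in $KeyFiles) {
            Copy-Item -LiteralPath (Join-Path $scratch $name) -Destination (Join-Path $TargetDir $name) -Force
        }
    }
    finally {
        # Do not leave decrypted private keys behind in the staging area.
        Remove-Item -LiteralPath $scratch -Recurse -Force
    }
}
```

Run Export-TaniumKeyFiles on the primary host, move only the .gpg files and manifest.csv to the secondary host, then run Import-TaniumKeyFiles there before starting the installer.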

Upgrade Tanium Module Server

When you upgrade, the Tanium™ Module Server installer takes the following actions:

  • Stops the Tanium Module Server service.
  • Updates Tanium Module Server software.
  • Updates the Windows registry with the values you specify in the interactive installation wizard.
  • Initiates registration with the Tanium Server (if selected).
  • Opens required ports in the local host computer Windows Firewall.
  • Starts the Tanium Module Server service.

Before you begin

When you first upgrade to the latest release, the best practice is to use automatic registration to set up communication between the Tanium Server and the Module Server. Ensure the following prerequisites are met and take the following actions:

  • Make sure your network security administrator has configured network firewall rules to allow communication between Tanium Server and Tanium Module Server on TCP port 17477.
  • In the Windows Registry, go to HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Tanium\Tanium Server and clear the setting for the Module Server. (Clear the value 127.0.0.1.)

Upgrade the Tanium Module Server

  1. Log into the Tanium Module Server host system as an administrator user.
  2. Copy the installer (SetupModuleServer.exe) to a temporary location on the host computer.
  3. If the Tanium Module Server has new certificate and public key files, copy them to a temporary location on the Tanium Module Server host computer so you can select them when you run the installer.
  4. Right-click the SetupModuleServer.exe file and select Run as administrator.
  5. Complete the installation wizard. Consider these points:
    • If the Tanium Module Server has a new certificate and key, use the Use Existing Certificate and Key controls to select them.
    • If the Tanium Server has a new certificate, use the Register with the Tanium Server or Manually specify Tanium Server certificate controls to select it.
    • If you do not use automatic registration, or if registration fails, see Install the Tanium Module Server and manually register with the Tanium Server for post-installer steps you must do manually to complete registration.

Upgrade Tanium Zone Server

Tanium™ Zone Server software is installed on the Zone Server hub (a host computer in the internal network, typically the Tanium Server host computer) and on one or more dedicated Zone Server host computers in the DMZ. Upgrade both types of servers.

When you upgrade, the Tanium Zone Server installer takes the following actions:

  • Stops the Tanium Zone Server service.
  • Updates Tanium Zone Server software.
  • Updates the Windows registry with the values you specify in the interactive installation wizard.
  • Opens required ports in the local host computer Windows Firewall.
  • Starts the Tanium Zone Server service.

Upgrade the Zone Server hub

  1. Log into the Tanium Server host system as an administrator user.
  2. Copy the installer (SetupZoneServer.exe) to a temporary location.
  3. If the Tanium Server has a new public key, go to the Tanium Server host system installation directory and copy the Tanium Server SSL public key file (tanium.pub) to a temporary location on the Tanium Zone Server host system so you can select it when you run the installer.
  4. Right-click the SetupZoneServer.exe file and select Run as administrator.
  5. Complete the installation wizard. Be sure to select the Make this server the hub server option.

Upgrade the dedicated Zone Server

  1. Log into the Tanium Zone Server host system as an administrator user.
  2. Copy the installer (SetupZoneServer.exe) to a temporary location.
  3. If the Tanium Server has a new public key, go to the Tanium Server host system installation directory and copy the Tanium Server SSL public key file (tanium.pub) to a temporary location on the Tanium Zone Server host system so you can select it when you run the installer.
  4. Right-click the SetupZoneServer.exe file and select Run as administrator.
  5. Complete the installation wizard. Be sure not to select the Make this server the hub server option.

Verify the server upgrade

  1. Open the Tanium Console URL.

  2. Log in as a user with the Administrator role.

    The Tanium Console opens to the home page. If there are issues with the Module Server upgrade, errors are reported to the console here.

  3. Go to Administration > System Status to review recent client registration details and verify that Tanium Clients are registering as expected.

Troubleshooting

Under ordinary circumstances, the installer: (1) stops the Tanium service; (2) updates the software; (3) restarts the Tanium service. In deployments with an exceptionally large amount of data, stopping the service may take an exceptionally long time, and it is possible that the installer will abort the installation before the service has been properly shut down. If this occurs (or to avoid it), you can stop the Tanium service manually before you run the installer. In most cases, you do not need to do this.

Basic tips

  • Ensure all Tanium Core Platform components are the same version. For example, make sure all have build number 7.3.314.3424.
  • Ensure your environment meets the host system and network requirements.
  • Review any error messages reported to the user interface or installation log files.
  • If you encounter failed access messages when running an installer, examine the privileges for the logged in user.
  • Many installation settings get populated to the Windows Registry. Review the registry entries for typos.
  • If you encounter failed connections, use standard tools like ping and traceroute to verify basic connectivity. If those checks fail, work with your network administrator to diagnose. If those pass, it might be a certificate problem or firewall issue.
  • If the Tanium Console is unavailable, check the status of the Tanium Server Windows Service and the Tanium databases on the database server.

Upgrade logs

The upgrade log files are chronological logs of the actions taken by the installer. If you encounter issues with your upgrade, examine the installation log file to see which actions completed successfully and which failed.

Table 1: Upgrade logs

| Component | Location |
|---|---|
| Tanium Server | C:\Program Files\Tanium\Tanium Server\Install.txt |
| Tanium Module Server | C:\Program Files\Tanium\Tanium Module Server\Install.txt |
| Tanium Zone Server | C:\Program Files (x86)\Tanium\Tanium Zone Server\Install.txt |

Tanium Support

Your TAM is your first contact for assistance with preparing for and performing the upgrade, as well as verifying and troubleshooting the initial deployment.

If you require further assistance from Tanium Support, please be sure to include version information for Tanium Core Platform components and specific details on dependencies, such as the host system hardware and OS details and database server version. Log into https://support.tanium.com and submit a new ticket or send us an email at [email protected]

Last updated: 11/6/2018 5:24 PM