Upgrade process overview

This section describes how to upgrade from version 8.0.00, 8.1.00, 8.2.00, or 9.0.00.

Note

If you are upgrading a 

MainView Middleware Administrator

 (

MVMA

) cluster (MongoDB® replica set) you must stop all 

MVMA

 servers and MongoDB® instances running on each host in the cluster, then follow the steps below on each host.

Note

It is recommended to compact database files prior to upgrading MVMA as these may have grown significantly after using the product for a long time. To do so stop the MVMA service, backup your current database files and run the mongod command with the --repair option from the MVMA installation directory. For example:

mongodb\mongodb-win32-x86_64-2.4.9\bin\mongod --dbpath data\db --repair

Be aware that running this command requires additional free disk space (about equal to the size of your current data set). See the MongoDB product documentation for more details.

IMPORTANT

Opposed to the previous MVMA installations, an upgrade to MVMA 9.1.00 no longer preserves configuration/wrapper.conf. The original files are located in the backupV90 sub-directory, and you have to re-do any previous edits made to those files, using the backupV90 versions as a reference.

To upgrade MVMA

  1. Stop the MVMA service.
  2. The upgrade preserves the following files and folders, but they should be reviewed after the installation has completed to confirm their preservation:
    • etc/jetty.xml
    • etc/jetty-deployer.xml
    • etc/jetty-selector.xml
    • etc/data.conf
    • etc/known_hosts
    • configuration/services/*
    • security/*
  3. Backup the installation directory. Zipping it and storing it somewhere safe is sufficient to backup the installation directory.

  4. To accelerate the upgrade process, the contents of the work/ directory can be deleted prior to the upgrade installation being run.

    Note

    Note that the default path has changed (to C:\BMC\MVMA); you may need to adjust the path to your current installation.

  5. Start the installation process (see Performing-the-installation). The installer displays a screen that allows the user to specify where the current product is installed.
  6. Start the MVMA service and verify correct functionality of the product.

Note

After upgrading MVMA, users should clear their browser cache to ensure the browser is picking up the upgraded Web-UI components. Otherwise, interference with cached components of a previous version of the product may cause unpredictable results when the browser renders the Web UI.

Note

In installations where TrueSight Middleware Administrator 8.2 has been integrated with TrueSight Middleware and Transaction Monitor (TMTM), the "HTTP request header verification" security enhancement (an upgrade to MVMA 9.0) can cause this integration to break. BMC recommends you apply the latest fixes for TMTM (Server Fix Pack D or later) as it becomes available. Alternatively, HTTP request header verification can be disabled, as described in How-to-implement-HTTP-Request-Header-verification.

Preventing attacks such as framing ("clickjacking"), document caching, cross site scripting (XSS) or data injection

After upgrading in etc/jetty.xml as re-instated from the previous installation, make sure protection against framing attacks (so-called 'clickjacking') and others such as document caching, cross site scripting (XSS) or data injection is  enabled by opening etc/jetty.xml and verifying the following sections exist under the top-level <Configure> folder: 

 <!-- =========================================================== -->
   <!-- Rewrite handlers -->
   <!-- =========================================================== -->
    <New id="RewriteHandler" class="org.eclipse.jetty.rewrite.handler.RewriteHandler">
      <Set name="rules">
        <Array type="org.eclipse.jetty.rewrite.handler.Rule">
          <Item>
            <New id="header" class="org.eclipse.jetty.rewrite.handler.HeaderPatternRule">
              <Set name="pattern">*.jsp</Set>
              <Set name="name">X-Frame-Options</Set>
              <Set name="value">DENY</Set>
            </New>
          </Item>


          <Item>
            <New id="header" class="org.eclipse.jetty.rewrite.handler.HeaderPatternRule">
              <Set name="pattern">*.jsp</Set>
              <Set name="name">Cache-Control</Set>
              <Set name="value">no-store</Set>
            </New>
          </Item>


          <Item>
            <New id="header" class="org.eclipse.jetty.rewrite.handler.HeaderPatternRule">
              <Set name="pattern">*.jsp</Set>
              <Set name="name">Pragma</Set>
              <Set name="value">no-cache</Set>
            </New>
          </Item>


          <Item>
            <New id="header" class="org.eclipse.jetty.rewrite.handler.HeaderPatternRule">
              <Set name="pattern">*.jsp</Set>
              <Set name="name">Strict-Transport-Security</Set>
              <Set name="value">max-age=31536000; includeSubDomains</Set>
            </New>
          </Item>


          <Item>
            <New id="header" class="org.eclipse.jetty.rewrite.handler.HeaderPatternRule">
              <Set name="pattern">*.jsp</Set>
              <Set name="name">X-XSS-Protection</Set>
              <Set name="value">1; mode=block</Set>
            </New>
          </Item>


          <Item>
            <New id="header" class="org.eclipse.jetty.rewrite.handler.HeaderPatternRule">
              <Set name="pattern">*.jsp</Set>
              <Set name="name">X-Content-Type-Options</Set>
              <Set name="value">nosniff</Set>
            </New>
          </Item>


          <Item>
            <New id="header" class="org.eclipse.jetty.rewrite.handler.HeaderPatternRule">
              <Set name="pattern">*.jsp</Set>
              <Set name="name">Content-Security-Policy</Set>
              <Set name="value">default-src 'none'; font-src 'self'; connect-src 'self'; img-src 'self'; frame-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-eval' 'unsafe-inline'</Set>
            </New>
          </Item>
        </Array>
      </Set>
    </New>

 Disabling weak cipher suites

After upgrading in etc/jetty.xml as re-instated from the previous installation, make sure weak cipher suites are disabled by opening etc/jetty.xml and verifying the following list under the <Set name="ExcludeCipherSuites"> folder:

<Set name="ExcludeCipherSuites">
       <Array type="String">
         <Item>SSL_RSA_WITH_DES_CBC_SHA</Item>
         <Item>SSL_DHE_RSA_WITH_DES_CBC_SHA</Item>
         <Item>SSL_DHE_DSS_WITH_DES_CBC_SHA</Item>
         <Item>SSL_RSA_EXPORT_WITH_RC4_40_MD5</Item>
         <Item>SSL_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
         <Item>SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
         <Item>SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA</Item>
         <Item>.*DES.*</Item>
         <Item>TLS_RSA_WITH_AES_128_CBC_SHA</Item>
         <Item>TLS_RSA_WITH_AES_128_CBC_SHA256</Item>
         <Item>TLS_RSA_WITH_AES_128_GCM_SHA256</Item>
         <Item>TLS_DHE_RSA_WITH_AES_128_CBC_SHA</Item>
         <Item>TLS_RSA_WITH_AES_256_CBC_SHA</Item>
         <Item>TLS_DHE_RSA_WITH_AES_256_CBC_SHA</Item>
         <Item>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA</Item>
         <Item>TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA</Item>
       </Array>
     </Set>

Disabling older TLS versions

After upgrading in etc/jetty.xml as re-instated from the previous installation, make sure older TLS versions are disabled by opening etc/jetty.xml and verifying the folder <Set name="ExcludeProtocols">  following the <Set name="ExcludeCipherSuites"> folder listing the disabled cipher suites (see the above section) :

  <Set name="ExcludeProtocols">
       <Array type="java.lang.String">
         <Item>TLSv1</Item>
         <Item>TLSv1.1</Item>
       </Array>
     </Set>

 

Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*