Upgrade with TLS and with Peer Verification

Required User Role: Administrator on the local machine

This process upgrades the following Tenable Identity Exposure components with custom TLS and with peer verification. It requires the "Expert mode" setting in the installation wizard.

Public Key Infrastructure (PKI) Certificate

To use peer verification, your PKI certificate must include the IP addresses or DNS of all the machines used to install Tenable Identity Exposure.

PKI Certificate

Upgrade the components in the following order:

  1. Directory Listener

  2. Security Engine Node

  3. Storage Manager
Caution: For the installation or upgrade to work, you must run the installer as a local user or a domain user who is a member of the Local Administrators group.
Note: Restart your machine before each upgrade.

After you upgrade the components, restart the machines in the following order:

  1. Storage Manager

  2. Security Engine Node

  3. Directory Listener

  1. On the local machine, run the installation file Tenable.ad_v3.59.x.exe.

    A welcome screen appears.

  2. In the setup language box, click the arrow to select the language for the installation, and click Next.

    Setup language

    The Setup Wizard appears.

  1. Select the Expert Mode checkbox.

  1. Click Next.

    The Custom Setup window appears.

  2. The installation program automatically preselects the Directory Listener component based on the previous installation. Click Next.

    The TLS Options window appears.

  3. Select the TLS with custom certificates with peer verification option.

  1. Click Next.

    The TLS certificates window appears.

  2. Provide the following information:

    • In the Server PFX Archive box, click ... to browse to your PFX archive.

    • In the PFX Password box, type the password for the PFX file.

    • In the CA Cert File box, click ... to browse to your CA certificate file.

  3. Click Next.

    The Security Engine Node window appears.

  4. In the Host box for RabbitMQ, the installer shows the address of the SEN machine based on your previous installation. Check that this information remains valid and correct it if necessary.

  1. Click Next.

    The Directory Listener window appears.

  1. You have two options to install the Secure Relay on this Directory Listener:

    • Yes — After this installation completes, it launches the installer for the Secure Relay, which requires a linking key located in the Tenable Identity Exposure user interface under "Configuration > Relay". (See Secure Relay in the Tenable Identity Exposure Administrator Guide for more information.)

    • No — A message shows you the location of the Secure Relay installer to install it at a later time.

  2. Click Next.

    The Ready to Install window appears.

  3. Click Install to begin the upgrade.

    After the upgrade completes, the Completing the Tenable.ad Setup Wizard window appears.

  4. Click Finish.

    A dialog box asks you to restart your machine.

  5. Click No.

    Caution:  Do NOT reboot the server now.

  6. Upgrade the Security Engine Node (SEN).

  1. On the local machine, run the installation file Tenable.ad_v3.59.x.exe.

    A welcome screen appears.

  2. In the setup language box, click the arrow to select the language for the installation, and click Next.

    Setup language

    The Setup Wizard appears.

  3. Select the Expert Mode checkbox.

  4. Click Next.

    The Custom Setup window appears.

  5. The installation program automatically preselects the Security Engine Node feature based on the previous installation. Click Next.

    The TLS Options window appears.

  6. Select the TLS with custom certificates with peer verification option.

  7. Click Next.

    The TLS certificates window appears.

  8. Provide the following information:

    • In the Server PFX Archive box, click ... to browse to your PFX archive.

    • In the PFX Password box, type the password for the PFX file.

    • In the CA Cert File box, click ... to browse to your CA certificate file.

  9. Click Next.

    The Storage Manager window appears.

  10. The installer shows the hostname or IP address of your MSSQL database from your previous installation. Check that it remains valid and correct if necessary. Click Next.

    Note: If you change the SA password since the previous installation, the installer requires it to follow the syntax described in Strong Passwords for the SQL Server.

    Caution: Remember to update the Event Logs Storage IP or hostname address during this step. Failing to do so leads to attack detection issues. If you have successfully completed this screen and upgraded the SEN, you must update the environment variables for ALSID_CASSIOPEIA_CYGNI_Service__EventLogsStorage__Host and ALSID_CASSIOPEIA_EVENT_LOGS_DECODER_Service__EventLogsStorage__Host from the current value to the accurate value for <Storage Manager hostname or IP address>. For more information, see the Troubleshooting knowledge base article.

  11. Click Next.

    The Security Engine Node window appears.

  12. In the Host box, the installer shows the DNS name (preferred) or IP address of the web server that end users type to access Tenable Identity Exposure from your previous installation. Check that this remains valid and correct if necessary.

Note: By default, the installation process creates a self-signed certificate with the DNS name or the IP address that you entered. For more information, see Change the IIS Certificate.

  1. Click Next.

    The Directory Listener window appears.

  2. In the Ceti box, type the IP address or configured FQDN for the machine hosting the service in charge of the initial collection of AD objects (crawling) and of subscribing to replication flows.

  3. Click Next.

    The Ready to Install window appears.

  1. Click Install to begin the upgrade.

    After the upgrade completes, the Completing the Tenable.ad Setup Wizard window appears.

  2. Click Finish.

    A dialog box asks you to restart your machine.

  3. Click No.

    Caution:  Do NOT reboot the server now.

  4. Upgrade the Storage Manager.

  1. On the local machine, run the installation file Tenable.ad_v3.59.x.exe.

    A welcome screen appears.

  2. In the setup language box, click the arrow to select the language for the installation, and click Next.

    Setup language

    The Setup Wizard appears.

  1. Select the Expert Mode checkbox.

  1. Click Next.

    The Custom Setup window appears.

  2. The installation program automatically preselects the Storage Manager component based on the previous installation. Click Next.

  3. (Optional) Click Browse to change the installation folder location. Change only the drive letter.

    The TLS Options window appears.

  1. Select the TLS with custom certificates with peer verification option.

  2. Click Next.

    The TLS certificates window appears.

  3. Provide the following information:

    • In the Server PFX Archive box, click ... to browse to your PFX archive.

    • In the PFX Password box, type the password for the PFX file.

  1. Click Next.

    The Storage Manager window appears.

  1. The installer reuses the information from your previous installation. Click Next

    Note: If you change the SA password since the previous installation, the installer requires it to follow the syntax described in Strong Passwords for the SQL Server.

  1. Click Next.

    The Ready to Install window appears.

  1. Click Install to begin the upgrade.

    After the upgrade completes, the Completing the Tenable.ad Setup Wizard window appears.

  2. Click Finish.

    A dialog box asks you to restart your machine.

  3. Click Yes.

    The machine restarts.

  4. Restart Services.