Upgrade Tenable Identity Exposure

Required User Role: Administrator on the local machine

Before you start

  • Download the executable programs for Tenable Identity Exposure and Secure Relay from Tenable’s Downloads site.

  • Review Pre-deployment Requirements for TLS Certificates, Account Privileges, Antivirus (AV) and Endpoint Detection and Response (EDR), among other upgrade requirements.

The upgrade to Tenable Identity Exposure version 3.93 from previous versions requires adapting your previous architecture to include the Secure Relay component. Before you upgrade, review carefully and understand the changes explained in the following sections:

Caution: From Tenable Identity Exposure version 3.59.5 onwards, ensure that your TLS certificates use OpenSSL 3.0.x. See Pre-deployment Requirements for more information.

Upgrade Path

To upgrade to the latest version of Tenable Identity Exposure, you must follow one of these installation paths: 

  • 2.7 -> 3.1 -> 3.11 -> 3.19 -> 3.29 -> 3.42 -> 3.93.

  • 3.x -> 3.59 -> 3.77 -> 3.93.

    Tip: If you are upgrading from v. 3.59, the Secure Relay installation and configuration are automatic.
Note: You can upgrade to the next major release from any minor release.

Upgrade Order

  • From Tenable Identity Exposure 3.42 to 3.93, proceed in the following order:

  • From Tenable Identity Exposure 3.59 or 3.77 to 3.93, proceed in the following order:

Before you start

  • Take a snapshot of your environment before you upgrade. If the upgrade fails, Tenable Identity Exposure support cannot perform a rollback, and this results in a fresh installation and causes you to lose your previous data. See Backups for complete information.

  • Back up and restore the Storage Manager. Tenable strongly recommends that you back up the Storage Manager before you upgrade. For instructions on how to back up or restore MSSQL, see the official Microsoft documentation.

  • Consider the downtime: Depending on your environment and the magnitude of the upgrade, downtime can range from minutes to several hours. Factor this into your scheduling and communication plan. Inform impacted users of the scheduled downtime and potential service disruption.

  • Download the executable programs for Tenable Identity Exposure and Secure Relay from Tenable’s Downloads site.

  • Run the installer as an administrator on the local machine.

  • Restart your server before launching the Tenable Identity Exposure installer for each component.

Upgrade Procedures

The following procedures upgrade the Tenable Identity Exposure components in TLS with autogenerated and self-signed certificates (Default). For more information, see TLS Installation Types.

Note: The "No TLS" installation defaults to this mode.

Directory Listener

To upgrade the Directory Listener:

  1. On the local machine, restart the server and run the Tenable Identity Exposure 3.93 On-Premises installer.

    A welcome screen appears.

  2. In the setup language box, select the language for the installation from the drop-down list and click Next.

    The Setup Wizard appears. The Expert mode checkbox is selected by default.

  1. Click Next.

    The Custom Setup window appears.

  2. The installation program automatically preselects the Directory Listener component based on your previous installation. Click Next.

    The TLS Options window appears.

  3. Select the TLS with autogenerated and self-signed certificates (Default) option.

    Optional: If you select TLS with custom certificates without peer verification or TLS with custom certificates with peer verification, the next TLS certificates screen asks you to provide the following information:

    • In the Server PFX Archive box, click ... to browse to your PFX archive.

    • In the PFX Password box, type the password for the PFX file.

    • In the CA Cert File box, click ... to browse to your CA certificate file.

  1. Click Next.

    The Security Engine Node window appears.

  2. In the Host box for RabbitMQ, type the IP address for the Security Engine Node (or the IP address for the Security Engine Node hosting RabbitMQ if you use a split architecture.)

    Caution: If you leave the default value "127.0.0.1" and click "Next", the installer fails and rolls back.

  1. Click Next.

    The Directory Listener window appears.

  2. You have two options whether to install the Secure Relay on this Directory Listener:

    • Yes — After this installation completes and the Directory Listener reboots, the Secure Relay installer launches.

    • No — You select to install the Secure Relay at a later time or on a separate server (see Secure Relay Architectures for On-Premises Platforms.) A message shows you the location of the Secure Relay installer. A Secure Relay is mandatory whether you install it on the Directory Listener machine or on a separate machine.

  1. Click Next.

    The Ready to Install window appears.

  2. Click Install to begin the upgrade.

    After the upgrade completes, the Completing the Tenable Identity Exposure Setup Wizard window appears.

  3. Click Finish.

    A dialog box asks you to restart your machine.

  4. Click No.

    Caution:  Do NOT reboot the machine now. Follow the restart order after the upgrade of all servers.

  5. Upgrade the Security Engine Node (SEN).

Security Engine Node

To upgrade the SEN:

  1. On the local machine, restart the server and run the Tenable Identity Exposure 3.93 On-Premises installer.

    A welcome screen appears.

  2. In the setup language box, click the arrow to select the language for the installation, and click Next.

    The Setup Wizard appears. The Expert mode checkbox is selected by default.

  3. Click Next.

    The Custom Setup window appears.

  4. The installation program automatically preselects the SEN component based on your previous installation. Click Next.

    The TLS Options window appears.

  5. Select the TLS with autogenerated and self-signed certificates (Default) option.

    Optional: If you select TLS with custom certificates without peer verification or TLS with custom certificates with peer verification, the next TLS certificates screen asks you to provide the following information:

    • In the Server PFX Archive box, click ... to browse to your PFX archive.

    • In the PFX Password box, type the password for the PFX file.

    • In the CA Cert File box, click ... to browse to your CA certificate file.

  6. Click Next.

    The Storage Manager window appears.

  7. Verify or enter the following information:

    • In the Host box, check that your MSSQL database's FQDN or IP address from your previous installation remains valid and correct it if necessary.

    • In the Event Logs Storage box, type the IP address of the machine storing your event logs, which is typically the same as the MSSQL database IP address.

    Note: If you changed the SA password since the previous installation, the installer requires an SA password containing only alphanumeric characters for the SQL Server. Using special characters causes the installer to fail.

    Caution: Remember to update the Event Logs Storage IP or hostname address during this step. Failing to do so leads to attack detection issues. If you have successfully completed this screen and upgraded the SEN, you must update the environment variables for TENABLE_CASSIOPEIA_CYGNI_Service__EventLogsStorage__Host and TENABLE_CASSIOPEIA_EVENT_LOGS_DECODER_Service__EventLogsStorage__Host from the current value to the accurate value for <Storage Manager hostname or IP address>. For more information, see the Troubleshooting knowledge base article.

  8. Click Next.

    The Security Engine Node window appears.

  9. In the DNS name or IP box, the installer shows the DNS name (preferred) or IP address of the web server that end users type to access Tenable Identity Exposure from your previous installation. Check that this remains valid and correct if necessary.

  1. Click Next.

    The Directory Listener window appears.

  2. In the Ceti box, type the IP address for the Directory Listener.

  3. Click Next.

    The Ready to Install window appears.

  4. Click Install to begin the upgrade.

    After the upgrade completes, the Completing the Tenable Identity Exposure Setup Wizard window appears.

  5. Click Finish.

    A dialog box asks you to restart your machine.

  6. Click No.

    Caution:  Do NOT reboot the server now. Follow the restart order after the upgrade of all servers.

  7. Upgrade the Storage Manager.

Storage Manager

To upgrade the Storage Manager:

  1. On the local machine, restart the server and run the Tenable Identity Exposure On-Premises installer.

    A welcome screen appears.

  2. In the setup language box, click the arrow to select the language for the installation, and click Next.

    The Setup Wizard appears. The Expert Mode checkbox is selected by default.

  1. Click Next.

    The Custom Setup window appears. The installation program automatically preselects the Storage Manager component based on the previous installation.

  2. Click Next.

  3. (Optional) Click Browse to change the installation folder location. Change only the drive letter.

    The TLS Options window appears.

  4. Select the TLS with autogenerated and self-signed certificates (Default) option.

    Optional: If you select TLS with custom certificates without peer verification or TLS with custom certificates with peer verification, the TLS certificates screen asks you to provide the following information:

    • In the Server PFX Archive box, click ... to browse to your PFX archive.

    • In the PFX Password box, type the password for the PFX file.

  5. Click Next.

    The Storage Manager window appears.

  6. The installer reuses the information from your previous installation. Click Next.

    Note: If you changed the SA password since the previous installation, the installer requires an SA password containing only alphanumeric characters for the SQL Server. Using special characters causes the installer to fail.

  1. Click Next.

    The Ready to Install window appears.

  1. Click Install to begin the upgrade.

    After the upgrade completes, the Completing the Tenable Identity Exposure Setup Wizard window appears.

  2. Click Finish.

    A dialog box asks you to restart your machine.

  3. Click Yes.

    The machine restarts.

  4. Restart the SEN.

  5. Restart the DL.

  6. Install the Secure Relay for Tenable Identity Exposure 3.93 using a separate installer.

  1. Review Secure Relay Requirements.

  2. Select Secure Relay Architectures for On-Premises Platforms.

  3. Install the Secure Relay for Tenable Identity Exposure 3.93.