Help Center/ SecMaster/ User Guide/ Settings/ Data Collection/ Upgrading the Component Controller
Updated on 2024-11-06 GMT+08:00

Upgrading the Component Controller

Scenarios

This topic describes how to upgrade the component controller from salt-minion to isap-agent for tenant-side data collection. salt-minion was used as component controller in earlier tenant-side data collection.

The upgrade does not affect the data plane.

Preparing for the Upgrade

IAM is used for data collection authorization. You need to create an IAM user with the minimum permission to access SecMaster APIs and disable verification rules such as MFA for the user.
  1. Log in to the management console.
  2. Click in the upper left corner of the page and choose Management & Governance > Identity and Access Management.
  3. Create a user group.
    1. In the navigation pane on the left, choose User Groups. On the displayed page, click Create User Group in the upper right corner.
    2. On the Create User Group page, specify user group name and description.
      • Name: Set this parameter to Tenant collection.
      • Description: Enter a description.
    3. Click OK.
  4. Assign permissions to the user group.
    1. In the navigation pane on the left, choose Permissions > Policies/Roles. In the upper right corner of the displayed page, click Create Custom Policy.
    2. Configure a policy.
      • Policy Name: Set this parameter to Least permission policy for tenant collection.
      • Policy View: Select JSON.
      • Policy Content: Copy the following content and paste it in the text box.
        { 
            "Version": "1.1", 
            "Statement": [ 
                { 
                    "Effect": "Allow", 
                    "Action": [ 
                        "secmaster:workspace:get", 
                        "secmaster:node:create", 
                        "secmaster:node:monitor", 
                        "secmaster:node:taskQueueDetail" ,
                        "secmaster:node:updateTaskNodeStatus" 
                    ] 
                } 
            ] 
        }
    3. Click OK.
  5. Assign permissions to the created user group.
    1. In the navigation pane on the left, choose User Groups. On the displayed page, click Tenant collection.
    2. On the Permissions tab, click Authorize.
    3. On the Select Policy/Role page, search for and select the Least permission policy for tenant collection added in 4, and click Next.
    4. Set the minimum authorization scope. Select All resources for Scope. After the setting is complete, click OK.
    5. Verify the authorization. The policy will be listed on the page.
  6. Create a user.

    During the creation, enable Programmatic access, Access key, and Password.

  7. Add the operation account to the user group.
    1. In the navigation pane on the left, choose User Groups.
    2. In the Tenant collection user group row, click Manage User in the Operation column.
    3. In the displayed Manage User dialog box, select users added in 6.
    4. Click OK.

Procedure

  1. Log in to the management console.
  2. Click in the upper left corner of the management console and select a region or project.
  3. Click in the upper left corner of the page and choose Security & Compliance > SecMaster.
  4. In the navigation pane on the left, choose Workspaces > Management. In the workspace list, click the name of the target workspace.

    Figure 1 Workspace management page

  5. Deregister a node.

    1. In the navigation pane on the left, choose Settings > Components. On the displayed Nodes tab, locate the row that contains the target node and click Deregister in the Operation column.
    2. In the displayed dialog box, click OK.

      The node is deregistered successfully, and its Health Status changes to Disconnected.

  6. Copy the script.

    1. On the Nodes page, click Create.
    2. On the Create Node page, click Next. On the Verify installed Script page, copy the script.

  7. Install the component controller.

    1. Use a remote management tool, such as Xftp, SecureFX, WinSCP, PuTTY, or Xshell, to log in to the disconnected ECS node.
    2. Run the command copied in 6.b as user root to install the Agent on the ECS.
      Figure 2 Installing the agent
    3. Enter the IAM username and password created in Preparing for the Upgrade as prompted.
    4. If information similar to the following is displayed, the agent is successfully installed:
      install isap-agent successfully
    5. Go to the SecMaster console and check the node status on the Nodes page under Settings.

  8. Delete the old management channel.

    1. Choose Settings > Components > Nodes and click Create. On the Create Node pane displayed, click Delete in the Operation column in the row of each the management.
    2. In the displayed dialog box, click OK.