CCS Hotfix 10128: CCS 12.5/12.5.1 Agent Update Hotfix for Required Certificates

book

Article ID: 209899

calendar_today

Updated On:

Products

Control Compliance Suite Standards Server Control Compliance Suite Control Compliance Suite Windows Control Compliance Suite Unix

Issue/Introduction

A Control Compliance Suite (CCS) 12.5/12.5.1 Agent Update hotfix is available to update required certificates on the agent. The updated certificates enable future upgrades to work without issues. 

You must apply this hotfix using the (Agent Product Update) APU mechanism prior to June 5, 2021. The current certificates will expire on June 5, 2021. If the certificates are not updated, Agent Product Update (APU) and Agent Content Update (ACU) jobs will not work on the agents and the agents will need to be upgraded manually for the APU and ACU jobs to work again. 

For additional details, including installation instructions, see the readme file that is included with the hotfix package. 

Cause

The Symantec certificate on 12.x.x agents that is used to authenticate APU or ACU jobs on the agent expires on June 5th 2021.  The Hotfix 10128 fix when implemented on your CCS 12.5 or 12.5.1 environment will create an Agent Product Update job that can be run on any 12.0, 12.0.1, 12.5 and 12.5.1 agent to update the agent to 12.5.1+ new Broadcom certificate that allows APU and ACU jobs to run on the agent after June 5th 2021.  If any 12.x.x agent is not updated with the new Broadcom certificate before June 5th 2021, then those agent will need to be manually upgraded to 12.5.2 (when it is available later this year) that will have the new Broadcom certificates applied.

NOTE: Only the APU and ACU jobs will be affected after June 5th 2021.  All data collection and CER (collection-evaluation-reporting) jobs will continue to work on any agents that have not been updated with the Broadcom certificate. 

Environment

Hotfix Release : Hotfix 10128

Component : CCS 12.5 and 12.5.1 agents

Resolution

Prerequisites

The following are the prerequisites to install this hotfix:

  • Ensure that the Control Compliance Suite 12.5 or 12.5.1 is installed.
  • Ensure that the Assembly Verifiers (Hotfix 10129) have been installed in your CCS environment (Link provided in the 'Additional Notes' below.)
  • You must have the local administrator privileges and the Control Compliance Suite administrator privileges.
  • You must take a backup of all the computers.
  • You must close all remote consoles before you install this hotfix.
  • You must ensure that you meet the prerequisites described in the Verifying prerequisites topic.

 

Deploying the updates on the CCS Managers component 

NOTE: This section is only applicable if you have CCS Agents on Windows 2019 Servers in your environment.  This 'Deploying the updates on the CCS Managers component' section can be skipped if you do not have CCS agents on Windows 2019 servers in your CCS environment.

On each CCS manager do the following:

  1. Extract the contents of the HF_10128_CCS_12.x_RU.zip file to a known location.
  2. On all of your CCS managers, stop the 'Symantec Data Processing Service'.
  3. Back up the following files, and then replace them with the updated version of these files that are available in HF_10128_CCS_12.x_RU.zip file:
    • Symantec.CSM.AgentManagement.TaskExecutor.dll
      • C:\Program Files (x86)\Symantec\CCS\Reporting and Analytics\DPS
    • CCSPlatformData.xml
      • C:\Program Files (x86)\Symantec\CCS\Reporting and Analytics\DPS
      • C:\Program Files (x86)\Symantec\CCS\Reporting and Analytics\ESM\Config
  4. Start the Symantec Data Processing Service (DPS).

 

Installing the Agent Update

To install the Agent Update

  1. Extract the CCS1250.12_50_10128_1060_CCS_AGENT_PU.zip file to the following location on the CCS Application Server:
    • C:\ProgramData\Symantec\CCS\LiveUpdateStaging\CCS_AGENT_PU
  2. On the CCS Console, click 'Admin' -> 'LiveUpdate', and then from the Common Tasks drop-down menu, select 'Check Updates'.
    • The CCS Agent Product Update, CCS1250.12_50_10128_1060_CCS_AGENT_PU, should be displayed on the LiveUpdate workspace.
  3. Run an Agent Product Update (APU) to apply the Hotfix to your CCS agents.
  4. To view the product update status for each agent, do one of the following:
    • In the 'Asset System' -> 'Agents' workspace, select an agent and under 'Agent Preview' panel, click the 'Last Upgrade Details' tab for additional information.
    • In the 'Jobs' workspace, select the 'Agent Product Update' job, right-click, and select 'Show Update Status'. You can now view the status of all the agents that are selected for the job in the 'Show update status' dialog box.
  5. After a successful job run, the agent version is changed to match the version of the applied release: Version 12.50.10128.1060

 

Hotfix File Information:

HF_10128_CCS_v12.5.1_APU.zip

MD5: 341b77a0aa6cf89eaf08ebc18753bf84

SHA1: cf06d9aedacab86780b80e4122d08bf71026635c

Additional Information

Official Hotfix 10128 Notification:

https://support.broadcom.com/external/content/critical-alert/CCS-12.5.1-Agent-Update-Hotfix-for-Required-Certificates/16891

KB for Assembly Verifier for 12.5/12.5.1:

https://knowledge.broadcom.com/external/article?articleId=161715

Attachments

HF_10128_CCS_v12.5.1_APU_1614967924217.zip get_app