CSP-96928: Patch instructions to upgrade Photon-OS Library, Tomcat template, and RabbitMQ server
search cancel

CSP-96928: Patch instructions to upgrade Photon-OS Library, Tomcat template, and RabbitMQ server

book

Article ID: 377094

calendar_today

Updated On:

Products

VMware

Issue/Introduction

This article provides important information for upgrading the Photon-OS Library, Tomcat template, and RabbitMQ server.

List of affected version

Product Component  

Version(s)

Applicable CVE(s) 

VMware Identity Manager Appliance

3.3.7 

CVE-2016-10195

CVE-2023-24998

CVE-2023-28708

CVE-2023-28709

CVE-2023-34981

CVE-2023-41080

CVE-2023-42794

CVE-2023-42795

CVE-2023-44487

CVE-2023-45648

CVE-2023-46589

CVE-2024-24549

CVE-2024-23672

Environment

VMware Identity Manager 3.3.x

Resolution

Before You Begin:

  1. It is recommended to upgrade instances of unsupported versions to newer, supported versions first before applying the patch. This procedure will not work for other versions. Please refer to the VMware Lifecycle Matrix https://support.broadcom.com/group/ecx/productlifecycle#/ for the list of supported versions of the product.

  2. It is strongly recommended to take a snapshot or backup of the Appliance(s) and the database server before applying the procedure.

  3. Verify the permission of /usr/local/horizon/conf/flags folder, it should be 777 for the patch to apply successfully.

Patch Deployment Procedure:

  1. Login as sshuser, sudo to root level access

  2. Check current rabbimq version and feature flag settings by commands below:

    /usr/lib/rabbitmq/lib/rabbitmq_server-<version>/sbin/rabbitmqctl version
    /usr/lib/rabbitmq/lib/rabbitmq_server-<version>/sbin/rabbitmqctl list_feature_flags

    If the rabbitmq version is prior to (not including) 3.11.x and feature flags are disabled, all features flags should be set to enabled before patch installation, in which rabbitmq 3.11.18 is inclused.

    Refer to the documentation below:

    Required feature flags in RabbitMQ 3.11.0

    "If the feature flags are not enabled, RabbitMQ 3.11.0+ will refuse to start."

    So commands below should be executed to enable all features flags then validate the settings:

    /usr/lib/rabbitmq/lib/rabbitmq_server-<version>/sbin/rabbitmqctl enable_feature_flag all
    /usr/lib/rabbitmq/lib/rabbitmq_server-<version>/sbin/rabbitmqctl list_feature_flags

    The result should be as below, all flags are enabled:



  3. Download and transfer CSP-96928-Appliance-3.3.7.zip to the virtual appliance. This zip file can be saved anywhere on the file system. Broadcom recommends SCP protocol to transfer the file to the appliance. Tools such as Winscp can also be used to transfer the file to the appliance.

  4. Unzip the file using the command below.
    unzip CSP-96928-Appliance-3.3.7.zip -d CSP-96928-Appliance-3.3.7

  5. Navigate to the files within the unzipped folder using the command below.
    cd CSP-96928-Appliance-3.3.7.zip

  6. Run the patch script using the below command
    ./CSP-96928-applyPatch.sh

  7. In the case of vIDM 3 node Cluster, if the LCM version is less than 8.14.0 and the cluster seems down after the patch deployment, the user will have to follow the KB (https://knowledge.broadcom.com/external/article/367175) after application of the patch on all the 3 nodes.

Note: If you are running a cluster deployment, repeat the steps above on all additional nodes of the cluster.

Patch Deployment Validations:

After the patch deployment, perform the below steps to confirm the patch has been applied successfully

  1. Login as an Administrator to the VIDM Console and verify the System Diagnostics page is green.

  2. If the patch is applied successfully you can find a flag file created as CSP-96928-3.3.7-hotfix.applied in the /usr/local/horizon/conf/flags directory.

  3. Login as a local administrator into the Service and navigate to the Legacy Connector page. Click on the Worker link and check whether the auth adapters load under the "Auth Adapters" tab. Click on any Enabled auth adapter and check if the page opens correctly. 

  4. Perform Directory Sync to validate users/groups are synced.

  5. Check in the UI portal, if all tabs open properly, including the cfg page https://<vidm-hostname>:8443

  6. Check the Admin Portal and the Connectors page shows the version as "3.3.7.0 Build 23103647"

Note: 

  • If you are running a cluster deployment, repeat the steps above on all additional nodes of the cluster.

  • Patch application should be sequential i.e Primary -> Secondary -> Secondary Nodes

  • User needs to run Remediate action from LCM on the vIDM cluster if vRLCM version is 8.12.0 and below

  • For vRLCM version 8.14.0 and above, Auto recovery would take care of the cluster health on reboot.

  • This is a cumulative patch and this will perform an installation of other patches including CSP-95247, CSP-93316, CSP-91401, CSP-90495, HW-189454, and HW-170932.

Related Information:

To revert this patch, you can revert to the appliance(s) snapshot and the database backup taken before applying these steps. 

Powered by Wolken Software