CSP-102092 Patch Instructions for VMware Identity Manager 3.3.7 and VMware Aria Suite Lifecycle 8.18.0 Patch 5

Article ID: 412021

Products

VMware Aria Suite

Issue/Introduction

This article provides instructions for upgrading VMware Identity Manager 3.3.7 to the CSP-102092 patch. It also covers the subsequent installation of VMware Aria Suite Lifecycle 8.18 Patch 5, which is a required step after patching Identity Manager.

Applying these patches addresses known issues, improves security, and enhances system stability.

Important Pre-Patch Instructions

Before proceeding, you must complete the following prerequisites to ensure a successful patch process and prevent service interruptions.

  1. Take and Retain Snapshots
    Create non-memory snapshots of the VMware Identity Manager and VMware Aria Suite Lifecycle appliances in vCenter. Ensure the environments are in a healthy, stable state before taking the snapshots. Retain the snapshots; do not delete them until the environment is fully functional.

  2. Follow the Correct Patching Sequence
    The order of operations is critical. You must patch the products in sequence, from Step 1 to Step 4, within the same maintenance window.

  3. If vIDM is configured using an NSX Load Balancer, verify the NSX-T version. Do not proceed with the upgrade if the NSX-T version is lower than 4.2.3.0.0; in that case, contact Broadcom Support.

Avoid any manual actions not mentioned in the article. Do not perform operations in vIDM or LCM until the KB steps are fully completed.

If the patch installation fails, collect log bundles from vIDM and Aria Suite Lifecycle Manager before reverting to snapshots, because reverting removes the failure details needed to analyze the issue.

Environment

  • VMware Identity Manager 3.3.7
  • VMware Aria Suite Lifecycle 8.18.0

Resolution

Step 1: VMware Identity Manager CSP-102092 Patch Deployment

Prerequisites

  • Ensure your VMware Identity Manager is at version 3.3.7 GA or has a previously applied patch. Upgrade any unsupported versions before proceeding.
  • Refer to the VMware Product Lifecycle Matrix for a list of supported versions.
  • Estimated Downtime: Approximately 1 hour for each product patch (vIDM and Aria Suite Lifecycle).
  • Ensure that 15 GB of free disk space is available in the patch installation location.
  • Grub has been upgraded to version 2. Please review the installation guide for grub2 here.

Note: This is a cumulative patch and will apply all previous fixes if they are not already installed.

Deployment Type Instructions

  • For Cluster Deployments: Patch nodes sequentially in the order of Primary → Secondary 1 → Secondary 2. Do not patch nodes in parallel.
  • For Single-Node Deployments: Apply the patch directly to the node.

Patching Steps (perform on each node)

  1. SSH into the VMware Identity Manager appliance as sshuser.
  2. Elevate to the root user:
    sudo su -
  3. Download the CSP-102092-Appliance-3.3.7-Patch.zip file and transfer it to the appliance (e.g., into a /db/vidm-upgrade folder) using SCP or WinSCP.
  4. Unzip the patch file:
    unzip CSP-102092-Appliance-3.3.7-Patch.zip
  5. (Optional) Clean up the zip file to reclaim space:
    rm -f CSP-102092-Appliance-3.3.7-Patch.zip
  6. Change to the patch directory:
    cd CSP-102092-Appliance-3.3.7-Patch
  7. Run the patch automation script:
    ./CSP-102092-patch-automation.sh -f CSP-102092-Appliance-3.3.7.zip -r
  8. The system will reboot automatically after the patch installation is complete.
  Example of successful console output:

    root@vidm-machine [ /db/CSP-102092-Appliance-3.3.7-Patch ]# ./CSP-102092-patch-automation.sh -f CSP-102092-Appliance-3.3.7.zip -r
    YYYY-MM-DD 07:17:48 - All checks passed for ZIP '/db/CSP-102092-Appliance-3.3.7.zip'.
    YYYY-MM-DD 07:17:48 - Running on node: <vidm-machine.domain.com>
    YYYY-MM-DD 07:17:48 - grub2 detected: /boot/grub2/grub.cfg exists
    YYYY-MM-DD 07:17:49 - Cluster size detected: 3
    YYYY-MM-DD 07:17:49 - Extracting patch bundle
    YYYY-MM-DD 07:18:30 - Running prepare-vidm-patch.sh on this node (once per cluster)
    YYYY-MM-DD 07:18:30 - Running patch script: CSP-102092-applyPatch.sh
    YYYY-MM-DD 07:18:30 - Tail the log file /opt/vmware/var/log/update/vidm-CSP-102092-update.log for live logs..
    YYYY-MM-DD 07:18:30 - Pre-checks passed successfully.
    YYYY-MM-DD 07:18:31 - Previous patches are not applied, applying now...
    YYYY-MM-DD 07:21:37 - Previous patches applied successfully
    YYYY-MM-DD 07:21:37 - Applying current patch CSP-102092...
    YYYY-MM-DD 07:25:44 - Created update.success marker file.
    YYYY-MM-DD 07:25:55 - Patch CSP-102092 applied successfully.
    YYYY-MM-DD 07:26:05 - Validating CSP-102092 patch status...
    YYYY-MM-DD 07:26:05 - CSP-102092 Patch applied successfully and flag file is present.
    YYYY-MM-DD 07:26:05 - Rebooting system...

  9. Once the vIDM patch is successfully applied and the system reaches "[ OK ] Reached target Cloud-init target" after a successful boot, run the following commands to display the blue screen on the console.
    Start Services in VMware Identity Manager: SSH into the vIDM node(s) and run the commands below to ensure the Getty services are running.
    systemctl enable [email protected]
    systemctl start [email protected]

IMPORTANT: VMware Identity Manager services will not be operational until VMware Aria Suite Lifecycle 8.18 Patch 5 is also applied.
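
Before patching the next cluster node, it is worth confirming that the run on the current node reached every success message shown in the example output. The script below is an added example, not part of this KB or the patch bundle; `verify_patch_output` and `sample_output` are hypothetical names, and it assumes the console output of the automation script was saved to a file (for example with `tee`).

```bash
#!/usr/bin/env bash
# Added example; not part of the KB article or the patch bundle.
# Confirms that captured output of CSP-102092-patch-automation.sh contains
# the success messages from the article's example output, in order.

# Messages copied from the example console output above.
MILESTONES='Pre-checks passed successfully.
Created update.success marker file.
Patch CSP-102092 applied successfully.
CSP-102092 Patch applied successfully and flag file is present.'

# verify_patch_output FILE (hypothetical helper)
# Returns 0 when every milestone appears in order, 1 when one is missing
# or out of order, 2 when FILE cannot be read.
verify_patch_output() {
  local file=$1 line=0 next milestone
  [ -r "$file" ] || { echo "cannot read: $file" >&2; return 2; }
  while IFS= read -r milestone; do
    # Search only below the previous match so that order is enforced.
    next=$(tail -n "+$((line + 1))" "$file" |
      grep -nF -- "$milestone" | head -n 1 | cut -d: -f1)
    if [ -z "$next" ]; then
      echo "missing or out of order: $milestone" >&2
      return 1
    fi
    line=$((line + next))
  done <<EOF
$MILESTONES
EOF
}

# Constructed sample (dates invented) modelled on the article's output.
sample_output() {
  cat <<'EOF'
2025-01-01 07:18:30 - Pre-checks passed successfully.
2025-01-01 07:21:37 - Applying current patch CSP-102092...
2025-01-01 07:25:44 - Created update.success marker file.
2025-01-01 07:25:55 - Patch CSP-102092 applied successfully.
2025-01-01 07:26:05 - CSP-102092 Patch applied successfully and flag file is present.
EOF
}

# Demo: check the constructed sample, or a real capture passed as $1.
capture=${1:-$(mktemp)}
[ -n "${1:-}" ] || sample_output > "$capture"
verify_patch_output "$capture" && echo "all success milestones present"
```

A non-zero exit status on any node is a reason to stop, collect the log bundles, and not continue to the next node in the sequence.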

 

Step 2: VMware Aria Suite Lifecycle Patch 5 Installation: Patch 5 Release Notes

  1. Copy the prep-for-upgrade-lcm.sh script (attached to the KB article) to the /data directory on the appliance and execute it:
    cd /data
    chmod +x prep-for-upgrade-lcm.sh
    ./prep-for-upgrade-lcm.sh
  2. (If upgrading from Patch 3 to Patch 5) Delete temporary folders from previous patch attempts by running the following commands:
    rm -r /data/tmp-patch-8180
    rm -r /data/tmp-patch-10318114
    rm -r /data/tmp_patch_storage
  3. Download the vrslcm-8.18.0-Patch5.patch file from the Broadcom Support Portal.
  4. Copy the downloaded patch file to the /data directory on the Aria Suite Lifecycle appliance.
  5. Map the patch binary in the UI. Navigate to Lifecycle Operations > Settings > Binary Mapping and click Patch Binaries.
    • Delete any old patch binaries that may be listed.
    • Enter the local path (e.g., /data) in the Source Location field and click Discover.
    • Select the discovered Patch 5 file and click Add.
  6. Install the patch. Navigate to Lifecycle Operations > Settings > System Patches and click Install Patch.
  7. Wait for the installation to complete. The process takes approximately 20 minutes and will conclude with the appliance rebooting.
  8. After the appliance reboots, log in to the VMware Aria Suite Lifecycle UI, navigate to the About page, and verify that the version is listed as 8.18.0 Patch 5.
  9. SSH to the appliance and check the Photon OS version. Note that the build number will not change if you are patching from Patch 3 to Patch 5.
    # cat /etc/photon-release
    VMware Photon OS 5.0
    PHOTON_BUILD_NUMBER=b9d98344d
  10. (vIDM Cluster Only) Patch the Postgres cluster in Aria Suite Lifecycle. In the Aria Suite Lifecycle UI, navigate to:
    Life Cycle Operations > Environments > Global Environment > View Details > Patch Postgres Cluster
    (Note: If this option is not visible, try accessing the UI from a private/incognito browser window.)
  11. Map the updated vIDM OVA in Aria Suite Lifecycle.
  12. Start services in VMware Identity Manager. SSH into the vIDM node(s) and ensure the OpenSearch and Getty services are running:
    /etc/init.d/opensearch status
    /etc/init.d/opensearch start

Logs to Monitor

You can monitor the progress of the patch installation by tailing the following log files on the Aria Suite Lifecycle appliance:

/var/log/vrlcm/os-package-update.log
/var/log/vrlcm/patchcli.log

Known Issue: /tmp Directory Space

Potential Issue

During the installation, you may encounter an error with code LCMPATCHUPDATE16002. This error indicates that there is not enough free space in the /tmp directory for the patch to be extracted.

If this occurs, please refer to KB 345990 for instructions on how to temporarily increase the space in the /tmp directory.

 

Step 3: Post Patch Validation

  1. Log in to the VMware Identity Manager Console and confirm the System Diagnostics page shows a green status.
  2. Verify Legacy Connector functionality by ensuring the Auth Adapters load and open without errors.
  3. Perform a Directory Sync and confirm that users and groups are synchronized correctly.
  4. Check the UI portal (including the config page at https://<vidm-hostname>:8443) for full functionality.
  5. Confirm the new version on the Admin Portal and Connectors page is 3.3.7.0 Build 24966008.

Step 4: Rollback Procedure

To revert this patch, restore the VMware Identity Manager appliance(s) and the Aria Suite Lifecycle appliance from the snapshots taken during the prerequisite phase.

Additional Information

Included Fixes from Previous Patches

This cumulative update includes all fixes from the following previously released patches. For a detailed list of CVEs or components addressed by a specific patch, refer to its original knowledge base article.

Patch ID  | Summary of Fixes | Link
CSP-99024 | Addresses numerous security vulnerabilities in Photon OS and third-party components. | KB 387748
CSP-97727 | Upgrades Photon OS, Tomcat, and RabbitMQ to address vulnerabilities. | KB 380348
CSP-97577 | Upgrades multiple platform components, including Java and Tomcat. | KB 404054
CSP-96928 | Upgrades Photon OS, Tomcat, and RabbitMQ to address several vulnerabilities. | KB 377094
CSP-95247 | Addresses two security vulnerabilities in Photon OS. | KB 373159
CSP-93316 | Upgrades the Java version to address multiple vulnerabilities. | KB 369294
CSP-91401 | Upgrades OpenSSH to fix CVE-2023-38408. | KB 327324
CSP-90495 | Upgrades Angular XLTS to address licensing and CVEs. | KB 327323
HW-189454 | Upgrades JQuery and Java versions to address multiple vulnerabilities. | KB 327326
HW-170932 | Addresses VMSA-2023-0011 (CVE-2023-20884) and updates the connector. | KB 369609

Attachments

prep-for-upgrade-lcm.sh