CSP-102092 Patch Instructions for VMware Identity Manager 3.3.7

Article ID: 412021

Products

VMware Aria Suite

Issue/Introduction

This article provides instructions for applying the CSP-102092 patch to VMware Identity Manager 3.3.7. It also covers the subsequent installation of VMware Aria Suite Lifecycle 8.18 Patch 5, which is a required step after patching Identity Manager.

Applying these patches addresses known issues, improves security, and enhances system stability.


Important Pre-Patch Instructions

Before proceeding, you must complete the following prerequisites to ensure a successful patch process and prevent service interruptions.

  1. Take Snapshots
    Create non-memory snapshots of the VMware Identity Manager and VMware Aria Suite Lifecycle appliances in vCenter. Ensure the environments are in a healthy, stable state before taking the snapshots.
  2. Follow the Correct Patching Sequence
    The order of operations is critical. You must patch the products in the following sequence within the same maintenance window:
    • Step 1: Patch VMware Identity Manager first by following the instructions in KB 412021.
    • Step 2: After the Identity Manager patch is complete and verified, patch VMware Aria Suite Lifecycle by following the instructions in KB 412142.
  3. Retain Snapshots
    Do not delete the snapshots taken in the first step until the entire patching process for both products has been completed and you have verified that the environment is fully functional.

Environment

  • VMware Identity Manager 3.3.7
  • VMware Aria Suite Lifecycle 8.18.0

Resolution

Prerequisites

  • Ensure your VMware Identity Manager is at version 3.3.7 GA or has a previously applied patch. Upgrade any unsupported versions before proceeding.
  • Refer to the VMware Product Lifecycle Matrix for a list of supported versions.
  • Take snapshots of the VMware Identity Manager appliance(s) and database before starting the patch process.
  • Estimated Downtime: Approximately 1 hour for each product patch (vIDM and Aria Suite Lifecycle).
  • Ensure there is sufficient disk space in /db/: 15 GB.
  • GRUB has been upgraded to version 2; review the installation guide for grub2.
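
A pre-flight gate for the disk-space and grub2 prerequisites above, as an added example that is not part of the vendor article or its patch scripts. The function names and the script name preflight.sh are hypothetical; the /db and 15 GB defaults come from the prerequisites, and /boot/grub2/grub.cfg is the path the patch script reports in the sample console output later in this article.

```shell
#!/bin/sh
# Added example, not vendor code: gate the patch on the prerequisites above.

# free_gb DIR: print whole GB available on the filesystem that holds DIR.
free_gb() {
    df -Pk "$1" 2>/dev/null | awk 'NR == 2 { print int($4 / 1024 / 1024) }'
}

# has_space DIR MIN_GB: succeed only if at least MIN_GB is free under DIR.
has_space() {
    avail=$(free_gb "$1")
    [ -n "$avail" ] && [ "$avail" -ge "$2" ]
}

# grub2_present CFG: succeed if the grub2 config file exists. The default path
# used by preflight() is the one shown in the article's sample output.
grub2_present() {
    [ -f "$1" ]
}

# preflight [DIR] [MIN_GB] [GRUB_CFG]: run every check, report each result,
# and return non-zero if any failed so a wrapper can stop before unzip.
preflight() {
    dir=${1:-/db}
    min=${2:-15}
    cfg=${3:-/boot/grub2/grub.cfg}
    rc=0
    if has_space "$dir" "$min"; then
        echo "PASS: $(free_gb "$dir") GB free in $dir (need $min)"
    else
        echo "FAIL: less than $min GB free in $dir, or $dir is missing"
        rc=1
    fi
    if grub2_present "$cfg"; then
        echo "PASS: grub2 config found at $cfg"
    else
        echo "FAIL: $cfg not found; review the grub2 installation guide"
        rc=1
    fi
    return "$rc"
}

# Usage on the appliance (hypothetical script name): sh preflight.sh /db 15
if [ "$#" -gt 0 ]; then
    preflight "$@"
fi
```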

Part 1: VMware Identity Manager CSP-102092 Patch Deployment

Note: This is a cumulative patch and will apply all previous fixes if they are not already installed.

Deployment Type Instructions

  • For Cluster Deployments: Patch nodes sequentially in the order of Primary → Secondary 1 → Secondary 2. Do not patch nodes in parallel.
  • For Single-Node Deployments: Apply the patch directly to the node.

Patching Steps (perform on each node)

  1. SSH into the VMware Identity Manager appliance as sshuser.
  2. Elevate to the root user:
    sudo su -
  3. Download the CSP-102092-Appliance-3.3.7-Patch.zip file and transfer it to the appliance (e.g., into a /db/vidm-upgrade folder) using SCP or WinSCP.
  4. Unzip the patch file:
    unzip CSP-102092-Appliance-3.3.7-Patch.zip
  5. (Optional) Clean up the zip file to reclaim space:
    rm -f CSP-102092-Appliance-3.3.7-Patch.zip
  6. Change to the patch directory:
    cd CSP-102092-Appliance-3.3.7-Patch
  7. Run the patch automation script:
    ./CSP-102092-patch-automation.sh -f CSP-102092-Appliance-3.3.7.zip -r
  8. The system will reboot automatically after the patch installation is complete.

Example of Successful Console Output

root@vidm-machine [ /db/CSP-102092-Appliance-3.3.7-Patch ]# ./CSP-102092-patch-automation.sh -f CSP-102092-Appliance-3.3.7.zip -r
YYYY-MM-DD 07:17:48 - All checks passed for ZIP '/db/CSP-102092-Appliance-3.3.7.zip'.
YYYY-MM-DD 07:17:48 - Running on node: <vidm-machine.domain.com>
YYYY-MM-DD 07:17:48 - grub2 detected: /boot/grub2/grub.cfg exists
YYYY-MM-DD 07:17:49 - Cluster size detected: 3
YYYY-MM-DD 07:17:49 - Extracting patch bundle
YYYY-MM-DD 07:18:30 - Running prepare-vidm-patch.sh on this node (once per cluster)
YYYY-MM-DD 07:18:30 - Running patch script: CSP-102092-applyPatch.sh
YYYY-MM-DD 07:18:30 - Tail the log file /opt/vmware/var/log/update/vidm-CSP-102092-update.log for live logs..
YYYY-MM-DD 07:18:30 - Pre-checks passed successfully.
YYYY-MM-DD 07:18:31 - Previous patches are not applied, applying now...
YYYY-MM-DD 07:21:37 - Previous patches applied successfully
YYYY-MM-DD 07:21:37 - Applying current patch CSP-102092...
YYYY-MM-DD 07:25:44 - Created update.success marker file.
YYYY-MM-DD 07:25:55 - Patch CSP-102092 applied successfully.
YYYY-MM-DD 07:26:05 - Validating CSP-102092 patch status...
YYYY-MM-DD 07:26:05 - CSP-102092 Patch applied successfully and flag file is present.
YYYY-MM-DD 07:26:05 - Rebooting system...
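
A check that a saved transcript of the patch run contains each success milestone from the sample output above, in order, as an added example that is not part of the vendor article or its scripts. It assumes the console output was captured to a file (the name run.log and the function name verify_patch_log are hypothetical); the demo transcript inside the block is constructed from the sample lines.

```shell
#!/bin/sh
# Added example, not vendor code: confirm a saved console transcript of the
# patch run shows every success milestone from the sample output, in order.

# Milestone text copied from the sample output, timestamps stripped.
# "Previous patches applied successfully" is left out because it only
# appears when earlier patches were missing.
MILESTONES='All checks passed for ZIP
Pre-checks passed successfully.
Patch CSP-102092 applied successfully.
CSP-102092 Patch applied successfully and flag file is present.
Rebooting system...'

# verify_patch_log FILE: return 0 if all milestones appear in order, 1 if one
# is missing or out of order (named on stdout), 2 if FILE is unreadable.
verify_patch_log() {
    log=$1
    [ -r "$log" ] || { echo "cannot read $log" >&2; return 2; }
    last=0
    while IFS= read -r want; do
        # Fixed-string search that starts after the previous match.
        n=$(awk -v from="$last" -v s="$want" \
            'NR > from && index($0, s) { print NR; exit }' "$log")
        if [ -z "$n" ]; then
            echo "MISSING after line $last: $want"
            return 1
        fi
        last=$n
    done <<EOF
$MILESTONES
EOF
    echo "OK: all milestones present, last at line $last"
}

# Demo on a constructed transcript. A real run would be captured with e.g.
#   ./CSP-102092-patch-automation.sh -f CSP-102092-Appliance-3.3.7.zip -r 2>&1 | tee run.log
demo=$(mktemp)
cat > "$demo" <<'EOF'
YYYY-MM-DD 07:17:48 - All checks passed for ZIP '/db/CSP-102092-Appliance-3.3.7.zip'.
YYYY-MM-DD 07:18:30 - Pre-checks passed successfully.
YYYY-MM-DD 07:25:55 - Patch CSP-102092 applied successfully.
YYYY-MM-DD 07:26:05 - CSP-102092 Patch applied successfully and flag file is present.
YYYY-MM-DD 07:26:05 - Rebooting system...
EOF
verify_patch_log "$demo"
rm -f "$demo"
```

In a cluster, run it against each node's transcript before moving on to the next node in the Primary → Secondary 1 → Secondary 2 order.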

Part 2: VMware Aria Suite Lifecycle Patch 5 Installation

IMPORTANT: VMware Identity Manager services will not be operational until VMware Aria Suite Lifecycle 8.18 Patch 5 is also applied.

  1. Follow the instructions in the VMware Aria Suite Lifecycle 8.18 Patch 5 Installation Runbook.
  2. Review the Patch 5 Release Notes for additional information.

Part 3: Post-Patching Actions

After applying both patches, complete the following tasks:

  • Cluster Deployments: Perform steps 1, 2, and 3.
  • Single-Node Deployments: Perform steps 2 and 3 only.
  1. (Cluster Only) Patch Postgres Cluster in Aria Suite Lifecycle
    In the Aria Suite Lifecycle UI, navigate to:
    Life Cycle Operations > Environments > Global Environment > View Details > Patch Postgres Cluster
    (Note: If this option is not visible, try accessing the UI from a private/incognito browser window.)
  2. Map Updated vIDM OVA in Aria Suite Lifecycle
    Download the new vIDM OVA (identity-manager-3.3.7.0-24966008_OVF10.ova) and map the binary in Aria Suite Lifecycle to ensure future lifecycle operations function correctly.
  3. Start Services in VMware Identity Manager
    SSH into the vIDM node(s) and ensure the OpenSearch and Getty services are running:
    /etc/init.d/opensearch status
    /etc/init.d/opensearch start
    
    systemctl enable [email protected]
    systemctl start [email protected]

Part 4: Patch Deployment Validation

  1. Log in to the VMware Identity Manager Console and confirm the System Diagnostics page shows a green status.
  2. Verify Legacy Connector functionality by ensuring the Auth Adapters load and open without errors.
  3. Perform a Directory Sync and confirm that users and groups are synchronized correctly.
  4. Check the UI portal (including the config page at https://<vidm-hostname>:8443) for full functionality.
  5. Confirm the new version on the Admin Portal and Connectors page is 3.3.7.0 Build 24966008.

Part 5: Rollback Procedure

To revert this patch, restore the VMware Identity Manager appliance(s) and the Aria Suite Lifecycle appliance from the snapshots taken during the prerequisite phase.

Additional Information

Included Fixes from Previous Patches

This cumulative update includes all fixes from the following previously released patches. For a detailed list of CVEs or components addressed by a specific patch, refer to its original knowledge base article.

Patch ID  | Summary of Fixes                                                                       | Link
----------|----------------------------------------------------------------------------------------|----------
CSP-99024 | Addresses numerous security vulnerabilities in Photon OS and third-party components.  | KB 387748
CSP-97727 | Upgrades Photon OS, Tomcat, and RabbitMQ to address vulnerabilities.                   | KB 380348
CSP-97577 | Upgrades multiple platform components, including Java and Tomcat.                      | KB 404054
CSP-96928 | Upgrades Photon OS, Tomcat, and RabbitMQ to address several vulnerabilities.           | KB 377094
CSP-95247 | Addresses two security vulnerabilities in Photon OS.                                   | KB 373159
CSP-93316 | Upgrades the Java version to address multiple vulnerabilities.                         | KB 369294
CSP-91401 | Upgrades OpenSSH to fix CVE-2023-38408.                                                | KB 327324
CSP-90495 | Upgrades Angular XLTS to address licensing and CVEs.                                   | KB 327323
HW-189454 | Upgrades JQuery and Java versions to address multiple vulnerabilities.                 | KB 327326
HW-170932 | Addresses VMSA-2023-0011 (CVE-2023-20884) and updates the connector.                   | KB 369609