This article provides instructions for upgrading VMware Identity Manager 3.3.7 to the CSP-102547 patch. It also covers the subsequent installation of VMware Aria Suite Lifecycle 8.18 Patch 7, which is a required step after patching Identity Manager.

What's New in This Patch:

• Security Vulnerabilities (Cumulative Update): This cumulative patch addresses critical security vulnerabilities across the appliance's core operating system and third-party components.
• Memory Management & Stability Fix (KB 415646): This patch resolves the "Out of Memory" condition detailed in KB 415646.
• Comprehensive list of all resolved vulnerabilities: Please refer to the attached spreadsheet CVEs_FIXED_CSP_102547.xlsx.

If the patch installation fails, collect log bundles from vIDM and Aria Suite Lifecycle Manager before reverting to snapshots, as reverting removes failure details to analyze the issue.

• VMware Identity Manager 3.3.7
• VMware Aria Suite Lifecycle 8.18.0

Pre-Patch Instructions:

Before proceeding, you must complete the following prerequisites to ensure a successful patch process and prevent service interruptions.

1. Take Snapshots & Retain Snapshots
   Create non-memory snapshots of the VMware Identity Manager and VMware Aria Suite Lifecycle appliances in vCenter. Ensure the environments are in a healthy, stable state before taking the snapshots. (Retain Snapshots, Do not delete the snapshots until environment is fully functional.)
2. Follow the Correct Patching Sequence
   The order of operations is critical. You must patch the products in the following sequence within the same maintenance window from Step 1 to Step 4.
3. If vIDM is configured using NSX Load Balancer, follow the steps on KB to Update the NSX Load Balancer (NSX-LB) configuration.

Step 1: VMware Identity Manager CSP-102547 Patch Deployment

Prerequisites:

• Ensure your VMware Identity Manager is at version 3.3.7 GA or has a previously applied patch. Upgrade any unsupported versions before proceeding.
• Refer to the VMware Product Lifecycle Matrix for a list of supported versions.
• Estimated Downtime: Approximately 1 hour for each product patch (vIDM and Aria Suite Lifecycle).
• Ensure there is sufficient disk space of 4 GB in Patch Installation Location.
  • If there is not sufficient disk space, increase it using How to increase vIDM appliance disk space.
• Grub has been upgraded to version 2: please review installation guide for grub2 here.

Note: This is a cumulative patch and will apply all previous fixes if they are not already installed.

Deployment Type Instructions:

• For Cluster Deployments:
  • Do not patch nodes in parallel, wait for one node patch to display the message 'Rebooting system...'  before moving to the next node.
  • Patch nodes sequentially in the order of Primary → Secondary 1 → Secondary 2. 
• For Single-Node Deployments:
  • Apply the patch directly to the node.

Patching Steps (perform on each node):

1. SSH into the VMware Identity Manager appliance as sshuser.
2. Elevate to the root user:

   sudo su -

3. Download the CSP-102547-Appliance-3.3.7-Patch.zip file and transfer it to the appliance (e.g., into a /db/vidm-upgrade folder) using SCP or WinSCP.
4. Unzip the patch file:

   unzip CSP-102547-Appliance-3.3.7-Patch.zip

5. (Optional) Clean up the zip file to reclaim space:

   rm -f CSP-102547-Appliance-3.3.7-Patch.zip

6. Change to the patch directory:

   cd CSP-102547-Appliance-3.3.7-Patch

7. Run the patch automation script:

   ./CSP-102547-patch-automation.sh -f CSP-102547-Appliance-3.3.7.zip -r

8. The system will reboot automatically after the patch installation is complete.

   Example of Successful Console Output:

   root@vidm-machine [ /db/CSP-102547-Appliance-3.3.7-Patch ]# 2026-01-20 05:16:57 - Checking Patch ZIP location, should not be at /db/data...
   2026-01-20 05:16:57 - Patch ZIP location check passed: /db/CSP-102547-Appliance-3.3.7-Patch/CSP-102547-Appliance-3.3.7.zip
   2026-01-20 05:16:57 - Disk space at /db/CSP-102547-Appliance-3.3.7-Patch: 14.38GB free
   2026-01-20 05:16:57 - Disk space at /boot: 78MB free
   2026-01-20 05:16:57 - All checks passed for ZIP '/db/CSP-102547-Appliance-3.3.7-Patch/CSP-102547-Appliance-3.3.7.zip'.
   2026-01-20 05:16:57 - Running on node: vidm-machine
   2026-01-20 05:16:57 - Checking grub2 presence
   2026-01-20 05:16:57 - grub2 detected: /boot/grub2/grub.cfg exists
   2026-01-20 05:16:57 - NOTE : Cluster size is displayed 0 , if prepare-vidm-patch.sh is run in a cluster
   2026-01-20 05:16:57 - Cluster size detected: 1
   2026-01-20 05:16:57 - Extracting patch bundle
   Archive: CSP-102547-Appliance-3.3.7.zip
   creating: CSP-102547-Appliance-3.3.7/
   inflating: CSP-102547-Appliance-3.3.7/cleanup-rpms.sh
   inflating: CSP-102547-Appliance-3.3.7/rabbitmq-server-3.12.4-2.ph3.noarch.rpm
   inflating: CSP-102547-Appliance-3.3.7/CSP-102547-applyPatch.sh
   inflating: CSP-102547-Appliance-3.3.7/prepare-vidm-patch.sh
   inflating: CSP-102547-Appliance-3.3.7/rabbitmq-server-3.11.18-1.ph3.noarch.rpm
   extracting: CSP-102547-Appliance-3.3.7/identity-manager-3.3.7.0-25163938-updaterepo.zip
   2026-01-20 05:17:20 - Patch directory ready: CSP-102547-Appliance-3.3.7
   2026-01-20 05:17:20 - Running patch script: CSP-102547-applyPatch.sh
   2026-01-20 05:17:20 - Tail the log file /opt/vmware/var/log/update/vidm-CSP-102547-update.log for live logs..
   2026-01-20 05:21:34 - Validating CSP-102547 patch status...
   2026-01-20 05:21:34 - CSP-102547 Patch applied successfully and flag file /usr/local/horizon/conf/flags/CSP-102547-3.3.7.0-hotfix.applied is present.
   2026-01-20 05:21:34 - CSP-102547-Appliance-3.3.7 directory cleanup complete
   2026-01-20 05:21:34 - Rebooting system...

9. Once the vIDM patch is successfully applied and the system reaches the "[ OK ] Reached target Cloud-init target" after a successful boot, run the following commands to display the blue screen on the console and then continue on with step 2 of the upgrade process.
   • Start Services in VMware Identity Manager
   • SSH into the vIDM node(s) and run the below commands to ensure the Getty services are running:

   systemctl enable [email protected]
   systemctl start [email protected]

Step 2: VMware Aria Suite Lifecycle Patch 7 Installation: Patch 7 Release Notes

(Optional step) You can monitor the progress of the patch installation by tailing the following log files on the Aria Suite Lifecycle appliance:

cd /var/log/vrlcm/
tail -f os-package-update.log patchcli.log

1. Copy the prep-for-upgrade-lcm.sh script (attached to the KB article) to the /data directory on the appliance and execute it:

   cd /data
   chmod +x prep-for-upgrade-lcm.sh
   ./prep-for-upgrade-lcm.sh

2. (If upgrading from Patch 3 to Patch 7) Delete temporary folders from previous patch attempts by running the following commands:

   rm -r /data/tmp-patch-8180
   rm -r /data/tmp-patch-10318114
   rm -r /data/tmp_patch_storage

3. Download the VMware Aria Suite Lifecycle Patch 7 patch from the Broadcom Support Portal.
4. Copy the downloaded patch file to the /data directory on the Aria Suite Lifecycle appliance.
5. Map the patch binary in the UI. Navigate to Lifecycle Operations > Settings > Binary Mapping and click Patch Binaries.
   • Delete any old patch binaries that may be listed.
   • Enter the local path (e.g., /data) in the Source Location field and click Discover.
   • Select the discovered Patch 7 file and click Add.
6. Install the patch. Navigate to Lifecycle Operations > Settings > System Patches, click New Patch on the top right, select the mapped patch in the list, and then click Install.
7. Wait for the installation to complete. The process takes approximately 20 minutes and will conclude with the appliance rebooting.
8. After the appliance reboots, log in to the VMware Aria Suite Lifecycle UI, navigate to the About page, and verify that the version is listed as 8.18.0 Patch 7.
9. SSH to the appliance and check the Photon OS version. Note that the build number will not change if you are patching from Patch 3 to Patch 7.

   cat /etc/photon-release
   VMware Photon OS 5.0
   PHOTON_BUILD_NUMBER=b9d98344d

10. (vIDM Cluster Only) Patch Postgres Cluster in Aria Suite Lifecycle.
    • In the Aria Suite Lifecycle UI, navigate to: Life Cycle Operations > Environments > Global Environment > View Details > Patch Postgres Cluster
    • Note: If this option is not visible, try accessing the UI from a private/incognito browser window.
11. Map Updated vIDM OVA in Aria Suite Lifecycle.
    • Download the new vIDM OVA (identity-manager-3.3.7.0-25163938_OVF10.ova) and map the binary in Aria Suite Lifecycle to ensure future lifecycle operations function correctly.
12. Start Services in VMware Identity Manager.
    • SSH into the vIDM node(s) and ensure OpenSearch is running:

    /etc/init.d/opensearch status
    /etc/init.d/opensearch start

Step 3: Post Patch Validation

1. Log in to the VMware Identity Manager Console and confirm the System Diagnostics page shows a green status.
2. Verify Legacy Connector functionality by ensuring the Auth Adapters load and open without errors.
3. Perform a Directory Sync and confirm that users and groups are synchronized correctly.
4. Check the UI portal (including the config page at https://<vidm-hostname>:8443) for full functionality.
5. Confirm the new version on the Admin Portal and Connectors page is 3.3.7.0 Build 25163938.

Step 4: Rollback Procedure

To revert this patch, restore the VMware Identity Manager appliance(s) and the Aria Suite Lifecycle appliance from the snapshots taken during the prerequisite phase.

Included Fixes from Previous Patches

This cumulative update includes all fixes from the following previously released patches. For a detailed list of CVEs or components addressed by a specific patch, refer to its original knowledge base article.