
VMware Identity Manager (IDM) – Patching and Upgrading to Resolve CVEs and More

Continuing on my string of blog posts about VMware Identity Manager (IDM), this time I’m going over my recent patch/upgrade process and experience.

Wait…there are patches for IDM?? Yep! A whole bunch too, which is very nice because the patches resolve many vulnerabilities and CVEs.

Taking a look at the version, my IDM appliance was on IDM 3.3.7.0 Build 2117300, released on Jan 26th, 2023. The most recent build is 23103647, which was updated on Dec 18th, 2024.

So, I’ve got some work to do…let’s get started.

Log in to the Broadcom Support Portal.

Locate the IDM downloads: My Downloads -> in the search box, search for “Identity” and click the item to drop into the downloads for that product.

I’m patching IDM version 3.3.7, so I’ll select that version.

There are quite a few CSPs in the list, and per the KB they are cumulative, so I downloaded the most recent one, the CSP-97727 patch released on Dec 18th, 2024, which will bring my installation up to build number 23103647.

This is where I pause to reflect and figure out the plan and process before starting.

I read through the KB (CSP-97727: Patch instructions to upgrade Photon-OS Library) and I think it’s important to point out the notes at the bottom of it:

  • If you are running a cluster deployment, repeat the steps above on all additional nodes of the cluster.
  • Patch application should be sequential i.e. Primary -> Secondary -> Secondary Nodes
  • User needs to run Remediate action from LCM on the vIDM cluster if vRLCM version is 8.12.0 and below
  • For vRLCM version 8.14.0 and above, Auto recovery would take care of the cluster health on reboot.
  • This is a cumulative patch and this will perform an installation of other patches including CSP-96928-Appliance-3.3.7.zip, CSP-95247, CSP-93316, CSP-91401, CSP-90495, HW-189454, and HW-170932.

I mentioned it a couple of times, but the patch is cumulative, and there are at least 5 previous patches to apply.

In short, the package I downloaded will extract and take up additional disk space, so it’s important to verify there’s enough disk available before starting.

Also, I need to back up the appliance (I use and recommend Veeam Community Edition), plus I will take a snapshot before starting the process.

And snapshot taken!

From here I logged into IDM via SSH as root.

Looking at the available disk space (df -h), I think the 8.5 GB available (yellow) may not be enough for the file extraction, so just to be safe I’ll put the file in the /db directory, which has 19 GB available (green).

Under /db, create a new directory called “patch” and chmod it to 755 so we have read, write and execute permission in that directory.

cd /db
mkdir patch
chmod 755 patch

Transfer the .zip file over to /db/patch on my IDM appliance via WinSCP.

Unzip the file from inside /db/patch.

cd /db/patch
unzip CSP-97727-Appliance-3.3.7.zip -d CSP-97727-Appliance-3.3.7

Then navigate into the extracted directory.

cd CSP-97727-Appliance-3.3.7

Run the patch.

./CSP-97727-applyPatch.sh

From here it started applying the previous CSPs…

A question popped up asking to verify a snapshot was taken of the appliance, then I answered Y to continue…

Patches continued to apply, and before applying some of the patches it asked for snapshot confirmation again…

At some point in the process the appliance rebooted, and came back up, so it was time to validate that the patches applied. I followed the validation steps listed in the KB.

I switched to the Remote Console view to see and verify that all services started, and they did, and the console was at the login screen. Although…I noticed that the build number had not updated. Maybe it will update on the next reboot? Anyway…let’s continue to check and validate…

I logged back into the IDM administration page and looked to see if the status was green…yep!

Also, I see the build version has been updated to 23103647. Interesting that it updated here, but not at the console…

To verify further, I SSH’d back into the appliance and navigated to

/usr/local/horizon/conf/flags

I looked for the file called “CSP-97727-3.3.7-hotfix.applied”, and it was there…plus I saw the corresponding files for the other CSPs, which means the previous CSPs also applied successfully.

I performed a directory sync, which was successful.

My cluster is only a single node, so there’s nothing left to do, and all is finished. I manually deleted the VM snapshot, and from here it’s time to move to the next task!
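As an added example (my own helper, not from the KB or VMware’s tooling), here is a small POSIX shell script that automates the two checks from the walkthrough above: confirming free space under the extraction directory before running the patch script, and confirming the hotfix flag files under /usr/local/horizon/conf/flags after the reboot. The 10 GB threshold is a constructed value, and the flag-file naming for the earlier CSPs (CSP-<id>-3.3.7-hotfix.applied) is assumed from the CSP-97727 file seen on the appliance.

```shell
#!/bin/sh
# Pre-flight and post-patch checks for the CSP-97727 procedure (added helper, not VMware's).

# Return 0 if DIR has at least MIN_GB gigabytes free; df -P keeps the column layout stable.
check_free_space() {
    dir="$1"; min_gb="$2"
    avail_kb=$(df -Pk "$dir" | awk 'NR==2 {print $4}')
    [ -n "$avail_kb" ] || return 2
    [ "$avail_kb" -ge $((min_gb * 1024 * 1024)) ]
}

# Print each expected hotfix flag missing from FLAGS_DIR; return 1 if any are missing.
# Flag naming for CSPs other than CSP-97727 is an assumption based on the file seen on the box.
verify_flags() {
    flags_dir="$1"; shift
    missing=0
    for csp in "$@"; do
        flag="$flags_dir/${csp}-3.3.7-hotfix.applied"
        if [ ! -f "$flag" ]; then
            echo "MISSING: $flag"
            missing=1
        fi
    done
    return $missing
}

# CSPs the cumulative CSP-97727 bundle is expected to have applied (from the KB note).
EXPECTED_CSPS="CSP-97727 CSP-96928 CSP-95247 CSP-93316 CSP-91401 CSP-90495"

# On the appliance: run "pre" before ./CSP-97727-applyPatch.sh and "post" after the reboot.
# The 10 GB minimum is a constructed threshold, chosen because 8.5 GB looked tight above.
run_checks() {
    stage="$1"
    case "$stage" in
        pre)  check_free_space /db 10 || { echo "less than 10 GB free under /db"; return 1; } ;;
        post) verify_flags /usr/local/horizon/conf/flags $EXPECTED_CSPS ;;
        *)    echo "usage: run_checks pre|post" >&2; return 2 ;;
    esac
}
```

Source the script on the appliance and call run_checks pre before starting and run_checks post once the appliance is back up; a non-zero exit with MISSING lines tells you which CSP did not leave its flag.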

That’s all for this blog! If you learned something or I helped you out in some way, please make a comment and let me know. Thanks!
