Skip to content

CSSM Upgrade to 8-202404

Published: August 12, 2024
Read time: 5 minutes

Cisco recently published a security advisory with a critical CVSS Score of 10.0. You can find the full advisory at this link:

Cisco Security Advisory - CSSM Auth

Who's Affected?

You're likely affected if you haven't upgraded your Cisco Smart Software Manager On-Prem (CSSM) since June 2022.

Cisco SSM On-Prem Release First Fixed Release
8-202206 and earlier 8-202212
9 Not vulnerable

It's better to upgrade to version 8-202404, released in May 2024.

If you're planning to upgrade to the latest version 9-202407 instead, from version 8, you'll need to follow a two-step process:

  1. Upgrade to 8-202404
  2. Migrate to 9-202406 (in-place upgrade isn't supported due to Cisco's switch to Alma Linux) and then do the upgrade to 9-202407

Blog Series

This blog will focus on upgrading to 8-202404. I've covered the migration to 9-202406 in a separate post.

Throughout this blog post, I'll refer to the Smart Software Manager On-Prem as CSSM for brevity. For the purposes of our examples, let's assume your CSSM hostname is abc-cssm01.

Crucial Pre-upgrade Step: Database Backup and VM Snapshots

Critical Step

Ensure you've backed up your database before executing an upgrade. Having a backup will help if something goes wrong and you need to rebuild. The backup maintains records of a product's certificates, which are vital for product validation. Without it, if rebuilding, a new On-Prem instance could lead to re-registering all products associated with the On-Prem license server.

To create a database backup:

  1. SSH into your CSSM using your admin account.
  2. At the prompt (e.g., [admin@abc-cssm01 ~]$), enter the command onprem-console.
  3. At the new prompt (>>), enter database_backup.
  4. Wait for the confirmation message: "Database successfully backed up to [path/filename]."
  5. Use WinSCP to copy the backup from /var/files/backups on CSSM to your PC or admin server.

For other commands in CSSM, refer to the SSM On-Prem 8 Console Guide:

SSM On-Prem 8 Console Guide

As an additional precaution, consider taking a VM snapshot from vCenter.

Unconfirmed Information

VM Snapshots can serve as an alternative backup method. In case of reverting to a Snapshot, you must do a full sync with the Cloud.

Download the CSSM Software Upgrade File

  1. Visit Cisco's software download page: Cisco Software Download
  2. Search for "Smart Software Manager" in the "Select a Product" field.
  3. Choose "Smart Software Manager On-Prem".
  4. Under "Latest Release" in the left column, select Release 8-202404.
  5. Download SSM_On-Prem_8-202404_Upgrade.zip.
  6. After downloading, unzip the file. You will see these two files:

CSSM Upgrade Files

Upload the Upgrade Files to CSSM

While Cisco's documentation suggests an SSH upgrade method, I prefer using WinSCP.

In previous versions, you could directly copy the upgrade files to the /var/files/patches/ directory using WinSCP. However, Cisco has changed this in recent updates. Direct file copying to the /var/files/patches/ path is no longer allowed for security reasons. Instead, we'll use a two-step process:

  1. Copy the files to a temporary directory
  2. Move them to the patches directory using command-line instructions

Here's how to do it:

  1. Use WinSCP to copy both unzipped files to /var/tmp/ on your CSSM.
  2. SSH into your CSSM.
  3. If you're at the >> prompt, type exit to return to the standard prompt.
  4. Enter sudo -s and provide your admin password.
  5. Change to the tmp directory: 
    cd /var/tmp/
  6. Move the files to the patches directory: 
    mv SSM_On-Prem_upgrade-8-202404.sh /var/files/patches/
mv SSM_On-Prem_upgrade-8-202404.sh.sha256 /var/files/patches/
  7. Verify the files are in /var/files/patches/ using the command line or WinSCP.

Perform the Upgrade

  1. If you're still in the root shell, type exit to return to the admin user.
  2. Enter onprem-console to access the CSSM console.
  3. Start the upgrade with: 
    upgrade patches:SSM_On-Prem_upgrade-8-202404.sh
  4. The upgrade process will run several scripts and should take 5-10 minutes.
  5. Upon completion, the system should automatically reboot. If it doesn't, manually reboot with the reboot command.

That's it! You should now be running the new version.

For more information about Smart licensing, check out the Smart License Using Policy FAQ:

Smart License Using Policy FAQ

Share Your Feedback

Did you find this guide helpful? Did you encounter any different challenges? Please reach out via my Notion form or DM me on LinkedIn. I'd love to hear your feedback!