Upgrade Management Center
Always back up your Management Center configuration before upgrading or downgrading. Then, store the backup off-box. This ensures that you can restore your configuration if you experience problems with upgrading or downgrading.
Although Management Center 2.1.x and later use only TLS 1.2 by default, previous TLS settings may be retained if the upgrade path included Management Center 2.0.x. To delete the older TLS protocols, explicitly disable TLSv1 and TLSv1.1 after upgrading. See Upgrade from 2.x to 2.4 for more details.
Before upgrading to Management Center 2.2.2.x or 2.3.x releases, ensure that the device communications ssl-context option is not configured to any of the internal "bluecoat-*" SSL contexts. If that option is set to a "bluecoat-*" SSL context, remove it by entering the following command:
no device-communication ssl-context
Upgrade Best Practice
When upgrading or downgrading the version of Management Center, try to stay within 2 versions of what is currently running. Refer to this article for more information.
Manage Management Center System Images
When new features and improvements are made to Management Center, you can download a system image from Symantec and upgrade the appliance. If you ever experience issues with a new image, you can activate an older image to downgrade the appliance.
Management Center stores up to six images on the system. For Management Center virtual appliances, this number also depends on the image size and boot partition (limited to 4 GB by default). The image that is marked as the default image will be loaded the next time that the appliance is rebooted.
If the maximum number of images is stored on your system and you download another image, Management Center deletes the oldest unlocked image to make room for the new image. To prevent an image from being deleted or replaced, you can lock the image.
You perform image management using Management Center CLI commands.
See installed-systems for a description of the commands for adding, deleting, locking, unlocking, and viewing images.
Special Notes Regarding Management Center 2.x Software Image Installation:
Due to some major changes to the underlying systems Management Center relies on, there are several important points to be aware of:
- Backups are not compatible or transferable between FIPS and non-FIPS mode, for the following reasons:
  - Encryption differs between FIPS and non-FIPS mode.
  - A non-FIPS backup cannot be restored to a FIPS appliance without omitting certain backup portions.
- Starting with Management Center 220.127.116.11, the password used for the admin account is the same for both the CLI and user interface (UI). This means you cannot log into the UI as "admin user" unless you use the CLI admin account password. Refer to the 18.104.22.168 release notes for more information.
- Although Management Center 2.1.x and later use only TLS 1.2 by default, previous TLS settings may be retained on upgrade if the upgrade path included Management Center 2.0.x. To delete the older TLS protocols, you will have to explicitly disable TLSv1 and TLSv1.1 after upgrading. See Upgrade from 2.2.x or 2.3.x for more details.
- The new system will generate a new, unique public SSH RSA key.
- The initial upgrade will take up to ten minutes to complete. Wait for the upgrade to complete—any interruption in the upgrade process may result in instability.
Upgrade Management Center Failover Pair
During replication, configuration for both the primary and secondary failover partners is limited. Replication requires that both the primary and secondary partners run the same version of Management Center. To enforce this, the installed-systems CLI command is disabled on both failover partners (to deny installing and changing system images).
To upgrade a Management Center failover pair, you must first back up the configuration, export it off-box, and then disable the failover pair. For full details, refer to Configure
Upgrade from 2.2.x or 2.3.x
Management Center supports upgrading from the 2 previous versions of what is currently running (in this case, 2.2.x and 2.3.x).
1. Before you begin, back up your Management Center configuration and export it off-box. This will be used if you need to recover from a failed upgrade.
2. Access the Broadcom Support portal. Follow the instructions in the Getting Started guide to learn how to download your software and retrieve license keys. If you are upgrading Management Center on AWS, use only aws.bcsi images.
3. Download the desired image. Alternatively, you can store the image file on a web server that the Management Center appliance can access. The add image process works with any HTTP server, and HTTPS servers configured with trusted certificates. If your HTTPS server does not have a trusted certificate, place the file on an internal HTTP server. If you require HTTP service, enable it using the following command:
   (config)# security http enable
   For security reasons, you should immediately disable the HTTP service after retrieving the system image.
4. Add the system image using the installed-systems load command:
   # installed-systems load <URL>
   where <URL> is the location of the image on a web server, in the following format: http://host/path, for example http://webserver.mycompany.com/images/542386.bcsi
   By default, the URL provided is in HTTPS. If your Management Center does not have a signed HTTPS certificate, installation of the image from the HTTPS URL provided will fail. If that is the case, follow step 4b to modify the provided URL to use HTTP and port 8080 instead.
   If the image was uploaded to Management Center, do the following:
   a. Copy the file URL. In the Configuration > Files page, select the image and click Copy URL. The URL will have a format similar to the following:
      https://10.131.38.36:8082/fs/download/6c80d3a2cc124347aedb2a688da3859e
   b. Change the protocol to HTTP and the port to 8080. The URL should now look like this:
      http://10.131.38.36:8080/fs/download/6c80d3a2cc124347aedb2a688da3859e
      If HTTP access to Management Center is disabled, you should change the URL to the following:
      http://localhost:8080/fs/download/6c80d3a2cc124347aedb2a688da3859e
   c. Execute the installed-systems load command and wait for the upgrade to complete.
5. Reboot the hardware appliance to run the new image:
   # restart
   When the appliance restarts, the network connection closes. If boot failure occurs upon an upgrade, Management Center downgrades to the previous version automatically.
6. Access the web-based management console at https://management_center_ip:8082
7. Access the CLI using an SSH client.
8. If your upgrade path included 2.0.x, verify your TLS settings to ensure that TLSv1 and TLSv1.1 are not being used. Although Management Center 2.1.x and later use only TLS 1.2 by default, previous TLS settings may be retained on upgrade if the upgrade path included Management Center 2.0.x.
   # ssl view ssl-context default
   Name: default
   Keyring: default
   CCL: browser-trusted
   Protocols: tlsv1.2 tlsv1.1 tlsv1
   Cipher suites: ecdhe-rsa-aes256-sha dhe-rsa-aes256-sha aes256-sha256 aes256-sha ecdhe-rsa-aes128-gcm-sha256 ecdhe-rsa-aes128-sha256 ecdhe-rsa-aes128-sha dhe-rsa-aes128-sha aes128-sha256 aes128-sha
9. If necessary, disable TLS versions prior to TLSv1.2:
   (config)# ssl edit ssl-context default
   (config ssl-context default)# protocols view
   tlsv1.2 tlsv1.1 tlsv1
   (config ssl-context default)# protocols remove tlsv1
   ok
   (config ssl-context default)# protocols remove tlsv1.1
   ok
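The TLS verification in the last two steps can be checked offline against a saved CLI session. The following Python helper is an added example, not part of the Management Center documentation: it parses captured ssl view ssl-context output and lists the protocols remove commands from the page for every context that still offers TLSv1 or TLSv1.1. The one-field-per-line layout, the wrapped cipher line, and the mgmt-only context are assumptions.

```python
import re

LEGACY = {"tlsv1", "tlsv1.1"}              # protocols the page says to remove
LIST_FIELDS = {"Protocols", "Cipher suites"}
FIELD = re.compile(r"^(Name|Keyring|CCL|Protocols|Cipher suites):\s*(.*)$")

# Constructed capture; the "mgmt-only" context and the line layout are assumptions.
SAMPLE = """\
# ssl view ssl-context default
Name: default
Keyring: default
CCL: browser-trusted
Protocols: tlsv1.2 tlsv1.1 tlsv1
Cipher suites: ecdhe-rsa-aes256-sha dhe-rsa-aes256-sha
  aes256-sha256 aes256-sha
# ssl view ssl-context mgmt-only
Name: mgmt-only
Protocols: tlsv1.2
Cipher suites: ecdhe-rsa-aes128-gcm-sha256
"""

def parse_contexts(text):
    """Split captured 'ssl view ssl-context' output into one dict per context."""
    contexts, last = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or "#" in line:          # blank line or echoed prompt/command
            continue
        m = FIELD.match(line)
        if m:
            key, value = m.groups()
            if key == "Name":                # "Name:" opens a new context block
                contexts.append({})
            if contexts:
                contexts[-1][key] = value.split() if key in LIST_FIELDS else value
                last = key
        elif contexts and last in LIST_FIELDS:   # wrapped continuation line
            contexts[-1][last].extend(line.split())
    return contexts

def remediation_plan(contexts):
    """Map each context that still offers legacy TLS to the commands that fix it."""
    plan = {}
    for ctx in contexts:
        rm = [f"protocols remove {p}" for p in ctx.get("Protocols", []) if p in LEGACY]
        if rm:
            plan[ctx["Name"]] = [f"ssl edit ssl-context {ctx['Name']}"] + rm
    return plan

for name, cmds in remediation_plan(parse_contexts(SAMPLE)).items():
    print(f"{name}: " + "; ".join(cmds))
```

An empty plan means no captured context lists TLSv1 or TLSv1.1; the commands it returns are entered in (config) mode as shown in the final step.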