Upgrade Management Center

Always back up your Management Center configuration before upgrading or downgrading. Then, store the backup off-box. This ensures that you can restore your configuration if you experience problems with upgrading or downgrading.
Although Management Center 2.1.x and later use only TLS 1.2 by default, previous TLS settings may be retained if the upgrade path included Management Center 2.0.x. To delete the older TLS protocols, explicitly disable TLSv1 and TLSv1.1 after upgrading. See Upgrade from 2.x to 2.4 for more details.
Before upgrading to Management Center 2.2.2.x or 2.3.x releases, ensure that the device communications ssl-context option is not set to any of the internal "bluecoat-*" SSL contexts. If that option is set to a "bluecoat-*" SSL context, remove it by entering the following command:
(config)# no device-communication ssl-context

Upgrade Best Practice

When upgrading or downgrading the version of Management Center, try to stay within 2 versions of what is currently running. Refer to this article for more information.

Manage Management Center System Images

When new features and improvements are made to Management Center, you can download a system image from Symantec and upgrade the appliance. If you ever experience issues with a new image, you can activate an older image to downgrade the appliance.
Management Center stores up to six images on the system. For Management Center virtual appliances, this number also depends on the image size and boot partition (limited to 4 GB by default). The image that is marked as the default image will be loaded the next time that the appliance is rebooted.
If the maximum number of images is stored on your system and you download another image, Management Center deletes the oldest unlocked image to make room for the new image. To prevent an image from being deleted or replaced, you can lock the image.
You perform image management using Management Center CLI commands.
See installed-systems for a description of the commands for adding, deleting, locking, unlocking, and viewing images.

Special Notes Regarding Management Center 2.x Software Image Installation:

Due to some major changes to the underlying systems Management Center relies on, there are several important points to be aware of:
  • Backups are not compatible or transferable between FIPS and Non-FIPS mode, for the following reasons:
    • Encryption differences between FIPS/Non-FIPS mode.
    • Non-FIPS backup cannot be restored to FIPS appliance without omitting certain backup portions.
  • Starting with Management Center 2.1.1.1, the password used for the admin account is the same for both the CLI and user interface (UI). This means you cannot log into the UI as "admin user" unless you use the CLI admin account password. Refer to the 2.1.1.1 release notes for more information.
  • Although Management Center 2.1.x and later use only TLS 1.2 by default, previous TLS settings may be retained on upgrade if the upgrade path included Management Center 2.0.x. To delete the older TLS protocols, you will have to explicitly disable TLSv1 and TLSv1.1 after upgrading. See Upgrade from 2.2.x or 2.3.x for more details.
  • The new system will generate a new, unique public SSH RSA key.
  • The initial upgrade will take up to ten minutes to complete. Wait for the upgrade to complete—any interruption in the upgrade process may result in instability.

Upgrade Management Center Failover Pair

During replication, configuration for both the primary and secondary failover partners is limited. Replication requires that both the primary and secondary partners run the same version of Management Center. To enforce this, the installed-systems CLI command is disabled on both failover partners (to deny installing and changing system images).
To upgrade a Management Center failover pair, you must first back up the configuration, export it off-box, and then disable the failover pair. For full details, refer to Configure Management Center Failover.

Upgrade from 2.2.x or 2.3.x

Management Center supports upgrade from the 2 previous versions of what is currently running (in this case, 2.2.x and 2.3.x).
  1. Before you begin, back up your Management Center configuration and export it off-box.
    This will be used if you need to recover from a failed upgrade.
  2. Access the Broadcom Support portal.
    Follow the instructions in the Getting Started guide to learn how to download your software and retrieve license keys.
    If you are upgrading Management Center on AWS, use only aws.bcsi images.
  3. Download the desired image.
    a. Transfer the image directly to Management Center. Select Configuration > Files and transfer the image using the Transfer File button.
    b. Download the image to a local drive, select Configuration > Files, and upload the image to Management Center.
    Alternatively, you can store the image file on a web server that the Management Center appliance can access. The add image process works with any HTTP server, and HTTPS servers configured with trusted certificates. If your HTTPS server does not have a trusted certificate, place the file on an internal HTTP server.
    If you require HTTP service, enable it using the following command:
    (config)# security http enable
    For security reasons, you should immediately disable the HTTP service after retrieving the system image.
  4. Add the system image using the following command:
    # installed-systems load <URL>
    where <URL> is the location of the image on a web server, in the following format: http://host/path, for example http://webserver.mycompany.com/images/542386.bcsi
    By default, the URL provided is in HTTPS. If your Management Center does not have a signed HTTPS certificate, installation of the image from the HTTPS URL provided will fail. If that is the case, follow step 4b to modify the provided URL to use HTTP and port 8080 instead.
    If the image was uploaded to Management Center, do the following:
    a. Copy the file URL. In the Configuration > Files page, select the image and click Copy URL. The file will have a format similar to the following:
      https://10.131.38.36:8082/fs/download/6c80d3a2cc124347aedb2a688da3859e
    b. Change the protocol to HTTP and the port to 8080. The URL should now look like this:
      http://10.131.38.36:8080/fs/download/6c80d3a2cc124347aedb2a688da3859e
      If HTTP access to Management Center is disabled, you should change the URL to the following:
      http://localhost:8080/fs/download/6c80d3a2cc124347aedb2a688da3859e
    c. Execute the installed-systems load command and wait for the upgrade to complete.
  5. Reboot the hardware appliance to run the new image:
    # restart
    >
    When the appliance restarts, the network connection closes. If boot failure occurs upon an upgrade, Management Center downgrades to the previous version automatically.
  6. Access the web-based management console at https://management_center_ip:8082
  7. Access the CLI using an SSH client.
  8. If your upgrade path included 2.0.x, verify your TLS settings to ensure that TLSv1 and TLSv1.1 are not being used.
    Although Management Center 2.1.x and later use only TLS 1.2 by default, previous TLS settings may be retained on upgrade if the upgrade path included Management Center 2.0.x.
    # ssl view ssl-context default
    Name: default
    Keyring: default
    CCL: browser-trusted
    Protocols: tlsv1.2 tlsv1.1 tlsv1
    Cipher suites: ecdhe-rsa-aes256-sha dhe-rsa-aes256-sha aes256-sha256 aes256-sha ecdhe-rsa-aes128-gcm-sha256 ecdhe-rsa-aes128-sha256 ecdhe-rsa-aes128-sha dhe-rsa-aes128-sha aes128-sha256 aes128-sha
  9. If necessary, disable TLS versions prior to TLSv1.2:
    (config)# ssl edit ssl-context default
    (config ssl-context default)# protocols view
    tlsv1.2 tlsv1.1 tlsv1
    (config ssl-context default)# protocols remove tlsv1
    ok
    (config ssl-context default)# protocols remove tlsv1.1
    ok
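
The check in steps 8 and 9 can be run against captured CLI output when several SSL contexts or appliances have to be reviewed. The following Python is an added example, not part of the Management Center product or its documentation; the function names parse_ssl_context and remediation are assumptions, and the script only produces the step 9 commands for an operator to review and enter.

```python
import re

# Field labels as printed by `ssl view ssl-context` in step 8.
LABELS = ("Name", "Keyring", "CCL", "Protocols", "Cipher suites")
# Protocols that steps 8 and 9 say must not remain enabled.
DEPRECATED = ("tlsv1", "tlsv1.1")
_FIELD = re.compile(r"\b(%s):\s*" % "|".join(map(re.escape, LABELS)))

def parse_ssl_context(text):
    """Return {label: value}; works whether the fields are one per line or
    run together on a single line, as terminal captures often are."""
    parts = _FIELD.split(" ".join(text.split()))
    # parts is [preamble, label, value, label, value, ...]
    return {parts[i]: parts[i + 1].strip() for i in range(1, len(parts) - 1, 2)}

def remediation(text):
    """Return the step 9 CLI lines needed for this context, or [] if none."""
    ctx = parse_ssl_context(text)
    if "Name" not in ctx or "Protocols" not in ctx:
        # Unparseable output must not be mistaken for a clean result.
        raise ValueError("no Name/Protocols field found in captured output")
    enabled = ctx["Protocols"].split()
    stale = [p for p in DEPRECATED if p in enabled]  # exact match, so tlsv1.2 is kept
    if not stale:
        return []
    if len(stale) == len(enabled):
        raise ValueError("only deprecated protocols are enabled; enable tlsv1.2 first")
    return ["ssl edit ssl-context " + ctx["Name"]] + ["protocols remove " + p for p in stale]

# Output from step 8 of this page, run together on one line; cipher list shortened here.
RETAINED = ("Name: default Keyring: default CCL: browser-trusted "
            "Protocols: tlsv1.2 tlsv1.1 tlsv1 Cipher suites: ecdhe-rsa-aes256-sha aes256-sha")
# Constructed sample: the same context after step 9, one field per line.
CLEAN = "Name: default\nKeyring: default\nCCL: browser-trusted\nProtocols: tlsv1.2\n"

if __name__ == "__main__":
    for cmd in remediation(RETAINED):
        print(cmd)
    print(remediation(CLEAN) or "no deprecated protocols enabled")
```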