在ISE上安装补丁

简介

本文档介绍在安装期间安装ISE补丁和常见问题的方法。

先决条件

要求

身份服务引擎(ISE)的基本知识。

使用的组件

本文档中的信息基于以下软件和硬件版本：

• 思科身份服务引擎 2.X

本文档中的信息都是基于特定实验室环境中的设备编写的。本文档中使用的所有设备最初均采用原始（默认）配置。如果您的网络处于活动状态，请确保您了解所有命令的潜在影响。

背景信息

思科会半定期发布 ISE 补丁。这些修补程序包含漏洞修复程序，并在必要时包含安全修复程序(例如， Heartbleed 和 Poodle 使用SSL发现的漏洞)。

为了确保应用漏洞修复，需要插入安全漏洞，且解决方案能够无缝运行。

当您在ISE节点上安装补丁时，节点会重新启动。安装完成后，重新启动服务。请等待几分钟，然后再登录。

您可以在维护时段安排补丁安装，以避免临时中断。

仅安装适用于网络中部署的思科版本的补丁。思科会报告所有版本不匹配问题，以及补丁文件中的所有错误。

不能安装比当前安装在Cisco上的补丁版本低的补丁。同样，如果思科 ISE 当前安装的补丁版本较高，则无法回滚较低版本补丁引入的更改。

当您从 Primary Administration Node (PAN) 作为分布式部署的一部分，思科ISE在主要节点上安装补丁，然后在部署中的所有辅助节点上安装补丁。

如果补丁安装在 PAN然后，思科ISE继续在辅助节点上安装补丁。如果OSPF在 PAN，安装不会继续到辅助节点。

但是，如果出于任何原因导致任一辅助节点上的安装失败，则系统仍会继续在部署中的下一个辅助节点上安装补丁。

当您从 PAN 作为双节点部署的一部分，思科会在主节点上安装补丁，然后在辅助节点上安装补丁。

如果补丁安装在 PAN然后，思科继续在辅助节点上安装补丁。如果OSPF在  PAN，安装不会继续到辅助节点。

您必须获得超级管理员或系统管理员的身份以安装或回滚补丁。在修补程序安装开始之前，收集配置备份和操作备份。

使用GUI安装补丁

要从Cisco.com下载ISE补丁，请导航至 Downloads > Products > Security > Access Control and Policy > Identity Services Engine > Identity Services Engine Software,(此处。)

注意:Cisco ISE补丁通常累积，这意味着补丁11安装包括从补丁1到补丁10的所有补丁。补丁安装需要重新启动ISE服务器。

注意：下载修补程序文件后验证MD5/SHA512校验和。

要在ISE上应用补丁，请登录ISE Primary Administration Node (PAN) GUI并执行下列说明： 

步骤1:导航至  Administration > System > Maintenance > Patch Management > Install.

第二步：点击 Browse 并选择从Cisco.com下载的补丁文件。

步骤3.单击 Install 安装补丁程序。

使用CLI安装补丁

步骤1:配置ISE存储库并将所需的ISE补丁放入存储库中。如需配置 ISE 存储库，请参阅如何在 ISE 上配置存储库

第二步：使用SSH登录ISE CLI。

第三步：确保ISE CLI可以列出存储库内容。

ISE/admin# show repository FTP_repository

ise-patchbundle-10.2.0.7-Patch6-19021923.SPA.x86_64.tar.gz
ise-patchbundle-10.2.0.7-Patch9-19062923.SPA.x86_64.tar.gz
ise-patchbundle-10.1.0.0-Ptach3-19110111.SPA.x86_64.tar.gz

第四步：要从CLI在特定ISE节点上安装补丁，请运行 patch install 命令。

Patch install 
    
     
    
    

通过 SSH 登录到 ISE 节点的 CLI 并运行以下命令：

ISE/admin#patch install ise-patchbundle-10.1.0.0-Ptach3-19110111.SPA.x86_64.tar.gz FTP_repository
% Warning: Patch installs only on this node. Install with Primary Administration node GUI to install on all nodes in deployment. Continue? (yes/no) [yes] ? yes
Save the current ADE-OS run configuration? (yes/no) [yes] ? yes
Generating configuration...
Saved the ADE-OS run Configuration to startup successfully
Initiating Application Patch installation...

Getting bundle to local machine...
Unbundling Application Package...
Verifying Application Signature...
patch successfully installed

% This application Install or Upgrade requires reboot, rebooting now...
Broadcast message from root@ISE (pts/1) (Fri Feb 14 01:06:21 2020):
Trying to stop processes gracefully. Reload lasts approximately 3 mins
Broadcast message from root@ISE (pts/1) (Fri Feb 14 01:06:21 2020):
Trying to stop processes gracefully. Reload takes approximately 3 mins
Broadcast message from root@ISE (pts/1) (Fri Feb 14 01:06:41 2020):
The system is going down for reboot NOW
Broadcast message from root@ISE (pts/1) (Fri Feb 14 01:06:41 2020):
The system is going down for reboot NOW

如何在部署中的所有ISE节点上安装补丁

当您从 PAN 作为分布式部署的一部分，思科ISE在主要节点上安装补丁，然后在部署中的所有辅助节点上安装补丁。

如果在主 PAN 上安装补丁成功，思科 ISE 之后会继续在辅助节点上安装补丁。如果OSPF在 PAN，安装不会继续到辅助节点。

但是，如果出于任何原因导致任一辅助节点上的安装失败，则系统仍会继续在部署中的下一个辅助节点上安装补丁。

如何在部署中的所有ISE节点上回滚补丁

要从部署中的思科ISE节点回滚补丁，您必须首先从 PAN.

如果此操作成功，则系统会从辅助节点回滚补丁。如果回滚过程在 PAN，补丁不会从辅助节点回滚。

但是，如果任一辅助节点上的补丁回滚失败，系统仍会从部署中的下一个辅助节点回滚补丁。

当Cisco ISE从辅助节点回滚补丁时，您可以继续从执行其他任务 PAN GUI.辅助节点在回滚后重新启动。

要回滚ISE补丁，请登录 ISE GUI 并导航至 Administration > System > Maintenance > Patch Management > 并选择所需的补丁并点击 Rollback,如所示:

如何从 ISE CLI 回滚补丁？

步骤1: 通过SSH连接到要删除补丁的ISE节点。

第二步：使用命令验证ISE节点上安装的补丁  Show Version

ISE/admin# show version

Cisco Application Deployment Engine OS Release: 3.0
ADE-OS Build Version: 3.0.5.144
ADE-OS System Architecture: x86_64
Copyright (c) 2005-2019 by Cisco Systems, Inc.
All rights reserved.
Hostname: ISE

Version information of installed applications
---------------------------------------------
Cisco Identity Services Engine
---------------------------------------------
Version : 10.1.0.0
Build Date : Tue Feb 12 00:45:06 2019
Install Date : Mon Sep 30 12:17:29 2019

Cisco Identity Services Engine Patch
---------------------------------------------
Version : 1
Install Date : Tue Oct 01 01:30:12 2019

Cisco Identity Services Engine Patch
---------------------------------------------
Version : 3
Install Date : Tue Mar 24 05:35:19 2020

第三步：运行命令 patch remove <application name> <要移除的修补程序文件编号> 

            例如： patch remove ise 2

ISE/admin# patch remove ise 3
Continue with application patch uninstall? [y/n] y
% Warning: Patch is removed only from this node. Remove patch with Primary Administration node GUI to remove from all nodes in deployment.

Patch successfully uninstalled

% This application Install or Upgrade requires reboot, rebooting now...
Broadcast message from root@ISE (pts/1) (Sun Mar 8 03:16:29 2020):
Trying to stop processes gracefully. Reload takes approximately 3 mins
Broadcast message from root@ISE (pts/1) (Sun Mar 8  03:16:29 2020):
Trying to stop processes gracefully. Reload takes approximately 3 mins
Broadcast message from root@ISE (pts/1) (Sun Mar 8 03:17:41 2020):
The system is going down for reboot NOW
Broadcast message from root@ISE (pts/1) (Sun Mar 8 03:17:41 2020):
The system is going down for reboot NOW

注意:ISE补丁在本质上是累积的，在存在较新版本时无法回滚。新版本需要首先回滚。

  要卸载以前的修补程序，请先卸载最新的修补程序，然后卸载以前的修补程序版本。

ISE/admin#patch remove ise 1
Continue with application patch uninstall? [y/n] y
% Warning: Patch is removed only from this node. Remove patch with Primary Administration node GUI to remove from all nodes in deployment. 
Continue? (yes/no) [yes] ? yes
% Patch cannot be rolled back while a newer version exists, which needs to rolled back first. 

验证

要查看ISE补丁安装进度，请导航至 Administration > System > Maintenance > Patch Management  > Show Node Status 如图所示:

从ISE节点验证补丁安装状态。登录到同一ISE服务器并运行命令 Show Version

ISE1/admin# show version

Cisco Application Deployment Engine OS Release: 3.0
ADE-OS Build Version: 3.0.5.144
ADE-OS System Architecture: x86_64

Copyright (c) 2005-2019 by Cisco Systems, Inc.
All rights reserved.
Hostname: ISE1

Version information of installed applications
---------------------------------------------

Cisco Identity Services Engine
---------------------------------------------
Version : 10.1.0.0
Build Date : Tue Feb 12 06:15:06 2019
Install Date : Thu Nov 21 16:39:02 2019

Cisco Identity Services Engine Patch
---------------------------------------------
Version : 1
Install Date : Thu Apr 02 11:00:08 2020

ISE1/admin#  

验证ISE警报中成功和失败的修补程序消息：

成功的补丁安装日志参考

isea/admin# sh log system ade/ADE.log tail
2020-04-19T15:38:01.634794+05:30 isea ADEOSJAVAAPI[26999]: ADEAUDIT 2030, type=PATCH INSTALL, name=PATCH INSTALL STARTED, username=kopriadm, cause=Application patch install has been inititated, adminipaddress=10.65.80.116, interface=GUI, 
detail=Patch Install initiated with bundle - ise-patchbundle-10.1.0.0-Patch3-19110111.SPA.x86_64.tar.gz, repo - tmplocalpatchinstallrepo
2020-04-19T15:38:01.635194+05:30 isea ADE-SERVICE[1158]: [26999]:[info] application:install cars_install.c[796] [test]: Install initiated with bundle - ise-patchbundle-10.1.0.0-Patch3-19110111.SPA.x86_64.tar.gz, repo - tmplocalpatchinsta
llrepo
2020-04-19T15:38:01.784100+05:30 isea ADE-SERVICE[1158]: [26999]:[info] application:install cars_install.c[913] [test]: Stage area - /storeddata/Install/.1587290881
2020-04-19T15:38:01.827925+05:30 isea ADE-SERVICE[1158]: [26999]:[info] application:install cars_install.c[918] [test]: Getting bundle to local machine
2020-04-19T15:38:01.829562+05:30 isea ADE-SERVICE[1158]: [26999]:[error] config:repository: rm_repos_cfg.c[552] [test]: server not found in url
2020-04-19T15:38:01.830656+05:30 isea ADE-SERVICE[1158]: [26999]:[info] transfer: cars_xfer.c[66] [test]: local copy in of ise-patchbundle-10.1.0.0-Patch3-19110111.SPA.x86_64.tar.gz requested
2020-04-19T15:38:02.873630+05:30 isea ADE-SERVICE[1158]: [26999]:[info] transfer: cars_xfer_util.c[2293] [test]: Properties file /tmp/.cars_repodownload.props exists need to cleanup after a SIGNAL or download complete
2020-04-19T15:38:03.247065+05:30 isea ADE-SERVICE[1158]: [26999]:[info] application:install cars_install.c[954] [test]: Got bundle at - /storeddata/Install/.1587290881/ise-patchbundle-10.1.0.0-Patch3-19110111.SPA.x86_64.tar.gz
2020-04-19T15:38:03.247424+05:30 isea ADE-SERVICE[1158]: [26999]:[info] application:install cars_install.c[1002] [test]: Unbundling package ise-patchbundle-10.1.0.0-Patch3-19110111.SPA.x86_64.tar.gz
2020-04-19T15:38:09.066295+05:30 isea ADE-SERVICE[1158]: [26999]:[info] application:install cars_install.c[1064] [test]: Verifying signature for package ise-patchbundle-10.1.0.0-Patch3-19110111.SPA.x86_64.tar.gz
2020-04-19T15:38:13.171615+05:30 isea ADE-SERVICE[1158]: [26999]:[info] application:install cars_install.c[1073] [test]: Signed bundle /storeddata/Install/.1587290881/ise-patchbundle-10.1.0.0-Patch3-19110111.SPA.x86_64.tar.gz confirme
d with release key
2020-04-19T15:38:18.816986+05:30 isea ADE-SERVICE[1158]: [26999]:[info] application:install cars_install.c[1166] [test]: Unbundling done. Verifying input parameters...
2020-04-19T15:38:18.877267+05:30 isea ADE-SERVICE[1158]: [26999]:[info] application:install cars_install.c[1195] [test]: Manifest file is at - /storeddata/Install/.1587290881/manifest.xml
2020-04-19T15:38:18.877604+05:30 isea ADE-SERVICE[1158]: [26999]:[info] application:install cars_install.c[1234] [test]: Manifest file appname - ise
2020-04-19T15:38:18.878051+05:30 isea ADE-SERVICE[1158]: [26999]:[info] application:install cars_install.c[1286] [test]: Patch bundle contains patch(3) for app version(10.1.0.0)
2020-04-19T15:38:18.878254+05:30 isea ADE-SERVICE[1158]: [26999]:[info] application:install ci_util.c[305] [test]: Comparing installed app version:(10.1.0.0) and version of app the patch is meant for:(10.1.0.0)
2020-04-19T15:38:18.878517+05:30 isea ADE-SERVICE[1158]: [26999]:[info] application:install cars_install.c[1321] [test]: Manifest file pkgtype - CARS
2020-04-19T15:38:18.878712+05:30 isea ADE-SERVICE[1158]: [26999]:[info] application:install cars_install.c[1735] [test]: Verifying zip...
2020-04-19T15:38:27.006433+05:30 isea ADE-SERVICE[1158]: [26999]:[info] application:install cars_install.c[1796] [test]: Executing patch install script patchinstall.sh from patch.zip
2020-04-19T15:38:27.209692+05:30 isea test: info:[patchinstall.sh] START PATCH INSTALL SCRIPT. PATCHDIR: /storeddata/Install/.1587290881 INSTALLDIRS: 
2020-04-19T15:38:27.211274+05:30 isea test: info:[patchinstall.sh] NEW PATCH VER: 3 PRIOR PATCH VER: 0 
2020-04-19T15:38:27.213166+05:30 isea test: info:[patchinstall.sh] IRF-RABBITMQ-RUNTIME and IRF-CORE-ENGINE-RUNTIME Remove Begin
2020-04-19T15:38:27.214840+05:30 isea test: info:[patchinstall.sh] Remove IRF-Rabbitmq container
2020-04-19T15:38:27.753502+05:30 isea test: info:[patchinstall.sh] IRF-Rabbitmq container id - 
2020-04-19T15:38:27.755172+05:30 isea test: info:[patchinstall.sh] No IRF-Rabbitmq container exist to remove.\n
2020-04-19T15:38:27.756631+05:30 isea test: info:[patchinstall.sh] Remove IRF-Core-Engine container
2020-04-19T15:38:27.781127+05:30 isea test: info:[patchinstall.sh] IRF-Core-Engine container id - 
2020-04-19T15:38:27.783028+05:30 isea test: info:[patchinstall.sh] No IRF-Core-Engine container exist to remove.\n
2020-04-19T15:38:27.784724+05:30 isea test: info:[patchinstall.sh] IRF-RABBITMQ-RUNTIME and IRF-CORE-ENGINE-RUNTIME Remove Completed
2020-04-19T15:38:33.077501+05:30 isea test: info:[application:operation:cpmcontrol.sh] In Stop Monit
2020-04-19T15:38:33.197734+05:30 isea test: Monit daemon with pid [12796] killed
2020-04-19T15:38:34.289656+05:30 isea test: info:[application:operation:cpmcontrol.sh] Done Stop Monit
2020-04-19T15:38:34.671998+05:30 isea ADEOSShell[28278]: ADEAUDIT 2062, type=USER, name=M&T Log Processor, username=system, cause=M&T Log Processor Stopped, adminipaddress=127.0.0.1, interface=CLI, detail=Stopping M&T Log Processor
2020-04-19T15:38:43.621160+05:30 isea test: info:[application:operation:adprobe.sh] adprobe:Stopping wmi probe...
2020-04-19T15:38:43.657769+05:30 isea test: info:[application:operation:adprobe.sh] adprobe:wmi probe is disabled
2020-04-19T15:38:43.989085+05:30 isea test: info:[application:operation:syslogprobe.sh] syslogprobe:Stopping syslog probe...
2020-04-19T15:38:44.019674+05:30 isea test: info:[application:operation:syslogprobe.sh] syslogprobe:syslog probe is disabled
2020-04-19T15:38:44.367442+05:30 isea test: info:[application:operation:restprobe.sh] restprobe:Stopping rest probe...
2020-04-19T15:38:44.400103+05:30 isea test: info:[application:operation:restprobe.sh] restprobe:rest probe is disabled
2020-04-19T15:38:44.713844+05:30 isea test: info:[application:operation:agentprobe.sh] agentprobe:Stopping agent probe...
2020-04-19T15:38:44.753547+05:30 isea test: info:[application:operation:agentprobe.sh] agentprobe:agent probe is disabled
2020-04-19T15:38:46.166418+05:30 isea test: info:[application:operation:appservercontrol.sh] Stopping ISE Application Server...
2020-04-19T15:38:46.168374+05:30 isea ADEOSShell[29231]: ADEAUDIT 2062, type=USER, name=Application server status, username=system, cause=Application server stopped, adminipaddress=127.0.0.1, interface=CLI, detail=Application server stopped

2020-04-19T15:41:37.224949+05:30 isea test: info:[patchinstall.sh] ISE 10.1.0.0 patch 3 installFileSystem() INVOKED
2020-04-19T15:41:37.245321+05:30 isea test: info:[patchinstall.sh] Updating patched file: /storeddata/Install/.1587290881/filesystem/opt/CSCOcpm/mnt/xde/xdeRuntime/packages/std/WorkflowsProject.xar 
2020-04-19T15:41:37.251672+05:30 isea test: info:[patchinstall.sh] Updating patched file: /storeddata/Install/.1587290881/filesystem/opt/CSCOcpm/mnt/bin/ctl/radius_auth.ctl 
2020-04-19T15:41:37.258874+05:30 isea test: info:[patchinstall.sh] Updating patched file: /storeddata/Install/.1587290881/filesystem/opt/CSCOcpm/mnt/report-definitionsV2/Audit/Internal-Administrator-Summary.xml 
2020-04-19T15:41:37.265939+05:30 isea test: info:[patchinstall.sh] Updating patched file: /storeddata/Install/.1587290881/filesystem/opt/CSCOcpm/mnt/report-definitionsV2/Endpoints and Users/Posture-Assessment-by-Endpoint.xml 
2020-04-19T15:41:37.273866+05:30 isea test: info:[patchinstall.sh] Updating patched file: /storeddata/Install/.1587290881/filesystem/opt/CSCOcpm/mnt/report-definitionsV2/Endpoints and Users/Posture-Assessment-by-Condition.xml 
2020-04-19T15:41:37.280143+05:30 isea test: info:[patchinstall.sh] Updating patched file: /storeddata/Install/.1587290881/filesystem/opt/CSCOcpm/mnt/lib/mnt-collection.jar 
2020-04-19T15:41:37.288008+05:30 isea test: info:[patchinstall.sh] Updating patched file: /storeddata/Install/.1587290881/filesystem/opt/CSCOcpm/mnt/lib/libJniCollector.so 
2020-04-19T15:41:37.295128+05:30 isea test: info:[patchinstall.sh] Updating patched file: /storeddata/Install/.1587290881/filesystem/opt/CSCOcpm/appsrv/apache-tomcat-ca-8.5.32/apr/lib/libapr-1.a 
2020-04-19T15:41:37.302031+05:30 isea test: info:[patchinstall.sh] Updating patched file: /storeddata/Install/.1587290881/filesystem/opt/CSCOcpm/appsrv/apache-tomcat-ca-8.5.32/apr/lib/libtcnative-1.a 
2020-04-19T15:41:37.308615+05:30 isea test: info:[patchinstall.sh] Updating patched file: /storeddata/Install/.1587290881/filesystem/opt/CSCOcpm/appsrv/apache-tomcat-ca-8.5.32/webapps/ocsp-responder-webapp/WEB-INF/lib/import-export-2.6
.0-156.jar

Broadcast message from root@isea (Sun Apr 19 15:50:40 2020):

Trying to stop processes gracefully. Reload takes approximately 3 mins

Broadcast message from root@isea (Sun Apr 19 15:51:01 2020):

The system is going down for reboot NOW

Session terminated, killing shell... ...killed.