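This document describes the ways to install ISE patches and covers frequently asked questions during installation.
Basic knowledge of Identity Services Engine (ISE).
The information in this document is based on these software and hardware versions:
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
Cisco releases ISE patches on a semi-regular basis. These patches contain bug fixes and, when necessary, security fixes (for example, the Heartbleed and Poodle vulnerabilities discovered with SSL). This ensures that bug fixes are applied, security vulnerabilities are plugged, and the solution works seamlessly.
When you install a patch on an ISE node, the node reboots. After the installation is complete, restart the services. Wait a few minutes before you log in again.
You can schedule patch installations during a maintenance window to avoid a temporary outage.
Install only patches that are applicable to the Cisco ISE version deployed in your network. Cisco ISE reports any version mismatch as well as any errors in the patch file.
You cannot install a patch with a version lower than the patch currently installed on Cisco ISE. Similarly, you cannot roll back the changes of a lower-version patch if a higher-version patch is currently installed on Cisco ISE.
When you install a patch from the Primary Administration Node (PAN) that is part of a distributed deployment, Cisco ISE installs the patch on the primary node and then on all the secondary nodes in the deployment. If the patch installation is successful on the PAN, Cisco ISE continues with the patch installation on the secondary nodes. If the installation fails on the PAN, it does not proceed to the secondary nodes. However, if the installation fails on any of the secondary nodes for any reason, it still continues with the next secondary node in the deployment.
When you install a patch from the PAN that is part of a two-node deployment, Cisco ISE installs the patch on the primary node and then on the secondary node.
If the patch installation is successful on the PAN, Cisco ISE continues with the patch installation on the secondary node. If the installation fails on the PAN, it does not proceed to the secondary node.
To download ISE patches from Cisco.com, navigate to Downloads > Products > Security > Access Control and Policy > Identity Services Engine > Identity Services Engine Software.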

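To apply the patch on ISE, log in to the ISE Primary Administration Node (PAN) GUI and follow these instructions:
Step 1. Navigate to Administration > System > Maintenance > Patch Management > Install.
Step 2. Click Browse and select the patch file that was downloaded from Cisco.com.
Step 3. Click Install to install the patch.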

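Step 1. Configure an ISE repository and place the required ISE patch in the repository. To configure an ISE repository, refer to How to Configure Repository on ISE.
Step 2. Log in to the ISE CLI with SSH.
Step 3. Ensure that the ISE CLI can list the repository contents.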
ise1/admin# show repository FTP_repository
ise-patchbundle-3.3.0.430-Patch2-24041511.SPA.x86_64.tar.gz
ise-patchbundle-3.3.0.430-Patch3-24070910.SPA.x86_64.tar.gz
ise-patchbundle-3.3.0.430-Patch4-24102504.SPA.x86_64.tar.gz
Step 4. To install the patch on a specific ISE node from the CLI, run the patch install command in EXEC mode.
patch install
Log in to the CLI of the ISE node through SSH and run these commands:
ise1/admin# patch install ise-patchbundle-3.3.0.430-Patch4-24102504.SPA.x86_64.tar.gz FTP_repository
% Warning: Patch will be installed only on this node. Install using Primary Administration node GUI to install on all nodes in deployment. Continue? (yes/no) [yes] ? yes
Initiating Application Patch installation...
Getting bundle to local machine...
Unbundling Application Package...
Verifying Application Signature...
Patch successfully installed
Broadcast message from root@ISE (pts/3) (Tue Dec 17 09:36:52 2024):
Trying to stop processes gracefully. Reload might take approximately 3 mins
% This application Install or Upgrade requires reboot, rebooting now...
Broadcast message from root@ISE (pts/3) (Tue Dec 17 09:37:21 2024):
The system is going down for reboot NOW
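When you install a patch from the PAN that is part of a distributed deployment, Cisco ISE installs the patch on the primary node and then on all the secondary nodes in the deployment. If the patch installation is successful on the primary PAN, Cisco ISE continues with the patch installation on the secondary nodes. If the installation fails on the PAN, it does not proceed to the secondary nodes.
However, if the installation fails on any of the secondary nodes for any reason, the system still continues with the patch installation on the next secondary node in the deployment.
To roll back a patch from the Cisco ISE nodes in a deployment, you must first roll back the change from the PAN. If this is successful, the patch is then rolled back from the secondary nodes. If the rollback process fails on the PAN, the patch is not rolled back from the secondary nodes. However, if the rollback fails on any secondary node, it still continues to roll back the patch from the next secondary node in the deployment.
While Cisco ISE rolls back the patch from the secondary nodes, you can continue to perform other tasks from the PAN GUI. The secondary nodes restart after the rollback.
To roll back an ISE patch, log in to the ISE GUI, navigate to Administration > System > Maintenance > Patch Management, select the required patch, and click Rollback, as shown here: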

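Step 1. Connect through SSH to the ISE node from which the patch needs to be removed.
Step 2. Verify the patches installed on the ISE node with the show version command: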
ise1/admin# show version
Cisco Application Deployment Engine OS Release: 3.3
ADE-OS Build Version: 3.3.P.097
ADE-OS System Architecture: x86_64
Copyright (c) 2005-2023 by Cisco Systems, Inc.
All rights reserved.
Hostname: ise-aaa-dnac1
Version information of installed applications
---------------------------------------------
Cisco Identity Services Engine
---------------------------------------------
Version : 3.3.0.430
Build Date : Tue Jul 4 00:31:18 2023
Install Date : Sat Nov 9 22:42:47 2024
Cisco Identity Services Engine Patch
---------------------------------------------
Version : 1
Install Date : Tue Dec 17 09:57:23 2024
Cisco Identity Services Engine Patch
---------------------------------------------
Version : 4
Install Date : Tue Dec 17 11:49:53 2024
Step 3. Run the patch remove <application name> <patch file number to be removed> command.
For example, patch remove ise 4:
ise1/admin# patch remove ise 4
Continue with application patch uninstall? [y/n] y
% Warning: Patch is removed only from this node. Remove patch with Primary Administration node GUI to remove from all nodes in deployment.
Patch successfully uninstalled
% This application Install or Upgrade requires reboot, rebooting now...
Broadcast message from root@ISE (pts/1) (Sun Mar 8 03:16:29 2020):
Trying to stop processes gracefully. Reload takes approximately 3 mins
Broadcast message from root@ISE (pts/1) (Sun Mar 8 03:16:29 2020):
Trying to stop processes gracefully. Reload takes approximately 3 mins
Broadcast message from root@ISE (pts/1) (Sun Mar 8 03:17:41 2020):
The system is going down for reboot NOW
Broadcast message from root@ISE (pts/1) (Sun Mar 8 03:17:41 2020):
The system is going down for reboot NOW
To uninstall an earlier patch, first uninstall the latest patch and then uninstall the earlier patch version.
ise1/admin# patch remove ise 1
Continue with application patch uninstall? [y/n] y
% Warning: Patch is removed only from this node. Remove patch with Primary Administration node GUI to remove from all nodes in deployment.
Continue? (yes/no) [yes] ? yes
% Patch cannot be rolled back while a newer version exists, which needs to rolled back first.
To view the ISE patch installation progress, navigate to Administration > System > Maintenance > Patch Management > Show Node Status, as shown in the image:

Verify the patch installation status from the ISE node. Log in to the same ISE server and run the show version command:
ise1/admin# show version
Cisco Application Deployment Engine OS Release: 3.3
ADE-OS Build Version: 3.3.P.097
ADE-OS System Architecture: x86_64
Copyright (c) 2005-2023 by Cisco Systems, Inc.
All rights reserved.
Hostname: ise-aaa-dnac1
Version information of installed applications
---------------------------------------------
Cisco Identity Services Engine
---------------------------------------------
Version : 3.3.0.430
Build Date : Tue Jul 4 00:31:18 2023
Install Date : Sat Nov 9 22:42:47 2024
Cisco Identity Services Engine Patch
---------------------------------------------
Version : 4
Install Date : Tue Dec 17 11:49:53 2024
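A pre-check for the two ordering rules this document states (a patch lower than the installed one cannot be installed, and the newest patch must be rolled back first), run against `show version` output. This is an added example, not Cisco code; the function names are hypothetical, and the bundle file-name pattern is an assumption taken from the file names in the repository listing above.

```python
import re
# Constructed sample, trimmed from the `show version` output in this document.
SAMPLE_SHOW_VERSION = """\
Cisco Identity Services Engine
---------------------------------------------
Version : 3.3.0.430
Cisco Identity Services Engine Patch
---------------------------------------------
Version : 1
Cisco Identity Services Engine Patch
---------------------------------------------
Version : 4
"""

def parse_show_version(text):
    """Return (base_version, sorted installed patch numbers)."""
    base, patches, section = None, [], None
    for line in map(str.strip, text.splitlines()):
        if line == "Cisco Identity Services Engine":
            section = "base"
        elif line == "Cisco Identity Services Engine Patch":
            section = "patch"
        m = re.match(r"Version\s*:\s*(\S+)$", line)
        if m and section == "base":
            base = m.group(1)
        elif m and section == "patch":
            patches.append(int(m.group(1)))
    return base, sorted(patches)

def can_install(bundle_name, show_version_text):
    base, patches = parse_show_version(show_version_text)
    # Assumed naming pattern: ise-patchbundle-<base version>-Patch<N>-...
    m = re.match(r"ise-patchbundle-([\d.]+)-Patch(\d+)-", bundle_name)
    if not m:
        return False, "unrecognised bundle name"
    if m.group(1) != base:
        return False, f"bundle targets {m.group(1)}, node runs {base}"
    if patches and int(m.group(2)) < patches[-1]:
        return False, f"patch {m.group(2)} is lower than installed patch {patches[-1]}"
    return True, "ok"

def can_remove(patch, show_version_text):
    """A patch can be rolled back only if no newer patch is installed."""
    _, patches = parse_show_version(show_version_text)
    if patch not in patches:
        return False, f"patch {patch} is not installed"
    if patch != patches[-1]:
        return False, f"remove patch {patches[-1]} first"
    return True, "ok"
```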
Verify the successful and failed patch messages in the ISE alarms:

ise1/admin# sh logging system ade/ADE.log tail
2024-12-17T09:28:29.162564+00:00 ise1 CARSSetup[2783958]: ADEAUDIT 2030, type=PATCH INSTALL, name=PATCH INSTALL STARTED, username=system, cause=Application patch install has been inititated, adminipaddress=127.0.0.1, interface=CLI, detail=Patch Install initiated with bundle - ise-patchbundle-3.3.0.430-Patch4-24102504.SPA.x86_64.tar.gz, repo - SFTP-REPO
2024-12-17T09:28:29.104724+00:00 ise1 ADE-SERVICE[1379]: [2783958]:[info] user: cars_install.c[5641] [system]: Illegal characters or double dots not found in name ise-patchbundle-3.3.0.430-Patch4-24102504.SPA.x86_64.tar.gz
2024-12-17T09:28:29.105444+00:00 ise1 ADE-SERVICE[1379]: [2783958]:[info] user: cars_install.c[5641] [system]: Illegal characters or double dots not found in name SFTP-REPO
2024-12-17T09:28:29.162700+00:00 ise1 ADE-SERVICE[1379]: [2783958]:[info] application:install cars_install.c[2568] [system]: Install initiated with bundle - ise-patchbundle-3.3.0.430-Patch4-24102504.SPA.x86_64.tar.gz, repo - SFTP-REPO
2024-12-17T09:28:29.171681+00:00 ise1 ADE-SERVICE[1379]: [2783958]:[info] application:install cars_install.c[2734] [system]: Stage area - /storeddata/Installing/.1734427709
2024-12-17T09:28:29.193007+00:00 ise1 ADE-SERVICE[1379]: [2783958]:[info] application:install cars_install.c[2737] [system]: Getting bundle to local machine
2024-12-17T09:28:29.193704+00:00 ise1 ADE-SERVICE[1379]: [2783958]:[info] transfer: cars_xfer.c[159] [system]: sftp copy in of ise-patchbundle-3.3.0.430-Patch4-24102504.SPA.x86_64.tar.gz requested
2024-12-17T09:28:29.194062+00:00 ise1 ADE-SERVICE[1379]: [2783958]:[info] transfer: cars_xfer_util.c[2643] [system]: Server validation successful x.x.x.x
2024-12-17T09:28:29.194784+00:00 ise1 ADE-SERVICE[1379]: [2783958]:[info] transfer: sftp_handler.c[689] [system]: DEBUG: local user: admin UID: 0 sftp_run_parent FD: 9 remote host: x.x.x.x remote user: admin command: get /ise-patchbundle-3.3.0.430-Patch4-24102504.SPA.x86_64.tar.gz /storeddata/Installing/.1734427709/ise-patchbundle-3.3.0.430-Patch4-24102504.SPA.x86_64.tar.gz
2024-12-17T09:29:24.127455+00:00 ise1 ADE-SERVICE[1379]: [2783958]:[info] transfer: cars_xfer_util.c[2666] [system]: Properties file /tmp/.cars_repodownload.props does not exist
2024-12-17T09:29:24.127573+00:00 ise1 ADE-SERVICE[1379]: [2783958]:[info] application:install cars_install.c[2794] [system]: Got bundle at - /storeddata/Installing/.1734427709/ise-patchbundle-3.3.0.430-Patch4-24102504.SPA.x86_64.tar.gz
2024-12-17T09:29:24.156171+00:00 ise1 ADE-SERVICE[1379]: [2783958]:[info] application:install cars_install.c[2867] [system]: Unbundling package ise-patchbundle-3.3.0.430-Patch4-24102504.SPA.x86_64.tar.gz
2024-12-17T09:29:41.327286+00:00 ise1 ADE-SERVICE[1379]: [2783958]:[info] application:install cars_install.c[2969] [system]: Verifying signature for package ise-patchbundle-3.3.0.430-Patch4-24102504.SPA.x86_64.tar.gz
2024-12-17T09:29:51.072928+00:00 ise1 ADE-SERVICE[1379]: [2783958]:[info] application:install cars_install.c[2993] [system]: Signed bundle /storeddata/Installing/.1734427709/ise-patchbundle-3.3.0.430-Patch4-24102504.SPA.x86_64.tar.gz confirmed with release key
2024-12-17T09:30:09.180007+00:00 ise1 ADE-SERVICE[1379]: [2783958]:[info] application:install cars_install.c[3172] [system]: Unbundling done. Verifying input parameters...
2024-12-17T09:30:09.180604+00:00 ise1 ADE-SERVICE[1379]: [2783958]:[info] application:install cars_install.c[3214] [system]: Manifest file is at - /storeddata/Installing/.1734427709/manifest.xml
2024-12-17T09:30:09.180652+00:00 ise1 ADE-SERVICE[1379]: [2783958]:[info] application:install cars_install.c[3283] [system]: Manifest file appname - ise
2024-12-17T09:30:09.180953+00:00 ise1 ADE-SERVICE[1379]: [2783958]:[info] application:install cars_install.c[3388] [system]: Patch bundle contains patch(4) for app version(3.3.0.430)
2024-12-17T09:30:09.183179+00:00 ise1 ADE-SERVICE[1379]: [2783958]:[info] application:install ci_util.c[322] [system]: Comparing installed app version:(3.3.0.430) and version of app the patch is meant for:(3.3.0.430)
2024-12-17T09:30:09.183259+00:00 ise1 ADE-SERVICE[1379]: [2783958]:[info] application:install cars_install.c[3443] [system]: Manifest file pkgtype - CARS
2024-12-17T09:30:09.183288+00:00 ise1 ADE-SERVICE[1379]: [2783958]:[info] application:install cars_install.c[4152] [system]: Verifying zip...
2024-12-17T09:30:32.843082+00:00 ise1 root: info:[patchinstall.sh] Current Disable_RSA_PSS=0
2024-12-17T09:30:32.847037+00:00 ise1 root: info:[patchinstall.sh] STARTING PATCH INSTALL SCRIPT. PATCHDIR: /storeddata/Installing/.1734427709 INSTALLDIRS:
2024-12-17T09:30:32.850535+00:00 ise1 root: info:[patchinstall.sh] NEW PATCH VER: 4 PRIOR PATCH VER: 0
2024-12-17T09:30:32.708937+00:00 ise1 ADE-SERVICE[1379]: [2783958]:[info] application:install cars_install.c[4241] [system]: Executing patch install script patchinstall.sh from patch.zip
2024-12-17T09:30:35.742426+00:00 ise1 root: info:[application:operation:cpmcontrol.sh] In Stop Monit
2024-12-17T09:30:35.755071+00:00 ise1 root: Monit daemon with pid [21765] killed
2024-12-17T09:30:36.816209+00:00 ise1 root: info:[application:operation:cpmcontrol.sh] Done Stop Monit
2024-12-17T09:30:37.125419+00:00 ise1 ADEOSShell[2791127]: ADEAUDIT 2062, type=USER, name=M&T Log Processor, username=system, cause=M&T Log Processor Stopped, adminipaddress=127.0.0.1, interface=CLI, detail=Stopping M&T Log Processor
2024-12-17T09:30:45.772624+00:00 ise1 root: info:[application:operation:adprobe.sh] adprobe:Stopping wmi probe...
2024-12-17T09:30:45.799438+00:00 ise1 root: info:[application:operation:adprobe.sh] adprobe:wmi probe is disabled
2024-12-17T09:30:45.871771+00:00 ise1 root: info:[application:operation:syslogprobe.sh] syslogprobe:Stopping syslog probe...
2024-12-17T09:30:45.898168+00:00 ise1 root: info:[application:operation:syslogprobe.sh] syslogprobe:syslog probe is disabled
2024-12-17T09:30:45.967252+00:00 ise1 root: info:[application:operation:restprobe.sh] restprobe:Stopping rest probe...
2024-12-17T09:30:45.994671+00:00 ise1 root: info:[application:operation:restprobe.sh] restprobe:rest probe is disabled
2024-12-17T09:30:46.074828+00:00 ise1 root: info:[application:operation:agentprobe.sh] agentprobe:Stopping agent probe...
2024-12-17T09:30:46.103781+00:00 ise1 root: info:[application:operation:agentprobe.sh] agentprobe:agent probe is disabled
2024-12-17T09:30:46.619128+00:00 ise1 root: info:[application:operation:appservercontrol.sh] Stopping ISE Application Server...
2024-12-17T09:30:46.621415+00:00 ise1 ADEOSShell[2791750]: ADEAUDIT 2062, type=USER, name=Application server status, username=system, cause=Application server stopped, adminipaddress=127.0.0.1, interface=CLI, detail=Application server stopped
2024-12-17T09:33:00.041627+00:00 ise1 root: info:[patchinstall.sh] ISE 3.3.0.430 patch 4 installFileSystem() INVOKED
2024-12-17T09:33:00.074901+00:00 ise1 root: info:[patchinstall.sh] Updating patched file: /storeddata/Installing/.1734427709/filesystem/opt/sp-hub/libs/cxf-core-3.5.7.jar
2024-12-17T09:33:00.085182+00:00 ise1 root: info:[patchinstall.sh] Updating patched file: /storeddata/Installing/.1734427709/filesystem/opt/sp-hub/libs/cxf-rt-ws-policy-3.5.7.jar
2024-12-17T09:33:00.094910+00:00 ise1 root: info:[patchinstall.sh] Updating patched file: /storeddata/Installing/.1734427709/filesystem/opt/sp-hub/libs/cxf-rt-bindings-soap-3.5.7.jar
2024-12-17T09:33:00.107845+00:00 ise1 root: info:[patchinstall.sh] Updating patched file: /storeddata/Installing/.1734427709/filesystem/opt/sp-hub/libs/prrt-interface-3.3.0.904.6-x86_64.jar
2024-12-17T09:33:00.117375+00:00 ise1 root: info:[patchinstall.sh] Updating patched file: /storeddata/Installing/.1734427709/filesystem/opt/sp-hub/libs/cxf-rt-transports-http-3.5.7.jar
Broadcast message from root@ise1 (pts/3) (Tue Dec 17 09:36:52 2024):
Trying to stop processes gracefully. Reload takes approximately 3 mins
Broadcast message from root@ise1 (pts/3) (Tue Dec 17 09:37:21 2024):
The system is going down for reboot NOW
Session terminated, killing shell... ...killed.
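The ADE.log excerpt above records who started the install, from which interface and repository, and that the bundle signature was confirmed before the install script ran. The following added example (not Cisco code; function and stage names are hypothetical) extracts the ADEAUDIT event and checks those stages, using five lines copied from the excerpt as sample input.

```python
import re
from datetime import datetime

# Sample input: five lines copied from the ADE.log excerpt in this document.
SAMPLE_LOG = """\
2024-12-17T09:28:29.162564+00:00 ise1 CARSSetup[2783958]: ADEAUDIT 2030, type=PATCH INSTALL, name=PATCH INSTALL STARTED, username=system, cause=Application patch install has been inititated, adminipaddress=127.0.0.1, interface=CLI, detail=Patch Install initiated with bundle - ise-patchbundle-3.3.0.430-Patch4-24102504.SPA.x86_64.tar.gz, repo - SFTP-REPO
2024-12-17T09:29:41.327286+00:00 ise1 ADE-SERVICE[1379]: [2783958]:[info] application:install cars_install.c[2969] [system]: Verifying signature for package ise-patchbundle-3.3.0.430-Patch4-24102504.SPA.x86_64.tar.gz
2024-12-17T09:29:51.072928+00:00 ise1 ADE-SERVICE[1379]: [2783958]:[info] application:install cars_install.c[2993] [system]: Signed bundle /storeddata/Installing/.1734427709/ise-patchbundle-3.3.0.430-Patch4-24102504.SPA.x86_64.tar.gz confirmed with release key
2024-12-17T09:30:09.183179+00:00 ise1 ADE-SERVICE[1379]: [2783958]:[info] application:install ci_util.c[322] [system]: Comparing installed app version:(3.3.0.430) and version of app the patch is meant for:(3.3.0.430)
2024-12-17T09:30:32.708937+00:00 ise1 ADE-SERVICE[1379]: [2783958]:[info] application:install cars_install.c[4241] [system]: Executing patch install script patchinstall.sh from patch.zip
"""

AUDIT = re.compile(r"ADEAUDIT (\d+), (.*)$")
FIELD = re.compile(r"(\w+)=(.*?)(?=, \w+=|$)")  # values may contain ", " (see detail=)
STAGES = {
    "signature_started": re.compile(r"Verifying signature for package \S+"),
    "signature_confirmed": re.compile(r"Signed bundle \S+ confirmed with release key"),
    "version_compared": re.compile(r"installed app version:\((.+?)\) and version of app the patch is meant for:\((.+?)\)"),
    "script_executed": re.compile(r"Executing patch install script"),
}

def audit_patch_install(log_text):
    """Return (audit_events, stage_times, findings) for one patch install run."""
    events, stages, findings = [], {}, []
    for line in log_text.splitlines():
        try:
            stamp = datetime.fromisoformat(line.split(" ", 1)[0])
        except ValueError:
            continue  # not a log record (for example a console broadcast line)
        m = AUDIT.search(line)
        if m:
            events.append({"id": m.group(1), **dict(FIELD.findall(m.group(2)))})
        for name, rx in STAGES.items():
            hit = rx.search(line)
            if hit:
                stages.setdefault(name, stamp)
                if name == "version_compared" and hit.group(1) != hit.group(2):
                    findings.append(f"version mismatch: {hit.group(1)} vs {hit.group(2)}")
    # Compare timestamps, not line order: the excerpt is not strictly time-ordered.
    run, signed = stages.get("script_executed"), stages.get("signature_confirmed")
    if run and (signed is None or signed > run):
        findings.append("install script ran without prior signature confirmation")
    return events, stages, findings
```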
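| Revision | Publish Date | Comments |
|---|---|---|
| 4.0 | 30-Sep-2024 | Updated Alt Text and Formatting. |
| 3.0 | 08-Nov-2023 | Recertification |
| 2.0 | 09-Sep-2022 | Revised to mask filenames, commands, user actions, and directory navigation from machine translation. Minor grammar, punctuation, structure, format. |
| 1.0 | 20-Apr-2020 | Initial Release |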