Solved: Re: Cisco CSSM || Smart Satellite upgrade process Version 8 Release 20 - Page 2

James Hawkins · ‎06-15-2021

Has anyone had any luck upgrading CSSM On_Premise to the latest version?

In previous versions I think you were able to upload the required files to the /var/files/patches directory using WinSCP or similar.

Now when you try that you get a permission denied response.

The install guide says the process is to go into onprem-console mode and then copy the files off an SCP server using the command below:

copy <your username>@<your remote host>.com:/path/SSM_On-Prem-8-202102_upgrade.sh patches:

I tried this using a Windows SCP server (BitVise) and got a failure message saying the following:

Operating in CiscoSSL FIPS mode
FIPS mode initialized
Unable to negotiate with 10.0.4.245 port 22: no matching host key type found. Their offer: ssh-rsa,ssh-dss

I tried a different Windows SCP server (Solarwinds) and am now getting the failure message below:

Operating in CiscoSSL FIPS mode
FIPS mode initialized
Warning: Permanently added '10.0.4.245' (RSA) to the list of known hosts.
ssh_dispatch_run_fatal: Connection to 10.0.4.245 port 22: incorrect signature

It looks like the server has saved the SSH key used by the first SCP server software I tried and will not allow the second server to be used because the key is different.

There do not seem to be any commands to clear the cached keys available - I guess I could boot from a CentOS ISO and try to work out how to do that but I am very angry that Cisco have made this whole process so unnecessarily difficult - how this software made it through testing baffles me.

If anyone has any recommendations for an SCP server that might work to upload the patches please let me know and, if anyone can give guidance on how to clear cached SSH keys please share that too.

Thanks

bbirchfield · ‎08-23-2021

Try Bitvise Client instead of WinSCP.

HUBERT RESCH · ‎08-23-2021

Thx, but the solution was using scp instead of sftp

Uriah Erter · ‎05-12-2022

This was also the fix for me. Thank you Hubert.

haprinz · ‎02-23-2024

hostas ehh hiibrocht?

rpidcock@bankrcb.net · ‎12-10-2021

Trying to upgrade my on prem CSSM from 8-202010 to 8-202108. Having trouble with the copy command in step #6, getting error "permission denied". I'm logging in using admin account. Do I need to use a different account? (i.e. root?)

andy1176 · ‎10-25-2021

Some additional hints for the SSM running in STIG Mode to upload the upgrade image.

Solution provided by TAC.

From the CLI of the SSM:

>> curl -k -u ftp-user ftp://IP_Address/ipsla-test-ftp.txt -o /var/files/patches/ipsla-test-ftp.txt

or

>> curl -k -u admin ftp://IP_Address/SSM_On-Prem_8-202108_upgrade.sh -o /var/files/patches/SSM_On-Prem_8-202108_upgrade.sh

This was a solution for us to upload the upgrade image to the SSM (running in STIG mode)

Michael Berry · ‎02-06-2024

Hi, hopefully this helps others as an alternate solution... The incorrect signature error is due to FIPS being enabled and it can simply be disabled for the duration of a copy session by running "export CISCOSSH_FIPS_MODE=no" under your "admin" user or via sudo for the root user. I believe the onprem-console may kick off the copy command as root/sudo. Otherwise, you can edit /etc/environment and update with "no" for the FIPS variable and reboot...

Cisco CSSM || Smart Satellite upgrade process Version 8 Release 202102