Launching soon: The world's first vendor agnostic bug scrubLearn more & join waitlist
OPERATIONAL DEFECT DATABASE
...
...
HPE StoreVirtual VSA security patch 56002-00 is available for HPE Hyper Converged 380 systems. This patch requires HPE OneView InstantOn Version 1.3.5.31, HPE OneView for VMware vCenter Version 7.8.4, and the Hyper Converged 380 system to be at Version 1.1 Update 2 (1.1 U2). The StoreVirtual security patch disables SSLv3, TLS 1.0, and TLS 1.1 and upgrades the OpenSSL version to 1.0.1e 48. This updates the StoreVirtual VSA system to the latest security protocols. For more information, refer to Security Bulletin HPSBST03642 rev.3 - HPE StoreVirtual Products running LeftHand OS using OpenSSL and OpenSSH, Remote Arbitrary Code Execution, Denial of Service (DoS), Disclosure of Sensitive Information, Unauthorized Access Additional patch information can be found in the patch release notes available through the HPE StoreVirtual Centralized Management Console (CMC). Since HPE OneView for VMware vCenter versions 7.8.3 (and earlier) rely on the TLS 1.x protocol for communicating with the StoreVirtual VSA, and the security patch disables TLS 1.x, installing the security patch without first updating OneView for VMware vCenter causes the solution to stop functioning. IMPORTANT : Do not upgrade HPE Hyper Converged 380 system to HPE OneView for VMware vCenter version 8.0 (or later). HPE OneView for VMware vCenter Versions 8.0 (and later) have an updated architecture that does not work with the HPE Hyper Converged 380 systems. See the Resolution below for instructions to update your Hyper Converge 380 system, upgrade the OneView for VMware vCenter plug-in, upgrade OneView InstantOn and install the HPE StoreVirtual patch.
All HPE Hyper Converged 380 systems must be upgraded to system software 1.1 U2, HPE OneView for VMware vCenter version 7.8.4 and HPE OneView InstantOn version 1.3.5.31 (or later) before installing StoreVirtual VSA security patch 56002-00.
Update your Hyper Converged 380 system in the following order: Upgrade the HPE Hyper Converged 380 system to version 1.1 U2. Upgrade the HPE OneView for VMware vCenter component to version 7.8.4.168. Upgrade HPE OneView InstantOn to version 1.3.5.31 (or later). Install the HPE StoreVirtual VSA security patch. It is important that all these components be updated and in the order listed to minimize system down time. IMPORTANT : Do not upgrade the HPE Hyper Converged 380 system to HPE OneView for VMware vCenter version 8.0 or later. HPE OneView for VMware vCenter versions 8.0 (and later) have an updated architecture that does not work with the HPE Hyper Converged 380 systems. If the Hyper Converged system has not yet been deployed, or an expansion is planned, first deploy or expand the system as described in the HPE Hyper Converged 380 Installation Guide. For questions or concerns regarding these requirements, contact HPE Support for additional guidance: http://h20566.www2.hpe.com/portal/site/hpsc/public/help/contactHP/home . Upgrade the HPE Hyper Converged 380 System Refer to the HPE Hyper Converged 380 Upgrade Guide for instructions to update the system to version 1.1 U2. Locate this guide at the following URL: http://www.hpe.com/info/docs . Select the Integrated Systems tab, then select Hyper Converged Systems under the expanded Products & Solutions banner. Upgrade HPE OneView for VMware vCenter Before performing the following upgrade, launch the OneView for VMware vCenter from the vSphere Web Client. Note the registered storage systems on the Storage Administrator Portal, because this information will be needed to verify the systems again after the update. NOTE: The OneView for VMware vCenter installer will automatically uninstall the previous version. This upgrade preserves the existing Hyper Converged System to vCenter HA to storage pool configuration. 1) Download the HPE OneView for VMware vCenter version 7.8.4.168 installer to the Management VM desktop. To find the latest HPE OneView for VMware vCenter installer, go to: http://www.hpe.com/info/HCupdates and follow the links for your Hyper Converged product. NOTE: Full administrator credentials for VMware vCenter are required to install the OneView for VMware vCenter update. For deployments using a remote vCenter configuration, locate the system hosting the remote instance of vCenter and update the OneView for VMware vCenter component on that system. IMPORTANT : Do not upgrade the HPE Hyper Converged 380 for VMware vSphere system to HPE OneView for VMware vCenter version 8.0 (or later). HPE OneView for VMware vCenter versions 8.0 (and later) have an updated architecture that does not work with the HPE Hyper Converged 380 systems. 2) If it is currently running, stop HPE OneView for VMware vCenter on the Management VM by logging out of and closing the VMware vSphere web client. 3) Start the installer by double-clicking the HPE OneView for VMware vCenter icon on the desktop, or right-clicking the icon and selecting Run as Administrator. 4) Click Continue each time the ATTENTION pop up screens appear. 5) Click Next to acknowledge removal of the previous HPE OneView for VMware vCenter version. 6) Click Uninstall . This should take 2 to 3 minutes. 7) When the uninstall completes, click Done . If prompted to do so, reboot the Windows Management VM. 8) Click Next twice to move through the first two introductory pages. 9) Accept the License Agreement and click Next . 10) Select Typical Installation and click Next . 11) Accept the Support Data License Agreement and click Next . 12) If using a FTP proxy service, select Yes . Otherwise, select No and click Next . 13) On the Storage Administrator Portal Credentials screen, select whether to Allow all vSphere users or Allow a single vSphere user, then click Next . The default is to allow all vSphere users. 14) Provide the VMware vCenter administrator credentials when prompted. 15) After the credentials are validated, a green View Certificate status appears. Click Next . 16) Review the Installation Summary and click Next . 17) Installation can take up to 5 minutes. Click Done when it is finished. Two HPE OneView for VMware vCenter shortcuts appear on the desktop. One is for the Storage Administrator Portal, and the other for the Server Administrator Portal. 18) Open the Windows Control Panel and verify that HPE OneView for VMware vCenter is now at version 7.8.4.168. 19) Launch the updated OneView for VMware vCenter from the vSphere Web Client and validate the list of registered storage systems that you noted before the upgrade. Re-register any missing storage systems. Upgrade HPE OneView InstantOn If the system was deployed or expanded using HPE OneView InstantOn version 1.3.5.31 or later, this step is complete. Proceed with the next section, "Obtaining HPE StoreVirtual VSA Security Patches for Systems without an Internet Connection." 1) Download HPE OneView InstantOn version 1.3.5.31 or later to the Management VM desktop. To find the latest version of HPE OneView InstantOn, go to: http://www.hpe.com/info/HCupdates and follow the links for your Hyper Converged product. Windows full administrator credentials are required to install HPE OneView Instant On on the Management VM. 2) If OneView InstantOn is running on theManagement VM, close it. 3) Double-click the InstantOn icon on the desktop of the Management VM. The Welcome window of the OneView InstantOn Setup Wizard appears. 4) Click Next to proceed with the upgrade. 5) When the upgrade is finished, the Upgrade Complete window appears. Click Finish . Obtaining HPE StoreVirtual VSA Security Patches for Systems without an Internet Connection If the Hyper Converged 380 System does not have a connection to the internet, use the following steps to obtain StoreVirtual VSA patches. If the system does have an internet connection, proceed to the next section, Installing the HPE StoreVirtual VSA Security Patches. 1) Install the CMC on a computer or laptop that can access the internet. a. Go to this URL: http://www.hpe.com/info/StoreVirtualDownloads b. Click Select in the upper right corner. c. Enter your HPE Passport credentials and click Sign in . d. Fill out the customer information, accept the software license terms, and click Next . e. Click Download next to the HPE StoreVirtual Centralized Management Console option appropriate for your system. f. When the download completes, double-click the HPE StoreVirtual Centralized Management Console icon to begin the installation. 2) Click Help->Preferences->Upgrades and select Download Directory to view and change the directory into which patch and upgrade files are downloaded. This directory will be made available inside the firewall for updating the system. 3) If not already connected, connect your computer to the Internet outside of the firewall. 4) Start the CMC. 5) On the CMC menu bar, select Tasks->Download All Upgrade Files. 6) Start the download and close the progress window. To check the progress, open the window again by selecting Tasks->Download All Upgrade Files. NOTE: If the download must be stopped before it completes, continue the download by again selecting Tasks->Download All Upgrade Files. The download will continue downloading the remaining files only. 7) Close the CMC. 8) Reconnect the computer to your network. 9) Copy the downloaded files to a network share location or to portable media, or use the CMC on your computer to upgrade your storage systems. If the files are copied to a network location, any CMC used to do the upgrades must point to that network location to see the files. Install the HPE StoreVirtual VSA Security Patches 1) Open the HPE StoreVirtual Centralized Management Console (CMC): Start->All Programs->HPE->HPE StoreVirtual. 2) Log into the management group using the StoreVirtual credentials created during initial deployment with HPE OneView Instant On. In the left navigation window, select the management group and log in by any of the following methods: a. Double-click the management group. b. Right-click the management group and select Log in to Management Group. c. Click any of the "Log in to view links" on the Details tab. Enter your user name and password, and click Log In . Enter your user name and password, and click Log In . 3) If the StoreVirtual VSA Security patches were obtained as described in the preceding section for systems without an internet connection: a. Navigate to the Upgrades tab. b. Click Use Local Media and navigate to the directory where the downloaded upgrade and patch files are stored. c. Click OK . 4) Within the CMC, select Tasks->Download Upgrades Manifest. When completed, a pop-up window appears confirming, "Download Upgrades Manifest file completed." 5) From the menus across the top of the CMC window, select Urgent Patches Available. Click Start Download next to the StoreVirtual management group created during initial deployment. 6) After the download completes, select the Upgrades tab, still under the Urgent Patches Available menu. Click the link, "Click here to stay on current software version..." 7) Check the box for "Only notify me of patches available for my current version of software." 8) Click Continue . 9) A pop-up window appears, listing the VSA patches to be applied. Click Install and patch application begins. 10) Verify successful patch installation: a. Within the CMC, identify each VSA in the left-hand navigation pane. Expand the menu under the VSA. b. Select Diagnostics. c. Select Hardware Information. d. The Package Selection pop-up window appears listing the available patches for the VSA. Applied patches will have a check mark preceding them. Click Cancel to return to the CMC. 11) Log out of the management group. In the navigation window, select the management group. Click Management Group Tasks on the Details tab, and select Log Out of Management Group. 12) Repeat steps 2 through 10 for any additional management groups in the solution. 13) Close the CMC. Applying the StoreVirtual Security Patch following System Expansion After performing the upgrade and applying the patches detailed above, the hyper converged system can still be expanded. Expand your system following the instructions in the Hyper Converged 380 Installation Guide. When the expansion completes, take the following steps to ensure all StoreVirtual VSAs have the same security protections and update the remote instance of HPE OneView for VMware vCenter, if necessary. 1) Repeat the procedure in Obtaining HPE StoreVirtual VSA Security Patches for Systems without an Internet Connection and/or Installing the HPE StoreVirtual VSA Security Patch to apply the security patches to the newly added StoreVirtual VSAs. 2) If the solution was deployed with a local instance of vCenter, you are now done. If the solution was deployed with a remote instance of vCenter, locate the system with the remote HPE OneView for VMware vCenter plug-in used during the initial deployment. 3) From the local management VM or the remote HPE OneView for VMware vCenter plug-in, open the Storage Administrator Portal and re-enter the OneView for VMware for vCenter credentials, if requested. 4) Verify the Storage Administrator Portal shows information for the expanded nodes. If it does not show the additional nodes, do the following: a. Under System Name, select the expanded management group. Click Modify . b. Enter the StoreVirtual administrator credentials established during initial deployment and click Next . c. Verify the pending updates and click Next . d.Ensure the Full Access option is checked, as shown below and click Finish . e. The additional nodes now appear in the Storage Administrator Portal. f. Close the Storage Administrator Portal. RECEIVE PROACTIVE UPDATES : Receive support alerts (such as Customer Advisories), as well as updates on drivers, software, firmware, and customer replaceable components, proactively via e-mail through HPE Subscriber's Choice. Sign up for Subscriber's Choice at the following URL: Proactive Updates Subscription Form. NAVIGATION TIP : For hints on navigating HPE.com to locate the latest drivers, patches, and other support software downloads for ProLiant servers and Options, refer to the Navigation Tips document . SEARCH TIP : For hints on locating similar documents on HPE.com, refer to the Search Tips document .