First Published: May 31, 2024

This document provides information about Cisco Crosswork Network Controller 5.0.3, including patch release versions for Cisco Crosswork products and their associated defects, and the patch installation workflow.

The Cisco Crosswork Network Controller 5.0.3 release addresses key customer found issues and security vulnerabilities.

Patch Release Versions for Cisco Crosswork Products

The patch files (.tar.gz) are available on the Cisco Software Download page.

As you progress through the Release Notes, you can use the Cisco Bug Search Tool to search for any bugs and information associated with the product release. See the Bugs section in this Release Notes for detailed instructions.

Table 1. Patch Releases

Defect ID

Description

Applied Crosswork Component Patch

CSCwh62908

Crosswork Optimization Engine user SR policy failed in deletion

Crosswork Optimization Engine 5.0.3

CSCwi26233

The gnmi-collector is unable to parse gNMI Subscribe Response from 3rd party devices

Crosswork Infrastructure 5.0.3

CSCwi28262

 Devices are not discovering accurately when they are added on 5.0.2 version or above in IPv6 setup

Element Management Functions 5.0.3

CSCwi42980

Security vulnerability reported for XSS attack (CVE-2021-4231)

Crosswork Infrastructure 5.0.3

Crosswork Active Topology 5.0.3

Crosswork Change Automation 5.0.3

Crosswork Health Insights 5.0.3

Crosswork Zero Touch Provisioning 5.0.3

CSCwi64836

Crosswork nightly build version bumpup

Crosswork Service Health 5.0.3

CSCwi73629

Bigbend devices are OUTOFSYNC due to failure of the feature ConfigArchive_Capability_bigbend

Element Management Functions 5.0.3

CSCwj02265

Re-enable helios ability to run commands on devices and store output to files during showtech collection

Crosswork Infrastructure 5.0.3

CSCwj02295

Stored Cross-Site Scripting Vulnerability grouping

Crosswork Infrastructure 5.0.3

CSCwj19369

Security vulnerability reported in tomcat 9.0.48 (CVE-2023-46589)

Crosswork Zero Touch Provisioning 5.0.3

CSCwj35878

Unable to download the showtech file

Crosswork Infrastructure 5.0.3

CSCwj38341

Health Insights is failing to parse 3rd party device data and the graphs are empty

Crosswork Infrastructure 5.0.3

CSCwj48720

Crosswork Data Gateway is in a Degraded state after installing Crosswork, followed by MOP patch and the Infrastructure patch.

Crosswork Infrastructure 5.0.3

CSCwj49287

Security vulnerability reported for Change Automation, Health Insights, and Astack on Crosswork 5.0.3

Crosswork Infrastructure 5.0.3

Crosswork Change Automation 5.0.3

Crosswork Health Insights 5.0.3

CSCwj56751

LCM reports results with negative interface utilization

Crosswork Optimization Engine 5.0.3

CSCwj78689

Unable to launch UI post infra 503 patch installation

Crosswork Infrastructure 5.0.3

CSCwj88406

Migration support for RBAC UserPreference

Crosswork Infrastructure 5.0.3

Patch Installation Workflow

This section explains how to install the Cisco Crosswork 5.0.3 patch files.

Before you begin

Ensure you have the following:

  • Crosswork Infrastructure MOP file (signed-cw-na-infra-5.0.3-MOP-020524.tar.gz) and Crosswork patch image files (see the table below) downloaded from Cisco Software Download to a local machine that can be accessed via SCP by Crosswork.

  • Cisco Crosswork Administrator user credentials.

  • Management IP address used for your Crosswork VM deployment.

  • Backed up your data.

The upgrade process is disruptive and should be performed during a maintenance window. The time required for the applications to restart is typically less than 30 minutes per application. If you encounter any error while installing the patch, contact the Cisco Customer Experience team before attempting to move forward with the next step.


Important

Depending on the existing Crosswork version you are upgrading from, the installation sequence can change. Download the patch files and follow the relevant installation sequence for your Crosswork version.

Table 2. Upgrading from Crosswork 5.0.2 version

Upgrading from Crosswork 5.0.2 version

Patch Installation Sequence:

  1. Crosswork Infrastructure: signed-cw-na-infra-patch-5.0.3-12-release-240513.tar.gz

  2. Crosswork Optimization Engine: signed-cw-na-coe-patch-5.0.3-5-release-240514.tar.gz

  3. Crosswork Active Topology: signed-cw-na-cat-patch-5.0.3-2-release-240307.tar.gz

  4. Element Management Functions: signed-cw-na-common-ems-services-patch-5.0.3-31-releaseems503-240401.tar.gz
Table 3. Upgrading from Crosswork 5.0.0 version

Upgrading from Crosswork 5.0.0 version

Patch Installation Sequence:

  1. Crosswork Infrastructure: signed-cw-na-infra-patch-5.0.3-12-release-240513.tar.gz

  2. Crosswork Optimization Engine: signed-cw-na-coe-patch-5.0.3-5-release-240514.tar.gz

  3. Crosswork Active Topology: signed-cw-na-cat-patch-5.0.3-2-release-240307.tar.gz

  4. Element Management Functions: signed-cw-na-common-ems-services-patch-5.0.3-31-releaseems503-240401.tar.gz

  5. (Optional) Crosswork Service Health: signed-cw-na-aa-patch-5.0.3-3-releasesh500-240305.tar.gz

  6. (Optional) Crosswork Change Automation: signed-cw-na-ca-patch-5.0.3-4-release-240328.tar.gz

  7. (Optional) Crosswork Health Insights: signed-cw-na-hi-patch-5.0.3-4-release-240327.tar.gz

  8. (Optional) Crosswork Zero Touch Provisioning: signed-cw-na-ztp-patch-5.0.3-2-releaseztp500-240320.tar.gz

Ensure you are running the latest version of each application you are using. Please note, that application version numbers may differ as not all applications are patched at the same time.

Procedure

Step 1

Extract and validate the Crosswork patch files: After downloading the Crosswork patch files (see table above for details), extract and validate them.

To extract the signed image package, run the following command: 

tar -xzvf <signed image file>

The signed image package contains the patch file (.tar.gz) and relevant certificates.

To validate the extracted patch file, run the following command:

python3 cisco_x509_verify_release.py3 -e <.cer file> -i <.tar.gz file> -s <.tar.gz.signature file> -v dgst -sha512

Example:

After downloading the Crosswork Infrastructure signed patch image (signed-cw-na-infra-patch-5.0.3-12-release-240513.tar.gz), it is extracted and the signature is verified. 

cd <folder where tar was download>
tar -xzvf signed-cw-na-infra-patch-5.0.3-12-release-240513.tar.gz

README
cw-na-infra-patch-5.0.3-12-release-240513.tar.gz
cw-na-infra-patch-5.0.3-12-release-240513.tar.gz.signature
CW-CCO_RELEASE.cer
cisco_x509_verify_release.py3
python3 cisco_x509_verify_release.py3 -e CW-CCO_RELEASE.cer -i cw-na-infra-patch-5.0.3-12-release-240513.tar.gz -s cw-na-infra-patch-5.0.3-12-release-240513.tar.gz.signature -v dgst -sha512

Retrieving CA certificate from http://www.cisco.com/security/pki/certs/crcam2.cer ...
Successfully retrieved and verified crcam2.cer.
Retrieving SubCA certificate from http://www.cisco.com/security/pki/certs/innerspace.cer ...
Successfully retrieved and verified innerspace.cer.
Successfully verified root, subca and end-entity certificate chain.
Successfully fetched a public key from CW-CCO_RELEASE.cer.
Successfully verified the signature of cw-na-infra-patch-5.0.3-12-release-240513.tar.gz using CW-CCO_RELEASE.cer

Ensure that you extract and validate all the Crosswork patch files you need.

Step 2

Extract and validate the Infrastructure MOP file: Download the signed Crosswork Infrastructure MOP file (signed-cw-na-infra-5.0.3-MOP-020524.tar.gz) to your machine.

  1. Extract the signed file:

    cd <folder where tar was download>
tar -xzvf signed-cw-na-infra-5.0.3-MOP-020524.tar.gz

README
cw-na-infra-5.0.3-MOP-020524.tar.gz
cw-na-infra-5.0.3-MOP-020524.tar.gz.signature
CW-CCO_RELEASE.cer
cisco_x509_verify_release.py3

  2. Validate the contents of the signed file: 

    python3 cisco_x509_verify_release.py3 -e CW-CCO_RELEASE.cer -i cw-na-infra-5.0.3-MOP-020524.tar.gz -s cw-na-infra-5.0.3-MOP-020524.tar.gz.signature -v dgst -sha512

Retrieving CA certificate from http://www.cisco.com/security/pki/certs/crcam2.cer ...
Successfully retrieved and verified crcam2.cer.
Retrieving SubCA certificate from http://www.cisco.com/security/pki/certs/innerspace.cer ...
Successfully retrieved and verified innerspace.cer.
Successfully verified root, subca and end-entity certificate chain.
Successfully fetched a public key from CW-CCO_RELEASE.cer.
Successfully verified the signature of cw-na-infra-5.0.3-MOP-020524.tar.gz using CW-CCO_RELEASE.cer

  3. Copy the cw-na-infra-5.0.3-MOP-020524.tar.gz file (using SCP) to /home/cw-admin/ folder on one of the Crosswork hybrid nodes. 

    scp cw-na-infra-5.0.3-MOP-020524.tar.gz cw-admin@{Crosswork Cluster VIP address}:/home/cw-admin/

  4. SSH into the Crosswork hybrid node where you copied the files, and change to root using sudo su - command.

  5. Extract the MOP file that you copied:

    cd /home/cw-admin
tar -xvf cw-na-infra-5.0.3-MOP-020524.tar.gz

signed-cw-na-k8s-orchestrator-5.0.3-1-release-240502.tar.gz
update_orch.sh
nbi_patch.sh

Step 3

Execute the script file (update_orch.sh):

  1. Update the permissions: chmod 755 update_orch.sh

  2. Run the script: ./update_orch.sh

    When you run the script you will be asked for the password for the cw-admin user account.

    Note

     

    Do not enter the password more than once even if you are prompted repeatedly to do so. The script will reuse the password that it read from the earlier input.

    Wait 10 to 15 minutes for the update to complete and verify that system is healthy.

Step 4

Add and install the patch files in the Crosswork UI:

  1. Click on Administration > Crosswork Management, and select the Application Management tab. The Crosswork Platform Infrastructure and any applications that are added are displayed here as tiles.

  2. Click on the Add File (.tar.gz) option to add the patch file (for example, cw-na-infra-patch-5.0.3-12-release-240513.tar.gz) that you extracted. The Add File (tar.gz) via Secure Copy popup window is displayed.

  3. Enter the relevant information and click Add. Once the file is added, you can observe the existing application tile displaying an upgrade prompt. Click the upgrade prompt to install the patch file.

    In the Upgrade pop-up screen, select the new version that you want to upgrade to, and click Upgrade. Click on Job History to see the progress of the upgrade operation.

  4. After the installation is complete, go to Administration > Crosswork Manager and confirm all of the applications are reporting a Healthy status.

    Note

     

    It is expected that some processes will be reported as unhealthy or degraded as the upgrade is deployed (an updated status may take up to 30 minutes before reporting). If, after 30 minutes, the status does not change to Healthy, contact your Cisco Customer Experience representative. It is recommended to wait until the system is back to Healthy status before proceeding to install the next patch file.

Step 5

Repeat Step 4 to add and install the remaining Crosswork application patch files that you need.

Note

 

If the UI becomes unresponsive, perform the following:

  • Verify that the robot-ui pod is up using the below command:

    kubectl get pods | grep robot-ui

  • If no pods are listed in the above command, execute the below script to enable robot-ui: 

    kubectl exec -it -n kube-system $(/opt/robot/bin/orchleader.sh) -- bash
robotctl dunit start pod-du-ui

    Wait for the response "dunit is successfully started" and exit.

If dg-manager is down:

  • Verify that the dg-manager is not present using the below command: kubectl get pods | grep dg-manager

  • If no pods are listed in the above command, execute the below script to enable dg-manager: 

    kubectl exec -it -n kube-system $(/opt/robot/bin/orchleader.sh) -- bash
robotctl dunit start pod-du-dgmanager

    Wait for the response "dunit is successfully started" and exit.

Step 6

This additional step is applicable ONLY if you deployed Element Management Functions on the Crosswork 5.0.0 version and later installed the Crosswork 5.0.2 patch.

Important

 

This step is NOT applicable if you are upgrading directly from Crosswork 5.0.0 to 5.0.3 version.

After installing the Element Management Functions patch using step 4, execute the below commands to ensure that ENABLE_WEBSOCKETS is set on the Tyk pod and the WebSocket subscription is enabled. 

kubectl exec -it -n kube-system $(/opt/robot/bin/orchleader.sh) -- bash
robotctl dunit uninstall pod-du-cw-nbi-alarm-notification

Wait for the response "dunit is successfully uninstalled". 

robotctl dunit install pod-du-cw-nbi-alarm-notification capp-common-ems-services

Wait for the response "dunit is successfully started" and exit.

Bugs

You can use the Cisco Bug Search Tool to search for any bugs associated with the product release.

  1. Go to the Cisco Bug Search Tool.

  2. Enter your registered Cisco.com username and password, and click Log In.

    The Bug Search page opens.


    Note

    If you do not have a Cisco.com username and password, you can register here.

  3. From the Product list, select Cloud and Systems Management > Routing and Switching Management > Cisco Crosswork Network Automation.

  4. Enter 5.0.3 in the Release field.

  5. (Optional) You can enter additional criteria (such as bug ID, problem description, a feature, or a product name) in the Search For field.

  6. Click Search. When the search results are displayed, use the filter tools to narrow the results. You can filter the bugs by status, severity, and so on.


Note

To export the results to a spreadsheet, click Export Results to Excel.