Upgrade and Downgrade Caveats

The following items provide key information about upgrading and downgrading with this software version.

Reactivate License Key Features

On the Acme Packet 1100 and Acme Packet 3900 platforms, the software TLS and software SRTP features no longer require license keys. After you upgrade to S-Cz8.3.0, you must run the setup product command to re-activate the features that formerly depended on license keys.

Set the New FIPS Boot File Name

Typically, you change the name of the boot file to the name of the new release by editing the file name in the boot parameters. If FIPS mode is enabled, you cannot edit the boot file name when upgrading from E-CZ7.5.0 to E-CZ8.3.0 on the Acme Packet 1100, Acme Packet 3900, and VNF. You must use the set-boot-file command to set the new boot file name.

Reset the rsa_ssh.key

After you upgrade from 7.x to S-Cz8.3.0, you must manually reset the rsa_ssh.key when the host OpenSSH client version is 7.6 or newer. This applies to all platforms.

  1. Delete the old ssh_rsa.key in the /code/ssh directory in the shell environment.
  2. Reboot the E-SBC, using reboot from the ACLI prompt.

Reset Local Passwords for Downgrades

Oracle delivers increased encryption strength for internal password hash storage for the S-Cz8.3.0 release. This affects downgrades to the E/SC-z7.x and E/SC-z8.0.0 releases because the enhanced password hash algorithm is not compatible with those earlier SBC software versions. The change does not affect downgrades to E/SCz8.1.0 or E/SCz8.2.0.

If you change any local account passwords after upgrading to S-Cz8.3.0 and then attempt to downgrade to the earlier release, local authentication does not succeed and the system becomes inaccessible.

Oracle recommends that you do not change any local account passwords after upgrading to S-Cz8.3.0 from a prior release, until you are sure that you will not need to downgrade. If you do not change any local account passwords after upgrading to S-Cz8.3.0, downgrading is not affected.

Caution:

If you change the local passwords after you upgrade to S-Cz8.3.0, and then later want to downgrade to a previous release, reset the local user passwords with the following procedure while running the newer version, before attempting the downgrade.

Perform the following procedure on the standby SBC first, and then force a switchover. Repeat steps 1-10 on the newly active SBC. During the procedure, the SBC powers down and you must be present to manually power up the SBC.

Caution:

Be aware that the following procedure erases all of your local user passwords, as well as the log files and CDRs located in the /opt directory of the SBC.

  1. Log on to the console of the standby SBC in Superuser mode, type halt sysprep on the command line, and press ENTER.

    The system displays the following warning:

    *********************************************
    WARNING: All system-specific data will be permanently 
    erased and unrecoverable.
    
    Are you sure [y/n] 
  2. Type y, and press ENTER.
  3. Type your Admin password, and press ENTER.

    The system erases your local passwords, log files, and CDRs and powers down.

  4. Power up the standby SBC.
  5. During boot up, press the space bar when prompted to stop auto-boot so that you can enter the new boot file name.

    The system displays the boot parameters.

  6. For the Boot File parameter, type the boot file name for the software version to which you want to downgrade next to the existing version. For example, nnECZ800.bz.
  7. At the system prompt, type @, and press ENTER.

    The standby reboots.

  8. After the standby reboots, do the following:
    1. Type acme, and press ENTER.
    2. Type packet, and press ENTER.
  9. Type and confirm the password that you want for the User account.
  10. Type and confirm the password that you want for the Superuser account.
  11. Perform a notify berpd force on the standby to force a switchover.
  12. Repeat steps 1-10 on the newly active SBC.

Time Division Multiplexing

Do not set the replace-uri action when routing to a TDM interface.

vSBC License Keys

See "Encryption for Virtual SBC" under "Self-Provisioned Entitlements" for important information about licensing changes for virtual SBCs.

Maintain DSA-Based HDR and CDR Push Behavior

To maintain your existing DSA key-based CDR and HDR push behavior after upgrading from 7.x to S-Cz8.3.0, perform the following procedure:

  1. Navigate to the security, ssh-config, hostkey-algorithms configuration element and manually enter the DSA keys you want to use.
  2. Save and activate your configuration.
  3. Execute the reboot command from the ACLI prompt.

Errors for authentication-over-ipsec

When upgrading from a previous release to S-Cz8.3.0m1p7 or later, the authentication-over-ipsec attribute of the authentication element is enabled by default. This may cause verify-config to report the error:

    ERROR: authentication-over-ipsec is enabled, but x.x.x.x tacacs server 
    does not match any of the security-policy's remote-ip-addr-match/mask subnet

To remove these errors, set authentication-over-ipsec to disabled.
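
The subnet match that the error message describes can be checked offline before the upgrade, to see which TACACS+ servers would be flagged. This is an added example, not Oracle code: the function name and the sample addresses are constructed, and it assumes that remote-ip-addr-match and its mask behave as an ordinary address/netmask pair copied by hand from the configuration.

```python
import ipaddress

# Constructed sample values (documentation address ranges), not from a real config.
TACACS_SERVERS = ["192.0.2.10", "198.51.100.20"]
SECURITY_POLICIES = [
    # (remote-ip-addr-match, mask) pairs, one per security-policy
    ("192.0.2.0", "255.255.255.0"),
    ("203.0.113.5", "255.255.255.255"),
]


def uncovered_tacacs_servers(tacacs_servers, security_policies):
    """Return the TACACS+ server addresses that fall outside every
    security-policy remote subnet, in the order they were given."""
    subnets = []
    for addr, mask in security_policies:
        # strict=False accepts a host address with a shorter mask,
        # e.g. 10.0.5.7 with 255.255.255.0 is treated as 10.0.5.0/24.
        subnets.append(ipaddress.ip_network(f"{addr}/{mask}", strict=False))

    uncovered = []
    for server in tacacs_servers:
        ip = ipaddress.ip_address(server)
        covered = any(
            ip.version == net.version and ip in net for net in subnets
        )
        if not covered:
            uncovered.append(server)
    return uncovered


if __name__ == "__main__":
    for server in uncovered_tacacs_servers(TACACS_SERVERS, SECURITY_POLICIES):
        print(f"{server}: no security-policy remote subnet matches this tacacs server")
```

An empty result means every listed server falls inside some policy's remote subnet under the assumption above; verify-config on the upgraded system remains the authoritative check.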