Product Support Notice

PSN # PSN006084u Avaya Proprietary – Use pursuant to the terms of your signed agreement or company policy.
Original publication date: 19-May-2023. This is Issue #1, Severity/risk level Medium Urgency When convenient
Published date: 19-May-2023.
Name of problem CA certificate of Avaya File Signing Authority used for signing Breeze SVARs expiring
Products affected
Avaya Aura® System Manager: Release 8.1.x and 10.1.x
Avaya Breeze® Platform: All releases
Problem description

PSN Revision history:

Issue #1 – PSN originally published on 19th May 2023

Important:
- Please ensure that you read through the PSN carefully and in its entirety before doing anything.

Note for Avaya Services Team: There is no R2 version of this PSN.

The Breeze SVAR’s are digitally signed by the Avaya File Signing Authority. System Manager is using SVAR’s which are digitally
signed using an Avaya File Signing Authority whose CA certificate expires on Monday 22nd May 2023.

SVAR’s that are signed by the Avaya File Signing Authority whose CA, which expires on Monday 22nd May 2023, will continue to
work without any problems. You will still be able to uninstall / re-install / re-load these SVAR’s even after Monday 22nd May 2023.

Important Notes:
- Do not delete the Avaya File Signing Authority whose CA, which expires on Monday 22nd May 2023, from the System
Manager trusted store.
- This is a CA certificate which is present in the System Manager trusted store. There is no impact on the System Manager
Web UI because of this CA certificate expiring.

Going forward new SVAR’s will be signed using a new Avaya File Signing Authority CA. In order to install any SVARs which are
signed using the new CA one must follow the steps mentioned in the resolution section below.

Resolution

This resolution section applies only if SVAR’s which were issued after 19th May 2023 need to be installed. If an attempt is made to
install new SVARs that are signed using the new CA without first completing the below mentioned steps, an error will be shown on
the System Manager Web UI as follows:

“The service failed to load due to the unsigned SVAR”

There are 2 required steps to this resolution.

Step 1: Upgrading the Breeze Element Manager to version 3.8.1.0.21381005
Step 2: Adding the new Avaya File Signing Authority CA certificate into the System Manager trusted store.

Step 1: Upgrading the Breeze Element Manager to version 3.8.1.0.21381005

Pre-requisite: System Manager version must be 8.1.3.x. Any previous versions of System Manager must be first be upgraded
to System Manager 8.1.3.8 before moving forward.

The below instructions are the same for System Manager 8.1.3.x and 10.1.x

IMPORTANT: If System Manager installation is a Geo-Redundancy enabled deployment, Geo-Redundancy should be

disabled, the patch should be applied to both Primary and Secondary System Manager systems, and then re-enable Geo-
 Redundancy. You should apply the patch on the System Manager servers one a time. Do not install the patch on both primary
and secondary System Manager servers at the same time.

1. Once the Pre-requisite step has been met Disable System Manager Geo redundancy if your System Manager is deployed as a
Geo redundant System. It is important that you disable Geo prior to taking snapshots to avoid issues that might arise due to
postgres WAL segments after you revert the snapshot.
2. Take a snapshot of System Manager virtual machine.
Note: This activity might impact the service.
3. Download the new Avaya Breeze® Platform Element Manager, 3.8.1.0.213810381005 (PLDS ID AB000000310) and copy it
to the System Manager under the /swlibrary/ folder
4. Log in to the System Manager virtual machine command line using the user that was set up during OVA installation.
5. Run “df -h /swlibrary” to ensure adequate space is available. You need approximately 600 MB of space. The
following is an example of the command output:
#df -h /swlibrary
Filesystem Size Used Avail Use% Mounted on
/dev/sdd 21G 7.6G 14G 37% /swlibrary
6. Verify md5sum of the zip file with the value mentioned on PLDS.
6051b427abd715adc1c3af156fba541b BreezeEMInstall-3.8.1.0.21381005.zip
7. On the command line run
#upgradeSolution BreezeEMInstall-3.8.1.0.21381005.zip”.
8. Wait for the execution of the upgradeSolution command to complete.
9. (Optional) Use /var/log/Avaya/breeze-em-upgrade.log to monitor the progress of the installation process.
10. Install the new Breeze Element Manager on the Geo Redundant System Manager if you have one – follow steps 2 through 9
mentioned above for the patch installation.
11. Remove the snapshot taken in step #1 once all functionalities have been verified.
Note: This activity might impact the service.
12. Enable Geo Redundancy if you have Geo Redundant System Manager deployment.

Step 2: Adding the new Avaya File Signing Authority CA certificate into the
System Manager trusted store.
If on System Manager version 8.1.3.7 or 8.1.3.8 or 10.1.2 or higher then the new Avaya File signing Authority CA certificate should
already been present in the System Manager trusted store.
Follow instructions in the “How to check if you have the new Avaya File Signing Authority CA certificate installed” section below to
first check if the certificate is present in the trusted store or not.

Adding the new Avaya File Signing Authority CA certificate to the System Manager trusted store

1. Before you begin follow the steps in the “How to check if you have the new Avaya File Signing Authority CA
certificate installed” section from the Resolution section above to make sure that you don’t have the new Avaya File
Signing Authority CA certificate already installed on System Manager. In case of Geo please check both primary and
secondary System Manager system.
2. Assuming the new certificate is not installed - Login to System Manager Web UI (Primary in case you have a Geo Redundant
deployment) as admin user or a user account that has System Administrator role.
Note: even for Geo deployments, secondary System Manager certificates need to be managed via the Primary System
Manager.
3. Navigate to Services → Inventory → Manage Elements and select the entry for System Manager. In case of Geo start with
Primary System Manager first. The (Primary) System Manager entry will be the one with type “System Manager” and the
node column will have the IP of (Primary) System Manager. Select only 1 entry.
4. After selecting the correct System Manager entry, from “More Actions” select the “Manage Trusted Certificates” option. If
the “Manage Trusted Certificates” option is grayed out, then chances are that either multiple entries were selected, or the
wrong (Primary) System Manager entry was selected.
5. Once the list of System Manager’s Trusted Certificates is displayed click on the “Add” button

© 2023 Avaya Inc. All Rights Reserved. Page 2

 6. From the “Select Store Type to add trusted certificate” drop down select “TM_INBOUND_TLS”.
Note: There is no need to add this certificate to all the stores. This certificate is only required to be present in the
“TM_INBOUND_TLS”
7. Select the “Import as PEM certificate” radio button which will display a text box
8. Paste the below PEM certificate into the text box and click on the commit button

PEM Certificate below. The certificate is between the “BEGIN CERTIFICATE” and “END CERTIFICATE” tags.

-----BEGIN CERTIFICATE-----
MIIFIzCCBAugAwIBAgIBZTANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzETMBEGA1UEChMKQXZheWE
gSW5jLjEaMBgGA1UECxMRQXZheWEgUHJvZHVjdCBQS0kxHjAcBgNVBAMTFUF2YXlhIFByb2R1Y3QgUm9vdC
BDQTAeFw0yMDAyMTMxODA3NDBaFw0zMDAyMTAxODA3NDBaMIGaMQswCQYDVQQGEwJVUzEOMAwGA1UEChMFQ
XZheWExGjAYBgNVBAsTEUF2YXlhIFByb2R1Y3QgUEtJMRYwFAYDVQQLEw1TcGVjaWFsIElzc3VlMRswGQYD
VQQLExJJRC1zMS1FU0lELVNJRC1NSUQxKjAoBgNVBAMTIUF2YXlhIEZpbGUgU2lnbmluZyBBdXRob3JpdHk
gMjAyMDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKQlwJFQ0eGTAhbyvLNXJrYnIzOsf9ZJO5
LhmQmiXW5ZsKkjxhmBuBiuQ4PPrDVWbl1RtF8GHoytah1QnFEtoCc3yr5/koKfrqvszC5L0wd2SzI28XnO+
OPsPeXq3hWO302DqYhGVdMZUVr0cx9nePCiyuF/wsKXJ8mJazoc6x8FoLrFMC9ihC0tSePkUyIBVEWhK78e
OBXj0pN75BDnGIyWYnCS34WfPBtNc8OpkWD5dUWGlZcuU3pu7e3RqXWm/f7NBF+cuL5gUy/QD472woSAqp+
MtdVwLndsFcTfz4e69odczer0zs+aqfqTD7Z6lHEcpR+CDGabciXZ5P08LmUCAwEAAaOCAa0wggGpMB0GA1
UdDgQWBBRlQ54qZ8zK4dgKah8J1Z6/JkZlgTCBhgYDVR0jBH8wfYAUwpq28XMhgiZtE7D+/lH2XpvcNXuhY
qRgMF4xCzAJBgNVBAYTAlVTMRMwEQYDVQQKEwpBdmF5YSBJbmMuMRowGAYDVQQLExFBdmF5YSBQcm9kdWN0
IFBLSTEeMBwGA1UEAxMVQXZheWEgUHJvZHVjdCBSb290IENBggEAMAkGA1UdEwQCMAAwCwYDVR0PBAQDAge
AMBMGA1UdJQQMMAoGCCsGAQUFBwMDMIHRBgNVHSAEgckwgcYwgcMGC2CGSAGG/AsHAQEBMIGzMCoGCCsGAQ
UFBwIBFh5odHRwczovL3d3dy5hdmF5YS5jb20vcGtpL0NQUzswgYQGCCsGAQUFBwICMHgwFxYQQXZheWEgU
HJvZHVjdCBDQTADAgEBGl1BdmF5YSBJbmMuIExpbWl0ZWQgTGlhYmlsaXR5IFBLSSBDQS4gIFBsZWFzZSB2
aXNpdCBodHRwOi8vd3d3LmF2YXlhLmNvbS9wa2kvQ1BTIGZvciBkZXRhaWxzLjswDQYJKoZIhvcNAQEFBQA
DggEBADh8KU13P911hxaro0CxwMkbGvXNh2mnBgf5OYe8MrNpIOM+1LKBYs+1mLgBJ8ohKCWdG6xIX5JDk5
jb0XBfU31rP4K3efFH29NM2vQIA/XSyFfUdGEiRBhyyBy05JIq8gOhGDScuEKMbSC/lAjB6YJjnm7oVB5Gt
mHNhy4vhXvEADFFZg/lrnBQG0SwCfi0Mj9eNaaOJ1OnmhLFM2zswLffWcw3n9jdnPMSdiBNZ+PQ7RoV43ih
xGZa6XgxCuvYjP4vcDfXDn0EAq510rylphAjQJDcB3E5xD8PT7W6fcE/+MGI3vFQkWxAvusKD9/qY+5uk5I
bn2dFQhJHKmGcI6Q=
-----END CERTIFICATE-----

See screenshot below for reference

9. Follow the steps in the “How to check if you have the new Avaya File Signing Authority CA certificate installed”
section from the Resolution section below to make sure that the new Avaya File Signing Authority CA certificate is installed
on System Manager under the “TM_INBOUND_TLS” store.

If you have a Geo redundant System Manager deployment repeat steps 1 through 9 for secondary System Manager.

Note: For adding Certificates to Secondary System Manager trusted store using the above-mentioned steps, in step 3 select the
Secondary System Manager entry. The secondary System Manager entry will be the one with type “System Manager” and the node
column will have the IP of Secondary System Manager. Select only 1 entry. The secondary System Manager entry will also have
“secondary” in the name.
© 2023 Avaya Inc. All Rights Reserved. Page 3
How to check if you have the new Avaya File Signing Authority CA certificate installed

1. Login to System Manager Web UI (Primary in case this is a Geo Redundant deployment) as admin user or a user that has
System Administrator role.
Note: even for Geo deployments, secondary System Manager certificates need to be checked via the Primary System
Manager.
2. Navigate to Services → Inventory → Manage Elements and select the entry for System Manager. In case of Geo start with
Primary System Manager first. The (Primary) System Manager entry will be the one with type “System Manager” and the
node column will have the IP of (Primary) System Manager. Select only 1 entry.
3. After selecting the correct System Manager entry, from “More Actions” select the “Manage Trusted Certificates” option. If
the “Manage Trusted Certificates” option is grayed out, then chances are that either multiple entries were selected, or System
Manager entry of the wrong type was selected.
4. Enable the table filter (on the top right-hand side of the table) and in the Subject name filter type “CN=Avaya File” and hit
enter (or click on “Apply” button of Filter on the top right-hand side)
5. You will see a list of certificates that have a CN that start with “CN=Avaya File”. From the list select the certificate with
Subject “CN=Avaya File Signing Authority 2020, OU=ID-s1-ESID-SID-MID, OU=Special Issue, OU=Avaya Product
PKI, O=Avaya, C=US” and Store Type “TM_INBOUND_TLS”

Once the certificate is selected it shows the certificate details which also shows the expiry date of 10th February 2030. Note:
the date/ time shown in the validity is relative to the Time zone that is configured on the System Manager and may change.
The best way to confirm if you have the correct new certificate is by looking at the “Certificate Fingerprint”, “Subject
Name”, and “Issuer Name” details of the certificate.

Important things to note:

- If you do not find a certificate with Subject “CN=Avaya File Signing Authority 2020, OU=ID-s1-ESID-SID-MID,
OU=Special Issue, OU=Avaya Product PKI, O=Avaya, C=US” then you do not have the required new certificate in the
trusted store. Follow the instruction in the “Adding the new Avaya File Signing Authority CA certificate to the System
Manager trusted store” section above to add the certificate to the trusted store.
- The CA certificate in question only needs to be present in the “TM_INBOUND_TLS” store. Even though the old certificate
is seen in 2 certificate stores (“TM_INBOUND_TLS” and “TM_OUTBOUND_TLS”), for the new certificate, if it is present
in the “TM_INBOUND_TLS” store it is ok. There is no need to add the new certificate in the “TM_OUTBOUND_TLS”
store

See screenshot below for reference.

© 2023 Avaya Inc. All Rights Reserved. Page 4

 6. If you have a Geo redundant System Manager deployment repeat steps 1 through 5.
Note: For checking Secondary System Manager Certificates using the above-mentioned steps, in step 2 you need to select the
Secondary System Manager entry. The secondary System Manager entry will be the one with type “System Manager” and
the node column will have the IP of Secondary System Manager. Select only 1 entry. The secondary System Manager entry
will also have “secondary” in the name.

Workaround or alternative remediation

Remarks
While a jboss restart is usually not required after adding certificate to the trusted store, if you continue to get an error like

“The service failed to load due to the unsigned SVAR”

even after completing all the remediation steps then login to the System Manager command line using your customer user account and
run

$>smgr restart

to restart the System Manager jboss service.

If you have any questions or run into any issues, please contact Avaya Support with the following information:
Problem description, detailed steps to reproduce the problem, if any and the release version in which the issue occurs.

Patch Notes
The information in this section concerns the patch, if any, recommended in the Resolution above.
Backup before applying the patch
Recommended
Download
N/A
Patch install instructions Service-interrupting?
N/A YES
Verification
N/A
Failure
In case of issues (or questions) with the patch, you can:
1. Retry the action. Carefully follow the instructions in this document.
2. Contact Avaya Support, with following information: Problem description, detailed steps to reproduce the problem, if any
and the release version in which the issue occurs.

Patch rollback instructions

N/A

Security Notes
The information in this section concerns the security risk, if any, represented by the topic of this PSN.
Security risks
N/A
Avaya Security Vulnerability Classification
Not Susceptible
Mitigation
N/A
© 2023 Avaya Inc. All Rights Reserved. Page 5
 If you require further information or assistance, please contact your Authorized Service Provider or visit
support.avaya.com. There you can access more product information, chat with an Agent, or open an online
Service Request. Support is provided per your warranty or service contract terms unless otherwise specified in
the Avaya support Terms of Use.
Disclaimer:
ALL INFORMATION IS BELIEVED TO BE CORRECT AT THE TIME OF PUBLICATION AND IS PROVIDED “AS IS”.
AVAYA INC., ON BEHALF OF ITSELF AND ITS SUBSIDIARIES AND AFFILIATES (HEREINAFTER COLLECTIVELY
REFERRED TO AS “AVAYA”), DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE AND FURTHERMORE,
AVAYA MAKES NO REPRESENTATIONS OR WARRANTIES THAT THE STEPS RECOMMENDED WILL ELIMINATE
SECURITY OR VIRUS THREATS TO CUSTOMERS’ SYSTEMS.IN NO EVENT SHALL AVAYA BE LIABLE FOR ANY
DAMA GES WHATSOEVER ARISING OUT OF OR IN CONNECTION WITH THE INFORMATION OR RECOMMENDED
ACTIONS PROVIDED HEREIN, INCLUDING DIRECT, INDIRECT, CONSEQUENTIAL DAMAGES, LOSS OF BUSINESS
PROFITS OR SPECIAL DAMAGES, EVEN IF AVAYA HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH
DAMAGES.

THE INFORMATION PROVIDED HERE DOES NOT AFFECT THE SUPPORT AGREEMENTS IN PLACE FOR AVAYA
PRODUCTS. SUPPORT FOR AVAYA PRODUCTS CONTINUES TO BE EXECUTED AS PER EXISTING AGREEMENTS
WITH AVAYA.

All trademarks identified by ® or TM are registered trademarks or trademarks, respectively, of Avaya Inc. All other trademarks are
the property of their respective owners.

© 2023 Avaya Inc. All Rights Reserved. Page 6