After RHEL7 to RHEL8 upgrade BigFix clients are not connecting.

johngary · April 19, 2024, 2:15pm

Folks,

I did an “in place” upgrade on our BigFix/ILMT server from rhel7 to rhel8. It was successful. I also applied fixpack 11.5.4 to db2 so as to be able to run on rhel8. That also seemed successful. The database started up. No changes were made to BigFix or ILMT. This was all done on a clone of the original system. I then shutdown the original system and changed the IP and hostname of the clone to that of the original system and rebooted it. ILMT and BigFix came up and I can connect to the ILMT webpage and the BigFix console. However, clients have not connected to the BigFix server since I swapped systems.

Thank you,
John Gary

itsmpro92 · April 19, 2024, 2:50pm

I would recommend checking the client logs on one of your endpoints and on the root server itself, along with the logs for the GatherDB and FillDB services.

Locations for log files are documented here: Logging (hcltechsw.com)

johngary · April 19, 2024, 9:08pm

Thank you itsmpro92.

The client logs on enpoints look very good. Lots of success and reports posted, and no errors. However, There are only three systems that have current “Last Report Time”. There doesn’t seem to be anything special about these three: not built or rebooted today. I have restarted all linux clients. Most processing is scheduled for overnight/over weekend. I’m going to let this run overnight, and if ILMT reports problems (which it is not now), I will go back to the rhel7 server.

Thank you very much for your attention,
John Gary

johngary · April 20, 2024, 11:58am

itsmpro92

The BigFix clients are not connecting to the BigFix server, however if I select a client which has not connected, the “last report date” is updated as if connected. On closer examination of the /var/log/BESRelay.log, I find many:

Thu, 18 Apr 2024 08:30:52 -0400 - /cgi-bin/bfenterprise/clientregister.exe (1465
902848) - The re-registration request for ComputerID 1624485965 failed. Client d
ata signature could not be verified

errors, perhaps one for each system?

I have tried to run
BESAdmin -findinvalidsignatures -list -sitePvkLocation=/home/db2inst1/license.pvk
but I get this error:
terminate called after throwing an instance of ‘Crypto_wrapper_load_library_Failed’
what(): Dynamic library failed to load (libBEScryptoFIPS.so): libBEScryptoFIPS.so: cannot open shared object file: No such file or directory

Have you any advice for this?
Thank You,
John Gary

JasonWalker · April 20, 2024, 2:36pm

First I’d recommend opening a.support ticket so the team can help you with the procedures.

Read through Migrating the BigFix Server (Linux)

From the messages you’re showing, I believe there are some keys that cannot be decrypted on the new server (we obfuscate with some salts based on a hardware fingerprint) and Supoirt should be able to help you sort it out