AIX Plugin R2 authentication issues with URX/MRS form link

I’m having authentication issue with AIX Plugin R2, hope someone could help.

I started configuring the AIX Plugin R2 credential and notice different result with different credential.

Credential 1 is my own personal IBM id that was created some time ago. If I use this credential in the Fixlet using AIXProtocolR2 (eg. Fixlet 335 AIX: update for openSSL (1.0.2.5100), it will download the patch successfully. Log as follow:

 17159    : 2018-07-04 15:21:06 : Level 1911 :  AIX Download Plugin version 1.0.0.4. Gonna get to work now.
 17159    : 2018-07-04 15:21:06 : INFO     :  Using regular HTTP wrapper.
 17159    : 2018-07-04 15:21:06 : INFO     :  Login step   https://www-01.ibm.com/marketing/iwm/iwm/web/reg/download.do?source=aixbp&lang=en_US&S_PKG=openssl
 17159    : 2018-07-04 15:21:07 : INFO     :  HTTP POST to: https://www-01.ibm.com//marketing/iwm/iwm/web/reg/acceptLogin.do?source=aixbp&lang=en_US&S_PKG=openssl
 17159    : 2018-07-04 15:21:09 : INFO     :  New download: {'size': None, 'file': '/var/opt/BESServer/wwwrootbes/bfmirror/downloads/ActiveDownloads/indexed_207_1', 'id': 0, 'url': 'AIXProtocolR2://get.file/openssl/openssl-1.0.2.1500', 'sha1': {'value': '8860c2db4d3fa212c28b7622b72df15951780fec', 'algorithm': 'sha1'}}
 17159    : 2018-07-04 15:21:09 : INFO     :  AIX download url AIXProtocolR2://get.file/openssl/openssl-1.0.2.1500.
 17159    : 2018-07-04 15:21:09 : INFO     :  fn is <function UA.get_file at 0x7f90518d9b70>
 17159    : 2018-07-04 15:21:09 : INFO     :  Package Name: openssl
 17159    : 2018-07-04 15:21:09 : INFO     :  Package Version: openssl-1.0.2.1500
 17159    : 2018-07-04 15:21:10 : INFO     :  Getting page: https://www-01.ibm.com/marketing/iwm/iwm/web/reg/download.do?source=aixbp&S_PKG=openssl&lang=en_US&cp=UTF-8&&&dlmethod=http
 17159    : 2018-07-04 15:21:11 : INFO     :  Package version is openssl-1.0.2.1500
 17159    : 2018-07-04 15:21:11 : INFO     :  OS proxy settings: {}
 17159    : 2018-07-04 15:21:17 : INFO     :  Download successful.
 17159    : 2018-07-04 15:21:17 : INFO     :  Plugin returned with code 0.

Credential 2 is a new generic IBM id that I just created for the use solely for BigFix download. If I use it the Fixlet will not be able to download the patch from IBM. Log as follow:

 20759    : 2018-07-05 09:04:39 : Level 1911 :  AIX Download Plugin version 1.0.0.4. Gonna get to work now.
 20759    : 2018-07-05 09:04:39 : INFO     :  Using regular HTTP wrapper.
 20759    : 2018-07-05 09:04:39 : INFO     :  Login step   https://www-01.ibm.com/marketing/iwm/iwm/web/reg/download.do?source=aixbp&lang=en_US&S_PKG=openssl
 20759    : 2018-07-05 09:04:40 : INFO     :  HTTP POST to: https://www-01.ibm.com//marketing/iwm/iwm/web/reg/acceptLogin.do?source=aixbp&lang=en_US&S_PKG=openssl
 20759    : 2018-07-05 09:04:41 : INFO     :  New download: {'file': '/var/opt/BESServer/wwwrootbes/bfmirror/downloads/ActiveDownloads/indexed_209_1', 'sha1': {'value': '8860c2db4d3fa212c28b7622b72df15951780fec', 'algorithm': 'sha1'}, 'id': 1, 'size': None, 'url': 'AIXProtocolR2://get.file/openssl/openssl-1.0.2.1500'}
 20759    : 2018-07-05 09:04:41 : INFO     :  AIX download url AIXProtocolR2://get.file/openssl/openssl-1.0.2.1500.
 20759    : 2018-07-05 09:04:41 : INFO     :  fn is <function UA.get_file at 0x7fd950d1cb70>
 20759    : 2018-07-05 09:04:41 : INFO     :  Package Name: openssl
 20759    : 2018-07-05 09:04:41 : INFO     :  Package Version: openssl-1.0.2.1500
 20759    : 2018-07-05 09:04:43 : INFO     :  Getting page: https://www-01.ibm.com/marketing/iwm/iwm/web/reg/download.do?source=aixbp&S_PKG=openssl&lang=en_US&cp=UTF-8&&&dlmethod=http
 20759    : 2018-07-05 09:04:43 : INFO     :  Package version is openssl-1.0.2.1500
 20759    : 2018-07-05 09:04:43 : WARNING  :  Download failed. Reason: Not able to find download link for Package Version openssl-1.0.2.1500
 20759    : 2018-07-05 09:04:43 : WARNING  :  Some downloads have failed.
 20759    : 2018-07-05 09:04:43 : INFO     :  Plugin returned with code 1.

I opened a ticket with IBM and the response is that when my personal IBM id was created it was not created by the URX form link so it can directly access the old MRS form link https://www-01.ibm.com/marketing/iwm/iwm/web/reg/download.do?source=aixbp&lang=en_US&S_PKG=openssl

However, my new generic IBMid was created by the URX form link (via IBM id sign up page) so it should be accessing the form link Log in to IBM first, then access the old MRS form link https://www-01.ibm.com/marketing/iwm/iwm/web/download.do?source=aixbp&pageType=urx&S_PKG=openssl .

I was also being told that all new IBM id will be created by the URX form link from now on, so I’m not sure if there is something else I can try to make the generic IBM id to work with the AIX Plugin R2.

Did you link the generic IBMid to your ICN (IBM Customer Number)? Your IBM partner or IBM Sales Rep should be able to retrieve this for you if you are unsure. I also included a link below on how to link the IBMid to your ICN.
http://www-01.ibm.com/support/icn/

Hi Marcus, thanks for your tips. I did play around trying to link the ICN and I managed to get Basic site level access which according to IBM ICN help page is enough:

 "If your Site Technical Contact (STC) or SR Administrator allows automatic approval for Basic access, then your request is complete and your additional customer number will be listed under "Existing access" at the bottom of the Support Registrations page."

I think it might not be the ICN link issue since I tried to follow the link https://www-01.ibm.com/marketing/iwm/iwm/web/reg/download.do?source=aixbp&lang=en_US&S_PKG=openssl generated by Big Fix to download the package manually. If I use my own personal IBM ID (not created by URX form link) i can pass the authentication successfully. However, if I try to follow the same link manually with the generic IBM ID (created by URX form link) then it will return error as follow

"You have not signed up for this offering. Please complete the signup process before coming to this page.
message code: 45e"

Then when I try to follow the signup process it will recognize the generic IBM ID is already registered and it takes me to another authentication page. Once authenticated, I can start downloading the package manually.

Update: Just granted full access to the generic IBM ID, still not able to download the file in BigFix.

Can you fetch a TL/SP from fixcentral using the new ID? That would be my basic check.

I have been with many customers and a working “fixcentral” IBMid has always worked with BigFix.

Yes, the new ID has the permission to download from Fix Central as I just successfully tried to download the fix pack for AIX 7.2 TL2 SP2.

If it is still not working, I am out of ideas - other than I ran into issues with it not completing.

Plugin #1 gets the download with the list of files (so let’s assume that worked), and Plugin “R2” worked mostly, except I ran out of of open files - by stopping WebReports and WebUI - that got fixed. Later I increased the number of files root could have open per session.

Thus: how far does your action for TL/SP download get? Does the action even get started?

I did the download test in the firefox browser, not in BigFix, as the Plugin R2 works with my old id but not the new one. I guess it is a problem with the ID not the BigFix itself.

I logged in to the Fix Central with the new ID, pick up the Fix Pack and then start download. Once download starts I get the “IBM_DownloadDirector.jnlp” and run the IBM Download Director java applet which begins to download the bff files. Once i confirmed the files are in my hard drive I aborted the download process.

Well, since BigFix seems to be properly configured (asin it works with ID_A), but does not work with ID_B - you may need to open a PMR so that someone can look internally.

I only have a simple test to test the “R1” plugin - which runs without IBMid credentials. I have not had the need to dig into the inner workings of the R2 plugin.

Other thoughts. Can you setup a HTTP proxy - to see if the files are even being requested? I forget if there is anything “interesting” in the BESRelay.log, but you could also try checking that for any messages.

In any case, I assume you are at least ALWAYS seeing this file as downloaded:

If that is failing, then it is not the R2 plugin that is failing.

R2 plugin is responsible for the “.bff” and/or .U files that follow.

Good idea, I’ll create PMR to BigFix team to see if they can help.

From the AIXPluginR2 log I can see the plugin is able to resolve and request the package from the AIX web download pack website for software not found in FixCentral or the AIX toolbox for Linux application website.

25065 : 2018-07-12 10:43:43 : INFO : AIX download url AIXProtocolR2://get.file/openssl/openssl-1.0.2.1500.
25065 : 2018-07-12 10:43:43 : INFO : fn is <function UA.get_file at 0x7f932eb43b70>
25065 : 2018-07-12 10:43:43 : INFO : Package Name: openssl
25065 : 2018-07-12 10:43:43 : INFO : Package Version: openssl-1.0.2.1500
25065 : 2018-07-12 10:43:44 : INFO : Getting page: https://www-01.ibm.com/marketing/iwm/iwm/web/reg/download.do?source=aixbp&S_PKG=openssl&lang=en_US&cp=UTF-8&&&dlmethod=http
25065 : 2018-07-12 10:43:44 : INFO : Package version is openssl-1.0.2.1500

As i tend to think the website is having an issue with the ID which BigFix try to interact with in a certain way, can you please tell me any other Fixlet I can test that is using AIXPluginR2 to download from Fix Central or the Linux toolbox webstie?

The one I normally use is the TL/SP download to an NFS repository.

a) The advanced Deployment Wizard - first register an NFS respository

image979×393 140 KB

I tend to define my own directory, e.g., /export/bfrepo

b) once that is finished you can create an action that will download the TL/SP to the repository

image645×676 65.7 KB

c) and see the summary of the action:
after targeting the NFS repository you just defined.

Note: in a large environment (multiple NFS repositories, e.g.) you could have BES download and cache once, but have it “stored” in multiple locations.

   Relevant - NFS Repo Management: Download fixpacks to Mananged NFS Repository (fixlet:145)
At 16:09:55 +0000 -  ActionLogMessage: (action:145) Action signature verifie                                                   d for Downloads
   DownloadsAvailable: checking for 'http://bigfix.home.local:52311/bfmirror/download/145/0'
   DownloadsAvailable: false (action id 145)
...

• R1 is finished:

At 16:10:46 +0000 -
   DownloadPing command received (ID=145)
At 16:10:49 +0000 -
   DownloadsAvailable: checking for 'http://bigfix.home.local:52311/bfmirror/downloads/145/0'
   DownloadsAvailable: true (action id 145)
   DownloadsAvailable: checking for 'http://bigfix.home.local:52311/bfmirror/downloads/145/0'
   DownloadsAvailable: true (action id 145)
   ActionLogMessage: (action:145) Non-Distributed - DownloadsAvailable
   ActionLogMessage: (action:145) Submitting download request
   ActionLogMessage: (action:145) Download url: 'AIXProtocol://7100-00/7100-05-02-1810'

At the proxy - this happened:

192.168.129.2 - - [12/Jul/2018:16:11:50 +0000] "GET http://esupport.ibm.com/eccedge/gateway/services/projects/ecc/serviceProviderIBMnetV2.gzip HTTP/1.1" 200 5810
192.168.129.2 - - [12/Jul/2018:16:11:53 +0000] "CONNECT eccgw01.boulder.ibm.com:443 HTTP/1.0" 200 -

As it progresses, in client log see e.g.,

   ActionLogMessage: (action:145) Download url: 'http://delivery04.dhe.ibm.com/sar/CMA/AXA/07g2n/1/U878707.bf           f'
   ActionLogMessage: (action:145) Download url: 'http://delivery04.dhe.ibm.com/sar/CMA/AXA/07g2o/1/U878708.bf           f'
   ActionLogMessage: (action:145) Download url: 'http://delivery04.dhe.ibm.com/sar/CMA/AXA/07g2p/1/U880415.bf           f'
At 16:14:58 +0000 -
   DownloadCRCPing command received
At 16:15:11 +0000 -
   DownloadCRCPing command received
   DownloadCRCPing command received
At 16:15:14 +0000 -
   DownloadCRCPing command received
   DownloadCRCPing command received

And the console shows (only the first 20 files…)

Hope this helps!

p.s., when R2 is not working the summary will include a cryptic error message.