BigFix 9.5 Patch 6 is now available

The IBM BigFix team is pleased to announce the release of version 9.5 Patch 6 (9.5.6.63) of the BigFix Platform.

The main features of this release include:

  • Resigning of Mac Clients with new certificates
  • Console Qualification for Windows 10 Creators Update
  • Security enhancements, including:
      • Relay Diagnostics page is now disabled, by default
      • Ability to password-protect Relay Diagnostics page
      • Ability to block unsigned client reports
      • Ability to enforce secure client registration
      • Console warning when importing dynamic content
  • APAR and defect fixes

This release includes all Platform components.

Please read further details in the 9.5.6 Release Notes document at: https://www.ibm.com/developerworks/community/wikis/home/wiki/Tivoli%20Endpoint%20Manager/page/IBM%20BigFix%209.5.6%20Release%20Notes

Get more information by reading the full technical changelist at: https://support.bigfix.com/bes/changes/fullchangelist-95.txt

Useful Links:

IBM BigFix downloads and release information: http://support.bigfix.com/bes/release/9.5/patch6

Upgrade Fixlets are available in BES Support version 1351 (or later).

4 Likes

I see one of the APARs mentions that the console will not work with TLS 1.2 only. Does this update cover both scenarios, where TLS 1.2 alone or TLS 1.2 & TLS 1.0 in parallel are used? We saw that the removal of older ciphers would prevent the console from opening after we disabled them. Does this make it so that only TLS 1.2 is available?

Thanks,

Dan

Relevance 5 in Fixlet 3043 is incorrect:

It is:

(it >= "9.2.3" AND it < "9.5.5") of version of main gather service

Shouldn’t this be:

(it >= "9.2.3" AND it < "9.5.6") of version of main gather service

The APAR fixes the issue that the ODBC driver bundled with the BigFix installers doesn’t work with TLS 1.2-only SQL Server instances.
Starting from 9.5.6, the new ODBC driver will be installed during a fresh install so that the console will also work correctly with TLS 1.2-only SQL Server instances.
The upgrade to 9.5.6 will instead keep the existing ODBC driver already present on the machine.
The update to 9.5.6 will cover scenarios where TLS 1.2 alone or TLS 1.2 & TLS 1.0 in parallel are used.

The relevance is correct; in fact, the manual upgrade fixlet should become relevant only if the system is at a level lower than 9.5.5, because in this case manual steps are required.
If the system is at a level higher than or equal to 9.5.5, you need to use the non-manual upgrade fixlets.

1 Like

How is it possible to not replace the driver on the 9.5.6 upgrade but still have full support? I am in the middle of disabling older protocols in my environment and am curious about the changes going on in 9.5.6. I am seeing FIPS mode also mentioned in this upgrade and wanted to make it known that with FIPS enabled it will allow TLS 1.0 to be used, as some of the exchanges are FIPS compliant.

We decided to not replace the ODBC driver during the upgrade because it could also be used by other applications.
In addition, the ODBC driver update can be easily accomplished by following these steps:

  1. stop BigFix services
  2. download and install the new driver from https://www.microsoft.com/en-us/download/details.aspx?id=50402 (amd64 version).
  3. start BigFix services
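
The three steps above as a script, added here as an example; it is not part of the original post or of BigFix's own tooling. It assumes the BigFix services share the display-name prefix `BES ` and that the installer from the Microsoft link has already been saved locally; both are parameters to verify against your server first.

```powershell
#Requires -RunAsAdministrator
param(
    # Assumption: local path to the driver MSI downloaded from the Microsoft link above.
    [Parameter(Mandatory)] [string] $InstallerPath,
    # Assumption: BigFix services share this display-name prefix; confirm with Get-Service.
    [string] $ServicePattern = 'BES *'
)
$ErrorActionPreference = 'Stop'

function Get-SqlOdbcDriverVersion {
    # Reads the 64-bit ODBC driver registrations and reports each SQL Server
    # driver DLL with its file version, so the change is visible before/after.
    Get-ChildItem 'HKLM:\SOFTWARE\ODBC\ODBCINST.INI' |
        Where-Object { $_.PSChildName -match 'SQL Server' } |
        ForEach-Object {
            $dll = ($_ | Get-ItemProperty).Driver
            [pscustomobject]@{
                Name    = $_.PSChildName
                Dll     = $dll
                Version = if ($dll -and (Test-Path $dll)) {
                              (Get-Item $dll).VersionInfo.FileVersion
                          } else { 'not found' }
            }
        }
}

if (-not (Test-Path $InstallerPath)) { throw "Installer not found: $InstallerPath" }

Write-Host 'SQL Server ODBC drivers before the update:'
Get-SqlOdbcDriverVersion | Format-Table -AutoSize | Out-String | Write-Host

# Remember only the services that are running now, so nothing extra gets started later.
$running = @(Get-Service -DisplayName $ServicePattern | Where-Object Status -eq 'Running')
try {
    $running | Stop-Service -Force                                   # step 1
    $proc = Start-Process msiexec.exe -ArgumentList "/i `"$InstallerPath`"" `
                -Wait -PassThru                                      # step 2 (interactive)
    # 0 = success, 3010 = success but a reboot is required.
    if ($proc.ExitCode -notin 0, 3010) { throw "msiexec exit code $($proc.ExitCode)" }
}
finally {
    $running | Start-Service                                         # step 3, even on failure
}

Write-Host 'SQL Server ODBC drivers after the update:'
Get-SqlOdbcDriverVersion | Format-Table -AutoSize | Out-String | Write-Host
```

Because the upgrade keeps whatever driver is already on the machine, the before/after listing is the quickest way to confirm which driver version the console and server will actually load.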

Is it advisable to go with IBM BigFix Infra from 9.5.4 to 9.5.6? As I’m seeing from the thread, after upgrading to version 9.5.6.63 the FillDB became very slow and files are getting stuck in the BufferDir folder.

@Raja,—

Good afternoon. Unfortunately it’s not possible to give you a direct answer to your question with the level of detail that’s been provided. As I’m sure you’re aware, there are numerous factors that must be accounted for when deciding to upgrade your BigFix infrastructure and/or endpoints.

  1. After reviewing the release notes from the BigFix team, are there sufficient fixes, patches, new features to warrant upgrading in your environment?
  2. What is the size & ordinality of your environment/endpoint data, and have you had upgrade issues in the past?
  3. Do you have any hotfixes in place at 9.5.4 and have you confirmed that the related fixes are in 9.5.6?
  4. Do you have a non-production environment where you can perform an upgrade with a copy of your production database and simulate some load (probably not to the same extent as production)?
  5. How frequently do you run BESAdmin tasks to maintain endpoint/environment data in your BFENT database? If you do not do this frequently enough and you have high ordinality, you could have issues with the upgrade completing in a timely manner and/or issues post-upgrade.

Speaking from personal experience, if you choose to upgrade, make sure to run BESFillDB in full verbose logging + enable FillDBPerf logging for a high utilization period at v9.5.4 and then archive off those logs. If you happen to have performance issues with FillDB after upgrading to v9.5.6, those will be important to L2/L3 so that they can compare pre-upgrade to post-upgrade performance figures and potentially identify root cause more quickly.

I hope this helps…

Best,
—@cmcannady

1 Like

I just had to comment that in general, upgrades are imminent; I think you’re always warranted. Like most upgrades, taking smaller incremental updates is less risky than holding off and then finally installing a major change. One should never feel like they have to cross their fingers when performing one. Personally, we often like to upgrade every other minor version (9.5.2 to 9.5.4). I wouldn’t say they are fun, but they aren’t too bad; and I hope IBM continues to put great effort into their upgrade process, documentation, and change lists.

2 Likes

Hi Casey,

Thanks for your response.
After reviewing the release notes from the BigFix team, are there sufficient fixes, patches, new features to warrant upgrading in your environment?
We are mainly aiming to avail parallel FillDB processing, baseline synchronization via REST API & security bug fixes from the 9.5.6 version.

What is the size & ordinality of your environment/endpoint data, and have you had upgrade issues in the past?
The current infra is running version 9.5.4 and has 20k endpoints & 150 relays spread across 30 data centres. We had issues while upgrading from 9.0 to 9.2 that were due to some issue with a specific version, and the same got fixed in 9.2.5.

Do you have any hotfixes in place at 9.5.4 and have you confirmed that the related fixes are in 9.5.6?
Nothing as such.

Do you have a non-production environment where you can perform an upgrade with a copy of your production database and simulate some load (probably not to the same extent as production)?
We use to follow that approach, but a non-production environment will not give the same effect as production.

How frequently do you run BESAdmin tasks to maintain endpoint/environment data in your BFENT database? If you do not do this frequently enough and you have high ordinality, you could have issues with the upgrade completing in a timely manner and/or issues post-upgrade.
BESAdmin cleanup tasks are being carried out once a month, and the current BFEnterprise DB size is around 30 GB.

Thanks
Raja

From everything you’ve stated, I’d be relatively comfortable proceeding with upgrading from 9.5.4 to 9.5.6. Of course I’d still take full, offline database backups along with system snapshots to fail back if necessary.

I upgraded two lower environments last night from 9.5.5 to 9.5.6 and they both went well. One is a development environment that only contains a few hundred endpoints. The other is our performance lab, which is basically a copy of our production database where we can simulate production loads.

I’ll be running tests next week to see how 9.5.6.63 holds up. :smile:

1 Like

Is everything fine post upgrade?

Our production infrastructure upgrade to BigFix v9.5.6.63 doesn’t start until 6pm (est) tomorrow (09/16). I’ll post generic results on Monday assuming all goes well.