DownloadWhitelist.txt issue

Sidd · March 2, 2016, 1:21pm

Hi, I am using external repository to store some tools which I prefetch in actionscript.
But action is not able to cache tool exe from repository on IEM server. Error : The requested URL does not pass this deployment's download whitelist

URL : http://bigfix-repo.mydomain.net/utilities/unzip.exe

Contents in DownloadWhitelist.txt

http.*bigfix-repo\.mydomain\.net/.*

Still it is not white listing my prefetch URL.

BigFixNinja · March 2, 2016, 5:44pm

For all the URLs I have whitelisted in my DownloadWhitelist.txt file:

None of them try to regular expression out the :// in http://

Can you try this as an entry?:

http://bigfix-repo.mydomain.net/.*

Sidd · March 2, 2016, 6:36pm

After correcting typo error it started working.
Thanks for all help.

Few things I learned -

Regular expression is not necessary in DownloadWhitelist.txt . One can simply type link like - http://<server>.<domain>/.* to whitelist every path starting with http://<server>.<domain>/
2.No need to escape special character . (dot)

strawgate · March 3, 2016, 3:13am

How are you prefetching these files?

You shouldn’t need to modify the download whitelist if you are just using a standard prefetch – only if you are doing dynamic downloads within your actionscript (which is fairly uncommon)

jgstew · March 3, 2016, 9:17pm

I agree with @strawgate

You should be using a prefetch WITH a hash.

Put the tools on a web server. Have a different filename for each version, and keep them around.

Reference in the prefetch WITH hash. Then this won’t be an issue.

Generally it is a bad idea to do a prefetch WITHOUT a hash, because it opens up a major security risk.

It would be more secure to use the IBM provided unzip.exe with a hash than to use an internally hosted one without a hash.

Diadem · August 1, 2018, 4:08pm

I want to whitelist Java downloads but i can’t see the downloadwhitelist.txt file in the mirror server/config/.

I’m using V9.5.8. Any leads.

JasonWalker · August 1, 2018, 4:27pm

You can’t whitelist the Java downloads - Oracle does not make them available, so if you check the fixlets there is not actually a usable URL for the downloads.

That’s not a configuration issue on your part, it’s intentional aggravation invoked by Oracle.

Diadem · September 19, 2018, 10:49am

Thanks Jason. Now, how do we patch Java using BigFix? Any work around?

JasonWalker · September 19, 2018, 11:53am

Yes, see the description on the fixlet. You have to download the java installer manually and cache it on your server, but once that’s done you can deploy it to your clients with the fixlet.

steve · September 21, 2018, 3:35am

You can also use the custom repository feature to cache all the Java pkgs on a web server, so you don’t have to worry about them expiring out of the cache after not using them for a while. See https://www.ibm.com/support/knowledgecenter/en/SS6MER_9.5.0/com.ibm.bigfix.patch.doc/Patch/Patch_Windows/c_using_the_custom_repository_setting_feature.html