IBM BigFix Inventory: Content Release: Application Update 9.2.13 published 2018-09-28

Product:
IBM BigFix Inventory application update 9.2.13.

Features:
This update contains features that extend software discovery, enhance license reporting and address security scenarios. The key features include:

Reporting the Registered User metric for Microsoft Office 365 (BigFix Inventory only)
BigFix Inventory reports utilization of the Registered User metric for Microsoft Office 365. The information is extracted during regular software scans directly from computers where components of Office 365 are installed. Based on the scan results, the Registered User metric is calculated, and its utilization is displayed on the All Metrics report. Detailed information about users is shown on the Software Users report.
Benefits: Thanks to this feature, you can track licenses for Office 365 in BigFix Inventory to analyze trends, define thresholds and optimize costs by identifying users of unused instances.

Version currency of Internet browsers and other selected software that changes frequently (BigFix Inventory only)
BigFix Inventory automatically detects all versions of a number of software components on Windows. These components include Internet browsers (Chrome, Edge, Firefox, and Opera) as well as components such as Adobe Air, Adobe Flash Player, Slack, and others. The components are detected by generic signatures while their versions are automatically retrieved from files or packages that caused detection.
Benefits: Thanks to the newly introduced approach towards detection of software that is frequently updated, full discovery currency is ensured.

Preview Features
The Preview features give you a chance to take a sneak peek at what we are currently developing. You can try them out and provide your feedback to influence how they work when they are officially released. You can provide your feedback about the dashboard by clicking the Send Feedback button on the Home Page.
Preview feature: Visibility of Common Vulnerabilities and Exposures (CVEs) (BigFix Inventory only)

  • Information about CVEs is shown on the Software Classification report on which CVEs are matched with software components through component detailed versions.
  • The details of CVEs are extended to include a link to a description of the CVE in the National Vulnerability Database as well as the version of the CVSS, either 2.0 or 3.0.
  • Information about CVEs can be filtered and sorted by the CVE name. The filter shows the software that meets the specified criteria by searching through the full list of CVEs of each reported software instance.
    Benefits: Thanks to the improvements in showing information about CVEs you can better identify, monitor, and analyze potentially vulnerable software and at the same time prevent potential threats.

Preview feature: Security dashboard and reporting (BigFix Inventory only)
The new Security Dashboard shows a preview of security features in the form of widgets that show the following information:

  • The number of software installations that are out of support
  • The number of software installations for which support ends within the next three months
  • The number of software installations that are vulnerable
  • The number of software installations that were discovered within the last two weeks and are vulnerable
  • The overall number of software installations
    To view the new dashboard, click Go to New Dashboard & Reporting on the home page.
    Benefits: Summary of the most important security information available at a single view.

Reporting utilization of FlexPoints
FlexPoint is a license metric unit that can be used to determine the cost of IBM products that are purchased as part of FlexPoint bundles. Each product from a bundle is licensed based on a different license metric but all metrics are converted into FlexPoints. Products that are currently available as part of FlexPoint bundles are products from the IBM Cloud and IBM Analytics brands.
Benefits: BigFix Inventory and License Metric Tool allow you to calculate the current license utilization of IBM FlexPoints, based on the most recent data. For some products that are included in FlexPoint bundles and cannot be automatically measured by BigFix Inventory or License Metric Tool, manual input of the base metric is required.
Thanks to this feature, you can make sure that you are prepared for audits, and that the number of purchased FlexPoints fits your needs.

New To Do list on the top navigation bar
The top navigation bar is extended with a To Do list that, at present, displays the information about:

  • Failed imports of data
  • Availability of a new version of the application
  • The need to configure connections to virtualization hosts for some of the computers
    Benefits: Thanks to the To Do list you are informed about issues that might affect the accuracy of your reports and thus, immediately take actions to avoid miscalculations. At the same time, you can be up-to-date about the newest application releases.

Support for BigFix Inventory and License Metric Tool server on MS SQL 2016
MS SQL 2016 is now supported as a database for BigFix Inventory and License Metric Tool.
If you used MS SQL 2016 with earlier versions of BigFix Inventory or License Metric Tool, your environment was non-compliant from the IBM perspective. The data that was stored in the database might have been invalid and the historical data cannot be fixed. However, data collected after the upgrade to BigFix Inventory or License Metric Tool 9.2.13 will be valid and compliant from the IBM perspective.
Benefits: You can use the MS SQL 2016 edition as a database.

Discovery of new components from Citrix, Symantec, and Oracle (BigFix Inventory only)
The software catalog is extended to discover new components from Citrix, Symantec, and Oracle. To discover the components, ensure that you upgrade BigFix Inventory to version 9.2.13.
Below is the list of the newly added components. To learn about their exact versions, use the Software Catalog widget in BigFix Inventory to browse the catalog content.

  • Added discovery capability for Citrix products
    o Citrix Edgesight
    o Citrix Presentation Server
    o Citrix XenDesktop
  • Added discovery capability for Symantec products
    o Veritas Cluster Enterprise Agents
    o Veritas Cluster Server
    o Veritas Cluster Server Bundled Agents
    o Veritas Cluster Server Disk Reservation Modules and Utilities
  • Added discovery capability for Oracle products
    o Oracle Clusterware
    o Oracle GoldenGate
    o Sun Cluster HA for WebSphere MQ
    Benefits: More visibility into deployed products and components and better license management without the need to develop custom signatures.

Information about the end of support dates is refreshed (BigFix Inventory only)
The information about the end of support dates is refreshed for your IBM software components for which the dates were announced since the last update of the list. The data is based on the information contained in IBM Lifecycle in September.
Benefits: The information about the end of support dates for the IBM software used in your organization is up-to-date and thus, you can prepare for the forthcoming software updates.

Security enhancements

  • On the server side:
    o Java is upgraded to the newest version to maintain security.
    o TLS 1.2 is enabled in IBM Java by default.
    o WebSphere Application Server Liberty is upgraded to version 18.0.0.2 to address CVE-2018-1553.
  • On the endpoint side:
    o Update of the Xerces library to version 3.2.1 on Windows to keep the scanner secure and reliable.

Support for new virtualization technologies

  • vSphere ESXi 6.7 and vSphere vCenter Server 6.7.

Action to take
To learn how to get the application update and deploy it as well as to view the full list of new features and APARs that were fixed in this application update, see: https://ibm.biz/bfi_update_9213.
During the upgrade, new versions of the software catalog and PVU table are uploaded. The versions that are uploaded are the newest ones that were available during the release of the application update to which you are upgrading.

2 Likes

With 9.2.13 BFI introduced a Relevance query:

(names of applicable computers of it, name of it,ids of applicable computers of it) of unique values of relevant fixlets whose (id of it = 1002 
and name of site of it="IBM Endpoint Manager for Software Use Analysis") of bes computers

that in our environment is taking as long as 50 minutes to run, de facto killing or severely slowing down our Web Reports Server :frowning:

I re-wrote it, and this version takes less than a couple of seconds to run:

(names of items 0 of it,name of item 1 of it, ids of items 0 of it) 
of (applicable computers of it,it) of bes fixlet whose (id of it =1002 and name of site of it = "IBM Endpoint Manager for Software Use Analysis")

…now… where can I modify the query in BFI so that it doesn’t overload our WebReports server every 2 hours as it is doing right now? :wink:

2 Likes

@iLorenz Thank you for posting this. The same problem is affecting the BigFix 9.5.10 Web Reports servers I help manage where we also have BigFix Inventory 9.2.13 in the same environment.

We do not see the original query returning a result. When Web Reports gets overloaded with these long-running queries, it stops running scheduled activities & stops updating its cache. All the computer properties (Last Report Time, for example) get frozen for hours after the query starts. We are forced to reboot the servers (restarting the service just times out) in order to get an up-to-date cache - a process that takes at least 25 minutes (+200K endpoints).

Please take a look @BKowalska BSU-488

1 Like

@erowley @iLorenz Can you both please open support tickets so the issue can be tracked and you can be helped individually? In the meantime I will alert L3 of BFI of this posting and issue.

@iLorenz nice refactoring of the session relevance. :respect:

2 Likes

@erowley
In order to find out what queries are ‘killing’ your Web Reports server, you have to put it in debug mode by adding the following Registry Keys:

[DWORD] LogOn = 1 
[STRING] LogPath = <full path of the log file>

in

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\BigFix\Enterprise Server\BESReports

Once you have some days’ worth of logging, take a look for the queries that take a long (>200000ms) time to complete.
In our case, the first query (“unique values of relevant fixlets whose (id of it = 1002”) was the culprit.

2 Likes

@brolly33: we already filed a support ticket some days ago :slight_smile:

Since we had some serious issues with data not being updated in our production environment, and while waiting for an official patch, our marvelous @glbproject found that the offending query lies in:

c:\Program Files\ibm\BFI\wlp\usr\servers\server1\apps\tema.war\WEB-INF\app\models\datasource_tem_server.rb

so changing the line
response = send_request(:get, "query?relevance=(names of applicable computers of it, name of it,ids of applicable computers of it) of unique values of relevant fixlets whose (id of it = #{fixlet_id} and name of site of it =\"#{site_name}\" ) of bes computers ")

to:
response = send_request(:get, "query?relevance=(names of items 0 of it,name of item 1 of it, ids of items 0 of it) of (applicable computers of it,it) of bes fixlet whose (id of it = #{fixlet_id} and name of site of it = \"#{site_name}\")")

temporarily solved our problems :sunglasses:

I do not recommend that anyone try it, and I strongly suggest waiting for an official patch, but I’m posting it should someone be in dire need like we were.

5 Likes

Thank you @iLorenz and @glbproject for all the details. BFI Team is working on an official solution.

IBM BigFix Inventory Team approves workaround provided by iLorenz. Please remember to restart IBM BigFix Inventory server after the modification.

Fix will be included in the next Inventory release.

My Web Reports was crashing about once a week out of the blue, but this was about 1 month after upgrading to BFI 9.2.13 (and each time it happened within a minute or two of 5AM EST; so odd). We’ve since upgraded to BFI 9.2.14 and haven’t had the crash (yet). We are at BES 9.5.8. The code you list is there, but I think I’ll wait to hear from IBM on a fix or a posting for a workaround (as you suggested).

Great info! Thank you.

UPDATE: I had to make a correction: We’re actually at 9.5.8, but upgrading to 9.5.10 next week.

1 Like

Fix provided by iLorenz optimises relevance that is run from BigFix Inventory every two hours. Without the fix relevance execution may run long and consume resources. BFI 9.2.14 doesn’t include the fix, it has the same code (in this part) as 9.2.13. If your WebReports crash once a week, there might be something more.

Comment number 4 provides info on how to diagnose which queries are causing problems.
If it is this query, you may apply the fix (please make a backup of the original file to a safe place).

I’ve copied and renamed the file, modified the original, and restarted the IBM BigFix Inventory 9.2.14.0 service.
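The hand-patch described in the posts above (back up the file, swap the one relevance string, restart), as an added example that is not part of the thread or of BFI's own code. The two query strings are copied from the workaround post; the helper names `patch_source` and `patch_file` and the `.bak` backup name are assumptions. It refuses to touch a file that does not contain the original query exactly once, and it records SHA-256 digests so the change can be audited.

```ruby
require "digest"
require "fileutils"

# Both strings are copied from the workaround post. The heredocs are single-quoted
# so that #{...} and \" stay literal Ruby source text instead of being evaluated.
OLD_QUERY = <<~'OLD'.chomp
  (names of applicable computers of it, name of it,ids of applicable computers of it) of unique values of relevant fixlets whose (id of it = #{fixlet_id} and name of site of it =\"#{site_name}\" ) of bes computers "
OLD
NEW_QUERY = <<~'NEW'.chomp
  (names of items 0 of it,name of item 1 of it, ids of items 0 of it) of (applicable computers of it,it) of bes fixlet whose (id of it = #{fixlet_id} and name of site of it = \"#{site_name}\")"
NEW

# Returns [:patched, new_text] or [:already_patched, text]. Raises when the text
# does not hold the original query exactly once (other version, manual edits).
def patch_source(text)
  olds = text.scan(OLD_QUERY).size
  news = text.scan(NEW_QUERY).size
  return [:already_patched, text] if olds.zero? && news == 1
  raise ArgumentError, "expected exactly one original query, found #{olds}" unless olds == 1 && news.zero?
  # Block form keeps the backslashes in NEW_QUERY from being read as escapes.
  [:patched, text.sub(OLD_QUERY) { NEW_QUERY }]
end

# Copies path to a backup (assumed name: <path>.bak), writes the patched text,
# and returns the digests of both versions. Binary mode preserves CRLF endings.
def patch_file(path, backup: path + ".bak")
  original = File.read(path, mode: "rb")
  status, patched = patch_source(original)
  return { status: status } if status == :already_patched
  raise "backup #{backup} already exists, refusing to overwrite it" if File.exist?(backup)
  FileUtils.cp(path, backup, preserve: true)
  File.write(path, patched, mode: "wb")
  { status: status, backup: backup,
    before: Digest::SHA256.hexdigest(original),
    after: Digest::SHA256.hexdigest(patched) }
end

# Usage: ruby patch_bfi_query.rb <full path to datasource_tem_server.rb>
if __FILE__ == $PROGRAM_NAME && ARGV.size == 1
  p patch_file(ARGV[0])
end
```

If the forum software changed any whitespace in the posted lines, the match fails and the file is left untouched; restart the BigFix Inventory server after a successful patch, as the thread says.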

Has the BFI team implemented any controls so customers can set the intervals for which these API requests run? It may help performance to have these run more or less frequently.

It was supposed to be a simple query which takes milliseconds, therefore there haven’t been any configuration controls provided. In normal operation the query has been designed to run once a day.

Ok, thanks. I have one more question:

Is it critical to have the query working, or is it OK for customers to remove the API credentials from the BFI configuration? I believe that’s under the “IBM BigFix Server Authentication (Console Operator)” section in “Management: Data Sources” - correct?

That would be a simpler workaround versus hand-patching the .rb file. Looking for a solution so we don’t have to restart the Web Reports service a couple times every day. :slight_smile:

Patching the .rb file keeps BFI fully operational. Disconnecting BFI from BigFix is like disconnecting a browser from the Internet (you can still view some pages offline, but you won’t get any new data). In case of BFI the import will be failing (/management/imports) and there will be errors in the logs as BFI will be attempting to reconnect. This is not recommended.

Yes, I understand that. Please know I am not asking about disconnecting the data source. Obviously that would be bad.

BFI has never needed API credentials in the past. I want to remove these API credentials. What I want to know is: Will that be safe, and how do I accomplish it?

Removing the API credentials is the simple fix. Patching the .rb files and later testing them with 9.2.14 (we are scheduled to upgrade 3 servers at the end of the month) will require more work.

Invalid API credentials would make import fail with error message:
RuntimeError: Check Data Source: API connectivity failed. Check whether the BigFix server is accessible under the following URL: 127.0.0.1:52311/api/login. If not, contact the Administrator of BigFix.

If someone doesn’t feel like patching the .RB file, I’m attaching the patched one.
Just back up the original (rename
c:\Program Files\ibm\BFI\wlp\usr\servers\server1\apps\tema.war\WEB-INF\app\models\datasource_tem_server.rb

to something like datasource_tem_server.bak) and put the attached file in its place
(rename it from .BES to .RB since this forum doesn’t allow attaching .RB files);
no other effort required :slight_smile:

datasource_tem_server.bes (7.3 KB)

Edit: this file is tested only on BFI 9.2.13 and 9.2.14