IBM BigFix Patch: SCC Download Plug-in and other SUSE patching enhancements released 2016-10-26

BigFix is pleased to announce the release of the SCC Plug-in in the Manage Download Plug-ins dashboard. This new and enhanced download plug-in for SUSE uses the SUSE Customer Center (SCC) to download and cache patches from Novell’s website to the BigFix server. It retrieves package data directly from the vendor to help improve the accuracy and reliability of the package dependency resolution and repository support.

All patch Fixlets in the ‘Patches for SLE 11 Native Tools’ and ‘Patches for SLE 12 Native Tools’ sites are updated to use the SCC download plug-in.

The enhancements to the download plug-in make it highly extensible and robust, enabling possibilities such as:

  • Ability to support new channels and repositories.
  • Installation and dependency resolution, as well as other patching functionalities, can be extended to other channels, not just to those that are shipped out of the box.
  • Eliminates dependencies on utilities such as bzip2, expect, and similar.
  • Improved performance related to downloading large numbers of packages, which consequently shortens the turnaround time for patching.

Note: The SUSE download plug-in is still available and can be used with the Fixlets that are in custom sites. However, the SUSE download plug-in and outdated content are no longer supported for SUSE Linux Enterprise Desktop and SUSE Linux Enterprise Server (x86 and x86-64).

Along with this release, BigFix Patch provides several other enhancements and features:

  • A solution that can combine the installation of updates for multiple packages into a single task, effectively reducing the execution time of the baseline and improving patch performance.
  • Enhanced download cacher that uses the SUSE repositories to download patches.
  • Improved logging messages for better troubleshooting.

Patching using the SCC download plug-in and the Multiple-Package Baseline Installation feature can lead to improved reliability and faster deployment (about eight times faster than the previous solution). This data was determined in a controlled environment and may vary across environments.

Highlights:
Updated the Fixlets to support the new download plug-in. (Please see the latest site versions under Published sites.)
SCC Download Plug-in v1.0.0.1
SCC Download Cacher v1.0.0.1
Enable the Multiple-Package Baseline Installation feature - SLE 11 (ID #201)
Enable the Multiple-Package Baseline Installation feature - SLE 12 (ID #201)
Delete SUSE 11 Package List File for Multiple-Package Baseline Installation (ID #200)
Delete SUSE 12 Package List File for Multiple-Package Baseline Installation task (ID #200)
TROUBLESHOOTING: SUSE 11 Patching Deployment Logs – Cleanup task (ID #300)
TROUBLESHOOTING: SUSE 12 Patching Deployment Logs – Cleanup task (ID #300)
Multiple-Package Baseline Installation - SLES 11 - x32 - SP0 (ID #101)
Multiple-Package Baseline Installation - SLED 11 - x32 - SP0 (ID #102)
Multiple-Package Baseline Installation - SLES 11 - x86_64 - SP0 (ID #103)
Multiple-Package Baseline Installation - SLED 11 - x86_64 - SP0 (ID #104)
Multiple-Package Baseline Installation - SLES 11 - x32 - SP1 (ID #111)
Multiple-Package Baseline Installation - SLED 11 - x32 - SP1 (ID #112)
Multiple-Package Baseline Installation - SLES 11 - x86_64 - SP1 (ID #113)
Multiple-Package Baseline Installation - SLED 11 - x86_64 - SP1 (ID #114)
Multiple-Package Baseline Installation - SLES 11 - x32 - SP2 (ID #121)
Multiple-Package Baseline Installation - SLED 11 - x32 - SP2 (ID #122)
Multiple-Package Baseline Installation - SLES 11 - x86_64 - SP2 (ID #123)
Multiple-Package Baseline Installation - SLED 11 - x86_64 - SP2 (ID #124)
Multiple-Package Baseline Installation - SLES 11 - x32 - SP3 (ID #131)
Multiple-Package Baseline Installation - SLED 11 - x32 - SP3 (ID #132)
Multiple-Package Baseline Installation - SLES 11 - x86_64 - SP3 (ID #133)
Multiple-Package Baseline Installation - SLED 11 - x86_64 - SP3 (ID #134)
Multiple-Package Baseline Installation - SLES 11 - x32 - SP4 (ID #141)
Multiple-Package Baseline Installation - SLED 11 - x32 - SP4 (ID #142)
Multiple-Package Baseline Installation - SLES 11 - x86_64 - SP4 (ID #143)
Multiple-Package Baseline Installation - SLED 11 - x86_64 - SP4 (ID #144)
Multiple-Package Baseline Installation - SLES 12 - x86_64 - SP0 (ID #101)
Multiple-Package Baseline Installation - SLED 12 - x86_64 - SP0 (ID #102)
Multiple-Package Baseline Installation - SLES 12 - x86_64 - SP1 (ID #111)
Multiple-Package Baseline Installation - SLED 12 - x86_64 - SP1 (ID #112)

Published sites:
Patching Support site, version 652
Patches for SLE 11 Native Tools, version 91
Patches for SLE 12 Native Tools, version 154

Actions to take:

  • Review your baselines. Ensure that the best practices for baselines listed at https://ibm.biz/Bdsc8D are followed.
  • Use the Manage Download Plug-in Dashboard (from the Patching Support site) to register the SCC download plug-in on the BigFix server.
  • Use the Baseline Synchronization Dashboard to update existing baselines and custom sites with the latest content from the external Fixlet sites. For details on how to sync your baseline components with the external sites, see https://ibm.biz/Bdsc8d.

Resources:

Application Engineering team
IBM BigFix Patch

2 Likes

This update created an issue for my BigFix server getting out to the internet. We use whitelisting techniques for HTTPS/SSL traffic.

What URIs does BigFix need to communicate with to properly gather packages via the new SCC protocol? Thus far I have seen:

https://scc.suse.com/*
https://updates.suse.com/*

What else? I am currently working with our Web Filter admin and having trouble determining this without trial and error. Are the required accesses of these protocol(s) specified in documentation anywhere?

Hi Matt,

These are the only URLs that are being accessed by the download plugin/cacher to access the repositories for both SUSE 11 and 12.

The protocol, domain, and port information are added in the documentation (Knowledge Center) right after the release; however, the Knowledge Center hasn’t been refreshed yet. In the meantime, this information is added in the wiki at:
https://www.ibm.com/developerworks/community/wikis/home?lang=en#!/wiki/Tivoli%20Endpoint%20Manager/page/Download%20Plug-in%20for%20SUSE%20Linux%20Enterprise

Are you still seeing issues even after adding those two URLs in your whitelist?

Yes, I am still having issues, working PMR 78487,004,000. I believe the external access is good. I have not yet been able to successfully install packages since the upgrade to SCC protocol.

All tasks result in the following line:

Failed add prefetch item {concatenation " ; " of lines of file (parameter “EDR_PkgRequest”)}

I would like to note that after 1 month of PMR, the issue was determined to be the BigFix Enhanced Security option: -requireSHA256Downloads was enabled. SUSE uses SHA1 for SCC protocol downloads, so I had to disable this setting and patches performed as desired!

2 Likes
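
The following is an added example, not part of the thread and not IBM's code: a Python check that splits an `add prefetch item` argument on " ; " (as the failing line above does with the lines of the request file) and reports which items carry only a SHA-1 hash, the case the last post found rejected while -requireSHA256Downloads was enabled. The item layout follows the key=value form of `add prefetch item`; the sample hashes, sizes and paths are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample items (hashes, sizes and paths are made up), in the
# key=value layout of BigFix "add prefetch item" arguments.
SAMPLE_LINES = [
    "name=pkg-a.rpm sha1=" + "a" * 40 + " size=1024 "
    "url=https://updates.suse.com/constructed/pkg-a.rpm",
    "name=pkg-b.rpm sha1=" + "b" * 40 + " size=2048 "
    "url=https://updates.suse.com/constructed/pkg-b.rpm sha256=" + "c" * 64,
    "name=pkg-c.rpm sha1=" + "d" * 40 + " size=512 "
    "url=https://updates.suse.com/constructed/pkg-c.rpm sha256=tooshort",
]

FIELD = re.compile(r"(\w+)=(\S+)")
HEX_LEN = {"sha1": 40, "sha256": 64}


def is_hex(value, length):
    """True when value is exactly `length` hexadecimal characters."""
    return re.fullmatch(r"[0-9a-fA-F]{%d}" % length, value) is not None


def classify(item):
    """Return 'sha256', 'sha1-only' or 'invalid' for one prefetch item."""
    fields = dict(FIELD.findall(item))
    if not fields.get("url") or not fields.get("size", "").isdigit():
        return "invalid"
    for algo, length in HEX_LEN.items():
        if algo in fields and not is_hex(fields[algo], length):
            return "invalid"  # malformed digest: never verifiable
    if "sha256" in fields:
        return "sha256"
    return "sha1-only" if "sha1" in fields else "invalid"


def audit(prefetch_argument):
    """Group item names by the strongest usable hash each one carries."""
    report = {"sha256": [], "sha1-only": [], "invalid": []}
    for item in prefetch_argument.split(" ; "):
        item = item.strip()
        if item:
            name = dict(FIELD.findall(item)).get("name", "?")
            report[classify(item)].append(name)
    return report


if __name__ == "__main__":
    for kind, names in audit(" ; ".join(SAMPLE_LINES)).items():
        print(f"{kind:10s} {names}")
```

Items listed under `sha1-only` are the ones that cannot be verified with SHA-256, which is the situation the last post describes for SCC downloads.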