Problem with fetching AIX patches

I am trying to patch the AIX server from the patch management and getting an error as “Unsupported protocol: Protocol AIXProtocol not supported or disabled in libcurl”

I have checked the download plugins and there it's asking for proxy setting?

1. Attaching the error Download plugin when trying to register.
2. How to patch from the downloaded file that is in the server?

Did you read the documentation on registering the AIX Download Plugin: https://www.ibm.com/support/knowledgecenter/en/SS6MER_9.5.0/com.ibm.bigfix.patch.doc/Patch/Patch_AIX/t_registering_aix_download_plug-in.html

The proxy information is optional.

Yes, I have enabled them and am now getting the below error.

Is there any option to apply service packs that are already downloaded in the system?

See: Download error: The requested URL does not pass this deployment's download whitelist

AIX URLs sometimes change, so the pre-defined whitelist set during plug-in registration may not be up-to-date.

If you place them in the right place in the BigFix Server cache/download directory, then the BigFix Server will use that instead of trying to download it. Alternative is if you have NFS repository on another AIX machine, you can use that.

Download error: The requested URL does not pass this deployment’s download whitelist

– The link given does not seem to be valid now. Posted in the thread too about the link issue and asked for the path where the txt file needs to be created.

AIX URLs sometimes change, so the pre-defined whitelist set during plug-in registration may not be up-to-date.

–> Now how can we fix the issue and patch ?

If you place them in the right place in the BigFix Server cache/download directory, then the BigFix Server will use that instead of trying to download it. Alternative is if you have NFS repository on another AIX machine, you can use that.

– > Can you let me know the BigFix Server cache/download directory – location and currently we do not have NFS share in our environment.

Found the right link
https://www.ibm.com/support/knowledgecenter/SS6MER_9.5.0/com.ibm.bigfix.patch.doc/Patch/Patch_Windows/c_frequently_asked_questions.html

And added the sites

[root@BFXServer config]# cat DownloadWhitelist.txt
http://download4.boulder.ibm.com/.*
http://delivery04.dhe.ibm.com/.*
AIXProtocol://.*
http://iwm.dhe.ibm.com/.*
AIXProtocolR2://.*
http://software.bigfix.com/download/bes/dep/centos/.*
http://software.bigfix.com/download/bes/dep/pkgdeps/.*
CentOSR2Protocol://.*
http://software.bigfix.com/download/bes/dep/sle/.*
http://software.bigfix.com/.*
RHSMProtocol://.*
http://delivery04-mul.dhe.ibm.com/sar/.*^M

[root@BFXServer config]#
and restarted the service still the same error

Did you not see the ^M in the last line of the file?
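
The check behind that reply, as an added example that is not part of the original thread: a POSIX shell script that flags whitelist entries carrying a carriage return (the `^M` that `cat` revealed) or edge whitespace, and shows that such an entry cannot match its URL until it is cleaned. The sample file, the sample URL, the function names and the use of POSIX extended regular expressions for matching are assumptions made for illustration.

```sh
#!/bin/sh
# Added example, not from the thread: find hidden characters in a
# DownloadWhitelist.txt and test whether a URL passes its patterns.
CR=$(printf '\r'); TAB=$(printf '\t')
SAMPLE_URL='http://delivery04-mul.dhe.ibm.com/sar/example.bff'  # constructed

# Constructed sample: last entry ends in CR, like the ^M shown by cat.
make_sample() {
    printf '%s\n' 'http://delivery04.dhe.ibm.com/.*' 'AIXProtocolR2://.*' > "$1"
    printf '%s\r\n' 'http://delivery04-mul.dhe.ibm.com/sar/.*' >> "$1"
}

# Report entries with a carriage return or edge whitespace; status 1 if any.
audit_whitelist() {
    n=0; bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case $line in
            *"$CR"*) echo "$n: carriage return (^M) in entry"; bad=1 ;;
            " "*|*" "|"$TAB"*|*"$TAB") echo "$n: leading/trailing whitespace"; bad=1 ;;
        esac
    done < "$1"
    return "$bad"
}

# Status 0 if the URL fully matches one entry. Entries are treated as POSIX
# EREs here, which is an assumption about the server's matching.
url_allowed() {
    while IFS= read -r pat || [ -n "$pat" ]; do
        [ -n "$pat" ] || continue
        if printf '%s\n' "$2" | grep -Eq -- "^(${pat})\$"; then return 0; fi
    done < "$1"
    return 1
}

# Emit the whitelist with carriage returns and trailing whitespace removed.
clean_whitelist() { tr -d '\r' < "$1" | sed 's/[[:space:]]*$//'; }

tmp=$(mktemp -d)
make_sample "$tmp/DownloadWhitelist.txt"
audit_whitelist "$tmp/DownloadWhitelist.txt" || echo "entries need cleaning"
url_allowed "$tmp/DownloadWhitelist.txt" "$SAMPLE_URL" || echo "before: blocked"
clean_whitelist "$tmp/DownloadWhitelist.txt" > "$tmp/clean.txt"
url_allowed "$tmp/clean.txt" "$SAMPLE_URL" && echo "after: allowed"
rm -rf "$tmp"
```

Running the audit before restarting the service catches files that were edited on Windows or pasted from a browser, where the stray character is invisible in most editors.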

Thanks Zevanty for the support.
From the link it needs to be
http://delivery04-mul.dhe.ibm.com/sar/.* → which resolved the issue.
Now it says cached to the server complete and not proceeding further

@ptonni - thanks for the information.

To “HCL”: might it be an idea to have something where the whitelist can be updated?

When I installed the plugin it generated this:

-rw------- 1 root root     132 Jun 27  2018 DownloadWhitelist.txt
[root@bigfix config]# cat DownloadWhitelist.txt
http://iwm.dhe.ibm.com/.*
AIXProtocolR2://.*
http://download4.boulder.ibm.com/.*
http://delivery04.dhe.ibm.com/.*
AIXProtocol://.*

So, I see why AIXProtocol is “always” working, but AIXProtocolR2 is not.

FYI: I tried re-configuring the R2 plugin, but that did not update the whitelist either.

What I also notice is that the HTTP proxy I use does still get used when AIXProtocol makes its call, but the R2 does not.

::::::::::::::
AIXProtocol/plugin.ini
::::::::::::::

[Logger]
verbose              = 1
logfile              = logs/AIXPlugin.log
timestampLogfile     = 1
timestampMsgs        = 1
debug                = 2
maxAgeLogFiles       = 14
maxSizeLogFiles      = 52428800

[UA]
proxy                = http://192.168.129.64:8080
proxyUser            =
proxyPass            =

BFArchiveEXE         = /var/opt/BESServer/DownloadPlugins/AIXProtocol/BFArchive
::::::::::::::
AIXProtocolR2/plugin.ini
::::::::::::::
[Logger]
file                 = logs/AIXPluginR2.log
level                = INFO

[UA]
Username             = MyLittle@secretname.net
Password             = HowAboutImprovedHaskAlgorithm==
proxy                = http://192.168.129.64:8080
proxyUser            =
proxyPass            =
primaryRepoListFile  =
extendedRepoListFile =
onlyUseExtendedRepoListFile= no
localCache           =
localCacheOnly       = no
rootCertDir          = certs

So, from my proxy log - I used to see:

e.g.:

192.168.129.2 - - [15/Feb/2019:13:19:22 +0000] “GET http://delivery04.dhe.ibm.com/sar/CMA/AXA/02rqq/1/U847654.bff HTTP/1.1” 206 713728
192.168.129.2 - - [15/Feb/2019:13:19:23 +0000] “GET http://delivery04.dhe.ibm.com/sar/CMA/AXA/02rc7/0/U838516.bff HTTP/1.1” 206 161792

But now only see the Protocol(R1) stuff:

Note line with eccgw01.boulder.ibm.com

192.168.129.2 - - [06/Oct/2019:21:07:00 +0000] "CONNECT sync.bigfix.com:443 HTTP/1.1" 200 -
192.168.129.2 - - [06/Oct/2019:21:15:54 +0000] "GET http://sync.bigfix.com/cgi-bin/bfgather/bessupport HTTP/1.1" 200 740709
192.168.129.2 - - [06/Oct/2019:21:24:55 +0000] "GET http://esupport.ibm.com/eccedge/gateway/services/projects/ecc/serviceProviderIBMnetV2.gzip HTTP/1.1" 200 4875
192.168.129.2 - - [06/Oct/2019:21:24:58 +0000] "CONNECT eccgw01.boulder.ibm.com:443 HTTP/1.0" 200 -
192.168.129.2 - - [06/Oct/2019:21:25:59 +0000] "GET http://sync.bigfix.com/cgi-bin/bfgather/bessupport HTTP/1.1" 200 740709
192.168.129.2 - - [06/Oct/2019:21:31:06 +0000] "CONNECT sync.bigfix.com:443 HTTP/1.1" 200 -

Any ideas why the proxy is not being contacted (at least it looks that way!)

Update:

Now that the whitelist is updated the previously missed files are being fetched and logged at the proxy. But, before this MANY (of the 20 listed) were showing as - ah YES - still in cache! and nothing else was being downloaded.

Proxy question solved!

So, to bring a little attention to something else. The HASH used for the R2 password hash is HORRIBLE. Please update to something such as sha256 or sha512. What it is now is frightful - and worthy of a CVE report - imho. (not that I’ll make that report, but someone else trolling might!)

An added thought.

Suppose this list had already been cached. Would I have ever seen the message re: the whitelist failure?

If the whitelist file doesn’t change and IBM does not change the root URL where files are hosted, then you shouldn’t see the whitelist error anymore.
