SUA Catalog Download to endpoints "Unexpected HTTP response: 403 Forbidden"

Gonzalo 2015-11-02 17:33:27 UTC #7

jgstew, está relacionado con la distribución del catalogo a los endpoints, justamente. Cuando intenta enviar estos catalogos a los endpoints desde la consola del bigfix se produce este error.

jgstew 2015-11-02 17:38:14 UTC #8

Thanks for the confirmation. I changed the category of this post to reflect that it is related to SUA so that those responsible are more likely to see it. I also adjusted the title of the post a bit to reflect the info provided a bit more.

I don’t know much about this issue, but I wonder if your clients are trying to download the file directly from the SUA server but they can’t reach it instead of downloading the file from the BigFix relays.

Gonzalo 2015-11-02 17:48:58 UTC #9

El error muestra en su descripción la ruta de descarga desde el servidor.

Gonzalo 2015-11-02 18:11:36 UTC #10

Yo tengo instalado ILMT y estoy siguiendo los pasos del video de Youtube https://www.youtube.com/watch?v=9i6geV4Y4NQ
En el minuto 12 es donde podrán ver que es lo que intento hacer y donde consigo el error.

jgstew 2015-11-02 18:40:14 UTC #11

Here is the direct link to the time in the video that you are working from: https://youtu.be/9i6geV4Y4NQ?t=11m44s

You are downloading the catalog download .bes from ILMT and importing it into the BigFix console and running it against your clients. It is during the running it against the clients that you are having the issue.

I would try to download the file on one of the endpoints that are having the issue in the browser of the endpoint and see if you get the same HTTP 403 Forbidden error.

I would need to see the actionscript in the catalog download action to see what it is doing, but it definitely should have the URL for some of your servers embedded that you should redact.

Gonzalo 2015-11-02 18:45:21 UTC #12

Desde el Browser de un endpoint puedo descargar el catalogo. El script lo voy a tener en unos dias.

jgstew 2015-11-02 19:01:31 UTC #13

The actionscript that this action is using should be about the same for anyone using ILMT or SUA.

I’ll have to see if I can find a recent one in my environment or generate one, but in the meantime, if anyone else could provide it, it would be useful to try to figure out what is going on here.

Gonzalo 2015-11-03 17:24:57 UTC #14

Envio screenshots y scritp ejecutado.

//This
 action is for Catalog: Version: 1127221.0 (Last Modified: 
2015-08-13T06:26:01.217) - Catalog generated: 2015-10-19 14:44:42 UTC
                                               // WINDOWS
if {((name of operating system) as lowercase) contains "win"}
 
                parameter "homefolder" = "{pathname of parent folder of regapp "besclient.exe" & "\LMT\CIT"}"
                parameter "filemasks" = "{(parameter "homefolder") & "\file_mask.txt"}"
                parameter "versionfile" = "{(parameter "homefolder") & "\catalog_version.info"}"
 
                prefetch catalog.xml.bz2 sha1:05e6396801bd7298c96ff41b0ee85f0dcbff936f size:383851 https://10.1.27.59:9081/sam/catalogs/CIT_catalog_WINDOWS.xml.bz2
 sha256:2499bad20f380feadafba58170c188fec4d205c26fbb3f44499a91d5452a3eaf
                delete "{parameter "homefolder" as string}\catalog.xml.bz2"
                copy __Download\catalog.xml.bz2 "{parameter "homefolder" as string}\catalog.xml.bz2"
 
                // Create file with file masks list for software scan
                delete __createfile
                createfile until _END_
_END_
                delete "{parameter "filemasks" as string}"
                move __createfile "{parameter "filemasks" as string}"
 
// UNIX
else
 
               
 parameter "homefolder" = "{pathname of parent folder of parent folder 
of client folder of site "actionsite" & "/LMT/CIT"}"
                parameter "filemasks" = "{(parameter "homefolder") & "/file_mask.txt"}"
                parameter "versionfile" = "{(parameter "homefolder") & "/catalog_version.info"}"
 
                if {name of operating system as lowercase contains "linux"}
                              
prefetch catalog.xml.bz2 sha1:b8395a4cb489d86009b695f2a230965829892c7c size:368888 https://10.1.27.59:9081/sam/catalogs/CIT_catalog_LINUX.xml.bz2 sha256:13c4e9d538e8cac14034e3a6dece3ef5eb3ed582be3ce2f4d59dc133bd90ce34
                endif
 
               
if {name of operating system as lowercase contains "aix"}
                               prefetch catalog.xml.bz2 sha1:6dda19038fff5c1d271b644db9642b3913042136 size:354724 https://10.1.27.59:9081/sam/catalogs/CIT_catalog_AIX.xml.bz2
 sha256:1d02f8949aad15f4f69cbb37c7556981532dc6e0545da3a6e14b3ed5117ee536
                endif
 
                if {name of operating system as lowercase contains "sunos 5"}
                               prefetch catalog.xml.bz2 sha1:19a85f9d8101b3f135d7ab4d9fb3cf09e8d2ca40 size:348033 https://10.1.27.59:9081/sam/catalogs/CIT_catalog_SUN.xml.bz2
 sha256:64ba6e056c8b7727f23870e2bc4d6ccdbd506621842809c59601347822c0490b
                endif
 
                if {name of operating system as lowercase contains "hp-ux"}
                               prefetch catalog.xml.bz2 sha1:b3d9c3117479d47845458492b5bcf12c62502bc3 size:337178 https://10.1.27.59:9081/sam/catalogs/CIT_catalog_HPUX.xml.bz2
 sha256:da8bbab7da7648bb9ed4813afa235dd2d802a871edf433af5a406013f6c44645
                endif
 
                delete "{parameter "homefolder" as string}/catalog.xml.bz2"
                copy __Download/catalog.xml.bz2 "{parameter "homefolder" as string}/catalog.xml.bz2"
 
                // Create file with file masks list for software scan
                delete __createfile
                createfile until _END_
_END_
                delete "{parameter "filemasks" as string}"
                move __createfile "{parameter "filemasks" as string}"
 
endif
 
delete "{parameter "versionfile"}"
delete __appendfile
 
appendfile 1127221.0
 
move __appendfile "{parameter "versionfile"}"

Success Criteria
This action will be considered successful when it runs to completion.

jgstew 2015-11-03 22:35:09 UTC #15

Can the root server download the catalog from the SUA server?

Is the root server behind a proxy?

Gonzalo 2015-11-05 17:40:30 UTC #16

jgstew desde el server donde está instalado BIGFIX puedo bajar el archivo

Gonzalo 2015-11-06 12:53:15 UTC #17

Ayer intenté modificando el script que ejecuta la tarea con:
add nohash prefetch item

Pero obtuve el mismo error

jgstew 2015-11-07 18:40:03 UTC #18

The SSL error could be related to the issue, but I’m not sure it would be. The SSL issue is the only thing I am seeing that seems like it could be part of the problem. You could manually cache the catalog on the root server and that would probably get things to work.

I would definitely recommend opening a PMR with IBM about this if you haven’t already: How to ask for IBM product help: PMRs, RFEs, and more

The forum is not really meant for traditional support, though it is often a good idea to pursue both a resolution through the forum and a PMR.

Gonzalo 2015-11-10 13:29:58 UTC #19

jgstew, ya habia hecho este paso de hacer el Cache del catalogo en el servidor root. Si ves la ruta del script verás que apunta al servidor root.

jgstew 2015-11-11 23:15:35 UTC #20

The catalogs don’t seem to point at the root server, they point at the SUA server.

You can check the root server cache and see if a copy of the catalogs are already there. It should be in a file with a matching SHA1 or SHA256 file name. If they are already on the root server, then this suggests to me that the clients are all trying to download the file directly from the SUA server that they cannot reach in all cases, which is causing the issue.

If the catalogs are not already on the root server, then they could be added the same way JAVA updates are manually cached. If the catalogs are not already on the root server, then it STILL may be the case that the clients are trying to download them directly from SUA and this is why it is failing.

You may need to check the endpoints that are failing and see if they are set to download files directly from the internet instead of going through their parent relay.

Gonzalo 2015-12-03 17:04:30 UTC #21

Sabe alguien si se puede hacer esto de otra manera? no tengo nunca habilitado el sacaneo inicial de software

Gonzalo 2016-05-24 15:49:00 UTC #22

Agregamos una Excepción en el Proxy con la IP del servidor ademas del localhost y el error cambió.

Failed copy __Download\catalog.xml.bz2 “{parameter “homefolder” as string}\catalog.xml.bz2”

// Create file with file masks list for software scan

delete __createfile

createfile until END

sai_sreep 2019-02-27 18:31:40 UTC #23

does someone have solution for this error, i am finding same in my environment

MichalPaluch 2019-02-28 09:48:40 UTC #24

check http proxy settings

sai_sreep 2019-02-28 19:30:59 UTC #25

I have tried proxy setting and test connection is successfull

JasonWalker 2019-03-01 03:35:22 UTC #26

I’m afraid you’ll either need to contact support and open a PMR, or provide a lot more detail here. “It doesn’t work” doesn’t give us much to work with.

You’ll probably also need to create a new thread and describe your problem. You’re referencing a problem thread that’s over three years old, in Espanol, and has at least two different problems described in it.

And it looks like the original problem was solved by adding an exception to the proxy settings on the Bigfix root server; this can be done using the BESAdminTool on the root server, the original poster added exceptions so that the IP address of the Inventory / ILMT server, and “localhost” don’t use the Proxy.