If you have already setup the RHSM download plugin but are having issues, please see the following guide:
Troubleshooting RHSM Download Plug-in and Download Cacher
The following features and enhancements are included in the RHSM download plug-in release.
Features/enhancements | Description |
Download plug-in transformation | BigFix Patch has released an enhanced version of the download plug-in for Red Hat that uses Red Hat Subscription Management (RHSM) to download and cache patches from a vendor’s website to the BigFix server. You must register the RHSM download plug-in in the Manage Download Plug-ins Dashboard from the Patching Support site. |
Multiple package baseline installation | BigFix Patch offers a solution that can combine the installation of updates for multiple packages into a single task, effectively reducing the execution time of the baseline. |
RHSM download cacher |
|
Note: The RHSMDownloadPlugin does not support patch deployment to RHEL 5. The earlier version of the RHEL plug-in and download cacher can be used for patch deployment until the end of life (EOL) of RHEL 5 in March 2017. For more information, see https://access.redhat.com/errata/RHSA-2016:0561.
Note: The System Identity Certificate is no longer required for v1.0.2.0 of the RHSM Download Plug-in and RHSM download Cacher.
Note: The RHSMDownloadPlugin does not work when the Require SHA-256 Downloads option in the BigFix Administration tool is enabled. When this option is enabled, all download verification uses only the SHA-256 algorithm. However, some of the Red Hat repository metadata that the plug-in uses does not contain SHA-256 values for the packages in the repository.
Consider disabling the Require SHA-256 Downloads option to successfully deploy a patch. Security and package integrity are not compromised because another layer of checking and verification is done using the GPG signature of the package. For more information about the download option, see BigFix Platform Installation Guide at https://help.hcltechsw.com/bigfix/10.0/platform/Platform/Installation/c_getting_authorized_linux.html
Prior to using the RHSM enhancements, check the following:
Red Hat Enterprise Linux version | What to check |
RHEL 6 |
There is a change in the range of valid Fixlet IDs. Previous RHEL 6 Fixlet IDs are no longer valid. RHEL 6 users with existing baselines need to create new baselines to use the new Fixlets.
|
RHEL 7 | RHEL 7 users with existing baselines do not need to create new baselines.
|
You must create and download identification certificates through the Red Hat Subscription Management system to use the RHSM Download Plug-in.
Before you use the RHSM Download Plug-in, you must do the following steps to set up the RHSM certificate.
For more information about what other tasks you can do with the download plug-in, including configuring, extending, and unregistering the download plug-in, see Using the RHSM download plug-in section.
Important: Red Hat is giving users of the Red Hat Customer Portal the option to try its new interface. The steps documented here use the earlier version of the portal.
If you are trying to download the system identity certificates with the new interface, you might not see the Download button even if you have the correct access permissions. Revert to the earlier interface, where the Download button displays when you attempt to download the system identity certificate.
Note: The System Identity Certificate is no longer required from v1.0.2.0 of the RHSM Download Plug-in and RHSM download Cacher.
Preparing endpoints before deployment
When using the RHSM features, it is strongly suggested that you run the following tasks before deploying Fixlets to your endpoints, as pre-emptive measures to avoid errors or issues related to GPG keys and prefetch plug-in execution. Red Hat requires the use of GPG keys. The following two tasks import the GPG keys to the endpoints.
Use the Change Timeout for Prefetch Plugins task, which is found in the Patching Support site, to avoid an error with the execution of the prefetch plug-in. The error is caused by a short prefetch timeout setting. To remedy this, run the task to change the timeout to 30 minutes.
After running the task to change the timeout settings, restart the BES client with the TROUBLESHOOTING: Restart BES Client on RHEL/SUSE task. The task is found in the BES Support site.
Use the Manage Download Plug-ins dashboard to register the RHSM download plug-in on the BigFix server to install x86 or x86_64 RHEL patches.
Before you begin:
You must complete the following tasks:
ID | Analysis | Site |
45 | Download Plug-in Versions | BES Support |
977 | Encryption Analysis for Clients | Patching Support |
Procedure:
From the Patch Management domain, click All Patch Management > Dashboards > Manage Download Plug-ins dashboard.
Proxy URL: URL that contains a protocol and a host name. The URL is usually the IP address or DNS name of your proxy server and its port, which is separated by a colon. For example, http://192.168.100.10:8080.
Proxy Username: Your proxy user name if your proxy server requires authentication. It is usually in the form of domain\username.
Proxy Password: Your proxy password if your proxy server requires authentication.
Confirm Proxy Password: Your proxy password for confirmation.
5. Click OK. The Take Action dialog displays.
6. Select the target computer.
7. Click OK.
You successfully registered the RHSM download plug-in. The plugin.ini configuration file is created in the following locations:
What to do next:
After you have registered the RHSM download plug-in, verify that a folder named 'certs' exists in the RHSM Protocol folder.
Note: For Linux systems, ensure that the new certs folder is in lower case to avoid issues.
To use the RHSM download plug-in, you must update the configuration file, plugin.ini, from the following locations:
You must create and download certificates through the Red Hat Subscription Management system. From the Red Hat portal, you must register a system then attach your subscriptions (entitlements) to that system. You must have at least one set of certificates that you need to download.
Important: You only need to register at least one system and attach the subscriptions (entitlements) to cover your machines.
Note: Red Hat requires Oracle Java users to enable a new content set to access the Oracle Java SE software. To deploy Oracle Java patches, create separate certificates for Oracle Java (Restricted Maintenance) with the Oracle Java Add-On (Physical or Virtual Nodes) subscription. The steps for creating the certificate and attaching them to a subscription are detailed in this section. For more information about Red Hat requirement to enable the new content set, see the Red Hat Knowledge base site.
Note: The System Identity Certificate is no longer required from v1.0.2.0 of the RHSM Download Plug-in and RHSM download Cacher.
Certificates whose attached subscription has the name "Red Hat Enterprise Linux for Virtual Datacenters" are known to stop working after one day. If you are having issues with patch deployment after 1 day, we suggest avoiding this subscription and using instead a non-Virtual Datacenters subscription like "Red Hat Enterprise Linux 7 Server (RPMs)".
To create the RHSM entitlement certificates, follow these steps:
1. Log in to the Red Hat Customer Portal at https://access.redhat.com/.
2. Go to the Subscription Overview page at https://access.redhat.com/management/. Click Systems.
3. Click New to create a new system.
4. Fill in the form with the following information then click Create.
Note: Selecting Red Hat Enterprise Linux version 7.2 will create entitlement certs that will also work with RHEL 6. The RHSM download plug-in does not support RHEL 5.
Note: This should not affect the entitlement but only the cert format.
5. When the page has refreshed, click the Subscriptions tab and click Attach Subscriptions.
Note: You only need to do this step once for your BESServers as you can attach multiple subscriptions for the system that you are registering, to cover access to RHEL 6 and RHEL 7 packages.
6. Select the subscription that will be attached to the system you created and click Attach Subscriptions.
7. The page displays the subscriptions attached to the system. Click Download Certificates.
8. Unzip the downloaded certificate. Red Hat now uses a single certificate instead of the earlier RHSM version which required having both an entitlement certificate and an identity certificate.
9. Go to <BES Server>\DownloadPlugins\RHSMProtocol\certs and create a folder. Place the zipped certificates in the newly-created folder. Ensure that your Red Hat subscriptions are active to avoid errors.
Note: In the plugin.ini, the "rootCertDir" value should be "certs", which is the default value. This is the relative path from the RHSMDownloadPlugin.exe to the rootCertDir called "certs".
You can verify access to the repos by running RHSMPlugin.exe --check-baserepos. For more information, see the Verifying RHSM download plug-in certificate access to Red Hat repositories section.
From the command line, you can use the --check-baserepos and the --check-allrepos commands to check that the entitlement certificates, which are in the 'certs' folder, have access to the supported Red Hat repositories.
Use the following commands to verify if the certificate entitlement found in <BES Server>\DownloadPlugins\RHSMProtocol\certs can access the Red Hat repositories. The results, which are displayed in the command prompt and printed to the RHSMPlugin.log, identify the number of accessible repositories which the certificate is entitled to against the available Red Hat repositories that BigFix supports.
--check-baserepos
Checks if the entitlement certificates in the 'certs' folder have access to the base repositories.
--check-allrepos
Checks if the entitlement certificates in the 'certs' folder have access to the base repositories and the sub-repositories.
For a list of Red Hat repositories that BigFix supports, see https://help.hcltechsw.com/bigfix/10.0/patch/Patch/Patch_RH/c_supported_platforms.html.
The repository blacklist function blocks access to Red Hat repositories that are not needed for patching.
The repository blacklist improves the performance of the download plug-in. It also reduces the amount of errors that are logged in RHSMPlugin.log.
This functionality is available from version 1.0.0.6 of the RHSM download plug-in. The functionality works around a limitation in how the BES server processes downloads. The limitation might result in unnecessary errors being logged and in longer processing time of the download plug-in.
After the RHSM download plug-in is run for the first time, a file called allowrepos.cfg is created in the same folder as the download plug-in. The file lists the Red Hat repositories that BigFix supports. By default, all repositories are allowed.
Note: You only need to run the RHSM download plug-in once to generate the file.
The following is an example output for "--check-baserepos":
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
2017-04-27 14:17:40 : INFO : Base Repos Test Summary
2017-04-27 14:17:40 : INFO : Certs in <rootCertDir> can access 4 / 14 BaseRepos:
2017-04-27 14:17:40 : INFO : server-6-x86_64: Red Hat EnterpriseLinux 6 Server (RPMs)
2017-04-27 14:17:40 : INFO : server-6-x86: Red Hat EnterpriseLinux 6 Server (RPMs)
2017-04-27 14:17:40 : INFO : server-7-x86_64: Red Hat EnterpriseLinux 7 Server (RPMs)
2017-04-27 14:17:40 : INFO : server-8-x86_64: Red Hat EnterpriseLinux 8 Server (RPMs)
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
With this example, you have the following settings for the repository blacklist:
client-6-x86 = no
client-6-x86_64 = no
client-7-x86_64 = no
server-6-s390x = no
server-6-x86 = yes
server-6-x86_64 = yes
server-7-ppc64le = no
server-7-ppc64be = no
server-7-s390x = no
server-7-x86_64 = yes
workstation-6-x86 = no
workstation-6-x86_64 = no
workstation-7-x86_64 = no
server-8-x86_64 = no
Before you begin
Identify the Red Hat repositories that your subscription covers. You can run the --check-baserepos command on the RHSMPlugin.exe. For more information, see Verifying RHSM download plug-in certificate access to Red Hat repositories.
Procedure:
1. If you have not done so, run the RHSM download plug-in. The allowrepos.cfg file is generated in the same folder as the RHSM download plug-in and the RHSM download cacher.
2. Open allowrepos.cfg in a text editor. The file contains a list of repositories which are set to YES by default.
client-6-x86 = yes
client-6-x86_64 = yes
client-7-x86_64 = yes
server-6-s390x = yes
server-6-x86 = yes
server-6-x86_64 = yes
server-7-ppc64le = yes
server-7-ppc64be = yes
workstation-6-x86 = yes
workstation-6-x86_64 = yes
workstation-7-x86_64 = yes
server-8-x86_64 = yes
• YES or Y = the repository is allowed to be accessed by the plug-in
• NO or N = the repository is not allowed to be accessed by the plug-in
3. Set the values of the repositories. Set YES or Y to the Red Hat repositories to which you have access and NO or N to repositories to which you have no access.
4. Save your changes.
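The procedure above can be scripted so that allowrepos.cfg always matches what the entitlement certificates can actually reach. The following is an added example, not part of the BigFix product: it parses the --check-baserepos summary from RHSMPlugin.log and rewrites the cfg text. The function names are assumptions, and the sample log and cfg are constructed from the listings on this page.

```python
import re

# Constructed sample: the --check-baserepos summary shown on this page.
SAMPLE_LOG = """\
2017-04-27 14:17:40 : INFO : Base Repos Test Summary
2017-04-27 14:17:40 : INFO : Certs in <rootCertDir> can access 4 / 14 BaseRepos:
2017-04-27 14:17:40 : INFO : server-6-x86_64: Red Hat EnterpriseLinux 6 Server (RPMs)
2017-04-27 14:17:40 : INFO : server-6-x86: Red Hat EnterpriseLinux 6 Server (RPMs)
2017-04-27 14:17:40 : INFO : server-7-x86_64: Red Hat EnterpriseLinux 7 Server (RPMs)
2017-04-27 14:17:40 : INFO : server-8-x86_64: Red Hat EnterpriseLinux 8 Server (RPMs)
"""

# Constructed sample: a default allowrepos.cfg with every repository allowed.
ALL_KEYS = [
    "client-6-x86", "client-6-x86_64", "client-7-x86_64", "server-6-s390x",
    "server-6-x86", "server-6-x86_64", "server-7-ppc64le", "server-7-ppc64be",
    "server-7-s390x", "server-7-x86_64", "workstation-6-x86",
    "workstation-6-x86_64", "workstation-7-x86_64", "server-8-x86_64",
]
SAMPLE_CFG = "".join(f"{key} = yes\n" for key in ALL_KEYS)

SUMMARY_RE = re.compile(r"can access (\d+) / (\d+) BaseRepos:")
REPO_RE = re.compile(r": INFO : ([a-z]+-\d+-\w+): ")


def accessible_repos(log_text):
    """Return the repository keys listed in the last Base Repos Test Summary."""
    keys, claimed, in_summary = [], None, False
    for line in log_text.splitlines():
        match = SUMMARY_RE.search(line)
        if match:
            # A newer summary replaces anything collected from an older run.
            keys, claimed, in_summary = [], int(match.group(1)), True
        elif in_summary:
            repo = REPO_RE.search(line)
            if repo:
                keys.append(repo.group(1))
            else:
                in_summary = False  # first non-repository line ends the summary
    if claimed is None:
        raise ValueError("no Base Repos Test Summary found in the log")
    if claimed != len(keys):
        raise ValueError(f"summary claims {claimed} repos but {len(keys)} were listed")
    return keys


def rewrite_allowrepos(cfg_text, accessible):
    """Set accessible keys to yes and all others to no.

    Returns (new_cfg_text, missing), where missing lists accessible keys that
    have no line in the cfg and therefore could not be switched on.
    """
    allowed, seen, out = set(accessible), set(), []
    for line in cfg_text.splitlines():
        if "=" not in line:
            out.append(line)  # leave anything that is not a key = value line
            continue
        key = line.split("=", 1)[0].strip()
        seen.add(key)
        out.append(f"{key} = {'yes' if key in allowed else 'no'}")
    return "\n".join(out) + "\n", sorted(allowed - seen)


if __name__ == "__main__":
    new_cfg, missing = rewrite_allowrepos(SAMPLE_CFG, accessible_repos(SAMPLE_LOG))
    print(new_cfg, end="")
    if missing:
        print("accessible but not present in allowrepos.cfg:", ", ".join(missing))
```

Run against the sample summary, the result allows server-8-x86_64 as well, because that summary lists it as accessible.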
The download plug-in is an executable program that downloads relevant packages directly from the patch vendor. Fixlets use an internal protocol to communicate with the download plug-in to download files. These Fixlets are based on updates made by the vendor.
For the Fixlet to be able to use the protocol, register the download plug-in on the BigFix server. Use the Manage Download Plug-ins dashboard to register the appropriate plug-in.
The Red Hat Subscription Management (RHSM) download plug-in is an enhanced version of the download plug-in for Red Hat that uses the RHSM to download and cache patches from a vendor's website to the BigFix server. The enhanced download plug-in enables the following possibilities.
Customize available repositories through a user extensible repository list. Installation and dependency resolution can easily be extended to all repositories, not just those that are shipped out of the box.
Customers and service teams can easily extend functionalities.
Eliminate dependencies on utilities such as bzip2, gzip, and similar.
You can do the following tasks with the RHSM download plug-in:
Use the Manage Download Plug-ins dashboard to configure the basic properties, such as proxy settings of the Red Hat Subscription Management (RHSM) download plug-in.
The scope of this task only covers the basic RHSM plug-in configuration from the BigFix console. You might want to take note of your existing configuration for the download plug-in. Existing configurations are overwritten when you configure the download plug-in.
Procedure
1. From the Patch Management domain, click All Patch Management > Dashboards > Manage Download Plug-ins dashboard.
2. From the Servers and Relays table, select the server or relay on which the download plug-in is to be configured.
3. From the Plug-ins table, select RHSM Plug-in.
4. Click Configure. The Configure Red Hat Plug-in wizard displays.
5. Enter the proxy parameters if the downloads must go through a proxy server.
Proxy URL
The URL of your proxy server. It must be a well-formed URL that contains a protocol and a host name. The URL is usually the IP address or DNS name of your proxy server and its port, which is separated by a colon. For example: http://192.168.100.10:8080.
Proxy Username
Your proxy user name if your proxy server requires authentication. It is usually in the form of domain\username.
Proxy Password
Your proxy password if your proxy server requires authentication.
Confirm Proxy Password
Your proxy password for confirmation.
6. Click OK. The Take Action dialog displays.
7. Select the target computer.
8. Click OK.
Once the action completes successfully, you have successfully applied the settings that you configured.
For advanced configurations, manually edit the RHSM download plug-in configuration file called plugin.ini.
The plugin.ini file is automatically created when the download plug-in is registered from the Manage Download Plug-in dashboard. It contains the settings for logging and caching, as well as custom configurations for extending the repository list file.
On Linux systems, the file is in the root directory tree occupied by the download plug-in. For example, /var/opt/BESServer/DownloadPlugins/RHSMProtocol.
On Windows systems, the file is in the BigFix server installation directory. For example, %PROGRAM FILES%\BigFix Enterprise\BES Server\DownloadPlugins\RHSMProtocol.
Note: The plugin.ini is divided into sections, which are denoted by square brackets. Ensure that the options are under the correct sections. Moving the options to a different section might result in errors.
primaryRepoListFile
This list file contains the repositories that BigFix supports by default. Use either an absolute path or relative path.
extendedRepoListFile
This optional repository list is for extensions to the primaryRepoListFile, the default repository list. It has the same format as primaryRepoListFile. Use either an absolute path or relative path.
onlyUseExtendedRepoListFile
This is an optional configuration list file to limit downloads to only custom repositories as stated in the "extendedRepoListFile". Its value can be "yes" or "no". No is the default value.
localCache
This setting is used when the RHSM download plug-in is used in an air-gapped environment. The localCache field is the full path to the download directory (--download_dir) that is specified when using the RHSM Download Cacher. Use an absolute path. For example, localCache = C:\RHEL_Cache
localCacheOnly
This setting is used when the RHSM download plug-in is used in an air-gapped environment. By default, its value is set to "no". When this setting is set to "yes", the RHSM download plug-in will get its files from the localCache and will not attempt to get files from the Internet.
rootCertDir
This setting stores the relative path of the rootCertDir folder.
The following options require paths. Relative paths are relative to the download plug-in executable directory. By default, the executable file is in the DownloadPlugins\RHSMProtocol folder. Use the required corresponding path types as indicated in the following list:
Setting the logging level
The logging level determines the amount of detail that is written to the RHSMPlugin.log file.
The available logging levels are as follows:
ERROR
Contains errors related to the execution of the download plug-in, which might indicate an impending fatal error.
WARNING
Contains information about failed downloads, and reasons for failure.
INFO
Contains general information outlining the progress and successful downloads, with minimal tracing information.
DEBUG
Contains fine-grained information used for troubleshooting issues. This is the most verbose level available.
You can change the logging level option from the [Logger] section of the plugin.ini file.
[Logger]
file = logs/RHSMPlugin.log
level = INFO
For example, if the logging is set to INFO, the logger outputs any logs for that level and any level above it. In this case, it outputs the INFO, WARNING, and ERROR logs.
Setting the logging level to DEBUG increases the amount of information to log, which might impact performance. Only increase the logging level to DEBUG when investigating an issue, and switch back to INFO or WARNING after the issue is resolved.
Adding an extended repository list file
The RHSM download plug-in can be configured to work with repositories that are not officially supported by BigFix, such as debuginfo repository, if required. For more information, see Extending the RHSM Download Plug-in (Optional).
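The option rules in this section (allowed logging levels, the yes/no flags, absolute versus relative paths, the default rootCertDir) can be checked before the plug-in is run. The following is an added example, not code from BigFix: the function names are assumptions, the sample file is constructed, and the section name ExampleSection is a placeholder because this page only shows the [Logger] section. The check looks options up by name in any section.

```python
import configparser
from pathlib import PurePosixPath, PureWindowsPath

LEVELS = ("ERROR", "WARNING", "INFO", "DEBUG")  # levels listed on this page

# Constructed sample. [ExampleSection] is a placeholder section name.
SAMPLE_INI = """\
[Logger]
file = logs/RHSMPlugin.log
level = DEBUG

[ExampleSection]
onlyUseExtendedRepoListFile = yes
localCacheOnly = yes
rootCertDir = Certs
"""


def read_options(ini_text):
    """Map option name -> (section, value), keeping option names as written."""
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.optionxform = str  # keep camelCase names such as rootCertDir
    parser.read_string(ini_text)
    return {name: (section, value.strip())
            for section in parser.sections()
            for name, value in parser[section].items()}


def resolve(value, plugin_dir, windows=True):
    """Relative paths are relative to the download plug-in executable directory."""
    flavour = PureWindowsPath if windows else PurePosixPath
    path = flavour(value)
    return str(path if path.is_absolute() else flavour(plugin_dir) / path)


def audit(ini_text, windows=True):
    """Return a list of findings for a plugin.ini given as text."""
    opts = read_options(ini_text)
    flavour = PureWindowsPath if windows else PurePosixPath

    def get(name):
        return opts.get(name, (None, ""))[1]

    findings = []
    section, level = opts.get("level", (None, ""))
    if section != "Logger":
        findings.append("level is missing or is not under [Logger]")
    elif level.upper() not in LEVELS:
        findings.append(f"unknown logging level {level!r}")
    elif level.upper() == "DEBUG":
        findings.append("logging level is DEBUG; switch back to INFO or WARNING "
                        "after the issue is resolved")

    for flag in ("onlyUseExtendedRepoListFile", "localCacheOnly"):
        if get(flag) and get(flag).lower() not in ("yes", "no"):
            findings.append(f"{flag} must be yes or no")

    if (get("onlyUseExtendedRepoListFile").lower() == "yes"
            and not get("extendedRepoListFile")):
        findings.append("onlyUseExtendedRepoListFile = yes but "
                        "extendedRepoListFile is not set")

    cache = get("localCache")
    if get("localCacheOnly").lower() == "yes" and not cache:
        findings.append("localCacheOnly = yes but localCache is not set")
    if cache and not flavour(cache).is_absolute():
        findings.append("localCache must be an absolute path")

    root = get("rootCertDir")
    if root and root != "certs":
        findings.append(f"rootCertDir is {root!r}; the default is 'certs' "
                        "(lower case matters on Linux)")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_INI):
        print("-", finding)
    print(resolve("certs", "/var/opt/BESServer/DownloadPlugins/RHSMProtocol",
                  windows=False))
```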
Use the Manage Download Plug-ins dashboard to unregister the RHSM download plug-in.
Procedure
1. From the Patch Management domain, click All Patch Management > Dashboards > Manage Download Plug-ins dashboard.
2. From the Servers and Relays table, select the server or relay on which the download plug-in is to be unregistered.
3. From the Plug-ins table, select RHSM Plug-in.
4. Click Unregister.
5. Select the target computer.
6. Click OK.
You successfully unregistered the RHSM download plug-in.
Use the Manage Download Plug-ins dashboard to upgrade the RHSM download plug-in to the latest version available.
Procedure
1. From the Patch Management domain, click All Patch Management > Dashboards > Manage Download Plug-ins dashboard.
2. From the Servers and Relays table, select the server or relay on which the download plug-in is to be upgraded.
3. From the Plug-ins table, select RHSM Plug-in.
4. Click Upgrade. The Take Action dialog displays.
5. Select the target computer.
6. Click OK.
You now have the latest version of the RHSM download plug-in installed.
Extending the RHSM download plug-in (Optional)
You can configure the RHSM download plug-in to download and cache packages from repositories that are not officially supported by BigFix. The RHSM download plug-in can resolve package dependency for unsupported RHSM repositories, allowing the installation of unsupported dependent packages. This extended solution allows you to use BigFix to deploy packages from repositories that are not shipped out of the box, such as debuginfo repositories.
Before you begin, you must complete the following tasks:
Creating an extended repository list file
The Red Hat download plug-in can use an extended repository list file, which contains additional repositories for both base and extension products that are included in your subscription.
The extended repository list file must meet the following criteria:
{
"<OS_key>":[
{"name": "<name>", "baseurl": "<url>"},
{"name": "<name>", "baseurl": "<url>"}
]
}
For example:
{
"x86":[
{"name": "Red Hat Enterprise Linux 6 Server - Oracle Java (Source RPMs)",
"baseurl": "https://cdn.redhat.com//content/rhel/server/6/6Server/x86/oracle-java/source/SRPMS"}
]
}
Note: It uses the same format as the DLRHELRepoList.json file, which is set for repoListFile in the plugin.ini file.
You must replace the placeholders, which are enclosed in angle brackets <>, with the actual values.
OS_key
To use the unsupported repositories with the BigFix RHEL Patching content, use the following OS keys as listed in the DLRHELRepoList.json file. This might not be the full list as later versions of the download plug-in are released. To get the latest and complete copy of the repository list, complete the following actions:
1. Check whether your endpoints are registered to the latest download plug-in. The Manage Download Plug-ins dashboard indicates when the plug-in is up-to-date or when a new version is available.
2. View the DLRHELRepoList.json file from the following locations:
Important: Use the correct OS key for each repository to avoid download and dependency resolution issues.
You can also add a repository that does not fall under any of the listed OS variants. However, BigFix Patch will not provide the patching content; you are responsible for creating the content to use with the configured RHSM download plug-in.
The OS keys in the patching content must match the OS keys that are listed in the extended repository list file.
name
You can retrieve the name from the Red Hat Customer Portal; see Retrieving the repository information.
baseurl
You can retrieve the distribution target name from the Red Hat Customer Portal; see Retrieving the repository information. In the baseurl, replace the architecture $basearch and $releasever values.
Retrieving the repository information
To retrieve repository information from the Red Hat Customer Portal, complete the following steps:
1. Log in to the Red Hat Customer Portal at https://access.redhat.com/.
2. Go to the Subscription Overview page at https://access.redhat.com/management/.
3. Click the appropriate subscription. The Subscription Information page is displayed.
4. From the Manage section, under Subscriber Inventory, you can see the number of subscribed systems and hypervisors. Click Systems.
5. From the Content Sets tab, go to the row of the repository and click View.
6. You can derive the values for the name and baseurl keys based on the following guidelines:
name
Select the repository name value from the Name column. An example of the name value is Red Hat Enterprise Linux 6 Server - Oracle Java (Source RPMs)
baseurl
The baseurl starts with https://cdn.redhat.com/. You can see the repository baseurl from the Content details column, in the Content Download URL field. For example,
/content/rhel/server/6/$releasever/$basearch/oracle-java/source/SRPMS
Replace the values for $releasever and $basearch. See the table for examples of values. When the values are replaced, an example of the baseurl is:
https://cdn.redhat.com//content/rhel/server/6/6Server/x86/oracle-java/source/SRPMS
Variable in baseurl | Possible values |
$releasever | 6Server, 6Client, 6Workstation, 7Server, 7Client, 7Workstation |
$basearch | x86_64, i386, ppc64le, ppc64be |
Note: This table contains examples of values. For more updated and complete values, see the Red Hat Customer Portal at https://access.redhat.com/
To verify if the certificate has access to the repository that you chose to set up, import the certificate to the browser, then use the URL to check if it can be accessed.
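Before pointing the plug-in at an extended repository list file, it helps to check the file mechanically, because a baseurl that is split across lines, still contains $releasever or $basearch, or is not an https URL will only show up later as download or dependency resolution errors. The following is an added example, not code from BigFix: the function names are assumptions and the sample data is constructed from the example on this page.

```python
import json
import re
from urllib.parse import urlsplit

CDN = "https://cdn.redhat.com/"  # prefix this page gives for Red Hat baseurls

# Content Download URL as shown in the Red Hat Customer Portal (from this page).
SAMPLE_PATH = "/content/rhel/server/6/$releasever/$basearch/oracle-java/source/SRPMS"


def build_baseurl(content_path, releasever, basearch):
    """Fill $releasever and $basearch in a Content Download URL path."""
    path = content_path.replace("$releasever", releasever)
    return CDN + path.replace("$basearch", basearch)


def check_entry(where, entry):
    """Return the problems found in one {"name": ..., "baseurl": ...} entry."""
    if not isinstance(entry, dict):
        return [f"{where}: entry is not an object"]
    problems = []
    for field in ("name", "baseurl"):
        value = entry.get(field)
        if not isinstance(value, str) or not value.strip():
            problems.append(f"{where}: missing or empty '{field}'")
    url = entry.get("baseurl")
    if not isinstance(url, str) or not url.strip():
        return problems
    if re.search(r"\s", url):
        problems.append(f"{where}: baseurl contains whitespace")
    if "$" in url:
        problems.append(f"{where}: baseurl still contains a $variable")
    try:
        parts = urlsplit(url)
        well_formed = parts.scheme == "https" and bool(parts.hostname)
    except ValueError:
        well_formed = False
    if not well_formed:
        problems.append(f"{where}: baseurl is not a well-formed https URL")
    return problems


def validate_repo_list(text):
    """Validate extended repository list text; an empty list means no problems."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        # A string broken across two lines lands here (invalid control character).
        return [f"not valid JSON: {exc.msg} (line {exc.lineno})"]
    if not isinstance(doc, dict):
        return ["top level must be an object keyed by OS key"]
    problems = []
    for os_key, repos in doc.items():
        if not isinstance(repos, list):
            problems.append(f"{os_key}: value must be a list of repositories")
            continue
        seen = set()
        for idx, entry in enumerate(repos):
            where = f"{os_key}[{idx}]"
            problems += check_entry(where, entry)
            url = entry.get("baseurl") if isinstance(entry, dict) else None
            if isinstance(url, str):
                if url in seen:
                    problems.append(f"{where}: duplicate baseurl")
                seen.add(url)
    return problems


def sample_repo_list():
    """Constructed sample: the Oracle Java source repository from this page."""
    entry = {"name": "Red Hat Enterprise Linux 6 Server - Oracle Java (Source RPMs)",
             "baseurl": build_baseurl(SAMPLE_PATH, "6Server", "x86")}
    return json.dumps({"x86": [entry]}, indent=2)


if __name__ == "__main__":
    text = sample_repo_list()
    print(text)
    print(validate_repo_list(text) or "no problems found")
```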
Updating the RHSM download plug-in configuration file
Configure the RHSM Download Plug-in to use an extended repository list file. The plugin.ini configuration file is overwritten when the RHSM download plug-in is unregistered or configured from the Manage Download Plug-in dashboard. Any change that you make in the configuration file is lost, therefore take note of the previous changes.
The configuration file includes the following:
primaryRepoListFile
This list file contains the repositories supported by default by BigFix.
extendedRepoListFile
This optional repository list is for extensions to the default repository list. It has the same format as the default repository list.
onlyUseExtendedRepoListFile
This is an optional configuration list file to limit downloads to only custom repositories.
1. Use a text editor to open the plugin.ini file from the following locations:
2. In the extendedRepoListFile field, enter the absolute path or relative path to the extended repository list file. If it is set to a relative path, the path must be relative to the location of the RHSM download plug-in executable.
For example:
extendedRepoListFile = C:\Program Files (x86)\BigFix Enterprise\BES Server\DownloadPlugins\RHSMProtocol\<extendedRepoList>.json
3. If you want to set the RHSM Download Plug-in to only use the extended repository list, set the onlyUseExtendedRepoListFile field to yes.
For example:
onlyUseExtendedRepoListFile = yes
If you want to set RHSM Download Plug-in to use both repository list files, configure the setting to no. In cases where the same OS key is used in both files, the repositories will be combined.
4. Save the file.
In the following examples, the EPEL 6 repo was added to server-6-x86_64 and the EPEL 7 repo was added to server-7-x86_64. Running the `RHSMPlugin.exe --check-allrepos` command produces the following output.
Example: When EPEL 6 repo is added to server-6-x86_64
4496 : 2018-02-28 15:26:31 : INFO : Testing Certs access to: server-6-x86_64
4496 : 2018-02-28 15:26:31 : INFO : EPEL_6
4496 : 2018-02-28 15:26:31 : INFO : Success!
4496 : 2018-02-28 15:26:31 : INFO : Red_Hat_Enterprise_Linux_6_Server_(RPMs)
4496 : 2018-02-28 15:26:31 : INFO : Success!
Example: When EPEL 7 repo is added to server-7-x86_64:
4496 : 2018-02-28 15:26:31 : INFO : Testing Certs access to: server-7-x86_64
4496 : 2018-02-28 15:26:31 : INFO : EPEL_7
4496 : 2018-02-28 15:26:31 : INFO : Success!
4496 : 2018-02-28 15:26:31 : INFO : Red_Hat_Enterprise_Linux_7_Server_(RPMs)
4496 : 2018-02-28 15:26:31 : INFO : Success!
BigFix Patch provides a solution to combine the installation of updates for multiple packages in a baseline into a single task, which can reduce the execution time of the baseline.
Baselines can help you gather multiple Fixlets into groups, which you can apply immediately to any set of target computers. It is a powerful way to deploy a group of actions across an entire network. However, each Fixlet in a baseline creates a separate update transaction when the baseline is run. A single baseline can have numerous calls, which can severely impact performance as it increases the time taken to complete all the transactions.
The multiple-package baseline installation solution reduces the performance cost of doing dependency resolution and package installation separately for each Fixlet. This solution requires you to enable the feature at the start of the baseline and append the installation task to install the relevant packages from a single call.
Use the Enable the Multiple-Package Baseline Installation feature - RHEL 6 task and the Enable the Multiple-Package Baseline Installation feature - RHEL 7 task to set the flag that instructs Fixlets to add packages to a list instead of installing them. The flag is cleared after the baseline is completed. You must add the appropriate task at the start of the baseline to allow the installation of multiple packages from a single command.
A multiple-package installation task is made available for each Red Hat distribution, operating system version, service pack level, and architecture. You must add the appropriate installation task at the end of your baseline to complete the dependency resolution, download the packages, and then install them on the endpoints.
Use the appropriate task to install, from a single yum call, the relevant packages listed in the MultiPkgInstall.txt file, which is located in the following directory locations.
The task action skips packages with broken dependencies.
These tasks must be run at the end of the baseline to do dependency resolution and package installation for the entire baseline in a single instance.
Note: Ensure that the following option is unchecked for the related tasks: Baseline will be relevant on applicable computers where this component is relevant.
You can also do a dry run of the installation to preview the changes on the packages to avoid broken dependencies, which might be due to undesired package updates. The test action outputs to the following file at /var/opt/BESClient/EDRDeployData:
PkgToInstallList.txt file
This file contains packages that are to be installed after a dependency check.
The multiple-package baseline installation feature helps you to save time when deploying Fixlets with multiple unique packages from a baseline.
To install or update packages for all Fixlets in the baseline, you must add the task to enable the feature and add the appropriate multiple-package baseline installation task into the baseline.
1. Create a baseline with the Patch Fixlets. Highlight the Fixlets from a Fixlet site and select Add to New Baseline from the context menu. You can also select Create New Baseline from the Tools menu.
2. Add the related tasks to the new baseline. The order of the tasks as listed in the tables is important.
RHEL 6
Fixlet ID | Task |
200 | Delete RHEL 6 Package List File for Multiple-Package Baseline Installation |
300 | TROUBLESHOOTING: RHEL 6 Patching Deployment Logs - Cleanup |
301 | Import RPM-GPG-KEY-redhat-release - RHEL 6 |
201 | Enable the Multiple-Package Baseline Installation feature - RHEL 6 |
RHEL 7
Fixlet ID | Task |
200 | Delete RHEL 7 Package List File for Multiple-Package Baseline Installation |
300 | TROUBLESHOOTING: RHEL 7 Patching Deployment Logs - Cleanup |
301 | Import RPM-GPG-KEY-redhat-release - RHEL 7 |
201 | Enable the Multiple-Package Baseline Installation feature - RHEL 7 |
RHEL 7 for IBM Power (Little Endian)
Fixlet ID | Task |
200 | Delete RHEL 7 Package List File for Multiple-Package Baseline Installation - PPC64LE |
300 | TROUBLESHOOTING: RHEL 7 Patching Deployment Logs - Cleanup - PPC64LE |
301 | Import RPM-GPG-KEY-redhat-release - RHEL 7 - PPC64LE |
201 | Enable the Multiple-Package Baseline Installation feature - RHEL 7 - PPC64LE |
RHEL 7 for IBM Power (Big Endian)
Fixlet ID | Task |
200 | Delete RHEL 7 Package List File for Multiple-Package Baseline Installation - PPC64BE |
300 | TROUBLESHOOTING: RHEL 7 Patching Deployment Logs - Cleanup - PPC64BE |
301 | Import RPM-GPG-KEY-redhat-release - RHEL 7 - PPC64BE |
201 | Enable the Multiple-Package Baseline Installation feature - RHEL 7 - PPC64BE |
Note: The following tasks are optional but it is suggested that these tasks are added to the new baseline.
3. Selectively add the patch Fixlets in the baseline.
Ensure that the "Baseline will be relevant on applicable computers where this component is relevant" option is selected for all Fixlets.
Note: If you add two or more Fixlets to the baseline that affect different versions of the same package, the installation task will skip the older versions of the package and install the latest one only.
4. Add the appropriate Multiple-Package Baseline Installation task at the end of the baseline. With this task, you can deploy any of the following actions:
Ensure that the "Baseline will be relevant on applicable computers where this component is relevant" option is not selected.
RHEL 6
Fixlet ID | Multiple-package baseline installation task |
112 | Multiple-Package Baseline Installation - RHEL 6 - x32 - Server |
112 | Multiple-Package Baseline Installation - RHEL 6 - x32 - Client |
113 | Multiple-Package Baseline Installation - RHEL 6 - x32 - Workstation |
121 | Multiple-Package Baseline Installation - RHEL 6 - x86_64 - Server |
122 | Multiple-Package Baseline Installation - RHEL 6 - x86_64 - Client |
123 | Multiple-Package Baseline Installation - RHEL 6 - x86_64 - Workstation |
RHEL 7
Fixlet ID | Multiple-package baseline installation task |
112 | Multiple-Package Baseline Installation - RHEL 7 - x86_64 - Server |
112 | Multiple-Package Baseline Installation - RHEL 7 - x86_64 - Client |
113 | Multiple-Package Baseline Installation - RHEL 7 - x86_64 - Workstation |
RHEL 7 for IBM Power (Little Endian)
Multiple-Package Baseline Installation - RHEL 7 - PPC64LE - Server
RHEL 7 for IBM Power (Big Endian)
Multiple-Package Baseline Installation - RHEL 7 - PPC64BE - Server
What to do next
Before running the baseline, ensure that you meet the following requirements:
The repositories that are registered on the endpoint must contain the target packages and all the required dependency packages.
Allow enough time for a Fixlet, which is using the multiple-package installation method, to complete all transactions and refresh the status on the endpoints before individually deploying the same Fixlet.
Do not run multiple baselines from the same site on the same endpoint.
Follow the Baseline Best Practices documented in the following technote: https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0023651
Note: When you deploy the baseline, the initial sub-action status for all the patch Fixlets will show that they failed. This is the expected behavior. The process for downloading and installing the packages in the baseline is not done at the Fixlet action level, but in the Multiple-Package Baseline Installation task. When the baseline completes, the baseline sub-action status of the Fixlets will reflect the final state of each patch installation.
The RHSM download cacher supports x86 or x86_64 Red Hat patches in air-gapped environments. This tool supports the Patches for RHEL 6 - Native Tools and Patches for RHEL 7 sites.
You can run the RHSM download cacher on a Windows system or a Linux system. For information about requirements, see BigFix - System Requirements.
The RHSM download cacher is available from the BigFix Support site.
To use the tool successfully, ensure that you install the following packages and their dependencies:
For illustration purposes, this section indicates the steps to run the RHSM download cacher in Windows. However, the parameters and subcommands to run the RHSM download cacher are the same for both Windows and Linux systems.
You can run the tool RHSMDownloadCacher.exe to perform additional operations. To run this tool from the command prompt, use the following command:
RHSMDownloadCacher.exe [-h] --rootCertDir <rootcertdir> [parameters...] {subcommand} [-h] [subparameters...]
where:
-h
Specifies the help message of a command instead of running the command.
--rootCertDir
Specifies the root directory where the entitlement certificates and system identity certificates are located. Each set of entitlement certificates and system identity certificates must be placed in their own folder. You can configure the rootCertDir in the plugin.ini file.
check-baserepos
Checks if the entitlement certificates under the certs folder can access the base Red Hat repositories that BigFix supports. The results are displayed in the console and printed in the RHSMDownloadCacher.log.
check-allrepos
Checks if the entitlement certificates under the certs folder can access the Red Hat base repositories and their sub-repositories that BigFix supports. The results are displayed in the console and printed in the RHSMDownloadCacher.log.
parameters
Specifies the optional parameters to be used to configure the download cacher.
--proxyServer
Specifies the URL of the proxy server to use. It must be a well-formed URL that contains a protocol and a host name. The URL is usually the IP address or DNS name of your proxy server and its port, which is separated by a colon. For example: http://192.168.100.10:8080.
--proxyUser
Specifies the proxy user name if your proxy server requires authentication. It is usually in the form of domain\username.
--proxyPass
Specifies the proxy password if your proxy server requires authentication.
--download_dir
Specifies the directory where the files are cached.
If this parameter is not defined, the files are downloaded to the directory that is relative to the download cacher executable directory.
--redownload
Specifies the flag to re-download and overwrite existing RPM files that are in the download directory.
If this parameter is not defined, RPM files are not re-downloaded. However, metadata are, by default, downloaded and overwritten.
--verifyExistingPkgChecksum
Specifies the flag to enforce a checksum check for existing RPM files when trying to download packages using the "buildRepo", "downloadPkg", or "downloadByPatchId" subcommands.
The checksum is set to 'off' by default.
--loglevel
Specifies the log level. You can choose among 'DEBUG', 'INFO', 'WARNING', or 'ERROR'. By default, the value is set to 'INFO'.
INFO
Contains general information outlining the progress and successful downloads, with minimal tracing information.
WARNING
Contains information about failed downloads, and reasons for failure.
ERROR
Contains errors related to the execution of the download plug-in, which might indicate an impending fatal error.
DEBUG
Contains fine-grained information used for troubleshooting issues. This is the most verbose level available.
--help
Specifies the full description and help of a command instead of running the command.
subcommand subparameter
Specifies the subcommand and subparameters to be used to run the download cacher.
The subcommand and subparameter names are case-sensitive.
The subparameter varies for each subcommand as follows:
showKeys
Outputs the list of OS keys for the supported repositories in the <cacher directory>\logs\RHSMDownloadCacher.log file. An OS key indicates the Red Hat operating system version, architecture, and service pack of a single Red Hat repository.
The syntax to run this subcommand is:
RHSMDownloadCacher.exe --rootCertDir <rootcertdir> --download_dir <download_dir> [parameters] showKeys
For example, RHSMDownloadCacher.exe --rootCertDir certs --download_dir C:\downloads showKeys
buildRepo
Builds a local mirrored repository and downloads all the relevant files based on the specified OS key.
The syntax to run this subcommand is:
RHSMDownloadCacher.exe --rootCertDir <rootcertdir> --download_dir <download_dir> [parameters] buildRepo --key <OS_key1,OS_key2,…>
For example, RHSMDownloadCacher.exe --rootCertDir certs --download_dir C:\downloads buildRepo --key server-7-x86_64
where:
--key OS_key1,OS_key2,…
Specifies the Red Hat operating system version, architecture, and service pack. Entries must be separated by a comma and must not include spaces. It must use the following format:
<product>-<version_number>-<architecture>-<sp_level>
For example, --key server-7-x86_64.
downloadMetadataOnly
Downloads the metadata of the specified OS keys.
The syntax to run this subcommand is:
RHSMDownloadCacher.exe --rootCertDir <rootcertdir> --download_dir <download_dir> [parameters] downloadMetadataOnly --key <OS_key1,OS_key2,…>
For example, RHSMDownloadCacher.exe --rootCertDir certs --download_dir C:\downloads downloadMetadataOnly --key server-7-x86_64
where:
--key OS_key1,OS_key2,…
Specifies the Red Hat operating system version, architecture, and service pack. Entries must be separated by a comma and must not include spaces. It must use the following format:
<product>-<version_number>-<architecture>-<sp_level>
For example, --key server-7-x86_64.
downloadPkg
Downloads the listed RPM files for the specified OS key.
Note: If the package that you are downloading has dependencies, we suggest using buildRepo instead to avoid dependency issues.
The syntax to run this subcommand is:
RHSMDownloadCacher.exe --rootCertDir <rootcertdir> --download_dir <download_dir> [parameters] downloadPkg --key <OS_key1,OS_key2…> --pkg <pkg1,pkg2,…>
For example, RHSMDownloadCacher.exe --rootCertDir certs --download_dir C:\temp --redownload downloadPkg --key server-7-x86_64 --pkg python-qrcode-core-5.0.1-1.el7.noarch.rpm
where:
--key OS_key1,OS_key2,…
Specifies the Red Hat operating system version, architecture, and service pack. Entries must be separated by a comma and must not include spaces. It must use the following format:
<product>-<version_number>-<architecture>-<sp_level>
For example, --key server-7-x86_64.
--pkg pkg1,pkg2,…
Indicates the package name.
Each entry must be separated by a comma and must not include spaces. For example, --pkg liblcms1-1.17-77.12.1.x86_64.rpm,liblcms1-32bit-1.17-77.12.1.x86_64.rpm.
downloadByPatchId
Downloads files based on the patch ID for one or more OS keys. The RHSM cacher replaces the reference to the bulletins with the patch_id. The first two digits of the patch_id typically refer to the year. For example, the RHSA-2016-2573 bulletin is replaced with patch_id 162573, with '16' referring to the year.
Note: If the package that you are downloading has dependencies, we suggest using buildRepo instead to avoid dependency issues.
The syntax to run this subcommand is:
RHSMDownloadCacher.exe --rootCertDir <rootcertdir> --download_dir <download_dir> [parameters] downloadByPatchId --key <OS_key1,OS_key2…> --patch_id <patch_id1,patch_id2,…>
For example, RHSMDownloadCacher.exe --rootCertDir certs --download_dir C:\downloads downloadByPatchId --key server-7-x86_64 --patch_id 162516
where:
--key OS_key1,OS_key2,…
Specifies the Red Hat operating system version, architecture, and service pack. Entries must be separated by a comma and must not include spaces. It must use the following format:
<product>-<version_number>-<architecture>-<sp_level>
For example, --key server-7-x86_64.
--patch_id patch_id1,patch_id2,…
Indicates the patch ID of a Fixlet, which is the first six digits in the Fixlet title.
Each entry must be separated by a comma and must not include spaces. For example, --patch_id 162516.
You can use the RHSM download cacher for air-gapped environments by using the buildRepo subcommand to download all patches for a repository to a specified directory. The repository can be in a local directory, on an NFS mount (for Linux), or on a mapped network drive (for Windows).
1. Use the buildRepo subcommand with the RHSMDownloadCacher.exe to download all patches for a repository to a specified directory.
For example,
> RHSMDownloadCacher.exe --rootCertDir certs --download_dir C:\downloads buildRepo --key server-7-x86_64,client-7-x86_64
This downloads all patches for both the "server-7-x86_64" and "client-7-x86_64" repositories into the specified download directory, which is C:\downloads in this example.
2. Transfer the entire download directory to the airgapped server.
3. Open the plugin.ini file of the RHSMDownloadPlugin. Configure the plugin.ini file with the following settings so that the RHSM download plug-in retrieves the required packages from the directory instead of trying to retrieve the packages online.
******************************************
localCache = <download_directory>
localCacheOnly = yes
******************************************
With these configuration settings applied, RHSMPlugin.exe looks in this directory for the required packages instead of trying to retrieve them online when deploying patches.
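Because localCacheOnly = yes makes the plug-in serve packages only from the transferred directory, it is worth confirming that the directory from step 2 arrived complete and unchanged before pointing localCache at it. The following Python script is an added example, not part of BigFix or the RHSM download cacher; the function names and the manifest file are assumptions, and the manifest must be stored outside the download directory.

```python
import hashlib
import os
import sys

def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large RPMs are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_manifest(root):
    """Map each file path (relative to root, '/'-separated) to its SHA-256."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest

def write_manifest(manifest, path):
    """Write 'digest, two spaces, relative path' lines (the sha256sum layout)."""
    with open(path, "w", encoding="utf-8", newline="\n") as f:
        for rel in sorted(manifest):
            f.write(f"{manifest[rel]}  {rel}\n")

def read_manifest(path):
    with open(path, encoding="utf-8") as f:
        return {rel: digest for digest, rel in
                (line.rstrip("\n").split("  ", 1) for line in f if line.strip())}

def verify_cache(root, expected):
    """Compare the transferred directory with the manifest built before transfer."""
    actual = build_manifest(root)
    both = expected.keys() & actual.keys()
    return {"missing": sorted(expected.keys() - actual.keys()),
            "unexpected": sorted(actual.keys() - expected.keys()),
            "modified": sorted(r for r in both if expected[r] != actual[r])}

if __name__ == "__main__":  # usage: build|verify <download_dir> <manifest_file>
    mode, root, manifest_file = sys.argv[1:4]
    if mode == "build":
        write_manifest(build_manifest(root), manifest_file)
    else:
        report = verify_cache(root, read_manifest(manifest_file))
        print(report)
        sys.exit(1 if any(report.values()) else 0)
```

Run it with build on the connected system after buildRepo finishes, and with verify on the air-gapped server after the transfer; a non-zero exit code means at least one file is missing, unexpected, or modified. A manifest that travels with the data detects corruption and incomplete copies, while package authenticity still rests on the GPG signature check.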
Tip:
Use the showKeys command with RHSMDownloadCacher.exe to show all the currently supported keys:
> RHSMDownloadCacher.exe --rootCertDir certs showKeys
Note: The RHSMDownloadPlugin does not support patch deployment to RHEL 5. The earlier version of the RHEL plug-in and download cacher can be used for patch deployment until the end of life (EOL) of RHEL 5 in March 2017. For more information, see https://access.redhat.com/errata/RHSA-2016:0561.
To learn about troubleshooting the RHSM enhancements, see https://help.hcltechsw.com/bigfix/10.0/patch/Patch/Patch_RH/c_troubleshooting.html