IBM Support

How can I troubleshoot the Core Protection Module (CPM) automatic update process?

Technote (troubleshooting)


Problem(Abstract)

The following describes troubleshooting CPM Automatic Updates.

Resolving the problem

On the TEM Server

1. Check in BESAdmin that the CPM custom operator was created. If the default username was used in the setup script, this will be 'cpm_admin'.
2. Check that the propagation credentials and site authorization is created for the custom operator:

  • Propagation credentials folder for the custom cpm operator
  • Location: C:\Program Files\BigFix Enterprise\TrendMirrorScript\Credentials
  • publisher.crt
  • publisher.pvk
3. Check existence and correctness of automatic update related registry entries.
Note
: PropagationUser and PropagationPassword are the default values.
  • [HKEY_LOCAL_MACHINE\SOFTWARE\BigFix\CPM\server]
  • "PropagateManifest"=dword:00000001
  • "ManifestSiteName"="FileOnlyCustomSite_CPMAutoUpdate"
  • "PropagationUser"="cpm_admin"
  • "PropagationPassword"="trendmicro"
  • "PropagationDSN"="bes_bfenterprise"
  • "CredentialsPVK"="C:\\Program Files\\BigFix Enterprise\\TrendMirrorScript\\Credentials\\publisher.pvk"

After the above criteria are satisfied, a pattern-set will be published to the CPM custom site the next time a recurring policy action from task 'Set ActiveUpdate Server Pattern Update Interval' runs. To verify that new pattern-sets are successfully published check the following:
1. CPM Automatic Update custom site folder Location: C:\Program Files\BigFix Enterprise\BES Server\wwwrootbes\bfsites\CustomSite_FileOnlyCustomSite_CPMAutoUpdate_10
Files contained in the CPM custom site folder:
  • filelist_srv.txt: referenced in the 'Apply Automatic Updates' task to determine if the CPM client has any out-of-date patterns
  • server.ini: used by the CPM client updater component
  • manifest.ini: metadata containing information about this pattern-set
2. Each time a new pattern-set is downloaded, a corresponding folder named 'CustomSite_FileOnlyCustomSite_CPMAutoUpdate' is created. There may exist multiple versions of the same folder, each appended with an incremental number. Each folder corresponds to the number of times the CPM custom site has been published. The folder with the highest number contains the most recently published pattern-set information.
3. We can use the information contained in the manifest.ini to verify what pattern-set version is currently served for automatic updates at the TEM Server.
a. If there is more than one CustomSite_FileOnlyCustomSite_CPMAutoUpdate_## folder, open the most recent one (signified by the highest incremental value appended to the folder name).
b. View the manifest.ini in a text editor and examine the 'version' field: version="20090803_170903"
This value corresponds to the pattern-set version that is currently available for automatic updates.
c. Cross-check the automatic update pattern-set version with the most recently available pattern-set stored in the pattern-set cache on the TEM Server. You can check this in two places.
Note
: This pattern-set cache is the same source that is used to deploy manual updates.
i. Pattern Updates Wizard:
CPM Dashboard > Updates > Update/Rollback Patterns > New Pattern Update/Rollback
When the wizard loads, the most recent pattern-set will display at the top of the pattern-set list.
ii. TEM Server file system:
C:\Program Files\BigFix Enterprise\BES Server\wwwrootbes\cpm\patterns\20090803_170903

On the TEM Client
How can we tell if the client machine has automatic updates enabled?

After the automatic update process is validated on the TEM Server, we can check whether the TEM Client has the most recent pattern-set information available.

After deploying task 'Core Protection Module - Enable Automatic Updates - Endpoint', it will subscribe the TEM Client to the CPM automatic update custom site

Similar to any other TEM site, you can find it at the following location:
C:\Program Files\BigFix Enterprise\BES Client\__BESData\CustomSite_FileOnlyCustomSite_CPMAutoUpdate

When automatic updates are setup properly, this folder will contain the same contents as the most recent version of the custom site on the TEM Server.

  • filelist_srv.txt: Referenced in the 'Apply Automatic Updates' task to determine if the CPM client has any out-of-date patterns
  • server.ini: Used by the CPM client updater component
  • manifest.ini: metadata containing information about this pattern-set

On the TEM Client view the manifest.ini file and search for the version field. This value should be the same and represent the latest pattern-set that is available on the server. You can cross check this value with that on the TEM Server. Please refer to Step 3 in the previous section.

Now that automatic updates are enabled on the TEM Client, how can we tell if it is setup properly?

The task 'Core Protection Module - Apply Automatic Updates' references information in the 'filelist_srv.txt' file in its applicability relevance to determine if the CPM client has outdated components or pattern files. Specifically, Relevance statement 6 of the 'Apply Automatic Updates' task that ultimately determines the clients applicability. There are client session inspectors used within that relevance that restrict it from evaluation within the Relevance Debugger.

A sample tool that allows manual testing of the relevance locally on the client machine is the TEM Session Relevance Editor. Copy and paste Relevance statement 6 into the Client API tester. If it evaluates true, then the CPM client has outdated components whereas false indicates all components and patterns are up-to-date with respect to that pattern-set that is currently available.

Historical Number

886

Document information

More support for: IBM BigFix family

Software version: Version Independent

Operating system(s): Platform Independent

Reference #: 1506179

Modified date: 02 August 2012


Translate this page: