8.7.00 enhancements and updates
For information about the updates included in the patches for this release, see the following pages:
- Version 8.7.00.005: Patch 5 for version 8.7
- Version 8.7.00.004: Patch 4 for version 8.7
- Version 8.7.00.003: Patch 3 for version 8.7
- Version 8.7.00.002: Patch 2 for version 8.7
- Version 8.7.00.001: Patch 1 for version 8.7
The following sections describe enhancements for BMC BladeLogic Server Automation version 8.7.00:
For information about issues corrected in this release, see Known and corrected issues.
Installation and upgrade enhancements
The following enhancements have been introduced in BMC BladeLogic Server Automation 8.7.00 for Installation features:
Option for selecting an alternate tmp directory while installing the default Application Server node and additional Application Servers
During installation, the system stores temporary files in the /tmp directory. You can specify an alternate location to store the temporary files, if you do not have enough space or you do not have access to the /tmp directory.
Installing additional application servers using the SUDO and SU execution protocols
When adding additional Application Servers to the environment, you can choose the SSH, SSH + SU, or SSH + SUDO execution protocol for executing commands on the additional Application Server machine. You must specify this protocol, because the additional Application Server machine does not have an agent installed on it.
The SSH + SU execution protocol elevates your privileges to a root user by issuing the SU command. The SSH + SUDO execution protocol elevates your privileges by adding the SUDO command as a prefix to all commands executed on the host machine. The SSH execution protocol simply executes the commands on the host machine without elevating your privileges to a root user. For steps on selecting the required execution protocol, see Adding additional Application Servers.
Compliance Content, Compliance, and SCAP enhancements
The following enhancements have been introduced in BMC BladeLogic Server Automation 8.7.00 for Compliance features:
Improved performance of Compliance Jobs
The Compliance Job has been optimized and now performs better and faster. For more details, see the descriptions of Compliance-related improvements under Performance enhancements.
Updates in the processing of compliance rules
The following new developments have been introduced in BMC Server Automation 8.7.00 to enhance and improve the processing of compliance rules:
- Groups of Command asset operands, which are used in compliance rules to analyze the output of shell scripting commands, are now executed as batch scripts, resulting in improved performance.
- A new remediate operator has been introduced to work with Command asset LHS operands, enabling you to apply a shell command as a remediation action at the end of compliance analysis.
- A group of new assets have been added to support the use of MSS Group Policy Objects (GPOs) as parts in rules. These new assets are displayed in Live Browse under Security Settings\Local Policies\Security Options, and all begin with MSS:.
Automatic component discovery replaces the need for manually running a Component Discovery Job
You no longer need to manually run Component Discovery Jobs on component templates in order to generate components. Instead, you can now authorize a Compliance Job, Snapshot Job, or Audit Job to perform component discovery immediately before running:
- In the General panel or tab of a Compliance Job or Snapshot Job, select the new Run auto-discovery check box.
- For an Audit Job, you can now select a server, rather than a component, as the master. This authorizes the Audit Job to perform automatic discovery.
New templates in Compliance Content for supporting additional policies and platforms
BMC BladeLogic Server Automation now supports the following additional Compliance Content component templates:
|Operating system||OS Version||Benchmark version||Benchmark update||BMC version|
|Microsoft Windows Server||2012 R2||1.1.0||November, 2014||8.7.00|
|Microsoft Windows Server||2008 R2||2.1.0||December, 2013||8.7.00|
|Red Hat Enterprise Linux||7||1.1.0||April, 2015||8.7.00|
|Oracle Solaris||11.1||1.0.0||October, 2013||8.7.00|
|Operating system||OS Version||BMC version|
|Microsoft Windows Server||2012||8.7.00|
|Red Hat Enterprise Linux||7||8.7.00|
Existing templates that are updated in version 8.7 are as follows:
|Policy||Operating system||OS version|
|DISA||Microsoft Windows Server||2012 Domain Controller|
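|DISA||Microsoft Windows Server||2012 Member Server|
|DISA||Microsoft Windows Server||2008 R2 Domain Controller|
|DISA||Microsoft Windows Server||2008 R2 Member Server|
|DISA||Microsoft Windows Server||2003 Domain Controller|
|DISA||Microsoft Windows Server||2003 Member Server|
|DISA||Red Hat Enterprise Linux ES/AS||6.x|
|DISA||Oracle Solaris||11 x86|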
|CIS||Microsoft Windows Server||2008|
|HIPAA||Microsoft Windows Server||2003|
For a complete list of available templates, see Compliance policy standards supported by BMC Server Automation templates.
Compliance analysis of Docker containers based on SCAP 1.2
BMC BladeLogic Server Automation now supports compliance analysis of Docker containers and images on containerized Linux servers (see also Automatic detection of containers on servers and a new containerization property). This compliance analysis is based on SCAP 1.2 content with configuration assessments in Open Vulnerability and Assessment Language (OVAL).
To perform SCAP compliance analysis of containers and images, target servers must meet the following requirements:
- Red Hat Enterprise Linux (RHEL) as the operating system.
- RSCD agents of version 8.6 or later installed.
- Docker Daemon installed.
- OpenSCAP installed.
- Docker containers on the host servers are based on RHEL or CentOS base images.
Several new depot objects and jobs are provided out-of-the-box in BMC BladeLogic Server Automation 8.7 for the compliance analysis of containers and images. Before you begin running a compliance analysis on your containers and images, perform the following quick configuration tasks on these out-of-the-box items:
- Import relevant SCAP 1.2 content into the Container SCAP Policy (an out-of-the-box custom software package), to replace the use of the default sample SCAP content.
- Specify targets in the Container Scan Job (an out-of-the-box NSH Script Job), and optionally configure other parameters and settings in this job.
To run the Container Scan Job, the user who executes the job must be mapped to root on the target systems.
After running the Container Scan Job, results displayed in the BMC Server Automation Console connect you to a new HTML report that summarizes and aggregates the compliance statuses of all containers, and provides you with drill-down options to individual containers and images. This report is available for display in Internet Explorer (IE) and Firefox browsers.
For more information about performing container scans, see Scanning Docker containers for SCAP compliance and Walkthrough: Scanning containers for SCAP compliance.
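A preflight check for the target-server requirements listed above, as an added example that is not BMC code. It assumes that /etc/redhat-release identifies the operating system and that the docker and oscap binaries are on the PATH when installed; the function names are hypothetical. The RSCD agent version and the root mapping are not checked.

```shell
#!/bin/sh
# Added example (not BMC code): preflight for the container SCAP scan
# prerequisites. All function names are hypothetical.

# classify_release TEXT -> prints rhel | centos | other
# TEXT is the first line of /etc/redhat-release.
classify_release() {
    case "$1" in
        "Red Hat Enterprise Linux"*) echo rhel ;;
        CentOS*)                     echo centos ;;
        *)                           echo other ;;
    esac
}

# image_supported TEXT -> status 0 if a container base image is RHEL or CentOS.
# TEXT can be read from a running container with, for example:
#   docker exec <container> cat /etc/redhat-release
image_supported() {
    case "$(classify_release "$1")" in
        rhel|centos) return 0 ;;
        *)           return 1 ;;
    esac
}

# host_preflight [ROOT] -> prints one FAIL line per unmet requirement and
# returns 0 only if the host is RHEL and docker and oscap are on the PATH.
# ROOT defaults to / and exists so the check can run against a test tree.
# Assumption: a docker binary on the PATH stands in for "Docker Daemon
# installed"; whether the daemon is running is not checked.
host_preflight() {
    root=${1:-/}
    failures=0
    line=""
    if [ -r "$root/etc/redhat-release" ]; then
        read -r line < "$root/etc/redhat-release" || true
    fi
    if [ "$(classify_release "$line")" != rhel ]; then
        echo "FAIL host OS is not RHEL: ${line:-no readable /etc/redhat-release}"
        failures=$((failures + 1))
    fi
    for tool in docker oscap; do
        if ! command -v "$tool" >/dev/null 2>&1; then
            echo "FAIL $tool not found on PATH"
            failures=$((failures + 1))
        fi
    done
    [ "$failures" -eq 0 ]
}

# Constructed sample release strings (not taken from a real host or image).
for sample in \
    "Red Hat Enterprise Linux Server release 7.1 (Maipo)" \
    "CentOS Linux release 7.1.1503 (Core)" \
    "Fedora release 22 (Twenty Two)"; do
    if image_supported "$sample"; then verdict=supported; else verdict=unsupported; fi
    echo "$verdict base image: $sample"
done
```

On a target server, calling host_preflight with no argument checks the live system and changes nothing on it.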
Patch management enhancements
The following enhancements have been introduced in BMC BladeLogic Server Automation 8.7.00 for patch management features:
Improved patch troubleshooting experience
Patching error messages now include the following:
- Error codes: Used to identify errors immediately.
- Descriptive error message: More detailed error messages that provide information about variables, parameters, file names, path names, or object IDs that have caused the error.
- Troubleshooting information: Most error messages provide troubleshooting steps to the user, wherever possible.
Patching Red Hat Enterprise Linux (RHEL) based on specific security vulnerabilities and exposures
The MITRE Corporation maintains a system for publicly known information security vulnerabilities and exposures. Each security vulnerability or exposure is referenced by a Common Vulnerabilities and Exposures (CVE) ID. BMC Server Automation includes the CVE ID of a patch in its properties. This allows you to create patch smart groups based on errata CVE IDs, and apply the patches on the RHEL servers based on specific vulnerabilities and exposures.
Detailed logging messages for patch remediation jobs
BMC Server Automation 8.7 now provides the user with more detailed logging information in the results view of patch remediation jobs for Windows target servers. You can now see reboot status, Shavlik status, and other information related to the status of patch remediation on the target along with other errors and warnings.
For steps on accessing the patch remediation job results view, see Viewing Remediation Job results.
Support for downloading Windows patches on a UNIX machine
For offline Windows patching, you can now download patches from Shavlik to a Linux machine using the windows_downloader.sh offline downloader. For more information about using the offline downloader on a Windows or UNIX machine, see Patch Downloader utility for Microsoft Windows.
Support for patching using errata-based filters for Red Hat Enterprise Linux (RHEL) 7
Although BMC Server Automation 8.6 supports patching for RHEL 7, the online and offline patch catalogs can only be created using channel-level filters.
BMC Server Automation 8.7 now supports errata type and errata ID filters for RHEL 7, while creating online and offline patch catalogs. For more information about the type of filters that you can use for RHEL 7, see Patch catalog - Red Hat Catalog. For steps on creating a configuration file for an offline RHEL 7 catalog with errata ID and errata type filters, see Preparing the configuration file for Red Hat Enterprise Linux.
Note that although we now support errata-based filters for RHEL 7, you still cannot use update-level filters for RHEL 7 in online and offline catalogs.
SafeReboot is used to simplify patching of Java installation files on Windows
BMC Server Automation 8.7 automatically creates the required pre-installation and post-installation environment on a Windows target server for patching Java installation files. The SafeReboot file is deployed on the Windows target server whenever a Java installation file is patched.
Note that BMC Server Automation does not decide whether to reboot the Windows target server. This option has to be manually selected by the user (if required) while creating a Deploy Job; see Deploy Job - Job Options.
The following enhancements have been introduced in BMC BladeLogic Server Automation 8.7.00 for the Provisioning feature:
- BMC BladeLogic Server Automation now supports booting from the most recent version of WinPE images, WinPE 5.1. During the creation of a WinPE image through the Image Creation wizard, new options in the Toolkit Select panel enable you to switch the type of Windows kit from AIK (for older versions of WinPE) to ADK (for the newer versions of WinPE).
- BMC BladeLogic Server Automation now supports booting using Unified Extensible Firmware Interface (UEFI), rather than BIOS. UEFI is supported on machines that run any of the following operating systems: RedHat 6 and 7, SuSE 11 SP2 and 12, and Windows 2008 R2 SP1 and 2012.
To support the use of UEFI, new EFI options have been added to the Disk Partition panel displayed during configuration of the system package used by the Provision Job.
For more information about setting up for EFI booting, see Preparing for UEFI booting.
For information about the provisioning process, see Implementation process for provisioning.
The following enhancements have been introduced in BMC BladeLogic Server Automation 8.7.00 for virtualization features:
Shared storage pool support for IBM AIX LPARs
With BMC BladeLogic Server Automation 8.7.00, you can now provision an IBM AIX LPAR that uses a shared storage pool.
New options have been added to the automatic management Storage tab of the virtual guest package (VGP) for AIX LPARs to enable this support. When creating the VGP, you can now create a virtual disk on a shared storage pool that you select, and then assign it to the LPAR.
To do so, select Add Disk from the Storage tab of the VGP. On the Virtual Disk panel, you can make the following selections:
- The new Location Type field contains a Shared Storage Pool option.
- Once you select the option, you then select a server from a drop-down list, and select the shared storage pool from the available list. The shared storage pools are displayed with a naming convention of
- You can also specify if you want the disk to be thin provisioned.
You can provision the LPAR from the BMC BladeLogic Server Automation console or by using the BLCLI. See IBM - Storage (automatic management).
Support for Microsoft Hyper-V generation 2 virtual machines
With BMC BladeLogic Server Automation 8.7.00, you can now set up and provision a Microsoft Hyper-V generation 2 virtual machine (VM) from a Hyper-V generation 2 template. For Hyper-V generation 2 VMs, the following capabilities are supported:
- Provisioning a VM from a Hyper-V generation 2 template using a VGP and Virtual Guest Job (VGJ)
- Ability to modify Memory, Disk, NIC, and CPU
- Ability to live browse the provisioned VM
- Ability to perform ad-hoc actions such as VM start, stop, and delete, from live browse
- REST API support and BLCLI support for all of the above
Note the following requirements for creating Microsoft Hyper-V generation 2 VMs:
- Only template-based VGPs are supported
- Supported guest OSs are those that Microsoft supports for generation 2 templates: Red Hat Enterprise Linux version 7.1, Microsoft Windows 2012, and Microsoft Windows 2012 R2.
- For static IP support, BMC Server Automation uses the static IP pool from SCVMM. Therefore, the input IP address in the VGP must be part of the pool defined in SCVMM. More details are available from the Microsoft online documentation.
Support for LSI Logic SAS adapter type
(RFE QM001876319) In previous versions, bare-metal provisioning in Windows 2012 R2 with VMware 5.5 environments did not complete, and produced an SCSI load driver error. This failure occurred because, by default, BMC Server Automation passes the LSI Logic Parallel SCSI type, and VMware takes the LSI Logic SAS SCSI controller type.
In version 8.7, the VGP checks if the OS is Windows 2012 or 2012 R2, and if the adapter type is something other than LSI Logic SAS, then a warning message is sent and the adapter type is set to the LSI Logic SAS adapter type.
The following enhancements have been made to VMware support in version 8.7:
- Support for VMware vSphere version 6.0
- Ability to use LSI SCSI controllers in VMware VGPs for Microsoft Windows 2012. You can also modify the SCSI controller type using a BLPackage. Note that if you are creating the BLPackage via Live Browse, you must create the package on the SCSI controller node, not on the hard disk node.
- Support for vCenter Linux Appliance
User experience enhancements
Nested smart groups
You can now create nested smart groups to help you organize servers, jobs, depot items, and other assets more efficiently. For example, you can create a smart group for Windows servers and then, within that smart group, you can nest smart groups for Windows 2008 and 2012.
There is no limit to the number of levels you can nest. However, you may experience a performance degradation when you create deep structures, for example, nesting more than six levels deep.
For more information, see Walkthrough: Dynamically organizing assets with smart groups.
Automatic detection of containers on servers and a new containerization property
For every Red Hat Linux server that you enroll, BMC BladeLogic Server Automation now automatically scans the server host for the existence of containers. Currently only Docker containers on Red Hat Enterprise Linux (RHEL) are supported. The containers can be based on RHEL or CentOS base images. If containers are detected, the new property SERVER_CONTAINER_TYPE in the built-in Server property class is populated with a value (currently the only value is RHEL Docker Container). You can then use this property to create smart groups of containerized servers.
Enhancements to product performance have been introduced into various areas of the product. The following product areas, in particular, now exhibit improved performance:
- Catalog update jobs for online and offline Red Hat Enterprise Linux catalogs, especially if the catalog is modified with minor changes.
- Compliance Jobs now perform better and execute faster due to the following enhancements:
  - Evaluation of conditions within rules is now done at a more granular level.
  - Parts associated with the Compliance Job are collected dynamically at job run time, so that only relevant parts need to be collected.
  - In Compliance Content templates, complex compliance rules that evaluate extended objects (EO) were updated to work with native objects instead.
- The version-neutral import mechanism for importing component templates can now handle the import of multiple component templates in parallel.
- Connections to Application Servers of type NSH_Proxy, minimizing the number of handshakes necessary for connections between client and NSH proxy.
  As part of this enhancement, a new mechanism of SSL sessions was introduced for connections from RSCD agents to the NSH proxy. In addition, a new blasadmin command, NshProxyApplicationSessionTimeOut, enables you to control the timeout for these connection sessions to the NSH proxy.
  This mechanism generates temporary files that contain encrypted session information. These temporary files accumulate in the RSCD/sessions folder on the agent. You can use a script provided by BMC to clean up these temporary files; obtain this script from BMC Communities. This cleanup script is necessary only in product version 8.7.00. As of version 8.7.00.001 (Patch 1 for 8.7.00), the temporary files from NSH proxy sessions are automatically deleted when the NSH session times out or is closed and a new session is activated.
- NSH file transfers and NSH Script Jobs
New icons in the user interface
Several key icons in the user interface have been updated. In particular, note the following changes:
- Wherever used in the UI, the BMC logo has been updated.
- The icon for BLPackages has changed.
Controlling the size of job logs
You can now control the amount of data stored in job run logs, using the new blasadmin component jreLog. This new blasadmin component enables you to perform the following configuration tasks:
- Restrict target-related log messages to a certain severity (or log level), using the new LogLevel parameter of the jreLog component. You configure the log level separately for each job type or group of job types.
- Set the maximum number of messages to store in the log, using the new LogLimit parameter of the jreLog component. Configuration of this log limit depends on the type of messages:
  - To limit target-related log messages, you configure the log limit separately for each job type or group of job types.
  - To limit messages with job run data, you configure a single limit for all job types.
The job log settings that you configure through blasadmin are saved in the BMC Server Automation database and are applied to all Application Servers during job execution. You do not need to restart the Application Server after performing these tasks.
For more information, see Controlling the size of job logs.
The following enhancements have been introduced in BMC BladeLogic Server Automation 8.7.00 for integration:
Integrating BMC BladeLogic Server Automation with Chef-solo
This new integration, available in version 8.7, enables you to leverage Chef-solo content without having to provision a full-fledged Chef infrastructure in your environments. This feature enables you to:
- Create content (depot objects and jobs) for deploying the Chef-solo agent
- Create content (depot objects and jobs) for deploying Chef cookbooks, roles, environment, and databags.
Two new wizards enable you to execute NSH Scripts and NSH Script Jobs that are installed out of the box with BMC Server Automation version 8.7.
The scripts import Chef cookbook(s), roles, environment, databags and pre-requisites (such as Ruby) and generate Depot Objects such as Software Depot Objects and BLPackages as well as the corresponding Deploy Jobs to help users deploy a Chef cookbook (and if needed, its prerequisites) on servers managed by BMC Server Automation.
Also, BMC Server Automation system administrators can perform additional activities after execution of Chef cookbooks on the nodes without having knowledge of the Ruby code, which is required to write additional cookbooks and recipes. Additionally, if the same BMC Server Automation system administrators are performing regulatory compliance and patching activities on these servers and if they perform the application deployment activities through BMC Server Automation, the entire process provides stronger control of servers in your environment. Further, cookbooks can be reused in your production environment.
For more information, see Integrating BMC Server Automation with Chef-solo.
New Deploy module for online database cleanup
The online database cleanup mechanism, which enables you to delete old database rows while the Application Server is running and the database is online, was enhanced with a new module to support the cleanup of historical database rows from Deploy Jobs. The BLCLI command Delete cleanupHistoricalData now includes a new object type, Deploy, to enable this functionality.
Health and Value Dashboard enhancements
In previous versions, the BladeLogic Health and Value Dashboard provided only the current view of the BMC Server Automation environment status, which did not include any historic data.
In version 8.7, the Health and Value dashboard provides the overall status of all Infrastructure components (such as Application Servers, agents, the file server, and the database) over a period of time. You also now have the ability to monitor status with respect to key product usage trends. New features for the dashboard include:
- A new Product Usage Trends tab has been added to the Health Dashboard in version 8.7. This tab enables you to view the BMC Server Automation license usage against the various licenses that you have purchased.
- Support for export to CSV and PDF, as well as image formats for graphs
- Improved Error Reporting - Ability to set the threshold on each parameter, which triggers warnings and errors that are displayed on the new Time Series graphs
- New options for the Jobs tab. The following new options have been added in this version:
  - Option to identify the number of jobs without a timeout
  - Option to identify jobs with high verbosity (that is, a high number of logs)
- New options for the Database Server tab. The following new options have been added in this version:
  - Last analyzed stats
  - Up to date / Stale stats
  - Tables by identity capacity
  - Historical run cleanup
  - Database cleanup
  - Hard delete shared object cleanup
  - Tables with high fragmentation
New walkthrough topics added in this release
Walkthrough topics introduce you to a key BMC Server Automation use case (for example, compliance), and provide step-by-step, cookbook-style examples that demonstrate a specific aspect of that use case. The following walkthrough topics were added in 8.7:
- Walkthrough: Dynamically organizing assets with smart groups
- Walkthrough: Scanning containers for SCAP compliance
- Walkthrough: Running Chef cookbooks from the BMC Server Automation console
For a full list of available walkthrough topics, see FAQs and additional resources.
New BLCLI commands in 8.7.00
|AuthorizationProfile||listAllAuthorizationProfiles||Lists all Authorization Profiles in the system, one profile on each line.|
|ExecutionTask||deleteExecutionTaskByGroupAndName||Deletes an Execution Task by group and name.|
|Job||executeJobAndReturnScheduleID||Executes a job and returns the schedule ID.|
|PropertyInstance||applyAclPolicy||Applies an ACL Policy to a Property Instance and returns the DBKey of the updated instance.|
|RBACRole||deleteRole||Deletes an existing role.|
|Template||listPropertyInstanceNamesByGroupAndName||Lists the names of all local property instances for a Component Template.|
|Utility||exportDeployRunStatusWithUndoByGroup||Exports the server/phase status of the latest run of all Deploy Jobs in a specified group including undo. It places this status information in a CSV file.|
Updated BLCLI commands in 8.7.00
|ComponentException||createComponentExceptionWithOneRule||Updated to include the rule reference number in the input.|
|Delete||cleanupHistoricalData||Option added for deleting historical data from Deploy Jobs.|
Option added to return the permissions contained in the policy along with the policy name.