Use subscription certificates from the repository server for Red Hat Enterprise Linux

In earlier versions, whenever Red Hat reissued any subscription certificates, you had to update the Patch Global Configuration settings (online mode) and the offline downloader's XML configuration file (offline mode) so that the patch catalogs could use the latest certificates.

Starting with this version, TrueSight Server Automation provides support for using certificates from the repository server in addition to the Patch Global Configuration settings and the XML configuration file. While creating a patch catalog if you select the Use Certificates From Repository Server option (online mode), TrueSight Server Automation uses certificates from the repository server instead of the Patch Global Configuration settings. If you set the <use-repo-server-cert> element to 1 in the XML configuration file, TrueSight Server Automation uses certificates from the repository server instead of the file. If the repository server does not have the latest certificates or if those certificates are not working, TrueSight Server Automation makes an attempt to refresh the certificates on the repository server by using the subscription-manager refresh command. 

Access subscription certificates from a non-standard location on the repository server

By default, the repository server stores subscription certificates for the Red Hat Enterprise Linux patch catalogs in a standard directory. TrueSight Server Automation accesses certificates from this directory while creating a patch catalog. Now you can store certificates in a non-standard directory and configure the psu-patch.properties file so that TrueSight Server Automation can access certificates from the non-standard directory. For more information about configuring the file, see Creating-a-patch-catalog-for-Red-Hat-Enterprise-Linux (online mode) and Preparing-the-configuration-file-for-Red-Hat-Enterprise-Linux (offline mode).

Verification of Smart Hub and Smart Hub Gateway by Application Servers and Smart Agents

A TrueSight Server Automation Application Server and Smart Agent can now verify whether they are communicating with a legitimate Smart Hub and Smart Hub Gateway. For more information about the verification process, see Smart-Hub-to-Application-Server-and-Smart-Agent.

Secure TLS communication between the Application Server and RSCD Agents using server-side, CA-signed certificates

You can now secure the TLS communication between RSCD Agents and an Application Server by using the server-side, CA-signed certificates on the RSCD Agents.

To use the CA-signed certificates for the server-side verification process, complete the following tasks:

1. Configure the Application Server for the CA bundle, which contains root and intermediate CA certificates.
2. Generate a CA-signed certificate for the RSCD Agent.
3. Provision the RSCD Agent with the CA-signed certificate and enable certificate verification.

For more details about these tasks, see TLS-with-server-side-CA-signed-certificates-Securing-a-Windows-Application-Server (Windows) or TLS-with-server-side-CA-signed-certificates-Securing-a-UNIX-Application-Server (UNIX).

Analyze RPMs flagged as security updates for Red Hat Enterprise Linux patch catalogs

While creating or modifying a Red Hat Enterprise Linux Patching Job, you can now perform an analysis only for those RPMs that are flagged as security updates.

The new option, Security Mode - Analyze for security updates available for installed RPMs on target server for performing analysis is available for the Red Hat Enterprise Linux versions 7 and 8 Patching Jobs. For more information, see the Patching Job - Analysis Options panel on Creating a Patching Job.

After you upgrade to version 21.3, ensure that you update the existing patch catalogs for the new option to take effect.

Database cleanup performance improvement

The underlying structure of how object overflow data is stored in the COMPLIANCE_RULE_RESULT and JOB_RUN_EVENT tables has been changed and new columns have been added to these tables in version 21.3. The number of rows in the OBJECT_OVERFLOW_DETAIL table has reduced. These changes might result in a cleanup performance improvement in certain environments.

BMC recommends that you perform upgrade in a test environment first, using a copy of the production database, to better estimate the downtime window.

Operations Dashboard UI enhancements

The Operations Dashboard has been enhanced with the following features:

• On the TrueSight Server Automation tab, the legends to indicate deployments have been moved to the right pane. So you can now navigate through a large number of deployments easily.
  . In addition, the color scheme has been improved, and each deployment has been assigned a unique color.
• On the Configuration tab, the Dashboard Refresh interval has been reduced to 60 seconds. 
• The position of the tooltip for a deployment has been changed for better readability.

For more information, see Operations-dashboard.

Password updates for the Live Reporting dashboard

Starting from this release, when you launch the Live Reporting dashboard from the TrueSight Server Automation console for the first time, you are prompted to set the dashboard password. Once you set the password, you will not be prompted for a password on subsequent launches.

You will also need to use this password the first time you launch the dashboard from a browser as you can no longer use the default password. For more information, see Launching the Live Reporting dashboard.

Installer updates

This release contains the following installer updates.

Ability to compare subjects of CA-signer and Smart Hub server certificates

When installing or upgrading the Smart Hub, the subjects of the CA-signer and Smart Hub server certificates are compared. If the subjects match, you are prompted to regenerate the Smart Hub server certificate.

When installing or upgrading the Smart Hub using the installation script, you can regenerate the server certificate by providing different inputs on the Smart Hub server certificate panel.

During silent installation or upgrade of the Smart Hub, the following parameters enable you to regenerate the certificates with different values:

• ca-cert-subject: Indicates the values used for generating the CA-signer certificate. 
• server-cert-subject: Indicates the values used for generating the Smart Hub server certificate.

Availability of 64-bit installers on Windows for various components

TrueSight Server Automation provides 64-bit installers for the following components on Windows:

• PXE Server
• Network Shell

During upgrade to 21.3, the installation directory for these components remains the same even when using the 64-bit installers. For example, if Network Shell (32-bit) was installed in the C:\Program Files (x86) directory, Network Shell is upgraded in the same directory.

TrueSight Server Automation no longer provides 32-bit installers for the following components on Windows:

• Application Server
• Network Shell  
• Console

RPM-based installer for the Linux, ppc64le architecture

This release provides RPM-based installer for the Linux, ppc64le architecture. For the complete list of installers available in TrueSight Server Automation, see Supported platforms for native installers.

Third-party software updates

This release contains the following third-party software updates.

Support for updated version of Java Runtime Environment (JRE)

This version is shipped with 64-bit JRE, AdoptOpenJDK version 11.0.12+7.

Support for PsExec version 2.34

TrueSight Server Automation now supports PsExec version 2.34.

Note that PsExec versions 2.32 and 2.33 are not supported.

Enabling Smart Agent in RSCD Agents

If you are using RSCD Agents that don't have the Smart Agent feature enabled, ensure that you enable this feature while upgrading to 21.3. Enabling this feature now will prepare your deployed agents for automatic upgrade in a future version.

For instructions on enabling this feature, see Upgrading-the-RSCD-agent-on-Windows or Upgrading-the-Network-Shell-or-the-RSCD-agent-using-RPM.

PKI authentication updates

TrueSight Server Automation no longer supports 32-bit DLLs when using ActivClient or 90meter for PKI authentication. Therefore, after you upgrade the TrueSight Server Automation console to 21.3, update the sunpkcs11.cfg file to store the path to the 64-bit DLLs. For instructions, see Implementing-PKI-authentication.

Additional Compliance Content templates

This version adds support for the following Compliance templates:

• Center for Internet Security (CIS) for Oracle Linux 8 - Template version 1.0.1
• CIS for Amazon Linux 2

Assign multiple managed servers to an existing server group using a text file

Now you can assign multiple managed servers to an existing server group simultaneously through a text file by using the Add only existing servers to the group option in the Import Servers wizard. For more information, see Assigning-multiple-managed-servers-to-a-server-group-using-a-text-file.

Improved job run logging for Patching and Deploy Jobs

The job run logs are improved for the Patching and Deploy Jobs:

• The command exit code for the Patching and Deploy Jobs now shows the full executable path. For example, "C:\temp\stage\c8258c8160668a62\bldeploycmd-1.bat": Item '<Item name>' returned exit code 0.
• The Deploy end status event is now logged at ERROR level instead of DEBUG. For example, 08/14/21 11:48:10.086 DEBUG bldeploy - [1][Q4093119 Deploy Job2021-04-22 17-32-24-599+0530] Sending deploy end status event: The service cannot be started. 

Configure additional number of errors and warnings in logs for a target and job run

You can set the additional number of errors and warnings that can be stored in the logs for a target and job run by using the following attributes in the jrelog component of the blasadmin utility:

• PerTargetErrorWarningBufferLimit: Sets the number of errors and warnings that can be stored for a target in addition to the limit specified in blasadmin by using the LogLimit attribute.
• JobRunErrorWarningBufferLimit: Sets the numbers of errors and warnings that can be stored for a job run in addition to the limit specified in blasadmin by using the LogLimit attribute.

For more information about these attributes, see Controlling-the-size-of-job-logs.

Change in the system authorization notification mechanism for audit trails

In earlier releases, no audit trail notification was sent if the notification was configured on the .* (parent) authorization. For example, if the notification was configured on the Server.* authorization and a user live browsed a server object, no notification was sent.

Starting with this release, to enable audit trail notifications on the parent authorizations, use the following blasadmin command:

Now if the notification is configured on the Server.* authorization and a user live browses a server, notification is sent as configured.

The default value for this setting is false.

For more information, see Defining-audit-trails.

REST API enhancements

This version provides the following REST API enhancements:

• The REST API support is available for Patching Jobs on the Ubuntu platform. 
• You can add a server to the system by using the POST method. For more information about this method, see servers.
• You can decommission a server with the specified ID by using the DELETE method. For more information about this method, see servers.

• The REST API logs display the unique session ID for each API call invoked and the time taken to complete the call (in milliseconds). The following example displays session id and total time taken for the POST call.

  [04 Aug 2021 16:50:27,746] [https-jsne-jio-9843-exec-6] [INFO] [BLAdmin:BLAdmins:10.133.76.186] Response Status:- POST ->  https://tssa-qa:9843/rest/api/v1/patching-jobs, status code 400, session id [4463AD18C034XA6F09F8A7BD7507UI], total time taken [391]ms

For the complete list of supported operating systems and API details, see REST-API-endpoints.