23.4 enhancements and patches


Review the 23.4 enhancements and patches for features that will benefit your organization and to understand changes that might impact your users.

Version

Fixed issues

Updates and enhancements

23.4.01

23.4.00

For a list of recent updates and enhancements across multiple versions, see Release-notes-and-notices.


23.4.01


 

Support for Multifactor Authentication in the TrueSight Server Automation Console by using Remedy SSO

The TrueSight Server Automation Console now supports multifactor authentication through the Remedy SSO authentication system. This feature strengthens security by adding a layer of protection beyond a user name and password, which reduces the risk of unauthorized access, data breaches, and identity theft.

This increased security gives users and stakeholders greater confidence in the system's reliability and integrity, and helps safeguard sensitive information and maintain regulatory compliance.

For more information, see Enabling-Multi-Factor-Authentication-MFA-support-for-console-users-using-the-Remedy-SSO-authentication-system.


What else changed in this release

Update: Improved performance by adopting table partitioning for deploy_job_run_event cleanup

Product behavior in versions earlier than 23.4.01: The table partitioning feature in SQL Server did not include the deploy_job_run_event table. This omission led to performance issues in Offline Cleanup. Specifically, the process followed a non-partitioned table route for addressing table cleanup, resulting in significant delays in determining deletions and processing qualified data.

Product behavior in version 23.4.01: The scope of table partitioning has been extended to include the deploy_job_run_event table. As a result, the table now follows the table partition cleanup route, dropping partitions instead of deleting data rows. This change has led to a significant performance improvement.


23.4


Support for ARM architecture

This release supports the ARM64 (AArch64) architecture on the following platforms: 

  • SuSE Linux Enterprise Server 15.x
  • Red Hat Enterprise Linux 8 x86_64
  • Red Hat Enterprise Linux 9 x86_64

For a complete list of supported architectures, see Supported-platforms.

 

Support for Rocky Linux patching

This release supports patching on Rocky Linux 8 x86_64 and Rocky Linux 9 x86_64.

For more information, see Preparing-the-configuration-file-for-Rocky-Linux.

 

Microsoft Office 365, 2019, and 2021 online patching

TrueSight Server Automation supports a Microsoft Office patching solution that requires target servers to be connected to the internet. For more information, see Setting up online patching for Microsoft Office 365 2019 and 2021.


Online cleanup for list_bl_value and list_bl_value_element

The ListBLValue cleanup module is now enabled for the DBM Online cleanup framework.

For more information, see Types-of-data-commonly-included-in-cleanups.

 

Support for additional platforms

This release supports the following additional platforms: 

  • Debian 11 x86_64 (RSCD Agent, Smart Agent, Patching)
  • Debian 12 x86_64 (RSCD Agent, Smart Agent, Patching)
  • Microsoft Windows 11 (Console)
  • Oracle Linux 8 x86_64 (Unified Product Installer, Application Server, Live Reporting)
  • Oracle Linux 9 x86_64 (Unified Product Installer, Application Server, NSH, Live Reporting)
  • Red Hat Enterprise Linux 8 AArch64 (RSCD Agent)
  • Red Hat Enterprise Linux 9 AArch64 (RSCD Agent)
  • SuSE Linux Enterprise Server 15 AArch64 (RSCD Agent)

For a complete list of supported platforms, see Supported-platforms.

 

Support for SYSTEM User Only Mapping on Microsoft Windows

You can now map all the configured or permitted roles and users to the SYSTEM user on the Microsoft Windows server. If your organization-wide security policy prohibits user impersonation, the Windows User Mapping or User Privilege Mapping (UPM) techniques cannot be used to enable a user to assume an effective user identity including a set of user permissions on remote servers. In such cases, use the SYSTEM User Only mapping technique.

When you use this user mapping, the RSCD service operates under the SYSTEM account, and during execution, establishes mappings to the configured user accounts.

 

Enhancing Yum’s performance and streamlining its efficiency by using the Include/Exclude selection

To make the analysis process more efficient, a new pre-processing step in the Update Mode, with the By Complete Package Name option selected, filters out RPMs that are not installed on the system before they are passed to Yum.

 

Security enhancements

Umask enforcement in service startup scripts

For consistent and controlled permissions related to the artifacts created by TrueSight Server Automation, the umask value of 0022 is enforced in all the service startup scripts. This approach addresses the issue of unintended permissions that may arise due to a misconfigured umask in the system.

Enhanced security with the rootonly option in the RSCD agent

The RSCD Agent installer now includes a new option called rootonly. TrueSight Server Automation administrators can enable this option selectively, limiting it to situations where mapping all role:user pairs to the root user account is intended. When you enable this option on the servers, the common directories are protected from being writable by all users, and the SUID (Set User ID) bit is prevented from being set on certain executables.
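The following added example (not BMC code) shows what the umask enforcement and the rootonly option described above guard against: it creates files under an inherited umask of 0000 and under 0022, then audits a tree for world-writable directories, SUID files, and group/world-writable files. The temporary tree and its file names are constructed for illustration; the page does not say which directories or executables the product covers.

```python
import os
import stat
import tempfile

def create_artifact(path, umask_value):
    """Create a file as a service would (requesting 0666) under the given umask."""
    previous = os.umask(umask_value)
    try:
        os.close(os.open(path, os.O_CREAT | os.O_WRONLY, 0o666))
    finally:
        os.umask(previous)  # restore the caller's umask
    return stat.S_IMODE(os.stat(path).st_mode)

def audit(root):
    """Report world-writable directories, setuid files and group/world-writable files."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: do not follow symlinks out of the tree
            mode = stat.S_IMODE(st.st_mode)
            if stat.S_ISDIR(st.st_mode) and mode & stat.S_IWOTH:
                findings.append(("world-writable directory", path))
            elif stat.S_ISREG(st.st_mode):
                if mode & stat.S_ISUID:
                    findings.append(("setuid file", path))
                if mode & (stat.S_IWGRP | stat.S_IWOTH):
                    findings.append(("group/world-writable file", path))
    return sorted(findings)

def demo():
    """Build a constructed tree in a temp directory and audit it."""
    with tempfile.TemporaryDirectory() as root:
        loose = create_artifact(os.path.join(root, "inherited.log"), 0o000)
        tight = create_artifact(os.path.join(root, "enforced.log"), 0o022)
        shared = os.path.join(root, "shared")
        os.mkdir(shared)
        os.chmod(shared, 0o777)   # constructed: directory writable by all users
        helper = os.path.join(root, "helper")
        create_artifact(helper, 0o022)
        os.chmod(helper, 0o4755)  # constructed: file with the SUID bit set
        found = [(kind, os.path.basename(p)) for kind, p in audit(root)]
    return loose, tight, found

if __name__ == "__main__":
    loose, tight, found = demo()
    print(f"umask 0000 -> {loose:04o}, umask 0022 -> {tight:04o}")
    for kind, name in found:
        print(f"{kind}: {name}")
```

Pointing audit() at a real installation directory gives a before-and-after check when the option or the new startup scripts are rolled out.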

 

Enhancing RESTful API Security

You can now enhance your security by transmitting your login credentials, specifically the username and password, in the header of your HTTP request by using the authorize API. This method allows you to obtain the session ID and mitigate security concerns, and it is a safer and more secure way of interacting with RESTful services.

For more information, see Using-TrueSight-Server-Automation-RESTful-Web-Services


REST API enhancements

This version provides the following REST API enhancements:

Patching API enhancement

The REST API support is now available for Patching Jobs on Debian.

We recommend using the Debian filter option in place of the Ubuntu filter option, because it offers identical functionality.

For more information, see REST-API-endpoints.

BLPackage API enhancement

Use the following REST API to create the BLPackage:

POST /api/v1/blpackages: Creates a BLPackage for the Depot object type.

For more information, see REST-API-endpoints.

Leveraging REST API for efficient job retries

You can now re-execute a specific job run against its failed targets for a variety of jobs, including Batch jobs, Compliance jobs, File-deploy jobs, Deploy jobs, NSH-script jobs, and Patching.

For example, to re-execute a file-deploy job against failed targets, use the PATCH method at this endpoint: 

PATCH /api/v1/batch-jobs/{id}/jobruns/{run_id}/: Executes the batch job against failed targets.

For more information, see REST-API-endpoints.

Simplified job execution for specific targets

You can use the simplified API to execute specific jobs on specific targets, including servers and groups. The supported job types are Batch jobs, Compliance jobs, File-deploy jobs, Deploy jobs, NSH-script jobs, and Patching. Use the following endpoint to execute a job by its job ID:

PATCH /api/v1/batch-jobs/{id}

Accessing file-deploy-jobs easily by using the simplified API

  • Accessing all the file-deploy-job runs: Use GET /api/v1/file-deploy-jobs/{id}/jobruns to retrieve a comprehensive list of all file deploy job runs for a specific job ID.
  • Fetching specific job run results: Use GET /api/v1/file-deploy-jobs/{id}/jobruns/{run_id}/results to fetch the file deploy job run results for a specific job ID and the associated job run ID.

 

 

Java version upgrade from Java 11 to Java 17

The JRE version in 23.4 is upgraded from 11.0.17+8 to 17.0.8+7, which offers advantages such as performance improvements, security updates, extended support, enhanced language features, and improved library compatibility.

 

Support for stronger ciphers to enhance communication between the Application Server, Smart Hub, Smart Hub Gateway, and RSCD Agent

This release uses stronger cipher suites for communication between various architecture components. The new stronger cipher suites are used for the following communication options:

Communication from the application server to the RSCD Agent

  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_RSA_WITH_AES_256_CBC_SHA256

Communication from the Console (RCP client) to the application server

  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

Communication from the application server to the Smart Hub

  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_RSA_WITH_AES_256_CBC_SHA256
  • TLS_RSA_WITH_AES_256_CBC_SHA

Communication from the application server to the Smart Hub Gateway

  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_RSA_WITH_AES_256_CBC_SHA256
  • TLS_RSA_WITH_AES_256_CBC_SHA
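The suites listed above differ in key exchange and record protection. The following added example (not part of the product or its documentation) parses the suite names from this page, flags those without forward secrecy or AEAD, and gives each suite's OpenSSL name for use in OpenSSL-based checks; the channel labels paraphrase the headings above.

```python
import re

# Suite names copied from the lists on this page; channel labels paraphrase its headings.
ECDHE_GCM = ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"]
DHE_GCM = ["TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384"]
CBC_SHA256 = "TLS_RSA_WITH_AES_256_CBC_SHA256"
CBC_SHA1 = "TLS_RSA_WITH_AES_256_CBC_SHA"
HUB = ECDHE_GCM + DHE_GCM + [CBC_SHA256, CBC_SHA1]
CHANNELS = {
    "application server -> RSCD Agent": ECDHE_GCM + DHE_GCM + [CBC_SHA256],
    "Console (RCP client) -> application server": ECDHE_GCM,
    "application server -> Smart Hub": HUB,
    "application server -> Smart Hub Gateway": HUB,
}

# Matches the AES suite-name shapes that appear on this page (TLS 1.2 naming).
SUITE_RE = re.compile(
    r"^TLS_(?:(?P<kx>ECDHE|DHE)_)?(?P<auth>RSA|ECDSA)_WITH_"
    r"AES_(?P<bits>128|256)_(?P<mode>GCM|CBC)_(?P<hash>SHA(?:256|384)?)$")

def parse(suite):
    m = SUITE_RE.match(suite)
    if m is None:
        raise ValueError(f"unrecognised suite name: {suite}")
    return m.groupdict()

def notes(suite):
    """Properties a reviewer would flag; an empty list means none."""
    p, out = parse(suite), []
    if p["kx"] is None:
        out.append("static RSA key exchange, no forward secrecy")
    if p["mode"] == "CBC":  # in CBC suites the trailing hash is the record MAC
        mac = "SHA1" if p["hash"] == "SHA" else p["hash"]
        out.append(f"CBC with HMAC-{mac}, not AEAD")
    return out

def openssl_name(suite):
    """OpenSSL's name for the same suite, usable in an OpenSSL cipher string."""
    p = parse(suite)
    parts = ([p["kx"], p["auth"]] if p["kx"] else []) + ["AES" + p["bits"]]
    parts += ["GCM"] if p["mode"] == "GCM" else []
    return "-".join(parts + [p["hash"]])

def review(channels):
    """Per channel, the suites that drew at least one note."""
    return {ch: {s: notes(s) for s in suites if notes(s)} for ch, suites in channels.items()}

if __name__ == "__main__":
    for channel, flagged in review(CHANNELS).items():
        print(channel, {openssl_name(s): n for s, n in flagged.items()})
```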

 

Discontinued support for the Process Spawner component

The Process Spawner component that was only used for spawning processes externally to the application server process has been discontinued in 23.4. The process spawner service is no longer available in a disabled state on a new application server. Additionally, you will not be able to manually enable and start it.

 

What else changed in this release

Update: Upon changing your password on the Application Server, any previously established sessions using RCP, BLCLI, SOAP, or REST will be invalidated.

Product behavior in versions earlier than 23.4: Prior sessions remain active until either a timeout occurs or you log out.

Product behavior in version 23.4: If you currently have an active session using RCP, BLCLI, SOAP, or REST to run your APIs, and either you or RBACAdmin has recently changed your password on the Application Server, your existing session becomes invalid. To continue, you'll need to re-establish your session using the new password. For more details, see Changing-passwords.

Update: A pre-processing step is added before passing the RPMs to yum: This step removes the RPMs that are not installed on the system from the list.

Product behavior in versions earlier than 23.4: The system passes all the RPMs to yum, which increases the load on yum.

Product behavior in version 23.4: The RPMs that are not installed on the system are filtered out by the new pre-processing step in the Update Mode with the By Complete Package Name option, before they are passed to yum. For more information, see Patching-Job-Analysis-Options-for-Red-Hat-Enterprise-Linux-Oracle-Enterprise-Linux-and-SUSE-Linux-Enterprise.

 
