Bigfix Patch Suse Ug

IBM Endpoint Manager
Version 9.2
Patch Management for SUSE Linux

Enterprise
User's Guide
IBM Endpoint Manager

Version 9.2
Patch Management for SUSE Linux

Enterprise
User's Guide
Note
Before using this information and the product it supports, read the information in Notices on page 61.
This edition applies to version 9, release 2, modification level 0 of IBM Endpoint Manager (product number
5725-C45) and to all subsequent releases and modifications until otherwise indicated in new editions.
Copyright IBM Corporation 2003, 2015.
US Government Users Restricted Rights Use, duplication or disclosure restricted by GSA ADP Schedule Contract
with IBM Corp.
Contents
Chapter 1. Overview . . . . . . . . . 1
What's new in this update release
Supported platforms and updates
Supported packages . . . . .
Site subscription . . . . . .
Download plug-ins . . . . .
SUSE Download cacher . . . .
Patching methods. . . . . .
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
1
2
3
4
4
4
5
Chapter 2. Manage Download Plug-ins

dashboard overview . . . . . . . . . 9
Registering the SUSE download plug-in .
Unregistering the SUSE download plug-in
Configuring the SUSE download plug-in
Migrating the SUSE download plug-in .
Upgrading the SUSE download plug-in .
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
10
13
14
16
18
Chapter 3. Custom repositories

management . . . . . . . . . . . . 21
SLE Custom Repository Management dashboard .
Adding a repository or SMT. . . . . . . .
Registering endpoints to a repository or SMT . .
Unregistering endpoints from a repository or SMT
Deleting repositories or SMTs . . . . . . .
Importing repositories or SMTs . . . . . . .
Installing packages from a custom repository . .
Copyright IBM Corp. 2003, 2015
. 22
. 23
. 25
26
. 27
. 27
. 28
Chapter 4. Using Patch Management

for SUSE Linux Enterprise . . . . . . 31
Patching using Fixlets . . . . . . . . .
Viewing deployment results . . . . . . .
Manage Preference Lists . . . . . . . .
Using the Preference Lists Dashboard . . .
Retrieving installed RPM package information.
.
.
.
.
.
.
.
.
.
.
31
35
37
37
43
Chapter 5. SLE Btrfs snapshot

management . . . . . . . . . . . . 45
SLE Btrfs Snapshot Management dashboard
overview . . . . . . . . . . . .
Rolling back a snapshot . . . . . . .
.
.
.
.
. 45
. 47
Appendix A. Support. . . . . . . . . 49
Appendix B. Troubleshooting . . . . . 51
Appendix C. Frequently asked
questions . . . . . . . . . . . . . 55
Notices . . . . . . . . . . . . . . 61
Trademarks . . . . . . . . . . . . .
Terms and conditions for product documentation.
. 63
. 64
iii
iv
IBM Endpoint Manager: Patch Management for SUSE Linux Enterprise User's Guide
Chapter 1. Overview
The IBM Endpoint Manager for Patch Management solution, which includes
deploying a multi-purpose, lightweight agent to all endpoint devices, supports a
wide variety of device types ranging from workstations and servers to mobile and
point-of-sale (POS) devices.
What's new in this update release

This release of IBM Endpoint Manager for Patch Management contains several new
features and enhancements.
Table 1. What's new
Enhancement or Feature
Description
Resources
Package installation task
Custom repositories can give you the flexibility to control

what you can deploy on the endpoints in your
environment. For example, you can deploy custom
software that you are hosting in your custom repositories.
Chapter 3, Custom
repositories management,
on page 21
Use the Install packages by using zypper task to install

software that is in your custom repositories. This task is
enhanced to allow you to update all the packages on the
endpoint and to install packages based on CVE number.
Installing packages from

a custom repository on
page 28
The Install packages by using zypper task is available on

the Patching Support site.
SLE Btrfs Snapshot
Management
Manage Btrfs filesystem snapshots for endpoints that are

using SUSE Linux Enterprise versions 11 SP2 and later.
Chapter 5, SLE Btrfs

snapshot management,
on page 45
IBM Endpoint Manager provides the SLE Btrfs Snapshot

Management dashboard to allow you to manage root
SLE Btrfs Snapshot
snapshots with the rollback feature to restore to a previous Management dashboard
system state.
overview on page 45
SLE Custom Repository

Management dashboard
enhancements
The SLE Btrfs Snapshot Management dashboard is

available on the Patching Support site.
Rolling back a snapshot

on page 47
The repository registration feature in the SLE Custom

Repository Management dashboard now allows you to
enable autorefresh and URI checks.
Registering endpoints to
a repository or SMT on
page 25
Chapter 3, Custom
on page 21
Previous updates
Table 2. Previous updates
Enhancement or Feature
Description
Resources
Custom repository support
IBM Endpoint Manager now supports custom repositories Chapter 3, Custom

and the Subscription Management Tool (SMT) for
patching SUSE Linux Enterprise Desktop and SUSE Linux on page 21
Enterprise Server version 11 endpoints.
Support for custom repositories for patch management
uses existing local repository mirrors and extended
support channels to download patches. This solution can
also be used to deliver custom software through IBM
Endpoint Manager. For more information, see Chapter 3,
Custom repositories management, on page 21.
Package manager native

command-line interface
support
Zypper, which is the default package manager for SLE,

replaces the Endpoint Dependency Resolver (EDR)
utilities that Patch Management for SLE previously used.
Patching methods on
page 5
Zypper gives you more flexibility in terms of patch

deployment and provides results that are in parallel with
SLE solutions. Use the Patches for SLE 11 Native Tools
site to patch SLE 11 systems because Zypper reduces
dependency issues, improves performance, and is more
reliable in terms of installing security patches. For more
information, see Patching methods on page 5.
Supported platforms and updates

IBM Endpoint Manager for Patch Management supports a wide range of SUSE
Linux Enterprise platforms and updates.
Endpoint Manager provides Fixlet content for Novell updates that are under
general support. If you acquired the Long Term Service Pack Support (LTSS) and
require such content, contact IBM Professional Services.
Table 3. Supported platforms and patches for the Patch Management for SUSE
Fixlet Site Name
Supported Platform
Type of Update
Patches for SLE10
SUSE Linux Enterprise Desktop

10 SP3 and SP4 (x86, x86_64)
v Mandatory
v Recommended
SUSE Linux Enterprise Server 10 v Optional
SP3 and SP4 (x86, x86_64)
Patches for SLE11

11 SP1, SP2, and SP3 (x86,
x86_64)
SUSE Linux Enterprise Server 11
SP1, SP2, and SP3 (x86, x86_64)
Patches for SLE10

System Z

SP3 and SP4 (s390x)
Patches for SLE11

System Z

SP1, SP2, and SP3 (s390x)
Table 3. Supported platforms and patches for the Patch Management for SUSE (continued)
Fixlet Site Name
Supported Platform
Type of Update
Patches for SLE 11

Native Tools

11 SP1, SP2, and SP3 (x86,
x86_64)
See Supported packages to

view the list of Novell
repositories that contain the
supported packages.

SP1, SP2, and SP3 (x86, x86_64)
Linux RPM Patching
Previously listed supported

platform versions.
Previously listed updates.
Note: Endpoint Manager no longer releases new content Fixlets for SUSE Linux
Enterprise Desktop (SLED) 10 and SUSE Linux Enterprise Server (SLES) 10 since
Novell ended their general support on July 31, 2013. However, Endpoint Manager
still supports the content Fixlets that were released before this date. If you acquired
extended support with Novell and require Fixlets for the SLES and SLED 10
updates, contact IBM Professional Services.
To install x86 or x86_64 SUSE patches, subscribe to the Patches for SLE10, Patches
for SLE11, and Linux RPM Patching sites. To install SUSE patches for System Z
(s390x) endpoints, subscribe to the Patches for SLE10 System Z, Patches for SLE11
System Z and Linux RPM Patching sites.
Important: A download plug-in for SUSE must be registered before deploying
patches from the Endpoint Manager console. For more information about
registering the download plug-in, see Registering the SUSE download plug-in on
page 10.
Supported packages
Patch Management for SUSE Linux Enterprise supports the packages in several
Novell repositories.
The following table lists the repositories that contain the supported packages for
the Patches for SLE 11 Native Tools site.
Table 4. Supported Novell repositories and packages
Operating System and Service Pack Level
Repository Name
SUSE Linux Enterprise Server 11 SP3
SLES11-SP3-Pool
SLES11-SP3-Updates
SLES11-SP1-Pool
SLES11-SP1-Updates
SLES11-SP2-Core
SLES11-SP2-Updates
SLES11-SP1-Pool
SLES11-SP1-Updates
SLES11-Pool
SLES11-Updates
SLES11-Extras
SUSE Linux Enterprise Desktop 11 SP3
SLED11-SP3-Pool
SLED11-SP3-Updates
Chapter 1. Overview
Table 4. Supported Novell repositories and packages (continued)

Operating System and Service Pack Level
Repository Name
SLED11-SP1-Pool
SLED11-SP1-Updates
SLED11-SP2-Core
SLED11-SP2-Updates
SLED11-SP1-Pool
SLED11-SP1-Updates
SUSE Linux Enterprise Desktop 11
SLED11-Pool
SLED11-Updates
SLED11-Extras
Site subscription
Sites are collections of Fixlet messages that are created internally by you, by IBM,
or by vendors.
Subscribe to a site to access the Fixlet messages to patch systems in your
deployment.
You can add a site subscription by acquiring a masthead file from a vendor or
from IBM or by using the License Overview Dashboard. For more information
about subscribing to Fixlet sites, see the IBM Endpoint Manager Installation Guide.
For more information about sites, see the IBM Endpoint Manager Console Operator's
Guide.
Download plug-ins
Download plug-ins are executable programs that download a specified patch from
the website of the patch vendor. To ease the process of caching, Fixlets have an
incorporated protocol that uses download plug-ins.
For the Fixlet to recognize the protocol, the related download plug-in must be
registered. You must use the Manage Download Plug-ins dashboard to register the
download plug-in. After you register the plug-in, you can run the Fixlets to
download, cache, and deploy patches from the IBM Endpoint Manager console.
If you already registered the plug-in, you can use the Manage Download Plug-ins
dashboard to run the update. You must use the dashboard also to unregister and
configure the download plug-in. For more information about the dashboard, see
the topic on Manage Download Plug-ins dashboard overview.
Note: If you install the download plug-in on relays, it is recommended that you
also install it on the server.
SUSE Download cacher

The SUSE Download Cacher is command-line tool that is designed to
automatically download and cache SUSE patches on the IBM Endpoint Manager
server to facilitate the deployment of SUSE Fixlets.
Important: Use the download cacher tool only if you are using an air-gapped
environment or if the total number of packages is too large. You can also use the
tool if you want to cache all the downloads for faster execution of actions.
Otherwise, use the download plug-in. The preferred method of SUSE patch
caching is to register the SUSE Download Plug-in from the Manage Download
Plug-ins dashboard. For more information about registration, see Registering the
SUSE download plug-in on page 10.
The tool uses FTP to download large .zip files and by default, stores them in the
sha1 cache folder. You can also choose to store the files in a different existing
directory. Your environment must be configured to accept FTP use.
You can access the tool by downloading and running it manually. For more
information, see the technote in http://www-01.ibm.com/support/
docview.wss?uid=swg21506059.
Patching methods
IBM Endpoint Manager offers more flexibility to the patch management solution
by providing patching options that cater to your needs.
IBM Endpoint Manager provides several different methods to manage patches for
SUSE Linux Enterprise.
Patching by using the Endpoint Dependency Resolution (EDR)

method
Endpoint dependency resolution (EDR) is an approach to UNIX patching where
dependencies for bulletins are calculated dynamically during an action run time.
Packages are patched regardless of which packages are already installed on the
endpoints.
The following sites use the EDR method:
v Patches for SLE10
v Patches for SLE11
v Patches for SLE10 System Z
v Patches for SLE11 System Z
The EDR method uses a dependency resolution tool that requires dependencies of
all of the installed packages on the system to be satisfied. To view the EDR results,
see the EDR_DeploymentResults.txt file that is located in the directory <client
folder>\EDRDeployData\.
With this approach, you can deploy preference lists to endpoints from the
Preference Lists Dashboard in the Linux RPM Patching site. For more information
about preference lists, see Manage Preference Lists on page 37.
When dependencies are resolved on the endpoints, there might be multiple valid
sets of dependencies that satisfy the requirements of the targets. Preference lists
help to decide which requirements to satisfy in these situations. For more
information about the dashboard, see Using the Preference Lists Dashboard on
page 37.
Patching by using the native tools (Zypper) method

Note: This method applies to patch management for SUSE Linux Enterprise Server
11 and SUSE Linux Enterprise Desktop 11 environments only.
Chapter 1. Overview
Zypper is the default package manager for SUSE Linux Enterprise. It gives you
more flexibility in terms of patch deployment and in providing results that are
suitable for SUSE Linux Enterprise solutions. It uses a command-line interface and
simplifies the process of installing, uninstalling, updating, and querying software
packages. It is based on ZYpp, also known as libzypp. For more information about
Zypper, see the documentation at http://www.suse.com or see the Novell Support
website at https://www.novell.com/support/.
Zypper reduces dependency issues, improves performance, and is more reliable in
terms of installing security patches. This method also enables you to use custom
repositories for patching. For more information on custom repository support, see
Chapter 3, Custom repositories management, on page 21.
The Zypper approach is introduced to replace the EDR utilities that Patch
Management for SUSE Linux Enterprise previously used. Subscribe to the Patches
for SLE 11 Native Tools site to use the Zypper method.
The Zypper native tools implementation has an external dependency on the expect
utility. Endpoint Manager provides a task to install the expect utility on systems
that are configured with Zypper repositories. Task ID 101: Install expect is
available from the Patches for SLE 11 Native Tools site.
Zypper utility configuration settings
The Patches for SLE 11 Native Tools site uses all the settings in
/etc/zypp/zypp.conf.
The following Zypper configuration settings are set to values that come
from another file, which is dynamically created during Fixlet execution:
v cachedir
v configdir
v metadatadir
v packagesdir
v reposdir
v repo.add.probe
v repo.refresh.delay
v solvfilesdir
Identifying file relevance with Native tools content
The native tools captures file relevance in the same way as EDR. Both
methods check for the relevance clause exist lower version of a
package, but not exist higher version of it. If both tools are applied to
the same deployment, the relevance results are the same.
Patching method matrix

The following table lists the applicable sites and features for each of the patching
methods that are available for managing your SUSE Linux Enterprise endpoints.
Patching method
Applicable sites
Applicable features
Endpoint Dependency
Resolution (EDR)
v Linux RPM Patching
v Download Plug-ins
v Patches for SLE10
v RPM Deployment
v Patches for SLE11
v Preference List
Patching method
Applicable sites
Applicable features
Native tools (Zypper)
v Patching Support
v Download Plug-ins
v Patches for SLE 11 Native

Tools
v Custom Repository
Support
Chapter 1. Overview
Chapter 2. Manage Download Plug-ins dashboard overview

Use the Manage Download Plug-ins dashboard to oversee and manage download
plug-ins in your deployment.
You can use the Manage Download Plug-ins dashboard to register, unregister,
configure, and upgrade the download plug-ins for different patch vendors. For
more information about these features, see the following topics.
Note: For Windows 2008 and Windows 2012 R2, you must install the latest version
of Shockwave Flash Object to ensure that the dashboard displays properly.
You must subscribe to the Patching Support site to gain access to this dashboard.
To view the Manage Download Plug-ins dashboard, go to Patch Management
domain > All Patch Management > Dashboards > Manage Download Plug-ins.
Figure 1. Patch Management navigation tree
The dashboard displays all the servers and windows-only relays in your
deployment. Select a server or relay to view all the plug-ins for that computer. The
dashboard shows you also the version and status for each plug-in in one
consolidated view.
Figure 2. Manage Download Plug-ins dashboard
A plug-in can be in one of the following states:

v Not Installed
v New Version Available
v Up-To-Date
v Not Supported
Note: CentOS and SUSE Linux download plug-ins are not supported in relays.
The dashboard has a live keyword search capability. You can search based on the
naming convention of the servers, relays, and plug-ins.
Registering the SUSE download plug-in

Use the Manage Download Plug-ins dashboard to register the download plug-in
for SUSE Linux.
Before you begin

Note: SUSE Linux download plug-ins are not supported in relays.
You must complete the following tasks:
10
v Subscribe to the Patching Support site to gain access to the Manage Download
Plug-ins dashboard.
v Enable the Encryption for Clients Fixlet on servers and relays for which you
want to register the download plug-in.
v Activate the Encryption Analysis for Clients analysis and Download Plug-in
Versions analysis.
When you register the download plug-in on a computer without the plug-in, the
plug-in is automatically installed and the configuration file is created.
If a download plug-in is already installed on the computer, the configuration file is
overwritten.
Procedure
1. From the Patch Management domain, click All Patch Management >
Dashboards > Manage Download Plug-ins dashboard.
2. From the Servers and Relays table, select the server or relay on which the
download plug-in is to be registered.
3. From the Plug-ins table, select SUSE Plug-in.
4. Click Register. The Register SUSE Plug-in wizard displays.
11
Figure 3. Register SUSE download plug-in wizard
5. Enter the Novell credentials that you use to log on to the Novell Customer
Center.
Novell Username
Your Novell account user name to the Novell Customer Center. It
must have a valid support identifier to download patches.
Novell Password
Your Novell account password to the Novell Customer Center.
Confirm Novell Password
Your Novell account password for confirmation.
Large amounts of downloads through this channel might lock you out of your
Novell account. Use the mirror server to prevent a temporary lock out from
happening.
6. Optional: Enter the mirror parameters if you want the plug-in to download
from a mirror server.
12
Mirror URL
The URL of your mirror server. It must be a well-formed URL, which
contains a protocol and a host name. Leave the field blank to use the
Novell mirror server: https://nu.novell.com.
Note: Ensure that you enter your Novell mirror server credentials. If you
leave the following fields blank, the download plug-in uses the credentials for
the Novell Customer Center instead.
Mirror Username
Your proxy user name if your mirror server requires authentication. It
is usually in the form of domain\username.
Mirror Password
Your proxy password if your mirror server requires authentication.
Confirm Mirror Password
Your mirror password for confirmation.
7. Optional: Enter the proxy parameters if the downloads must go through a
proxy server.
Proxy URL
The URL of your proxy server. It must be a well-formed URL, which
contains a protocol and a host name. The URL is usually the IP
address or DNS name of your proxy server and its port, which is
separated by a colon. For example: http://192.168.100.10:8080.
Proxy Username
Your proxy user name if your proxy server requires authentication. It
Proxy Password
Your proxy password if your proxy server requires authentication.
Confirm Proxy Password
Your proxy password for confirmation.
8. Click OK. The Take Action dialog displays.
9. Select the target computer.
10. Click OK.
Results
You successfully registered the SUSE download plug-in.
Unregistering the SUSE download plug-in

Use the Manage Download Plug-ins dashboard to unregister the download plug-in
for SUSE Linux.
Procedure
download plug-in is to be unregistered.
4. Click Unregister.
13
Figure 4. Unregister the SUSE download plug-in
The Take Action dialog displays.

6. Click OK.
Results
You successfully unregistered the SUSE download plug-in.
Configuring the SUSE download plug-in

Use the Manage Download Plug-ins dashboard to configure the download plug-in
for SUSE.
About this task

You might want to take note of your existing configuration for the download
plug-in. Existing configurations are overwritten when you configure the download
plug-in.
Procedure
download plug-in is to be configured.
4. Click Configure. The Configure SUSE Plug-in wizard displays.
14
Figure 5. Configure SUSE download plug-in wizard
5. Enter the Novell credentials that you use to log on to the Novell Customer
Center.
Novell Username
Your Novell account user name to the Novell Customer Center. It
must have a valid support identifier to download patches.
Novell Password
Your Novell account password to the Novell Customer Center.
Large amounts of downloads through this channel might lock you out of your
Novell account. Use the mirror server to prevent a temporary lock out from
happening.
15
Mirror URL
Novell mirror server: https://nu.novell.com.
Note: Ensure that you enter your Novell mirror server credentials. If you
leave the following fields blank, the download plug-in uses the credentials for
the Novell Customer Center instead.
Mirror Username
Mirror Password
proxy server.
Proxy URL
Proxy Username
Proxy Password
10. Click OK.
Results
You successfully configured the SUSE download plug-in.
Migrating the SUSE download plug-in

You must migrate the SUSE Linux download plug-in if the plug-in version is
earlier than 2.0.0.0. You only need to do this once. The download plug-in is
upgraded to the latest version after migration.
About this task

You might want to take note of your existing configuration for the download
plug-in. Existing configurations are overwritten when you migrate the download
plug-in.
16
Procedure
download plug-in is to be migrated.
4. Click Migrate. The Migrate SUSE Plug-in wizard displays.
Figure 6. Migrate SUSE download plug-in wizard
5. Enter the Novell credentials that you use to log on to the Novell Support site.
Novell Username
Your Novell account user name to the Novell Support site. It must
have a valid support identifier to download patches.
17
Novell Password
Your Novell account password to the Novell Support site.
Mirror URL
Novell mirror servers.
Mirror Username
Mirror Password
proxy server.
Proxy URL
Proxy Username
Proxy Password
9. Select the target computer on which the download plug-in is to be upgraded.
10. Click OK.
Results
You successfully migrated and upgraded the SUSE download plug-in.
Upgrading the SUSE download plug-in

Use the Manage Download Plug-ins dashboard to upgrade the download plug-in
for SUSE Linux.
Procedure
download plug-in is to be upgraded.
18
3.
4.
5.
6.
From the Plug-ins table, select SUSE Plug-in.

Click Upgrade. The Take Action dialog displays.
Select the target computer.
Click OK.
Results
You now have the latest version of the SUSE download plug-in installed.
19
20
Chapter 3. Custom repositories management

You can set up your custom repositories and Subscription Management Tool (SMT)
to manage patches for SUSE Linux Enterprise version 11 and later. This solution
allows for multiple repositories and SMTs on the entire deployment.
With the custom repository support, the Fixlets in the Patches for SLE 11 Native
Tools site can use Zypper to directly download packages from custom repositories
instead of going through the Novell Customer Center. Bandwidth throttling is not
supported in a custom repository architecture.
Using custom repositories can give you the flexibility to control what can be
deployed to the endpoints in your deployment. For example, you can deploy
custom software that you are hosting in your custom repositories. Use the Install
packages by using Zypper task from the Patching Support site to install software
that are in your custom repositories. For more information, see Installing
packages from a custom repository on page 28.
Integrating your custom repository or SMT solutions is made easy with the use of
the SLE Custom Repository Management dashboard.
Differentiating between repository types

The custom support covers both repository and SMT. You can register endpoints to
a repository or to an SMT server.
Note: The SLE Custom Repository Management dashboard refers to SMT as one
of the repository types for identification purposes only. The dashboard does not
affect how SMT works.
Ensure that both types of repository are updated. Actions might fail if the packages
are not available.
Repository
This type refers to standard software repositories, which are storage
locations that contain a collection of packages and metadata. These
repositories can be on online servers, CDs, DVDs, or on other media.
The SLE Custom Repository Management dashboard does not add physical
repositories; you must do this action separately.
SMT
With the SMT, enterprise customers can optimize the management of SUSE
Linux Enterprise software updates and subscription entitlements. SMT
provides a repository and registration target that is synchronized with the
Novell Customer Center.
For more information about SMT, see the SUSE documentation at
https://www.suse.com/documentation/smt11/.
21
SLE Custom Repository Management dashboard

Use the SLE Custom Repository Management dashboard to easily integrate your
existing custom repository or Subscription Management Tool (SMT) solutions with
the IBM Endpoint Manager patch management solution. Only endpoints on SUSE
Linux Enterprise Desktop and Linux Enterprise Server versions 11 and 12 are
supported in this dashboard.
The SLE Custom Repository Management dashboard allows the Fixlets in the
Patches for SLE 11 Native Tools site to use Zypper for downloads instead of using
the standard IBM Endpoint Manager downloading infrastructure. The dashboard
also allows you to register your custom repositories to use the Zypper commands
when installing packages on the endpoints.
To access the dashboard, subscribe to the Patching Support site. From the Patch
Management domain, click All Patch Management > Dashboards > SLE Custom
Repository Management. Activate the Repository Configuration - SUSE Linux
Enterprise analysis to view the content in the dashboard.
Important: Your custom repositories must be pre-configured with the required
metadata and headers before you use the dashboard.
Use the SLE Custom Repository Management dashboard to perform the following
actions for patch management:
v Register and unregister endpoints to a repository (custom repositories or SMT
servers)
v Add, delete, and import custom repositories and SMT servers to the repository
dashboard list
22
Figure 7. SLE Custom Repository Management dashboard
Note: The SLE Custom Repository Management dashboard does not support the
creation of a physical repository server or SMT. You must create the repository
separately. For more information about creating repositories, see the following
resources:
v SUSE Linux Enterprise Desktop 11 SP3 Deployment Guide at https://
www.suse.com/documentation/sled11/book_sle_deployment/data/
sec_y2_sw_instsource.html
v SUSE Linux Enterprise Server 11 SP3 Deployment Guide at https://www.suse.com/
documentation/sles11/book_sle_deployment/data/sec_y2_sw_instsource.html
v SUSE Linux Enterprise Desktop 12 Deployment Guideat https://www.suse.com/
documentation/sled-12/book_sle_deployment/data/book_sle_deployment.html
v SUSE Linux Enterprise Server 12 Deployment Guide at https://www.suse.com/
documentation/sles-12/book_sle_deployment/data/book_sle_deployment.html
Adding a repository or SMT

Add a custom repository or a Subscription Management Tool (SMT) server into the
dashboard repository list so that you can register and connect it to endpoints.
Before you begin

v Activate the Repository Configuration - SUSE Linux Enterprise analysis.
v Run the Enable custom repository support - SUSE Linux Enterprise task.
Procedure
1. From the SLE Custom Repository Management dashboard, click the
Repositories tab.
23
2. Click Add.
3. From the Add a New Repository dialog, select the repository type that you
want to add.
Note: Ensure that the repository settings match the repository server
configuration.
v If you are adding a standard repository, enter values for the following fields:
Repository Name
Repository URL
Figure 8. Adding a repository
v If you are adding an SMT server, enter values for the following fields:
SMT Server Name
SMT Server URL
clientSetup4SMT script URL
Figure 9. Adding an SMT
Note: When you enter the SMT Server URL, the clientSetup4SMT script URL is
generated automatically. This script is provided with SMT to configure
endpoints to use the SMT server or to reconfigure it to use a different SMT
server.
24
4. Click Save.
What to do next
To connect the added repository to an endpoint, see Registering endpoints to a
repository or SMT.
If you want to add all the known existing repositories of an endpoint, both SMTs
and standard repositories, to the dashboard list, use the Import feature. For more
information, see Importing repositories or SMTs on page 27.
Registering endpoints to a repository or SMT

Use the SLE Custom Repository Management dashboard to connect your
repositories and SMTs to endpoints.
Before you begin

v Ensure that the repository settings match the repository server configuration.
Procedure
Endpoints tab.
2. Select the endpoints that you want to register to a repository or SMT from the
first table. The repositories or SMTs of the selected endpoints are listed in the
second table.
Note: When a repository is named as unspecified, it means that it is not listed
in the Repository list of the dashboard.
3. Click Register a new repository.
4. From the Register a New Repository dialog, select a repository or an SMT and
click Next.
Figure 10. Registering an endpoint to a repository
Note: An endpoint can be registered to only one SMT at a time. If an endpoint

is already registered to an SMT, registering a different SMT overrides the
registration with the existing SMT.
v If you selected a repository, you can add more configuration information
from the available options.
Probe given URI
Checks the given repository upon registration.
25
Enable autorefresh of the repository

Automatically refreshes the repository before reading the metadata
from the database.
Additional Fields
Use the field to add more configuration information for the
repository. For example, if you use a repository that is not a mirror
of the vendor site, enter gpgcheck=0 to prevent a patch from failing
because the files cannot be opened.
Figure 11. Additional configuration fields when registering endpoints to a repository
v If you selected an SMT, enter the location of the clientSetup4SMT Script.

5. Click Save. This information is saved in the Zypper configuration files.
6. From the Take Action dialog, select the computers and click OK to deploy the
action.
Unregistering endpoints from a repository or SMT

Use the SLE Custom Repository Management dashboard to unregister endpoints
from repositories or SMTs that are no longer relevant.
Before you begin

About this task

When you unregister a repository, the Zypper services and repositories from the
endpoint that you selected are removed.
The Zypper configuration file is not deleted, but disabled when an endpoint is
unregistered from a standard or SMT repository.
If you unregister an endpoint from an SMT repository, you must log in to the SMT
server and delete the selected computer manually.
26
Procedure
Endpoints tab.
2. Select the endpoints that you want to unregister a repository from.
3. Click Unregister a new repository.
4. From the Unregister a New Repository dialog, select a repository and click
Save.
5. From the Take Action dialog, select the computers and click OK to deploy the
action.
Deleting repositories or SMTs

To manage the dashboard repository list more easily, delete the repositories or
SMTs that no longer exist in your deployment.
About this task

Procedure
Repositories tab.
2. Select the repositories that you want to delete and click Delete. A delete
confirmation dialog displays.
3. Click Yes to confirm and proceed with the deletion of the selected repositories.
Results
The selected repositories are removed from the list.
Importing repositories or SMTs

Use the Import feature of the SLE Custom Repository Management dashboard to
add all the known existing repositories of an endpoint to the list of repositories in
the dashboard.
Before you begin

Activate the Repository Configuration - SUSE Linux Enterprise analysis.
Procedure
Repositories tab.
2. Click Import.
3. From the Import Existing Repositories dialog, select the repositories or SMTs
that you want to add in the dashboard repository list.
4. Enter a name for the repository.
5. Click Save.
Results
The repositories or SMTs are now imported and added to the list in the dashboard.
27
Installing packages from a custom repository

IBM Endpoint Manager provides a task to easily install and update packages on
SUSE Linux Enterprise version 11 and later endpoints that are registered to custom
repositories.
Before you begin

v Subscribe to the Patching Support site to access the installation task named as
Install packages by using zypper.
v Configure a custom repository from the SLE Custom Repository Management
dashboard. For more information, see Chapter 3, Custom repositories
management, on page 21.
v Ensure that the configured repository is up-to-date and contains the required
packages and metadata.
About this task

Use the Install packages by using zypper task to install or update the packages on
endpoints.
You can use the package name or Common Vulnerabilities and Exposures (CVE)
ID number to specify the selected packages for installation.
You can also update all the installed packages on the endpoint with later available
versions that are in your custom repository.
The Zypper commands for each of the available actions are as follows:
zypper install <package_name1> <package_name2>
Updates or installs a package with a specific name. Multiple package update or
installation is acceptable. Use a space to separate the package names.
zypper update
Updates all the installed packages on the endpoint.
zypper patch --cve=<cve_number>
Updates a package with a specific CVE ID number. The task fails if no CVE ID
number is specified and it only accepts a single CVE reference.
This action requires Zypper version 1.5.3-3.2.
Command options are supported as extra flags for the zypper install and zypper
update commands only. For detailed usage information, see the zypper man page.
This task also provides actions to test the packages for installation, without
installing the packages on the endpoints.
Procedure
1. From the Patch Management domain, click All Patch Management > Fixlets
and Tasks.
2. Select the Install packages by using zypper task to install custom packages on
endpoints.
3. In the Task pane, review the description and follow the instructions in the
Actions box to deploy an action.
4. Depending on the action that you selected, provide the necessary information
and click OK.
28
Note: To update all installed packages on the endpoint, select the action to
install packages, but do not specify any package name.
5. In the Take Action pane, select the endpoints on which the packages are to be
installed or updated.
6. Click OK.
29
30
Chapter 4. Using Patch Management for SUSE Linux

Enterprise
Use the Fixlets on the Linux RPM Patching and the various Patches for SUSE
Linux Enterprise Fixlet sites to apply patches to your deployment.
For information about the available Fixlet sites for SUSE Linux Enterprise, see
Supported platforms and updates on page 2.
Patch content caching must be done through the download plug-in unless you are
using an air-gapped environment or a custom repository. For more information, see
the following topics:
v Download plug-in registration
v Download cacher
IBM Endpoint Manager provides several different methods to manage patches for
SUSE Linux Enterprise. For more information, see Patching methods on page 5.
Patching using Fixlets

You can apply SUSE Linux patches to your deployment by using the Fixlets on the
Linux RPM Patching and Patches for SLE sites.
Before you begin

v Register the SUSE download plug-in. For more information about download
plug-ins, see Download plug-ins.
v Subscribe to the appropriate sites.
v Activate the necessary analysis from the subscribed sites.
v If you are not using the Patches for SLE 11 Native Tools site to patch your
systems, activate the Endpoint Dependency Resolution - Deployment Results
analysis to view the patch deployment results. For more information, see
Viewing deployment results on page 35.
v If you are using the Patches for SLE 11 Native Tools site to patch your systems,
run the Install expect task (ID #101) to install the expect utility on systems that
are configured with the Zypper utility.
Note: This only applies to the endpoints that do not have the expect utility
installed.
About this task

The possible actions that you can make on a Fixlet depend on the patch type. For
example, patch Fixlets provide an option to deploy a test run prior to applying the
patch. Kernel updates provide the option to upgrade or install all kernel packages.
The default behavior for kernel updates is to install packages side by side.
Additionally, each kernel update Fixlet provides the ability to test each of these
options.
Note: The upgrade option in Kernel updates replaces existing kernel packages
with later versions. The install option installs the later kernel packages next to the
previous versions.
31
Procedure
1. From the Patch Management domain, click OS Vendors > SUSE Linux
Enterprise, and navigate to the patch content using the domain nodes.
Figure 12. Patch Management navigation tree
2. In the content that is displayed in the list panel, select the Fixlet that you want
to deploy. The Fixlet opens in the work area.
3. Click the tabs at the top of the window to review details about the Fixlet.
4. Click Take Action to deploy the Fixlet.
v You can start the deployment process.
32
Figure 13. Take action to start the deployment process
v You can deploy a test run prior to applying the patch. View the Deployment
Results analysis to determine if the dependencies have been successfully
resolved and if an installation is successful.
Chapter 4. Using Patch Management for SUSE Linux Enterprise
33
Figure 14. Take action to deploy a test
v You can view the Novell bulletin for a particular Fixlet, select the Click here
to view the patch page action to view the patch page.
34
Figure 15. Take action to view patch page
You can also click the appropriate link in the Actions box
5. You can set more parameters in the Take Action dialog.
For detailed information about setting parameters with the Take Action dialog,
see the IBM Endpoint Manager Console Operator's Guide.
6. Click OK.
7. Enter your Private Key Password when necessary.
Viewing deployment results

The results of a successful action for Fixlet content with endpoint dependency
resolution are written in a log file on the endpoint. You must activate an analysis
to view the results.
Procedure
1. From the Patch Management domain, click OS Vendors > SUSE Linux
Enterprise.
2. Navigate to the analysis by clicking the Analyses node and select Endpoint
Dependency Resolution - Deployment Results.
35
Figure 16. Analyses in the navigation tree
3. Click Activate.
Figure 17. List of analyses
4. Click the Results tab in the Analysis window that is displayed after you
activate the analysis.
36
Figure 18. Results tab
5. Optional: You can limit the length of the output by running the Endpoint
Dependency Resolution Set deployment results analysis report length task.
To access this task, click OS Vendors > SUSE Linux Enterprise >
Configuration.
Note: The default analysis report length is 100 entries.
What to do next
When you review the properties of an endpoint, you can view the current
deployment information on that system. To view this data, navigate on the All
Content domain and select the Computers node. Select the computer that you
want to inspect in the work area. Scroll down to the Deployment Results.
Figure 19. Endpoint Dependency Resolution - Deployment Results
Manage Preference Lists

Preference lists are lists of packages that affect the dependencies that are installed
for systems patched by content with endpoint dependency resolution.
Preference lists have the following characteristics:
v Packages included in forbidden preference lists are forbidden when dependencies
are resolved.
v Packages included in preferred preference lists are preferred over packages not in
the list when dependencies are resolved.
v Packages included higher in the preference lists are preferred over packages
lower in the lists. You can manage these preference lists by using the Preference
Lists Dashboard.
Using the Preference Lists Dashboard

Use the Preference List Dashboard to create preference lists.
37
You can navigate to the dashboard by expanding the Linux RPM Patching node
and selecting the Endpoint Dependency Resolution - Preference Lists dashboard.
Figure 20. Endpoint Dependency Resolution - Preference Lists dashboard in the navigation
tree
To create new Forbidden package lists, click New Forbidden Package List.
Figure 21. New Forbidden Package List
In the next dialog, you select a site for the preference lists. Endpoints subscribed to
this site are relevant to this preference list. Choose a site and click next.
38
Figure 22. Create new Forbidden Package List
After entering a name for the list, you can begin populating your preference list
with packages. Type the name in the Package to Add field and click Add. As you
type, autocomplete suggestions are shown. These suggestions are populated using
target packages from the selected site. After completing your list, click Save, click
OK, and enter your Private Key Password. A task that deploys this preference list
is displayed in the navigation tree.
Figure 23. Add package
To edit a preference list, click edit for that particular list.
39
Figure 24. Edit button
This opens the same dialog as before and allows you to edit the name and
packages in the list. Click Save. To edit the task, click Edit. To redeploy the latest
version of this list to all systems that already have the list, click Edit and Redeploy.
Then click OK and enter your Private Key Password.
Figure 25. Edit dialog
To create a copy of a preference list, click copy for that particular list.
Figure 26. Copy button
A dialog is created with a nearly identical set of data populated throughout the
fields. The Name field has the word copy at the end. Click Save to create the new
task. To delete a preference list, click delete for that particular list.
40
Figure 27. Delete button
To delete the task, click Delete. To delete the task and issue an action to remove the
preference list from all endpoints that have the list, click Delete and Update.
Figure 28. Delete dialog
Preferred package lists can be created and managed in the same way as forbidden
packages lists. The controls are listed under the Preferred Package Lists tab of the
Preference Lists Dashboard.
Figure 29. Preferred Package Lists tab
Packages are ordered from top to bottom in preference lists. Drag and drop
packages to specify priority.
41
Figure 30. Sort priority
You can view deployed preference lists and their associated metadata by activating
an analysis. Navigate to the analysis by clicking the Analyses node and selecting
Endpoint Dependency Resolution - Preference Lists. Click the analysis and select
Activate from the right-click menu.
Figure 31. List of analyses
Click the Results tab in the Analysis window that is displayed after you activate
the analysis.
42
Figure 32. Results tab
When you review an endpoint's properties, you can view the current preference
list information on that system.
To remove a preference list from an endpoint, run either the Remove Endpoint
Dependency Resolution Remove preferred list or the Remove Endpoint Dependency
Resolution Remove forbidden list tasks.
Figure 33. Available Fixlets to remove a preference list
Retrieving installed RPM package information

The list of installed RPM packages on SUSE Linux Enterprise endpoints can be
retrieved by activating analysis on the IBM Endpoint Manager console.
About this task

The Installed RPM Package List - SuSE Linux Enterprise analysis provides the
number of packages that are installed and the actual names of the packages. It is
available on the Linux RPM Patching site.
Viewing the installed RPM packages from the console helps to reduce the need for
a system administrator to log on to the actual endpoints.
Procedure
1. From the Patch Management domain, All Patch Management > Analyses.
2. Click the Installed RPM Package List - SuSE Linux Enterprise analysis.
3. Click Activate.
4. View the package information from the Results tab.
43
44
Chapter 5. SLE Btrfs snapshot management

View and manage SLE Btrfs snapshots from the IBM Endpoint Manager console.
Snapshot management uses Snapper's ability to roll back Btrfs file system
snapshots. This feature works with SUSE Linux Enterprise version 11 SP2 and later.
Btrfs is a new copy-on-write file system that supports file system snapshots of
subvolumes. Subvolumes can be in the form of one or more separately-mountable
file systems within each physical partition. A snapshot is a copy of the state of a
subvolume at a certain time. It is essentially a clone of the subvolume. For more
information about Snapper, see the SUSE product documentation at
https://www.suse.com/documentation/sles11/book_sle_admin/data/
cha_snapper.html.
Note: For SUSE Linux Enterprise version 11 SP2 systems, snapshots can be taken
only if the partitions are subvolumes and contain the snapper configuration.
SLE Btrfs Snapshot Management dashboard overview

Use the SLE Btrfs Snapshot Management dashboard to manage Btrfs file system
snapshots for SLE endpoints in your deployment.
Note: You must use IBM Endpoint Manager client version 9.2.1 or later to be able
to use this dashboard.
Endpoint Manager provides the SLE Btrfs Snapshot Management dashboard to
view the list of Btfrs file system snapshots of an endpoint from the console. The
rollback feature allows you to reset the system to the state at which a snapshot was
taken.
Consider the following scenario to better understand what the rollback feature
does. Patching the application server on the endpoint that hosts your web
application is a good practice. After a typical day of patching, you started noticing
some issues with the system. These issues occurred only after a particular patch
was deployed. Using the dashboard, you can easily roll back the system to an
earlier state that does not have such issues.
To access the dashboard, subscribe to the Patching Support site. From the Patch
Management domain, click All Patch Management > Dashboards > SLE Btrfs
Snapshot Management.
Activate the SLE Btrfs Snapshots analysis to retrieve the endpoints and the Btrfs
file system snapshot information and display them on the dashboard. This analysis
is also used to generate a log, which records the results of the rollbacks that are
taken in the SLE Btrfs Snapshot Management dashboard. The log is located in the
directory /var/opt/BESClient/EDRDeployData.
The dashboard lists endpoints and their corresponding snapshot history. Each
snapshot displays the following metadata:
Snapshot ID
Unique ID number of the snapshot.
45
Snapshot Date and Time

Start date and time of the snapshot in coordinated universal time (UTC).
Type
The type of snapshot. There are three different types of snapshots: pre,
post, and single.
Pre Snapshot Number

This metadata is applicable only to post snapshot type. It specifies the
number of the corresponding pre snapshot.
Cleanup
Algorithm to clean up old snapshots. There are three different cleanup
algorithms: number, time line, and empty-pre-post.
Description
A description of the snapshot.
Note: Ensure that you provide a meaningful description during the
snapshot creation. This helps to identify the purpose of the snapshot.
For information about the snapshot metadata, see the topic about Manually
Creating and Managing Snapshots in the SUSE product documentation.
Figure 34. SLE Btrfs Snapshot Management dashboard
The dashboard also offers filtering options to ease searching by using the computer
name.
46
To enable the rollback feature, ensure that /var/opt/BESClient/* directories are

excluded from the snapshots by running the Exclude Client Directories From
Snapshots task.
Rolling back a snapshot

Use the rollback option in the SLE Btrfs Snapshot Management dashboard to
restore endpoints to a previous system state. The rollback feature allows you to
reset system files of an endpoint that were not configured correctly by rolling back
to a different snapshot.
Before you begin

Ensure that you meet the following requirements:
v Use Endpoint Manager server and console version 9.0 or later.
v Use Endpoint Manager client version 9.2.1 or later.
v Use SUSE Linux Enterprise Desktop and Server 11 SP2 or later.
v Subscribe to the Patching Support site.
v Exclude /var/opt/BESClient/* directories from the snapshots. To exclude data
directories when taking snapshots, run the Exclude Client Directories From
Snapshots task. This task creates the necessary directories and files to exclude
the /var/opt/BESClient/* directories when taking snapshots.
About this task

Consider the following limitations of the rollback feature:
v Configuration changes in the directory on the bootloader cannot be rolled back.
v Kernel installations require manual deletion of the boot entry for a Kernel.
Hence, complete rollback is not possible for Kernel installations.
v Excluded mount points and ext3 file systems cannot be rolled back.
Procedure
Dashboards > SLE Btrfs Snapshot Management.
2. Select the endpoint whose snapshot history you want to view.
3. Select the snapshot that you want to roll back and click Rollback.
Note: Completely reverting to the pre-snapshot affects the changes made by
processes other than YaST or Zypper. Therefore, review the changes between
the current system state and a snapshot before starting the rollback.
The Rollback Up To Snapshot window opens.
4. Optional: You can specify file names as additional parameters for the rollback.
Click Apply.
Note: If you do not specify any file names, all changed files are restored.
5. From the Take Action window, select the computer and click OK to run the
action.
What to do next
To verify the rollback, check the snapper_rollback.log file located at
/var/opt/BESClient/EDRDeployData.
Chapter 5. SLE Btrfs snapshot management
47
48
Appendix A. Support
For more information about this product, see the following resources:
v IBM Knowledge Center
v IBM Endpoint Manager Support site
v IBM Endpoint Manager wiki
v Knowledge Base
v Forums and Communities
49
50
Appendix B. Troubleshooting
When problems occur, you can determine what went wrong by viewing messages
in the appropriate log files that provide information about how to correct errors.
Log files
The following log files can be found in the client folder in the directory
/var/opt/BESClient/EDRDeployData.
EDR_DeploymentResults.txt
Lists the results of the EDR deployment and the Zypper output. The log file
indicates if the normal Zypper process is used for either a standard repository
or SMT.
register-repo.log
Lists the results of the repository registration action of the SLE Custom
Repository Management dashboard.
register-SMT.log
Lists the results of the SMT registration action of the SLE Custom Repository
Management dashboard.
unregister-repo.log
Lists the results of the unregister repository action of the SLE Custom
Repository Management dashboard.
unregister-SMT.log
Lists the results of the unregister SMT action of the SLE Custom Repository
Management dashboard.
snapper_rollback.log
Lists Btrfs snapshot rollback feature that is available from the SLE Btrfs
Snapshot Management dashboard.
pkg_upgrade_output.txt
Lists the results of the Check Available Package updates - Solaris 11 task.
Understanding dependency failures

Some dependency requirements cannot be determined by Fixlet relevance. In some
cases, multiple levels of dependencies or conflicting third-party packages can
prevent the installation of a Fixlet content.
You can manually review these details by using the EDR_DeploymentResults.txt
file, which is written locally on an endpoint in the client folder by the EDR
Plug-in. You can also review the analysis Endpoint Dependency Resolution Deployment Results (ID# 14) in the Linux RPM Patching site.
The EDR_DeploymentResults.txt file is a text file that contains several lines for each
Fixlet that runs on the system. Each line contains a date or time stamp and the
associated Fixlet ID number. The log shows the type and status of the installation,
whether or not it was a test run and if it was successful or failed.
If the deployment was successful, the log lists out the packages that were
successfully installed or upgraded during the action.
51
If the deployment failed, the log shows the error output from the EDR Plug-in.
Common <type> tag errors found in the

EDR_DeploymentResults.txt file
The most common <type> tag errors that are found in the
EDR_DeploymentResults.txt file are as follows:
No solution (noSolution)
This error means that the requested target packages cannot be installed on the
system, because there are conflicts between the target packages and the
existing packages on the system.
Incomplete baseline (incompleteBaseline)
This error might appear if third-party packages are fulfilling dependencies and
are not recognized by the resolver.
If the <type>incompleteBaseline</type> tag is found in the
EDR_DeploymentResults.txt file and <name>name of RPM</name> tag is NOT in
the /var/opt/BESClient/EDR_UnsupportedPackages.txt file, then you must
install the RPM separately.
However, if the RPM is in the EDR_DeploymentResults.txt file, you must
downgrade to a version that is supported. You can use the <sanityCheckError>
tag from the EDR_DeploymentResults.txt file to identify what version of RPM
is supported. You can only proceed with patching the system when the
supported RPM version is installed.
Forbidden package list error (packageInForbiddenList)
This error is caused by a package on the target, which is listed in the forbidden
package list. You must remove the package from the forbidden package list to
successfully run the Fixlet.
Empty solution (EmptySolution)
This error means that the resolver cannot find a solution with the given set of
information. For example, the packages that are installed on the system or the
packages that it is trying to install. To resolve this error, it is often better to
have the system as standard as possible. Installing additional third-party
software and removing packages from the base operating system can make this
more difficult for the resolver to resolve all dependencies. It is suggested to
move toward using the Native Tools site instead.
Bash script error

If you get an error similar to the following error message:
Hard failure exit code execute prefetch plug-in "/bin/bash"
"{parameter "sitefolder"}/ResolveDependencies.sh" ......."
(action 159317) Exited with exit code of 2
You must complete the following steps:

1. Open the mentioned bash script and add the following after line 2 of the script:
set -x
logpath=</path/of/your/choice>
exec >$logpath 2>&1
2. Deploy the action immediately after you update the script.

Note: The client might override the file, so do not to wait too long between
updating the script and deploying the action.
52
This procedure creates the file that is mentioned in the log path, with a line-by-line
detailed output for the script.
Issues when the custom repository is not a mirror of the vendor

When you use a custom repository that is not a mirror of the vendor site, it is
possible that the default gpgcheck is being done as part of the installation. The
GPG signature files might not be included in the repository. The files are not
checked for authenticity and might cause the installation to fail.
To resolve this issue, ensure that when you register the endpoints in the SLE
Custom Repository Management dashboard, you add gpgcheck=0 to Additional
Fields.
Mirror server is not working

To check whether the issue is due to an incorrect URL or mirror server credentials,
check the plugin.ini file in the directory<BES Server directory>/
DownloadPlugins/SuseProtocol.
Novell account lockout

One possible reason for an account lock out is due to invalid credentials.
Ensure that you use the mirror server configuration from Novell when you register
or configure the download plug-in. Account lockouts are common but temporary.
Contact Novell Support if you get locked out of your account.
Error deploying Fixlets from custom sites

The Fixlet site name is hardcoded in the relevance of the Fixlets because the
relevance can only accept one value. When you deploy Fixlets from a custom site,
the Fixlets would fail because they are still referencing to the original Fixlet site. To
resolve this issue, ensure that your endpoints are subscribed to the original Fixlet
site so that they can grab all the relevant site files.
If you do not want to stay subscribed to the original Fixlet site, but be able to
deploy custom Fixlets successfully, do the following steps:
1. Make a custom copy of the necessary site files.
2. Host the site files either in your own custom site or online.
3. Modify the custom Fixlet appropriately.
Appendix B. Troubleshooting
53
54
Appendix C. Frequently asked questions

To better understand Patch Management for SUSE Linux Enterprise, read the
following questions and answers.
What are superseded patches?
Superseded Fixlets are Fixlets that contain outdated packages. If a Fixlet is
superseded, then a newer Fixlet exists with newer versions of the
packages. The newer Fixlet ID can be found in the description of the
superseded Fixlet.
How do I deal with missing patches?
IBM only provides patches for bulletins that are listed on the Novell
website for supported configurations. These bulletins can be found in
Novell Patch Finder: Patch Finder
Why is my action reporting back as a failed download?
Make sure you update the download plug-in to the latest version and
register it with the correct credentials.
If I have registered the latest plug-ins, why do downloads still fail?
For product versions 8.0.627, upgrade to the latest version of IBM Endpoint
Manager to resolve the issue on dynamic downloads whitelist.
For product versions later than 8.0.627, verify your existing download
plug-in configuration. Verify that the Novell credentials, proxy settings,
and mirror server settings are valid.
What do I do when action reports back with an EDR Plugin failure, Invalid set
of initially installed packages?
There is at least one conflict between the packages that exist on the system.
The resolver will not work until the conflicting packages are removed.
Why is there XML in the deployment results?
The XML is from the error output of the resolver when the resolver fails to
produce a solution. You can look at the description in the errorType tag
to gain a better understanding of why the failure occurred.
What do I do when the deployment results display a Dependency Resolver
Failure, noSolution?
If the resolver finds that there is no solution, the system cannot install all
targets and dependencies because of a conflict between these files and the
endpoint files.
If the resolver finds that there is no solution, the system cannot install all targets
and dependencies because of a conflict between these files and the endpoint
files. Dependency graphs are generated every Monday, Wednesday, and Friday.
What do I do when an action reports back with an installation failure?
Check to see if the conflict is caused by a vendor-acquired package. These
must be removed for the installation to occur.
Why does the resolver function select a lower priority package over a higher
priority one?
The resolver does not select a preferred package if by selecting that
package creates a conflict with another package. Therefore, it is possible for
a lower priority package to be selected.
55
How do I verify if the download plug-in was registered correctly?

Run a Fixlet with an action task to verify if the download plug-in is
registered correctly. Verify that the patch download is successful.
Otherwise, you might need to unregister the download plug-in and
register it again.
How do I register a download plug-in? Do I use the register download plug-in
task or the Manage Download Plug-in dashboard?
To register a download plug-in, you must use the Manage Download
Plug-in dashboard in the Patching Support site. Existing register download
plug-in tasks are being deprecated. To learn more about plug-in
registration, see Registering the SUSE download plug-in on page 10.
Note: You must also use the Manage Download Plug-in dashboard to
unregister, configure, and upgrade download plug-ins. The existing
unregister and edit download plug-in tasks are being deprecated. For more
information about the dashboard, see the topic on Manage Download
Plug-ins dashboard in the IBM Endpoint Manager Knowledge Center.
I was expecting the password to be obfuscated, but it's still in clear text. Why is
that? Check if your download plug-in version is earlier than 2.0. If so, you are
still using an old version of the download plug-in that stores credentials in
clear text. To encrypt credentials, upgrade your download plug-in to
version 2.0 or later from the Manage Download plug-ins dashboard in the
Patching Support site.
Is there a certain level of Zypper that is needed to use SLE 11 with the Native
tool site?
No - any version of the installed Zypper works.
An action failed and the EDR logs do not give any information about the failing
action. How do I troubleshoot?
The last six lines of the deployment and test actions are intended to delete
the temporary files that were created during the action execution. If the
deployment logs do not give information about the reason for the failure,
delete the following two lines to troubleshoot:
v To see the Zypp configuration that is used during the action, delete
{parameter "EDR_ZyppConfig"}
v To see the Zypper output that is generated during the dependency
resolution, delete {parameter "EDR_ZypperResolveOutput"}
When these two lines are deleted, the following files are placed in the site
folder for the Patches for SLE 11 Native Tools site:
v EDR_ZyppConfig_<Fixlet_id>
v EDR_ZypperResolveOutput_<Fixlet_id>
An action failed and the logs contain Zypper-specific errors. How do I
troubleshoot?
For more information about Zypper and errors that are related to it, see the
Zypper documentation at http://www.suse.com and the Zypper-related
articles in the Novell Customer Center.
How can I improve the download speed when I download packages with the
download plug-in?
You can improve the package download speed in the following ways:
v Your local mirror must follow this URL
structure: <localmirror_server>/repo/$RCE/<name_of_the_repo>
56
For more information about how to create mirrors, see

https://www.suse.com/documentation/smt11/book_yep/data/
smt_mirroring.html
v Use the Novell mirror server, which is at the nu.novell.com directory.
Credentials for this mirror server can be obtained from Novell Customer
Center. For more information, see https://www.suse.com/
documentation/smt11/book_yep/data/
smt_mirroring_getcredentials.html
What are the configuration settings that Zypper use?
The Patches for SLE 11 Native Tools site uses all the Zypper settings in
/etc/zypp/zypp.conf.
The following Zypper configuration settings are set to values that come
from another file, which is dynamically created during Fixlet execution:
v cachedir
v
v
v
v
v
configdir
metadatadir
packagesdir
reposdir
repo.add.probe
v repo.refresh.delay
v solvfilesdir
Which versions of IBM Endpoint Manager support custom repositories for
SUSE?
IBM Endpoint Manager V8.2 and later support custom repositories for
SUSE Linux Enterprise Desktop and SUSE Linux Enterprise Server version
11.
What is a custom repository?
The term custom repository refers to any software repository that is not
natively supported by the Novell Customer Center. Custom repositories
give you the benefit of being able to control exactly what is in the
repository. In the SLE Custom Repository Management dashboard, the
term custom repository can refer to a repository or the Subscription
Management Tool (SMT).
What is the purpose of a repository?
A repository is a storage location that contains a collection of packages and
metadata for the available packages. These repositories can be on online
servers, CDs, DVDs, or on other media.
What is SMT?
SMT stands for Subscription Management Tool. It provides a repository
and registration target that is synchronized with Novell Customer Center.
With the SMT, enterprise customers are able to optimize the management
of SUSE Linux Enterprise software updates and subscription entitlements.
For more information about SMT, see https://www.suse.com/
documentation/smt11/.
What version of Zypper is required to use the SLE Custom Repository
Management dashboard?
No minimum requirement. All Zypper versions that are used in SUSE
Linux Enterprise version 11 works.
How do I create a repository?
To learn about creating repositories, see the SUSE documentation:
57
v SUSE Linux Enterprise Desktop 11 SP3 Deployment Guide at

https://www.suse.com/documentation/sled11/book_sle_deployment/
data/sec_y2_sw_instsource.html
v SUSE Linux Enterprise Server 11 SP3 Deployment Guide at
https://www.suse.com/documentation/sles11/book_sle_deployment/
data/sec_y2_sw_instsource.html
Can I deploy patches using the existing method and the custom repository at the
same time? Can the two methods co-exist?
The two methods can exist together. However, when you deploy patches
for single clients, you must choose between using the native tools or
through the custom repository method. The two methods cannot co-exist
on a single client.
Can I reconfigure a repository that I previously configured?
Yes, you can reconfigure a previously configured repository by using the
clientSetup4SMT.sh script. It is provided with SMT to configure endpoints
to use the SMT server or to reconfigure it to use a different SMT server.
From the logs, can I tell if I am using the normal Zypper process to the SMT or
repository in the log?
Yes, the log indicates if the normal Zypper process is used for either a
standard repository or SMT.
What is the difference between registering a repository and importing a
repository?
Use the import feature if you have existing repositories that are not
included in the Repositories list in the dashboard. Use the register feature
if you already have a repository in the Repository list, but you still need to
link the repository with the endpoint.
What happens when the repository does not contain the package?
When a package is not found, the Fixlet fails. You can troubleshoot from
/var/opt/BESClient/EDRDeployData/EDR_DeploymentResults.txt, which is
where the Zypper output is logged.
What happens if there are issues with the custom repository solution?
You can revert to the standard IBM Endpoint Manager server solution by
running the Disable custom repository support SUSE Linux Enterprise
task.
How are dependencies resolved?
Dependencies are resolved by Zypper.
Are the repositories that are listed in the second table of the Endpoints tab in
the SLE Custom Repository Management dashboard used in sequence?
There is no sequence in the repositories that are listed in the Endpoints tab,
even if you specified the priority as an extra note when you registered the
repository. When Zypper queries the repositories, the repository that first
gets the fetch query replies, including the package and its dependencies.
Through the SLE Custom Repository Management dashboard, I deployed a
patch by using a custom repository that is not a mirror of the vendor site. The
deployment action failed and the logs indicate that the files cannot be opened.
What must I do?
When you use a custom repository that is not a mirror of the vendor site,
it is possible that the default gpgcheck is being done as part of the
installation. The GPG signature files might not be included in the
repository. The files are not checked for authenticity and might cause the
58
installation to fail. To resolve this issue, ensure that when you register the
endpoints in the SLE Custom Repository Management dashboard, you add
gpgcheck=0 to Additional Fields.
Which file could tell me why the mirror server is not working?
To check whether the issue is due to an incorrect URL or mirror server
credentials, check the plugin.ini file at <BES Server directory>/
DownloadPlugins/SuseProtocol.
I am locked out from my Novell account. What do I do?
One possible reason for an account lock out is due to invalid credentials.
Ensure that you use the mirror server configuration from Novell when you
register or configure the download plug-in. Account lockouts are common
but temporary. Contact Novell Support if you get locked out of your
account.
Can I install several custom packages using the installation tasks?
Yes, you can install several custom packages with the available tasks. Use a
space to separate the package names.
Is bandwidth throttling available in a custom repository architecture?
Unfortunately, bandwidth throttling is not supported in a custom
repository architecture since it is outside of the IBM Endpoint Manager
infrastructure.
I tried deploying Fixlets from a custom site, but it failed. Why is that? What
should I do?
The Fixlet site name is hardcoded in the relevance of the Fixlets because
the relevance can only accept one value. Therefore, if you want to deploy
custom Fixlets, ensure that your endpoints are subscribed to the original
Fixlet site so that they can grab all the relevant site files.
If you do not want to stay subscribed to the original Fixlet site but be able
to deploy custom Fixlets successfully, do the following steps:
1. Make a custom copy of the necessary site files.
2. Host the site files either in your own custom site or online.
3. Modify the custom Fixlet appropriately.
How can I install custom packages that are on the custom repository?
You can use the Install packages by using Zypper task that is in the
Patching Support site.
For more information, see Installing packages from a custom repository
on page 28.
What versions of SUSE Linux Enterprise are supported in the SLE Custom
Repository Management dashboard?
The SLE Custom Repository Management dashboard supports SUSE Linux
Enterprise Desktop and Linux Enterprise Server versions 11 and 12.
Can I perform a rollback on systems with mixed file systems such as ext3 and
btrfs? The SLE Btrfs Snapshot Management dashboard supports Btrfs file
systems only. Mixed files systems such as .ext3 and btrfs cannot be rolled
back.
Where can I find information about the Exclude /var/opt/BESClient/* Directory
From Snapshots task?
The log file is located in the directory /etc/snapper/filters/logfiles.txt.
59
Which log can I use to troubleshoot the snapshot rollback feature?

Use the snapper_rollback.log file located in the directory
var/opt/BESClient/EDRDeployData.
Which directories need to be excluded from the snapshots to enable rollback?
To enable the rollback feature from the SLE Btrfs Snapshot Management
dashboard, the /var/opt/BESClient/* directories must not be included
when taking snapshots.
Where can I find more information about snaphots?
See the SUSE Documentation at https://www.suse.com/documentation/
sles11/book_sle_admin/data/cha_snapper.html.
SUSE Linux Enterprise 12 endpoints are not displayed in the SLE Btrfs Snapshot
Management dashboard. Why is that?
The agents for SUSE Linux Enterprise Server or Desktop version 12 are
currently available only in IBM Endpoint Manager v9.2. Ensure that you
are using the specified version.
Is there a minimum version of Zypper to install security patches using the CVE
number?
Yes, you must at least use Zypper version 1.5.3-3.2.
If I update Zypper to 1.5.3-3.2 or later on SUSE Linux Enterprise 11.0, can I
install patches using the CVE number?
Yes, if you are using zypper-1.5.3-3.2 then you can install patches using the
CVE number.
60
Notices
This information was developed for products and services that are offered in the
USA.
IBM may not offer the products, services, or features discussed in this document in
other countries. Consult your local IBM representative for information on the
products and services currently available in your area. Any reference to an IBM
product, program, or service is not intended to state or imply that only that IBM
product, program, or service may be used. Any functionally equivalent product,
program, or service that does not infringe any IBM intellectual property right may
be used instead. However, it is the user's responsibility to evaluate and verify the
operation of any non-IBM product, program, or service.
IBM may have patents or pending patent applications covering subject matter
described in this document. The furnishing of this document does not grant you
any license to these patents. You can send license inquiries, in writing, to:
IBM Director of Licensing
IBM Corporation
North Castle Drive, MD-NC119
Armonk, NY 10504-1785
United States of America
For license inquiries regarding double-byte character set (DBCS) information,
contact the IBM Intellectual Property Department in your country or send
inquiries, in writing, to:
Intellectual Property Licensing
Legal and Intellectual Property Law
IBM Japan Ltd.
19-21, Nihonbashi-Hakozakicho, Chuo-ku
Tokyo 103-8510, Japan
The following paragraph does not apply to the United Kingdom or any other
country where such provisions are inconsistent with local law:
INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS
PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER
EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS
FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or
implied warranties in certain transactions, therefore, this statement may not apply
to you.
This information could include technical inaccuracies or typographical errors.
Changes are periodically made to the information herein; these changes will be
incorporated in new editions of the publication. IBM may make improvements
and/or changes in the product(s) and/or the program(s) described in this
publication at any time without notice.
Any references in this information to non-IBM websites are provided for
convenience only and do not in any manner serve as an endorsement of those
61
websites. The materials at those websites are not part of the materials for this IBM
product and use of those websites is at your own risk.
IBM may use or distribute any of the information you supply in any way it
believes appropriate without incurring any obligation to you.
Licensees of this program who wish to have information about it for the purpose
of enabling: (i) the exchange of information between independently created
programs and other programs (including this one) and (ii) the mutual use of the
information which has been exchanged, should contact:
IBM Corporation
2Z4A/101
11400 Burnet Road
Austin, TX 78758 U.S.A.
Such information may be available, subject to appropriate terms and conditions,
including in some cases, payment of a fee.
The licensed program described in this document and all licensed material
available for it are provided by IBM under terms of the IBM Customer Agreement,
IBM International Program License Agreement or any equivalent agreement
between us.
Any performance data contained herein was determined in a controlled
environment. Therefore, the results obtained in other operating environments may
vary significantly. Some measurements may have been made on development-level
systems and there is no guarantee that these measurements will be the same on
generally available systems. Furthermore, some measurements may have been
estimated through extrapolation. Actual results may vary. Users of this document
should verify the applicable data for their specific environment.
Information concerning non-IBM products was obtained from the suppliers of
those products, their published announcements or other publicly available sources.
IBM has not tested those products and cannot confirm the accuracy of
performance, compatibility or any other claims related to non-IBM products.
Questions on the capabilities of non-IBM products should be addressed to the
suppliers of those products.
All statements regarding IBM's future direction or intent are subject to change or
withdrawal without notice, and represent goals and objectives only.
All IBM prices shown are IBM's suggested retail prices, are current and are subject
to change without notice. Dealer prices may vary.
This information is for planning purposes only. The information herein is subject to
change before the products described become available.
This information contains examples of data and reports used in daily business
operations. To illustrate them as completely as possible, the examples include the
names of individuals, companies, brands, and products. All of these names are
fictitious and any similarity to the names and addresses used by an actual business
enterprise is entirely coincidental.
COPYRIGHT LICENSE:
62
This information contains sample application programs in source language, which

illustrate programming techniques on various operating platforms. You may copy,
modify, and distribute these sample programs in any form without payment to
IBM, for the purposes of developing, using, marketing or distributing application
programs conforming to the application programming interface for the operating
platform for which the sample programs are written. These examples have not
been thoroughly tested under all conditions. IBM, therefore, cannot guarantee or
imply reliability, serviceability, or function of these programs. The sample
programs are provided "AS IS", without warranty of any kind. IBM shall not be
liable for any damages arising out of your use of the sample programs.
Each copy or any portion of these sample programs or any derivative work, must
include a copyright notice as follows:
Portions of this code are derived from IBM Corp. Sample Programs.
Copyright IBM Corp. _enter the year or years_. All rights reserved.
Trademarks
IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of
International Business Machines Corp., registered in many jurisdictions worldwide.
Other product and service names might be trademarks of IBM or other companies.
A current list of IBM trademarks is available on the web at www.ibm.com/legal/
copytrade.shtml.
Adobe, Acrobat, PostScript and all Adobe-based trademarks are either registered
trademarks or trademarks of Adobe Systems Incorporated in the United States,
other countries, or both.
IT Infrastructure Library is a registered trademark of the Central Computer and
Telecommunications Agency which is now part of the Office of Government
Commerce.
Intel, Intel logo, Intel Inside, Intel Inside logo, Intel Centrino, Intel Centrino logo,
Celeron, Intel Xeon, Intel SpeedStep, Itanium, and Pentium are trademarks or
registered trademarks of Intel Corporation or its subsidiaries in the United States
and other countries.
Linux is a trademark of Linus Torvalds in the United States, other countries, or
both.
Microsoft, Windows, Windows NT, and the Windows logo are trademarks of
Microsoft Corporation in the United States, other countries, or both.
ITIL is a registered trademark, and a registered community trademark of The
Minister for the Cabinet Office, and is registered in the U.S. Patent and Trademark
Office.
UNIX is a registered trademark of The Open Group in the United States and other
countries.
Java and all Java-based trademarks and logos are trademarks or registered
trademarks of Oracle and/or its affiliates.
Notices
63
Cell Broadband Engine is a trademark of Sony Computer Entertainment, Inc. in the

United States, other countries, or both and is used under license therefrom.
Linear Tape-Open, LTO, the LTO Logo, Ultrium, and the Ultrium logo are
trademarks of HP, IBM Corp. and Quantum in the U.S. and other countries.
Terms and conditions for product documentation

Permissions for the use of these publications are granted subject to the following
terms and conditions.
Applicability
These terms and conditions are in addition to any terms of use for the IBM
website.
Personal use
You may reproduce these publications for your personal, noncommercial use
provided that all proprietary notices are preserved. You may not distribute, display
or make derivative work of these publications, or any portion thereof, without the
express consent of IBM.
Commercial use
You may reproduce, distribute and display these publications solely within your
enterprise provided that all proprietary notices are preserved. You may not make
derivative works of these publications, or reproduce, distribute or display these
publications or any portion thereof outside your enterprise, without the express
consent of IBM.
Rights
Except as expressly granted in this permission, no other permissions, licenses or
rights are granted, either express or implied, to the publications or any
information, data, software or other intellectual property contained therein.
IBM reserves the right to withdraw the permissions granted herein whenever, in its
discretion, the use of the publications is detrimental to its interest or, as
determined by IBM, the above instructions are not being properly followed.
You may not download, export or re-export this information except in full
compliance with all applicable laws and regulations, including all United States
export laws and regulations.
IBM MAKES NO GUARANTEE ABOUT THE CONTENT OF THESE
PUBLICATIONS. THE PUBLICATIONS ARE PROVIDED "AS-IS" AND WITHOUT
WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING
BUT NOT LIMITED TO IMPLIED WARRANTIES OF MERCHANTABILITY,
NON-INFRINGEMENT, AND FITNESS FOR A PARTICULAR PURPOSE.
64

Product Number: 5725-C45
Printed in USA

Bigfix Patch Suse Ug

Uploaded by

Copyright:

Available Formats

Bigfix Patch Suse Ug

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Bigfix Patch Suse Ug

Uploaded by

Copyright:

Available Formats

IBM Endpoint Manager

Patch Management for SUSE Linux

IBM Endpoint Manager

Patch Management for SUSE Linux

Chapter 2. Manage Download Plug-ins

Chapter 3. Custom repositories

Copyright IBM Corp. 2003, 2015

Chapter 4. Using Patch Management

Chapter 5. SLE Btrfs snapshot

What's new in this update release

Package installation task

Custom repositories can give you the flexibility to control

Use the Install packages by using zypper task to install

Installing packages from

The Install packages by using zypper task is available on

Manage Btrfs filesystem snapshots for endpoints that are

Chapter 5, SLE Btrfs

IBM Endpoint Manager provides the SLE Btrfs Snapshot

SLE Custom Repository

The SLE Btrfs Snapshot Management dashboard is

Rolling back a snapshot

The repository registration feature in the SLE Custom

Copyright IBM Corp. 2003, 2015

Custom repository support

IBM Endpoint Manager now supports custom repositories Chapter 3, Custom

Package manager native

Zypper, which is the default package manager for SLE,

Zypper gives you more flexibility in terms of patch

Supported platforms and updates

Patches for SLE10

SUSE Linux Enterprise Desktop

Patches for SLE11

SUSE Linux Enterprise Desktop

Patches for SLE10

SUSE Linux Enterprise Server 10

Patches for SLE11

SUSE Linux Enterprise Server 11

Patches for SLE 11

SUSE Linux Enterprise Desktop

See Supported packages to

SUSE Linux Enterprise Server 11

Previously listed supported

Previously listed updates.

SUSE Linux Enterprise Server 11 SP3

SUSE Linux Enterprise Server 11 SP2

SUSE Linux Enterprise Server 11 SP2

SUSE Linux Enterprise Server 11

SUSE Linux Enterprise Desktop 11 SP3

Table 4. Supported Novell repositories and packages (continued)

SUSE Linux Enterprise Desktop 11 SP2

SUSE Linux Enterprise Desktop 11 SP1

SUSE Linux Enterprise Desktop 11

SUSE Download cacher

Patching by using the Endpoint Dependency Resolution (EDR)

Patching by using the native tools (Zypper) method

Patching method matrix

v Linux RPM Patching

v Patches for SLE10

v Patches for SLE11

Native tools (Zypper)