BCM - Error 5 on Patch Inventory process

Version 10
    Share:|

    This document contains official content from the BMC Software Knowledge Base. It is automatically updated when the knowledge article is modified.


    PRODUCT:

    BMC Client Management


    COMPONENT:

    Client Management


    APPLIES TO:

    BCM 12.6



    PROBLEM:

    Patch inventory is not uploaded by BMC Client Management 12.6 agent.

    In mtxagent.log file you can see that Patch inventory scan has started, but has generated an error 5 :

    2017/09/19 09:48:52 PatchManagementPremium           I   [6492] Scanning using software update '2.0.2.xxxx'
    ...
    2017/09/19 09:48:53 PatchManagementPremium           W   [6492] Scan error (5)


    You may  also see this package error 


    2017/10/27 12:17:28 PatchManagementPremium           W   [3848] Package error (5)


    CAUSE:

    Patch inventory scan uses some system certificates. Microsoft has recently modified them to enable SHA 256 signature.


    SOLUTION:

    There are couple of Methods to verify system certificates.

    Method 1: Internet Explorer

    Verify in system certificates list that following certificates are present, valid and have an SHA 256 signature.
    If one of them is missing then you have confirmed the cause of this case :

    In 'Intermediate Certification Authorities' tab :

    User-added image

    - DigiCert SHA2 Assured ID Code Signing CA
    - VeriSign Class 3 Code Signing 2010 CA

    In 'Trusted Root Certification Authorities' tab :

    User-added image
    - DigiCert Assured ID Root CA
    - globalsign
    - VeriSign Class 3 Public Primary Certification Authority - G5
    - Starfield Root Certificate Authority - G2

    If one of them is missing then you can download the attached InstallCertificates_V2.zip file.It contains certificates and a Power script to install them.

    Method 2: MMC

    1. Click Start -> Run -> Enter 'MMC' and click 'OK'

    User-added image

    2. Click File -> Add/Remove Snap-In...

    User-added image


    3. Add Certificate

    User-added image

    4. Select 'Computer Account' option and click 'Next'

    User-added image

    5. Select Local Computer and Finish

    User-added image

    6. Verify certificate is added in the selected snap-ins and then click 'OK'
    User-added image

    7. Start to import Trusted Root Certificate

    User-added image

    8. Click Next

    User-added image

    9. select downloaded Certificate file

    User-added image


    10. verify the location and click Next

    User-added image

    11. Click Finish

    User-added image

    12. Import is complete click 'OK'

    User-added image

    13. verify the imported certificate under 
    In 'Trusted Root Certification Authorities' tab :
    In 'Intermediate Certification Authorities' tab : 

    Screenshot of Intermediate Certification Authorities

    User-added image

    After importing all certificates restart the computer. 

    Note: To install certificate on domain computers we can use Group Policy
     

       
    1. On a domain controller in the forest of the account partner organization, start the Group Policy Management snap-in.

    2.  
    3. Find an existing Group Policy Object (GPO) or create a new GPO to contain the certificate settings. Ensure that the GPO is associated with the domain, site, or organizational unit (OU) where the appropriate user and computer accounts reside.

    4.  
    5. Right-click the GPO, and then click Edit.

    6.  
    7. In the console tree, open Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies, right-click Trusted Root Certification Authorities, and then click Import.
      User-added image

    8.  
    9. On the Welcome to the Certificate Import Wizard page, click Next. (Similar steps we used while importing on computers in Method 2)

    10.  
    11. On the File to Import page, type the path to the appropriate certificate files (for example,C:\Certificates\DigiCert SHA2 Assured ID Code Signing CA_CA.cer), and then click Next.

    12.  
    13. On the Certificate Store page, click Place all certificates in the following store, and then click Next.

    14.  
    15. On the Completing the Certificate Import Wizard page, verify that the information you provided is accurate, and then click Finish.

      Verify all the certificates are imported.
      In 'Trusted Root Certification Authorities' tab :
      In 'Intermediate Certification Authorities' tab : 

      Screenshot of Intermediate Certification Authorities

      User-added image

    16.  
    17. Repeat steps 2 through 6 to add additional certificates for each of the federation servers in the farm.


      Source: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/distribute-certificates-to-client-computers-by-using-group-policy

     


    Article Number:

    000142671


    Article Type:

    Solutions to a Product Problem



      Looking for additional information?    Search BMC Support  or  Browse Knowledge Articles