BCM - Patch KB can not be updated or Patch Inventory can not be generated because some certificates are missing or out of date (error 5)

Version 27

    This document contains official content from the BMC Software Knowledge Base. It is automatically updated when the knowledge article is modified.


    PRODUCT:

    BMC Client Management


    COMPONENT:

    Client Management


    APPLIES TO:

    BCM 12.6 and higher versions



    PROBLEM:

    The Patch KB update process fails, or the Patch Inventory is not updated for devices.

    When the Patch KB update process fails, the following entries appear in the log file of your Patch Manager device:

    2019/07/19 10:13:44 PatchManagementPremium           I   [10044] Running software update (remote)
    2019/07/19 10:13:46 PatchManagementPremium           ERR [10044] Failed to update Patch knowledge base. Check first if all certificates are correctly installed.

    For the Patch Inventory issue, the following entries appear in your client log file when you request a Patch Inventory:

    2019/07/19 10:33:50 PatchManagementPremium           I   [10044] Scanning using software update '2.0.2.7996'
    2019/07/19 10:33:50 PatchManagementPremium           ERR [10044] Scan error (5)
    2019/07/19 10:33:50 PatchManagementPremium           ERR [10044] Failed to scan machine. Check first if all certificates are correctly installed.

    You may also find the following message after a patch installation attempt:

    2017/10/27 12:17:28 PatchManagementPremium           W   [3848] Package error (5)


    CAUSE:

    The patch engine relies on certain system certificates. Microsoft has recently modified them to enable SHA-256 signatures.


    SOLUTION:

    The solution depends on when the issue occurs:

    1) You have just installed BMC Client Management or upgraded from a version older than 12.6 to a version higher than 12.5:

      A) There are several methods to manually verify system certificates.
      
      Method 1: Internet Explorer 
     
    Verify in the system certificates list that the following certificates are present, valid and have a SHA-256 signature.
    If one of them is missing, you have confirmed the cause of this case:
     
    In 'Intermediate Certification Authorities' tab :  
     
    - DigiCert SHA2 Assured ID Code Signing CA  
    - VeriSign Class 3 Code Signing 2010 CA  
     
    In 'Trusted Root Certification Authorities' tab :  
     
    - DigiCert Assured ID Root CA  
    - globalsign  
    - VeriSign Class 3 Public Primary Certification Authority - G5  
    - Starfield Root Certificate Authority - G2  
     
    If one of them is missing, you can download the attached InstallCertificates_V2.zip file. It contains the certificates and a PowerShell script to install them.
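
    The same check can be scripted instead of done by eye. The following is an added example, not BMC's script and not the one shipped in InstallCertificates_V2.zip; it assumes the LocalMachine stores are the relevant ones and matches certificates by the prefix of their "Issued To" name.

```powershell
# Added example: audit the machine certificate stores for the CAs named in this article.
# Assumption: the LocalMachine stores are the ones that matter (the same stores
# Method 2 opens through MMC with the 'Computer Account' option).
$expected = @(
    @{ Store = 'CA';   Name = 'DigiCert SHA2 Assured ID Code Signing CA' }
    @{ Store = 'CA';   Name = 'VeriSign Class 3 Code Signing 2010 CA' }
    @{ Store = 'Root'; Name = 'DigiCert Assured ID Root CA' }
    @{ Store = 'Root'; Name = 'GlobalSign' }
    @{ Store = 'Root'; Name = 'VeriSign Class 3 Public Primary Certification Authority - G5' }
    @{ Store = 'Root'; Name = 'Starfield Root Certificate Authority - G2' }
)
$simpleName = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
$now = Get-Date

$report = foreach ($e in $expected) {
    # Compare against the "Issued To" name; the trailing wildcard (an assumption of
    # this example) tolerates variants such as "GlobalSign Root CA".
    $found = @(Get-ChildItem -Path "Cert:\LocalMachine\$($e.Store)" |
        Where-Object { $_.GetNameInfo($simpleName, $false) -like "$($e.Name)*" })

    if ($found.Count -eq 0) {
        [pscustomobject]@{ Store = $e.Store; Name = $e.Name; Status = 'MISSING'
                           NotAfter = $null; Signature = $null; Thumbprint = $null }
    }
    foreach ($c in $found) {
        # Validity is judged on the certificate's own dates only, not on chain trust.
        $status = 'VALID'
        if ($c.NotBefore -gt $now) { $status = 'NOT YET VALID' }
        if ($c.NotAfter  -lt $now) { $status = 'EXPIRED' }
        [pscustomobject]@{ Store = $e.Store; Name = $e.Name; Status = $status
                           NotAfter   = $c.NotAfter
                           Signature  = $c.SignatureAlgorithm.FriendlyName
                           Thumbprint = $c.Thumbprint }
    }
}

# Compare the Signature column with the SHA-256 requirement stated above.
$report | Format-Table -AutoSize

$problems = @($report | Where-Object { $_.Status -ne 'VALID' })
if ($problems.Count -gt 0) {
    Write-Warning "$($problems.Count) entries are missing, expired or not yet valid."
}
```

    Reading the LocalMachine stores does not require elevation, so the script can be run on a sample of affected and healthy devices to compare results before any certificate is imported.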
     
     
      Method 2: MMC 
     
    1. Click Start -> Run, enter 'MMC' and click 'OK'.

    2. Click File -> Add/Remove Snap-In...

    3. Add the 'Certificates' snap-in.

    4. Select the 'Computer Account' option and click 'Next'.

    5. Select Local Computer and click Finish.

    6. Verify that the certificate snap-in is listed in the selected snap-ins, then click 'OK'.

    7. Start the import of the Trusted Root certificate.

    8. Click Next.

    9. Select the downloaded certificate file.

    10. Verify the location and click Next.

    11. Click Finish.

    12. When the import is complete, click 'OK'.

    13. Verify the imported certificates in the 'Trusted Root Certification Authorities' and 'Intermediate Certification Authorities' tabs.

    [Screenshot: Intermediate Certification Authorities]

    After importing all certificates, restart the computer.
     
     
      Method 3: GPO 
     
    To install the certificates on domain computers, you can use Group Policy.

    1. On a domain controller in the forest of the account partner organization, start the Group Policy Management snap-in.
    2. Find an existing Group Policy Object (GPO) or create a new GPO to contain the certificate settings. Ensure that the GPO is associated with the domain, site, or organizational unit (OU) where the appropriate user and computer accounts reside.
    3. Right-click the GPO, and then click Edit.
    4. In the console tree, open Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies, right-click Trusted Root Certification Authorities, and then click Import.
    5. On the Welcome to the Certificate Import Wizard page, click Next. (The steps are similar to those used when importing on a computer in Method 2.)
    6. On the File to Import page, type the path to the appropriate certificate files (for example, C:\Certificates\DigiCert SHA2 Assured ID Code Signing CA_CA.cer), and then click Next.
    7. On the Certificate Store page, click Place all certificates in the following store, and then click Next.
    8. On the Completing the Certificate Import Wizard page, verify that the information you provided is accurate, and then click Finish.

    Verify that all the certificates are imported in the 'Trusted Root Certification Authorities' and 'Intermediate Certification Authorities' tabs.

    [Screenshot: Intermediate Certification Authorities]

    Repeat steps 2 through 6 to add additional certificates for each of the federation servers in the farm.


    Source: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/distribute-certificates-to-client-computers-by-using-group-policy

      



    B) Once you have manually verified that importing the certificates solves your incident, you can use the following document to create an operational rule that applies those certificates on your devices.

    https://communities.bmc.com/docs/DOC-109195#

      

     

      

    2) You are running BMC Client Management 12.6 or a more recent version and patch inventories are suddenly no longer generated:

    This is not linked to your system but to the Patch KB update, which is signed with a certificate that has just expired.

    You can solve this issue by:

    - performing a manual update of the Patch KB with this procedure.

    - deleting the contents of the directory \data\PatchManagementPremium\workspace on your Patch Manager device only (to do so, you can use the attached RO-Patch-error-5.xml rule).

    Once this is done, the patch update process can be executed with no error.


    Note (July 23rd): a new, correctly signed Patch KB is already available, and the Patch KB update should no longer fail.

     


    Article Number:

    000142671


    Article Type:

    Solutions to a Product Problem


