This document contains official content from the BMC Software Knowledge Base. It is automatically updated when the knowledge article is modified.
BladeLogic Server Automation Suite
TrueSight Server Automation
TSSA 8.9 SP4 Patch1, TSSA 20.02
After upgrading to TSSA 8.9 SP4 patch1, Windows patch analysis jobs fail with the following error:
- Appserver: 8.9 SP4 patch1
- Target agent: 8.9 SP4 patch1
- Target OS: Windows Server 2008 R2 SP1, 2012 R2, etc.
<job run log>
Error 06/24/2018 13:14:20 STDERR: Error: Encountered error 0x800710dd initializing scanner - The operation identifier is not valid.Possible cause is: Signature verification certificates may not have been installed on this server. Re-run the patching job in debug mode and check log file AnalysisTrace.log for further details. Error: Unable to initialize analysis engine.Error: Analysis failed.
Info 06/24/2018 13:14:20 Analyzer execution complete on server: <target> , exitCode: -3
Certain PKI certificates are missing on the Windows Target Server. New Shavlik content is SHA2-signed, and verifying its signature requires certain PKI certificates to be present on the target.
This 9.3 SDK is SHA-2 signed and the error implies that certain required certificates are not present on the Target Server.
Preferred Method of solving issue:
A TSSA Compliance Template with remediation has been developed by BMC to automatically detect and resolve the issue. The template is attached as WindowsPatchCert.zip.
Please import the template as version neutral according to the readme.txt file, then run discovery and compliance followed by remediation.
P.S. Change the Discovery rule to match your target agent version. The attached template is for 8.9.03 and has the rule below:
??TARGET.OS?? = "Windows" AND ( ??TARGET.AGENT_MAJOR_VERSION*?? = 8 AND ??TARGET.AGENT_MINOR_VERSION*?? <= 9 AND ??TARGET.AGENT_PATCH_VERSION*?? <= 3 )
If you are facing this issue in 8.9.04 patch1, change it as below:
??TARGET.OS?? = "Windows" AND ( ??TARGET.AGENT_MAJOR_VERSION*?? = 8 AND ??TARGET.AGENT_MINOR_VERSION*?? <= 9 AND ??TARGET.AGENT_PATCH_VERSION*?? <= 4 )
Below are manual steps to resolve the issue on the Target Server:
1) Copy the attached zip file ('certificates.zip', containing two certificate files) to the target server and extract it to a temp folder
2) On the target server, go to Start > Run > mmc.exe
3) Select File > Add/Remove Snap-in
4) Select Certificates from the list of available snap-ins and click Add >> choose "Computer account" & Next >> choose "Local computer" >> Finish & OK
5) Under "Trusted Root Certification Authorities\Certificates", check for 'DigiCert Assured ID Root CA'
If it is not there, import it using the attached certificate file, as shown in the screenshot.
After the import, the certificate should be listed there.
6) Under "Intermediate Certification Authorities\Certificates", check for 'DigiCert SHA2 Assured ID Code Signing CA'
If it is not there, import it using the attached certificate file, as shown in screenshot2.
Once the above steps have been completed, re-run the Windows Patch Analysis job and confirm the issue is resolved.
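The checks in steps 5 and 6 can also be run from PowerShell instead of mmc.exe. The script below is an added example, not part of the BMC article or the WindowsPatchCert template; the extraction folder and the two certificate file names are placeholders to replace, and the import uses certutil.exe -addstore.

```powershell
# Added example, not BMC code. Run from an elevated PowerShell prompt on the target.
param(
    [string]$CertDir = 'C:\Temp\certificates',  # assumed folder where certificates.zip was extracted
    [switch]$Import                             # report only unless -Import is given
)

# Names and stores come from steps 5 and 6; the File values are placeholders.
$required = @(
    @{ Name = 'DigiCert Assured ID Root CA'; Store = 'Root'; File = 'ROOT_CERT_FILE_PLACEHOLDER' },
    @{ Name = 'DigiCert SHA2 Assured ID Code Signing CA'; Store = 'CA'; File = 'INTERMEDIATE_CERT_FILE_PLACEHOLDER' }
)

function Find-MachineCert([string]$Store, [string]$Name) {
    # Match the subject CN exactly in the Local Computer store.
    $pattern = '^CN=' + [regex]::Escape($Name) + '(,|$)'
    Get-ChildItem "Cert:\LocalMachine\$Store" | Where-Object { $_.Subject -match $pattern }
}

$missing = 0
foreach ($c in $required) {
    $found = @(Find-MachineCert $c.Store $c.Name)
    if ($found.Count -eq 0 -and $Import) {
        $path = Join-Path $CertDir $c.File
        if (Test-Path -LiteralPath $path) {
            # certutil.exe ships with Windows, including Server 2008 R2.
            certutil.exe -addstore $c.Store $path | Out-Null
            $found = @(Find-MachineCert $c.Store $c.Name)
        } else {
            Write-Warning "Certificate file not found: $path"
        }
    }
    if ($found.Count -eq 0) {
        $missing++
        Write-Output ("MISSING  store={0}  {1}" -f $c.Store, $c.Name)
    }
    foreach ($cert in $found) {
        # Print thumbprint and expiry so they can be compared with the values DigiCert publishes.
        $state = 'OK'
        if ($cert.NotAfter -lt (Get-Date)) { $state = 'EXPIRED' }
        Write-Output ("{0,-8} store={1}  {2}  thumbprint={3}  notAfter={4:yyyy-MM-dd}" -f `
            $state, $c.Store, $c.Name, $cert.Thumbprint, $cert.NotAfter)
    }
}
exit $missing   # 0 = both certificates present
```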
If the issue persists even after applying the certs, or if it started happening after 17-JUL-2019, please update the Windows Patch Catalog and re-run the analysis. The certificate Ivanti signed the patch metadata with expired on 17-JUL-2019. Ivanti has since posted new metadata signed by a valid certificate. Running a Catalog Update Job will pull the new metadata into the catalog and resolve the issue with the expired certificate.