Configuring options for the TNC Patch Management server
The Trusted Network Connect Patch Management (TNCPM) server integrates with the Service Update Management Assistant (SUMA) and cURL to provide a comprehensive patch management solution.
The TNCPM server must be configured on the Network Installation Management (NIM) server so the TNC clients can be updated.
To enable automatic IBM® Security Advisory and interim fix downloads, you can specify an interim fix interval. This feature provides automatic notification of newly published security interim fixes and the associated Common Vulnerabilities and Exposures (CVE) identifiers. All security advisories and interim fixes are verified before they are registered with the TNC. The IBM AIX® vulnerability public key, which is required to download interim fixes automatically, is available at the IBM AIX Security website. Automatic service pack and interim fix downloads are disabled by setting both the download interval and the interim fix interval to 0.
- To manually register an IBM Security Advisory along with its corresponding interim fixes, enter the following command:
pmconf add -y <advisory file> -v <signature file> -e <ifix tar file>
- To manually register a stand-alone interim fix, enter the following command:
pmconf add -p <SP> -e <ifix file>
- To register a new technology level and to download its latest service pack, enter the following command:
pmconf add -l <TL list>
- To download a service pack that is not the most current version, or to download a technology level to be used for verification and client updates, enter the following commands:
pmconf add -l <TL list>
pmconf add -p <SP List>
- Manually add LPP resources created by NIM to the export directory.
- Manually add /tmp to the export directory.
- To remove the SP list from TNCPM, enter the following command:
pmconf delete -p <SP list>
Note: Remove the resource from the export list before deleting the service pack from TNCPM.
- To register a service pack or technology level fix repository that exists on the system, enter one of the following commands:
pmconf add -s <SP> -p <user_defined_fix_repository>
pmconf add -l <TL> -p <user_defined_fix_repository>
- To configure a system to serve as a patch management server, enter the following command:
pmconf mktncpm [pmport=<port>] tncserver=ip_list[:port]
An example of this command follows:
pmconf mktncpm pmport=20000 tncserver=1.1.1.1:100000
- The TNC Patch Management server supports the management of security Authorized Program Analysis Reports (APARs). To configure the TNC Patch Management server to manage other types of APARs, enter the following command:
pmconf modify -t <APAR_type_list>
In the previous example, <APAR_type_list> is a comma-separated list that contains one or more of the following APAR types:
- HIPER
- PE
- Enhancement
- To manage the TNCPM Open Package Repositories, enter one or more of the following commands:
pmconf add -o <package name> -V <version> -T [installp|rqm] -D <User defined path>
pmconf delete -o <package name> -V <version>
pmconf list -o <package name> -V <version>
pmconf list -O [-c] [-q]
Open Packages are added to this default directory: /var/tnc/tncpm/fix_repository/packages. <User defined path> is the package location on the system.
- To display descriptive information about the security fixes for a specific Service Pack Level, without downloading the fixes or applying them to the repository, enter the following command:
pmconf get -L -p <SP>
For example:
pmconf get -L -p 7200-01-01
- To download security fixes for a specific Service Pack Level, without applying the fixes to the repository, enter the following command:
pmconf get -p <SP> -D <download directory>
Note: The download directory must exist before you run this command. For example:
pmconf get -p 7200-01-01 -D /tmp/ifixes_7200-01-01
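The note above is the one precondition in this list that pmconf does not create for you: the download directory must already exist. The following wrapper, an added example that is not part of the IBM documentation or of pmconf itself, checks that precondition and the service pack level format (VRMF-TL-SP, as in the page's 7200-01-01) before it calls pmconf get. The PMCONF variable is an assumption so the wrapper can be exercised on a host without a TNCPM server.

```sh
#!/bin/sh
# Added example, not part of the IBM documentation or the pmconf tool.
# Wrapper around "pmconf get -p <SP> -D <download directory>" that enforces the
# documented precondition (the download directory must already exist) and checks
# the service pack level format before pmconf is invoked.
# PMCONF is an assumed environment override so the wrapper can be exercised on a
# host without a TNCPM server (for example PMCONF=true for a dry run).
PMCONF="${PMCONF:-pmconf}"

# Service pack levels on this page take the form VRMF-TL-SP, e.g. 7200-01-01.
valid_sp_level() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# Download the security fixes for one service pack level into an existing directory.
# Return codes: 0 success, 2 bad SP level, 3 missing directory, otherwise pmconf's status.
fetch_sp_fixes() {
    sp="$1"
    dir="$2"
    if ! valid_sp_level "$sp"; then
        echo "fetch_sp_fixes: invalid service pack level '$sp' (expected e.g. 7200-01-01)" >&2
        return 2
    fi
    if [ ! -d "$dir" ]; then
        echo "fetch_sp_fixes: download directory '$dir' does not exist; create it first" >&2
        return 3
    fi
    "$PMCONF" get -p "$sp" -D "$dir"
}

# Usage: sh fetch_sp_fixes.sh 7200-01-01 /tmp/ifixes_7200-01-01
if [ $# -eq 2 ]; then
    fetch_sp_fixes "$1" "$2"
fi
```

The distinct return codes let a cron job or NIM post-script tell a typo in the level apart from a missing directory without parsing pmconf's own messages.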
The TNC Patch Management server supports the syslog command for logging the download of service packs and technology levels and for client update events. The facility is user and the severity level is info, so the syslog selector is user.info.
The TNC Patch Management server also maintains a log with all of the client updates in the /var/tnc/tncpm/log/update/<ip>/<timestamp> directory.
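The two logging channels just described are what an operator monitors to confirm that downloads and client updates actually happen. The helpers below are an added example, not part of the IBM documentation: one routes the user.info selector to a dedicated file in syslog.conf, the other lists the newest entry under /var/tnc/tncpm/log/update/<ip>/ for every client. The log file path /var/log/tncpm.log is an assumption, as is the assumption that the <timestamp> names sort chronologically as plain strings.

```sh
#!/bin/sh
# Added example, not part of the IBM documentation. Two helpers for the logging
# channels described above: the syslog facility/severity user.info and the
# per-client update log tree /var/tnc/tncpm/log/update/<ip>/<timestamp>.
# Assumptions: the log file path /var/log/tncpm.log, and that <timestamp>
# directory names sort chronologically when compared as plain strings.

# Route user.info messages to a dedicated file. AIX syslogd does not create log
# files, so the file is created first. After editing the real /etc/syslog.conf run:
#   refresh -s syslogd
enable_tncpm_syslog() {
    conf="${1:-/etc/syslog.conf}"
    logfile="${2:-/var/log/tncpm.log}"
    touch "$logfile" || return 1
    # Idempotent: add the selector only if no user.info line is present yet.
    if ! grep -q '^user\.info[[:space:]]' "$conf" 2>/dev/null; then
        printf 'user.info\t%s\n' "$logfile" >> "$conf"
    fi
}

# Print "<ip> <latest timestamp>" for every client that has an update log,
# so an operator can see at a glance when each client was last updated.
latest_client_updates() {
    base="${1:-/var/tnc/tncpm/log/update}"
    for client in "$base"/*/; do
        [ -d "$client" ] || continue
        ip=$(basename "$client")
        latest=$(ls "$client" | sort | tail -n 1)
        if [ -n "$latest" ]; then
            printf '%s %s\n' "$ip" "$latest"
        fi
    done
}

# Usage: latest_client_updates            # real log tree on the TNCPM server
#        latest_client_updates /some/dir  # any tree with the same layout
```

Clients that are missing from the listing, or whose newest timestamp is older than the update interval you expect, are the ones to check first after a service pack is registered.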
Downloading ifix data from FLRT JSON files
PowerSC generally downloads advisories and ifixes from https://aix.software.ibm.com/aix/efixes/security/. However, for some packages such as openssl, the advisories can be vague and not provide enough information to process and generate XML files with metadata. For these products, PowerSC can use Fix Level Recommendation Tool (FLRT) JSON files to improve patch management accuracy through TNC. FLRT provides cross-product compatibility information and fix recommendations for IBM products.
The packages are listed in /etc/custom_pkgs.conf, one package name per line, for example:
bind
openssl
:
:
If /etc/custom_pkgs.conf is configured, PowerSC downloads ifix data from FLRT JSON files for the packages defined in the conf file.
Downloading HIPER fixes
You can edit the tncpm.conf file to download High Impact PERvasive (HIPER) fixes.
- Install the libstdc++11-11.3.0-1 library from the AIX toolbox on the TNC Patch Management server. You can use yum or dnf to install the library.
- Change directory (cd) to /opt/freeware/lib:
cd /opt/freeware/lib
- Create the needed symbolic link (the path shown is for AIX 7.2):
mv libstdc++.a libstdc++.a.10
ln -s gcc/powerpc-ibm-aix7.2.0.0/11/libstdc++.a
For AIX 7.3, use the following ln command instead:
ln -s gcc/powerpc-ibm-aix7.3.0.0/11/libstdc++.a
- Edit /etc/tncpm.conf and change hiper_download to yes. hiper_download is set to no by default:
hiper_download : yes
- Save the change.
- The /usr/sbin/tncpm_hiper_download script uses a predefined JSON file that contains a list of HIPER ifixes, and parses that file to download each ifix and the metadata related to that fix. You do not need to change the /usr/sbin/tncpm_hiper_download script.
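The library and configuration steps above are easy to get half-done: the mv step fails if it is repeated, and a second edit of tncpm.conf can leave two hiper_download lines. The script below is an added example, not IBM's code, that performs those steps idempotently after libstdc++11 has been installed. Paths default to the ones on this page; the gcc subdirectory argument selects the AIX 7.2 or 7.3 path.

```sh
#!/bin/sh
# Added example, not part of the IBM documentation. Performs the post-install steps
# of the HIPER download procedure above idempotently: back up the existing
# libstdc++.a, create the symbolic link to the toolbox GCC 11 library, and set
# hiper_download to yes in tncpm.conf. Installing libstdc++11 with yum/dnf is left
# to the administrator. Directory and file arguments default to the paths on this
# page; the gcc subdirectory must match the AIX level (7.2.0.0 or 7.3.0.0).

# link_libstdcxx <libdir> <gcc subdirectory>
# Runs in a subshell so the cd does not change the caller's directory.
link_libstdcxx() (
    libdir="$1"
    gccsub="$2"
    cd "$libdir" || return 1
    if [ ! -f "$gccsub/libstdc++.a" ]; then
        echo "link_libstdcxx: $libdir/$gccsub/libstdc++.a not found; is libstdc++11 installed?" >&2
        return 2
    fi
    if [ -L libstdc++.a ]; then
        # Already a symbolic link (procedure applied earlier); leave it alone.
        return 0
    fi
    # Keep the original archive as libstdc++.a.10, as the procedure does.
    if [ -e libstdc++.a ]; then
        mv libstdc++.a libstdc++.a.10 || return 1
    fi
    ln -s "$gccsub/libstdc++.a" libstdc++.a
)

# set_hiper_download <conf file>: switch hiper_download from no to yes,
# rewriting the existing line rather than appending a second one.
set_hiper_download() {
    conf="${1:-/etc/tncpm.conf}"
    if grep -q '^hiper_download[[:space:]]*:' "$conf" 2>/dev/null; then
        sed 's/^hiper_download[[:space:]]*:.*/hiper_download : yes/' "$conf" > "$conf.tmp" \
            && mv "$conf.tmp" "$conf"
    else
        printf 'hiper_download : yes\n' >> "$conf"
    fi
}

# hiper_download_enabled <conf file>: succeed only if the setting is yes.
hiper_download_enabled() {
    grep -q '^hiper_download[[:space:]]*:[[:space:]]*yes[[:space:]]*$' "${1:-/etc/tncpm.conf}"
}

# Usage on a TNCPM server (AIX 7.2 shown; use gcc/powerpc-ibm-aix7.3.0.0/11 on AIX 7.3):
#   link_libstdcxx /opt/freeware/lib gcc/powerpc-ibm-aix7.2.0.0/11
#   set_hiper_download /etc/tncpm.conf
```

Running link_libstdcxx before the toolbox package is installed returns 2 and leaves the original libstdc++.a in place, so the system library is never renamed without a replacement to link to.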