Fujitsu SCUP catalog cannot be imported

Posted on Updated on

In System Center Updates Publisher (SCUP) 2011 there are some catalog references present by default, i.e. under “My Catalogs” in the pane “Catalogs”. If you select such a reference you can issue the command Import, which lets you import the catalog behind the reference, meaning the catalog is downloaded and the updates mentioned in the catalog are added to SCUP (well, actually the metadata of each of those updates is added). When added, you can view them in the pane “Updates” under “Overview”\”All Software Updates”\[NEW FOLDER FOR THE CATALOG’s UPDATES]. All this seems to work great, except for the catalog “Fujitsu PRIMERGY Updates Catalog” from publisher “Fujitsu Technology Solutions GmbH” (so from the company Fujitsu)… The catalog targets Fujitsu PRIMERGY servers.

Figure 1

The problem is the download URL of the catalog (https://support.ts.fujitsu.com/GFSMS/globalflash/FJSVUMCatalogForSCCM.cab), which is a cabinet file (CAB file, with the .cab file extension), explaining why the import fails at the download stage. If you type the URL into a web browser, typically you’ll see you won’t be able to download the file immediately, because a security warning will be shown. The cause of this is the web server certificate.

Figure 2

You can see the URL is HTTPS based, meaning SSL/TLS is used and thus a web server certificate is used. Typically a few certificate checks are performed (for example, to see if the certificate hasn’t expired yet), one of them checking if a trusted certificate chain can be built, all the way up to a trusted root CA. The web server certificate used is named “*.ts.fujitsu.com” (the asterisk indicates this is a wildcard certificate), issued by the CA “GeoTrust SSL CA”. The latter is an intermediate CA, because it’s issued by another CA, called “GeoTrust Global CA”. By default Windows Server 2008 R2 (which I am using) doesn’t know about that latest CA and as the 2nd certificate doesn’t contain an AIA field (Authority Information Access) to locate and download its issuer’s certificate, no certificate chain can be built.

Figure 3

Figure 4

The good news is you can change that. If you download the certificate for “GeoTrust Global CA” (http://www.geotrust.com/resources/root-certificates) and put it in the Trusted Root Certification Authorities certificate store of Windows (user or computer level, depending on what you want), the chain to a trusted root CA can be built (yes, “GeoTrust Global CA” is a root CA). After this step the catalog can be downloaded in 1 step and thus also automatically, meaning the import runs fine. After the import you will see the folder “Fujitsu” and 2 subfolders under “Overview”\”All Software Updates” in the “Updates” pane. You can continue your work J

Figure 5

Figure 6

(Please note that there could be other possible causes for a failure and that on some systems this error perhaps doesn’t occur. I’m talking about 1 scenario and I’m not saying this is always the case. The only thing I’m sure of is that on Windows Server 2008 R2 this is the default situation, because of the fact that the root CA mentioned here is not a trusted root CA on this OS.)

(Also note you can download the catalog manually and then add a reference to it, but that’s more of a workaround than a real solution. So I prefer my solution described above J)

(You can check the web server certificate in Internet Explorer (IE) through the menu command File – Properties and then pressing the button “Certificates”. This only works AFTER you have clicked “Continue to this website (not recommended)”. When downloading a file this is a problem, but instead you can use the Fujitsu support page (https://support.ts.fujitsu.com) to achieve the same.)

Pedro

Links:

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s