Walkthrough: Setting up and managing an offline patch catalog for Windows

This topic is intended for system administrators or patch administrators in charge of performing patching for Windows servers in an environment that does not have access to the internet.

The following video demonstrates the process of creating an offline patch catalog for Windows:

  https://youtu.be/B2z_ouU_nME

Introduction

This topic is intended for system and patch administrators. It demonstrates how to organize patch information by setting up a central location for storing metadata about a type of patch. BMC Server Automation calls these locations patch catalogs. By creating patch catalogs customized to your needs, it becomes easier to select the patches you want to evaluate on servers.

What is a patch catalog?

A patch catalog provides a place to store metadata about patches and the patch payloads themselves. Patch catalogs can be designed for specific needs. For example, a patch catalog can be used for a particular operating system, such as Microsoft Windows Server 2008 or 2012. With well-designed patch catalogs, it is easier to select the patches that should be used when evaluating the patch configuration of a particular server.

What does this walkthrough show?

This walkthrough shows how to download Windows patches from the Ivanti (formerly Shavlik) website to any server that has internet access, using the offline downloader utility shipped with BMC Server Automation. After downloading the Windows patches, you transfer the metadata and payload files on removable storage to the patch repository within the air-gapped environment and perform patching operations from there.

  • Download the payload and metadata from Ivanti (formerly Shavlik) to any server that has internet access.

    In this walkthrough, we are using BMC Server Automation 8.7 and will download the patch payload and metadata to a Linux server.

  • Use filters to limit the amount of information added to the catalog.
  • Schedule the catalog update job to run at a particular time in the future and set up notifications for the patch administrator in charge of Windows patching.

What do I need to do before I get started?

For this walkthrough, you must have the following:

  • An air-gapped environment that uses BMC Server Automation 8.6 or later to manage its Windows servers.
  • Any server with access to the internet. In this walkthrough we will be using a Linux server to download the patch payload from the Ivanti site.

  • From the BMC Software Electronic Product Distribution (EPD) website, download and extract the installer package (BBSA<version>-<platform>64) to the machine on which you want to download the payload and metadata. For steps on downloading installer package files from the EPD website, see Downloading the installation files.

    Extract the BBSA<version>-<platform>64 installer package that you have downloaded from the EPD, and navigate to either of the following directories:

    • If you are planning to download the patch payload and metadata on Linux: <installer-path>/Disk1/files/installers/other_files/All-OS-Patch-Downloaders-linux-build-<bsaVersion>

    • If you are planning to download the patch payload and metadata on Windows: <installer-path>/Disk1/files/installers/other_files/All-OS-Patch-Downloaders-windows-build-<bsaVersion>

      Note

      In this walkthrough, we will use the offline downloader utilities in the first directory path, because we are downloading the patch payload on a Linux machine.

Step 1: How to add configuration settings and filter information to the sample XML file

The first step is to prepare the configuration file, which contains the XML settings used by the Patch Downloader utility. The configuration file must contain the download settings and the patch filter information described below. You can also enter proxy server information if you use a proxy.


The product provides sample configuration files in the installer package at <installer-path>/Disk1/files/installers/other_files/All-OS-Patch-Downloaders-linux-build-<bsaVersion>/sample-downloader-config-files/.

Edit the sample XML configuration file (sample-windows-downloader-config.xml) provided by BMC, and add the following XML tags based on your requirements:

  1. (Optional) Add proxy information using the following XML tags:

     <protocol></protocol>
         The protocol for which to assign the proxy configuration. Valid values are http, https, and ftp.

     <port></port>
         The port used for communication with the proxy server.

     <host></host>
         The proxy server's host name or IP address.

     <username></username>
         The user name required for authentication to the proxy server.

     <password></password>
         The encrypted password for the specified user. Do not put the clear-text password in the file. If you are using a proxy server, use the following command to encrypt the password that the Patch Downloader utility supplies to the proxy server, and specify the resulting value in the <password></password> element.

         If you are running the downloader on Microsoft Windows:

         windows_downloader.bat -encode <passwordToEncrypt>

         If you are running the downloader on UNIX:

         sh windows_downloader.sh -encode <passwordToEncrypt>

         Because the downloader must recover the password to authenticate to the proxy, this protects the file only against casual reading. Restrict read access to the configuration file to the account that runs the downloader.

     <domain-name></domain-name>
         The proxy server domain name to be used for authentication.

     <proxy-type></proxy-type>
         The type of proxy server. Valid values are:

         • None (no proxy server is used)
         • NTLM
         • NTLM-v2
         • Squid

     Example of proxy information in the configuration file:

     <proxy-settings>
          <proxy>
            <protocol>http</protocol>
            <port>8080</port>
            <host>_IPAddress_</host>
            <username>patch</username>
            <password>NWKIPRTPCWEB</password>
            <domain-name></domain-name>
            <proxy-type>ntlm</proxy-type>
          </proxy>
      </proxy-settings>

     Note

     If you are not using a proxy server and decide to delete the contents of the proxy-settings section, do not delete the <proxy-settings></proxy-settings> opening and closing tags. This section is required in the XML file even if you are not using a proxy server.

  2. Define download settings using the following XML tags:

     <temporary-location></temporary-location>
         Location where files can be stored temporarily during the download process (for example, /tmp).

     <validate-payload-certificate>true|false</validate-payload-certificate>
         Indicates whether the download utility checks the certificate of the patch payload before download. Valid entries are true or false. The default is true. Leave it set to true: turning it off removes the certificate check on every payload that you will carry into the air-gapped environment and deploy to your servers.

     <payload-repository-location></payload-repository-location>
         Local location of the patch payload repository where metadata and payload are downloaded and stored. The following files are stored in this location:

         • hf7b.xml
         • pd5.xml
         • OemCatalog.zip

     <download-request-retries></download-request-retries>
         Number of times the download utility retries a download if the first attempt at downloading a payload fails. The default is 10.

     <download-request-timeout></download-request-timeout>
         Number of milliseconds that the utility waits for a response before considering the attempt failed. This parameter is useful if the HTTP response is slow. The default is 180000 milliseconds (3 minutes).

     <downloader-parallel-threads></downloader-parallel-threads>
         Number of downloads that can be performed in parallel. The default is 10.

     Example of download settings in the configuration file:

     <temporary-location>/tmp</temporary-location>
     <validate-payload-certificate>true</validate-payload-certificate>
     <payload-repository-location>/home/Payload_location</payload-repository-location>
     <download-request-retries>10</download-request-retries>
     <download-request-timeout>180000</download-request-timeout>
     <downloader-parallel-threads>10</downloader-parallel-threads>
  3. Obtain a list of supported products and languages for Windows patches using the following command. Use these product names and languages when you add patch filter information to the configuration file in the next step.

     sh windows_downloader.sh -listProducts

  4. Specify filters to limit the patches downloaded into the catalog.

     For example, to create a filter for the Microsoft Windows Server 2012 product category and the English language, enter the product name and language of the patches within the <product-category> and <product-category-language> XML tags.

     XML code of filter information appended to the configuration file:

     <subscription>
         <products>
           <include-product>
             <product-category>Microsoft Windows Server 2012</product-category>
             <product-category-language>English</product-category-language>
           </include-product>
           <include-product>
             <product-category>Microsoft Office 2016</product-category>
             <product-category-language>English</product-category-language>
           </include-product>
         </products>
     </subscription>

     Note

     The same filters entered here must also be entered during catalog creation in the console.

  5. Save the configuration file. The sample file shipped with the installer (sample-windows-downloader-config.xml) shows the complete structure and can be used as a reference.
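A pre-flight check for the finished configuration file, added here as an example; it is not part of the original page or of BMC's tooling. It checks only the constraints the walkthrough states: the proxy-settings element must be present even when empty, payload certificate validation must stay on, the repository location must be set, and every include-product filter needs both a product category and a language. The constructed sample it writes uses an assumed <downloader-config> root element as a placeholder; in a real file keep the root element and layout of the vendor's sample-windows-downloader-config.xml.

```shell
#!/bin/sh
# Added example (not BMC's code): lint the Patch Downloader configuration file
# before running "sh windows_downloader.sh -configFile <file>".
# Assumption: element names appear literally as in the walkthrough; the
# <downloader-config> root in write_sample_config is a placeholder.

# lint_downloader_config FILE
# Prints one line per problem found; returns 1 if any problem was found.
lint_downloader_config() {
  f="$1"
  rc=0
  [ -r "$f" ] || { echo "cannot read $f"; return 1; }

  # <proxy-settings></proxy-settings> must remain even without a proxy.
  grep -q '<proxy-settings>' "$f" && grep -q '</proxy-settings>' "$f" \
    || { echo "proxy-settings element is missing (keep it even without a proxy)"; rc=1; }

  # Certificate validation of the payload must stay on: everything that passes
  # the downloader is carried into the air-gapped environment and deployed.
  if grep -q '<validate-payload-certificate>[[:space:]]*false' "$f"; then
    echo "validate-payload-certificate is false; set it to true"; rc=1
  fi

  # The repository location and at least one product filter are required.
  grep -q '<payload-repository-location>[^<]' "$f" \
    || { echo "payload-repository-location is empty"; rc=1; }
  grep -q '<product-category>[^<]' "$f" \
    || { echo "no <product-category> filter"; rc=1; }

  # Every include-product needs a matching product-category-language.
  cats=$(grep -c '<product-category>' "$f" || true)
  langs=$(grep -c '<product-category-language>' "$f" || true)
  [ "$cats" -eq "$langs" ] \
    || { echo "every include-product needs product-category and product-category-language"; rc=1; }

  return $rc
}

# write_sample_config FILE REPO_DIR
# Writes a constructed configuration in the shape the walkthrough describes:
# empty proxy section, download settings, and the two product filters.
write_sample_config() {
  cat > "$1" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<downloader-config>
  <proxy-settings></proxy-settings>
  <temporary-location>/tmp</temporary-location>
  <validate-payload-certificate>true</validate-payload-certificate>
  <payload-repository-location>$2</payload-repository-location>
  <download-request-retries>10</download-request-retries>
  <download-request-timeout>180000</download-request-timeout>
  <downloader-parallel-threads>10</downloader-parallel-threads>
  <subscription>
    <products>
      <include-product>
        <product-category>Microsoft Windows Server 2012</product-category>
        <product-category-language>English</product-category-language>
      </include-product>
      <include-product>
        <product-category>Microsoft Office 2016</product-category>
        <product-category-language>English</product-category-language>
      </include-product>
    </products>
  </subscription>
</downloader-config>
EOF
}
```

Run `lint_downloader_config /path/to/windows-downloader-config.xml` on the connected machine before invoking the downloader; a non-zero exit and the printed lines tell you what to fix. The checks are deliberately textual so they work with the same /bin/sh that runs windows_downloader.sh.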

Step 2: How to create a Windows patch catalog



1. Navigate to the Windows offline downloader utility in the extracted installer package:

   <installer-path>/Disk1/files/installers/other_files/All-OS-Patch-Downloaders-linux-build-<bsaVersion>

   Where <installer-path> is the path to the extracted installer package on the Linux payload machine.

2. Run the offline downloader utility and pass the location of the configuration file as a parameter:

   sh windows_downloader.sh -configFile <downloaderConfigurationFilePath>

   Where <downloaderConfigurationFilePath> is the location of the configuration file used by the Patch Downloader.

3. The Windows patch payload is downloaded to the payload repository location that you defined in the configuration file. The payload location should contain the following files:

   • hf7b.xml
   • pd5.xml
   • OemCatalog.zip

   Important: In this walkthrough we use the same Linux payload machine to host the repository location. In an air-gapped environment, transfer the metadata and payload files on removable storage to the patch repository server inside the air-gapped environment.

   If the offline downloader did not execute successfully: if your repository server is a 64-bit Linux machine and you are using BMC Server Automation 8.7, you may see the following error when running the offline downloader:

   java: /lib/ld-linux.so.2: bad ELF interpreter: No such file or directory

   This error means the java binary the script invokes is a 32-bit executable and the 32-bit loader is not installed. To resolve the issue, do either of the following:

   • Install the glibc.i686 (or glibc.i386) package and run the offline downloader again.
   • Install a 64-bit JRE 1.8 on the Linux machine and point the offline downloader script to it.

   To troubleshoot other issues with the offline downloader, see Troubleshooting Patch Management issues.

4. Add the following files to a location in the Depot after each execution of the offline downloader utility. For information about adding files to the Depot, see Adding files to the Depot.

   • hf7b.xml
   • pd5.xml
   • OemCatalog.zip
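Before the files go onto removable storage (step 3) and again before they are added to the Depot (step 4), check that the repository is complete and has not been altered in transit. The following script is an added example and not part of the original page or of BMC's tooling: on the connected machine, make_manifest confirms that hf7b.xml, pd5.xml and OemCatalog.zip are present and writes a SHA-256 manifest covering every file under the repository directory; on the air-gapped side, verify_manifest recomputes the hashes. It assumes sha256sum (GNU coreutils) or "shasum -a 256" is installed on both machines and that the payload tree lives under the same directory as the three metadata files.

```shell
#!/bin/sh
# Added example (not BMC's code): integrity checks for moving the payload
# repository across the air gap on removable storage.
# Assumptions: sha256sum or shasum is available; the repository directory
# holds the three metadata files plus the downloaded payload tree.

REQUIRED_FILES="hf7b.xml pd5.xml OemCatalog.zip"
MANIFEST="SHA256SUMS"

# Use whichever SHA-256 tool the machine has; both share the "-c" check format.
sha256_tool() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$@"
  else
    shasum -a 256 "$@"
  fi
}

# check_payload_dir DIR: returns 1 if any file the catalog wizard needs is
# missing or empty.
check_payload_dir() {
  dir="$1"; rc=0
  for f in $REQUIRED_FILES; do
    [ -s "$dir/$f" ] || { echo "missing or empty: $dir/$f" >&2; rc=1; }
  done
  return $rc
}

# make_manifest DIR: connected side. Hashes every regular file under DIR
# (metadata files and payload tree) and writes DIR/SHA256SUMS, sorted by path.
make_manifest() {
  dir="$1"
  check_payload_dir "$dir" || return 1
  ( cd "$dir" && find . -type f ! -name "$MANIFEST" -print \
      | while IFS= read -r path; do sha256_tool "$path"; done \
      | LC_ALL=C sort -k 2 ) > "$dir/$MANIFEST"
}

# verify_manifest DIR: air-gapped side. Fails if the manifest is absent, a
# required file is missing or empty, or any listed file no longer matches.
verify_manifest() {
  dir="$1"
  [ -s "$dir/$MANIFEST" ] || { echo "no $MANIFEST in $dir" >&2; return 1; }
  check_payload_dir "$dir" || return 1
  ( cd "$dir" && sha256_tool -c "$MANIFEST" >/dev/null )
}
```

Run `make_manifest /home/Payload_location` on the connected machine just before copying the directory to the removable storage, and `verify_manifest <copied-directory>` on the repository server before step 4. The manifest detects corruption and alteration between the two checks, but anyone who can rewrite the files on the media can rewrite SHA256SUMS too, so either record the manifest's own hash through a second channel or sign the manifest before the media leaves the connected machine.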


5. Perform the following:

   1. In the console Folders view, expand the Depot folder.
   2. Navigate to an existing folder or create a new folder for the patch catalog. This walkthrough uses a folder named Patch Catalog.
   3. Right-click the folder in which you want to store the new catalog and select New > Patch Catalog > Windows Patch Catalog.

6. The New Patch Catalog wizard opens. On the General panel, perform the following:

   1. In the Name field, provide a name for the new catalog.
   2. In the Description field, optionally provide a description of the new catalog.
   3. In the Save in field, verify that the displayed path is the folder in which you want to save the catalog. If necessary, browse to another location.
   4. Click Next.

7. On the Windows Catalog panel, select Source From Disk Repository (Offline Mode).

8. In the Repository Options section, provide information in the following required fields:

   • Payload Source Location: Browse to the location where the metadata and payload files are stored. It must be on a server with an RSCD agent installed. The following payload files are referenced:

     • hf7b.xml
     • pd5.xml
     • OemCatalog.zip

   • Repository Location: Browse to an appropriate location to serve as the patch repository. The repository can reside on any server that has an RSCD agent installed.

     BMC Server Automation processes the payload and metadata files from the payload source location and populates the repository location with the Windows patches used by the catalog.

   Note: The payload source location and the repository location can be the same.

9. In the Repository Options section, browse to and select the metadata and payload files you added to the Depot in step 4:

   • Patch Signature File Location (hf7b): Browse to the signature file added to the Depot. The file name is hf7b.xml and it contains metadata.
   • Package Info File Location (pd5): Browse to the information file added to the Depot. The file name is pd5.xml and it contains metadata.
   • OEM Catalog File: Browse to the OEM catalog file added to the Depot. The file name is OemCatalog.zip.

10. Define the types of patches to include in the catalog by selecting the same filters you entered in the Patch Downloader configuration file:

   1. In the Filters section, click the add button. The Add Windows Filter panel appears.
   2. In the Product drop-down list, select a product, application, or OS for which you want to add patches to the catalog. For example, select Microsoft Windows Server 2012, the product used in the configuration file filter.
   3. Verify that the Language selection is correct for your site.
   4. Repeat the above steps, selecting items from the Product drop-down list until your filter list is complete. This walkthrough ends with two filter selections, matching the two include-product entries in the configuration file.
   5. Click OK.
   6. Click Next.

11. The Default Notifications panel appears.

   1. Define the type of notifications and under which circumstances (status of the catalog update job) the notifications are sent.
      Note: If you set up notifications for a particular scheduled job, the default notifications set here are overridden.
   2. Click Next.

12. The Properties panel provides a list of properties automatically assigned to a Catalog Job. For any property that has a check in the Editable column, select the property and click in the Value column to change it.

   Click Next.

13. The Schedules panel allows you to execute the job immediately, schedule it at a specific time in the future, schedule it on a recurring basis, and define notifications that are issued when the job runs.

   Select the Execute job now option in the top-left corner of the Schedules panel to execute the catalog update job immediately after the wizard exits.

   To schedule the catalog update job for a future time instead:

   1. Click the add button. The Add New Schedule dialog box appears.
   2. Because we want the Patch Catalog Job to execute once at a particular time in the future, select the Once option in the Occurrence panel. For a recurring schedule, select the appropriate option instead.
   3. Select the date and time at which the job should execute.
   4. Select the time zone to follow.
   5. Define a priority for the job execution.
   6. Click the Scheduled Job Notifications tab.
   7. Define the type of notification that the scheduled job should send and under which circumstances (status of the catalog update job). This overrides the settings defined in the Default Notifications panel.
   8. Click OK.
   9. Continue adding schedules as required.

   Click Next.

14. The Permissions list is an access control list (ACL) granting roles access to any objects created in the system, such as jobs, servers, or depot objects. ACLs control access to all objects, including the sharing of objects between roles.

   Using the Permissions panel, you can add individual permissions to an object. You can also set permissions by adding ACL templates or ACL policies. For more information, see Patch catalog - Permissions.

   In this walkthrough we are using the default permissions. Click Finish.

 



Wrapping it up

Congratulations. You have downloaded the Windows patch payload and metadata on a Linux machine, and you have set up a job that creates a patch catalog for Microsoft Windows and runs at a specific time in the future.

Where to go from here

Now that you have a serviceable patch catalog, it is time to use it to measure your Windows servers for patch compliance. See Walkthrough: Basic Microsoft Windows patch analysis.
