Walkthrough: Setting up and managing an offline patch catalog for Windows
This topic is intended for system administrators or patch administrators in charge of performing patching for Windows servers in an environment that does not have access to the internet.
The video at right demonstrates the process of creating an offline patch catalog for Windows.
This topic is intended for system and patch administrators. The goal of this topic is to demonstrate how to organize patch information by setting up a central location for storing metadata about a type of patch. BMC Server Automationcalls these locations patch catalogs. By creating patch catalogs customized to your needs, it becomes easier to select the patches you want to evaluate on servers.
What is a patch catalog?
A patch catalog provides a place to store metadata about patches and the patch payloads themselves. Patch catalogs can be designed for specific needs. For example, a patch catalog can used for a particular operating system, such as Microsoft Windows 2008 or 2012. With well designed patch catalogs, it is easier to select the patches that should be used when evaluating the patch configuration of a particular server
What does this walkthrough show?
This walkthrough shows how to download Windows patches from the Ivanti website to any server having internet access, using the offline downloader utility shipped with BMC Server Automation. After downloading the Windows patches, you can perform patching operations by transferring the metadata and payload information, using a removable storage, to the patch repository within the air-gapped environment.
Download the payload and metadata information from Shavlik to any server having internet access.In this walkthrough, we are using BMC Server Automation 8.7 and will download the patch payload and metadata to a Linux server.
- Use filters to limit the amount of information added to the catalog.
- Schedule the catalog update job to run at a particular time in future and set up notifications for the patch administrator in charge of Windows patching
What do I need to do before I get started?
For this walkthrough, you must have the following:
- An air-gapped environment that uses BMC Server Automation 8.6 or later to manage its Windows servers.
Any server with access to the internet. In this walkthrough we will be using a Linux server to download the patch payload from the Ivanti site.
From the BMC Software Electronic Product Distribution (EPD) website, download and extract the installer package (BBSA<version>-<platform>64) to the machine on which you want to download the payload and metadata. For steps on downloading installer package files from the EPD website, see Downloading the installation files.
Extract the BBSA<version>-<platform>64 installer package that you have downloaded from the EPD, and navigate to either of the following directories:
If you are planning to download the patch payload and metadata on Linux: <installer-path>/Disk1/files/installers/other_files/All-OS-Patch-Downloaders-linux-build-<bsaVersion>
If you are planning to download the patch payload and metadata on Windows: <installer-path>/Disk1/files/installers/other_files/All-OS-Patch-Downloaders-windows-build-<bsaVersion>
In this walkthrough, we will use the offline downloader utilities in first directory path as we are downloading the patch payload on a Linux machine.
Step 1: How to add configuration settings and filter information to sample XML file
The first step is to prepare the configuration file, which contains XML information that is used by the Patch Downloader utility. The configuration file must contain the download settings and patch filter information as show in the image below. You can also enter proxy server information if you are using one.
The product provides sample configuration files in the installer package at <installer-path>/Disk1/files/installers/other_files/All-OS-Patch-Downloaders-linux-build-<bsaVersion>/sample-downloader-config-files/.
Edit the sample XML configuration file (sample-windows-downloader-config.xml) provided by BMC, and add the following XML tags based on your requirements:
(Optional) Add proxy information using the following XML tags:
The protocol for which to assign the proxy configuration. Valid values are:
The port used for communication with the proxy server.
The proxy server's host name or IP address.
The user name required for authentication to communicate with the proxy server.
An encrypted password for the specified user.Click here to see details on encrypting a password
If you are using a proxy server, use the following command to encrypt the password supplied to the proxy server by the Patch Downloader utility. You must specify the resulting encrypted password in the
<password></password>parameter in the configuration XML file.
If you are running the downloader on Microsoft Windows:
windows_downloader.bat -encode <passwordToEncrypt>
If you are running the downloader on UNIX:
sh windows_downloader.sh -encode <passwordToEncrypt>
The proxy server domain name to be used for authentication.
The type of proxy server. Valid values are:
Example of proxy information in configuration file
- None — indicates that no proxy server is used
<proxy-settings> <proxy> <protocol>http</protocol> <port>8080</port> <host>_IPAddress_</host> <username>patch</username> <password>NWKIPRTPCWEB</password> <domain-name></domain-name> <proxy-type>ntlm</proxy-type> </proxy> </proxy-settings>
If you are not using a proxy server and decide to delete the contents of the
proxy-settingssection, do not delete the
</proxy-settings>opening and closing tags. This section is required in the XML file even if you are not using a proxy server.
Define download settings using the following XML tags:
Location where files can be stored temporarily during the download process (for example:/tmp)
Indicates whether the download utility checks the certificate of the patch payload before download
Local location of the patch payload repository where metadata and payload are downloaded and stored. The following files are stored in this location:
Number of times the download utility attempts to download if the first attempt at downloading a payload fails.
Number of milliseconds that the utility waits for a response before considering the attempt as failed
Number of downloads that can be performed in parallel.
<temporary-location>/tmp</temporary-location> <validate-payload-certificate>true</validate-payload-certificate> <payload-repository-location>/home/Payload_location</payload-repository-location> <download-request-retries>10</download-request-retries> <download-request-timeout>180000</download-request-timeout> <downloader-parallel-threads>10</downloader-parallel-threads>
Obtain a list of supported products and languages for Windows patches using the following command. You can use the list of product names and languages when updating the configuration file with patch filter information in the next step.
Specify filters to limit the patches downloaded in the catalog.
For example, to create a filter that defines Microsoft Windows Server 2012 product category and English language, enter the product name and language of the patches within the <product-category> and <product-category-language> XML tags.XML code of filter information appended to the <configFile>
<subscription> <products> <include-product> <product-category>Microsoft Windows Server 2012</product-category> <product-category-language>English</product-category-language> </include-product> <include-product> <product-category>Microsoft Office 2016</product-category> <product-category-language>English</product-category-language> </include-product> </products> </subscription>
The same filters entered here must also be entered during catalog creation in the console.
Save the configuration file. Use the sample configuration file below as a reference:Click Expand source to see a sample configuration XML file Expand source
<windows-downloader-config> <config> <proxy-settings> <proxy> <protocol>http</protocol> <port>8080</port> <host>_IPAddress_</host> <username>patch</username> <password>NWKIPRTPCWEB</password> <domain-name></domain-name> <proxy-type>ntlm</proxy-type> </proxy> </proxy-settings> <temporary-location>/tmp</temporary-location> <validate-payload-certificate>true</validate-payload-certificate> <payload-repository-location>/home/Payload_location</payload-repository-location> <download-request-retries>10</download-request-retries> <download-request-timeout>180000</download-request-timeout> <downloader-parallel-threads>10</downloader-parallel-threads> </config> <subscription> <products> <include-product> <product-category>Microsoft Windows Server 2003</product-category> <product-category-language>English</product-category-language> </include-product> <include-product> <product-category>Microsoft Office XP</product-category> <product-category-language>English</product-category-language> </include-product> </products> </subscription> </windows-downloader-config>
Step 2: How to create a Windows patch catalog
Navigate to the Windows offline downloader utility located in the installer package at the following location:
Where <installer-path> is the path to the extracted installer package on the Linux payload machine.
Run the offline downloader utility and pass the the location of the the configuration file as a parameter.
Windows patch payload is downloaded to the payload repository location that you defined while creating the configuration file. The patch payload location should contain the following files:
If the offline downloader did not execute successfully click here...
If your repository server is a Linux 64-bit machine and you are using BMC Server Automation 8.7, you may encounter the following error, while running the offline downloader.
java: /lib/ld-linux.so.2: bad ELF interpreter: No such file or directory
To resolve this issue, you may perform either of the following:
To troubleshoot other issues with the offline downloader, see Troubleshooting Patch Management issues.
Add the following files to a location in the Depot after each execution of the offline downloader utility. For information about adding files to the depot, see Adding files to the Depot.
|5||Perform the following:|
The New Patch Catalog wizard opens. On the General panel perform the following:
On the Windows Catalog panel, select Source From Disk Repository (Offline Mode).
In the Repository Options section, provide information in the following required fields:
Note: The payload source location and the repository location can be the same.
In the Repository Options section, browse to and select the metadata and payload files added to the depot location (see this step).
Define the types of patches that you want to include in the catalog by selecting the same filters you have entered in the configuration file that contains the XML information used by the Patch Downloader utility.
The Default Notifications panel appears.
|12||The Properties panel provides a list of properties automatically assigned to a Catalog Job. For any property that has a check in the Editable column, select the property and click in the Value column.|
The Schedules panel allows you to schedule a job to execute immediately, schedule a job at a specific time in the future, schedule a job on a recurring basis, and define notifications that are issued when a job runs.
Select the Execute job now option in the top-left corner of the Schedules panel to execute the catalog update job immediately after the wizard exits.
If you want to schedule the execution of the catalog update job at a future time, click here ...
|14||The Permissions list is an access control list (ACL) granting roles access to any objects created in the system, such as jobs, servers, or depot objects. ACLs control access to all objects, including the sharing of objects between roles.|
Using the Permissions panel, you can add individual permissions to an object. You can also set permissions by adding ACL templates or ACL policies. For more information, see Patch catalog - Permissions.
In this walkthrough we are using the default permissions. Click Finish.
Wrapping it up
Congratulations. You have downloaded Windows patch payload and metadata on a Linux machine. You have also set up a job that creates a patch catalog for Microsoft Windows that will run at a specific time in the future.
Where to go from here
Now that you have a serviceable patch catalog it is time to use it to measure your Windows servers for patch compliance. See Walkthrough: Basic Microsoft Windows patch analysis.