Creating a patch catalog for Microsoft Windows

Related BMC Communities article

BMC customers who use Automation for patching use cases depend on OS vendors for patches and metadata. To view a document that tracks the service status of the different OS vendors as known to BMC Support, see the following BMC Communities document:

OS Patching Vendor Health Dashboard

The patch catalog is used to maintain and work with the patch repository through the BMC Server Automation Console. For both types of repositories, online and offline, you create a patch catalog through the BMC Server Automation console. Patches are added to the catalog as depot objects according to filters defined for the catalog.

This topic describes how to set up a patch catalog for Microsoft Windows, and includes the following sections:

Step 1: Review prerequisites for the catalog

  • Ensure that security policies on the repository server do not block the download of the catalog.
  • Ensure that the system you will use for the patch repository is supported by BMC Server Automation.


  • Depending on whether you are creating an online or offline patch catalog, perform the following prerequisite steps to download and use the patch metadata files:

    1. From the Configuration menu, select Patch Global Configuration. The Patch Global Configuration dialog box opens.
    2. Click the Shavlik URL Configuration tab and enter information about the PD5.xml and HF7b.xml configuration files. For details about the values to enter under the Shavlik URL Configuration tab, see Parameters on the Shavlik URL Configuration tab.

    For offline Windows patch catalog

    If the machine running the Console has internet access, perform the following steps to download the patch metadata files:

    1. From the Configuration menu, select Patch Global Configuration. The Patch Global Configuration dialog box opens.
    2. Click the Shavlik URL Configuration tab and enter information about the PD5.cab (or PD5.xml) and HF7b.cab (or HF7b.xml) configuration files. For details about the values to enter under the Shavlik URL Configuration tab, see Parameters on the Shavlik URL Configuration tab.

    3. Click the edit icon and then the download button to download the files from the Shavlik website. The metadata files are stored on the file server in the templates directory.

    Alternatively, if your console machine does not have access to the internet, you can use the metadata files generated after executing the offline patch downloader utility. For more information about running the patch downloader utility, see Patch Downloader utility for Microsoft Windows.

Step 2: Create the patch catalog


  1. Right-click a folder in the Depot and select New > Patch catalog > Windows Patch Catalog. The Patch Catalog wizard opens.

    Note

    After they are created, all panes in the wizard remain available for edit and review except General and Permissions.

  2. Provide information for the patch catalog panels as described in the following table:

    Panel

    Description

    Patch catalog - General

    Enter a Name for the patch catalog and a Description of its contents. Then, browse to the folder in which you want to store the catalog.

    Microsoft Windows Catalog options

    The Windows Catalog tab determines whether the catalog operates in Online or Offline Mode and defines a number of options.

    Defined options include locations (such as location of the source files, the repository, the signature file, and so on) as well as filters and whether local copies of the files are created on the target server or downloaded directly during deployment.

    Catalog Mode

    Select one of two options:

    • Source from Vendor (Online Mode): Use this mode if the BMC Server Automation Application Server is installed on a server with Internet access.
    • Source from Disk Repository (Offline Mode): Use this mode in a secured environment where download occurs on a server, with Internet access, outside of the environment.

    Repository Options

    Enter the following information:

    Field

    Description

    Payload Source Location (NSH Path)

    (Offline only) Location of existing metadata and payload files
    Metadata files stored in this location are copied to the catalog automatically. Payload files are not copied to the catalog.
    Note: Payload files are not required to create the patch catalog.

    Repository Location (NSH Path)

    NSH path to the location of the patch repository
    BMC recommends that this location have ample free space. Repositories typically contain many files, usually totaling gigabytes of data. The repository can be on either a Linux or Windows host computer.

    Patch Signature File


    (Offline only) Depot location of the signature file, hf7b.xml, originally downloaded from Shavlik Technologies

    Note: For the offline mode, you must add the signature file to the depot workspace.

    For offline mode, the Patch Signature File needs to be added to the Depot after each execution of the offline downloader utility and the Patch Catalog definition needs to be modified to point to the newly added Depot Objects.

    Package Info File


    (Offline only) Depot location of the Information file, pd5.xml, originally downloaded from Shavlik Technologies

    Note: For the offline mode, you must add the information file to the depot workspace.

    For offline mode, the Package Info File needs to be added to the Depot after each execution of the offline downloader utility and the Patch Catalog definition needs to be modified to point to the newly added Depot Objects.

    OEM Catalog File


    (Offline only) Depot location of the Catalog file, oemcatalog.zip, originally downloaded from Shavlik Technologies

    Note: For the offline mode, you must add the OEM Catalog file to the depot workspace.

    For offline mode, the Catalog File needs to be added to the Depot after each execution of the offline downloader utility and the Patch Catalog definition needs to be modified to point to the newly added Depot Objects.

    Note

    When specifying a host within an NSH path, you can use either the host name or the IP address (IPv4 or IPv6).

    Depot Object Options

    Enter the following information:

    Field

    Description

    Network URL type for payload deployment

    • (default) Copy to agent at staging: The BMC Server Automation Application Server copies patch payloads to a staging directory on the target server during the Deploy Job staging phase.
    • Agent mounts source for direct use at deployment (no local copy): A Deploy Job instructs the agent on a target server to:
      • mount the device specified in the URL
      • deploy patch payloads directly to the agent
        If you select this option, the Deploy Job does not copy patch payloads to a staging area on the agent, so the job does not create any local copies of the patches on target servers.
     

    Note: For Windows 2012 targets only

    Before you enable the Agent mounts source for direct use at deployment (no local copy) option, you need to add the mounted device in the security zone of the target. This can be done by making the following changes to the registry of the target.

    1. Under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscRanges\, create a key with the name Range1. If key Range1 already exists, create a key with the next available number (for example Range2, Range3, Range4 and so on).
    2. Create the following values under the Range1 key:

      Value Name    Value Data
      :Range        <mountedDeviceIPAddress>
      file          1 hexadecimal

    Network URL for payload deployment

    The value entered here depends on your selection in the Network URL type for payload deployment box.

    • If you chose Copy to agent at staging, do not enter a value here. The value is populated based on the repository location.
    • If you chose Agent mounts source for direct use at deployment (no local copy), enter the SMB URL. For more information on the URL syntax, see URL syntax for network data transmission.

    RBAC Policy

    Browse to and select a predefined ACL Policy. Permissions defined by the ACL Policy are assigned to all Depot Objects created in the catalog.

    Download from Vendor

    (Online Only) To download the payload (executables) at the same time as the metadata, select the Download from Vendor check box.
    Tip: You can also download the payload by right-clicking the catalog and selecting Download.

    Filters

    Filters limit the amount of information brought into the catalog. You define a combination of product and language (such as Microsoft Windows Server 2012— English). There is no limit on the number of filters you can create but you must have at least one. Only those hotfixes and bulletins that match the combinations you define are added to the catalog.

    Refer to Ivanti (Shavlik) documentation for a list of the latest products supported for patching. The product_categories.xml file contains patch metadata information that is downloaded from Ivanti (previously known as Shavlik). Information contained in this file is used to populate the filter selection lists found in the patch catalog wizard.

    You can also use the Windows File Configuration field to refresh the metadata information in product_categories.xml (see Global Configuration parameter list).

    If you are working in Offline Mode, the product/language combinations you define must match those defined in the configuration file used by the download utility.

    You can define filters during catalog creation or later, when editing the catalog. Click Add Filter and enter the following:

    Field

    Description

    Product

    Select a product from the list provided.

    Language

    Select the appropriate language for the product.

    Patch catalog - Default Notifications

    The Default Notifications panel provides options for defining default notifications that are generated when a job completes. If you have set up notifications for a particular scheduled job, those notifications are generated instead of default notifications.

    Default notifications can take the form of emails or SNMP traps. When a job completes, an SNMP trap is sent to a specified server, where it can be read using software that receives and interprets SNMP traps. Default notifications are sent when you run a job immediately (that is, you do not schedule the job) or a scheduled job completes but you have not set up email or SNMP notifications for that scheduled occurrence.

    Job Run Notifications

    Field

    Description

    Send email to

    Lists email addresses of the accounts to notify when a job completes with the status that you specify. Separate multiple email addresses with semicolons, such as sysadmin@bmc.com;sysmgr@bmc.com. After entering email address information, check the statuses that cause an email to be generated. The statuses can be Success, Failed, or Aborted.

    Send SNMP trap to

    Provides name or IP address of the server to notify when the job completes. After entering server information, select the statuses that should cause an SNMP trap to be generated. The statuses can be Success, Failed, or Aborted.

    BMC Server Automation provides a management information base (MIB) that describes its SNMP trap structure. You can use this MIB to create scripts that integrate traps into your trap collection system. The MIB is located on the Application Server host computer at installDirectory/Share/BladeLogic.mib.

    List failed servers in email notification

    Indicates that email notifications should list all servers on which a job has failed.

    Patch catalog - Schedules
    The Schedules panel lets you schedule a job to execute immediately, schedule a job at a specific time in the future, schedule a job on a recurring basis, and define notifications that are issued when a job runs.

    When scheduling a job, you can perform any of the following tasks:

    • Scheduling a job that executes immediately — To schedule a job that executes immediately, select Execute job now.
    • Scheduling a job — The Schedule tab lets you schedule a job so it can run one time, recur hourly, daily, weekly, or monthly, or recur at some arbitrary interval. For more information, see Patch catalog - Scheduling.
    • Defining job notifications — The Job Notifications tab lets you set up notifications that are generated when a scheduled job runs. For more information, see Patch catalog - Scheduled Job Notifications.
    Patch catalog - Properties

    The Properties panel provides a list of properties automatically assigned to a Snapshot Job. In this list, you can modify the value of any properties that are defined as editable.

    For any property that has a check in the Editable column, select the property and click in the Value column.

    • To set a property value back to its default value, click Reset to Default Value.
      The value of the property is reset to the value it inherits from a built-in property class. The Value Source column shows the property class from which the value is inherited.
    • Depending on the type of property you are editing, you can take different actions to set a new value, such as entering an alphanumeric string, choosing from an enumerated list, or selecting a date.
      To insert a parameter into the value, enter the value, bracketed with double question mark delimiters (for example, ??MYPARAMETER??) or click Select Property.

    Patch catalog - Permissions

    The Permissions list is an access control list (ACL) granting roles access to any objects created in the system, such as jobs, servers, or depot objects. ACLs control access to all objects, including the sharing of objects between roles.

    Using the Permissions panel, you can add individual permissions to an object. You can also set permissions by adding ACL templates or ACL policies. For more information, see the following table:

    Task

    Description

    Adding an authorization

    An authorization grants permission to a role to perform a certain type of action on this object.

    To add an authorization to this object, click Add Entry in the Access Control List area. Then use the Add New Entry dialog box to specify the role and authorization you want to add.

    Adding an ACL template

    An ACL template is a group of predefined authorizations granted to roles. Using an ACL template, you can add a group of authorizations to the object.

    To add an ACL template to the object, click Use ACL Template in the Access Control List area. Then use the Select ACL Template dialog box to specify an ACL template that you want to add to this object.

    To set the contents of the selected ACL templates so they replace all entries in the access control list, check Replace ACL with selected templates. If you do not check this option, the contents of the selected ACL templates are appended to existing entries in the access control list.

    Adding an ACL policy

    An ACL policy is a group of authorizations that can be applied to this object but can be managed from one location.

    To add an ACL policy to this object, click Use ACL Policy in the ACL Policies area. Then use the Select ACL Policy dialog box to specify an ACL policy that you want to add to the object.

    To set the contents of the selected ACL policies so they replace all entries in the access control list, check Replace ACL with selected policies. If you do not check this option, the contents of the selected ACL policies are appended to existing entries in the access control list.

  3. Click Finish.

    A Patch Catalog is stored in the appropriate Depot folder.
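
The registry change from the note for Windows 2012 targets (under Depot Object Options), scripted in PowerShell. This is an added example, not part of the BMC documentation; the MountedDeviceIPAddress parameter name, its placeholder default, and the value types (string for :Range, DWORD for file) are assumptions.

```powershell
# Added example: registers the mounted device's IP address under the current
# user's ZoneMap\EscRanges key, following the two registry steps in the note.
param(
    # Assumption: placeholder address (TEST-NET-1); replace with the real mounted device IP.
    [string]$MountedDeviceIPAddress = '192.0.2.10'
)

$escRanges = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscRanges'

# Validate the input before writing it to the registry.
$parsed = $null
if (-not [System.Net.IPAddress]::TryParse($MountedDeviceIPAddress, [ref]$parsed)) {
    throw "Not a valid IP address: $MountedDeviceIPAddress"
}

if (-not (Test-Path -Path $escRanges)) {
    New-Item -Path $escRanges -Force | Out-Null
}

# Collect existing RangeN keys; stop if the address is already registered.
$usedNumbers = @()
foreach ($key in Get-ChildItem -Path $escRanges) {
    if ($key.PSChildName -match '^Range(\d+)$') {
        $usedNumbers += [int]$Matches[1]
        if ($key.GetValue(':Range') -eq $MountedDeviceIPAddress) {
            Write-Output "Already present in $($key.PSChildName); nothing to do."
            return
        }
    }
}

# Step 1: Range1, or the next available number if Range1 already exists.
$next = 1
while ($usedNumbers -contains $next) { $next++ }
$rangeKey = Join-Path -Path $escRanges -ChildPath "Range$next"
New-Item -Path $rangeKey | Out-Null

# Step 2: ":Range" holds the address; "file" holds the value 1.
# Assumption: ":Range" is a string value and "file" a DWORD; the page gives only the data.
New-ItemProperty -Path $rangeKey -Name ':Range' -PropertyType String -Value $MountedDeviceIPAddress | Out-Null
New-ItemProperty -Path $rangeKey -Name 'file' -PropertyType DWord -Value 1 | Out-Null

# Read back what was written so the change can be reviewed or logged.
Get-ItemProperty -Path $rangeKey | Select-Object PSChildName, ':Range', 'file'
```

Because the key is under HKEY_CURRENT_USER, the change applies only to the account that runs the script.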


Editing the options

  1. In the Depot, right-click the Microsoft Windows Patch Catalog you just created.
  2. Select Open.
  3. Set or update any information for the patch catalog options.

  4. When finished, save the catalog.

Where to go from here

Downloading patch payloads to the catalog
