Creating a patch catalog for Red Hat Enterprise Linux


Related BMC Communities article

BMC customers using Automation for Patching use cases depend on OS vendors for patches and metadata. To view a document that tracks the service status of the different OS vendors as known to BMC Support, see the following BMC Communities document:

OS Patching Vendor Health Dashboard

The patch catalog is used to maintain and work with the patch repository through the TrueSight Server Automation Console. For both types of repositories, online and offline, you create a patch catalog through the TrueSight Server Automation Console. Patches are added to the catalog as depot objects according to filters defined for the catalog.

Important

From 8.8.00.002 (8.8.00 Patch 2), you can download patches from the Red Hat Content Delivery Network (CDN, through reposync). Use this procedure to create a patch catalog for RHEL 5, 6, and 7 on 8.8.00 Patch 2 or later.

This topic describes how to set up a patch catalog for RHEL.

Step 1: Review prerequisites for the catalog

  • The repository server or the system running the offline downloader requires outbound internet access to Red Hat (that is, to cdn.redhat.com), either directly or through an HTTPS or HTTP proxy. For more information, see Patch-Vendor-Site-Access.
  • You must pre-install the following packages on the server that hosts the patch repository:
    • reposync (part of the yum-utils RPM) - RHEL patching uses the CDN (reposync) interface.
    • createrepo
    • (only for RHEL 6 and 7) python-urlgrabber
    • bzip2 - Required on the repository server to create any RHEL Catalog Update Job using CDN. This applies to TrueSight Server Automation 8.9.02 and later versions for any RHEL catalog.

      Warning

      From TrueSight Server Automation 8.9.02, all the filters use the CDN (reposync) interface.

  • If you plan to use a Proxy server for the RHEL patch catalog in TrueSight Server Automation, review the Proxy Server options described in Global-Configuration-parameter-list.
  • Ensure that the repository server runs on RHEL 8 for the RHEL 8 patch catalog. Patch Analysis jobs fail for the RHEL 8 catalog when the repository server runs on earlier RHEL systems, such as RHEL 7 or 6.
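The prerequisites above can be verified from a shell on the repository server before you create the catalog. The script below is an added example and is not BMC's code. It assumes the package names listed above (python-urlgrabber only for RHEL 6 and 7), that the server's release string is in /etc/redhat-release, and that curl is installed; curl honours the https_proxy environment variable, so set it when Red Hat is reached through a proxy. Any HTTP status from cdn.redhat.com, even 403 (no entitlement certificate is presented), shows the route works; 000 means no connection.

```shell
#!/bin/sh
# Added example, not BMC's code: pre-flight checks for a RHEL patch repository
# server before a CDN (reposync) catalog is created in TrueSight Server
# Automation. Package names follow the prerequisites list on this page.

# Print the packages required on the repository server for the RHEL major
# version of the catalog. python-urlgrabber applies only to RHEL 6 and 7.
required_packages_for() {
    case "$1" in
        5|8) echo "yum-utils createrepo bzip2" ;;
        6|7) echo "yum-utils createrepo bzip2 python-urlgrabber" ;;
        *)   echo "unsupported RHEL major version: $1" >&2; return 1 ;;
    esac
}

# Print, one per line, the packages among "$@" that rpm reports as not installed.
missing_packages() {
    for pkg in "$@"; do
        rpm -q "$pkg" >/dev/null 2>&1 || echo "$pkg"
    done
}

# Print, one per line, the commands among "$@" that are not on PATH
# (reposync and createrepo are the commands a Catalog Update Job runs).
missing_commands() {
    for cmd in "$@"; do
        command -v "$cmd" >/dev/null 2>&1 || echo "$cmd"
    done
}

# Extract the major version from a release string such as
# "Red Hat Enterprise Linux release 8.4 (Ootpa)".
major_version_of() {
    printf '%s\n' "$1" | sed -n 's/.*release \([0-9][0-9]*\).*/\1/p'
}

# Return 0 when the repository server's major version ($1 = release string)
# matches the catalog's major version ($2). A RHEL 8 catalog requires a RHEL 8
# repository server; for other versions the match is Red Hat's recommendation.
server_matches_catalog() {
    [ "$(major_version_of "$1")" = "$2" ]
}

# Print the HTTP status curl receives from cdn.redhat.com ("000" = no connection).
check_cdn_access() {
    status=$(curl -sS -o /dev/null -w '%{http_code}' --max-time 15 \
        https://cdn.redhat.com/ 2>/dev/null) || true
    echo "${status:-000}"
}

# Run every check for the catalog major version given as $1.
preflight() {
    catalog_major=$1
    release=$(cat /etc/redhat-release 2>/dev/null)
    server_matches_catalog "$release" "$catalog_major" ||
        echo "WARNING: repository server is '$release', catalog is RHEL $catalog_major" >&2
    pkgs=$(required_packages_for "$catalog_major") || return 1
    missing=$(missing_packages $pkgs)      # unquoted on purpose: split the list
    [ -z "$missing" ] || { echo "missing packages:"; echo "$missing"; } >&2
    cmds=$(missing_commands reposync createrepo)
    [ -z "$cmds" ] || { echo "missing commands:"; echo "$cmds"; } >&2
    echo "cdn.redhat.com HTTP status: $(check_cdn_access)"
    [ -z "$missing$cmds" ]
}

# Usage: sh preflight.sh --run 7   (not run when the file is only sourced)
if [ "${1:-}" = "--run" ]; then
    preflight "${2:-7}"
fi
```

Run it on the repository server with the major version of the catalog you are about to create; a non-zero exit means a package or command is missing, and the printed HTTP status tells you whether the CDN route (direct or through the proxy) is open.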


Step 2: Register with Red Hat

Use one of the following methods to register with Red Hat. The preferred method is to use the Red Hat Subscription Management tool.

In Red Hat Enterprise Linux version 7, the recommended method for registering a system is to use the Red Hat Subscription Management tool, which is a command line driven tool.

To use the tool, you must log on as root. The tool uses the same user name and password as the Red Hat Customer Portal.

The following procedure describes how to both register the system and attach subscriptions at the same time.

  1. Enter the following command to register your system:
      subscription-manager register
  2. When prompted, enter your Red Hat Customer Portal user name and password.
  3. From a shell prompt, enter the following to display a list of the available subscriptions:
      subscription-manager list --available
  4. From the resulting list, locate the pool ID for the subscription you need.
  5. Using the pool ID you located previously, enter the following to attach the appropriate subscription to your system:
      subscription-manager attach --pool=pool_id
  6. Enter the following to verify the list of subscriptions attached to your system:
      subscription-manager list --consumed
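The registration steps above can be scripted so that the pool ID is picked out of the listing rather than copied by hand. The script below is an added example and is not BMC's or Red Hat's code; the listing it parses is a constructed sample whose pool IDs, SKUs and contract numbers are placeholders, and the subscription name pattern is a parameter you choose.

```shell
#!/bin/sh
# Added example, not BMC's or Red Hat's code: register the repository server with
# subscription-manager and attach the first available pool whose Subscription
# Name matches a pattern, then list what is consumed (the page's final step).

# Read "subscription-manager list --available" output on stdin and print the
# Pool ID of every subscription whose Subscription Name matches the awk regex $1.
pool_ids_for_subscription() {
    awk -v pat="$1" '
        /^Subscription Name:/ { name = $0; sub(/^Subscription Name:[ \t]*/, "", name) }
        /^Pool ID:/ && name ~ pat { id = $0; sub(/^Pool ID:[ \t]*/, "", id); print id }
    '
}

# Constructed sample of the listing (placeholder IDs), for offline testing.
sample_available_output() {
    cat <<'EOF'
+-------------------------------------------+
    Available Subscriptions
+-------------------------------------------+
Subscription Name:   Red Hat Enterprise Linux Server, Standard (Physical or Virtual Nodes)
Provides:            Red Hat Enterprise Linux Server
SKU:                 RH00004
Contract:            12345678
Pool ID:             8a85f98c7b0000000000000000000000
Available:           5
Service Type:        L1-L3
Subscription Type:   Standard

Subscription Name:   Red Hat Enterprise Linux Developer Suite
Provides:            Red Hat Enterprise Linux Server
SKU:                 RH0000000
Contract:            12345679
Pool ID:             8a85f98c7b0000000000000000000001
Available:           1
Service Type:        L3
Subscription Type:   Standard
EOF
}

# Register (prompts for the Customer Portal user name and password), attach
# the first matching pool, and verify the consumed subscriptions.
register_and_attach() {
    pattern=$1
    subscription-manager register || return 1
    pool=$(subscription-manager list --available | pool_ids_for_subscription "$pattern" | head -n 1)
    if [ -z "$pool" ]; then
        echo "no available subscription matches: $pattern" >&2
        return 1
    fi
    subscription-manager attach --pool="$pool" || return 1
    subscription-manager list --consumed
}

# Usage: sh register.sh --run 'Enterprise Linux Server, Standard'
if [ "${1:-}" = "--run" ]; then
    register_and_attach "${2:-Red Hat Enterprise Linux Server}"
fi
```

The parser keys on the `Subscription Name:` and `Pool ID:` lines only, so extra fields in the real listing do not disturb it; pass a pattern specific enough to match exactly the subscription you want, since only the first match is attached.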

For more information about using the Red Hat Subscription Management tool, see the Red Hat online technical documentation.

You are now ready to add certificates (see Obtain the required certificates).

Alternatively, use this procedure to register your system through the Red Hat Customer Portal (you need a Customer Portal account to log on).

  1. Log on to the Red Hat Customer Portal and click Subscriptions at the top of the page.
  2. In the menu bar, click the Systems link.
  3. On the Systems page, click New, if you have not already registered your system.
  4. Enter the details of your system and click CREATE.
  5. Go to Step 3: Obtain the required certificates.

Step 3: Obtain the required certificates

Depending on your registration method, use one of the following to obtain certificates. The preferred method is to obtain certificates from a subscribed server.

Use this option if you have a server registered by running the Red Hat Subscription Management tool (subscription-manager) and attached to a license. (For more information, see the Red Hat online technical documentation.)

In this procedure, you obtain the certificates by accessing a subscribed server from the Patch Global Configuration parameter list.

  1. Log on to the TrueSight Server Automation console.
  2. From the Configuration menu, select Patch Global Configuration.
    The Patch Global Configuration dialog box is displayed.
  3. Select the Red Hat tab.
  4. Select the Subscription Certs tab.
  5. Locate the section that is appropriate for your architecture.
  6. Click the browse button to the right of the SSL CA Cert File field.
  7. Expand the entry for the subscribed server, and browse to the /etc/rhsm/ca/ directory.
  8. Select the redhat-uep.pem file, and click OK.
  9. Click the browse button to the right of the SSL Client Cert File field.
  10. Expand the entry for the subscribed server, and browse to the /etc/pki/entitlement/ directory.
  11. Select the <19-digit identifier>.pem file (do not select the key file), and click OK.
  12. Click the browse button to the right of the SSL Client Key File field.
  13. Expand the entry for the subscribed server, and browse to the /etc/pki/entitlement/ directory, the same directory you used in the previous step.
  14. Select the <19-digit identifier>-key.pem file, and click OK.
  15. Click Apply to save your changes, and then click OK to close the dialog box.

You are now ready to create the catalog.


Tip

The certificate names change whenever the certificates are reissued. Before you run a Catalog Update Job, verify that the certificate names are still valid by opening the Patch Global Configuration parameter list and clicking Apply. If the names have changed, an error is displayed, which means you need to repeat the above procedure and point to the new files.
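The three files that Step 3 has you browse to, and the check the tip above asks for, can be found and verified from a shell on the subscribed server. The script below is an added example, not BMC's code. It assumes the default directories named in Step 3 (/etc/pki/entitlement for the entitlement certificate and its <id>-key.pem key, /etc/rhsm/ca for the CA file, whose full name on RHEL is redhat-uep.pem), that the properties redhat.reposync.ssl.certificate.dir and redhat.reposync.ssl.ca.certificate.dir in patch-psu.properties (described under Certificate options in Step 4) hold the directories when the certificates are kept elsewhere, and that openssl is available for the expiry check. It also refuses to pick a certificate when more than one entitlement certificate is present, the condition that the Step 4 Certificate options note says is unsupported in version 21.3.

```shell
#!/bin/sh
# Added example, not BMC's code: locate the SSL CA Cert, SSL Client Cert and
# SSL Client Key files the Patch Global Configuration needs and flag the
# conditions this page warns about (missing files, reissued or expiring
# certificates, more than one entitlement certificate).

# Print the value of property $2 (key=value form) from properties file $1;
# prints nothing when the file or the key is absent.
property_value() {
    key=$(printf '%s' "$2" | sed 's/\./\\./g')      # escape dots for the regex
    sed -n "s/^[[:space:]]*$key[[:space:]]*=[[:space:]]*//p" "$1" 2>/dev/null | head -n 1
}

# Entitlement directory: the patch-psu.properties override if defined, else
# the default the page names.
entitlement_dir_from() {
    d=$(property_value "$1" redhat.reposync.ssl.certificate.dir)
    echo "${d:-/etc/pki/entitlement}"
}

# CA directory, resolved the same way.
ca_dir_from() {
    d=$(property_value "$1" redhat.reposync.ssl.ca.certificate.dir)
    echo "${d:-/etc/rhsm/ca}"
}

# Print the three paths for entitlement directory $1 and CA directory $2.
# Returns 1 when a file is missing and 2 when more than one entitlement
# certificate exists (version 21.3 supports only a single one).
entitlement_cert_paths() {
    ent_dir=$1; ca_dir=$2
    count=0; cert=
    for f in "$ent_dir"/*.pem; do
        [ -f "$f" ] || continue
        case $f in *-key.pem) continue ;; esac    # never pick the key as the cert
        count=$((count + 1)); cert=$f
    done
    if [ "$count" -eq 0 ]; then
        echo "no entitlement certificate in $ent_dir (is the server registered and subscribed?)" >&2
        return 1
    elif [ "$count" -gt 1 ]; then
        echo "$count entitlement certificates in $ent_dir; only a single certificate is supported" >&2
        return 2
    fi
    key="${cert%.pem}-key.pem"
    ca="$ca_dir/redhat-uep.pem"
    [ -f "$key" ] || { echo "key file $key not found beside $cert" >&2; return 1; }
    [ -f "$ca" ]  || { echo "CA certificate $ca not found" >&2; return 1; }
    printf 'SSL CA Cert File: %s\nSSL Client Cert File: %s\nSSL Client Key File: %s\n' "$ca" "$cert" "$key"
}

# Return 0 when certificate $1 remains valid for at least $2 days (needs openssl).
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( ${2:-7} * 86400 )) >/dev/null 2>&1
}

# Usage: sh certcheck.sh --run [/path/to/patch-psu.properties]
# Re-run before each Catalog Update Job: a reissued certificate has a new name.
if [ "${1:-}" = "--run" ]; then
    props=${2:-/nonexistent}
    ent=$(entitlement_dir_from "$props"); ca=$(ca_dir_from "$props")
    entitlement_cert_paths "$ent" "$ca" || exit $?
    for c in "$ent"/*.pem; do
        case $c in *-key.pem) ;;
            *) cert_valid_for_days "$c" 7 || echo "WARNING: $c is expired or expires within 7 days" >&2 ;;
        esac
    done
fi
```

The printed paths are exactly the three values to enter in the Patch Global Configuration; if the script reports a different certificate name than the one configured there, Red Hat has reissued the certificate and the parameters must be updated before the next Catalog Update Job.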

After your system is registered, use this procedure to obtain certificates using the Red Hat Customer Portal:

  1. Click the Subscriptions tab on the Red Hat Customer Portal.
  2. Click Systems, and select the system for which you want to obtain certificates.
  3. Click the Download button at the bottom right of the screen to download the identity key certificate file.
  4. Rename the file to client-key.pem and copy it to a location on the repository server.
  5. Click the Subscriptions tab and then click the Download Certificates button to download a package containing the entitlement certificates of the subscriptions attached to the system.

    Note

    Ensure that the required subscriptions are attached to the system. If no subscriptions are attached to the system, click on Attach Subscriptions to select the required subscriptions.

  6. Extract the package. The entitlement certificates are located in the following path: <pathToExtractedContents>consumer_export\export\entitlement_certificates\
  7. Rename the entitlement certificate file to client-cert.pem and copy it to the same location on the repository server.
  8. Log on to the repository server and copy the CA certificate file (uep.pem) from the /etc/rhsm/ca/ directory to the same directory as the Client Key (client-key.pem) and Client Cert (client-cert.pem) files.
  9. (For online mode only) In the Patch Global Configuration parameter list, enter the locations of the certificate files in the SSL CA Cert File (uep.pem), SSL Client Cert File (client-cert.pem), and SSL Client Key File (client-key.pem) parameters. For information on accessing these parameters, see Global-Configuration-parameter-list.

You are now ready to create the catalog.


Step 4: Create the patch catalog

  1. Right-click a folder in the Depot and select New > Patch catalog > Red Hat Linux Patch Catalog.
     The New Patch Catalog dialog panel opens.
  2. Provide information for the patch catalog as described in the following table:

    Panel section

    Description

    General

    Enter a Name for the patch catalog and a Description of its contents. Then, browse to the folder in which you want to store the catalog.

    Red Hat Catalog options

    Defines a number of options including locations (such as the location of the source files and the repository), as well as filters and whether local copies of the files are created on the target server or downloaded directly during deployment.

    Catalog Mode

    Select one of two options:
    • Source from Red Hat Network (Online Mode): Use this mode if the patch repository server has Internet access.
    • Source from Disk Repository (Offline Mode): Use this mode in a secured environment where download occurs on a server, with Internet access, outside of the environment.

    Red Hat Network Credentials

    If you selected Source from Red Hat Network (Online Mode) enter the user name and password supplied by the vendor and required to access the Red Hat Network website. If you have already entered your Red Hat Network credentials in the Global-Configuration-parameter-list, those credentials will appear by default while creating a patch catalog. However, note that you can modify the credentials for a particular Patch catalog and override the default credentials.
    Note
    The Red Hat Network (RHN) mode was deprecated in TrueSight Server Automation 8.9.02. When you create a Red Hat Patch catalog now, CDN mode is used by default, and you do not have to enter credentials in CDN mode.

    Repository Options

    Enter the following information:
    • Payload Source Location (NSH path)
      (Offline Only) Location of existing metadata and payload files. Metadata files stored in this location are copied to the catalog automatically. Payload files are not copied to the catalog.
    • Repository Location (NSH Path)
      NSH path of the patch repository location. BMC recommends that this location have ample free space. Repositories typically contain many files, usually totaling gigabytes of data.
    In online mode, you can copy pre-existing Errata and RPMs manually into this directory. TrueSight Server Automation does not download duplicate files from the Red Hat Network site.
    The Payload Source Location and the Repository Location can point to the same directory. Red Hat recommends that the operating system version of the patches in the patch repository and of the repository server match. For example, if your catalog contains Red Hat Enterprise Linux 7 patches, the repository server should run Red Hat Enterprise Linux 7. When specifying a host within an NSH path, you can use either the host name or the IP address (IPv4 or IPv6).

    Certificate options

    Select from one of the following options:
    • Use Certificates From Patch Global Configuration: Select this option if you want to use certificates from the location configured in the Global Patch Configuration parameters.
      Whenever Red Hat reissues certificates, you need to obtain them from the subscribed server again and update the parameters to point to new certificates. 
    • Use Certificates From Repository Server: Select this option if you want to use certificates from the repository server. The repository server should be registered and subscribed.
      If the repository server does not have the latest certificates or certificates are not working, TrueSight Server Automation attempts to refresh the certificates on the repository server once by using the subscription-manager refresh command.
      Important
      In version 21.3, the option to use the entitlement certificate from the repository server supports only a single entitlement certificate. This option is not available if your Red Hat entitlements are spread across multiple certificates.
      • By default, the CA certificate is copied from the /etc/rhsm/ca/ directory of the repository server, and has the .pem extension. However, if you have configured the repository server to store the certificate file on a different path, update the patch-psu.properties file.
        1. Navigate to the All-OS-Patch-Downloaders-linux-build-<TSSAversion>/All-OS-Patch-Downloaders-linux-build-<TSSAversion>/resources directory on the repository server and open the patch-psu.properties file with a text editor.
        2. Locate the following property: redhat.reposync.ssl.ca.certificate.dir.
        3. Change the property value to the path on which you have configured the repository server to store the certificate file.
      • By default, the subscription certificate file is copied from the /etc/pki/entitlement/ directory of the repository server. However, if you have configured the repository server to store certificate file on a different path, update the patch-psu.properties file.
        1. Navigate to the All-OS-Patch-Downloaders-linux-build-<TSSAversion>/All-OS-Patch-Downloaders-linux-build-<TSSAversion>/resources directory on the repository server and open the patch-psu.properties file with a text editor.
        2. Locate the following property: redhat.reposync.ssl.certificate.dir.
        3. Change the property value to the path on which you have configured the repository server to store the certificate file.
      • By default, the system ID file is copied from the /etc/pki/entitlement/ directory of the repository server, and follows the xxx-key.pem as the naming convention. However, if you have configured the repository server to store certificate file on a different path, update the patch-psu.properties file.
        1. Navigate to the All-OS-Patch-Downloaders-linux-build-<TSSAversion>/All-OS-Patch-Downloaders-linux-build-<TSSAversion>/resources directory on the repository server and open the patch-psu.properties file with a text editor.
        2. Locate the following property: redhat.reposync.ssl.certificate.dir.
        3. Change the property value to the path on which you have configured the repository server to store the system ID file.

    Filters

    Filters limit the amount of information brought into the catalog. There is no upper limit to the number of filter combinations you can make, but there must be at least one. Only RPMs and Errata that match the combinations you define (and their dependent RPMs and Errata) are added to the catalog. Note that you cannot create multiple filters for the same combination of operating system and architecture. Available types of filters are:
    • Errata Type
    • Errata Advisory
    • Update Level
    You can define filters either when the catalog is created or later, when you edit the catalog. To begin, click Add Filter and select from the following:

    Online Mode (Red Hat Network is selected automatically)

    Field

    Description

    Channel

    Select the channel from the list provided. The operating system (OS) and architecture are supplied automatically in read-only boxes. If you want to download child channels, select Offline Mode, and use the Patch Downloader utility for Red Hat Enterprise Linux, as described in Downloading-child-channels-using-the-Patch-Downloader-utility.

    By Errata Type

    For Errata Type, choose:
    • Bug Fix Advisory
    • Product Enhancement Advisory
    • Security Advisory
    For Errata Severity, choose:
    • Critical
    • Important
    • Moderate
    • Low

    By Errata Advisory

    Create an Include List by entering the names of individual Errata Advisories.

    By Update Level

    Select the Update Level from the list provided.

    Offline Mode (Disk Repository is selected automatically)

    In Offline Mode, you must create the filter definitions in the configuration file that is used by the patch downloader utility.

    Field

    Description

    Enable Update Level

    Select an Update Level that you previously downloaded.

    Update Level

    Select an Update Level identifier; only one can be included for each filter.

  3. In the bottom right corner, select Job options. (You can also edit the catalog later to set these options.)
  4. Provide information for the patch catalog options as described in the following table:

    Tab

    Description

    Schedules

    The Schedules panel lets you schedule a job to execute immediately, schedule a job at a specific time in the future, schedule a job on a recurring basis, and define notifications that are issued when a job runs.

    When scheduling a job, you can perform any of the following tasks:

    • Scheduling a job that executes immediately — To schedule a job that executes immediately, select Execute job now.
    • Scheduling a job — The Schedule tab lets you schedule a job so it can run one time, recur hourly, daily, weekly, or monthly, or recur at some arbitrary interval. For more information, see Patch-catalog-Scheduling.
    • Defining job notifications — The Job Notifications tab lets you set up notifications that are generated when a scheduled job runs. For more information, see Patch-catalog-Scheduled-Job-Notifications.

    Job Run Notifications

    The Default Notifications panel provides options for defining default notifications that are generated when a job completes. If you have set up notifications for a particular scheduled job, those notifications are generated instead of default notifications.

    Default notifications can take the form of emails or SNMP traps. When a job completes, an SNMP trap is sent to a specified server, where it can be read using software that receives and interprets SNMP traps. Default notifications are sent when you run a job immediately (that is, you do not schedule the job) or a scheduled job completes but you have not set up email or SNMP notifications for that scheduled occurrence.

    Job Run Notifications

    Field

    Description

    Send email to

    Lists email addresses of the accounts to notify when a job completes with the status that you specify. Separate multiple email addresses with semicolons, such as sysadmin@bmc.com;sysmgr@bmc.com. After entering email address information, select the statuses that cause an email to be generated. The statuses can be Success, Failed, or Aborted.

    Send SNMP trap to

    Provides name or IP address of the server to notify when the job completes. After entering server information, select the statuses that should cause an SNMP trap to be generated. The statuses can be Success, Failed, or Aborted.

    TrueSight Server Automation provides a management information base (MIB) that describes its SNMP trap structure. You can use this MIB to create scripts that integrate traps into your trap collection system. The MIB is located on the Application Server host computer at installDirectory/Share/BladeLogic.mib.

    Depot Object Options

    Network URL Type for Payload Deployment

    • (default) Copy to agent at staging: The TrueSight Server Automation Application Server copies patch payloads to a staging directory on the target server during the Deploy Job staging phase.
    • Agent mounts source for direct use at deployment (no local copy): A Deploy Job instructs the agent on a target server to mount the device specified in the URL and deploy patch payloads directly to the agent. The Deploy Job does not copy patch payloads to a staging area on the agent, so the job does not create any local copies of the patches on target servers.

    Network URL for Payload Deployment

    The value entered here depends on your selection in the Network URL Type for Payload Deployment box:

    • If you chose Copy to agent at staging, do not enter a value here. The value is populated automatically based on the repository location.
    • If you chose Agent mounts source for direct use at deployment (no local copy), enter the NFS-accessible path to the location of the payload.
      If you specify the host in this path as an IPv6 address, enclose the IPv6 address in square brackets.

    RBAC Policy

    Browse to and select a predefined ACL Policy. Permissions defined by the ACL Policy are assigned to all Depot objects created in the catalog.

    Max Depot Object Work Items to Process in Parallel

    Maximum number of work items that can be performed in parallel.

    Job Properties

    The Properties panel provides a list of properties automatically assigned to the job being created. In this list, you can modify the value of any properties that are defined as editable.

    For any property that has a check in the Editable column, select the property and click in the Value column.

    • To set a property value back to its default value, click Reset to Default Value.
      The value of the property is reset to the value it inherits from a built-in property class. The Value Source column shows the property class from which the value is inherited.
    • Depending on the type of property you are editing, you can take different actions to set a new value, such as entering an alphanumeric string, choosing from an enumerated list, or selecting a date.
      To insert a parameter into the value, enter the value, bracketed with double question mark delimiters (for example, ??MYPARAMETER??), or click Select Property.

    Permissions

    Using the Permissions panel, you can add individual permissions to an object. You can also set permissions by adding ACL templates or ACL policies. The Permissions list is an access control list (ACL) granting roles access to any objects created in the system, such as depot objects. ACLs control access to all objects, including the sharing of objects between roles. For more information, see the following table:

    Task

    Description

    Adding an authorization

    An authorization grants permission to a role to perform a certain type of action on this object.

    To add an authorization to this object, click Add Entry in the Access Control List area. Then use the Add New Entry dialog box to specify the role and authorization you want to add.

    Adding an ACL template

    An ACL template is a group of predefined authorizations granted to roles. Using an ACL template, you can add a group of authorizations to the object.

    To add an ACL template to the object, click Use ACL Template in the Access Control List area. Then use the Select ACL Template dialog box to specify an ACL template that you want to add to this object.

    To set the contents of the selected ACL templates so that they replace all entries in the access control list, select Replace ACL with selected templates. If you do not select this option, the contents of the selected ACL templates are appended to existing entries in the access control list.

    Adding an ACL policy

    An ACL policy is a group of authorizations that can be applied to this object but can be managed from one location.

    To add an ACL policy to this object, click Use ACL Policy in the ACL Policies area. Then use the Select ACL Policy dialog box to specify an ACL policy that you want to add to the object.

    To set the contents of the selected ACL policies so they replace all entries in the access control list, select Replace ACL with selected policies. If you do not select this option, the contents of the selected ACL policies are appended to existing entries in the access control list.

  5. Click Finish.
    A Patch Catalog is stored in the appropriate Depot folder.

Editing the additional options

  1. In the Depot, right-click the Red Hat Patch Catalog you just created.
  2. Select Open.
  3. Set or update any information for the patch catalog options.
  4. When finished, save the catalog.

Updating the certificates (video)

The certificate names change whenever the certificates are reissued. If you are using certificates from the Patch Global Configuration parameter list, verify before you run a Catalog Update Job that the certificate names are still valid by opening the list and clicking Apply. If the names have changed, an error is displayed, which means you need to repeat the above procedure and point to the new files.

The following video walks you through the process for updating certificates.

https://youtu.be/blGZliMpHiw

Where to go from here

Downloading-patch-payloads-to-the-catalog


TrueSight Server Automation 21.3