Walkthrough: Setting up and managing an offline patch catalog for Windows


This topic is intended for system administrators or patch administrators in charge of performing patching for Windows servers in an environment that does not have access to the internet.

Introduction

This topic is intended for system and patch administrators. The goal of this topic is to demonstrate how to organize patch information by setting up a central location for storing metadata about a type of patch. TrueSight Server Automation calls these locations patch catalogs. By creating patch catalogs customized to your needs, it becomes easier to select the patches you want to evaluate on servers.

What is a patch catalog?

A patch catalog provides a place to store metadata about patches and the patch payloads themselves. Patch catalogs can be designed for specific needs. For example, a patch catalog can be used for a particular operating system, such as Microsoft Windows 2008 or 2012. With well-designed patch catalogs, it is easier to select the patches that should be used when evaluating the patch configuration of a particular server.

What does this walkthrough show?

This walkthrough shows how to download Windows patches from the Ivanti website to any server having internet access, using the offline downloader utility shipped with TrueSight Server Automation. After downloading the Windows patches, you can perform patching operations by transferring the metadata and payload information, using removable storage, to the patch repository within the air-gapped environment.

  • Download the payload and metadata information from Shavlik to any server having internet access.
  • In this walkthrough, we are using TrueSight Server Automation 8.9.03 and will download the patch payload and metadata to a Windows server.
  • Use filters to limit the amount of information added to the catalog.
  • Schedule the catalog update job to run at a particular time in the future and set up notifications for the patch administrator in charge of Windows patching.

What do I need to do before I get started?

For this walkthrough, you must have the following:

  • An air-gapped environment that uses TrueSight Server Automation 8.6 or later to manage its Windows servers.
  • Any server with access to the internet. In this walkthrough we will be using a Linux server to download the patch payload from the Ivanti site.
  • From the BMC Software Electronic Product Distribution (EPD) website, download and extract the installer package (BSA<version>-<platform>64) to the machine on which you want to download the payload and metadata. For steps on downloading installer package files from the EPD website, see Downloading-the-installation-files.

    Extract the BSA<version>-<platform>64 installer package that you have downloaded from the EPD, and navigate to either of the following directories:

    • If you are planning to download the patch payload and metadata on Linux: <installer-path>/Disk1/files/installers/other_files/All-OS-Patch-Downloaders-linux-build-<bsaVersion>
    • If you are planning to download the patch payload and metadata on Windows: <installer-path>/Disk1/files/installers/other_files/All-OS-Patch-Downloaders-windows-build-<bsaVersion>

Step 1: How to add configuration settings and filter information to sample XML file

The first step is to prepare the configuration file, which contains XML information that is used by the Patch Downloader utility. The configuration file must contain the download settings and patch filter information, as shown in the sample configuration file at the end of this step. You can also enter proxy server information if you are using one.

The product provides sample configuration files in the installer package at <installer-path>/Disk1/files/installers/other_files/All-OS-Patch-Downloaders-linux-build-<bsaVersion>/sample-downloader-config-files/.

Edit the sample XML configuration file (sample-windows-downloader-config.xml) provided by BMC, and add the following XML tags based on your requirements:

  1. (Optional) Add proxy information using the following XML tags:

    Example of proxy information in configuration file
     <proxy-settings>
         <proxy>
           <protocol>http</protocol>
           <port>8080</port>
           <host>_IPAddress_</host>
           <username>patch</username>
           <password>NWKIPRTPCWEB</password>
           <domain-name></domain-name>
           <proxy-type>ntlm</proxy-type>
         </proxy>
     </proxy-settings>

    Note

    If you are not using a proxy server and decide to delete the contents of the proxy-settings section, do not delete the <proxy-settings></proxy-settings> opening and closing tags. This section is required in the XML file even if you are not using a proxy server.

  2. Define download settings using the following XML tags:

    Example of download settings in configuration file
     <temporary-location>/tmp</temporary-location>
     <validate-payload-certificate>true</validate-payload-certificate>
     <payload-repository-location>/home/Payload_location</payload-repository-location>
     <download-request-retries>10</download-request-retries>
     <download-request-timeout>180000</download-request-timeout>
     <downloader-parallel-threads>10</downloader-parallel-threads>

  3. Obtain a list of supported products and languages for Windows patches using the following command. You can use the list of product names and languages when updating the configuration file with patch filter information in the next step.

    sh windows_downloader.sh -listProducts

  4. Specify filters to limit the patches downloaded in the catalog.

    For example, to create a filter that defines Microsoft Windows Server 2012 product category and English language, enter the product name and language of the patches within the <product-category> and <product-category-language> XML tags.

    XML code of filter information appended to the <configFile>
    <subscription>
       <products>
         <include-product>
           <product-category>Microsoft Windows Server 2012</product-category>
           <product-category-language>English</product-category-language>
         </include-product>
         <include-product>
           <product-category>Microsoft Office 2016</product-category>
           <product-category-language>English</product-category-language>
         </include-product>
       </products>
    </subscription>

    Note

    The same filters entered here must also be entered during catalog creation in the console.

  5. Save the configuration file. Use the sample configuration file below as a reference:

    Sample configuration XML file
    <windows-downloader-config>
      <config>
        <proxy-settings>
          <proxy>
            <protocol>http</protocol>
            <port>8080</port>
            <host>_IPAddress_</host>
            <username>patch</username>
            <password>NWKIPRTPCWEB</password>
            <domain-name></domain-name>
            <proxy-type>ntlm</proxy-type>
          </proxy>
        </proxy-settings>
        <temporary-location>/tmp</temporary-location>
        <validate-payload-certificate>true</validate-payload-certificate>
        <payload-repository-location>/home/Payload_location</payload-repository-location>
        <download-request-retries>10</download-request-retries>
        <download-request-timeout>180000</download-request-timeout>
        <downloader-parallel-threads>10</downloader-parallel-threads>
      </config>

      <subscription>
        <products>
          <include-product>
            <product-category>Microsoft Windows Server 2003</product-category>
            <product-category-language>English</product-category-language>
          </include-product>
          <include-product>
            <product-category>Microsoft Office XP</product-category>
            <product-category-language>English</product-category-language>
          </include-product>
        </products>
      </subscription>
    </windows-downloader-config>
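As an added check, not part of the product or of this page, the following Python script parses a downloader configuration file such as the sample above and reports the problems this step warns about: a missing <proxy-settings> section, missing download settings, payload certificate validation switched off, and the <include-product> filters that must be re-entered in the console. The element names are the page's; the embedded sample is constructed from the page's example, and the set of checks is my assumption about what is worth verifying before the file is used.

```python
import xml.etree.ElementTree as ET

# Constructed from the sample configuration on this page (Windows Server 2012 filter only).
SAMPLE_CONFIG = """<windows-downloader-config><config>
<proxy-settings><proxy><protocol>http</protocol><port>8080</port><host>_IPAddress_</host>
<username>patch</username><password>NWKIPRTPCWEB</password><domain-name></domain-name>
<proxy-type>ntlm</proxy-type></proxy></proxy-settings>
<temporary-location>/tmp</temporary-location>
<validate-payload-certificate>true</validate-payload-certificate>
<payload-repository-location>/home/Payload_location</payload-repository-location>
<download-request-retries>10</download-request-retries>
<download-request-timeout>180000</download-request-timeout>
<downloader-parallel-threads>10</downloader-parallel-threads></config>
<subscription><products>
<include-product><product-category>Microsoft Windows Server 2012</product-category>
<product-category-language>English</product-category-language></include-product>
</products></subscription></windows-downloader-config>"""

# Download settings the page shows; assumed required for this check.
REQUIRED_SETTINGS = ("temporary-location", "validate-payload-certificate",
                     "payload-repository-location", "download-request-retries",
                     "download-request-timeout", "downloader-parallel-threads")


def check_config(xml_text):
    """Return (issues, filters): problems found in the file and the
    (product-category, language) pairs that must match the console catalog."""
    root = ET.fromstring(xml_text)
    issues = []
    config = root.find("config")
    if config is None:
        return ["missing <config> section"], []
    # The page's note: <proxy-settings> must stay even when no proxy is used.
    if config.find("proxy-settings") is None:
        issues.append("missing <proxy-settings> section (required even without a proxy)")
    for tag in REQUIRED_SETTINGS:
        if config.findtext(tag) is None:  # "" means present but empty, None means absent
            issues.append(f"missing <{tag}>")
    # Keep certificate validation on: it is the integrity check applied to payloads
    # before they are carried into the air-gapped environment.
    if (config.findtext("validate-payload-certificate") or "").strip().lower() != "true":
        issues.append("validate-payload-certificate is not 'true'")
    filters = [(p.findtext("product-category", "").strip(),
                p.findtext("product-category-language", "").strip())
               for p in root.iter("include-product")]
    if not filters:
        issues.append("no <include-product> filters in <subscription>")
    return issues, filters
```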

Step 2: How to create a Windows patch catalog
Wrapping it up

Congratulations. You have downloaded Windows patch payload and metadata on a Linux machine. You have also set up a job that creates a patch catalog for Microsoft Windows that will run at a specific time in the future.

Where to go from here

Now that you have a serviceable patch catalog, it is time to use it to measure your Windows servers for patch compliance. See Walkthrough-Basic-Microsoft-Windows-patch-analysis.
