Creating a patch catalog for Microsoft Windows

The patch catalog is used to maintain and work with the patch repository through the TrueSight Server Automation Console. For both types of repositories, online and offline, you create a patch catalog through the TrueSight Server Automation console. Patches are added to the catalog as depot objects according to filters defined for the catalog.

This topic describes how to set up a patch catalog for Microsoft Windows, and includes the following sections:

• Step 1: Review prerequisites for the catalog
• Step 2: Create the patch catalog
• Editing the options
• Where to go from here

Step 1: Review prerequisites for the catalog

• Ensure that security policies on the repository server do not block the download of the catalog from the Patch Vendor Site.
• Ensure that the system you will used for the patch repository has the 8.9.03 RSCD Agent installed on it.

• Ensure that the system you will use for the patch repository is supported by TrueSight Server Automation for storing Windows Patches.

  Click here to see the platforms supported for storing your repository

  ¹Support for this platform is deprecated. For the complete list of deprecated platforms, see Deprecated-and-discontinued-features.

• Depending on whether you are creating an online or offline patch catalog, perform the following prerequisites steps to download and use the patch metadata files:

  • Online Windows patch catalog
  • Offline patch catalog

  Invalid macro parameters used for the [tab] macro.

  Invalid macro parameters used for the [tab] macro.

Step 2: Create the patch catalog

1. Right-click a folder in the Depot and select New > Patch catalog > Windows Patch Catalog.
   The New Patch Catalog dialog panel opens.

2. Provide information for the patch catalog as described in the following table:

   Panel section	Description
   General	Enter a Name for the patch catalog and a Description of its contents. Then, browse to the folder in which you want to store the catalog.
   Microsoft Windows Catalog options	The Windows Catalog tab determines whether the catalog operates in Online or Offline Mode and defines a number of options. Defined options include locations (such as location of the source files, the repository, the signature file, and so on) as well as filters. Catalog Mode Select one of two options: Source from Vendor (Online Mode): Use this mode if the TrueSight Server Automation Application Server is installed on a server with Internet access. Source from Disk Repository (Offline Mode): Use this mode in a secured environment where download occurs on a server, with Internet access, outside of the environment. Repository Options Enter the following information: Field Description Payload Source Location (NSH Path) (Offline only) NSH path to the location of existing metadata and payload files  Metadata files stored in this location are copied to the catalog automatically. Repository Location (NSH Path) NSH path to the location of the patch repository BMC recommends that this location have ample free space. Repositories typically contain many files, usually totaling gigabytes of data. The repository can be on either a Linux or Windows host computer. Note When specifying a host within an NSH path, you can use either the host name of the IP address (IPv4 or IPv6). Filters Filters limit the amount of information brought into the catalog. You define a combination of product and language (such as Microsoft Windows Server 2012— English). There is no limit on the number of filters you can create but you must have at least one. Only those hotfixes and bulletins that match the combinations you define are added to the catalog. The product_categories.xml file contains product metadata information that is downloaded from Ivanti (previously known as Shavlik). Information contained in this file is used to populate the filter selection lists found in the patch catalog wizard. If you want to add a new product to the filter list, you must add a new product_category tag in the product_categories.xml and add a vendor node. You can also add specific information to the optional nodes (family, version, product, include_products, exclude_products). To update the product_categories.xml Navigate to the Configuration > Patch Global Configuration > Windows tab. In the Windows Filter Configuration File field, download the the product_categories.xml file by clicking the  button. Customize the products in the exported product_categories.xml file based on your requirement. For more information about how to customize using product_categories.xml, click the following link: Customizing the product_category.xml file To export patch metadata from the Shavlik to a CSV file, run the offline Patch Downloader utility for Microsoft Windows with the following command: windows_downloader.bat -configFile <DownloadConfigurationXMLFile> -exportIvantiProductCatalog <CSVFile> Using this option, a CSV file (see sample ProductCatalog.csv) containing the Ivanti product information with Product Name, Vendor Name, Patch Key, Version fields is generated.  Find your product from the CSV file that you want to add to the filter list (for creating category). Refer to the CSV file generated in step a. Customize the product_categories.xml depending on the products. The following tags are used in the product_categories.xml : product_category - This represents the name you want to display in the filter list. vendor - (Root node) This represents all software vendors which are supported by Shavlik like Microsoft, Firefox, and so on. If you want to add all the products for a specified vendor, ensure that you must mention only the vendor name. For example, to add all products for Notepad++, use the following block: <product_category name="Notepad++">    <vendor name="Notepad++"/> </product_category> family - (optional node) This represents a product line or categorization supported by vendor. Under each vendor tag, there can be one or many family tags. If you want to add all the products for a specified family of a vendor, ensure that you must mention the vendor name and the family name. For example, to add all products for Yahoo Messenger (Family) of Yahoo (Vendor), use the following block: <product_category name="SCCM">    <vendor name="Microsoft">        <family name="SCCM"/>    </vendor> </product_category> version - (optional node) This represents a major version or release of a product family. Under each family tag, there can be one or many version tags. If you want to add all the products for a specified version of a family, ensure that you must mention the vendor name, family name, and version name. For example, to add all products for SQL Server 2012, use the following block: <product_category name="SQL Server 2012">    <vendor name="Microsoft">        <family name="SQL Server">            <version name="SQL Server 2012"/>        </family>    </vendor> </product_category> product - (optional node) This represents a specific product edition or release. Under each version tag, there can be one or more produdct tags. If you want to add a specific product, ensure that you must mention the vendor name, family name, version name, and product name. For example, to add Visio 2007 MUI, use the following block: <product_category name="Microsoft Office Visio 2007 MUI">    <vendor name="Microsoft">        <family name="Office">            <version name="Visio 2007">                <include_products>                    <product name="Visio 2007 MUI"/>                </include_products>            </version>        </family>    </vendor> </product_category> include_products - (optional node) This repesents the list of products to be included in the filter list. This tag needs to be added under version tag. You can use either include_products tag or exclude_products tag. The include_products tag is useful when only a few specific products are intended to be considered under a version. The version might have more than 100 products under it, but you want to consider only a few of them in the product category. However, when you are using this tag, then any new sub-product that is released by the vendor for the specified version is not considered for catalogs. For example, to add Microsoft Office Web Apps Application Server Components 2013 x64, use the following block: <product_category name="Microsoft Office Web Apps 2013">    <vendor name="Microsoft">        <family name="Office">            <version name="Office Server 2013">                <include_products>                    <product name="Microsoft Office Web Apps Application Server Components 2013 x64"/>                </include_products>            </version>        </family>    </vendor> </product_category> exclude_products - (optional node) This repesents the list of products not to be included in the filter list. This tag needs to be added under version tag. You can use either include_products tag or exclude_products tag. The exclude_products tag is useful when only a few specific products are intended to be excluded from a version. For example, a version has 100 products under it, but you want to exclude five products from the product category. Instead of using include_products tag for 95 products, you can use exclude_products for five products. However, when you are using this tag, then any new sub-product (except the ones mentioned as part of the exclude_products tag) that is released by the vendor for the specified version is considered automatically for catalogs. For example, to add all products under Windows Server 2008 R2 except Windows Home Server 2011, use the following block: <product_category name="Microsoft Windows Server 2008">    <vendor name="Microsoft">        <family name="Windows">            <version name="Windows Server 2008" />            <version name="Windows Server 2008 R2">                <exclude_products>                    <product name="Windows Home Server 2011" />                </exclude_products>            </version>        </family>    </vendor> </product_category> Use the Windows Filter Configuration File field in the Global-Configuration-parameter-list to point to the modified file. If you no longer want to use the customized product_categories.xml file and use the default xml file, click to remove the customized file. Important BMC recommends that you keep a backup of the product_categories.xml file before upgrading. After you upgrade, go to the file server and manually move the product_categories.xml file located at <fileserver location>\patch\GlobalConstants to a folder outside the file server. After moving the file, download the latest file from Patch Global Configuration. If you are working in Offline Mode, the product/language combinations you define must match those defined in the configuration file used by the download utility. You can define filters during catalog creation or later, when editing the catalog. Click Add Filter and enter the following: Field Description Product Select a product from the list provided. Language Select the appropriate language for the product.

3. In the bottom right corner, select Job options. (You can also edit the catalog at a later time to set these options).

4. Provide information for the patch catalog options as described in the following table:

   Tab	Description
   Schedules	The Schedules panel lets you schedule a job to execute immediately, schedule a job at a specific time in the future, schedule a job on a recurring basis, and define notifications that are issued when a job runs. When scheduling a job, you can perform any of the following tasks: Scheduling a job that executes immediately — To schedule a job that executes immediately, select Execute job now. Scheduling a job — The Schedule tab lets you schedule a job so it can run one time, recur hourly, daily, weekly, or monthly, or recur at some arbitrary interval. For more information, see Patch-catalog-Scheduling. Defining job notifications — The Job Notifications tab lets you set up notifications that are generated when a scheduled job runs. For more information, see Patch-catalog-Scheduled-Job-Notifications.
   Job Run Notifications	The Default Notifications panel provides options for defining default notifications that are generated when a job completes. If you have set up notifications for a particular scheduled job, those notifications are generated instead of default notifications. Default notifications can take the form of emails or SNMP traps. When a job completes, an SNMP trap is sent to a specified server, where it can be read using software that receives and interprets SNMP traps. Default notifications are sent when you run a job immediately (that is, you do not schedule the job) or a scheduled job completes but you have not set up email or SNMP notifications for that scheduled occurrence. Job Run Notifications Field Description Send email to Lists email addresses of the accounts to notify when a job completes with the status that you specify. Separate multiple email addresses with semicolons, such as sysadmin@bmc.com;sysmgr@bmc.com. After entering email address information, select the statuses that cause an email to be generated. The statuses can be Success, Failed, or Aborted. Send SNMP trap to Provides name or IP address of the server to notify when the job completes. After entering server information, select the statuses that should cause an SNMP trap to be generated. The statuses can be Success, Failed, or Aborted. TrueSight Server Automation provides a management information base (MIB) that describes its SNMP trap structure. You can use this MIB to create scripts that integrate traps into your trap collection system. The MIB is located on the Application Server host computer at installDirectory/Share/BladeLogic.mib.
   Depot Object Options	Network URL Type for Payload Deployment (default) Copy to agent at staging: The TrueSight Server Automation Application Server copies patch payloads to a staging directory on the target server during the Deploy Job staging phase. Agent mounts source for direct use at deployment (no local copy): A Deploy Job instructs the agent on a target server to mount the device specified in the URl and deploy patch payloads directly to the agent. The Deploy Job does not copy patch payloads to a staging area on the agent, so the job does not create any local copies of the patches on target servers. Important This option of using a remotely mounted share for patch execution is deprecated. We recommend using the default Copy to agent at staging option. Network URL for Payload Deployment For the Copy to agent at staging option, do not specify a value. The value is populated automatically based on the repository location. RBAC Policy Browse to and select a predefined ACL Policy. Permissions defined by the ACL Policy are assigned to all Depot objects created in the catalog. Max Deport Object Work Items to Process in Parallel Maximum number of work items that can be performed in parallel.
   Job Properties	The Properties panel provides a list of properties automatically assigned to the job being created. In this list, you can modify the value of any properties that are defined as editable. For any property that has a check in the Editable column, select the property and click in the Value column. To set a property value back to its default value, click Reset to Default Value . The value of the property is reset to the value it inherits from a built-in property class. The Value Source column shows the property class from which the value is inherited. Depending on the type of property you are editing, you can take different actions to set a new value, such as entering an alphanumeric string, choosing from an enumerated list, or selecting a date. To insert a parameter into the value, enter the value, bracketed with double question mark delimiters (for example, ??MYPARAMETER??) or click Select Property .
   Permissions	Using the Permissions panel, you can add individual permissions to an object. You can also set permissions by adding ACL templates or ACL policies. The Permissions list is an access control list (ACL) granting roles access to any objects created in the system, such as depot objects. ACLs control access to all objects, including the sharing of objects between roles. For more information, see the following table: Task Description Adding an authorization An authorization grants permission to a role to perform a certain type of action on this object. To add authorization to this object, click Add Entry  in the Access Control List area. Then use the Add New Entry dialog box to specify the role and authorization you want to add. Adding an ACL template An ACL template is a group of predefined authorizations granted to roles. Using an ACL template, you can add a group of authorizations to the object. To add an ACL template to the object, click Use ACL Template  in the Access Control List area. Then use the Select ACL Template dialog box to specify an ACL template that you want to add to this object. To set the contents of the selected ACL templates so that they replace all entries in the access control list, select Replace ACL with selected templates. If you do not select this option, the contents of the selected ACL templates are appended to existing entries in the access control list. Adding an ACL policy An ACL policy is a group of authorizations that can be applied to this object but can be managed from one location. To add an ACL policy to this object, click Use ACL Policy  in the ACL Policies area. Then use the Select ACL Policy dialog box to specify an ACL policy that you want to add to the object. To set the contents of the selected ACL policies so they replace all entries in the access control list, select Replace ACL with selected policies. If you do not select this option, the contents of the selected ACL policies are appended to existing entries in the access control list.

5. Click Finish. 
   A Patch Catalog is stored in the appropriate Depot folder.

Editing the options

1. In the Depot, right-click the Microsoft Windows Patch Catalog you just created.
2. Select Open.
3. Set or update any information for the patch catalog options.
4. When finished, save the catalog.

Where to go from here

Downloading-patch-payloads-to-the-catalog