© 2004 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice
HP OpenView Patch Manager using Radia Version 3.0
Summary of Changes in Support of Microsoft Update
Wayne Dalesio and Ben Sweetser
HP OpenView Configuration Management
HP OpenView Patch Manager Version 3.0
Agenda
•Reasons for Patch Manager 3.0
•Key features of Microsoft Update
•New features of Patch Manager 3.0
•Patch Manager processing
•Requirements and upgrade considerations
Reasons for Patch Manager 3.0
Microsoft Update technologies
•Microsoft Update catalog will soon be the only supported patch repository
•Central repository for all current patches
•Replaces MSSECURE technologies and patch repository
•Continued updates to MSSECURE terminate on March 31, 2006
http://www.microsoft.com/technet/security/tools/mbsahome.mspx
•Required for on-going patch management support for Microsoft’s OS and applications
Key Features of Microsoft Update
Microsoft Update technologies
•Microsoft Update Catalog contains patch data for
•Critical security updates, optional functionality updates, security rollups, service packs for products such as Windows, Office, and Exchange, and more…
•MS customers may be affected by prerequisite minimum Service Pack levels (i.e. Win 2K SP3 or SP4)
•Customers must assess the impact of remaining on older operating systems
Embracing Microsoft Update
HP Patch Management enablement objectives
•Embrace, enhance, and leverage Microsoft Update technologies to help enable best practices
•Minimize impact of the upgrade process
•Minimize changes to administration experience
•Ensure extensibility of model-based architecture
•Easily support new products added to Microsoft Update
•Heterogeneous environments (Windows, Linux, UNIX)
New Features
•Automated acquisition leverages both MSSECURE and Microsoft Update Catalog patch repositories
•Automated publishing ensures client systems are synchronized with patch binary requirements
•Upgrades vulnerability assessment and patch deployment required technologies
Patch Manager processing
Acquisition – Then
•Single patch repository source
•MSSECURE
•Meta data correction
•Enable vulnerability assessment
•Correct download location of the executable
•Allow for silent management
Acquisition – now
•Multiple sources
• MSSECURE
• Microsoft Update
•Meta data correction
• Enable vulnerability assessment
• Correct download location of the executable
• Allow for silent management
•Manual data feed location changes
•Automatic critical updates to acquisition server
•No change in process!
Vulnerability assessment – then
•Patch agent scans for installed products
•Matches products with identified patches
• MSSECURE using HP technology
•Vulnerability information returned and available for
Vulnerability assessment – now
•Patch agent scans for installed products
•Matches products with identified patches
• MSSECURE using HP technology
• Microsoft Update using Windows Update Agent
•Vulnerability information returned and available for reporting
What is Windows Update Agent (WUA)?
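What a WUA-based scan looks like from the local machine, as an added example (not part of the original slides and not HP's patch agent code): it uses the Windows Update Agent COM API (Microsoft.Update.Session) from PowerShell to list applicable updates that are not installed. The search criteria and the severity ordering are choices made for this illustration.

```powershell
# Added example: query the local Windows Update Agent through its COM API.
# Run on a Windows host where the Windows Update service is enabled.
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()

# Criteria string: software updates that are applicable but not installed.
$criteria = "IsInstalled=0 and Type='Software' and IsHidden=0"

try {
    $result = $searcher.Search($criteria)
}
catch {
    # Typical causes: the agent is disabled by policy or the update source is unreachable.
    Write-Error "WUA scan failed: $($_.Exception.Message)"
    return
}

# OperationResultCode: 2 = succeeded, 3 = succeeded with errors.
if ($result.ResultCode -notin 2, 3) {
    Write-Warning "Scan ended with result code $($result.ResultCode)"
}

$missing = foreach ($update in $result.Updates) {
    [pscustomobject]@{
        Title      = $update.Title
        KB         = (@($update.KBArticleIDs) | ForEach-Object { "KB$_" }) -join ','
        Bulletin   = @($update.SecurityBulletinIDs) -join ','
        Severity   = if ($update.MsrcSeverity) { $update.MsrcSeverity } else { 'Unrated' }
        Categories = (@($update.Categories) | ForEach-Object { $_.Name }) -join '; '
        Downloaded = $update.IsDownloaded
    }
}

# Per-device view, most severe first, then a count per severity for reporting.
$rank = @{ Critical = 0; Important = 1; Moderate = 2; Low = 3; Unrated = 4 }
$missing | Sort-Object { $rank[$_.Severity] }, Title | Format-Table Title, KB, Severity -AutoSize
$missing | Group-Object Severity | Select-Object Name, Count
```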
Deployment and enforcement – then
•Patches assigned through policy
•Policy entitlement and applicability determine whether patch is deployed to the device
•Devices monitored for compliance on an on-going basis and compliance is enforced
Deployment and enforcement – now
•Patches assigned through policy
•Policy entitlement and applicability determine whether patch is deployed to the device
•Devices monitored for compliance on an on-going basis and compliance is enforced
•MSSECURE and Microsoft Update co-exist
Reporting – then
•Vulnerability and compliance information posted to SQL-compliant database
•Reports available in Reporting Server
• Federated with other Configuration Management information
•Granular detail down to the files and registry level for compliance
Reporting – now
•Vulnerability and compliance information posted to SQL-compliant database
•Reports available in Reporting Server
• Federated with other Configuration Management information
•Granular detail down to the files and registry level for compliance
•Higher level product reporting at the OS or
Requirements and upgrade considerations
Requirements and Upgrade Considerations
Radia Messaging Server 3.2
•ZTASKEND update
•Effect on inventory
• Current inventory version/process
• Custom scripts?
• Update or configure to use RIM
•Store and forward
Requirements and Upgrade Considerations
Radia Reporting Server 4.2
•Can co-exist with other versions of Reporting Server
•Custom reports?
•Updated reports, new look
Requirements and Upgrade Considerations
Client and Patch Agent Maintenance
•Client
• Nvdkit.exe using Tcl 8.4
•Patch Agent
Requirements and Upgrade Considerations
Tcl 8.4 and Metakit Conversion
•Required only if Patch and Management Portal on same Integration Server instance
Requirements and Upgrade Considerations
Management Portal 2.1
•Required only if Patch and Management Portal on same Integration Server instance
•Updates to three core portal files
• rmp.tkd
• rma.tkd
Migration process
Migration Process
Perform the following steps before migrating from Patch Manager 1.2 and later
•Back up both the Patch and Configuration Server databases
•Export the existing Patch Manager Domain from the Configuration Server database
• Stop the Configuration Server service
Migration Process
Pre-Patch Manager Version 1.2.3
Do you want to maintain device status data currently in the Patch database?
•If no, drop the table nvd_zobjstat
•If yes:
• Stop the Messaging Server service
• Stop the Integration Server service running Patch
• Run check_duplicates.sql against the database from Migration folder on Patch Manager CD
• If script returns results, run remove_duplicates.sql from Migration folder on Patch Manager CD
•Continue with steps for migration from Patch 2.0
Migration Process
Migrating from Patch Manager 2.0
Do you want to maintain device status data currently in the Patch database?
•If no, drop the table nvd_zobjstat
•If yes:
• Stop the Messaging Server service
• Stop the Integration Server service running Patch
• Run split_zobjstat.sql (SQL Server) or
Migration Process
Final Steps
•Download “Patch Manager Version 3.0 Infrastructure component pre-requisite software” (RADRPMWIN32_00008)
•Install Messaging Server 3.2
•Install Reporting Server 4.2
•Import Client self-maintenance
• Updated nvdkit
• Copy files to RCS bin directory
• Stop RCS
• On command line, run ZEDMAMS ZFILE import.txt
• Start RCS
Migration Process
Final Steps
•Run OpenView Infrastructure 8.4 Metakit conversion utility
• Stop Integration Server service
• Copy files (nvdkit.exe and mk-conv.tkd) to Integration Server directory
• On command line, run nvdkit ./mk-conv.tkd
• View mk-conv.log to verify successful completion
HP OV Patch Manager using Radia 3.0
Migration Process
Run the Patch Manager 3.0 installation and select Migration during the installation process
•Recreates PATCHMGR domain
•Automatically imports PATCHMGR_UPGRADE XPR and XPI files, if found
•Imports PATCHMGR_REX XPR and XPI files to ensure latest install.rex and update.rex files are installed
Key Benefits
•Centralizes administration using existing infrastructure and interfaces
•Windows Server Update Services server not required
•Specific, policy-based patch targeting
•Immediate availability and deployment capability
•Reconciliation for Microsoft Update hosted patches is not required
•Automated acquisition leverages both MSSECURE and Microsoft Update Catalog patch repositories
•Single, web-based console supports heterogeneous patch and federated Radia data reporting
FAQ - WUA and Group Policy
Does the Windows Update Agent need to be enabled in Group Policy?
•Yes, you will need to ensure WUA is enabled in Group Policy – this does not enable users to access the Microsoft Update site
• If concerned, Microsoft Update site can be prohibited through HTTP proxies
Office vulnerabilities
Will I be able to determine Office vulnerabilities and patch them with Patch Manager 3.0?
•By default, Office excluded on new install
•No protection if Office installed from AIP
•Microsoft Update supports
• Office XP
Patch descriptor files
Can I still create custom patch descriptor files for my MSSECURE associated patches?
•Yes, MSSECURE custom descriptor files are still supported
Depth of reporting
Will I still see the same level of reporting for Microsoft patches (file/registry level)?
•The level of reporting will vary, but won’t be as granular as reporting that was available through MSSECURE
Can I still create State files for my patches for analysis in the Configuration Analyzer?
Windows platform coverage
What Windows platforms are covered by Microsoft Update?
•Windows 2000 SP3 and above
•Windows XP
•Windows XP 64-bit edition – not currently supported
•Windows Server 2003
•Windows Server 2003 64-bit edition – not currently supported
•Also applications: Exchange Server 2000/2003, SQL Server 2000 SP4 and above, Office XP and above
What about older platforms?
•MSSECURE can be used for existing patches
Availability
When will Patch Manager 3.0 be available?
•Patch Manager 3.0 is available now from
•Software Update Manager
•Prerequisites can be found at