HP OpenView Patch Manager using Radia Version 3.0
Summary of Changes in Support of Microsoft Update

Wayne Dalesio and Ben Sweetser
HP OpenView Configuration Management

© 2004 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice

HP OpenView Patch Manager Version 3.0

Agenda
- Reasons for Patch Manager 3.0
- Key features of Microsoft Update
- New features of Patch Manager 3.0
- Patch Manager processing
- Requirements and upgrade considerations
- Migration process
- Key benefits
- Frequently asked questions
- Q&A

Reasons for Patch Manager 3.0
- Microsoft Update technologies
  - Microsoft Update catalog will soon be the only supported patch repository
  - Central repository for all current patches
  - Replaces MSSECURE technologies and patch repository
  - Continued updates to MSSECURE terminate on March 31, 2006
    http://www.microsoft.com/technet/security/tools/mbsahome.mspx
  - Required for on-going patch management support for Microsoft's OS and applications

Key Features of Microsoft Update
- Microsoft Update technologies
  - Microsoft Update Catalog contains patch data for critical security updates, optional functionality updates, security rollups, service packs for products such as Windows, Office, and Exchange, and more
  - MS customers may be affected by prerequisite minimum Service Pack levels (i.e. Win 2K SP3 or SP4)
  - Customers must assess the impact of remaining on older operating systems
- Provide benefits to management of MS patches
  - New technologies have been introduced by Microsoft
  - Consistent vulnerability analysis data to subscribers

Embracing Microsoft Update
- HP Patch Management enablement objectives
  - Embrace, enhance, and leverage Microsoft Update technologies to help enable best practices
  - Minimize impact of the upgrade process
  - Minimize changes to administration experience
  - Ensure extensibility of model-based architecture
    - Easily support new products added to Microsoft Update
    - Heterogeneous environments (Windows, Linux, UNIX)

New Features
- Automated acquisition leverages both MSSECURE and Microsoft Update Catalog patch repositories
- Automated publishing ensures client systems are synchronized with patch binary requirements
- Upgrades vulnerability assessment and patch deployment required technologies
- New built-in automated upgrade process for the Patch Acquisition Server for applying critical updates to the Patch Acquisition Server
- Supports single and double-byte environments
- Performance improvements

Patch Manager processing

Acquisition then
- Single patch repository source
  - MSSECURE
- Meta data correction
  - Enable vulnerability assessment
  - Correct download location of the executable
  - Allow for silent management
- Manual data feed location changes

Acquisition now
- Multiple sources
  - MSSECURE
  - Microsoft Update
- Meta data correction
  - Enable vulnerability assessment
  - Correct download location of the executable
  - Allow for silent management
- Manual data feed location changes
- Automatic critical updates to acquisition server
- No change in process!

Vulnerability assessment then
- Patch agent scans for installed products
- Matches products with identified patches
  - MSSECURE using HP technology
- Vulnerability information returned and available for reporting

Vulnerability assessment now
- Patch agent scans for installed products
- Matches products with identified patches
  - MSSECURE using HP technology
  - Microsoft Update using Windows Update Agent
- Vulnerability information returned and available for reporting

What is Windows Update Agent (WUA)?
- WUA is the scanning agent that uses Microsoft Update technologies to scan devices for vulnerabilities and apply updates. Patch Manager 3.0 leverages this technology.

Deployment and enforcement then
- Patches assigned through policy
- Policy entitlement and applicability determine whether patch is deployed to the device
- Devices monitored for compliance on an on-going basis and compliance is enforced

Deployment and enforcement now
- Patches assigned through policy
- Policy entitlement and applicability determine whether patch is deployed to the device
- Devices monitored for compliance on an on-going basis and compliance is enforced
- MSSECURE and Microsoft Update co-exist
  - MSSECURE takes precedence

Reporting then
- Vulnerability and compliance information posted to SQL-compliant database
- Reports available in Reporting Server
- Federated with other Configuration Management information
- Granular detail down to the files and registry level for compliance

Reporting now
- Vulnerability and compliance information posted to SQL-compliant database
- Reports available in Reporting Server
- Federated with other Configuration Management information
- Granular detail down to the files and registry level for compliance
- Higher level product reporting at the OS or application level

Requirements and upgrade considerations

Requirements and Upgrade Considerations: Radia Messaging Server 3.2
- ZTASKEND update
- Effect on inventory
  - Current inventory version/process
  - Custom scripts?
  - Update or configure to use RIM
- Store and forward
- Data Delivery Agents (DDA)
  - Remove or rename existing patch.dda.cfg

Requirements and Upgrade Considerations: Radia Reporting Server 4.2
- Can co-exist with other versions of Reporting Server
- Custom reports?
- Updated reports, new look

Requirements and Upgrade Considerations: Client and Patch Agent Maintenance
- Client
  - Nvdkit.exe using Tcl 8.4
- Patch Agent
  - Publish and Distribute

Requirements and Upgrade Considerations: Tcl 8.4 and Metakit Conversion
- Required only if Patch and Management Portal on same Integration Server instance

Requirements and Upgrade Considerations: Management Portal 2.1
- Required only if Patch and Management Portal on same Integration Server instance
- Updates to three core portal files
  - rmp.tkd
  - rma.tkd
  - nvdcrt.tkd

Migration process

Migration Process
Perform the following steps before migrating from Patch Manager 1.2 and later:
- Back up both the Patch and Configuration Server databases
- Export the existing Patch Manager Domain from the Configuration Server database
  - Stop the Configuration Server service
  - From a command line, navigate to the Configuration Server's bin directory and run

    ZEDMAMS VERB=EXPORT_INSTANCE, FILE=PRIMARY, DOMAIN=PATCHMGR, INSTANCE=*, OUTPUT=PATCHMGR_UPGRADE.XPI, PREVIEW=NO
    ZEDMAMS VERB=EXPORT_RESOURCE, FILE=PRIMARY, DOMAIN=PATCHMGR, INSTANCE=*, OUTPUT=PATCHMGR_UPGRADE.XPR, PREVIEW=NO

Migration Process: Pre-Patch Manager Version 1.2.3
- Do you want to maintain device status data currently in the Patch database?
  - If no, drop the table nvd_zobjstat
  - If yes:
    - Stop the Messaging Server service
    - Stop the Integration Server service running Patch
    - Run check_duplicates.sql against the database from Migration folder on Patch Manager CD
    - If script returns results, run remove_duplicates.sql from Migration folder on Patch Manager CD
    - Continue with steps for migration from Patch 2.0

Migration Process: Migrating from Patch Manager 2.0
- Do you want to maintain device status data currently in the Patch database?
  - If no, drop the table nvd_zobjstat
  - If yes:
    - Stop the Messaging Server service
    - Stop the Integration Server service running Patch
    - Run split_zobjstat.sql (SQL Server) or split_zobjstat.ora (Oracle) against the database from Migration folder on Patch Manager CD
    - Script can be verified by looking for the following tables in the database: nvd_device, nvd_de2pr, nvd_de2re, nvd_de2sp, nvd_de2pa, nvd_de2fc, nvd_de2rc, and nvd_de2fs

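One way to perform the table check named above on SQL Server, as an added example that is not part of the original slides or of the scripts on the Patch Manager CD. It assumes it is run in the Patch database after split_zobjstat.sql and uses the standard INFORMATION_SCHEMA.TABLES view; the variable names are illustrative.

```sql
-- Added example (not HP's script): confirm that the eight tables the slide
-- lists for the Patch 2.0 migration exist in the current database.
-- Assumption: executed in the Patch database on SQL Server.
SET NOCOUNT ON;

DECLARE @expected TABLE (table_name VARCHAR(128) NOT NULL PRIMARY KEY);
DECLARE @missing INT;

-- Table names exactly as listed on the slide.
INSERT INTO @expected (table_name)
SELECT 'nvd_device' UNION ALL
SELECT 'nvd_de2pr'  UNION ALL
SELECT 'nvd_de2re'  UNION ALL
SELECT 'nvd_de2sp'  UNION ALL
SELECT 'nvd_de2pa'  UNION ALL
SELECT 'nvd_de2fc'  UNION ALL
SELECT 'nvd_de2rc'  UNION ALL
SELECT 'nvd_de2fs';

-- One row per expected table, flagged present or missing.
-- LOWER() and COLLATE keep the match stable on case-sensitive collations.
SELECT e.table_name,
       CASE WHEN t.TABLE_NAME IS NULL THEN 'MISSING' ELSE 'present' END AS status
FROM @expected AS e
LEFT JOIN INFORMATION_SCHEMA.TABLES AS t
       ON LOWER(t.TABLE_NAME) COLLATE DATABASE_DEFAULT
          = e.table_name COLLATE DATABASE_DEFAULT
      AND t.TABLE_TYPE = 'BASE TABLE'
ORDER BY e.table_name;

-- Count the gaps so the result can stop a scripted migration.
SELECT @missing = COUNT(*)
FROM @expected AS e
WHERE NOT EXISTS (
    SELECT 1
    FROM INFORMATION_SCHEMA.TABLES AS t
    WHERE LOWER(t.TABLE_NAME) COLLATE DATABASE_DEFAULT
          = e.table_name COLLATE DATABASE_DEFAULT
      AND t.TABLE_TYPE = 'BASE TABLE'
);

IF @missing > 0
BEGIN
    RAISERROR('split_zobjstat check failed: %d expected table(s) missing.', 16, 1, @missing);
END
ELSE
BEGIN
    PRINT 'All eight tables listed for the Patch 2.0 migration are present.';
END
```

On Oracle, where the slide names split_zobjstat.ora, the same comparison can be made against USER_TABLES, which stores unquoted table names in upper case.
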
Migration Process: Final Steps
- Download Patch Manager Version 3.0 Infrastructure component pre-requisite software (RADRPMWIN32_00008)
- Install Messaging Server 3.2
- Install Reporting Server 4.2
- Import Client self-maintenance
  - Updated nvdkit
  - Copy files to RCS bin directory
  - Stop RCS
  - On command line, run

    ZEDMAMS ZFILE import.txt

  - Start RCS

Migration Process: Final Steps
- Run OpenView Infrastructure 8.4 Metakit conversion utility
  - Stop Integration Server service
  - Copy files (nvdkit.exe and mk-conv.tkd) to Integration Server directory
  - On command line, run

    nvdkit ./mk-conv.tkd

  - View mk-conv.log to verify successful completion
  - Start Integration Server service

HP OV Patch Manager using Radia 3.0

Migration Process
- Run the Patch Manager 3.0 installation and select Migration during the installation process
  - Recreates PATCHMGR domain
  - Automatically imports PATCHMGR_UPGRADE XPR and XPI files, if found
  - Imports PATCHMGR_REX XPR and XPI files to ensure latest install.rex and update.rex files are installed

Key benefits

Key Benefits
- Centralizes administration using existing infrastructure and interfaces
  - Windows Server Update Services server not required
- Specific, policy-based patch targeting
- Immediate availability and deployment capability
  - Reconciliation for Microsoft Update hosted patches is not required
- Automated acquisition leverages both MSSECURE and Microsoft Update Catalog patch repositories
- Single, web-based console supports heterogeneous patch and federated Radia data reporting

Frequently asked questions

FAQ: WUA and Group Policy
- Does the Windows Update Agent need to be enabled in Group Policy?
  - Yes, you will need to ensure WUA is enabled in Group Policy; this does not enable users to access the Microsoft Update site
  - If concerned, Microsoft Update site can be prohibited through HTTP proxies

FAQ: Office vulnerabilities
- Will I be able to determine Office vulnerabilities and patch them with Patch Manager 3.0?
  - By default, Office excluded on new install
  - No protection if Office installed from AIP
  - Microsoft Update supports
    - Office XP
    - Office 2003
  - Remove Office exclusion with care

FAQ: Patch descriptor files
- Can I still create custom patch descriptor files for my MSSECURE associated patches?
  - Yes, MSSECURE custom descriptor files are still supported

FAQ: Depth of reporting
- Will I still see the same level of reporting for Microsoft patches (file/registry level)?
  - The level of reporting will vary, but won't be as granular as reporting that was available through MSSECURE
- Can I still create State files for my patches for analysis in the Configuration Analyzer?
  - Yes, this is still available

FAQ: Windows platform coverage
- What Windows platforms are covered by Microsoft Update?
  - Windows 2000 SP3 and above
  - Windows XP
    - Windows XP 64-bit edition not currently supported
  - Windows Server 2003
    - Windows Server 2003 64-bit edition not currently supported
  - Also apps: Exchange Server 2000/2003, SQL Server 2000 SP4 and above, Office XP and above
- What about older platforms?
  - MSSECURE can be used for existing patches

FAQ: Availability
- When will Patch Manager 3.0 be available?
  - Patch Manager 3.0 is available now from Software Update Manager
  - Prerequisites can be found at http://support.openview.hp.com/cpe/patches/radia_patm/3.0/win.jsp

Questions & Answers