HP Vulnerability and Patch Manager 6.0 software
Installation and Configuration Guide

HP Part Number: 579548-001
Published: January 2010, First Edition
Copyright 2010 Hewlett-Packard Development Company, L.P.

Legal Notices

Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license.

The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.

Acknowledgments

Microsoft, Windows, Windows Server, Windows Vista, Windows NT, and Windows XP are U.S. registered trademarks of Microsoft Corporation. Linux is a U.S. registered trademark of Linus Torvalds.

Intended audience

This document is for the person who installs and configures servers and storage systems. HP assumes you are qualified in the servicing of computer equipment and trained in recognizing hazards in products with hazardous energy levels.
Table of Contents

1 Overview
    Supported target systems
    Supported applications
2 Requirements
    Vulnerability and Patch Manager server requirements
        Infrastructure
        Hardware
        Software
    VPM Acquisition Utility (optional)
    Systems Insight Manager requirements
3 Installation and configuration
    Installing Vulnerability and Patch Manager
    Installing the VPM Acquisition Utility (optional)
    Configuring the VPM Acquisition Utility
    Configuring Vulnerability and Patch Manager
4 Licensing
    Licensing using Vulnerability and Patch Manager
    Licensing using the Systems Insight Manager License Manager
        Adding licenses
5 Troubleshooting
    Viewing Vulnerability and Patch Manager installation logs
    Vulnerability and Patch Manager installation updates MDAC and MSDE
    An error occurs when installing MSDE files from a Remote Desktop session
    Installation fails with Product RMS not installed: Service RMS error. The specified service does not exist as an installed service (0x424) message
    Vulnerability and Patch Manager installation fails
    Cannot modify Vulnerability and Patch Manager acquisition settings to acquire updates from a local repository
    Required open ports
    Modifying firewall configuration settings
    Configuring a DNS server
    All target systems do not have the same administrator credentials
    Multiple Vulnerability and Patch Manager servers
    Administrator credentials have been changed
6 Support and other resources
    Information to collect before contacting HP
    How to contact HP
    Registering for software technical support and update service
    How to use your software technical support and update service
    Warranty information
    Typographic conventions
    Related documents
Index
List of Tables

2-1 Hardware requirements
2-2 Software requirements
2-3 VPM Acquisition Utility requirements
1 Overview

The HP Vulnerability and Patch Manager extends the functionality of HP Systems Insight Manager (HP SIM) to provide vulnerability and patch management for target systems.

IMPORTANT: HP is phasing out the HP Vulnerability and Patch Manager software (VPM) from Insight Control. Technical support will be offered based on the Technical Support and Upgrade offerings for HP Insight Control sold through November 2009. HP Insight Control licenses include 1 year of Technical Support & Update, which you can upgrade to 3, 4, or 5 years. Depending on the purchase date of Insight Control licenses and technical support extension, support for Vulnerability and Patch Manager functionality will end no later than November 2012. Starting with the Insight software 6.0 DVD, Vulnerability and Patch Manager will no longer be available. However, existing users of the vulnerability and patch management capabilities can upgrade to Vulnerability and Patch Manager 6.0 by downloading the software and manually installing it on the CMS. You can download the software from Software depot.

IMPORTANT: With Vulnerability and Patch Manager 3.00x and later, or with Insight Control Environment 3.0 or later, a new database entry with the name GUARDIAN appears. This database belongs to the vulnerability scanner. It replaces the older Scan Vulnerability ACCESS DB, used by the vulnerability scanning engine to store patch related information.

Supported target systems

Target systems are managed by Vulnerability and Patch Manager. HP recommends installing HP Management Agents on ProLiant target systems to allow Systems Insight Manager to better identify the target systems. Enable WMI or Web-Based Enterprise Management (WBEM) for other target systems. The Vulnerability and Patch Manager Patch Agent is automatically deployed when target systems are licensed to allow patches to be applied to the systems. Secure Shell (SSH) must be installed on Linux target systems.
Vulnerability and Patch Manager supports the following target systems:

Windows systems:
- Windows Server 2008, Standard Edition
- Windows Server 2008, Standard x64 Edition
- Windows Server 2008, Enterprise Edition
- Windows Server 2008, Enterprise x64 Edition
- Windows Server 2008, Standard/Enterprise R2, 32 bit
- Windows Server 2008, Standard/Enterprise R2, 64 bit
- Windows Server 2008, Web Edition
- Windows Server 2003, Standard Edition SP1
- Windows Server 2003, Standard Edition SP2
- Windows Server 2003, Standard x64 Edition SP2
- Windows Server 2003, Enterprise Edition SP1
- Windows Server 2003, Enterprise Edition SP2
- Windows Server 2003 R2, Standard Edition SP2
- Windows Server 2003 R2, Standard x64 Edition SP2
- Windows Server 2003 R2, Enterprise Edition SP2
- Windows Small Business Server 2003, Standard/Enterprise Edition, SP1
- Windows Small Business Server 2003, Premium Edition
- Windows Small Business Server 2003, Premium Edition, SP1
- Windows Vista Business, 32-bit
- Windows Vista Business, 64-bit
- Windows Vista Enterprise, 32-bit
- Windows Vista Enterprise, 64-bit
- Windows XP Professional, SP2
- Windows XP Professional, SP3
- Windows XP Professional x64 Edition SP1

Linux systems:

NOTE: You must have a valid subscription to the Red Hat Network for patch acquisitions. A valid Red Hat network license is required for each system patched. For more information, see http://www.redhat.com. The Red Hat library, compat-libstdc++, must exist on the Red Hat target systems.

- Red Hat Enterprise Linux AS/ES 4.5 for x86
- Red Hat Enterprise Linux AS/ES 4.6 for x86
- Red Hat Enterprise Linux AS/ES 4.7 for x86
- Red Hat Enterprise Linux AS/ES 4 for x64
- Red Hat Enterprise Linux Server 5 for x86 and 64 bit

Supported applications

Vulnerability and Patch Manager supports patching of the following applications on monitored systems:
- All Microsoft applications for which patches are available (excluding Microsoft Office applications)
- All applications included with Red Hat Linux
2 Requirements

Vulnerability and Patch Manager server requirements

Infrastructure

The Vulnerability and Patch Manager server, the server on which Vulnerability and Patch Manager is installed, must meet the following hardware and software requirements. Requirements listed for the Vulnerability and Patch Manager server are independent of requirements for HP SIM and any other applications that coexist on the Vulnerability and Patch Manager server. For specific hardware and software requirements for the HP SIM server, see the HP Systems Insight Manager User Guide.

A server environment using the Vulnerability and Patch Manager consists of the following components:
- Vulnerability and Patch Manager
- Systems Insight Manager
- Target systems
- VPM Acquisition Utility (installed on a separate system, optional)

You must install the Vulnerability and Patch Manager and Systems Insight Manager together on a single server (referred to as a shared configuration). For this release, both the Vulnerability and Patch Manager and HP SIM must operate on a Windows server.

In a shared server configuration, Vulnerability and Patch Manager and Systems Insight Manager are installed on the same server. The following figure depicts a shared server configuration in which the Vulnerability and Patch Manager server has Internet access to obtain patch and vulnerability updates.

The following figure depicts a shared server configuration in which the VPM Acquisition Utility is used to obtain patch and vulnerability updates from the patch update sources.
Hardware

The Vulnerability and Patch Manager server, the server on which the Vulnerability and Patch Manager software is installed, must meet the following hardware requirements. Requirements listed for the Vulnerability and Patch Manager server are independent of requirements for Systems Insight Manager and any other applications that coexist on the Vulnerability and Patch Manager server. For specific hardware requirements for the Systems Insight Manager server, see the HP Systems Insight Manager Installation and Configuration Guide for Microsoft Windows.

Table 2-1 Hardware requirements

Component: Specification
Any HP x86/x64 server
Memory: At least 3072 MB RAM
Processor: 3.0 GHz or faster
Disk space: At least 2.5 GB for Vulnerability and Patch Manager (150 MB in the TEMP directory for installation). Additional space for scan reports and patches.
File structure: New Technology File System (NTFS)
DVD-ROM drive

Software

The Vulnerability and Patch Manager server, the server on which the Vulnerability and Patch Manager software is installed, must meet the following software requirements. Requirements listed for the Vulnerability and Patch Manager server are independent of requirements for Systems Insight Manager and any other applications that coexist on the Vulnerability and Patch Manager server. For specific software requirements for the Systems Insight Manager server, see the HP Systems Insight Manager Installation and Configuration Guide for Microsoft Windows.
Table 2-2 Software requirements

Component: Specification

Operating system (32-bit and 64-bit versions)*:
- Microsoft Windows Server 2003, Standard Edition SP2, 32-bit
- Windows Server 2003, Enterprise Edition SP2, 32-bit
- Windows Server 2003, Enterprise Edition SP2, 64 bit
- Windows Server 2003, Standard Edition SP2, 64 bit
- Windows Server 2008, Standard/Enterprise Edition SP1, 32 bit
- Windows Server 2008, Standard/Enterprise Edition SP1, 64 bit
- Windows 2003 R2, Standard/Enterprise Edition SP2, 32 bit
- Windows 2003 R2, Standard/Enterprise Edition SP2, 64 bit

Services:
- TCP/IP with DNS properly configured so that system names can be resolved to IP addresses

Database:
- An existing Microsoft SQL Server or Microsoft SQL Express database can be used. When changing databases during an upgrade, patch data from the previous database is not migrated. A full patch acquisition must be performed to repopulate the patch repository.

Applications (must be available on the network):
- Systems Insight Manager 5.3 or later, installed on a Windows server with Windows Management Interface (WMI) Mapper
- Mozilla Firefox 2.0 or Microsoft Internet Explorer 6.0 SP1 or 7.0
- Adobe Acrobat Reader 3.x or later (to view scan results)

*Systems Insight Manager might have additional restrictions for supported service pack levels.

VPM Acquisition Utility (optional)

The VPM Acquisition Utility can be installed on a system with Internet access to acquire patch information and patch files from selected vendor websites. This utility allows patch acquisitions and vulnerability updates without requiring the Vulnerability and Patch Manager server to be directly connected to the Internet, thereby reducing potential security risks. No other Vulnerability and Patch Manager components or database software is required to be installed on the system to download vulnerability and patch updates.

The table below lists the minimum requirements for the system on which you can install the VPM Acquisition Utility.
Table 2-3 VPM Acquisition Utility requirements

Component: Specification
Memory: 256 MB RAM
Processor: 1.5 GHz or faster
Disk space: At least 1 GB
Internet access for downloading vulnerability patches
Available space for downloading vulnerability patches
Operating system (32-bit versions only):
- Windows Server 2003, Standard Edition SP2 (32-bit only)
- Windows Server 2003, Enterprise Edition SP2 (32-bit only)
- Windows Server 2003 R2, Standard Edition (32-bit only)
- Windows Server 2003 R2, Enterprise Edition (32-bit only)

Systems Insight Manager requirements

HP SIM 5.3 or later must be installed and running in the server environment to properly install and use Vulnerability and Patch Manager. HP SIM must be installed on a Windows server. For additional information about HP SIM, see http://www.hp.com/go/hpsim.
3 Installation and configuration

New versions of HP Vulnerability and Patch Manager are automatically installed over a previous version. Any scheduled tasks, scan reports, and patch updates are retained.

Be sure to have the following items available before beginning the installation:
- Location and credentials for HP SIM (user name, password, and domain)
- Credentials for the Microsoft SQL Server database if an existing SQL Server database will be used
- HP SIM 5.3 or later must be installed, properly configured, and running

Installing Vulnerability and Patch Manager

1. Download the Vulnerability and Patch Manager 6.0 executable from Software depot.
2. After downloading Vulnerability and Patch Manager, double-click setup.exe to start the installation. The Welcome screen appears.
3. Click Install. The Software selection screen appears.
4. Select the components to install, and click Next. The HP Systems Insight Manager Credentials screen appears.
5. Enter the same credentials used to install HP SIM, and click Next.

When the installation is complete, log in to HP SIM from an account with administrator privileges to access Vulnerability and Patch Manager.
NOTE: Vulnerability and Patch Manager installation takes between 30 and 50 minutes due to the additional time taken by the new SQL-based scanner installation.

NOTE: The setup fails to begin the installation process if special characters like [ ] ( ) \ , * ! @ ; + ` { } space $ are used in the account password that is used to install Vulnerability and Patch Manager.

IMPORTANT: If the Vulnerability and Patch Manager database is located in the current domain, you can use the Connect Using Windows Authentication installer option with valid Windows user credentials to validate the database. Otherwise, if the Vulnerability and Patch Manager database is located in another domain, do not use this option. Instead, use valid SQL user credentials to validate the database.

Installing the VPM Acquisition Utility (optional)

The VPM Acquisition Utility can be installed on a system with Internet access, enabling patch acquisitions and vulnerability updates without requiring the Vulnerability and Patch Manager server to be directly connected to the Internet.

1. Download the Vulnerability and Patch Manager 6.0 executable from Software depot.
2. After downloading Vulnerability and Patch Manager, double-click setup.exe to start the installation.
3. At the Welcome screen, click Install.
4. At the Software Selection screen, select VPM Acquisition Utility, and click Next.
5. Follow the onscreen instructions to complete the installation.

Configuring the VPM Acquisition Utility

The VPM Acquisition Utility downloads patch information and patch files from selected vendor websites. You can run the VPM Acquisition Utility from any system with Internet access. After the download is complete, you can import this information to the Vulnerability and Patch Manager server in the Vulnerability and Patch Manager database. You cannot install the VPM Acquisition Utility on the Systems Insight Manager Central Management Server (CMS).
To run the acquisition tool, you must install VPM Acquisition Utility on the selected system.

To configure VPM Acquisition Utility to acquire patch and vulnerability updates:

1. Access the VPM Acquisition Utility from the selected system.
   NOTE: Steps 2 through 7 are required during a first time setup or when you want to change acquisition settings.
2. Select the source (one or more) to acquire the patch updates, and click Next.
3. Select the appropriate operating system platforms and platform-related applications, and click Next.
4. Select the appropriate languages for the required patches, and click Next.
5. Enter the destination path for downloaded files, and click Next. The destination can be either a local or shared directory. The designated directory must be accessible.
6. If you use a proxy, select I use a proxy, and enter the appropriate configuration information.
7. If your proxy requires authentication, select My proxy requires authentication, and enter the appropriate user credentials. Only basic (not encrypted) authentication is supported.
8. Click Next.
9. To run the patch acquisition, click Run Now. The vulnerability and patch acquisition process begins. You can monitor the progress of the acquisition at C:\Program Files\HP\VPM Acquisition Utility\logs\patch-acquire.log. To manually scroll through the log file during the acquisition, clear the Enable auto-scroll checkbox. The Acquisition Log displays the progress of the acquisition. Disregard any messages that appear on the log screen. The acquisition process might appear to stall (hang) when downloading large files.
10. When the acquisition process is complete, click Done.
11. On the Vulnerability and Patch Manager server, create a directory named data at C:\Program Files\HP\VPM\Radia\Integration Server.
12. Copy downloaded files from the VPM Acquisition Utility server destination directory to the Vulnerability and Patch Manager server data directory.
13. From Systems Insight Manager, configure the import setting by selecting Options>Vulnerability and Patch Manager>Settings.
14. To start the import process, select Options>Vulnerability and Patch Manager>Acquire Updates.

Configuring Vulnerability and Patch Manager

After Vulnerability and Patch Manager is installed for the first time, perform the following steps to complete the configuration and install the latest vulnerability updates.

NOTE: An administrator can add new users and set up existing users to access Vulnerability and Patch Manager. For instructions, see the HP Systems Insight Manager Installation and Configuration Guide for Microsoft Windows.

1. Log in to HP SIM from an account with administrator privileges.
2. Configure global and sign-in credentials to enable access to target systems.
3. Perform an automatic discovery to locate and identify target systems in the network that can be used with Vulnerability and Patch Manager. For information, see the HP Systems Insight Manager Installation and Configuration Guide for Microsoft Windows.
4. Modify the Vulnerability and Patch Manager settings:
   1. Select Options>Vulnerability and Patch Manager>Settings.
   2. Select the source for the patch and vulnerability updates.
      - If the Vulnerability and Patch Manager server has direct Internet access, select Acquire updates from Internet if you want to use the Vulnerability and Patch Manager server to obtain updates. If you use a proxy server, select the appropriate checkbox, and enter your configuration information. If the proxy requires authentication, select the appropriate checkbox, and enter your user credentials.
        NOTE: Only Microsoft Proxy Server is tested and supported.
        Only basic authentication for Internet proxy servers is supported. The use of Internet proxy server scripts and full NTLM authentication are not supported.
      - If the Vulnerability and Patch Manager server does not have Internet access, select Acquire updates from local repository to use the VPM Acquisition Utility on another system with Internet access to acquire updates. You can relocate the update files manually to the Vulnerability and Patch Manager server or access the files from the network. Enter the directory path of the update files in the Source path field. If necessary, enter your user credentials to access the designated directory. The Vulnerability and Patch Manager server must have read access to the designated directory.
   3. Click Apply.
5. If you require Red Hat patch acquisitions, you must configure your system. To configure Red Hat Enterprise Linux acquisition settings:
   1. Verify that the Red Hat library, compat-libstdc++, is installed on all Red Hat target systems.
   2. Verify that each Red Hat target system to be patched has a valid subscription and license for the Red Hat Network, which are required for patch acquisitions. For information about subscribing to the Red Hat Network, see http://www.redhat.com.
   3. Log in to a Red Hat Enterprise or Advanced Server Linux system as root.
   4. Execute the following command: rhn_register.
   5. Select Existing, and then enter your user credentials.
   6. Enter a unique profile name for this machine (such as the IP address or host name).
   7. Exit the rhn_register application without applying any patches to the system.
   8. Copy the file created by the rhn_register tool from /etc/sysconfig/rhn/systemid to <VPM_installation_folder>\radia\IntegrationServer\etc.
      IMPORTANT: In a Red Hat Linux environment, configure the network connectivity between the CMS and the target systems by editing the correct /etc/hosts file. Verify that both CMS and target systems can reach each other by using the ping command with the host name.
      NOTE: The same version of the operating system should be registered on the Red Hat site for downloading the Red Hat patches. For example, if you require RHEL4 AS, RHEL4 AS 64 bit, RHEL4 ES, and RHEL4 ES 64 patches downloaded from the Internet, you must register the above systems on the Red Hat site and create the separate SID files.
   9. Rename the systemid file to reflect the appropriate Red Hat distribution:
      - If the system that created the systemid file is running Red Hat Linux 5, rename the file redhat-5client.sid or redhat-5client-x86_64.sid.
      - If the system that created the systemid file is running Red Hat Linux 5, rename the file redhat-5server.sid or redhat-5server-x86_64.sid.
      - If the system that created the systemid file is running Red Hat Enterprise Server Linux 4 32 bit and 64 bit, rename the file as redhat-4es.sid and redhat-4es-x86_64.sid respectively.
      - If the system that created the systemid file is running Red Hat Advanced Server Linux 4 32 bit and 64 bit, rename the file as redhat-4as.sid and redhat-4as-x86_64.sid respectively.
6. Acquire the latest Vulnerability and Patch Manager updates, either from the Vulnerability and Patch Manager server or using the VPM Acquisition Utility installed on another system. The first update process after the initial software installation might take a long time, depending on the number of patch sources selected and the quantity of updates available from each source.

   To acquire the latest patch updates, do one of the following:

   Use the Vulnerability and Patch Manager server:
   1. Select Options>Vulnerability and Patch Manager>Acquire Updates.
   2. Follow the on-screen instructions, selecting the appropriate update information for your server environment when prompted.
   3. Click Schedule, and then select a time to acquire daily Vulnerability and Patch Manager updates. Updates might not be available daily, but scheduling the event daily ensures that you obtain critical updates promptly. Updates to scan definitions are usually available a few days after new patches are released.
   4. Select the Run now checkbox, and click Done. The first update process after the initial software installation can take a long time, depending on the number of patch sources selected and the quantity of updates available from each source. You can monitor the progress of the acquisition at C:\Program Files\HP\VPM\Radia\IntegrationServer\logs\patch-acquire.log.

   Use the VPM Acquisition Utility:
   1. Access the VPM Acquisition Utility from the selected system.
   2. Follow the on-screen instructions, selecting the appropriate update information for your server environment when prompted.
   3. Click Schedule, and then select a time to acquire daily Vulnerability and Patch Manager updates. Updates might not be available daily, but scheduling the event daily ensures that you obtain critical updates promptly. Updates to scan definitions are usually available a few days after new patches are released.
   4. To run the patch acquisition, click Run Now. The vulnerability and patch acquisition process begins. You can monitor the progress of the acquisition at C:\Program Files\HP\VPM Acquisition Utility\logs\patch-acquire.log. To manually scroll through the log file during the acquisition, clear the Enable auto-scroll checkbox. The Acquisition Log displays the progress of the acquisition. Disregard any messages that appear on the log screen. The acquisition process might appear to stall (hang) when downloading large files.

After installing and configuring Vulnerability and Patch Manager, you are ready to implement vulnerability and patch management on your target systems. For more information, see the HP Vulnerability and Patch Manager User Guide or the HP Vulnerability and Patch Manager help system.
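Step 9 of the Red Hat acquisition settings above maps each registered system to a fixed .sid file name. The following is an added example, not part of the HP guide or HP software: a POSIX shell helper that derives that name from the release string and architecture, then stages a copy of the systemid file under it. The function names, the assumed /etc/redhat-release wording, and the reading of the two Red Hat Linux 5 entries as Client and Server (taken from the file names) are assumptions.

```shell
#!/bin/sh
# Added example (not HP code). Helper names are hypothetical.
# Assumption: /etc/redhat-release uses the standard Red Hat wording, e.g.
#   "Red Hat Enterprise Linux ES release 4 (Nahant Update 7)"
#   "Red Hat Enterprise Linux Server release 5.4 (Tikanga)"

# sid_name RELEASE_STRING MACHINE
# Prints the .sid file name listed in step 9 and returns 0.
# Returns 1 (printing nothing) for a release or architecture the guide
# does not list, so an unsupported system never produces a file name.
sid_name() {
    release=$1
    machine=$2

    case $machine in
        x86_64)              suffix="-x86_64" ;;
        i386|i486|i586|i686) suffix="" ;;
        *)                   return 1 ;;
    esac

    case $release in
        *"Linux AS release 4"*)     base="redhat-4as" ;;
        *"Linux ES release 4"*)     base="redhat-4es" ;;
        # Assumption: "5client" means the RHEL 5 Client variant and
        # "5server" the Server variant; the guide calls both "Red Hat Linux 5".
        *"Linux Server release 5"*) base="redhat-5server" ;;
        *"Linux Client release 5"*) base="redhat-5client" ;;
        *)                          return 1 ;;
    esac

    printf '%s%s.sid\n' "$base" "$suffix"
}

# stage_sid SYSTEMID_FILE RELEASE_FILE MACHINE OUT_DIR
# Copies the systemid file to OUT_DIR under the name step 9 expects and
# prints the resulting path. The copy is created without group/other
# access because the file identifies the registered system to the
# Red Hat Network.
stage_sid() {
    src=$1
    relfile=$2
    machine=$3
    outdir=$4

    [ -s "$src" ] || { echo "systemid file missing or empty: $src" >&2; return 1; }
    [ -r "$relfile" ] || { echo "cannot read release file: $relfile" >&2; return 1; }

    name=$(sid_name "$(head -n 1 "$relfile")" "$machine") || {
        echo "release/architecture is not one the guide lists" >&2
        return 1
    }

    # One .sid file per registered distribution and architecture:
    # never silently replace an existing one.
    if [ -e "$outdir/$name" ]; then
        echo "refusing to overwrite $outdir/$name" >&2
        return 1
    fi

    mkdir -p "$outdir" || return 1
    ( umask 077; cp "$src" "$outdir/$name" ) || return 1
    printf '%s\n' "$outdir/$name"
}

# Constructed sample input (not taken from a real system):
sid_name "Red Hat Enterprise Linux ES release 4 (Nahant Update 7)" x86_64
```

On a registered system, run stage_sid /etc/sysconfig/rhn/systemid /etc/redhat-release "$(uname -m)" ./sid as root, then copy the resulting file to <VPM_installation_folder>\radia\IntegrationServer\etc on the Vulnerability and Patch Manager server.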
4 Licensing

The VPM Patch Agent is automatically deployed when systems are licensed to allow patches to be applied to the systems. VPM Patch Agent updates might be acquired as part of the normal acquisition process. Agents installed on target systems are automatically updated the next time patches are applied or validated.

Licensing using Vulnerability and Patch Manager

You can add and apply licenses from within Vulnerability and Patch Manager as a distinct step whenever a licensed operation, such as a vulnerability scan or patch deployment, is initiated and one or more target systems selected for the operation is unlicensed or licensed with a time-limited license. You are prompted to license these systems to successfully complete the requested action. The number of available licenses and the number of selected target systems not licensed or licensed with a time-limited license are displayed.

To apply licenses to these target systems:

1. If licenses are available, select any unlicensed system in the list to license, not exceeding the number of available licenses, and click Apply License. The Apply License button is only enabled if sufficient licenses are available to license the selected systems. If systems listed as Unknown or Unmanaged in Systems Insight Manager are selected for licensing, HP recommends modifying the Systems Insight Manager settings to properly identify systems before licensing. Any unlicensed systems not licensed at this time are not included in the task.
2. If additional licenses are available, click Add Key to enter one or more new key strings, which you can cut and paste as a single string into any one of the subfields, and click OK.
3. Click Next to continue the task.

Any selected target systems that are not licensed appear in the systems list on the license validation page. The license page reappears, displaying the updated licensing status, each time a license is added or applied to a system.
You can change time-limited licenses to permanent licenses at this time by selecting the system and applying a permanent license. When all selected target systems are licensed, the process moves to the next step of the selected operation. If all target systems initially selected for the task are licensed with permanent licenses, the license validation page does not appear.

Licensing using the Systems Insight Manager License Manager

You can use the Systems Insight Manager License Manager to manage Vulnerability and Patch Manager licenses. All license keys seen by the License Manager display when the function starts, as well as the key details and summary status. Select any key and a new table is displayed. Systems assigned to that key, details about the system, and the status of the key on that system are displayed.

Adding licenses

To use Systems Insight Manager License Manager to add Vulnerability and Patch Manager licenses to the licensing database, do the following:

1. Select Deploy>License Manager>Manage Keys.
2. Click Add Key to enter one or more new key strings, which you can cut and paste as a single string into any of the subfields.
3. Click Open.

If the license key is not valid or is a duplicate of an existing key in the database, an error message appears, and the license key is not added to the database.

The Vulnerability and Patch Manager does not support the Systems Insight Manager License Manager File>Add Key feature.
5 Troubleshooting

This chapter identifies and provides solutions for commonly encountered Vulnerability and Patch Manager installation issues.

Viewing Vulnerability and Patch Manager installation logs

The Vulnerability and Patch Manager installation logs, which list the details of the installation of each Vulnerability and Patch Manager component, are located at &HOMEDRIVE&:\vpmsetuplogs, where HOMEDRIVE is usually the C drive. You can view the following logs:

- vmpsetup.log: Contains log information from the main installer, including calls and result codes from the execution of component installers.
- vmpsrvsetup.log: Contains log information about the creation of the Vulnerability and Patch Manager directories and menus in the Vulnerability and Patch Manager server.
- vmpsimsetup.log: Contains log information from the Systems Insight Manager component installation.
- RCS.log: Contains information about the installation of the Radia Configuration Server, which manages vulnerabilities based on policies established by Systems Insight Manager.
- RPS.log: Contains information about the installation of the Radia Proxy Server, which is used as the central patch repository.
- RMS.log: Contains information about the installation of the Radia Messaging Server, which is a messaging service used to communicate Vulnerability and Patch Management Pack status information.
- RPM.log: Contains information about the installation of the Radia Patch Manager (Server), which acquires security patches from the Internet, loads them into the Radia Configuration Server, and synchronizes this information in the database.
- RMP.log: Contains information about the installation of the Radia Management Portal, which is used to initiate the installation of the VPM Patch Agent and perform Vulnerability and Patch Manager actions on remote systems.
- Radiawrp.log: Contains an installation summary of the previous five components.
Vulnerability and Patch Manager installation updates MDAC and MSDE

If MSDE or files used by MSDE are not up-to-date, files are updated during the Vulnerability and Patch Manager installation process. The server is rebooted after updated files are installed. In this situation, the Vulnerability and Patch Manager installation must be restarted.

An error occurs when installing MSDE files from a Remote Desktop session

Install Vulnerability and Patch Manager using the system console instead of a Remote Desktop session. For additional information, see http://support.microsoft.com/default.aspx?scid=kb;en-us;246694&sd=tech.

Installation fails with Product RMS not installed: Service RMS error. The specified service does not exist as an installed service (0x424) message

If the password of the account used to install Vulnerability and Patch Manager contains curly braces, { or }, the Radia component installation fails. To correct this, either complete the following steps to temporarily change the install account password or create a new local account with administrator privileges to use to perform the installation.

1. Change the password to remove the invalid characters.
2. Select Start>Control Panel>Administrative Tools>Services.
3. Right-click HP Systems Insight Manager, and then select Properties.
4. Click the Log On tab, and then update with the new password.
5. Click the General tab, and then click Stop>Start to restart the Systems Insight Manager service.
6. Proceed with the Vulnerability and Patch Manager installation.

If necessary, the installation account credentials can be changed back after the installation completes. Repeat steps 2 through 6 after the password has been changed, and then to update the Vulnerability and Patch Manager password.

Vulnerability and Patch Manager installation fails

- Be sure the Vulnerability and Patch Manager server can effectively communicate with other networking components, such as the database and Systems Insight Manager server (if separate).
- If the Vulnerability and Patch Manager server has multiple IP addresses, be sure Name Resolution is used for all IP addresses.
- If IPv6 is enabled, uninstall it from the network interface card being utilized for Vulnerability and Patch Manager communication.
- If the Vulnerability and Patch Manager installation was attempted multiple times, reboot before attempting the installation again.

Cannot modify Vulnerability and Patch Manager acquisition settings to acquire updates from a local repository

A patch acquisition must have already been run using the VPM Acquisition Utility and saved to the designated directory before Vulnerability and Patch Manager acquisition settings can be modified to acquire updates from a local repository.

Required open ports

IMPORTANT: If a proxy server is used, it must be configured to allow both HTTP and FTP traffic.

NOTE: These ports are opened automatically when VPM is installed on a Windows XP SP2 system. By default, Internet Connection Firewall closes some of these ports. Be sure that the ports listed are open.

The following ports must be open on target systems to allow successful scanning with Vulnerability and Patch Manager:

- TCP 22: SSH
- TCP 135, 137, 138, 139, 443, and 445: NetBIOS and SSL, used by the Vulnerability and Patch Manager scanning components
- TCP 2301 and 49400: HP Management Agents
- TCP 3463, 3464, 3466, and 3465: Used by VPM patching components

The following ports must be open on the Vulnerability and Patch Manager server:

- TCP 80: HTTP Web server, if an HTTP connection is used between the Vulnerability and Patch Manager and Systems Insight Manager servers (TCP 443 must be open if an HTTPS connection is used)
- TCP 445: MSDE named pipes communications
- UDP 1433, 1434: MSDE Shared Instance Support
- TCP (variable): MSDE TCP/IP communications. This port, assigned at random by MSDE during installation, can be identified by selecting Start>Run, entering svrnetcn.exe, and clicking OK. From the Server Instances menu, select Computername. In the Enabled Protocols list, select TCP/IP Properties. The port number appears. The port number can be changed at this time, if necessary.

The following ports are used by Systems Insight Manager and must be open:

- TCP 22: SSH
- UDP 161: SNMP
- UDP 162: SNMP trap
- TCP 280: HTTP
- TCP 5989: WBEM/WMI Mapper secure
- TCP 50000: HTTPS
- TCP 50001: Secure SOAP
- TCP and UDP 53: DNS

The following ports are used by the Virtual Machine Management Pack and must be open:

- 1125
- 1126
- 40420

Modifying firewall configuration settings

To ensure that Vulnerability and Patch Manager can obtain updates, be sure that your firewall is configured for access to ftp://ftp.hp.com/pub/essentials/vpm/.

Configuring a DNS server

If no DNS server exists in the server network, update the host files on both the Systems Insight Manager and Vulnerability and Patch Manager (CMS) server with the IP address and Network Naming. These files are located at C:\Windows\system32\Drivers\etc.

The target systems must be able to resolve the Vulnerability and Patch Manager server name to an IP address. The server host name where Systems Insight Manager and Vulnerability and Patch Manager are installed must be correctly configured for name resolution and reverse lookup. To determine if DNS is properly configured, use the nslookup command, passing both the host IP address and the fully qualified hostname.

If using DHCP, verify the following configuration in the advanced TCP/IP properties: be sure that the "DNS suffix for this connection" field has the correct DNS suffix and that both the "Register this connection's addresses in DNS" and "Use this connection's DNS suffix in DNS registration" checkboxes are selected.
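
For the "Required open ports" list above, this added example (not HP's code) probes the TCP ports the guide requires on a target system and separates ports that refuse a connection from ports that never answer, which points to a stopped service rather than a firewall rule. It assumes Python 3 is available on the machine running the check; the host name and the result table in demo() are constructed.

```python
import socket

# TCP ports the guide lists as required on target systems, grouped by component.
TARGET_TCP_PORTS = {
    "SSH": (22,),
    "VPM scanning components": (135, 137, 138, 139, 443, 445),
    "HP Management Agents": (2301, 49400),
    "VPM patching components": (3463, 3464, 3465, 3466),
}

def probe(host, port, timeout=3.0):
    """Classify one TCP port as 'open', 'refused', 'filtered' or 'error'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"    # host answered: nothing is listening on the port
    except socket.timeout:
        return "filtered"   # no answer: typically a firewall dropping packets
    except OSError:
        return "error"      # name did not resolve, no route, and so on

def triage(host, ports=TARGET_TCP_PORTS, probe_fn=probe):
    """Return [(component, port, state)] for every required port that is not open."""
    findings = []
    for component, numbers in ports.items():
        for port in numbers:
            state = probe_fn(host, port)
            if state != "open":
                findings.append((component, port, state))
    return findings

def demo():
    # Constructed result table standing in for a real host, so this runs offline.
    fake = {2301: "refused", 3463: "filtered", 3464: "filtered"}
    return triage("target.example.test", probe_fn=lambda h, p: fake.get(p, "open"))

if __name__ == "__main__":
    for component, port, state in demo():
        print(f"TCP {port:<5} {state:<8} {component}")
```

Run triage() with the default probe from the Vulnerability and Patch Manager server against a system you manage; "filtered" results are the ones to take to the firewall configuration.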
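
The nslookup check described under "Configuring a DNS server", as an added Python example (not part of the HP guide): it resolves the server name, reverse-resolves each expected address, and reports every mismatch, which also covers the multiple-IP-address case listed under installation failures. The names, addresses and lookup tables used by demo() are constructed sample values.

```python
import socket

def forward_lookup(name):
    """IPv4 addresses the local resolver (DNS or hosts file) returns for name."""
    try:
        return set(socket.gethostbyname_ex(name)[2])
    except OSError:
        return set()

def reverse_lookup(ip):
    """Names (primary plus aliases) the local resolver returns for ip."""
    try:
        primary, aliases, _ = socket.gethostbyaddr(ip)
    except OSError:
        return set()
    return {n.lower().rstrip(".") for n in [primary, *aliases]}

def check_name_resolution(fqdn, expected_ips, forward=forward_lookup, reverse=reverse_lookup):
    """Return a list of problems; empty means forward and reverse lookups agree."""
    fqdn = fqdn.lower().rstrip(".")
    expected = set(expected_ips)
    problems = []
    resolved = forward(fqdn)
    if not resolved:
        problems.append(f"forward: {fqdn} does not resolve")
    for ip in sorted(expected):
        if resolved and ip not in resolved:
            problems.append(f"forward: {fqdn} does not resolve to {ip}")
        names = reverse(ip)
        if not names:
            problems.append(f"reverse: {ip} has no PTR/hosts entry")
        elif fqdn not in names:
            problems.append(f"reverse: {ip} maps to {sorted(names)}, not {fqdn}")
    for ip in sorted(resolved - expected):
        problems.append(f"forward: {fqdn} also resolves to unexpected {ip}")
    return problems

# Constructed sample: a two-address server whose second address has no reverse record.
SAMPLE_FORWARD = {"vpm01.example.test": {"192.0.2.10", "192.0.2.11"}}
SAMPLE_REVERSE = {"192.0.2.10": {"vpm01.example.test"}}

def demo():
    return check_name_resolution(
        "vpm01.example.test", ["192.0.2.10", "192.0.2.11"],
        forward=lambda name: SAMPLE_FORWARD.get(name, set()),
        reverse=lambda ip: SAMPLE_REVERSE.get(ip, set()))

if __name__ == "__main__":
    for line in demo() or ["name resolution is consistent"]:
        print(line)
```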

All target systems do not have the same administrator credentials

For target systems that have individual administrator credentials, configure WBEM credentials individually to enable access to these target systems.

1. From within Systems Insight Manager, select Options>Discovery>Configure global credentials.
2. Select the system to configure, and then click Apply.
3. Enter the appropriate WBEM credentials, and then click Run Now.

Multiple Vulnerability and Patch Manager servers

Target systems cannot be scanned and patched by multiple Vulnerability and Patch Manager servers. The deployed VPM Patch Agent is set up to respond to only one Vulnerability and Patch Manager server.

Administrator credentials have been changed

If the administrator credentials have been changed for target systems, the WBEM credentials must be reconfigured. To reconfigure global credentials, select Options>Discovery>Configure global credentials.

6 Support and other resources

Information to collect before contacting HP

Be sure to have the following information available before you contact HP:

- Software product name
- Hardware product model number
- Operating system type and version
- Applicable error message
- Third-party hardware or software
- Technical support registration number (if applicable)

How to contact HP

Use the following methods to contact HP technical support:

- In the United States, see the Customer Service / Contact HP United States website for contact options: http://welcome.hp.com/country/us/en/contact_us.html
- In the United States, call 1-800-HP-INVENT (1-800-474-6836) to contact HP by telephone. This service is available 24 hours a day, 7 days a week. For continuous quality improvement, conversations might be recorded or monitored.
- In other locations, see the Contact HP Worldwide website for contact options: http://welcome.hp.com/country/us/en/wwcontact.html

Registering for software technical support and update service

HP Insight software includes one year of 24 x 7 HP Software Technical Support and Update Service. This service provides access to HP technical resources for assistance in resolving software implementation or operations problems. The service also provides access to software updates and reference manuals, either in electronic form or on physical media as they are made available from HP. Customers who purchase an electronic license are eligible for electronic updates only.

With this service, Insight software customers benefit from expedited problem resolution as well as proactive notification and delivery of software updates. For more information about this service, see the following website: http://www.hp.com/services/insight

Registration for this service takes place following online redemption of the license certificate.

How to use your software technical support and update service

After you have registered, you will receive a service contract in the mail containing the Customer Service phone number and your Service Agreement Identifier (SAID). You need your SAID when you contact technical support. Using your SAID, you can also go to the Software Update Manager (SUM) web page at http://www.itrc.hp.com to view your contract online and elect electronic delivery for product updates.

Warranty information

HP will replace defective delivery media for a period of 90 days from the date of purchase. This warranty applies to all Insight software products.

Typographic conventions

Book Title
    Title of a book or other document.
Linked Title
    Title that is a hyperlink to a book or other document.
http://www.hp.com
    A Web site address that is a hyperlink to the site.
Command
    Command name or qualified command phrase.
user input
    Commands and other text that you type.
computer output
    Text displayed by the computer.
Enter
    The name of a keyboard key. Note that Return and Enter both refer to the same key. A sequence such as Ctrl+A indicates that you must hold down the key labeled Ctrl while pressing the A key.
term
    Defined use of an important word or phrase.
variable
    The name of an environment variable, for example PATH or errno.
value
    A value that you may replace in a command or function, or information in a display that represents several possible values.

Related documents

In addition to this guide, the following resources are available:

- HP Insight Vulnerability and Patch Manager software 6.0 Release Notes
- HP Insight Vulnerability and Patch Manager software 6.0 User Guide