CA Patch Manager

Solution Guide Release 12.5.00

This documentation and any related computer software help programs (hereinafter referred to as the "Documentation") are for your informational purposes only and are subject to change or withdrawal by CA at any time.

This Documentation may not be copied, transferred, reproduced, disclosed, modified or duplicated, in whole or in part, without the prior written consent of CA. This Documentation is confidential and proprietary information of CA and may not be used or disclosed by you except as may be permitted in a separate confidentiality agreement between you and CA.

Notwithstanding the foregoing, if you are a licensed user of the software product(s) addressed in the Documentation, you may print a reasonable number of copies of the Documentation for internal use by you and your employees in connection with that software, provided that all CA copyright notices and legends are affixed to each reproduced copy.

The right to print copies of the Documentation is limited to the period during which the applicable license for such software remains in full force and effect. Should the license terminate for any reason, it is your responsibility to certify in writing to CA that all copies and partial copies of the Documentation have been returned to CA or destroyed.

TO THE EXTENT PERMITTED BY APPLICABLE LAW, CA PROVIDES THIS DOCUMENTATION "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NONINFRINGEMENT. IN NO EVENT WILL CA BE LIABLE TO THE END USER OR ANY THIRD PARTY FOR ANY LOSS OR DAMAGE, DIRECT OR INDIRECT, FROM THE USE OF THIS DOCUMENTATION, INCLUDING WITHOUT LIMITATION, LOST PROFITS, LOST INVESTMENT, BUSINESS INTERRUPTION, GOODWILL, OR LOST DATA, EVEN IF CA IS EXPRESSLY ADVISED IN ADVANCE OF THE POSSIBILITY OF SUCH LOSS OR DAMAGE.

The use of any software product referenced in the Documentation is governed by the applicable license agreement and is not modified in any way by the terms of this notice.

The manufacturer of this Documentation is CA.

Provided with "Restricted Rights." Use, duplication or disclosure by the United States Government is subject to the restrictions set forth in FAR Sections 12.212, 52.227-14, and 52.227-19(c)(1) - (2) and DFARS Section 252.227-7014(b)(3), as applicable, or their successors.

Copyright © 2009 CA. All rights reserved. All trademarks, trade names, service marks, and logos referenced herein belong to their respective companies.

CA Product References

This documentation set references the following CA products:
■ CA Advantage® Data Transport® (CA Data Transport)
■ CA ARCserve® Backup for Laptops and Desktops
■ CA Asset Intelligence
■ CA Asset Management
■ CA Asset Portfolio Management (CA APM)
■ CA Common Services™
■ CA Desktop and Server Management
■ CA Desktop Migration Manager (CA DMM)
■ CA Embedded Entitlements Manager (CA EEM, formerly eTrust® Identity and Access Management)
■ CA IT Client Manager (CA ITCM)
■ CA Mobile Device Management (CA MDM)
■ CA Network and Systems Management (CA NSM)
■ CA Patch Manager
■ CA Remote Control
■ CA Service Desk Manager
■ CA Software Delivery
■ CA Workflow for CA IT Client Manager
■ CA WorldView™
■ CleverPath™ Reporter

Contact CA

Contact Technical Support

For your convenience, CA provides one site where you can access the information you need for your Home Office, Small Business, and Enterprise CA products. At http://ca.com/support, you can access the following:
■ Online and telephone contact information for technical assistance and customer services
■ Information about user communities and forums
■ Product and documentation downloads
■ CA Support policies and guidelines
■ Other helpful resources appropriate for your product

Provide Feedback

If you have comments or questions about CA product documentation, you can send a message to [email protected].

If you would like to provide feedback about CA product documentation, complete our short customer survey, which is also available on the CA Support website, found at http://ca.com/docs.

Contents

Chapter 1: CA Patch Manager

  Components
  Benefits
  What You Can Do With CA Patch Manager
  Single Point of Control

Chapter 2: Installing CA Patch Manager

  Installation Prerequisites
  Supported Operating Environments
  Supported Databases
  Supported Web Browsers
  Hardware Specifications and Requirements
  Planning Your Installation
  Enterprise and Domain Installations
  Internet Access Consideration
  Before you Begin the Installation
  Install CA Patch Manager as a Stand-alone
  Install CA Patch Manager on a Cluster
  Register CA Patch Manager with CA ITCM
  Initial Logon to CA Patch Manager
  Check the Status of DSM Service
  Upgrading CA Patch Manager from Earlier Versions
  Upgrade CA Patch Manager Using a Local Microsoft SQL Server MDB
  Upgrade CA Patch Manager Using a Remote MDB

Chapter 3: Configuring CA Patch Manager

  FIPS 140-2 Support
  Configure FIPS-Compliant Communication and Encryption
  User Settings
  Configure Default User Settings
  Proxy Settings
  Configure Proxy Settings
  Configure Patch File Download Settings
  User Management
  Add New Users
  Delete Existing Users
  Change Login Password for a User
  Vendor Credentials
  Add Vendor Credentials

Chapter 4: Working with CA Patch Manager

  Patch Content
  Roll-Ups
  Patch Manager Lifecycle
  Acceptance
  Packaging
  Distributing
  Testing and Approval
  Deployment
  Deferral
  Fast Track
  Workflow
  Versioning and Supersession
  Relationship to CA ITCM

Chapter 5: Accepting Patches

  Patch Acceptance
  View Patches Pending Acceptance
  Performing an Action on Multiple or All Patches
  Patch Search
  Search for a Patch by Name
  Search for a Patch Using a Saved Filter
  View Detailed Patch Information
  Accept Patches
  Packaging

Chapter 6: Deploying Patches for Testing

  Deploy a Patch for Testing

Chapter 7: Deploying Patches

  Deployment Method
  How the Deployment Process Works
  Patch Policies
  Create New Patch Policy
  Policy Deployment
  Add Patches to Existing Patch Policies

Chapter 8: Rapid Patch Deployment

  Types of Rapid Deployment
  Start Rapid Deployment

Chapter 9: Delta Roll-Ups

  Delta Roll-up
  Accept Full and Delta Security Roll-up Package
  Test Full and Delta Security Roll-up Package
  Logging and Detection of Full and Delta Roll-up Package
  Approve Full and Delta Security Roll-up Package
  Create Security Roll-up Policy
  Edit Roll-up Patch
  Uninstall a Patch
  Enable CA-Provided Delta Roll-up

Chapter 10: Monitoring Deployment

  Monitor Deployment Using the Deployment Progress Portlet
  Detailed Deployment Information
  View the Application Events Log
  Monitor the Patch Deployment Status
  Monitor the Policy Compliance
  Monitor Patches Using the Charts Portlet
  Reports
  Predefined Reports

Chapter 11: Customizing the User Interface

  Customize User Settings
  Customize Dashboard Summary Settings
  Portlet Settings
  Add a Link to a Portlet
  Edit a Link in a Portlet
  Customize the Height of a Portlet
  Customize Table Settings
  Filter Settings
  Create Software Filters
  Create Patch Filters
  Create Deployment Filters
  Create Policy Filters
  Create Group Filters
  Create Machine Filters
  Change Password for a User

Chapter 12: Advanced Configuration

  Patch Services
  Configure Patch Services to Improve Performance
  Integration with CA IT Client Manager
  Configure Parameters for Communicating with DSM Web Services
  Deployment Options
  Event Logging
  Configure Event Logging
  Data Pruning
  Configure Database Pruning Settings
  Database Settings
  Configure Settings to Connect to the Database

Chapter 13: Diagnostics and Troubleshooting

  Installation Fails With an Error Message MDB Patch Already Applied
  Online Updates are Failing
  System Status Shows DSM Service as Failed in CA Patch Manager after Failover

Appendix A: Integration

  CA IT Client Manager
  DSM Reporter
  Third Party Workflow and Common Component Service Events
  Enable CA Patch Manager Workflow Interface
  Approve or Reject a Patch Workflow Process from the Command Line
  Automate Workflow Approval or Rejection
  Integration with CA Service Desk
  Configure Parameters to Communicate with CA Service Desk

Index

Chapter 1: CA Patch Manager

CA Patch Manager manages software patches in heterogeneous environments and provides the necessary process framework to address the patch management challenges faced by your organization. It uses the capabilities of CA Software Delivery, CA Asset Management, or CA IT Client Manager installation to automate the identification, gathering, packaging, deployment, and continuous validation of patches, and related software configuration changes throughout your enterprise.

This section contains the following topics:
Components (see page 9)
Benefits (see page 9)
What You Can Do With CA Patch Manager (see page 10)
Single Point of Control (see page 10)

Components

There are two primary components to CA Patch Manager:
■ CA Patch Manager itself, which resides on your system and provides a web-based, wizard-driven user interface to simplify patch management processes such as package creation, testing, enterprise deployment, and patch level assurance.
■ The CA Online Content Service (accessed through a connection to ContentUpdate (http://contentupdate.ca.com/cms)), which manages the collection of metadata for available or applicable patches. This service is provided as part of your CA Patch Manager subscription.

Benefits

CA Patch Manager provides the following benefits:
■ A single point of control from which you can manage your enterprise-wide patch management life cycle.
■ A dedicated online patch research service that monitors for available patches, gathers the available patch data, validates it, and identifies dependencies before publishing and pushing the patch information to the CA Patch Manager server.
■ A formal patch management test phase; packages can be deployed to test resources, enabling you to assess the impact of a patch before it is deployed enterprise-wide.
■ Newly deployed, found, or rebuilt systems are automatically brought up to patch level compliance.
■ Patch distribution is tracked in real time.
■ Preferred state compliance can be determined and patch level assurance enforced.
■ A flexible, complete web-based portal reporting system with automatic report scheduling.
■ Change management controls by integrating with CA Service Desk and CA IT Client Manager.

What You Can Do With CA Patch Manager

CA Patch Manager enables you to do the following:
■ Identify the software and patches installed on your system.
■ Establish patch level policies and ensure automatic compliance with the defined patch policies.
■ Perform impact and compliance analysis. For example, if patch ABC is required for product XYZ, you can quickly determine the following:
  – The systems that use XYZ
  – Whether patch ABC is applied on those systems
  – The departments where those systems are located
  – The users who may be affected if the patch is not installed
  These details can help you determine the appropriate plan for distributing the patch without disrupting day-to-day business.
■ Enforce the best practices for patch testing and distribution.

Single Point of Control

CA Patch Manager enables the patch management administrator to manage the patch lifecycle for the enterprise from a single point of control, the CA Patch Manager console.

Single point of control provides the enterprise CA Patch Manager functionality that implements the enterprise-wide control of multiple domains, while allowing domain servers to retain their regional administrative roles.


Administrators can refer to the target systems through target groups at the enterprise level rather than by domain specific names, enabling the administrator to select target systems not only in a domain, but also across all domains from the single point of administration console.

Note: In the CA Patch Manager enterprise server, the target systems are selected across all domains, whereas in the CA Patch Manager domain server, a CA Patch Manager policy affects all targeted systems in the domain.

More information:

Patch Services (see page 93)
Search for a Patch Using a Saved Filter (see page 41)
View Detailed Patch Information (see page 42)
Create Patch Filters (see page 87)
Monitor Patches Using the Charts Portlet (see page 75)

Chapter 2: Installing CA Patch Manager

This chapter describes the installation prerequisites and the steps to install and configure CA Patch Manager.

This section contains the following topics:
Installation Prerequisites (see page 13)
Supported Operating Environments (see page 13)
Supported Databases (see page 14)
Supported Web Browsers (see page 14)
Hardware Specifications and Requirements (see page 14)
Planning Your Installation (see page 15)
Before you Begin the Installation (see page 16)
Install CA Patch Manager as a Stand-alone (see page 17)
Install CA Patch Manager on a Cluster (see page 18)
Register CA Patch Manager with CA ITCM (see page 20)
Initial Logon to CA Patch Manager (see page 21)
Check the Status of DSM Service (see page 22)
Upgrading CA Patch Manager from Earlier Versions (see page 22)

Installation Prerequisites

Note the following prerequisites when installing CA Patch Manager:
■ You must have installed the Web Console of CA ITCM.
  Note: You can install Web Console only through the custom installation of CA ITCM.
■ The or JavaScript option in the web browser of the computer that accesses CA Patch Manager interface must be enabled.
  ■ On Internet Explorer, this setting is available under Tools, Internet Options, Security.
  ■ On Mozilla Firefox, this setting is available under Tools, Options, Content.

Supported Operating Environments

CA Patch Manager supports the following operating systems:
■ Microsoft Windows Server 2003 R2 SP2 (Standard Edition, Enterprise Edition, Web Edition) 32- and 64-bit
■ Microsoft Windows Server 2008 SP2 (Enterprise, Standard, Datacenter) 32- and 64-bit

Supported Databases

CA Patch Manager supports the following databases for the Management Database (MDB):
■ Microsoft SQL Server 2005 SP3 and SP2
■ Microsoft SQL Server 2008 SP1 (Enterprise, Standard) 32- and 64-bit
  Note: Microsoft 32-bit SQL Server is not supported on x64 operating environments.
■ Oracle 10g Release 2 SP4
  Note: You should be aware of the following Oracle installation considerations:
  ■ Oracle 10g Release 2 SP4 database is supported as an MDB for CA Patch Manager, but the Oracle database must be installed as a remote MDB on a dedicated Sun Solaris operating environment.
  ■ On Solaris platforms, installing the MDB on Oracle requires Oracle 10g Release 2 SP4 with the latest Oracle patches p7008262_10204_Solaris-64, p5718815_10204_Solaris-64, and p7706710_10204_Solaris-64.
  ■ Oracle 10g Release 2 SP4 must be applied on any Oracle client installations.

Supported Web Browsers

CA Patch Manager supports the following web browsers:
■ Microsoft Internet Explorer (IE) Versions 6, 7, and 8
■ Firefox 3.0

Hardware Specifications and Requirements

We recommend the following hardware specifications and requirements for CA Patch Manager:

Hardware      Minimum
CPU           P4 (1.2 GHz minimum, 2 GHz preferred)
RAM           2 GB minimum
Hard Drive    Minimum of 2 GB free

Planning Your Installation

The installation of CA Patch Manager in your environment is dependent on your CA ITCM architecture and the restrictions on internet access in your environment. The following sections describe the installation considerations based on these two factors.

Enterprise and Domain Installations

If you have an enterprise CA ITCM installation that manages one or more domain managers, you have the following installation options for CA Patch Manager:
■ Install CA Patch Manager on the enterprise server and manage all the patches in your environment from a single point of control.
  Note: This is the recommended option.
■ Install CA Patch Manager on those domain managers that you want CA Patch Manager to manage.
■ Install CA Patch Manager on any computer that has the Web Console and Web Services installed.
  Note: You can install CA Patch Manager on any computer that does not have CA ITCM Manager installed. However, to enable CA Patch Manager to download software patches, you must register CA Patch Manager with CA ITCM (see page 20).

If you do not have an enterprise installation that manages the domain managers in your environment, you must install CA Patch Manager on each of the domain managers that you want CA Patch Manager to manage.

Note: A mixed environment of CA Patch Manager installed on an enterprise manager and on one or more domain managers is not supported.


Internet Access Consideration

CA Patch Manager accesses the CA Online Content Service using an internet connection to receive patch information and thereby maintain an up-to-date repository of available patches. Also, CA Patch Manager uses the internet connection to download the patches from the third-party websites. In a typical installation, CA Patch Manager connects directly to the CA Online Content Service and third-party websites, through the proxy server if necessary.

If your environment does not permit a direct connection from a CA Patch Manager server to the internet, the Content Import Client downloads the patch content data and patch files from a computer that has access to the internet. The downloaded data can then be moved to the application server using a physical media.

Before you Begin the Installation

Following are some of the installation considerations that you must check before installing CA Patch Manager:
■ CA Patch Manager does not support installation on a Solaris or Oracle cluster.
■ It is recommended that you run the CA Patch Manager installation directly on the computer where you are installing CA Patch Manager. If you use a Remote Desktop Connection to that computer, it is suggested that you connect through a Remote Desktop real console rather than a virtual console.
■ When connecting with a Remote Desktop virtual console, environment variables set by the installation are not available to CA Patch Manager during that session. This can cause CA Patch Manager components to not behave as expected if you try to run them in that same session. You need to log off and then reconnect with a new Remote Desktop virtual console session for those environment variables to be available. The suggested alternative is to use a Remote Desktop real console, in which case the environment variables are immediately available to that session.
■ To use Remote Desktop Connection in real console mode, you need to pass either the /console or /admin parameter to the Remote Desktop executable. For example, in the properties of the Remote Desktop Connection icon, you can modify the target from

    %SystemRoot%\system32\mstsc.exe

  to

    %SystemRoot%\system32\mstsc.exe /console

  Note: The parameter /console is supported for computers having RDC versions prior to 6.1.

Install CA Patch Manager as a Stand-alone

CA Patch Manager provides a web-based wizard-driven user interface to simplify the patch management process. You can use CA Patch Manager for package creation, patch testing, enterprise deployment, and patch level assurance.

Note: Installation of CA Patch Manager requires a reboot of the computer. Close any open applications before you begin the installation.

To install CA Patch Manager as a stand-alone installation

1. Insert the CA Patch Manager installation media into your drive. The Choose Setup Language option appears. Note: If the wizard does not appear, run Setup.exe from the root directory on the installation media.

2. Select the desired language, and click OK. The Welcome page appears.

3. Click Next on the Welcome page and accept the terms of the Licensing Agreement. The Configure Node page appears.

4. Click Next. The Select Features page appears.

5. Select the features you want to install, and click Next. The UPMAdmin and UPMUser Passwords page appears.

6. Enter the password for the UPMAdmin and UPMUser accounts, and click Next. The MDB Database Configuration page appears.

7. Select Database Server Type as Microsoft SQL Server or Oracle, complete all required information, and click Next. The CA ITCM Webservice Configuration page appears. Note: If you select Oracle as the database server, use sys as sysdba as the Administrator User.


8. Enter the user ID and password to connect to CA ITCM Web Services. This is the administrator ID used to install CA ITCM. Click Next. The Install Location page appears with the default installation folder.

Note: The CA ITCM Server Name field, by default, has the local computer name. If you are installing CA Patch Manager on a computer that does not have CA ITCM, change CA ITCM Server Name to the name of the computer on which you have installed CA ITCM Manager.

9. (Optional) Select a different installation folder. Click Next. The Start Copying Files page appears listing the selected options and configurations as a summary.

10. Click Next to start installation of the selected components. The selected components are installed and you are prompted to reboot the machine.

11. Click Reboot. The computer restarts and the installation is complete.

Note: If you are installing CA Patch Manager on a computer that does not have CA ITCM Manager installed, you must register CA Patch Manager with CA ITCM (see page 20) to enable CA Patch Manager to download software patches.

Install CA Patch Manager on a Cluster

CA Patch Manager has no functionality in place to detect system failures and to automatically switch from the active to the passive node in a system failure.

Cluster is supported only on Windows operating environments and Microsoft SQL Server databases. CA Patch Manager can be installed in two modes: either as an Active Patch Manager or as a Passive Patch Manager. The terms "Active" and "Passive" refer to whether the CA Patch Manager is active or passive; they do not refer to the cluster node (which may itself be active or passive).


When installing CA Patch Manager on a cluster, one instance of CA Patch Manager is installed as the Active Patch Manager and each of the other instances is installed as a Passive Patch Manager.

Note: Installation of CA Patch Manager requires a reboot of the computer. Close any open applications before you begin the installation.

To install CA Patch Manager on a cluster

1. Insert the CA Patch Manager installation media into your drive. The Choose Setup Language option appears. Note: If the wizard does not appear, run Setup.exe from the root directory on the installation media.

2. Select the desired language, and click OK. The Welcome page appears.

3. Click Next on the Welcome page and accept the terms of the Licensing Agreement. The Configure Node page appears.

4. Select Enable Recovery Support, select the Node Configuration as Active or Passive, and provide a path to install the configuration data. Click Next. The Select Features page appears.

5. Select the features you want to install, and click Next. The UPMAdmin and UPMUser Passwords page appears.

6. Enter the password for the UPMAdmin and UPMUser accounts, and click Next. The MDB Database Configuration page appears.

7. Select Database Server Type as Microsoft SQL Server, complete all required information, and click Next. The CA ITCM Webservice Configuration page appears. Note: CA Patch Manager does not support installation on an Oracle cluster.


8. Enter the user ID and password to connect to CA ITCM Web Services. This is the administrator ID used to install CA ITCM. Click Next. The Install Location page appears with the default installation folder.

9. (Optional) Select a different installation folder, and click Next. The Start Copying Files page appears listing the selected options and configurations as a summary.

10. Click Next to start installation of the selected components. The selected components are installed and you are prompted to reboot the machine.

11. Click Reboot. The computer restarts and the installation is complete.

More information:

Install CA Patch Manager as a Stand-alone (see page 17)

Register CA Patch Manager with CA ITCM

CA Patch Manager can be installed independently on any computer that has the Web Console and Web Services installed. CA ITCM is no longer an installation prerequisite.

However, to enable CA Patch Manager to download software patches, you must register CA Patch Manager with CA ITCM by executing util.bat on the computer that has CA ITCM.

To Register CA Patch Manager with CA ITCM

1. Open a Command Prompt window and change directory to \Program Files\CA\SC\CIC\bin

2. Run the following command:

    util.bat -r UPM 682DCD15-5C94-4321-842D-E3944D3CA000 PMUPM-00000-00000-00001 upmuser_group

CA Patch Manager registers with CA ITCM.


Initial Logon to CA Patch Manager

Use the following default user ID and password to log on to CA Patch Manager for the first time:
■ User ID - Administrator (case sensitive).
■ Password - upm (case sensitive).

Once you log in to CA Patch Manager, the CA Patch Manager Home page appears. The CA Patch Manager Home page presents a quick view of patches by status, the latest patch information from CA in the form of an RSS feed, patch process key performance indicators, and CA Patch Manager system status.

The CA Patch Manager Home Page displays the complete patch management information:


Check the Status of DSM Service

The status of the DSM Service connections must be active to use CA Patch Manager.

To check the status of DSM Service

1. Click the Dashboard tab. The CA Patch Manager Home page appears.

2. Check the status of the DSM service in the System Status portlet. The status of the service must be Success; otherwise, you need to perform the following configuration tasks:

   – Configure Proxy Settings
   – Configure Parameters for Communicating with DSM Web Services

   Note: The patch content import cycle runs every 30 minutes by default. The DSM Service status does not show Success until CA Patch Manager has accessed CA ITCM for the first time; until then, the DSM Service status is idle. Communication to CA ITCM begins once you start accepting the patches.

Upgrading CA Patch Manager from Earlier Versions

You may upgrade CA Patch Manager from CA Patch Manager r11.2, r12, or r12 SP1 to Release 12.5.

Note: Upgrade from versions prior to 11.2 of CA Patch Manager is not supported.


Upgrade CA Patch Manager Using a Local Microsoft SQL Server MDB

If you have earlier versions of CA ITCM and CA Patch Manager running on the same computer as your SQL Server MDB, you need to perform the following steps on CA ITCM before you can upgrade CA Patch Manager.

To upgrade CA Patch Manager on a local MDB

1. Upgrade to CA ITCM Release 12.5.

2. From the DSM Explorer:

   a. Navigate to Domain Manager, Control Panel, Engines, All Engines, SystemEngine.

   b. From the Tasks section, select Link Existing Task. The Select Engine Tasks window appears.

   c. Select Default Software Contents Download Job and click OK. The job is now linked to the CA ITCM system engine.

   Note: CA ITCM Release 12.5 is compatible only with CA Patch Manager Release 12.5. When you upgrade to CA ITCM Release 12.5, you must also upgrade r11.2, r12, or r12 SP1 version of CA Patch Manager to CA Patch Manager Release 12.5.

3. Run the CA Patch Manager Release 12.5 installer on the computer. The installer detects the earlier version of CA Patch Manager and offers to upgrade it for you.

4. Follow the installation wizard to perform the upgrade.

Note: We recommend a reboot of the computer after the upgrade.


Upgrade CA Patch Manager Using a Remote MDB

If you have earlier versions of CA ITCM and CA Patch Manager using a Microsoft SQL Server MDB that resides on a remote computer, you need to perform the following steps on CA ITCM before you can upgrade CA Patch Manager.

To upgrade CA Patch Manager on a remote MDB

1. Upgrade the remote Microsoft SQL Server MDB using the CA ITCM Release 12.5 installation procedure for a remote MDB.

2. On the local computer, upgrade to CA ITCM Release 12.5.

3. From the DSM Explorer:

   a. Navigate to Domain Manager, Control Panel, Engines, All Engines, SystemEngine.

   b. From the Tasks section, select Link Existing Task. The Select Engine Tasks window appears.

   c. Select Default Software Contents Download Job and click OK. The job is now linked to the CA ITCM system engine.

   Note: CA ITCM Release 12.5 is compatible only with CA Patch Manager Release 12.5. When you upgrade to CA ITCM Release 12.5, you must also upgrade r11.2, r12, or r12 SP1 version of CA Patch Manager to CA Patch Manager Release 12.5.

4. Run the CA Patch Manager Release 12.5 installer on the computer. The installer detects the earlier version of CA Patch Manager and offers to upgrade it for you.

5. Follow the installation wizard to perform the upgrade.

Note: We recommend a reboot of the computer after the upgrade.


Chapter 3: Configuring CA Patch Manager

After the successful installation of CA Patch Manager, the administrator can configure additional options based on your internet or CA ITCM environment, or to suit the business needs of the organization. These configurations apply to all users accessing CA Patch Manager.

This section contains the following topics:
FIPS 140-2 Support (see page 25)
User Settings (see page 27)
Proxy Settings (see page 27)
Configure Patch File Download Settings (see page 28)
User Management (see page 29)
Vendor Credentials (see page 31)

FIPS 140-2 Support

The Federal Information Processing Standard (FIPS) Publication 140-2 (FIPS PUB 140-2) is a U.S. government computer security standard used to accredit cryptographic modules. The standard is issued and maintained by the National Institute of Standards and Technology (NIST).

Computer products that use FIPS 140-2 accredited cryptographic modules in their FIPS-accredited mode can only use FIPS approved security functions such as AES (Advanced Encryption Standard), SHA-1 (Secure Hash Algorithm), and higher level protocols such as TLS v1.0 as explicitly allowed in the FIPS 140-2 standard and implementation guides.

Cryptography in CA ITCM deals with the following aspects:

■ Storage and verification of passwords

■ Communication of all sensitive data between components of CA products, and between CA products and third-party products

FIPS 140-2 specifies the requirements for using cryptographic algorithms within a security system protecting sensitive but unclassified data.

CA ITCM supports FIPS-compliant techniques for cryptography. CA ITCM incorporates the RSA BSafe and Crypto-C ME v2.1 cryptographic libraries, which have been validated as meeting the FIPS 140-2 Security Requirements for Cryptographic Modules.

Configure FIPS-Compliant Communication and Encryption

CA Patch Manager uses CA ITCM Web Console and web services for interacting with the CA ITCM components. To enable FIPS-compliant communication and encryption for CA Patch Manager, you must configure these communication channels to use Secure Socket Layer (SSL) or Transport Layer Security (TLS).

To configure FIPS-compliant communication and encryption

1. Configure SSL between the following components:

a. Client browser and CA ITCM Web Console

b. CA ITCM Web Console and CA ITCM web services

Note: For more information about configuring SSL, see the green paper titled Securing the Web Admin Console Communication Using SSL.

2. Configure the web server to use FIPS-compliant cryptography. Do one of the following depending on the web server that you use:

■ (IIS) Modify the local security policy of the system that is hosting the web server. For more information, see the operating system documentation.

■ (Apache) Enable SSL or TLS support on your web server. For more information, see the Apache documentation.

3. Open the Installpath\UPM\config\Config.properties file.

4. Add the following configuration attributes:

SSL_Enabled=True
TrustStoreFileFullPath=truststorepath
TrustStorePassword=password

5. Save the file. CA Patch Manager is configured to use FIPS-compliant communication and encryption.

6. Restart Tomcat using the following commands:

caf stop tomcat
caf start tomcat

Tomcat is restarted.

7. Log in to the CA Patch Manager console with the https protocol as follows:

https://hostname/upm

8. Click the Administration tab and modify the following attribute in the DSM section:

WEBSERVICE_URL=https://hostname:443/UDSM_R11_WebService/mod_gsoap.dll

Note: You must modify the port number from 80 to 443 as given in the above URL.
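A check an administrator can run after completing the steps above, added here as an example (it is not CA's code): it confirms that the three Config.properties attributes are set, that the guide's placeholders were replaced, and that WEBSERVICE_URL and the console URL use https on port 443. The function names, host name, and sample file contents are constructed for illustration, and the strict comparison against True is an assumption because the guide does not say how the product treats case.

```python
from urllib.parse import urlsplit

# Attributes that step 4 of the procedure adds to Config.properties.
REQUIRED_KEYS = ("SSL_Enabled", "TrustStoreFileFullPath", "TrustStorePassword")
# Values copied verbatim from the guide mean the setting was never filled in.
PLACEHOLDERS = {"truststorepath", "password"}

# Constructed sample inputs (not taken from a real installation).
GOOD_PROPERTIES = """\
# constructed example
SSL_Enabled=True
TrustStoreFileFullPath=C:/certs/upm-truststore.jks
TrustStorePassword=constructed-secret
"""
BAD_PROPERTIES = """\
# constructed example: SSL off, placeholder path, no password
SSL_Enabled=False
TrustStoreFileFullPath=truststorepath
"""


def parse_properties(text):
    """Parse simple key=value lines; lines starting with # or ! are comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def check_https_url(name, url):
    """Return findings for a URL that must use https on port 443."""
    findings = []
    parts = urlsplit(url)
    if parts.scheme.lower() != "https":
        findings.append(f"{name}: scheme is '{parts.scheme or 'none'}', expected https")
    try:
        port = parts.port          # None when the URL carries no explicit port
    except ValueError:
        port = -1                  # non-numeric or out-of-range port
    if port is not None and port != 443:
        shown = port if port >= 0 else "invalid"
        findings.append(f"{name}: port is {shown}, the procedure uses 443")
    return findings


def audit_fips_settings(properties_text, webservice_url, console_url):
    """Return a list of findings; an empty list means every check passed."""
    props = parse_properties(properties_text)
    findings = []
    for key in REQUIRED_KEYS:
        value = props.get(key, "")
        if not value:
            findings.append(f"{key}: missing or empty")
        elif value.lower() in PLACEHOLDERS:
            findings.append(f"{key}: still the guide's placeholder '{value}'")
    # Assumption: compare strictly against the spelling the guide uses.
    ssl = props.get("SSL_Enabled", "")
    if ssl and ssl != "True":
        findings.append(f"SSL_Enabled: value is '{ssl}', the procedure sets True")
    findings += check_https_url("WEBSERVICE_URL", webservice_url)
    findings += check_https_url("console URL", console_url)
    return findings


if __name__ == "__main__":
    # The port was left at 80 and the console is still opened over http.
    for finding in audit_fips_settings(
        BAD_PROPERTIES,
        "https://patchsrv.example:80/UDSM_R11_WebService/mod_gsoap.dll",
        "http://patchsrv.example/upm",
    ):
        print(finding)
```

Because Config.properties holds the truststore password in clear text, the same review should confirm that only the service account and administrators can read the file.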

User Settings

User Settings define the preferred language, date and time format, and the time zone for a user. The administrator can specify a default user setting that will be applicable to all the users and the users can further customize it to suit their requirements.

More information:

Customize User Settings (see page 81)

Configure Default User Settings

As an administrator, you can configure the default user settings that are applicable to all the new users of CA Patch Manager.

To configure default user settings

1. Select the Administration tab and click Configuration, User Defaults. The User Defaults page appears.

2. Select the preferred locale, date style, time style, and the default time zone.

3. Select Use DST to apply Daylight Saving Time to the default time zone.

4. Enter the connection timeout in minutes or select Stay Connected. If you specify the connection timeout, the user is logged out after the specified number of minutes. If you select Stay Connected instead, the user is not automatically logged off.

5. Click Save. The user defaults are saved and used whenever a new user is created.

Proxy Settings

Proxy settings define the parameters to connect to the internet. CA Patch Manager uses these settings to connect to the internet to import the content data from the CA Online Content Service and to download the patches from the vendor sites.

Configure Proxy Settings

As CA Patch Manager connects to the internet to import content and download the patches, you must first configure the HTTP, FTP, and SOCKS proxy settings before import and download processes start.

To configure proxy settings to access internet

1. Select the Administration tab and click Configuration, System Settings, Proxies. The Proxy Configuration page appears.

2. Enter the name of the HTTP proxy server, port number, proxy user name, and password.

3. Click Use Above Proxy Settings for HTTP and FTP if you are using the same proxy details for both HTTP and FTP imports and downloads. The proxy details given in the first four fields are replicated for HTTP and FTP fields.

4. Enter the names of the computers for which you want to bypass the proxy in the No Proxy For field. By default, the CA Patch Manager server name is included in this list though not displayed in the No Proxy For field. The computer names must be separated by a semicolon or a comma.

Note: If you want to have an internal web site or RSS feed on your Dashboard Summary page without going through a proxy, enter those names also here.

5. Enter the SOCKS proxy details that will be used for all downloads and click Save. The internet access is configured with the proxy details.

Configure Patch File Download Settings

You can configure the patch file download settings to control the process of downloading patch files from the external sources.

To configure the Patch File Downloads settings

1. Select the Administration tab and click Configuration, System Settings, Downloads. The Patch File Downloads page appears in the right pane.

2. Complete the following fields:

Concurrent Downloads
Defines how many patches can be downloaded concurrently.

Download Interval
Specifies how often a patch is downloaded. For example, if the Download Interval is 5, CA Patch Manager checks every five minutes to determine whether a new patch needs to be downloaded.

Retries
Defines the number of retries if the connection to the external source is not available immediately.

Retry Interval
Defines the time interval in minutes between two successive retries.

Storage Location
Defines the location where the downloaded patches should be saved.

3. Click Save. The settings are saved.

More information:

Advanced Configuration (see page 93)

User Management

User management includes adding new users, deleting existing users, and changing the login password for users. CA Patch Manager has two categories of users:

Regular User
Includes the users who do not have the administrator privileges. Regular users have access to all the tabs in the CA Patch Manager interface except for the Administration tab.

Administrator
Includes the users who have the administrator privileges. Administrators have access to the Administration tab and can configure various options that affect all the users and the CA Patch Manager behavior as a whole.

Add New Users

All the users who need access to CA Patch Manager must have a valid user name and password to log in. The administrator has the privileges to add both regular and administrator users.

To add a new user

1. Select the Administration tab and click User Management. The Users page appears listing the existing user details.

2. Click Add. The User screen appears.

3. Enter the user name and password.

4. Select the Administrator check box only if you want to assign Administrator status to the user you create. If selected, the user is added as an administrator; otherwise, the user is added as a regular user.

5. Click OK. The new user is added.

Delete Existing Users

The administrator can delete the users who no longer use CA Patch Manager or who are restricted from using CA Patch Manager.

To delete existing users

1. Select the Administration tab and click User Management. The Users page appears listing the existing users.

2. Select Delete from the Actions drop-down menu corresponding to the user you want to delete and click Go. The user is deleted.

Note: There must be at least one administrator, so you cannot delete the last user with the Administrator rights.

Change Login Password for a User

If a user forgets the password, the administrator can change the user's login password. The users can also change their own passwords after logging into CA Patch Manager.

To change the login password for a user

1. Select the Administration tab and click User Management. The Users page appears listing the existing users.

2. Select View from the Actions drop-down menu corresponding to the user whose login password you want to change, and click Go. The User Details page appears.

3. Enter the new password, confirm the password, and click OK. The login password for the user is changed.

Vendor Credentials

CA Patch Manager uses the vendor credentials to access vendor sites that require credentials for downloading the patch files. Vendor credentials include the URL, user name, and password for accessing the vendor web site.

Add Vendor Credentials

To enable the patch files download from the vendor sites, you must add the vendor credentials.

To add a vendor credential

1. Select the Administration tab and click Vendor Credentials. The Vendor Credentials page appears listing the vendors CA Patch Manager can access using valid credentials.

2. Click Add. The Vendor Credential Detail page appears.

3. Click the button next to the Vendor field. The Vendor List page appears listing the existing vendors.

4. Select a vendor name from the list of vendors provided and click OK. The selected vendor name is added in the Vendor Credentials page.

5. Provide the remaining vendor details and click OK. The credentials are added to the selected vendor.

Chapter 4: Working with CA Patch Manager

This chapter contains the concepts that you need to understand to work with patch management.

This section contains the following topics:

Patch Content
Roll-Ups
Patch Manager Lifecycle
Versioning and Supersession
Relationship to CA ITCM

Patch Content

CA Patch Manager is a repository for information about patches rather than a repository for patches. It stores information that identifies the affected software, release, impacted files, and how a patch relates to other patches and applications in your system. For example, Patch C requires Patches A and B, and the presence of Internet Explorer v 6.0. This information about patches is also called patch content.

The CA Patch Manager content team creates the patch content and publishes it through the CA Online Content Service. Patch content is created when CA or a third party releases a patch or service pack to an application supported by CA Patch Manager according to a published set of goals.

Roll-Ups

Roll-up patches contain the patches released by Microsoft per their Patch Tuesday policy that includes only the security patches. The CA Patch Manager content team takes these patches and rolls them into a single patch bundle that requires one reboot per roll-up, with the ability to ensure that installed patches are not reinstalled.

The roll-up patches created and published by the CA Content Research Team include various patches such as Microsoft Office 2000 patches, Microsoft Office 2003 patches, Microsoft Office 2007 patches, Microsoft Office XP patches, Windows Vista patches, Microsoft Windows 2000 patches, Microsoft Windows 2003 patches, Microsoft Windows 2008 patches, and so on.

CA Patch Manager provides the following types of roll-ups:

Full Roll-up
Includes a cumulative package designed to install all current Microsoft security patches with a single reboot. Once the package is deployed, the computer is updated with the current patches, through an unattended deployment.

Localized Roll-up
The localized roll-up includes the following patches:

– Localized and English office patches

– Patches for stand-alone products like Publisher, Project, Visio, Word Viewer, Excel Viewer, PowerPoint Viewer, and Visual Studio

– Security patches affecting OS components, such as DirectX*, Media Player, .Net Framework, and Internet Explorer (these are included in the rollup packages)

Note: Only the DirectX that is distributed by Microsoft is included in the rollup.

Delta Roll-up
Includes the revised list of published patches for a single month so that you do not have to always deploy the full roll-up. If you have deployed the full roll-up once, you can deploy the delta roll-up from that point.

More information:

Delta Roll-up (see page 60)
Accept Full and Delta Security Roll-up Package (see page 61)

Patch Manager Lifecycle

CA Patch Manager implements a number of processes that represent CA's best practices for patch management. This typical process has a series of uniform sequential steps:

1. Review the list of potential patches that CA Online Content Service group provides.

2. Accept patches to download.

3. Deploy accepted patches to selected targets for testing.

4. Approve patches that have been successfully tested.

5. Deploy approved patches to additional targets or add to patch policies for automatic deployment to the enterprise or target groups.

The following graphic illustrates the various steps involved in the patch management process:

Acceptance

The CA Online Content Service contains definitions of thousands of patches, many more than will be relevant to your environment. CA Patch Manager automatically correlates the software inventory with the available patches and presents you only those patches that are applicable to your environment for acceptance. For each patch you can view its definition in the CA Online Content Service, which includes information on its severity, impact, size, and other features. You initiate the patch management lifecycle for each patch by accepting the patch.

Packaging

Once the patch has been accepted, CA Patch Manager initiates the standard patch management workflow, allowing the patch to be tested or deployed in your environment. The workflow involves automatically downloading the patch file from the vendor site and packaging it for deployment. While this is happening the patch will be in the Packaging state and no actions can be performed on it.

Distributing

The distributing state is an additional transitional state in the patch lifecycle and is available only when your CA Patch Manager server is running in the enterprise mode. This state indicates that a patch is registered on the enterprise server and is in the process of distribution to each of the domains in the enterprise. The distributing state follows the packaging state and precedes the testing state. You cannot perform any action in the distributing state until that patch reaches the testing state.

Testing and Approval

Once packaging is complete, the patch is moved to the testing state. The testing state lets you deploy the patch to one or more computers for testing. After the testing is successful, you can approve the patch for deployment.

Deployment

Once the patch is approved, you can either deploy the patch manually to individual computers or groups or set up for automatic deployment using patch policies. CA Patch Manager provides wizards for doing manual and automated deployments.

Deferral

At any stage in the patch lifecycle, you can defer the patch to set it to the Deferred state.

Fast Track

Fast Track is an option for bypassing the patch lifecycle for critical patches. Using Fast Track, a patch that is in the Deferred state or is pending user acceptance can be deployed immediately or added to a policy without going through the testing and approval process.

Note: Only the CA Patch Manager administrators can fast track the patches.

Workflow

Each step in the patch lifecycle process can be customized through integration with CA IT Client Manager (using CA Common Services Event Console) or CA Service Desk. When the user changes the state of a patch (for example, from Testing to Approved), CA Patch Manager can send an event or open a change order or do both and wait until that change order is closed or event is acknowledged before taking further action. The change order or event processing can also cause CA Patch Manager to decline the operation selected by the user.
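The lifecycle rules described above as a small state model, added here as an example and not taken from CA Patch Manager: it covers the domain and enterprise paths, the administrator-only Fast Track, and a workflow hook that can decline a user action. The action and event names are hypothetical, and where the guide says both that a patch can be deferred at any stage and that no action is possible while Packaging or Distributing, the model assumes the second statement wins.

```python
from enum import Enum


class State(Enum):
    PENDING_ACCEPTANCE = "Pending User Acceptance"
    PACKAGING = "Packaging"
    PACKAGING_FAILED = "Packaging Failed"
    DISTRIBUTING = "Distributing"      # enterprise mode only
    TESTING = "Testing"
    APPROVED = "Approved"
    DEFERRED = "Deferred"


class LifecycleError(Exception):
    """Raised when an action is not allowed in the current state."""


# Transitional states: the guide says no action can be performed in them.
TRANSITIONAL = {State.PACKAGING, State.DISTRIBUTING}
# Actions a user requests; everything else is an event raised by the server.
USER_ACTIONS = {"accept", "approve", "defer"}


def transition(state, action, enterprise=False, workflow_gate=None):
    """Return the state that follows `action`, or raise LifecycleError.

    `workflow_gate(state, action)` models the change order or event
    processing that can decline a user operation; it returns True to allow.
    """
    if action in USER_ACTIONS:
        if state in TRANSITIONAL:
            raise LifecycleError(f"no user action allowed while {state.value}")
        if workflow_gate is not None and not workflow_gate(state, action):
            raise LifecycleError(f"{action} declined by workflow")
        if action == "defer":
            return State.DEFERRED
        if action == "accept" and state is State.PENDING_ACCEPTANCE:
            return State.PACKAGING
        if action == "approve" and state is State.TESTING:
            return State.APPROVED
    elif action == "packaged" and state is State.PACKAGING:
        # Enterprise servers distribute to the domains before testing.
        return State.DISTRIBUTING if enterprise else State.TESTING
    elif action == "packaging_failed" and state is State.PACKAGING:
        return State.PACKAGING_FAILED
    elif action == "distributed" and state is State.DISTRIBUTING:
        return State.TESTING
    raise LifecycleError(f"{action} is not valid in state {state.value}")


def may_deploy(state, is_admin=False, fast_track=False):
    """Decide whether a deployment request is allowed.

    Normal path: Testing (to test targets) or Approved.
    Fast Track: administrators only, from Deferred or pending acceptance.
    """
    if fast_track:
        return is_admin and state in {State.DEFERRED, State.PENDING_ACCEPTANCE}
    return state in {State.TESTING, State.APPROVED}


def run(actions, enterprise=False):
    """Replay a sequence of actions starting from a newly listed patch."""
    state = State.PENDING_ACCEPTANCE
    for action in actions:
        state = transition(state, action, enterprise=enterprise)
    return state


if __name__ == "__main__":
    print(run(["accept", "packaged", "approve"]).value)
    print(run(["accept", "packaged"], enterprise=True).value)
    print(may_deploy(State.DEFERRED, is_admin=False, fast_track=True))
```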

Versioning and Supersession

CA Patch Manager monitors changes to the patch metadata in the CA Online Content Service and takes appropriate actions.

■ If a released patch supersedes a current patch, all the policies containing the older patch will be updated with the superseding patch.

■ If a new version of a patch is released by the vendor, CA Patch Manager will automatically deactivate any policies containing that patch.

Relationship to CA ITCM

CA Patch Manager uses CA Asset Management and CA Software Delivery (components of CA ITCM) to determine patch compliance and to deliver new patches throughout the enterprise infrastructure. CA Patch Manager does not have any agent or distributed manager of its own but uses the data and services provided by these existing solutions, and shares the MDB with them.

More information:

Integration with CA IT Client Manager (see page 94)
Configure Parameters for Communicating with DSM Web Services (see page 95)
CA IT Client Manager (see page 107)

Chapter 5: Accepting Patches

This chapter describes information about identifying, selecting, and accepting patches into your computer.

This section contains the following topics:

Patch Acceptance
View Patches Pending Acceptance
Performing an Action on Multiple or All Patches
Patch Search
View Detailed Patch Information
Accept Patches
Packaging

Patch Acceptance

You must accept a patch into your environment before you can manage it. You need to identify patches that are most suitable to your environment, and then select and accept them.

More information:

Acceptance (see page 36)

View Patches Pending Acceptance

Before you accept the patches, you may want to view the patches that are available for download and select the ones that you want to accept.

To view the patches pending acceptance

1. Select the Patches tab. The Patches page appears.

2. Select Saved Filter in the Filter By drop-down list, select All Patches - Pending User Acceptance in the Filter drop-down list, and then click Go. All the patches pending user acceptance are displayed.

3. (Optional) Click Show Details. Additional patch details appear.

4. (Optional) Click on the patch name. The Patch Details page appears listing all details of the patch.

Note: You can also view the ten most recent patches in the Patches Pending Acceptance portlet in the Dashboard Summary tab.

Performing an Action on Multiple or All Patches

You can perform a particular action on multiple or all patches in the list. For example, you can accept multiple patches. After the patches list is displayed in the Patches tab, you can select the check box before the patch names on which you want to perform an action. You can also select the Select check box in the Title bar to select all the patches.

Note: Some actions do not allow multiple selections. In such cases, CA Patch Manager displays an error message after which you can select a single patch to perform the action.

More information:

Accept Patches (see page 44)

Patch Search

You can search for patches based on the following:

■ Patch name

■ Saved filter

Searching for patches based on the patch name is quicker because it displays the specific patch you require. This type of search is useful when you fully or partially know the patch name.

Searching for patches based on predefined filters is more powerful because it displays all patches related to the saved filter and allows you to analyze and narrow down the list of patches. Also, if you do not know the patch name, you can search for similar patches based on the saved filters.

More Information:

Filter Settings (see page 85)

Search for a Patch by Name

If you know a patch name, you can search for that patch using the patch name search.

To search for a patch by name

1. Click the Patches tab. The Patches page appears.

2. Select Patch Name from the Filter By drop-down list. The Names field appears.

3. Enter the patch name in the Names field. Use a semicolon (;) to specify multiple patch names.

Note: You can use wildcard characters while specifying the patch name. However, use of wildcard characters depends on the database you are using. Consult the appropriate database documentation for the correct use of wildcards. You can use single or double quotes to delimit searches with wildcard characters. You must use quotes when you want to use the specified pattern as is. For example, CA (without quotes) lists all patches that contain the word CA anywhere in the patch name; whereas, "CA" or 'CA' (with quotes) lists only that patch where the name of the patch is just CA.

4. Click Go. A list of patches matching the specified pattern appears.

Note: Click Show Details to view the severity and impact of the patches.

More information:

View Detailed Patch Information (see page 42)

Search for a Patch Using a Saved Filter

You can search for patches using a predefined filter if you wish to display a list of items by specific categories to make your search and selection more efficient.

Note: The list of predefined filters varies depending on the type of installation, enterprise or domain. You may also create additional saved filters by using the My Profile link in CA Patch Manager.

To search for a patch using a saved filter

1. Click the Patches tab. The Patches page appears.

2. Select Saved Filter from the Filter By drop-down list. The Filter drop-down list appears.

3. Select the appropriate filter from the Filter drop-down list, and click Go. A list of patches matching the predefined filter appears.

Note: Click Show Details to view the severity and impact of the patches.

More information:

View Detailed Patch Information (see page 42)
Single Point of Control (see page 10)

View Detailed Patch Information

You can view the detailed patch information to identify the patch, prerequisites for installation, installation type, and more and determine whether you want to accept the patch into your environment.

To view detailed patch information

1. Click the Patches tab. The Patches page appears.

2. Search for a patch either by patch name or by Saved Filter. The patches list appears based on the search criteria.

3. Click the patch whose details you want to view. The Patch Details page appears with the following sections in the left pane.

Identification
Includes the properties that identify the patch, such as name, platform, vendor, language, creation date, impact, status, and severity.

User Description
Includes short notes about the patch.

Release Notes
Includes notes about what has been updated or added in the patch.

Patched Software
Lists the patched software.

Supersedes
Lists the patches that this patch supersedes.

Superseded By
Lists the patches that supersede this patch.

Files
Lists the files that are included in the patch along with the download status. Clicking a file name opens the Patch File Properties page and displays various properties of the selected file, such as the download URL, stored location, download user id and protocol, download method, and size. You can also view the command used for self-extracting the patch archives and the user id and password for self-extraction.

Qualification
Includes the properties that qualify the computers that can apply the patch.

Conditions for Targeting
Lists the conditions for applying the patch. Computers that do not meet these conditions are bypassed.

Prerequisites for Installation
Lists the prerequisites for installing the patch. If these prerequisites are not available in the target computers, CA Patch Manager automatically installs these prerequisites before continuing with the installation of the patch.

Incompatible Software
Lists the software that is not compatible with the patch.

Installation
Lists the different types of installation steps defined for the patch. Clicking the step link displays the Installation Step Details. The Step Details screen for each patch step varies depending on whether the step is a script or command line.

Signature
Displays the patch signature. A signature is the definition of the components of a patch, the locations of the associated files, and their checksums. Patch signature also includes the registry entries that will be created or updated when the patch is applied. By referring to the signature, we can quickly determine whether a patch is already installed upon a computer, or check to ensure that a patch has been successfully installed on a computer.

More information:

Search for a Patch by Name (see page 41)
Search for a Patch Using a Saved Filter (see page 41)
Single Point of Control (see page 10)

Accept Patches

The first step in patch management is to accept patches into your environment. You must accept a patch to download the patch content from the vendor, which is then tested and applied in the environment.

To accept patches

1. Click the Patches tab. The Patches page appears.

2. Search for the patches pending acceptance either by patch name or by saved filter. The patches that are pending acceptance are displayed.

3. Select the patches that you want to accept, select Accept from the Select and drop-down list, and click Go. The patches are accepted and moved to the Accepted Status and then to the Packaging Status.

Note: You can select multiple or all patches in the list by selecting the check box before the patch names or by selecting the Select check box in the list header respectively. You can then perform an action on all the selected patches.

More information:

Performing an Action on Multiple or All Patches (see page 40)

Packaging

Once the patches are accepted, they move to packaging. The packaging process packages the files included in the patch. If packaging is successful, the patch is added to the Patches Pending Testing portlet in the Dashboard Summary page; otherwise, the patch moves to the Packaging Failed status. You can use the Packaging Failed filter to view the failed patches. You can click a failed package to view why the packaging failed, for example, you can click the Files link to see if the file download was canceled.

Chapter 6: Deploying Patches for Testing

After you have accepted a patch for downloading, the next step in the patch lifecycle is to test the deployment of the patch to verify the impact its application may have in your specific environment. CA Patch Manager provides procedures for deploying an accepted patch to selected target computers, or computer groups for further testing. Once you have satisfactorily deployed a patch, and verified that it functions correctly within your test environment, you may change its status to Approved.

This section contains the following topics:

Deploy a Patch for Testing

Deploy a Patch for Testing

You can deploy the patches in a test environment to identify potential problems with applying the patch. You can deploy only those patches that you have accepted.

Note: The ten most recent patches ready for testing are listed in the Patches Pending Testing portlet in the Dashboard Summary page.

To deploy a patch for testing

1. Select the Patches tab. The Patches page appears.

2. Select Saved Filter in the Filter By drop-down list and select All Patches - Testing. The list of patches that are ready for testing appears.

3. Select the patch you want to deploy, select Deploy from the Select and drop-down list, and click Go. The Deploy Patch: Select Targets screen appears listing the available target computers and computer groups.

4. Select the target computers or groups from this list and continue with step 5, or you can create a new target group. To create a group, follow the steps a to d and then continue with step 5.

a. Click Add Group. The Create Target Group page appears.

b. Specify a name and description for the new group.

c. From the Available Targets section, select the target groups and computers that you want to add to your new group. Click the arrow to add the selected targets to your group. The selected target computers and computer groups are added to the new Target Group.

d. Click OK. The Target Group is created. The new target group is also added to CA Asset Management and, therefore, is available to both CA Patch Manager and CA Asset Management users for later tasks.

Note: You can create targets using the Targets tab also.

5. Select the targets for deployment, click the arrow to add the targets to the Selected Targets list box, and click Next. The Schedule Deployment page appears.

6. Specify whether you want to deploy the patch immediately or at a later date and time, and click Next.

The Deployment Options page appears with the default deployment options.

7. (Optional) Select the Override default DSM deployment parameters with these settings check box, change the Execution, Reboot, and Job Timeout parameters, and then click Next. The Confirm Deployment page appears.

Note: You can click the Load CAPM Defaults button to revert to the default deployment settings.

8. Review the collected information and click Finish to approve the deployment, Cancel to cancel it or Back to review and modify the deployment parameters. When the deployment is approved, the patch is deployed at the scheduled time.

Note: When the deployment starts, the status is displayed in the Deployment Progress portlet in the Dashboard Summary page or on the Dashboard Status, Deployment page.

More information:

Performing an Action on Multiple or All Patches (see page 40)
Deployment Method (see page 49)
Deployment Options (see page 96)

Chapter 7: Deploying Patches

This chapter describes deployment of patches in a live environment. You can deploy only those patches that have been tested and approved.

This section contains the following topics:

Deployment Method
How the Deployment Process Works
Patch Policies

Deployment Method

In your live environment, you can deploy patches using the following methods:

■ Manually–by selecting target computers or groups. The procedure for manual deployment is the same as the procedure for deploying for testing. This deployment can occur immediately, on demand, or at a scheduled date and time.

■ Automatically–through the use of policies. Policies enable you to link a software patch to a specific software package and a target group.

More information:

Deploy a Patch for Testing (see page 45)
Deployment Options (see page 96)
Configure Deployment Options to Provide Flexible Deployment (see page 97)

How the Deployment Process Works

When a patch is ready for deployment, it goes through various phases; each phase being reflected in the deployment status of the patch.

The patch goes through the following process in a domain deployment:

1. The patch stays in the Building status until the deployment is built and ready for deployment.

2. If deployment workflow is enabled, the patch goes into the Pending Workflow status until the deployment is approved or rejected.

a. If the user accepts the deployment, individual target monitoring starts and the counts are displayed.

b. If the user rejects it, the status is set to Rejected.

3. If deployment workflow is not enabled, individual target monitoring starts and the counts are displayed.

In an enterprise deployment, the patch goes through the following deployment process:

1. The patch stays in the Building status until the deployment is built and ready for deployment.

2. If deployment workflow is enabled, the patch goes into the Pending Workflow status until the deployment is approved or rejected.

a. If the user accepts the deployment, the patch status is set to Success.

b. If the user rejects it, the status is set to Rejected.

3. If deployment workflow is not enabled, the deployment distribution status is displayed and the patch status is set to Success.

Patch Policies

Patch policies are one of the fundamental building blocks of the CA Patch Manager solution. Patch policies include the list of patches for a specific software component to be applied or pushed to a group of computers. Target computers defined in a particular patch policy are continuously checked to determine if they have the indicated software patches installed. If not, the patches may be automatically deployed to those targets according to defined policies.

Patch policies ensure that the computers in your environment are compliant with the available and required patches. By adding a specific patch to a patch policy, you can ensure that the patch is automatically pushed out to all the target computers that have been defined within that policy.

CA Patch Manager ensures that all computers in a patch policy group automatically have all the patches identified in the patch policy. Patch policies establish standards that can be automatically complied with. For example, computers X, Y, and Z have software component ABC, and all require patches 1, 2, and 3. If the user of computer Y removes one of the patches, CA Patch Manager automatically redeploys the patch on computer Y.

Patch policies can be created only for tested and approved patches. So, you cannot create patch policies for testing the patches; you have to test them manually. When you deploy the tested and approved patches in your live environment, you can either deploy manually or create patch policies.

Once a patch has been approved, you can either create a new patch policy or add that patch to an existing patch policy.

Create New Patch Policy

You must create a patch policy for each software or release for which you want to establish policy compliance.

To create a new patch policy

1. Select the Policies tab and click Add. The Policy Detail page appears.

2. Enter a name for the patch policy and click the Select button next to the Software field. The Software List page appears.

3. Select Show All in the Filter By drop-down list and click Go. All the software with approved patches is listed.

4. Select the required software and click OK. The Policy Detail page appears.

5. Click the Patches link in the left pane. The Policy Detail page appears with the Patches section.

6. Click Add. The Patches page appears listing the approved patches for the selected software.

7. Select the patches for this patch policy and click one of the following buttons:

Add and Select More
Adds the selected patch to the policy and then remains on the Patches page where you can move to subsequent pages to add any other patch.
Note: Clicking Add and Select More adds the patches selected in the current page only. So, before moving to the next page, click Add and Select More; otherwise, your selections will be cleared.

OK
Adds the selected patch to the policy and exits the page, bringing you back to the Policy Detail page. The selected patches are added to the Patches section.

8. Click OK when you have finished selecting the patches. The Policy Detail page appears.

9. Click the Targets link in the left pane. The available target groups are listed.

Note: You can also click Add Group to create a new target group. The groups added to a policy are not stored as a new group and hence are only available for that patch policy.

10. Select the target groups you want to associate with the patch policy, click the right arrow button to add the groups to the list, and then click OK. The targets are added to the patch policy.

11. Click the Deployment Options link in the left pane. The Options page appears with the default deployment options.

12. (Optional) Select the Override default DSM deployment parameters with these settings check box and change the Execution, Reboot, and Job Timeout parameters. Note: You can click the Load CAPM Defaults button to revert to the default deployment settings.

13. Click OK. The policy is created.

More information:

Create Policy Filters (see page 89)
Monitor Deployment Using the Deployment Progress Portlet (see page 71)
Monitor the Patch Deployment Status (see page 73)
Monitor the Policy Compliance (see page 74)

Policy Deployment

A patch may fix more than one version of software. For example, the Patched Software list in Patch Details may show that a patch corrects several versions (for example, SoftwareX 4.0, SoftwareX 4.0 SP1, and SoftwareX 4.0 SP2) and is relevant for a number of machines displayed in the Machines requiring this patch list.

But when you create a policy, it is designated for a specific version of software, such as for SoftwareX 4.0 SP1, using this example. So even though you may see that a patch is applicable to multiple machines, the policy will only apply to and be deployed to those machines having the specific version of software for which the policy was designated.

For example, machine1 has SoftwareX 4.0, machine2 has SoftwareX 4.0 SP1, and machine3 has SoftwareX 4.0 SP2. All three machines will show in the Machines requiring this patch list. But if you create a policy for SoftwareX 4.0 SP1, it will only deploy to machine2. Thus, you must create additional policies for SoftwareX 4.0 and SoftwareX 4.0 SP2 to ensure that all machines that have any of those versions receive the policy deployment.
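
The version-scoping rule above can be checked against an inventory before you rely on a policy for compliance. The following Python example is added here and is not part of CA Patch Manager or its API; the Machine and Policy records and the policy_gaps function are hypothetical names, and the sample data is constructed from the SoftwareX example in this section.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Machine:
    name: str
    software: str          # installed release, for example "SoftwareX 4.0 SP1"
    installed: frozenset   # patches already present on the machine


@dataclass(frozen=True)
class Policy:
    name: str
    software: str          # a policy is designated for exactly one release
    patches: frozenset
    targets: frozenset     # machine names resolved from the policy's target groups


def machines_requiring(patch, patched_software, machines):
    """Mirror the 'Machines requiring this patch' list: the machine runs any
    release the patch corrects and does not have the patch yet."""
    return [m for m in machines
            if m.software in patched_software and patch not in m.installed]


def policy_gaps(patch, patched_software, machines, policies):
    """Return (machine, release, reason) for every machine that requires the
    patch but that no policy will deploy it to."""
    carrying = [p for p in policies if patch in p.patches]
    gaps = []
    for m in machines_requiring(patch, patched_software, machines):
        same_release = [p for p in carrying if p.software == m.software]
        if not same_release:
            gaps.append((m.name, m.software, "no policy for this release"))
        elif not any(m.name in p.targets for p in same_release):
            gaps.append((m.name, m.software, "not in a target group"))
    return gaps


# Constructed sample data based on the SoftwareX example in this section.
PATCH = "PATCH-1"  # placeholder patch name
PATCHED_SOFTWARE = {"SoftwareX 4.0", "SoftwareX 4.0 SP1", "SoftwareX 4.0 SP2"}
MACHINES = [
    Machine("machine1", "SoftwareX 4.0", frozenset()),
    Machine("machine2", "SoftwareX 4.0 SP1", frozenset()),
    Machine("machine3", "SoftwareX 4.0 SP2", frozenset()),
    Machine("machine4", "SoftwareX 4.0 SP1", frozenset()),         # outside the target group
    Machine("machine5", "SoftwareX 4.0 SP1", frozenset({PATCH})),  # already patched
]
POLICIES = [
    Policy("SoftwareX 4.0 SP1 policy", "SoftwareX 4.0 SP1", frozenset({PATCH}),
           frozenset({"machine1", "machine2", "machine3", "machine5"})),
]

if __name__ == "__main__":
    for name, release, reason in policy_gaps(PATCH, PATCHED_SOFTWARE, MACHINES, POLICIES):
        print(f"{name}: {release}: {reason}")
```

machine1 and machine3 sit in the policy's target group and still receive nothing, because the policy is designated for a different release than the one they run.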

Add Patches to Existing Patch Policies

If new patches are released for an existing patch policy, you can add these patches to the existing policies.

To add patches to existing patch policies

1. Select the Policies tab. The Policies page appears.

2. Identify the applicable policy, select View from the Actions drop-down list and click Go. The Policy Detail page appears.

3. Click the Patches link in the left pane and then click Add in the Patches section.

The Patches page appears listing the patches that are approved for the selected software.

4. Select the patches for this patch policy and click one of the following buttons:

Add and Select More
Adds the selected patch to the policy and then remains on the Patches page where you can move to subsequent pages to add any other patch.
Note: Clicking Add and Select More adds the patches selected in the current page only. So, before moving to the next page, click Add and Select More; otherwise, your selections will be cleared.

OK
Adds the selected patch to the policy and exits the page, bringing you back to the Policy Detail page. The selected patches are added to the Patches section.

5. Click OK when you have finished selecting the patches. The Policy Detail page appears listing all the patches in the patch policy. Note: You can also modify the target and deployment options of the policy by clicking the Targets and Deployment Options links in the left pane.

More information:

Monitor Deployment Using the Deployment Progress Portlet (see page 71)
Monitor the Patch Deployment Status (see page 73)
Monitor the Policy Compliance (see page 74)

Chapter 8: Rapid Patch Deployment

Rapid deployment lets administrators fast track the patch deployment process by overriding any defined workflow or end user deployment decisions or actions. Fast tracking a patch thus bypasses the standard patch lifecycle and workflows and does not require any user interaction.

Rapid deployment is helpful for accelerating the deployment of business critical patches, as it minimizes the time it takes for a patch to go from the Pending User Acceptance state to the Approved state and then get added to the policies.

Note: Only the administrators of CA Patch Manager can fast track a patch deployment.

This section contains the following topics:
Types of Rapid Deployment (see page 55)
Start Rapid Deployment (see page 56)

Types of Rapid Deployment

You can perform the following types of rapid deployment:

Fast Track - Approval
Accelerates the patch life cycle of the selected patch to the Approved state, bypassing the testing state and workflow approvals. The patch is left in the Approved state, ready for deployment and to be added to any policy. The following policies are updated by this process:

– Policies containing a patch that is superseded by the fast tracked patch are updated to have the fast tracked patch.

– Policies containing an older version of the fast tracked patch are updated to have the fast tracked patch.

Fast Track - New Policies
Performs the Fast Track - Approval process first, updates the existing policies that are affected by the fast tracked patch, and then creates new policies for each software release that is patched by the fast tracked patch. Each policy targets all the computers that are members of the CAPM Fast Track group. CA Patch Manager creates this group if it does not already exist, to control the targets affected by this type of deployment. The CAPM Fast Track group is the target for all requests to Fast Track - New Policies.

Fast Track - Update Policies
Performs the Fast Track - Approval process first and then updates all the existing policies for the software that are patched by the fast tracked patch. The fast tracked patch is added to the following policies:

– Existing policies for software releases that are patched by the fast tracked patch

Note: If a policy contains patches that are incompatible with the fast tracked patch, the policy is not modified.

Start Rapid Deployment

Rapid deployment lets you perform the following processes:
■ Fast Track - Approval
■ Fast Track - Update Policies
■ Fast Track - New Policies

To start rapid deployment

1. Select the Patches tab. The Patches page appears.

2. Search for the patches using the Filter By and Filter or Names fields. The filtered patches appear.

3. Select the patches that you want to fast track. You can select multiple patches with the Fast Track - Approval and Fast Track - New Policies options. For the Fast Track - Update Policies option, you must select a single patch only.

4. Select the required fast track process in the Select and field, and click Go. A confirmation message appears.
Note: Alternatively, you can click the patch you want to fast track, view its details in the Patch Details page, and then select the required fast tracking option from the Actions drop-down in the Patch Details page.

5. Click OK. If you have selected a single patch, a confirmation screen appears listing the policies that will require updates, if any.

6. Click OK. The rapid deployment process starts. The patch goes through the normal lifecycle without user intervention from the time the request is submitted until the approved state. So, it may take a while before the patch moves to the Approved state.

Depending on the success or failure of the operation, a confirmation or error message appears listing the patches that succeeded or failed. If rapid deployment is successful, the patch disappears from the Patches page or any other page from where rapid deployment was started.

Note: The policies affected by the rapid deployment process are updated automatically. If a policy contains a patch that supersedes the fast tracked patch, a confirmation message appears asking you to confirm whether you want to replace that patch with the fast tracked patch. New policies are created if you have selected the Fast Track - New Policies option.

More information:

Search for a Patch by Name (see page 41)
Search for a Patch Using a Saved Filter (see page 41)

Chapter 9: Delta Roll-Ups

The combination of a continuous feed of patch definitions and processes for implementing patch lifecycles provides the potential for powerful patch management strategies.

The CA Patch Manager content team creates the roll-up patches each time Microsoft releases patches on its monthly "Patch Tuesday". These patches are security patches only. The content team takes the associated patches and "rolls" them into one single patch bundle for our customers: one reboot per roll-up, with the ability to ensure that installed patches are not re-installed.

The roll-up patches created and published by the CA Content Research Team include various patches such as Microsoft Office 2000 patches, Microsoft Office 2003 patches, Microsoft Office 2007 patches, Microsoft Office XP patches, Windows Vista patches, Microsoft Windows 2000 patches, Microsoft Windows 2003 patches, Microsoft Windows 2008 patches, and so on.

Localized roll-up patches include the following:
■ Localized and English Office patches
■ Stand-alone products like Publisher, Project, Visio, Word Viewer, Excel Viewer, PowerPoint Viewer, and Visual Studio.
■ Security patches affecting OS components, such as DirectX, Media Player, .Net Framework, Internet Explorer, and Outlook Express are included in the roll-up packages.

Note: Only the DirectX that is distributed by Microsoft is included in the roll-up.

The Full roll-up package is a cumulative package designed to install all current Microsoft security patches with a single reboot. Once the package is deployed, the computer is brought up to date unattended.

This section contains the following topics:
Delta Roll-up (see page 60)
Accept Full and Delta Security Roll-up Package (see page 61)
Test Full and Delta Security Roll-up Package (see page 62)
Approve Full and Delta Security Roll-up Package (see page 64)
Create Security Roll-up Policy (see page 64)
Edit Roll-up Patch (see page 66)
Uninstall a Patch (see page 67)
Enable CA-Provided Delta Roll-up (see page 68)

Delta Roll-up

Over time, the size of an existing roll-up can grow large to include numerous patches. Running a large patch every month on every desktop in an enterprise environment may lead to the following problems:
■ Amount of time to execute.
■ Cost in terms of time.
■ Cost in terms of performance.
■ Cost in terms of bandwidth usage.

The CA Content Research Team introduced the Delta roll-up package in this release to address the foregoing issues. This package is designed to install only the security patches released by Microsoft on the second Tuesday of every month (Patch Tuesday). The Delta roll-up package includes a single month's published patches, which are required for the maintenance of a given software release. It comprises all the platform patches that were published in the last month. To update a computer with the latest patches, each Delta roll-up needs one of the following conditions as a prerequisite:
■ Previous month's Full roll-up
■ Previous month's Delta roll-up

These prerequisites ensure that the patches are delivered in the correct order, and allow a computer to utilize any single roll-up, followed by all the subsequent Delta roll-ups to date. This results in smaller distributions to end users who have already received relevant updates. Thus, the Delta roll-up package reduces the package size that is deployed to the managed computer. Using the Full and subsequent Delta roll-up packages in combination ensures that the managed computer is up to date with all the required patches.

The naming convention for a roll-up or Delta roll-up is as follows:

CA - - [FULL or DELTA] Security Hot-fix Rollup Package v[YYMM.VV]

where VV is the version; for example, .01; .02; .03; and so on.
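
The prerequisite rule and the v[YYMM.VV] suffix described above can be turned into a chain check that finds a missing month before a Delta is accepted or added to a policy. The following Python example is added here and is not CA code; parse_rollup, can_accept, and install_plan are hypothetical names, the sample package names are constructed, and PLACEHOLDER stands for the part of the name that the convention above leaves blank.

```python
import re
from dataclasses import dataclass

# Only the documented tail of the name is parsed:
# "[FULL or DELTA] Security Hot-fix Rollup Package v[YYMM.VV]"
NAME_RE = re.compile(
    r"\b(FULL|DELTA) Security Hot-fix Rollup Package v(\d{2})(\d{2})\.(\d{2})$"
)


@dataclass(frozen=True)
class Rollup:
    kind: str      # "FULL" or "DELTA"
    year: int      # YY
    month: int     # MM, 1..12
    version: int   # VV

    @property
    def period(self):
        """Month index, so v0912 and v1001 are consecutive (assumes one century)."""
        return self.year * 12 + self.month - 1

    @property
    def label(self):
        return f"{self.kind} v{self.year:02d}{self.month:02d}.{self.version:02d}"


def parse_rollup(name):
    match = NAME_RE.search(name.strip())
    if not match:
        raise ValueError(f"not a roll-up package name: {name!r}")
    kind = match.group(1)
    year, month, version = (int(g) for g in match.groups()[1:])
    if not 1 <= month <= 12:
        raise ValueError(f"invalid month in {name!r}")
    return Rollup(kind, year, month, version)


def can_accept(candidate, accepted):
    """A Delta needs the previous month's Full or Delta to be accepted already."""
    if candidate.kind == "FULL":
        return True
    return any(p.period == candidate.period - 1 for p in accepted)


def install_plan(packages):
    """Order for a new computer: newest Full, then each following month's Delta.

    Returns (plan, blocked). Blocked Deltas sit behind a missing month, so their
    prerequisite can never be met. Picking the newest Full as the baseline and
    the highest VV per month are assumptions of this example.
    """
    fulls = [p for p in packages if p.kind == "FULL"]
    if not fulls:
        return [], sorted(packages, key=lambda p: (p.period, p.version))
    baseline = max(fulls, key=lambda p: (p.period, p.version))
    deltas = {}
    for p in packages:
        if p.kind == "DELTA" and p.period > baseline.period:
            if p.period not in deltas or p.version > deltas[p.period].version:
                deltas[p.period] = p
    plan, nxt = [baseline], baseline.period + 1
    while nxt in deltas:
        plan.append(deltas.pop(nxt))
        nxt += 1
    return plan, [deltas[k] for k in sorted(deltas)]


# Constructed sample names; v1002 is deliberately missing.
SAMPLE_NAMES = [
    "CA - PLACEHOLDER - FULL Security Hot-fix Rollup Package v0910.01",
    "CA - PLACEHOLDER - DELTA Security Hot-fix Rollup Package v0911.01",
    "CA - PLACEHOLDER - DELTA Security Hot-fix Rollup Package v0912.01",
    "CA - PLACEHOLDER - DELTA Security Hot-fix Rollup Package v0912.02",
    "CA - PLACEHOLDER - DELTA Security Hot-fix Rollup Package v1001.01",
    "CA - PLACEHOLDER - DELTA Security Hot-fix Rollup Package v1003.01",
]

if __name__ == "__main__":
    plan, blocked = install_plan([parse_rollup(n) for n in SAMPLE_NAMES])
    print("install order:", [p.label for p in plan])
    print("blocked by a missing month:", [p.label for p in blocked])
```

Each entry in the plan is one roll-up installation, so the length of the plan is also the number of reboots a new computer goes through.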

You can accept, test, and approve the roll-up packages in your environment. You can also create a security roll-up policy using the Full and Delta roll-up packages. The following topics describe the steps to accept, test, and approve both the Full and Delta roll-up packages.

Accept Full and Delta Security Roll-up Package

You must accept the Full and Delta security roll-up patches into your environment before you test and apply these security patches in the environment.

Note: If you try to accept a Delta roll-up patch, and the previous month's Delta or Full roll-up patch is not already accepted, you will get an error.

To accept the Full and Delta security roll-up package

1. Click the Patches tab. The Patches page appears.

2. Select Saved Filter from the Filter By drop-down list, and then select a filter for the CA Content Team Patches - Windows Security Roll-up - Pending User Acceptance roll-up packages from the Filter drop-down list. Click Go. A list of all security roll-up packages is displayed.

3. Select and View the appropriate Full security roll-up package. This Full roll-up package will start the baseline.

4. Click Release Notes to review the release notes for each package.

5. Review the downloaded files in the Detailed Patch Information page.
Note: If for any reason the roll-up package fails to package, the Download Status displays the status as Cancel for the failed patch. It normally means that the downloaded file is no longer available or a network interruption has occurred.

6. Click Identification and select Accept from the Actions drop-down list. Click Go to continue.

7. Select the appropriate Delta security roll-up package from the list of packages and repeat the process of accepting packages. Note: If packaging fails, make sure that the proxy user ID or password is correct.

8. Once each file is downloaded and packaging completes, the packages will go into the Testing status. The completed packages appear in the Patch Pending Testing portlet on the Dashboard page. You can also filter for patches in the Testing state in the Patches tab to list all that are ready for testing.

Test Full and Delta Security Roll-up Package

Before deploying the security roll-up packages on all computers in your environment, you must test these roll-up packages in a production-like environment to confirm their validity.

To test the Full and Delta security roll-up package

1. Click Dashboard, Summary. The Dashboard Summary page appears.

2. In the Patches Pending Testing portlet, click the Full roll-up package that you have already accepted.

3. Click Test Patch in the Advanced Options window.

4. Select a target computer (or a target group) on which to run the test.

5. Click Next twice to continue through the Schedule Deployment and Deployment Options pages, and then click Finish to start the test deployment. The deployment will initiate minimized on the test computer. Maximize the task to see installation on the target test computer.

6. The installation of the Full roll-up package will request a reboot when completed.

The process is repeated for the Delta roll-up package.

1. Click Dashboard, Summary. The Dashboard Summary page appears.

2. In the Patches Pending Testing portlet, click the Delta roll-up package that you have already accepted.

3. Click Test Patch in the Advanced Options window.

4. Select the same test computer used in the deployment of the Full roll-up package test.

5. Click Next twice to continue through the Schedule Deployment and Deployment Options pages, and then click Finish to start the test deployment. The deployment will initiate minimized on the test computer. Maximize the task to see installation on the target test computer.

6. The installation of the Delta roll-up package will request a reboot when completed.

The logging and detection are the same for both Full and Delta roll-up packages.

Logging and Detection of Full and Delta Roll-up Package

You can use the Software Delivery Job Output available in CA IT Client Manager for detecting any error in the installation of the roll-up package. The Software Delivery Job Output contains a list of patches in the package, and indicates if each patch requires installation. It also contains the total patch count and the total required installation count for the package, and reports on the overall success of the installation roll-up package.

Note: View the log file created on the CA IT Client Manager server (C:\Windows\Temp\RUPYYMMVV.log). This log file logs the patch name and error code if any patch fails to install.

To access the Software Delivery Job Output using CA IT Client Manager, follow these steps:

1. Click Start, Programs, CA, CA IT Client Manager, DSM Explorer. DSM Explorer opens.

2. Click DSM Explorer, Hostname - Domain, Computers and Users, All Computers, computer name, Jobs, Software Jobs. The Software Jobs pane appears.

3. Select the appropriate node in the right pane and right-click to select the Properties option. The Job Properties dialog appears.

4. Select the Job output tab and review the information.

5. Click OK.

You can also detect patches on a computer using CA IT Client Manager. However, the roll-up package signature will only be detected if all the patches are installed successfully. To detect patches using CA IT Client Manager, follow these steps:

1. Click Start, Programs, CA, CA IT Client Manager, DSM Explorer. DSM Explorer opens.

2. Click DSM Explorer, Hostname - Domain, Computers and Users, All Computers, computer name, Software, Discovered. The Discovered Software pane appears listing all the patches on the selected computer.
Note: Make sure that you select only the Patches check box in the Filter on Type area.

Note: For more information on the Job Output and detection, see the DSM Explorer Help for CA IT Client Manager.

To view the status from CA Patch Manager, click Status from the Dashboard page, then select Patch Deployment from the Status menu. A deployment list appears detailing the status, date, and deployment ID.

Approve Full and Delta Security Roll-up Package

After successful testing of the Full and Delta security roll-up packages, move these roll-up packages to the Approved state.

To approve the Full and Delta security roll-up package

1. Click the Patches tab. The Patches page appears.

2. Select Saved Filter from the Filter By drop-down list, and then select the All Patches – Testing filter from the Filter drop-down list.

3. Click the Full roll-up package name link.

4. Select Approve from the Actions drop-down list, and click Go.

5. Repeat the process for the Delta roll-up package. All roll-up packages are now in the Approved status. These roll-up packages are now ready for production.

Create Security Roll-up Policy

To ensure that all the computers in your environment automatically contain the latest security patches, you must create a roll-up policy utilizing the Full and Delta roll-up packages.

To create a security roll-up policy

1. Click the Policies tab. The Policies page appears.

2. Click Add, and enter a descriptive policy roll-up name in the Name field. Click Select. The Software List page appears.

3. Click Go to view all software with approved packages.

4. Based on your policy for applying the security roll-up package, select the appropriate software from the filtered list, and click OK.

5. Click the Patches link in the Detailed Policy Information page. Then, click the Add button and link the approved Full and Delta roll-up package to the policy. Click OK.

6. Click the Target link in the Detailed Policy Information page and select the appropriate target groups.

7. (Optional) Click the Deployment Options link in the Detailed Policy Information page. The Options page appears with the default deployment options.

8. (Optional) Select the Override default DSM deployment parameters with these settings check box, and specify appropriate parameters in the Execution, Reboot, and Job Timeout options. Note: You can click the Load CAPM Defaults button to revert to the default CA Patch Manager deployment settings.

9. Click OK to finish generating the roll-up policy and start the building process. The roll-up package is automatically deployed to the computers in violation.
Note: The list of patches may not appear in the correct order, but CA Patch Manager deploys the Full roll-up package first and then the Delta roll-up package.

More Information

Deployment Options (see page 96)

Edit Roll-up Patch

A roll-up patch contains the patches released by Microsoft under its "Patch Tuesday" policy and includes only the security patches. The CA Patch Manager content team takes these patches and rolls them into a single patch bundle.

If one of the patches in the roll-up patch results in failure of an application on a computer in your test environment, you can edit the roll-up patch and exclude the patch.

Note: You can edit only full roll-up patches that are in either the Testing or Approved state.

To edit a roll-up patch

1. Click Start, Programs, CA, CA Patch Manager, Launch CA Patch Manager. The CA Patch Manager login window appears.

2. Log in as CA Patch Manager administrator, and select the Patches tab. The Patches page appears.

3. Select Saved Filter from the Filter By drop-down list, and select either the All Patches – Testing filter or All Patches – Approved option. The list of patches appears.

4. Select the patch you want to edit, and click Edit. The Custom Roll-up Page appears.

5. Enter any name in the Enter Unique Name Field, select the patch files to be included, and click Next. The Summary Roll-up Page appears.

6. Review your selection, and click Finish. A copy of the roll-up patch is created and made available for testing under Patch Pending Testing portlet on the Dashboard page.

Uninstall a Patch

CA Patch Manager allows you to uninstall a patch that is outside your patch policy. This option is limited to individual patches that are in either the Approved or Testing state, were deployed using the DSM manager, and have an uninstall patch associated with them.

Note: You cannot uninstall roll-up patches because not all patches in the roll-up patch have an uninstall script.

To uninstall a patch

1. Click Start, Programs, CA, CA Patch Manager, Launch CA Patch Manager. The CA Patch Manager login window appears.

2. Log in as CA Patch Manager administrator, and select the Patches tab. The Patches page appears.

3. Select Saved Filter from the Filter By drop-down list, and select either the All Patches – Testing filter or All Patches – Approved option. The list of patches appears.

4. Select the patch you want to uninstall. The Patch Details page appears listing all details of the patch.

5. Click Uninstall Patch under Advanced Options in the left pane. The Select Targets page appears listing the available target computers and computer groups.

6. Select the targets for deployment, click the arrow to add the target to Selected Targets list box, and click Next. The Schedule Deployment page appears.

7. Specify whether you want to deploy the patch immediately or at a later date and time, and click Next. The Deployment Options page appears with the default deployment options.

8. (Optional) Select the Override default DSM deployment parameters with these settings check box and change the Execution, Reboot, and Job Timeout parameters, and click Next. The Confirm Deployment page appears.
Note: You can click the Load CAPM Defaults button to revert to the default deployment settings.

9. Review the collected information and click Finish to approve the deployment. When the deployment is approved, the patch is deployed at the scheduled time.

Enable CA-Provided Delta Roll-up

You can use the CA provided Delta roll-up package in an existing roll-up policy. Use the following procedure to enable the new CA provided Delta roll-up package.

Note: Ensure that a new Delta roll-up package is validated in the test environment before it is used in production and incorporated into the roll-up policy. This validation helps to ensure compatibility with the computers in your environment.

To enable a new CA provided Delta roll-up

1. Select the Patches tab. The Patches page appears.

2. Select Saved Filter from the Filter By drop-down list, and then select the CA Content Team Patches - Windows Security Roll-up - Pending User Acceptance filter from the Filter drop-down list. Click Go. A list of patches appears.

3. Select Accept from the Select drop-down list, and select next month's Delta roll-up package. Click Go. All the patches included in the package are downloaded.

4. Click the link for the new Delta roll-up package within the Patches Pending Testing portlet on the Dashboard tab.

5. Review the Release Notes and validate the Delta roll-up package in the test environment.

6. Approve the Delta roll-up package after validating it successfully. An alert appears stating that the new package will be used in the roll-up policy.

7. Click Continue and then click Done to complete the task. The roll-up policy automatically checks for violators and deploys the package to all the computers in violation.

The Delta roll-up package containing a prerequisite requires a reboot. So, if the roll-up policy contains eight months of delta packages, a new computer will install these delta packages in order and will require a reboot after each installation. The following graphic illustrates this information:

We recommend that you maintain a long delta string policy for remote computers on slow networks. This ensures that the already managed computers do not receive the full roll-up package. However, if bandwidth is not an issue and you want to ensure that the managed computers contain all the security patches, break the long delta string and modify the policy by adding a new full roll-up package. This is easily accomplished by adding the new full roll-up to the existing policy. The new roll-up package supersedes the previous one and automatically updates the policy accordingly. The following graphic illustrates this information:

Note: For more information about the Delta roll-up, see the Best Practices for Managing Security Updates Guide available on the SupportConnect (http://supportconnect.ca.com).

Chapter 10: Monitoring Deployment

This chapter describes the various options to monitor the deployments you have made. You can obtain a quick status summary of the most recent deployments or view the detailed information on all deployments based on your requirements.

This section contains the following topics:
Monitor Deployment Using the Deployment Progress Portlet (see page 71)
Detailed Deployment Information (see page 72)
Monitor Patches Using the Charts Portlet (see page 75)
Reports (see page 76)

Monitor Deployment Using the Deployment Progress Portlet

You can use the Deployment Progress portlet for a quick review of the status of your deployments. This portlet lists all the patches that you have deployed recently and displays their deployment status.

To monitor deployment using the Deployment Progress portlet

1. Select the Dashboard tab and click Summary. The Summary page appears.

2. Review the deployment status for all patches that you have deployed recently in the Deployment Progress portlet.
■ Done - Indicates the number of computers for which patch deployment is completed.
■ Failed - Indicates the number of computers for which patch deployment failed.
■ Pending - Indicates the number of computers for which patch deployment is pending.

Note: This portlet lists patches that you have deployed for testing as well as deployment of approved patches in your environment. However, when running in the enterprise mode, this portlet displays the Deployment Distribution Progress status for each deployment.

Detailed Deployment Information

You can view detailed information about the deployments you have made using the Status subtab on the Dashboard page. Use the Status subtab to perform the following functions:
■ View information on the application events
■ Monitor the status for patch deployment
■ Monitor the policy compliance

Note: The Policy Compliance option is available only when CA Patch Manager is running in the domain mode. This option is not available in the enterprise mode.

View the Application Events Log

The Application Events log displays all the application events logged by CA Patch Manager. View the application events log to identify and troubleshoot problems at any stage, from patch acceptance to patch deployment.

Note: The Application Events log displays the information from the upm.log file, which you can configure to set the severity level.

To view the application events log

1. Select the Dashboard tab and click Status, Application Events. The Application Events page appears.

2. Select the severity type - Informational, Warning, Error, or Fatal - using the check boxes under the Show Severity option, and click Go. The list of application events based on the selected severity appears. Note: Select all the severity types to view all application events.

3. Select All, Marked as Read, or Marked as Unread from the Show Status drop-down list. The list of events based on the status appears.

4. Review information in the following columns for each of the application events:
■ Severity - Indicates the severity of the event. The severity can be Informational, Warning, Error, or Fatal.
■ Message - Displays any message related to the event.
■ Posted - Displays the date and time when the event was posted.
■ Read - Displays whether the event has been read.
Note: Use the Show Details link to view detailed information on each of the events.

5. Select Mark as Read from the Select drop-down list after you finish reviewing the events to record that you have viewed the information. The action is recorded and the Read column displays the status Yes.

Monitor the Patch Deployment Status

The Patch Deployment Status page lets you monitor the progress of a patch as it is deployed - either for testing or for general distribution. Using this page, you can manage your patch deployments and drill down into individual deployments to monitor the deployment status of a specific computer.

To monitor the patch deployment status

1. Select the Dashboard tab and click Status, Patch Deployments. The Patch Deployment Status portlet appears.

2. Select a filtering option from the Filter By drop-down list and the number of rows to display from the Number Of Rows drop-down list. The list of patch deployments using the filtering criteria appears.

3. Review information in the following columns for each deployment:
■ Deployment ID - Identifies the specific deployment.
■ Patch Name - Identifies the patch.
■ Status - Identifies the current status of the deployment.
■ Date - Indicates the date on which the deployment was initiated.

4. Click the applicable Deployment ID to view additional details regarding a specific deployment. The General Deployment Information page appears. This page provides additional details such as patch name, patch status, patch creation date, date when the patch is scheduled to run, and the date when the deployment is completed. Note: Drill down to an individual target by clicking the Targets link to determine the status of the deployment for that specific computer or group. This information is available only when the CA Patch Manager server is running in the domain mode.

5. Click Done when you finish viewing the details on the General Deployment Information page. The Patch Deployments page appears.

Monitor the Policy Compliance

Note: The Policy Compliance option is available only when CA Patch Manager is running in the domain mode. This option is not available in the enterprise mode.

You can monitor policy compliance to identify those targets that do not currently adhere to the guidelines set by their corresponding patch policy. For example, if a particular patch policy included five target machines and only three of those target machines had the software patches identified in the patch policy, two of those targets are considered non-compliant.

To monitor the policy compliance

1. Select the Dashboard tab and click Status, Policy Compliance. The Policy Compliance page appears.

2. Select a filtering option from the Filter By drop-down list and the number of rows to display from the Number Of Rows drop-down list. The list of policies with non-compliant targets appears.

3. Review information in the following columns pertaining to patch policy compliance:
■ Policy Name - Identifies the patch policy name.
■ # of Violations - Identifies the number of target machines in this patch policy that do not conform to the patches defined in the patch policy. These machines will be targeted for deployment to ensure compliance.
■ Status Time - Identifies the time when the most recent patch policy evaluation was conducted.
■ Details - Displays a link to additional details of the policy violation.

4. Select a policy and click the Details link. These details include those target computers that were determined to be non-compliant with the established patch policy. Note: Click the individual target links to view details for that particular computer.

More information:

Create New Patch Policy (see page 52)
Add Patches to Existing Patch Policies (see page 54)

Monitor Patches Using the Charts Portlet

You can use the Charts portlet to review and track the patch status. The Charts portlet displays the status of the patches in the form of a chart based on the category you select.

To monitor patches using the Charts portlet

1. Select the Dashboard tab and click Summary. The Summary page appears.

2. Select an option from the Select Chart drop-down list:
■ Active Patches By Status - Displays a chart that represents all active patches based on their status. Note: The enterprise mode includes additional statuses such as Distributing.
■ Active Patches By Severity - Displays a chart that represents all active patches based on their severity.
■ Deferred Patches By Severity - Displays a chart representing all deferred patches based on their severity.
■ Inactive Patches By Severity - Displays a chart representing all inactive patches based on their severity.
■ Downloads By Status - Displays a chart representing all completed downloads based on their status.
■ Downloads By Day - Displays a chart representing all completed downloads based on the day.
■ Last Day's Events - Displays a chart representing events that occurred on the previous day.
■ Events By Type - Displays a chart representing events based on their type.

3. Review the appropriate chart.

More information:

Single Point of Control (see page 10)

Reports

CA Patch Manager uses the DSM Reporter for generating reports. You can generate reports related to CA Patch Manager from the DSM Reporter console after you install CA Patch Manager.

More Information:

DSM Reporter (see page 107)

Predefined Reports

The DSM Reporter has predefined reports for CA Patch Manager. The following section describes the predefined reports:

Active Patches, Listed By Severity

The Active Patches, Listed By Severity report identifies a list of all active patches and groups them by severity. This report is displayed in the following order:

1. By patch severity
2. By patch name

Count of Patches Needed and Applied, Listed By Patch

The Count of Patches Needed and Applied, Listed By Patch report provides a list of current patches and identifies how many copies of those patches have been applied. This report is grouped by patch name and displayed in the following order:

1. By patch name
2. By patch version label
3. By machine name

Count of Patches Needed And Not Applied, Listed By Patch

The Count of Patches Needed And Not Applied, Listed By Patch report provides a list of current patches and identifies how many copies of those patches have not been applied. This report is grouped by patch name and displayed in the following order:

1. By patch name
2. By patch version label
3. By machine name

Deferred Patches, Listed By Severity

The Deferred Patches, Listed By Severity report shows a list of all deferred patches grouped by severity. This report is displayed in the following order:

1. By patch severity
2. By patch name

Downloads, Listed By Day

The Downloads, Listed By Day report displays a list of downloads that have been scheduled, grouped by the date the download was completed. This report is displayed in the following order:

1. By the completed date (in descending order)
2. By the name of the download file

Downloads, Listed By Status

The Downloads, Listed By Status report displays a list of downloads that have been scheduled, grouped by the status of the download. This report is displayed in the following order:

1. By the status of the download
2. By the date the download was completed (in descending order)

Events, Listed By Status

The Events, Listed By Status report displays a list of CA Patch Manager events that have occurred, grouped by event status. This report is displayed in the following order:

1. By event status
2. By the date and time the event was posted

Events, Listed By Type

The Events, Listed By Type report displays a list of CA Patch Manager events that have occurred, grouped by event type. This report is displayed in the following order:

1. By event type
2. By the date and time the event was posted (in descending order)

Inactive Patches, Listed By Severity

The Inactive Patches, Listed By Severity report shows a list of all inactive patches, grouped by severity. This report is displayed in the following order:

1. By patch severity
2. By patch name

Last Day's Events, Listed By Type

The Last Day's Events, Listed By Type report displays a list of CA Patch Manager events that occurred in the previous day grouped by event type and displayed in the following order:

1. By event type
2. By the date and time the event was posted (in descending order)

Patches Needed And Patches Applied, Listed By Patch

The Patches Needed And Patches Applied, Listed By Patch report provides a list of current patches and identifies which systems already have the patch installed. This report is grouped by patch name and displayed in the following order:

1. By patch name
2. By patch version label
3. By machine name

Patches Needed And Patches Applied, Listed By Software

The Patches Needed And Patches Applied, Listed By Software report provides a list of software applications detected in your enterprise and identifies which patches for each of those applications have already been applied. This report is grouped in the following order:

1. By software
2. By patch within that software

This report is displayed in the following order:

1. By software name
2. By patch name
3. By patch version label
4. By machine name

Patches Needed But Not Applied, Listed By Patch

The Patches Needed But Not Applied, Listed By Patch report provides a list of current patches and identifies which machines still require the patch to be installed. This report is grouped by patch name and displayed in the following order:

1. By patch name
2. By patch version label
3. By machine name

Patches Needed But Not Applied, Listed By Software

The Patches Needed But Not Applied, Listed By Software report provides a list of software applications detected in your enterprise and identifies which patches for each of those applications have not been applied. This report is grouped in the following order:

1. By software
2. By patch within that software

This report is displayed in the following order:

1. By software name
2. By patch name
3. By patch version label
4. By machine name

Policy Violations

The Policy Violations report displays the policies that have violations and the specific computers in violation. That is, the computer is part of a patch policy that requires one or more patches to be installed, and this computer does not have one or more of those patches installed.

This report is grouped and displayed in the following order:

1. By software
2. By patch policy within that software
3. By machine within that patch policy
4. By patch within that machine

Note: This report is available only when the CA Patch Manager server is running in the domain mode.

Chapter 11: Customizing the User Interface

This chapter describes how to customize various aspects of the CA Patch Manager user interface such as User Settings, Dashboard Summary, Portlet Settings, Table Settings, and Filter Settings. You can customize these settings based on your requirements.

This section contains the following topics:
■ Customize User Settings
■ Customize Dashboard Summary Settings
■ Portlet Settings
■ Customize Table Settings
■ Filter Settings
■ Change Password for a User

Customize User Settings

You can customize the user settings with your preferred locale, date and time style, and the default time zone.

To customize the user settings

1. Click the My Profile link in the upper right corner of the user interface. The My Profile page appears.

2. Click User Settings. The User Settings page appears.

3. Specify your preferred locale, date and time style, and default time zone in the appropriate fields. You can also set the connection timeout option to specify whether you want the CA Patch Manager session to time out after a specified time or stay connected always. Note: The Stay Connected option overrides the Connection timeout option.

4. Click Save. The information is stored in your profile.

Note: The User Detail menu at the bottom of every page under My Profile lets you change your login password.

Customize Dashboard Summary Settings

The Dashboard Summary settings let you determine which portlets to include in the display, as well as the order in which they will be placed. You can customize the layout and content of your Dashboard Summary page.

To customize the Dashboard Summary settings

1. Click the My Profile link in the upper right corner of the user interface. The My Profile page appears.

2. Click Dashboard Summary. The Dashboard Summary page appears.

3. Select the number of columns to display from the Number of Columns drop-down list. Each column includes a list of available portlets.

4. Use the arrows below the relevant Available Portlets box to select the portlets to include on your display. Portlets are added to the Selected Portlets box.

5. Use the up and down arrows to the right of the box to arrange the order in which the portlets will appear in the column after the portlet is added to the Selected Portlet box.

6. Click Save. The information is saved in your profile.

Portlet Settings

CA Patch Manager lets you configure details for specific portlets such as specifying height of portlets or adding related links to specific portlets. Using these settings you can organize the information in the portlets as you like.

You can configure the settings for the following portlets under the Portlet Settings menu:
■ Favorites Portlet - Defines the height of the portlet and maintains a list of favorite links at one place. You can add, edit, and delete a link in the Favorites portlet. You can also move the links up and down as desired.
■ RSS Feeds Portlet - Defines the height of the portlet and provides links to RSS feeds. You can customize the links to be included in the portlet. You can add, edit, and delete a link. You can also move the links up and down as desired.
■ Charts Portlet - Defines the height and the source location for the charts included in the Charts portlet. You can customize the links to be included in the portlet. You can add, edit, and delete a link. You can also move the links up and down as desired.
■ Patches and Deployments Portlet - Defines the height of the portlets related to patch deployment on the Dashboard Summary page. You can specify the height for the Patches Pending Acceptance, Patches Pending Workflow Action, Deployment Progress, Patches Pending Test, and Approved Patches portlets using this page. Portlet size is measured in pixels. Portlet width is determined automatically, based on the number of columns on the page.
■ System Status Portlet - Defines the height of the portlet. Portlet size is measured in pixels. Portlet width is determined automatically, based on the number of columns on the page.

Note: The steps for specifying the portlet height, adding a link to a portlet, and editing a link in a portlet are the same for all portlets.

Add a Link to a Portlet

You can add a link to the Favorites, RSS Feeds, and Charts portlet available under Portlet Settings. Adding this link helps you organize all the links related to that specific portlet in one place.

To add a link

1. Click the My Profile link in the upper right corner of the user interface. The My Profile page appears.

2. Click the appropriate portlet under Portlet Settings. The corresponding portlet configuration page appears.

3. Click the Add button to add a link to the portlet. The related portlet's URL page appears allowing you to specify the information about the link.

4. Enter the URL for the link you want to add to the portlet and provide a description and display name in the relevant fields. The display name you enter here is listed in the portlet in the Dashboard Summary page and the description text is provided as tooltip text.

5. Click OK. The new link appears on the page.

6. Click Save. All the settings are stored in your profile.

Edit a Link in a Portlet

You can edit an existing link in the Favorites, RSS Feeds, and Charts portlets available under Portlet Settings. By editing an existing link, you can update the link without having to create it again.

To edit a link

1. Click the My Profile link in the upper right corner of the user interface. The My Profile page appears.

2. Click the appropriate portlet under Portlet Settings. The corresponding portlet configuration page appears.

3. Click the edit icon (pencil) in the Actions column for the link you want to edit. The relevant portlet's URL page appears.

4. Update information in the appropriate fields, and click OK. The updated information appears on the page.

5. Click Save. All the settings are stored in your profile.

Customize the Height of a Portlet

You can customize the height for all the portlets based on your requirements. You can specify a higher value for a portlet when you expect to have a large amount of information to display and a lower value when you do not expect much information.

To customize the height of a portlet

1. Click the My Profile link in the upper right corner of the user interface. The My Profile page appears.

2. Click the appropriate portlet under Portlet Settings. The corresponding portlet configuration page appears.

3. Enter the value for the height of the portlet in the Portlet Height field, and click Save. Note: In the Patches & Deployments portlet, you specify the height in the Patches Pending Acceptance, Patches Pending Workflow Action, Deployment Progress, Patches Pending Test, and Approved Patches fields. These fields represent the height of the respective portlets available on the Dashboard Summary page. The portlet height is stored in your profile.

Customize Table Settings

You can customize the table settings to designate default filters and scrolling parameters for each of the data lists displayed in the user interface.

To customize the table settings

1. Click the My Profile link in the upper right corner of the user interface. The My Profile page appears.

2. Click Table Settings under Preferences and Settings. The Table Settings page appears.

3. Click the edit icon (pencil) in the Actions column for the table you want to edit. The Table Detail page appears.

4. Update information in the appropriate fields, and click OK. The updated information appears on the Table Settings page.

5. Click Save. The information is saved in your profile.

Filter Settings

Filters allow you to sort a list of items by specific categories to make your search and selection more efficient. You can set filters for the following:
■ Software
■ Patches
■ Deployments
■ Policies
■ Groups
■ Machines

More Information:

Patch Search (see page 40)

Create Software Filters

You can use the Software Filters page to create filters for software lists. These filters are selectable on any table that displays a list of software items. Choose these filters to limit the number of records returned.

To create a custom software filter

1. Click the My Profile link in the upper right corner of the user interface. The My Profile page appears.

2. Click Software under Filter Settings. The Software Filters page appears.

3. Click Add. The Software Filter Detail page appears.

4. Specify a filter name in the Filter Name field. This filter name will be available in the Filter drop-down list used in all software tables.

5. Select the filter criteria and specify relevant information in the appropriate fields. You can filter software using the following categories:

■ Application Name
■ Manufacturer
■ Language

These filter options make your filter criteria more efficient.

6. Specify the order in which you want to display the results - by Name, Manufacturer, Version Label, or Version Number. These columns determine the order of the returned results.

7. Click OK when you have finished designing the filter. The new filter is added to the Software Filters page.

8. Click Save. The new filter is now available.

Create Patch Filters

You can use the Patch Filters page to create custom filters for patches. These filters are selectable on any table that displays a list of patches. Choose these filters to limit the number of records returned.

To create a custom patch filter

1. Click the My Profile link in the upper right corner of the user interface. The My Profile page appears.

2. Click Patches under Filter Settings. The Patch Filters page appears.

3. Click Add to add a new filter. The Patch Filter Detail page appears.

4. Specify a filter name in the Filter Name field. This filter name will be available in the Filter drop-down list used in all patch tables.

5. Select the filter criteria and specify relevant information in the appropriate fields. You can filter patches using the following categories:

■ Manufacturer
■ Language
■ Attributes - Available attributes are severity, impact and status, which let you view, for example, only those patches that were marked critical and have security implications. Note: The list of available status varies depending on the type of installation - domain or enterprise.
■ Date - The date that the patch was created

These filter options make your filter criteria more efficient.

6. Specify the order in which you want to display the results - by Name or Manufacturer. These columns determine the order of the returned results.

7. Click OK when you have finished designing the filter. The new filter is added to the Patch Filters page.

8. Click Save. The new filter is now available.

More Information

Single Point of Control (see page 10)

Create Deployment Filters

You can use the Deployment Filters page to create custom filters for patch deployments. These filters are selectable on any table that displays a list of patch deployments. Choose these filters to limit the number of records returned.

To create a custom deployment filter

1. Click the My Profile link in the upper right corner of the user interface. The My Profile page appears.

2. Click Deployments under Filter Settings. The Deployment Filters page appears.

3. Click Add to add a new filter. The Deployment Filter Detail page appears.

4. Specify a filter name in the Filter Name field. This filter name will be available in the Filter drop-down list used in all deployment tables.

5. Select the filter criteria and specify relevant information in the appropriate fields. You can filter patches using the following categories:

■ Deployment Status - created, scheduled, or completed
■ Date on which deployment was scheduled
■ Deployment patch name

These filter options make your filter criteria more efficient.

6. Specify the order in which you plan to display the results - by Name, Deployment Date, or Deployment status. These columns determine the order of the returned results.

7. Click OK when you have finished designing the filter. The new filter is added to the Deployment Filters page.

8. Click Save. The new filter is now available.

Create Policy Filters

You can use the Policy Filters page to create custom filters for patch policies. These filters are selectable on any table that displays a list of policy items. Choose these filters to limit the number of records returned.

To create a custom policy filter

1. Click the My Profile link in the upper right corner of the user interface. The My Profile page appears.

2. Click Policies under Filter Settings. The Policy Filters page appears.

3. Click Add to add a new filter. The Policy Filter Detail page appears.

4. Specify a filter name in the Filter Name field. This filter name will be available in the Filter drop-down list used in all policies tables.

5. Select the filter criteria and specify relevant information in the appropriate fields. You can design filters based on the policy name. This option makes your filter criteria more efficient.

6. Specify the order in which you plan to display the results - by Policy Name, Policy Status, or Software Name. These columns determine the order of the returned results.

7. Click OK when you have finished designing the filter. The new filter is added to the Policy Filters page.

8. Click Save. The new filter is now available.

Create Group Filters

You can use the Group Filters page to create custom filters for target groups. These filters are selectable on any table that displays a list of group items. Choose these filters to limit the number of records returned.

To create a custom group filter

1. Click the My Profile link in the upper right corner of the user interface. The My Profile page appears.

2. Click Groups under Filter Settings. The Group Filters page appears.

3. Click Add to add a new filter. The Group Filter Detail page appears.

4. Specify a filter name in the Filter Name field. This filter name will be available in the Filter drop-down list used in all group tables.

5. Select the filter criteria and specify relevant information in the appropriate fields. You can design filters based on group names. This option makes your filter criteria more efficient.

6. Specify the order in which you plan to display the results - by Group Name or Creation Date. These columns determine the order of the returned results.

7. Click OK when you have finished designing the filter. The new filter is added to the Group Filters page.

8. Click Save. The new filter is now available.

Create Machine Filters

You can use the Machine Filters page to create custom filters for target computers. These filters are selectable on any table that displays a list of machine items. Choose these filters to limit the number of records returned.

To create a custom machine filter

1. Click the My Profile link in the upper right corner of the user interface. The My Profile page appears.

2. Click Machines under Filter Settings. The Machine Filters page appears.

3. Click Add to add a new filter. The Machine Filter Detail page appears.

4. Specify a filter name in the Filter Name field. This filter name will be available in the Filter drop-down list used in all machine tables.

5. Select the filter criteria and specify relevant information in the appropriate fields. You can filter machines using the following categories:

■ Machine name
■ Group
■ Software
■ Platform

6. Click OK when you have finished designing the filter. The new filter is added to the Machine Filters page.

7. Click Save. The new filter is now available.

Change Password for a User

You can reset your password by using the option available for changing your password on the My Profile page.

To change a password for a user

1. Click the My Profile link in the upper right corner of the user interface. The My Profile page appears.

2. Click the Change Password link under User Detail. The Change Password page appears.

3. Enter your current password, new password, and confirm your new password.

4. Click OK. The password is changed for the user.

More information:

Change Login Password for a User (see page 30)

Chapter 12: Advanced Configuration

CA Patch Manager provides the following features to improve the performance of CA Patch Manager servers and services.

This section contains the following topics:
■ Patch Services
■ Integration with CA IT Client Manager
■ Event Logging
■ Data Pruning
■ Database Settings

Patch Services

CA Patch Manager patch services are multi-threaded; the execution and completion of one task is not dependent on another, as each task is executed and managed independently. This results in optimum use of system resources and thus improves performance. You can also configure the system maintenance task to run at off-peak hours. The list of patch services is as follows:
■ New Patch - Processes newly imported patches.
■ Accepted Patch - Processes accepted patches.
■ Downloaded Patch - Downloads the accepted patch files.
■ Deployment Status - Checks for the deployment status.
■ Policy - Performs policy validation and enforcement.
■ Workflow - Processes patches, deployments, and policies that are handled by workflow.
■ Distributed Patch - Processes patches that are being distributed to the domains. This service applies only when the CA Patch Manager server is running in the enterprise mode.

More information:

Single Point of Control (see page 10)

Configure Patch Services to Improve Performance

You can configure patch services to specify the frequency of various CA Patch Manager task threads and the system maintenance task to improve performance. You can configure the system maintenance task to run at off-peak hours so that the business hours are not affected. System maintenance tasks include checking for patch applicability, data pruning, and so on.

To configure patch services to improve performance

1. Select the Administration tab and click Configuration, System Settings, Services. The Patch Services and Maintenance page appears in the right pane.

2. Specify the time interval in minutes for each task in the Patch Services section. These settings control the execution of the task threads.

3. Specify the time of the day when you want the system maintenance task to run. This setting controls the system maintenance task.

4. (Optional) Click Run Now. The system maintenance task runs immediately. You can click Run Now at any time to invoke the system maintenance task.

5. Click Save. The settings are saved in the database.

Integration with CA IT Client Manager

CA Patch Manager integrates with the CA ITCM suite to determine patch compliance and to deliver new patches throughout the enterprise infrastructure. CA Patch Manager maintains a session pool for communicating with the DSM web services and reuses the connections when possible. This reduces the number of connections to the web services.


Configure Parameters for Communicating with DSM Web Services

You must configure the parameters for connecting to the DSM Web Services to communicate with the CA Asset Management and CA Software Delivery components.

To configure parameters for communicating with DSM Web Services

1. Select the Administration tab and click Configuration, System Settings, DSM. The DSM Connection page appears.

2. Specify the credentials such as the Server, User Name, Password, and Web Service URL. These credentials are used to connect to the DSM Web Services.

Note: By default, CA Patch Manager installation sets the values for these credentials, which need not be changed.

3. Specify the following parameters to control session pooling. You must specify a value within the specified range in each of these fields:

Max Pool Sessions
Defines the maximum number of concurrent web service sessions that CA Patch Manager will use. If all sessions are in use, CA Patch Manager waits until one of the sessions becomes available.
Default: 3
Limits: Minimum 1, Maximum 20

Max Idle Sessions
Defines the maximum number of idle sessions. The idle sessions in excess of this limit will be closed and evicted from the session pool as soon as they become unused.
Default: -1 Unlimited (Recommended)
Limits: Minimum 1, Maximum Unlimited

Evict Idle Time
Defines the maximum amount of time a session may be idle, before being evicted from the session pool. Sessions that are idle beyond the idle time are closed and evicted from the session pool irrespective of Max Idle Sessions limit.
Default: 10 minutes
Limits: Minimum 1 minute, Maximum 30 minutes

Evict Interval
Defines the interval at which the eviction task runs to close and evict the sessions that are idle for more than the Evict Idle Time period.
Default: 1 minute
Limits: Minimum 1 minute, Maximum 5 minutes

4. Click Save. The changes are saved in the database.

Deployment Options

CA Patch Manager integrates with CA Software Delivery for deploying the patches on the target computers. CA Patch Manager packages the software patches for deployment as sealed software packages using CA Software Delivery. Deployment options in CA Patch Manager let administrators add special parameters to these sealed software packages that control patch deployment on the target computers.

CA Patch Manager administrators can configure the following deployment options:
■ Maximum delay interval for execution
■ Prompt user before execution
– Prevent user from canceling the deployment
– Deploy if prompt times out
■ Maximum number of delays for reboot
■ Reboot delay interval
■ Job timeout interval

You can configure the deployment options at three levels:

Default
Defines the deployment options applicable to all the patches and policies in CA Patch Manager. The deployment options set at this level can be overridden at the individual patch and policy levels.

Patch
Defines the deployment options applicable to an individual patch. By default, all the patches inherit the values set at the default level.

Policy
Defines the deployment options applicable to an individual policy. By default, all the policies inherit the values set at the default level.


More information:

Create Security Roll-up Policy (see page 64)
Deploy a Patch for Testing (see page 45)
Create New Patch Policy (see page 52)
Add Patches to Existing Patch Policies (see page 54)

Configure Deployment Options to Provide Flexible Deployment

You can configure the deployment options to give users the flexibility to decide when they want the patch to be deployed and the computer to be rebooted, if a reboot is required. The default deployment options are applicable to all the patches and policies. However, the individual patches and policies can override the default options.

To configure deployment options at the default level

1. Select the Administration tab and click Configuration, System Settings, DSM. The DSM Connection and Options sections appear.

2. In the Options section, select the Override default DSM deployment parameters with these settings checkbox. The options in the Execution, Reboot, and Job Timeout sections get enabled.

3. Specify the options in the Execute, Reboot, and Job Timeout sections and click Save.

The default deployment options are saved.

More information:

Deployment Method (see page 49)
Deploying Patches for Testing (see page 45)
Create New Patch Policy (see page 52)
Add Patches to Existing Patch Policies (see page 54)

Event Logging

CA Patch Manager records all the events and saves them in a log file. By default, the log file is saved in the installation path with the debug information. You can check this log file to troubleshoot the workflow of CA Patch Manager.


Configure Event Logging

You can configure the event logging parameters to change the log file name, size, number of backups, and the severity level of the log file.

To configure event logging

1. Select the Administration tab and click Configuration, Events. The System Logging page appears in the top-left corner of the right pane displaying the default values.

2. Configure the fields in the page. Following are descriptions of fields that are not self-explanatory:

Size
Defines the size of the log file. CA Patch Manager creates a backup file when the size of the log file reaches the specified limit.

Number of Backups
Defines the number of backups of the log file that you want to maintain. These backup files have incremental numbers in the file name; for example, the latest backed up log file is named upm.log.1 and the previously backed up file names are incremented by one. CA Patch Manager deletes the backup file with the highest incremental number when the number of backups reaches the specified limit.

Severity Level
Specifies the level of information you want to view in the log file.

3. Click Save. The event logging settings are saved.

Important! Restart CA Patch Manager for the modified settings to take effect.


Data Pruning

Data pruning enables automatic pruning of old data from the MDB and the file system, thus clearing space in the MDB and on the hard disk. You can perform data pruning on the following:
■ Completed workflow records
■ Acknowledged event records
■ Completed download records
■ Downloaded patch files

In the case of workflow, event, and download records, the records are deleted from the database, whereas the downloaded patch files are deleted from the file system.

Configure Database Pruning Settings

You must configure the database pruning settings to enable pruning of the workflow, event, and download records that are older than the number of days specified.

Note: By default, data pruning is disabled.

To configure database pruning settings

1. Select the Administration tab and click Configuration, System Settings, Data Pruning. The Data Pruning page appears.

2. Select the check box before each item and specify the number of days (between 1 and 365) after which the records must be considered obsolete and deleted from the database. Data pruning is enabled for the selected items.

3. Specify 0 or clear the check box to disable pruning.

4. For the downloaded patch file records, select Prune download records first and then select Prune downloaded patch files to enable pruning. The settings are configured for data pruning.

Enable data pruning only for the records you want to prune. For example, if you want to prune the Workflow records only, select the Prune workflow records check box and specify the number of days parameter.


Database Settings

CA Patch Manager uses the database settings to connect and manage connections to the database. Database settings also include parameters for maintaining the session pool for connecting to the database.

Configure Settings to Connect to the Database

The default database settings are specified during installation. You can configure these settings at any time to change the parameters to connect to the database.

To configure settings to connect to the database

1. Select the Administration tab and click Configuration, Database Settings. The MDB Settings page appears.

2. Enter the user name and password for connecting to the MDB.

3. Complete the fields in the page. Following are descriptions of fields that are not self-explanatory:

Class Name
Displays the class name of the database JDBC driver.

Connection String
Defines the string that lets CA Patch Manager establish a JDBC connection with the database.

Max Pool Sessions
Defines the maximum number of connections to the database that you want to allow.
Default: 10
Limits: Minimum 3, Maximum 30

Max Idle Sessions
Defines the maximum number of idle sessions that you want to allow. The idle sessions in excess of this limit will be closed and evicted from the session pool as soon as they become unused.
Default: -1 Unlimited (Recommended)
Limits: Minimum 1, Maximum -1 (unlimited)
Note: Do not change the default interval unless requested by CA Support Personnel.

Evict Interval Time
Defines the interval (in milliseconds) at which the eviction task runs to close and evict the sessions that are idle for more than the Evict Idle Time period.
Default: 60000 (1 minute)
Limits: Minimum 60000 (1 minute), Maximum -1 (no eviction)
Note: Do not change the default interval unless requested by CA Support Personnel.

Evict Idle Time
Defines the maximum amount of time (in milliseconds) a session may be idle, before being evicted from the session pool. Sessions that are idle beyond the idle time are closed and evicted from the session pool irrespective of Max Idle Sessions limit.
Default: 300000
Limits: Minimum 60000 (1 minute), Maximum -1 (no eviction)
Note: Do not change the default interval unless requested by CA Support Personnel.

4. Click Save. The modified database settings are saved.

Important! Restart CA Patch Manager for the modified settings to take effect.
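The following added example (not CA Patch Manager code) models the session-pool settings described under Configure Parameters for Communicating with DSM Web Services and under Configure Settings to Connect to the Database, using a virtual clock in milliseconds. It shows how long an unused, still-connected session can remain open under given settings; the class and function names, and the reading of "idle beyond the idle time" as strictly greater than, are assumptions of the example.

```python
# Added illustration, not CA Patch Manager code: a replayable model of the
# four pool settings. Time is a virtual clock in milliseconds.
from dataclasses import dataclass

UNLIMITED = -1  # the documented "-1" value


@dataclass(frozen=True)
class PoolSettings:
    max_pool_sessions: int
    max_idle_sessions: int    # -1 = unlimited
    evict_interval_ms: int    # -1 = eviction task never runs
    evict_idle_time_ms: int   # -1 = idle sessions never expire


# Documented defaults; the DSM page gives minutes, converted to ms here.
DSM_DEFAULTS = PoolSettings(3, UNLIMITED, 1 * 60_000, 10 * 60_000)
MDB_DEFAULTS = PoolSettings(10, UNLIMITED, 60_000, 300_000)


class SessionPool:
    def __init__(self, cfg):
        self.cfg = cfg
        self.idle = {}      # session id -> time it became idle
        self.busy = set()
        self.closed = []    # (session id, close time, reason)
        self._next_id = 0
        self._next_run = cfg.evict_interval_ms  # time of the first eviction run

    def advance(self, now):
        """Replay every eviction run scheduled at or before `now`."""
        if UNLIMITED in (self.cfg.evict_interval_ms, self.cfg.evict_idle_time_ms):
            return
        while self._next_run <= now:
            run = self._next_run
            for sid, since in list(self.idle.items()):
                if run - since > self.cfg.evict_idle_time_ms:
                    del self.idle[sid]
                    self.closed.append((sid, run, "idle-timeout"))
            self._next_run += self.cfg.evict_interval_ms

    def acquire(self, now):
        """Return a session id, or None when the caller would have to wait."""
        self.advance(now)
        if self.idle:
            sid = next(iter(self.idle))     # reuse before opening a new session
            del self.idle[sid]
        elif len(self.busy) < self.cfg.max_pool_sessions:
            sid = self._next_id
            self._next_id += 1
        else:
            return None
        self.busy.add(sid)
        return sid

    def release(self, sid, now):
        self.advance(now)
        self.busy.remove(sid)
        limit = self.cfg.max_idle_sessions
        if limit != UNLIMITED and len(self.idle) >= limit:
            self.closed.append((sid, now, "max-idle"))  # surplus: closed at once
        else:
            self.idle[sid] = now


def worst_case_idle_ms(cfg):
    """Longest an unused session can stay open, or None if it is never closed."""
    if UNLIMITED in (cfg.evict_interval_ms, cfg.evict_idle_time_ms):
        return None
    # A session that passes the idle limit just after a run waits for the next.
    return cfg.evict_idle_time_ms + cfg.evict_interval_ms


def burst(cfg, sessions=3, released_at=10_000, observe_at=24 * 3_600_000):
    """Open `sessions` at t=0, release them together, observe a day later."""
    pool = SessionPool(cfg)
    ids = [pool.acquire(0) for _ in range(sessions)]
    for sid in ids:
        pool.release(sid, released_at)
    pool.advance(observe_at)
    return pool


if __name__ == "__main__":
    cases = [("MDB defaults", MDB_DEFAULTS),
             ("no eviction", PoolSettings(10, UNLIMITED, UNLIMITED, 300_000)),
             ("max idle 1", PoolSettings(10, 1, 60_000, 300_000))]
    for name, cfg in cases:
        pool = burst(cfg)
        print(name, "closed:", pool.closed, "still open:", sorted(pool.idle))
```

With the eviction interval set to -1, the three sessions in the model are still open a day later, which is the case to keep in mind when the pooled sessions hold authenticated connections to the MDB or to the DSM web services.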


Chapter 13: Diagnostics and Troubleshooting

This chapter provides the diagnostics and troubleshooting information for CA Patch Manager.

This section contains the following topics:
Installation Fails With an Error Message MDB Patch Already Applied
Online Updates are Failing
System Status Shows DSM Service as Failed in CA Patch Manager after Failover

Installation Fails With an Error Message MDB Patch Already Applied

Symptom: CA Patch Manager installation failed with MDB Patch already applied error message in the log file.

Solution:
■ Check the log file for the failed MDB patch application. The log file named install_mdb.log is located in C:\Documents and Settings\%USERNAME%\Local Settings\Temp\{E7135B45-D2D0-42BA-A8B8-EBBD7CA64B7B}\mdb15703 451. Examine this file to determine which patch failed and contact CA Technical Support.
■ Verify if the MDB Patch is already applied. Perform the following procedures to fix this error:

To verify the existence of the patch

1. Log in to the SQL Query Analyzer and select MDB from the database list.

Note: Ensure that the default user is UPMADMIN.


2. Depending on the database provider, run the following SQL statement:

Select * from MDB_PATCH

The query results are displayed.

3. Search the query results for the patch number given in the log file. If the patch number exists, the patch is already applied.

If the patch already exists

1. Clean the environment including the %temp% folder. Make sure any instances of \Program Files\CA\CA Patch Manager are deleted and references to CA Patch Manager or any full installation paths for the product are removed from the registry.

2. Uninstall all three CleverPath applications from Windows Add or Remove Programs.

3. Remove UPMUSER and UPMADMIN from the Windows local accounts listing.

4. Remove UPMUSER and UPMADMIN from SQL Security listings also.

5. Start the CA Patch Manager installation and click Next until you reach the page to enter passwords for the UPMUSER and UPMADMIN accounts.

6. In the Windows explorer, browse to %temp% folder and search for the InstallMDBPatch.bat file (including subfolders).

7. Open InstallMDBPatch.bat file with notepad.

8. Scroll to the end of the file and change the line Exit %errorlevel% to Exit 0.

9. Continue with the installation.

If the patch does not exist

1. Open the command prompt.

2. Browse to the folder where 'InstallMDBPatch.bat' is located.

3. Execute the patch manually by copying and pasting the failed command in the log file.

4. Verify the existence of the patch.

5. Follow the steps to fix the error if the patch number already exists.


Online Updates are Failing

Symptom:

My online updates are failing.

Solution: Ensure that you have the following set in your environment:
■ Port 5250 or 443 is open bidirectionally between the Internet Proxy and contentupdate.ca.com.
■ The connection supports HTTPS when you are using port 443.
■ An initial packet size of 4096 is viable through the proxy.
■ Port 80 is open bidirectionally between CA Patch Manager and the proxy.
■ The Import proxy settings are correct in CA Patch Manager when using a proxy.

System Status Shows DSM Service as Failed in CA Patch Manager after Failover

Symptom: My computer crashed and I manually switched the CA Patch Manager passive node to active. When I logged into the CA Patch Manager console, I noticed that the System Status showed the status of DSM Service resource as failed. What should I do?

Solution: To change the status of the DSM Service, do the following:

1. Click Start, Programs, CA Patch Manager, Launch CA Patch Manager. The CA Patch Manager login window appears.

2. Log in as CA Patch Manager administrator, and select the Administrator tab. The Administrator page appears.

3. Navigate to Configuration, System Settings, DSM. The DSM Connection page appears.

4. Change the Web Service URL field to show the active node and click Save. The DSM Connection settings are saved and DSM Service status changes.


Appendix A: Integration

CA Patch Manager provides integration with the following:
■ CA IT Client Manager
■ CleverPath™ Reporter
■ Third Party Workflow and Common Component Services Events

The following topics discuss these integrations.

CA IT Client Manager

CA IT Client Manager is an integrated product that combines three solutions - CA Asset Management, CA Software Delivery, and CA Remote Control.

CA Patch Manager is not a stand-alone solution, but integrates with CA Asset Management and CA Software Delivery seamlessly and transparently for complete patch management.

CA Patch Manager uses CA Asset Management and CA Software Delivery to determine patch compliance and to deliver new patches throughout the enterprise infrastructure. CA Patch Manager does not have any agents or distributed managers of its own but uses the data and services provided by these existing solutions, and shares the MDB with them.

The integration with CA Asset Management and CA Software Delivery is automatic and you are not required to manipulate anything manually.

As stated earlier, you must have a working copy of CA Asset Management and CA Software Delivery before you can start using CA Patch Manager.

Note: You cannot alter the settings of CA IT Client Manager from CA Patch Manager.

DSM Reporter

CA Patch Manager uses the DSM Reporter for generating reports. You can generate reports related to CA Patch Manager from the DSM Reporter console after you install CA Patch Manager.

More Information:

Reports (see page 76)


Third Party Workflow and Common Component Service Events

CA Patch Manager allows processing workflow to be effected externally either using the CAPMEMS Web Service or the CAPMEMSAck command.

A workflow event is sent to the CA Common Services (CCS) Event Console for each workflow action selected based on the following conditions:
■ Workflow is enabled
■ Common Services Event Console is accessible

Using CA Patch Manager's built in functionality, a CA Service Desk Change Order can be created based on the following conditions:
■ A CA Service Desk server exists
■ This server is accessible from the CA Patch Manager server.

Note: If workflow is enabled, the Change Order description includes details about the workflow event.

CA Patch Manager can create a Change Order in the service desk system every time one of the selected actions is attempted. In order to do this, CA Patch Manager requires the following to be set in the CA Patch Manager settings:
■ a valid CA Service Desk web service URL, username, password
■ a Change Order template for each action that generates a Change Order

A valid CA Service Desk system consists of a server install that includes the installation of the web services.

CA Patch Manager gathers information from the Change Order template to populate generic information.

Note: For more information on Change Order templates, see the CA Service Desk Administrator Guide.


Enable CA Patch Manager Workflow Interface

To enable CA Patch Manager Workflow Interface

1. Click Start, Programs, CA, CA Patch Manager, Deploy Workflow Integration. This deploys the CA Patch Manager Workflow web service to the Axis servlet running under the CAPM Web Application. The deployment of the service allows workflow to be driven remotely by executing a command that acknowledges a workflow UUID positively or negatively.

2. Log in to CA Patch Manager as an Administrator and select the Administration tab. The Configuration menu appears.

3. Click the Events link and enable the workflow for the required patch processes. The following illustration depicts enabling the workflow for the patch deferral process.

This creates a workflow UUID and sends a message to the CA Patch Manager log and to the CA Common Services EM Console every time a patch is deferred. By default, the EM Console is accessed from Program Files\Computer Associates\CA Common Services\Enterprise Management\EM Classic. The EM Console displays the UUID sent by workflow.


Note: If integration with CA Service Desk is enabled and a template is associated, the created Change Order description will contain the same text as is found in the CA Patch Manager Dashboard Status Application Events message. The same text, including Workflow information (if Workflow is enabled), is sent to both the CCS Event Console and the Application Events message.


4. Reference the workflow UUID e6872b51-f3c3-03d9-b1df-c639d9eb7f4b. This drives the workflow.

Note: CA Patch Manager server installation includes the event.jar file which contains the workflow acknowledgement command line utility. You can use this utility to contact the CA Patch Manager server remotely (by wrapping the calls to the CAPMEMS web service) and approve or reject the process. This moves the patch associated with the workflow to the next phase or previous phase, depending on the response from the server.

Approve or Reject a Patch Workflow Process from the Command Line

To approve or reject a patch workflow process from the command line

1. Get the workflow_uuid string from the CAPM Event message generated when a patch enters workflow.

Note: In the example in the previous procedure this string is e6872b51-f3c3-03d9-b1df-c639d9eb7f4b.

2. Run the following command in the command prompt:

set CLASSPATH=%CLASSPATH%;\event.jar

This sets the classpath environment variable.

3. Execute the Acknowledgement class with the following command:

java com.ca.unicenter.upm.eventmanager.UPMEMSAck "http:///upm/services/UPMEMS" e6872b51-f3c3-03d9-b1df-c639d9eb7f4b true/false

The Acknowledgement class is executed. Use true to approve; false to reject.

Note: You can also execute the following java command without setting the classpath. This is an alternative to steps 2 and 3 explained above:

java -Djava.class.path= \event.jar com.ca.unicenter.upm.eventmanager.UPMEMSAck "http:///upm/services/UPMEMS" e6872b51-f3c3-03d9-b1df-c639d9eb7f4b true/false

Automate Workflow Approval or Rejection

Automation of the workflow process can be accomplished through CA Service Desk and/or CA Common Services Event Message Actions. The purpose of the Service Desk template associated with the CA Patch Manager Change Order creation is to ensure that the correct administrator or group is notified when a patch enters workflow. CA Service Desk allows you to associate the CA Patch Manager event.jar command to a CA Workflow or CA Service Desk Workflow that can be selected to either approve or reject the promotion of the patch that is in workflow. You can use Unicenter Event to create sendkeep messages based on the receipt of the CA Patch Manager Workflow message. Acknowledgement of the sendkeep drives the workflow, by executing the CAPMEMSAck command to send a message to the CA Patch Manager server.

Integration with CA Service Desk

CA Service Desk installation enables a web services interface for remote administration allowing CA Patch Manager administrators to create service desk Change Orders. To enable integration between CA Patch Manager and CA Service Desk, the CA Service Desk web service URL and Change Order template must be specified in the administrative settings of CA Patch Manager.

CA Patch Manager is compatible with CA Service Desk version 6.0 (formerly called Unicenter ServicePlus Service Desk) and r11 web services. However, the versions offer different web service URL strings.

CA Service Desk 6.0 implements a .NET web service with the following default URL:

http://:80/USD_WS/usd_ws.asmx

CA Service Desk r11 offers two web services. CA Patch Manager integrates with only the following default r11 web service that is backward compatible with CA Service Desk 6.0 web service clients:


http://:8080/axis/services/USD_WebServiceSoap

The integration with CA Service Desk enables CA Patch Manager to create a Change Order for the selected patch processes with the configured CA Service Desk server based on the specified template. The Change Order contains the summary and description of the process.

If workflow is enabled, the summary and description also include the workflow information. In addition, the CA Patch Manager Workflow ID is stored in the hidden “string6” field. The CA Patch Manager Workflow Web Service URL is stored in hidden field “string5”. These hidden fields can be referenced to automate the approval or rejection of CA Patch Manager patch workflow processes.

Note: CA Service Desk customizes Change Order members to include extra fields. If the user chooses to use fields other than “string5” and “string6”, the config.properties file can be updated to specify different field names:

event.config.upmWebServiceURL=upmWS
event.config.uspsdUPMWSField=upmWFId

With the above settings, the Change Order generated by CA Patch Manager populates the fields “upmWS” and “upmWFId” with the necessary workflow information.
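One way to automate the acknowledgement from the Change Order fields described above, as an added Python example that is not part of the product: it validates the web service URL and the workflow ID before building the UPMEMSAck command line, and passes the arguments as a list so that no shell interprets them. The host allowlist, the event.jar location, and the function names are assumptions; the sample Change Order in the block is constructed.

```python
# Added illustration, not CA code. Validates values read from a Change Order
# before they reach the UPMEMSAck utility shipped in event.jar.
import re
import subprocess
from urllib.parse import urlsplit

ACK_CLASS = "com.ca.unicenter.upm.eventmanager.UPMEMSAck"  # class named in the guide
SERVICE_PATH = "/upm/services/UPMEMS"                      # path shown in the guide
WORKFLOW_ID = re.compile(
    r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", re.IGNORECASE)

# Assumptions (placeholders): your CA Patch Manager hosts and event.jar location.
ALLOWED_HOSTS = {"capm01.example.internal"}
EVENT_JAR = r"C:\path\to\event.jar"


class AckInputError(ValueError):
    """A Change Order field failed validation; nothing was executed."""


def check_service_url(url):
    """Accept only http(s)://<allowed host>[:port]/upm/services/UPMEMS."""
    try:
        parts = urlsplit(url)
    except ValueError as exc:
        raise AckInputError("web service URL cannot be parsed") from exc
    if parts.scheme not in ("http", "https"):
        raise AckInputError("web service URL must be http or https")
    if parts.username or parts.password or parts.query or parts.fragment:
        raise AckInputError("web service URL carries unexpected components")
    if parts.hostname not in ALLOWED_HOSTS:
        raise AckInputError("host %r is not an allowed server" % parts.hostname)
    if parts.path != SERVICE_PATH:
        raise AckInputError("unexpected web service path")
    # Rebuild from the parsed pieces so only validated text is passed on.
    return "%s://%s%s" % (parts.scheme, parts.netloc, parts.path)


def build_ack_command(change_order, approve,
                      url_field="string5", id_field="string6"):
    """Return the argv list for UPMEMSAck, or raise AckInputError."""
    if not isinstance(approve, bool):
        raise AckInputError("approve must be True or False")
    url = check_service_url(str(change_order.get(url_field, "")))
    workflow_id = str(change_order.get(id_field, ""))
    if not WORKFLOW_ID.fullmatch(workflow_id):
        raise AckInputError("workflow ID is not a well-formed UUID")
    return ["java", "-Djava.class.path=" + EVENT_JAR, ACK_CLASS,
            url, workflow_id, "true" if approve else "false"]


def acknowledge(change_order, approve, **fields):
    """Run the utility. The argv list is executed directly, without a shell."""
    argv = build_ack_command(change_order, approve, **fields)
    return subprocess.run(argv, shell=False, check=True,
                          capture_output=True, text=True)


if __name__ == "__main__":
    # Constructed sample Change Order; the UUID is the one used in this guide.
    sample = {"string5": "http://capm01.example.internal/upm/services/UPMEMS",
              "string6": "e6872b51-f3c3-03d9-b1df-c639d9eb7f4b"}
    print(build_ack_command(sample, approve=True))
```

If config.properties maps the values to other fields, pass url_field and id_field accordingly, for example url_field="upmWS" and id_field="upmWFId".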


Configure Parameters to Communicate with CA Service Desk

To create a change order in CA Service Desk every time a patch enters a particular state, you must configure the parameters to connect to CA Service Desk and select the events that should trigger the creation of the change order.

To configure the parameters to integrate with CA Service Desk

1. Select the Administration tab and click Configuration, Events. The CA Service Desk section appears in the bottom-left corner of the right pane.

2. Specify the CA Service Desk webservice URL to connect to, the user name, and the password. These credentials are used to connect to the webservice.

3. In the Event Notification section, select the events and the service desk template that should be used while creating the change order.

4. Click Save. The settings are saved.

Important! Restart CA Patch Manager for the modified settings to take effect.
