3.3 Configuring Subscription Service Content Download

In the Subscription Service Content Download page you configure the subscription download options for the ZENworks Primary Server. These options include choosing platforms, languages, vendors, and other download options. You can select the languages that are used within your network to ensure that you only download the patches that are most applicable for your organization. The next time replication occurs, only those patches specific to the languages are downloaded, which saves time and disk space on your ZENworks Primary Server.

NOTE: Micro Focus does not recommend selecting all languages because each language can represent hundreds of patches. Downloading unnecessary languages can result in thousands of unused patch definitions within your ZENworks Primary Server database.

EXPECTED RESULTS: From version ZCM 11.1 onwards, administrators can select which Primary Servers receive the patch bundles, whereas prior releases forced the rollout to all servers.

To configure content download for the Subscription Service, select Configuration in the ZENworks navigation menu, and go to Configuration > Security > Subscription Service Content Download.

Refer to the descriptions below to understand and configure the Subscription Service Content Download settings according to your organization’s needs:

Item

Description

Select the platforms to download

Enables you to select the operating system platform for which you want to download patches. For example, if you select the Windows check box, only Windows patches are downloaded.

RPM Dependency

This option is only enabled when the LINUX platform is selected. Selecting this check box will download all the root level dependencies that will be necessary to resolve any vulnerabilities.

NOTE: This option is not applicable for SLES 12 and later versions.

Red Hat Linux Subscription Management

Enables you to retain the current default subscription type (RHN Classic) for Red Hat systems or to migrate to the preferred subscription type by choosing RHSM, which is a much more efficient method of getting security content from Red Hat.

For information on RHSM registration or migration, see Register for or Migrate to RHSM.

NOTE: RHSM is currently required for RHEL 7 clients. Effective July 31, 2017 it will be required for all RHEL clients.

Choose your Windows language options

Enables you to select the language of patches you want to download. For example, if you select the French check box, only French language patches are downloaded.

Mix Multiple Languages

Enables you to combine all languages into each Patch Detection Assignment (not recommended).

SSL

Enables you to turn secured downloading on or off.

Cache patch bundles to satellite servers

Enables you to cache patch bundles to the servers or workstations that are managed by primary servers.

Cache patch bundles to primary servers

Enables you to cache patch bundles to primary servers only.

Download location for patch content

ZPM directory: Downloads patch signatures to

  • Windows: installpath\zenworks\zpm

  • Linux: /var/opt/novell/zenworks/zpm

Bundle content directory: Temporarily downloads patch content to

  • Windows: installpath\zenworks\work\content-repo\tmp\zpm

  • Linux: /var/opt/novell/zenworks/content-repo/tmp/zpm

When all patches in a bundle are fully downloaded, the patches are imported to

  • Windows: installpath\zenworks\work\content-repo\content

  • Linux: /var/opt/novell/zenworks/content-repo/content

NOTE: Actual content of cached patches is downloaded to the Bundle content directory irrespective of the directory selected in the content download configuration.

Enable not applicable patches

Enables patches that are not applicable to your enterprise. This option may slow performance if enabled.

Enable PD caching

Enables local cache for faster Patch Detection results, which eliminates the decryption and decompression of Vulnerability Detections. Only use this feature if you trust end users to stay out of the ZENworks Agent directory. Ideally, workstation users should not have access to the ZENworks Agent directory.

Select vendors to use in the system

Enables you to select the vendors to use in the system. You can choose All or the Selected option. The latter enables the check boxes for selecting individual vendors.

NOTE: This list of vendors will not be populated until the initial subscription update has completed.

Patch Policy uses only applicable patches

Configures the system to only have applicable patches available for selection when building patch policies.

IMPORTANT: Customers with larger network environments should select both Cache Patch Bundles to Satellites and Cache Patch Bundles to Primary Servers for optimal distribution of patches and the daily Discover Applicable Updates task within their environment. Not selecting these options could cause very slow and inefficient delivery of these patch bundles within a highly distributed WAN environment.

Within an enterprise network environment, the customer usually installs more than one ZENworks Primary Server. Although only one of these servers can be used to download patches, every Primary Server has a cache of patch bundle content for distribution to the agents that are closest to it within the zone. Thus, when an agent wants to get a bundle, it can get the bundle directly from its closest Primary Server rather than the Primary Server where the patches were downloaded.

In addition, the satellites that are installed within the customer network can also serve as a cache for bundle content. If an agent is at a remote branch office with a satellite, it can get its content directly from the satellite rather than the Primary Server where patches were downloaded.

3.3.1 Cleaning up Patch Content

Using the CVE and Patch Cleanup page, you can delete disabled patch content and data, and you can delay the disabling of superseded patches and patches that are no longer required by ZENworks.

To configure patch cleanup settings, click Configuration in the ZENworks navigation menu, and go to Configuration > Security > CVE and Patch Cleanup.

Refer to the descriptions below to understand and configure the cleanup settings according to your organization’s needs:

Item

Description

Disabled Patch Cleanup

Specify the time period after which to delete data and content for a disabled patch. This setting deletes the patch listing and any cached bundles for a patch that meets the following conditions:

  • The patch is disabled.

  • The patch does not have any dependencies to deployed bundles.

  • The patch has been disabled longer than the time duration selected from the drop-down.

IMPORTANT: Applicable bundles are not deleted until the next subscription update.

To see if a patch has dependencies to a deployed bundle from a patch policy or remediation, reference the services-messages log, which shows the patches that cannot be automatically or manually deleted because of dependencies. The location of the log is provided below:

  • Linux: /var/opt/novell/log/zenworks/services-messages.log

  • Windows: %ZENWORKS_HOME%\logs\services-messages.log

This setting provides the following options:

  • Delete disabled patch content after: Specify when the disabled patch content should be deleted. The default value is 6 months.

  • Delete disabled patch data after: Specify when the disabled patch data should be deleted from ZENworks. The default value is 5 years.

Superseded Patches Disablement

By default, when a patch is superseded by a newer patch, it is disabled and can no longer be applied to devices. In general, this is the desired behavior because best practice dictates that you keep devices updated with the most recent patches in order to minimize security risks. However, you might have situations where you need a superseded patch to remain enabled. The following settings let you change when superseded patches become disabled:

  • Delay disabling of superseded patches xx days: Use this setting to keep superseded patches enabled in your system for up to 90 days. This allows you to continue to deploy the patches to devices either through patch remediations or policies.

    NOTE:

    • You can configure a value other than 30, 60 or 90 days by configuring the PATCH_DELAY_SUPERSEDED_DISABLE system variable. For more information about this system variable, see PATCH_DELAY_SUPERSEDED_DISABLE.

  • Do not disable superseded patches that are included in a policy: By default, a superseded patch is not removed from a policy and replaced by the superseding patch until the policy is rebuilt and republished. This behavior can result in a period of time where the policy does not apply the superseded patch (because it is disabled) or the new superseding patch (because it is not in the policy).

    You can use this setting to ensure that patches that are included in a policy are never disabled as long as they are in the policy. Patches that are included in the policy via a rule remain enabled until they are removed when the policy is rebuilt. Patches that are included via the Members list remain enabled until they are manually removed from the list and the policy is rebuilt.

    Also, if a user enables a superseded patch that is within a policy, but there are no applicable devices, then, on the next subscription update, the patch will get disabled, even though this option is selected.

NOTE: Both settings apply only to patches that are superseded after the setting is enabled.

Patches Disablement

This setting disables patch content within the system based on the criteria you select. These options are useful for filtering out obsolete content and enhancing performance. All options are selected by default.

More clarifications are provided below for those settings that are often misunderstood:

  • Disable legacy patches that were updated with a newly issued duplicate patch

    Legacy patches are patches replaced by the vendor with a newly issued patch, generally in a shorter time frame than a superseded patch. They are not superseded patches.

  • Disable obsolete security patches

    Obsolete patches are patches discontinued by the vendor, but not replaced. They are not superseded patches.

  • Detect only the current supported Service Packs

    This setting enhances the timeliness of deploying the latest service pack patches to managed devices, as opposed to scanning for non-applicable patches in the DAU.

  • Disable older patches by age

    This setting enables you to delete patches based on when they were released by the OS Vendor or a Third-party Vendor.

  • Disable patches for specific cultures

    This setting enables you to disable patches that are specific to cultures such as United Kingdom (English) and South African (English).

  • Disable Windows Embedded patches

    This setting enables you to disable Windows Embedded patches.

3.3.2 Register for or Migrate to RHSM

The Red Hat Subscription Management service (RHSM) is the latest model provided by Red Hat to register for Red Hat subscriptions. RHSM is compatible with ZENworks Patch Management. It provides a much more efficient method for Red Hat patch distribution. All Red Hat client subscriptions will be required to use RHSM by July 31, 2017.

To use RHSM, a new subscriber will have to first register with Red Hat or an existing subscriber will have to migrate from the Classic service to RHSM. The ZENworks procedures for both options are provided below:

  • New subscription. To configure RHSM as a new subscriber:

    1. In the ZENworks Control Center, go to Configuration > Security > Subscription Service Content Download.

    2. Select RHSM under the Red Hat Linux Subscription Management configuration.

    3. Scroll to the bottom of the configuration page and click Apply to save the changes.

    4. Register the RHEL 5, 6, or 7 agent for RHSM:

      1. On the Red Hat device, go to Applications > System Tools, and select Red Hat Subscription Manager.

      2. In the Subscription Manager, click Register, and then click Next.

      3. In the System Registration page, click Register.

      4. In the Subscription Attachment page, click Attach.

    5. Wait for the next DAU task to execute per the schedule, or click Update Now in the Subscription Service Settings page (Configuration > Security > Patch Subscription Service Settings).

  • RHSM migration. To migrate to RHSM from the RHN Classic mode:

    1. In the ZENworks Control Center, go to Configuration > Security > Subscription Service Content Download.

    2. Select RHSM under the Red Hat Linux Subscription Management configuration.

    3. Scroll to the bottom of the configuration page and click Apply to save the changes.

    4. Log in to your Red Hat account at https://access.redhat.com/articles/1161543, and follow the instructions to migrate to RHSM.

    5. Wait for the next DAU task to execute per the schedule, or click Update Now in the Subscription Service Settings page (Configuration > Patch Management > Subscription Service Settings).
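
A check that can be run on the RHEL agent after step 4 of either procedure, before the next DAU task, to confirm which subscription service the device is actually using. This is an added example, not part of the ZENworks documentation; it assumes that subscription-manager identity succeeds only on an RHSM-registered system and that an RHN Classic registration leaves its system ID in /etc/sysconfig/rhn/systemid.

```shell
#!/bin/sh
# Added example: report which Red Hat subscription service a RHEL agent uses.
# Assumptions (not taken from the ZENworks documentation):
#   - "subscription-manager identity" exits 0 only when registered to RHSM
#   - /etc/sysconfig/rhn/systemid is present only for an RHN Classic registration
# SUBMGR and RHN_SYSTEMID can be overridden, for example for testing.
SUBMGR="${SUBMGR:-subscription-manager}"
RHN_SYSTEMID="${RHN_SYSTEMID:-/etc/sysconfig/rhn/systemid}"

# Prints one of: rhsm, classic, both, none
rhsm_state() {
    rhsm=no
    classic=no
    if command -v "$SUBMGR" >/dev/null 2>&1 &&
       "$SUBMGR" identity >/dev/null 2>&1; then
        rhsm=yes
    fi
    if [ -s "$RHN_SYSTEMID" ]; then
        classic=yes
    fi
    case "$rhsm/$classic" in
        yes/no)  echo rhsm ;;
        no/yes)  echo classic ;;
        yes/yes) echo both ;;
        *)       echo none ;;
    esac
}

# Returns 0 only when the agent is registered to RHSM and nothing else.
rhsm_ready() {
    state=$(rhsm_state)
    case "$state" in
        rhsm)    echo "OK: registered to RHSM only" ;;
        both)    echo "WARN: RHSM registered, but RHN Classic system ID remains: $RHN_SYSTEMID"
                 return 1 ;;
        classic) echo "FAIL: still on RHN Classic; complete the RHSM migration"
                 return 1 ;;
        *)       echo "FAIL: not registered to any Red Hat subscription service"
                 return 1 ;;
    esac
}

# Run the check only when invoked as: sh thisfile.sh --check
if [ "${1:-}" = "--check" ]; then
    rhsm_ready
    exit $?
fi
```

A result of both or classic after a migration means the device has not fully left RHN Classic, so the RHSM setting selected in ZENworks Control Center does not yet match the device.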