Novell ZPM's New Content Architecture

  • 7004841
  • 10-Nov-2009
  • 27-Sep-2013

Environment

Novell ZENworks Patch Management 6.4 - ZPM6.4
Novell ZENworks 10 Configuration Management
Novell ZENworks Configuration Management 11
Novell ZENworks Patch Management 10
Novell ZENworks Patch Management 11

Situation

Novell ZPM is taking a proactive approach toward an era of open, standards-based systems. At its core, the ZPM platform is opening to content that has been created by the global content community. Embracing these varied sources helps ZPM deliver additional value through its products such as Security Configuration Management (SCM).

For Novell ZPM, this new content architecture opens the door to a diverse range of security and application patches, configuration states, policy mappings, application hash libraries, software distributions, and IT best-practice configurations that are constantly being made available by multiple vendors and standards bodies. This new content architecture helps lay the foundation on which more value will be delivered over the next few years: a broader selection of content, delivered more quickly, and more value built into the offering in the future.

Resolution

REQUIRED CONFIGURATIONS

An update to both servers and agents is needed to enable content delivery via the new content architecture. In addition, firewall changes are needed so that Update Servers can reach vendor-specific remediation binaries and scan files. The following steps are required to take advantage of the new content architecture:

1.  Bring Update Server software up to minimum required levels.
New Content Architecture support for Windows Server 2008 requires Novell ZENworks 10 Configuration Management or Novell ZENworks Patch Management Server version 6.4 SP1 or higher. Support for Red Hat Enterprise Linux requires Novell ZENworks 10 Configuration Management or Novell ZENworks Patch Management Server version 6.4 SP2 or higher. Earlier versions must be upgraded to take advantage of the New Content Architecture.

2.  Bring Update Agent software up to minimum required levels.

The new content architecture requires upgrades to Update Agent software. Both ZPM and third-party software may need to be deployed to the update agents, depending on the configuration of the participating workstations. For example, the Windows Update software must be version 3.0 or greater. A software installation package, containing the ZPM and Windows Update software packages needed to support content delivery via the new content architecture, will be made available from the Update Web Management Console for quick deployment to registered Update Agents.

3.  Modify firewall settings on behalf of Update Servers.

Administrators of Update Servers need to tell their firewall personnel which new URLs must be allowed outbound. These URLs are required for the Update Server to function as expected with the new content architecture.

For ZENworks Patch Management:

cache.patchlinksecure.net/PatchComponents/OSPXSet.xml  (http://)
cache.lumension.com/patchcomponents/  (http://)  -  multiple files are retrieved from this location

For Attachmate Novell Subscriptions:

nu.novell.com  (https://)

For Microsoft Windows content, this includes the following URL:
download.windowsupdate.com

For Oracle Enterprise Linux, this includes the following URL:

linux-update.oracle.com

For CentOS, this includes the following URLs:

mirror.centos.org
vault.centos.org

For Red Hat Enterprise Linux, this includes the following URL:

rhn.redhat.com

For Sun Solaris, this includes the following URLs:

https://identity.sun.com/amserver/UI/Login
http://sunsolve.sun.com/
http://sunsolve.sun.com/show.do?target=home
http://sunsolve.sun.com/pdownload.do

For additional information on firewall configurations for Microsoft Windows content, review the article on Microsoft’s TechNet Library: http://technet.microsoft.com/en-us/library/cc708605.aspx


In the future, additional URLs may be required, depending on which content sources are used. An important consideration: specify these entries in firewall rules by host name, exactly as listed. IP-address equivalents are discouraged because the addresses behind these names change frequently (DNS round-robin and similar schemes), so an IP-based rule will start failing without warning.
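As an added example (not Novell's or ZPM's code), the following script turns the URL list above into a host-name-based egress allowlist for the Update Server and classifies each source the way the Content tab diagnostic described in the FAQ does: name resolution failure, connection failure, or a server that was reached (an HTTP error such as a login page still proves the firewall path works). The source list is constructed from this article's own lines and notation; the default of opening both port 80 and 443 for bare host names whose scheme the article does not state, and the `ok`/`http-error`/`connect-failure`/`dns-failure` labels, are this example's assumptions.

```python
"""Egress allowlist builder and reachability check for the content-source URLs
this article lists. Added example, not Novell/ZPM code: the product's Content
tab is the authoritative diagnostic, this only reproduces its logic."""
import re
import socket
import urllib.error
import urllib.request

# Constructed from the URL lists in this article. "(http://)" / "(https:)" is
# the article's own notation for the scheme; bare names carry no scheme.
ARTICLE_SOURCES = [
    "cache.patchlinksecure.net/PatchComponents/OSPXSet.xml  (http://)",
    "cache.lumension.com/patchcomponents/  (http://)",
    "nu.novell.com  (https:)",
    "download.windowsupdate.com",
    "linux-update.oracle.com",
    "mirror.centos.org",
    "vault.centos.org",
    "rhn.redhat.com",
    "https://identity.sun.com/amserver/UI/Login",
    "http://sunsolve.sun.com/",
    "http://sunsolve.sun.com/show.do?target=home",
    "http://sunsolve.sun.com/pdownload.do",
]

DEFAULT_PORTS = {"http": 80, "https": 443}
_LINE = re.compile(r"^\s*(\S+)(?:\s+\((\w+):/*\))?\s*$")


def parse_source(line):
    """Return (scheme, host, port, path). scheme and port are None when the
    article gives only a bare host name."""
    m = _LINE.match(line)
    if not m:
        raise ValueError(f"unrecognised source line: {line!r}")
    target, scheme = m.group(1), (m.group(2) or "").lower() or None
    if "://" in target:
        url_scheme, _, target = target.partition("://")
        scheme = scheme or url_scheme.lower()
    host, sep, rest = target.partition("/")
    path = "/" + rest if sep else "/"
    if scheme is not None and scheme not in DEFAULT_PORTS:
        raise ValueError(f"unsupported scheme {scheme!r} in {line!r}")
    return scheme, host.lower(), DEFAULT_PORTS.get(scheme), path


def egress_rules(lines):
    """Distinct (hostname, port) pairs the Update Server needs outbound.
    Keyed by host name, never IP. Bare names get both 80 and 443 because the
    article does not state their scheme (assumption: allow both, then tighten)."""
    rules = set()
    for line in lines:
        _, host, port, _ = parse_source(line)
        for p in ([port] if port else DEFAULT_PORTS.values()):
            rules.add((host, p))
    return sorted(rules)


def check_source(line, resolver=socket.getaddrinfo,
                 opener=urllib.request.urlopen, timeout=10):
    """Classify one source: dns-failure, connect-failure, http-error (the
    server answered, so name resolution and the firewall path work) or ok."""
    scheme, host, port, path = parse_source(line)
    scheme = scheme or "http"            # assumption for bare host names
    port = port or DEFAULT_PORTS[scheme]
    try:
        resolver(host, port)
    except socket.gaierror as exc:
        return "dns-failure", str(exc)
    url = f"{scheme}://{host}{path}"
    try:
        resp = opener(url, timeout=timeout)
        status = resp.status
        resp.close()
        return "ok", status
    except urllib.error.HTTPError as exc:   # must precede URLError (subclass)
        return "http-error", exc.code
    except (urllib.error.URLError, OSError) as exc:
        return "connect-failure", str(getattr(exc, "reason", exc))


def check_all(lines, **kw):
    """Map each source line to its (status, detail)."""
    return {line: check_source(line, **kw) for line in lines}


def failing(results):
    """The URLs to hand to the firewall team: unresolved or unreachable."""
    return sorted(line for line, (status, _) in results.items()
                  if status in ("dns-failure", "connect-failure"))


if __name__ == "__main__":
    for host, port in egress_rules(ARTICLE_SOURCES):
        print(f"allow tcp from <update-server> to {host} port {port}")
    for line, (status, detail) in check_all(ARTICLE_SOURCES).items():
        print(f"{status:16} {str(detail):40.40} {line}")
```

Run it on the Update Server itself (the only host that needs this access), not from an administrator's workstation, since that is the path the firewall rules must cover.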


4. Review the set of supported locales on Update Servers.

For new installations the default locale selection is U.S. English only; servers that are upgrading retain their previously configured locale selections. Packages for every locale that is licensed and selected in the Update Server subscription configuration are cached at the Update Server, so reviewing this setting is an important step toward keeping the Update Server efficient.

5. Review new content architecture settings on Novell ZENworks 10 Configuration Management or Update Servers 6.4 SP1 and SP2.

To verify that a server is enabled to receive content via the new content architecture, navigate to the Content tab on the Subscription Service Configuration dialog box, accessible via the Options > Subscription Services > Configure > Content page.

Status

Reported to Engineering

Additional Information

FAQ

How does the new content architecture affect Update?
In the current content delivery process, the Content Development Team retrieves detection metadata and remediation binaries from vendor Web sites and hosts them on the Global Subscription Servers (GSS).

With the new content architecture, the GSS continues to serve the metadata placed there by the Content Development Team. However, as a result of the new content importing process, the Update Server now downloads the remediation binaries directly from the vendor Web sites.

What content is being provided?

Content using the new content architecture will be provided for the following operating systems:
  • CentOS 5 (x86 and x86_64)
  • CentOS 4 (x86 and x86_64)
  • Microsoft Windows Web Server 2008 Edition (32 and 64 bit)
  • Microsoft Windows Server 2008 Enterprise Edition (32 and 64 bit)
  • Microsoft Windows Server 2008 Standard Edition (32 and 64 bit)
  • Microsoft Windows Server 2008 Enterprise without Hyper-V Edition (32 and 64 bit)
  • Microsoft Windows Server 2008 Standard without Hyper-V Edition (32 and 64 bit)
  • Oracle Enterprise Linux 5 (x86 and x86_64)
  • Oracle Enterprise Linux 4 (x86 and x86_64)
  • Red Hat Enterprise Linux 5 (x86 and x86_64, Client and Server core)
  • Red Hat Enterprise Linux 4 (x86 and x86_64, AS, ES, WS)
  • Red Hat Enterprise Linux 3 (x86 and x86_64, AS, ES, WS)
Content using the new content architecture will be provided for the following applications:

  • Adobe Acrobat Professional
  • Adobe Acrobat Standard
  • Adobe Photoshop
  • Adobe InDesign
  • Adobe Air
  • Adobe Reader
  • Adobe Flash Player
  • Adobe Shockwave
What will be seen in Novell ZENworks 10 Configuration Management or Update Server 6.4 SP1 and SP2?
The initial phase of Novell ZPM’s new content architecture consists largely of process and infrastructure changes. One change visible in the Update interface is the Subscription Service Configuration dialog box has a new Content tab.

Delivery of content via the new content architecture is not enabled by default. Administrators can verify that the steps taken to receive content via the new content architecture were successful by viewing this dialog: select Options from the top menu on the Update Server home page, select the Subscription Services tab, select Configure from the bottom menu, and then select the Content tab. The page lists the web locations (URLs) from which content is being retrieved. Because a firewall may be blocking access to some of these URLs, the dialog doubles as a diagnostic: it shows which URLs are connecting successfully and which are not. An option is provided to export this URL access data for reporting purposes.

Why are there Update Server notifications for older content, including content that was possibly downloaded before?
When support for a platform is released using the New Content Architecture, there can be a large influx of new content for that platform. This may include content that was previously downloaded but is downloaded again in the format used by the new architecture.

To verify if the Update Servers support the new content architecture in Novell ZENworks 10 Configuration Management or Update 6.4 SP1 and SP2:
Navigate to the Subscription Service Configuration dialog and ensure that the Enable radio button is selected. Also, refer to the retrieval results window in that same dialog to view a history of the URLs that were attempted, along with a current status.

To verify if the Update Agents support the new content architecture:
Agents will show in the Update Management Console as being vulnerable for the package that adds a Native Scan API. Once this package is deployed, then that workstation is eligible to receive content via the new content architecture.

Must the firewall be open in order to support the new content architecture?
Yes, but remember that doing so opens the way for much better remediation, policy enforcement, and standards compliance. Also remember that Update Servers still cache all remediation binaries; agents never retrieve patch binaries from vendors. So open the firewall only for the Update Servers, and only for the URLs that belong to the content sources actually in use.

How can I verify that the firewall is configured correctly to access the new URLs?
If the firewall is not configured correctly, failure statuses will be shown next to the affected URLs in the Content tab of the Subscription Service Configuration dialog.

Will updating Agents modify the Windows Update configuration?
No. Support for Windows content via the New Content Architecture leverages Microsoft’s Windows Update API and run-time to do native scanning, but does so independently of Microsoft’s use of Windows Update. Updating the ZPM Patch and Remediation Agent will not modify the Windows Update configuration, but administrators will need to set the Automatic Updates service to manual in order to leverage the New Content Architecture. See ZPM scans for Windows Server 2008 require Windows Automatic Updates Service (7005313) for more information.

The Update Server is running a version earlier than 6.3. Can it be configured to use the new content architecture?
No. Upgrade to Update Server 6.4 SP1B for Windows 2008 or higher and take specific steps to enable the new content architecture. Please review the details posted on Novell’s support for upgrade instructions:

Does this mean that Novell no longer tests content?
No. Novell will continue to test content utilizing vendor vulnerability metadata and vendor-specific scanning methods during the content importing process undertaken by the Content Development Team. The new content architecture simply improves delivery time frames and in fact increases security and accuracy of the content delivery process.

Does this mean that Novell no longer has a detection tool?
This is not the case; the detection tool remains. Novell ZPM is simply augmenting its detection process. Novell will leverage other vendors' detection processes, but if need be, Novell can augment, modify, or replace those detection processes with its own at any time.

Isn't accessing vendor sites less secure than downloading files from Novell?
With Novell's new content architecture, the hash value of each binary file is carried in the content metadata, so the hash of a downloaded file can be validated, including by third parties. Comparing the computed hash against the recorded one helps assure that the content has not been modified after the vendor posted it.

Remediation metadata is still confirmed and tested by Novell's Content Team during the content importing process. With the additional metadata attributes (more than simply a file location and a date stamp), the new content delivery process is actually more secure and accurate than was possible before.
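An added example (not ZPM's code) of the check the answer above describes: before a downloaded remediation binary is cached or published to agents, its digest is recomputed and compared with the digest recorded in the metadata at import time. The metadata field names (`file`, `hash_alg`, `hash`, `size`), the accepted-algorithm policy and the sample payload are constructed for illustration; the article does not state which digest algorithms ZPM metadata actually carries.

```python
"""Verify a downloaded remediation binary against the digest recorded in its
content metadata. Added example, not ZPM code: the metadata field names, the
accepted-algorithm policy and the sample payload are constructed."""
import hashlib
import hmac
import io

# Policy assumption: the article does not say which digest algorithms the
# metadata carries. Refuse md5 (collisions are practical) and anything
# unknown rather than silently "verifying" with a weak or unrecognised hash.
ACCEPTED_ALGORITHMS = {"sha256", "sha512"}


class ContentIntegrityError(Exception):
    """Raised on any verification failure so a caller cannot ignore it."""


def digest_stream(fp, algorithm, chunk_size=1 << 16):
    """Return (hex digest, bytes read) for a file-like object, streamed so a
    large binary is never loaded into memory at once."""
    h = hashlib.new(algorithm)
    size = 0
    for chunk in iter(lambda: fp.read(chunk_size), b""):
        h.update(chunk)
        size += len(chunk)
    return h.hexdigest(), size


def verify_binary(fp, metadata):
    """Check fp against metadata {"file", "hash_alg", "hash", "size"}
    (constructed field names). Returns the verified hex digest or raises."""
    name = metadata.get("file", "<unnamed>")
    alg = str(metadata.get("hash_alg", "")).lower()
    expected = str(metadata.get("hash", "")).lower()
    if alg not in ACCEPTED_ALGORITHMS:
        raise ContentIntegrityError(f"{name}: refusing algorithm {alg!r}")
    if (len(expected) != hashlib.new(alg).digest_size * 2
            or any(c not in "0123456789abcdef" for c in expected)):
        raise ContentIntegrityError(f"{name}: malformed {alg} digest in metadata")
    actual, size = digest_stream(fp, alg)
    if "size" in metadata and size != metadata["size"]:
        raise ContentIntegrityError(f"{name}: size {size} != {metadata['size']}")
    # compare_digest is the idiomatic constant-time comparison for digests.
    if not hmac.compare_digest(actual, expected):
        raise ContentIntegrityError(
            f"{name}: digest mismatch (expected {expected}, got {actual})")
    return actual


def vendor_metadata(name, data, algorithm="sha256"):
    """What the import step would record: the digest and size of the file as
    it was posted by the vendor (constructed record format)."""
    return {"file": name, "hash_alg": algorithm,
            "hash": hashlib.new(algorithm, data).hexdigest(), "size": len(data)}


def is_trusted(data, metadata):
    """True only if the bytes verify against the metadata."""
    try:
        verify_binary(io.BytesIO(data), metadata)
        return True
    except ContentIntegrityError:
        return False


# Constructed sample payload standing in for a vendor patch binary.
SAMPLE_BINARY = b"MZ\x90\x00" + b"constructed sample remediation binary " * 40
SAMPLE_METADATA = vendor_metadata("sample-patch.exe", SAMPLE_BINARY)

if __name__ == "__main__":
    print("genuine :", is_trusted(SAMPLE_BINARY, SAMPLE_METADATA))
    print("tampered:", is_trusted(SAMPLE_BINARY[:-1] + b"!", SAMPLE_METADATA))
```

The important design point is that a file whose metadata names an unknown or weak algorithm is rejected, not passed through: an attacker who can alter the metadata could otherwise downgrade the check along with the binary.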

How will non-Windows machines be affected by the new content architecture?
New platforms such as CentOS and Oracle Enterprise Linux are supported using the new content architecture. Customers will no longer need the Content Update Tool in order to patch Sun Solaris and RHEL systems.