In the Subscription Service Content Download page you configure the subscription download options for the ZENworks Primary Server. These options include choosing platforms, languages, vendors, and other download options. You can select the languages that are used within your network to ensure that you only download the patches that are most applicable for your organization. The next time replication occurs, only those patches specific to the languages are downloaded, which saves time and disk space on your ZENworks Primary Server.
NOTE:Micro Focus does not recommend selecting all languages because each language can represent hundreds of patches. Downloading unnecessary languages can result in thousands of unused patch definitions within your ZENworks Primary Server database.
EXPECTED RESULTS: From version ZCM 11.1 onwards, administrators are allowed to select the Primary servers that should receive the patch bundles compared to the forced rollout to all servers in prior releases.
To configure content download for the Subscription Service, Select Configuration in the ZENworks navigation menu, and go to Configuration > Security > Subscription Service Content Download.
Refer to the descriptions below to understand and configure the Subscription Service Content Download settings according to your organization’s needs:
Item |
Description |
---|---|
Select the platforms to download |
Enables you to select the operating system platform for which you want to download patches. For example, if you select the Windows check box, only Windows patches are downloaded. |
RPM Dependency |
This option is only enabled when the LINUX platform is selected. Selecting this check box will download all the root level dependencies that will be necessary to resolve any vulnerabilities. NOTE:This option is not applicable for SLES 12 and later versions. |
Red Hat Linux Subscription Management |
Enables you to retain the current default subscription type (RHN Classic) for Red Hat systems or to migrate to the preferred subscription type by choosing RHSM, which is a much more efficient method of getting security content from Red Hat. For information on RHSM registration or migration, see Register for or Migrate to RHSM. NOTE:RHSM is currently required for RHEL 7 clients. Effective July 31, 2017 it will be required for all RHEL clients. |
Choose your Windows language options |
Enables you to select the language of patches you want to download. For example, if you select the French check box, only French language patches are downloaded. |
Mix Multiple Languages |
Enables you to combine all languages into each Patch Detection Assignment (not recommended). |
SSL |
Enables you to turn secured downloading on or off. |
Cache patch bundles to satellite servers |
Enables you to cache patch bundles to the servers or workstations that are managed by primary servers. |
Cache patch bundles to primary servers |
Enables you to cache patch bundles to primary servers only. |
Download location for patch content |
ZPM directory: Downloads patch signatures to
Bundle content directory: Temporarily downloads patch content to
When all patches in a bundle are fully downloaded, the patches are imported to
NOTE:Actual content of cached patches is downloaded to the Bundle content directory irrespective of the directory selected in the content download configuration. |
Enable not applicable patches |
Enables patches that are not applicable to your enterprise. This option may slow performance if enabled. |
Enable PD caching |
Enables local cache for faster Patch Detection results, which eliminates the decryption and decompression of Vulnerability Detections. Only use this feature if you trust end users to stay out of the ZENworks Agent directory. Ideally, workstations users should not have access to the ZENworks agent directory. |
Select vendors to use in the system |
Enables you to select the vendors to use in the system. You can choose All or the Selected option. The latter enables the check boxes for selecting individual vendors. NOTE:This list of vendors will not be populated until the initial subscription update has completed. |
Patch Policy uses only applicable patches |
Configures the system to only have applicable patches available for selection when building patch policies. |
IMPORTANT:Customers with larger network environments should select both Cache Patch Bundles to Satellites and Cache Patch Bundles to Primary Servers for optimal distribution of patches and the daily Discover Applicable Updates task within their environment. Not selecting these options could cause very slow and inefficient delivery of these patch bundles within a highly distributed WAN environment.
Within an enterprise network environment, the customer usually installs more than one ZENworks Primary Server. Although only one of these servers can be used to download patches, every Primary Server has a cache of patch bundle content for distribution to the agents that are closest to it within the zone. Thus, when an agent wants to get a bundle, it can get the bundle directly from its closest Primary Server rather than the Primary Server where the patches were downloaded.
In addition, the satellites that are installed within the customer network can also serve as a cache for bundle content. If an agent is at a remote branch office with a satellite, it can get its content directly from the satellite rather than the Primary Server where patches were downloaded.
Using the CVE and Patch Cleanup page, you can delete disabled patch content and data, as well as you can delay the disabling of superseded patches and patches that are no longer required by ZENworks.
To configure patch cleanup settings, click Configuration in the ZENworks navigation menu, and go to Configuration > Security > CVE and Patch Cleanup.
Refer to the descriptions below to understand and configure the cleanup settings according to your organization’s needs:
Item |
Description |
---|---|
Disabled Patch Cleanup |
Specify the time period after which to delete data and content for a disabled patch. This setting deletes the patch listing and any cached bundles for a patch that meets the following conditions:
IMPORTANT:Applicable bundles are not deleted until the next subscription update. To see if a patch has dependencies to a deployed bundle from a patch policy or remediation, reference the services-messages log, which shows the patches that cannot be automatically or manually deleted because of dependencies. The location of the log is provided below:
This setting provides the following options:
|
Superseded Patches Disablement |
By default, when a patch is superseded by a newer patch, it is disabled and can no longer be applied to devices. In general, this is the desired behavior because best practice dictates that you keep devices updated with the most recent patches in order to minimize security risks. However, you might have situations where you need a superseded patch to remain enabled. The following settings let you change when superseded patches become disabled:
NOTE:Both settings apply only to patches that are superseded after the setting is enabled. |
Patches Disablement |
This setting disables patch content within the system based on the criteria you select. These options are useful for filtering out obsolete content and enhancing performance. All options are selected by default. More clarifications are provided below for those settings that are often misunderstood:
|
The Red Hat Subscription Management service (RHSM) is the latest model provided by Red Hat to register for Red Hat subscriptions. RHSM is compatible with ZENworks Patch Management. It provides a much more efficient method for Red Hat patch distribution. All Red Hat client subscriptions will be required to use RHSM by July 31, 2017.
To use RHSM, a new subscriber will have to first register with Red Hat or an existing subscriber will have to migrate from the Classic service to RHSM. The ZENworks procedures for both options are provided below:
New subscription. To configure RHSM as a new subscriber:
In the ZENworks Control Center, go to Configuration > Security > Subscription Service Content Download.
Select RHSM under the Red Hat Linux Subscription Management configuration.
Scroll to the bottom of the configuration page and click Apply to save the changes.
Register the RHEL 5, 6, or 7 agent for RHSM:
On the Red Hat device, go to Applications > System Tools, and select Red Hat Subscription Manager.
Click Register, in the Subscription Manager, followed by Next.
In the System Registration page, click Register.
In the Subscription Attachment page, click Attach.
Wait for the next DAU task to execute per the schedule, or click Update Now in the Subscription Service Settings page (Configuration > Security > Patch Subscription Service Settings).
RHSM migration. To migrate to RHSM from the RHN Classic mode:
In the ZENworks Control Center, go to Configuration > Security > Subscription Service Content Download.
Select RHSM under the Red Hat Linux Subscription Management configuration.
Scroll to the bottom of the configuration page and click Apply to save the changes.
Log in to your Red Hat account at https://access.redhat.com/articles/1161543, and follow the instructions to migrate to RHSM.
Wait for the next DAU task to execute per the schedule, or click Update Now in the Subscription Service Settings page (Configuration > Patch Management > Subscription Service Settings).