UPM Policies do not evaluate successfully when Patch Management is installed on an Enterprise Server and the Policy is based on an edited CA Rollup Patch.

Document ID : KB000051264
Last Modified Date : 14/02/2018

Description:

Patch Manager is installed on an ITCM Enterprise Manager that is linked with one or more Domain Managers.

A full security rollup which is in approved state in Patch Manager is edited within Patch Management.

Figure 1

A Patch Management Policy is created to automate the deployment of this edited patch.

Once the policy is evaluated and distributed from the Enterprise Manager across the Domain Managers, policy violations are not shown in the respective Domain Managers, and therefore the patch is not distributed.

Figure 2

Root Cause

Editing a patch creates a new signature for that patch. Because the patch is a CA Rollup, this signature is not distributed from the Enterprise Manager to the Domain Manager (each Domain is responsible for downloading its own content from the CA Content Download Server).

As a result, the UPM Groups and Policies that are populated onto the Domain Manager for this patch cannot be evaluated, because the SQL query fails due to the missing signature.

Solution:

CA designed the content utility to allow content to be exported from one Manager and imported into another. It is used when firewalls prevent a Manager from accessing the Content Download Server and when content needs to be replicated from the Enterprise Manager to a Domain Manager.

Follow the steps below to run the content utility after the edited rollup patch moves to the "Testing State".

  • On the Domain machine, run C:\Program Files\CA\DSM\bin\content_utility.exe, which creates a content_utility.xml file.
  • Edit the content_utility.xml file and replace the highlighted text.

        <export>
          <manager>
            <hostname>EM.xx.com</hostname>
            <enabled>yes</enabled>
            <ca_provided>yes</ca_provided>
            <custom_created>no</custom_created>
          </manager>
        </export>
        <import>
          <manager>
            <hostname>DM.xx.com</hostname>
            <enabled>yes</enabled>
            <ca_provided>yes</ca_provided>
            <custom_created>no</custom_created>
          </manager>
        </import>

  • Save and close the XML file, then run C:\Program Files\CA\DSM\bin\ContentUtility.exe to replicate the software definition that was created on the Enterprise Manager to the Domain Manager.
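One way to script the edit in the second step and sanity-check the file before the utility is run, as an added PowerShell example (not CA's own tooling). It relies only on the element names in the XML fragment above; the file path and host names are parameters you supply, and the "exactly one manager per section" check is an assumption taken from that fragment.

```powershell
# Added example: set the export/import manager host names in content_utility.xml
# and verify the entries before the content utility is run or scheduled.
param(
    [Parameter(Mandatory)] [string]$Path,        # location of content_utility.xml
    [Parameter(Mandatory)] [string]$ExportHost,  # Enterprise Manager (source of the content)
    [Parameter(Mandatory)] [string]$ImportHost   # Domain Manager (destination)
)

Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

# Exporting from and importing to the same manager would replicate nothing.
if ($ExportHost -ieq $ImportHost) {
    throw "Export and import managers are the same host ($ExportHost)."
}

$resolved = (Resolve-Path -LiteralPath $Path).ProviderPath
Copy-Item -LiteralPath $resolved -Destination "$resolved.bak" -Force   # keep the generated file

$doc = New-Object System.Xml.XmlDocument
$doc.PreserveWhitespace = $true
$doc.Load($resolved)

function Set-ManagerHost([string]$Section, [string]$HostName) {
    # Assumption: one <manager> per section, as in the fragment shown in the article.
    $managers = @($doc.SelectNodes("//$Section/manager"))
    if ($managers.Count -ne 1) {
        throw "Expected one <manager> under <$Section>, found $($managers.Count)."
    }
    $manager = $managers[0]
    foreach ($tag in 'hostname', 'enabled', 'ca_provided', 'custom_created') {
        if ($null -eq $manager.SelectSingleNode($tag)) {
            throw "<$Section>/<manager> is missing <$tag>."
        }
    }
    $manager.SelectSingleNode('hostname').InnerText = $HostName
    if ($manager.SelectSingleNode('enabled').InnerText.Trim() -ne 'yes') {
        Write-Warning "<enabled> is not 'yes' for the <$Section> manager."
    }
}

Set-ManagerHost -Section 'export' -HostName $ExportHost
Set-ManagerHost -Section 'import' -HostName $ImportHost

$doc.Save($resolved)
Write-Output "Updated ${resolved}: export=$ExportHost, import=$ImportHost (backup: $resolved.bak)"
```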

After the agent next runs a software inventory, it is displayed as a violator.

Figure 3

The Content Utility can be automated by scheduling it to run as an Asset Job:

  1. Open ITCM Explorer and go to Jobs -> Asset jobs -> New job.

    Figure 4

  2. Select the job type as External utility.

    Figure 5

  3. Provide the job name and the description.

    Figure 6

  4. Select the contentutility executable using the browse button. This file can be found at <dsm_home>/bin/contentutility.exe.

    Figure 7

  5. Select <dsm_home>/bin as the working directory and click Next.

    Figure 8

  6. Schedule the job as per the requirements. Be sure to select the "This job is allowed to run unattended" box on the Miscellaneous tab.

    Figure 9

    Figure 10

  7. Link this Asset Job to the Domain Manager.

    Figure 11

    Figure 12

  8. The next time the agent runs on the Domain Manager, this job is executed.

  9. Verify the asset job status and check for the success message.

    Figure 13