Software Updates

ClearPass Policy Manager regularly checks for available updates on the Policy Manager Webservice server. When new updates are available, a network administrator can use the Administration > Agents and Software Updates > Software Updates page to download and install these updates. Firmware and patch updates and downloadable user role plugins must be manually downloaded and installed. Windows hotfixes, posture signature updates, and endpoint profile fingerprint updates can be automatically downloaded and installed, but this behavior is not enabled by default. To set these updates to be automatic, you must enable the Automatically download Posture Signature and Windows Hotfixes Updates and Automatically download Endpoint Profile Fingerprints settings on the Cluster-Wide Parameters options for the Policy Manager server. In a Policy Manager cluster, the Import Updates option is available on the publisher only.

Figure 1 displays the Software Updates page:

Figure 1  Software Updates Page

Policy Manager queries the Webservice server for the current list of firmware and patch updates once a day at a random time. Policy Manager queries the Webservice server for the latest Posture Signature, Windows hotfixes and Fingerprints updates at a random minute every hour. Fingerprint, firmware and patch data are refreshed as soon as new updates are available. New firmware and update patches that are available for download and installation are noted by the Policy Manager server automatically and shown in the user interface. An event is generated and displayed in the Event Viewer with the list of new updates that are available. If the event affects an SMTP server, Alert Notification email addresses are configured, and an email from the publisher is sent with the list of downloaded images. System Events (as seen on the Monitoring > Event Viewer page) shows records for events, such as communication failures with Webservice, successful or failed update downloads, and successful or failed update installations.

HPE Passport Credentials

This field is only available in publisher mode. Software updates are authenticated using a token rather than username and password. Tokens are obtained by clicking the Generate Token button in the HPE Passport Credentials section. A new browser page opens and is used to perform the Single Sign On action with the HPE Passport system using the current username/password. This prevents the problem of ClearPass Policy Manager updates attempting to authenticate with a password that has expired or been changed. If the token does not automatically renew, then approximately seven days prior to the expiration date the Administration > Agents and Software Updates > Software Updates page will display a message indicating that the token will expire at a specific date and time. Administrators must then click the Generate Token button to obtain a new token. You must authenticate to your HPE Passport account to allow the Policy Manager server to automatically contact the Webservice server to check for any available updates. If you do not authenticate your credentials, you will have to manually upload and install any updates.

Whenever appliances are taken out of a cluster, you must go to Administration > Agents and Software Updates > Software Updates on each resulting standalone appliance and use the Generate Token button to generate a new software updates token specific to that appliance.

Posture, Profiler, and Windows Hotfix Updates

Use this section of the Software Updates page to view or manually download and install the posture, endpoint profiler and Windows hotfix updates from the Webservice server to a Policy Manager publisher.

Viewing Available Posture Signature Updates

The Policy Manager server uses posture signature updates to check if the AntiVirus and the DAT files are the latest version (for more details, refer to Viewing Available Posture Signature Updates). Click the Posture Hotfixes Updates link on the Administration > Agents and Software Updates > Software Updates page to open an extensive list of all third-party antivirus products supported by Policy Manager. The top of this section displays a version number and a timestamp that identifies when it was last updated. For each product, information includes Definition Version, Definition Date, Definition Signature, and Engine Version for all supported versions.

Figure 2  Posture Signature Updates Data Displayed

Viewing Available Windows Hotfixes

The Administration > Agents and Software Updates > Software Updates page includes a list of available Windows Hotfixes for supported Windows operating systems. To view a list of these updates:

1. Click the Windows Hotfixes Updates link to open a list of all supported Windows OS versions. Then click any Windows version in the list to display the full list of all hotfixes that have been issued for that version.

2. Click the link for any Windows version of interest to display detailed Windows Hotfixes information for the selected version of Windows. The information for each hotfix includes the KBID (Microsoft’s ID number for the hotfix), Operating System, Severity, and Title.

Figure 3  Complete List of Windows Hotfixes for the Selected Version of Windows

3. Click the KBID for a specific hotfix to open a Hotfix Information window that includes the following additional details:

Title

Type

Updates superseding this update

Updates superseded by this update

Reboot behavior

Description

Figure 4  Windows Hotfixes: KBID Information for Specific Hotfix

Viewing Available Endpoint Profiler Fingerprints

The Endpoint Profiler Updates section of the Posture & Profiler Data Updates page displays details about the latest updates to fingerprints that are used by Policy Manager in profiling endpoints.

Downloading and Installing Updates

If you enabled automatic download and installation of updates in the Cluster-Wide Parameters configuration and entered your HPE Passport credentials on this Software Updates page, the Policy Manager server automatically manages these tasks. Otherwise, to manually download and install a Windows hotfix, posture signature, or endpoint profiler update:

1. Navigate to https://clearpass.arubanetworks.com/cppm/appupdate/<apps_update_filename>, where <apps_update_filename> is one of the following file names:

cppm_antivirus_updates.signed.tar (Posture Signature Updates)

cppm_fingerprints.signed.tar (Endpoint Profiler Fingerprints)

cppm_windowshotfixes_updates.signed.tar (Windows Hotfixes Updates)

cppm_apps_updates.signed.tar (File contains all three updates listed above. This file is updated once per day.)

2. When prompted for authentication credentials, enter your Subscription ID or the Subscription ID 95jqdf-x6xvc4-gvvgy7-x288zb-vd7fjq for both the username and password. (The name of the downloaded file is cppm_apps_updates.signed.tar.)

3. Once you have downloaded the file, you can import it to the publisher by clicking the Import Updates button in the Posture & Profiler Data Updates section of the Software Updates page. The Import from file window opens.

4. Click Choose File to browse to and select the downloaded file.

5. Enter the shared secret for the file (if any), then click Import to import the file.

6. Once the file is imported, click Install to install the update.

The Install Update window can include buttons that perform the following actions:

Reboot: Initiate a reboot of the server. The Reboot button appears only for updates that require a reboot to complete the installation.

Clear and Close: Deletes the log messages and closes the dialog box.

Close: Closes the dialog box.

If the Install Update dialog is closed, you can bring it up again by any one of the following actions:

While the installation is in progress, click the Install in progress… link.

Click the Installed > Install Error link.

When the installation is completed, click the Needs Restart link.
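For a publisher that cannot reach the Webservice server, steps 1 and 2 of the manual download can be scripted on a staging host. The following is an added example, not part of the vendor documentation: it accepts only the four file names listed above, keeps the Subscription ID out of the process list, and records a SHA-256 of each file fetched for the change record. It assumes curl and sha256sum are installed; CPPM_SUBSCRIPTION_ID and update-downloads.sha256 are hypothetical names.

```shell
#!/usr/bin/env bash
# Added example: fetch a ClearPass data-update bundle for later import through
# the Import Updates button. CPPM_SUBSCRIPTION_ID is an assumed variable name.

BASE_URL="https://clearpass.arubanetworks.com/cppm/appupdate"

# Print the download URL for one of the four documented bundle names;
# reject anything else (typos, path fragments, renamed copies).
update_url() {
    case "$1" in
        cppm_antivirus_updates.signed.tar | cppm_fingerprints.signed.tar) ;;
        cppm_windowshotfixes_updates.signed.tar | cppm_apps_updates.signed.tar) ;;
        *)
            echo "unknown update file: $1" >&2
            return 1 ;;
    esac
    printf '%s/%s\n' "$BASE_URL" "$1"
}

# Download one bundle into the current directory and log its SHA-256.
fetch_update() {
    local name="$1" url
    url="$(update_url "$name")" || return 1
    if [ -z "${CPPM_SUBSCRIPTION_ID:-}" ]; then
        echo "set CPPM_SUBSCRIPTION_ID first" >&2
        return 1
    fi
    # The Subscription ID is both username and password. Passing it as a
    # curl config on stdin keeps it out of argv and shell history.
    printf 'user = "%s:%s"\n' "$CPPM_SUBSCRIPTION_ID" "$CPPM_SUBSCRIPTION_ID" |
        curl --config - --fail --silent --show-error \
             --proto '=https' --tlsv1.2 \
             --output "$name.part" "$url" || { rm -f "$name.part"; return 1; }
    mv "$name.part" "$name"
    # Audit record only; this does not replace the checks Policy Manager
    # performs when the file is imported.
    sha256sum "$name" | tee -a update-downloads.sha256
}

# Usage: ./fetch-cppm-update.sh cppm_apps_updates.signed.tar
[ "$#" -eq 0 ] || fetch_update "$1"
```

The downloaded file is then imported on the publisher as described in steps 3 through 6.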

Downloadable User Role Plugin Updates

The procedure to install a downloadable user role plugin varies, depending upon whether your Policy Manager server can contact the ClearPass Webservice server. If you have entered your HPE Passport credentials and Policy Manager is able to reach the Webservice server, any applicable Downloadable User Role plugins are available for download using the following procedure:

1. Click the Download button to download the Downloadable User Role (DUR) Plugin from the Webservice server.

2. Once the DUR Plugin Update is downloaded, click Install to install the update on your Policy Manager server.

3. Once the update is installed, you can click the Installed link by the update to display the Install Update dialog box shown in Figure 5 and view log messages generated during installation.

If Policy Manager is not able to reach the Webservice server,

1. Click Import Updates to import a downloadable user role plugin obtained via support or other means.

2. You will be prompted to browse to and select the file, and to enter the shared secret for the file (if any).

3. Once the DUR Plugin Update is imported, click Install to install the update on your Policy Manager server.

4. Once the DUR Plugin Update is installed, you can click the Installed link by the update to display the Install Update dialog box shown in Figure 5 and view log messages generated during installation.

Figure 5  Install Update Dialog Box

Firmware and Patch Updates

The Firmware & Patch Updates table shows only the data that is known to Webservice or imported using the Import Updates button. Patch residual files located in the /var/avenda/platform/backup, /var/avenda/platform/patches, or /var/avenda/platform/store/updates folders that are seven (or more) days old are automatically deleted daily.

Installing a Firmware or Patch Update Using the WebUI

The procedure to install a firmware or patch update varies, depending upon whether Policy Manager can contact the Webservice server. If you have entered your HPE Passport credentials and Policy Manager is able to reach the Webservice server, the Download button appears by any new firmware or patch updates.

If Policy Manager is able to reach the Webservice server,

1. Click the Download button to download the file.

2. Once the file is downloaded, click Install to install the file on your Policy Manager server.

3. Once the update is installed, you can click the Installed link by the update to open the Install Update dialog box shown in Figure 5 and view the log messages generated during installation.

If Policy Manager is not able to reach the Webservice server,

1. Click Import Updates to import a firmware or patch update file obtained via support or other means.

2. You will be prompted to browse to and select the file, and to enter the shared secret for the file (if any).

3. Once the file is imported, click Install to install the update.

If a patch requires a prerequisite patch, that patch's Install button will not be enabled until the prerequisite patch is installed.

4. Once the update is installed, you can click the Installed link by the update to open the Install Update dialog box shown in Figure 5 and view the log messages generated during installation.

The Firmware & Patch Updates section also includes the following information:

Needs Restart: The Needs Restart link appears when an update needs a reboot of the server in order to complete the installation. Clicking this link displays the Install Update dialog box, which shows the log messages generated during the installation.

Installed: The Installed link appears when an update has been successfully installed. Clicking this link displays the Install Update dialog box, which shows the log messages generated during the installation.

Install Error: This link appears when an update install encounters an error. Clicking this link displays the Install Update dialog box, which shows the log messages generated during the install.

Installing a Firmware or Patch Update Using the CLI

When logged in as appadmin, you can manually install the upgrade and patch binaries imported via the CLI using the following commands:

system update (for patches)

system upgrade (for upgrades)

Reinstalling a Patch

The Reinstall Patch feature allows the administrator to reinstall a patch in the event the previous attempt to install fails. You can only reinstall the last installed patch, which is indicated by a “!” symbol next to it in the Firmware & Patch Updates table on the Administration > Agents and Software Updates > Software Updates page.

To reinstall a patch or software update:

1. From the Firmware & Patch Updates section of the Administration > Agents and Software Updates > Software Updates page, click the Install Error or Needs Restart link.

2. Click Re-Install. The Install Update screen closes and the reinstallation process begins. A window displays, showing the installation progress via log messages.

Uninstalling a Skin

To uninstall a skin:

1. Navigate to Administration > Agents and Software Updates > Software Updates.

2. In the Firmware & Patch Updates section, select the installed skin that you want to uninstall.

Figure 6  Viewing the Installed Link for a Skin

3. Click the Installed link. The Install Update dialog opens.

Figure 7  Install Update Dialog

4. To uninstall the skin, click Uninstall. The Install Update screen closes and the software is uninstalled.