Software Updates
ClearPass Policy Manager regularly checks for available updates on the Policy Manager Webservice server. When new updates are available, a network administrator use the page to download and install these updates. Firmware and patch updates and downloadable user role plugins must be manually downloaded and installed. Windows hotfixes, posture signature updates, and endoint profile fingerprint updates can be automatically downloaded and installed, but this behavior not enabled by default. To set these updates to be automatic, you must enable the and settings on the Cluster-Wide Parameters options for the Policy Manager server. In a Policy Manager cluster, the option is available on the publisher only.
Figure 1 displays the page:
Figure 1 Software Updates Page
Policy Manager queries the Webservice server for the current list of firmware and patch updates every day at a random time every day. Policy Manager queries the Webservice server for the latest Posture Signature, Windows hotfixes and Fingerprints updates at random minute every hour. Fingerprint, firmware and patch data are refreshed as soon as new updates are available. A list of new firmware and update patches that are available for download and installation are noted by the Policy Manager server automatically and shown in the user interface. An event is generated and displayed in the Event Viewer with the list of new updates that are available. If the event affects an SMTPSimple Mail Transfer Protocol. SMTP is an Internet standard protocol for electronic mail transmission. server, Alert Notification email addresses are configured, and an email from the publisher is sent with the list of downloaded images. System Events (as seen on the Monitoring > Event Viewer page) shows records for events, such as communication failures with Webservice, successful or failed update downloads, and successful or failed update installations.
HPE Passport Credentials
This field is only available on a publisher mode. If your deplyment is running Policy Manager 6.9.6 or earlier releases, enter your HPE Passport username and password to allow the Policy Manager server to automatically contact the Webservice server to check for any available updates. If you do not enter your HPE credentials, you will have to manually upload and install any updates.
Starting with Policy Manager 6.9.7, Software updates are authenticated using a token rather than username and password. Tokens are obtained by clicking the Generate Token button in the HPE PassPort Credentials section. A new browser page opens and is used to perform the Single SIgn On action with the HPE Passport system using the current username/password. This prevents the problem of ClearPass Policy Manager updates attempting to authenticate with a password that has expired or been changed. If the token does not automatically renew, then approximately seven days prior to the expiration date the Administration > Agents and Software Updates > Software Updates page will display a message indicating that the token will expire at a specific date and time. Administrators must then click the Generate Token button to obtain a new token again.You must authenticate to your HPE passport account to allow the Policy Manager server to automatically contact the Webservice server to check for any available updates. If you do not enter authenticate your credentials, you will have to manually upload and install any updates.
Users should be aware that whenever appliances are removed from a cluster, then on each standalone appliance you will need to go to Administration > Agents and Software Updates > Software Updates and use the Generate Token button to generate a new software updates token specific to that appliance.
Posture, Profiler, and Windows Hotfix Updates
Use this section of the Policy Manager publisher.
page to view or manually download and install the posture, endpoint profiler and Windows hotfix updates from the Webservice server to aViewing Available Posture Signature Updates
The Policy Manager server uses posture signature updates to check if the AntiVirus and the DAT files are the latest version. (for more details, refer to the Viewing Available Posture Signature Updates ). Click the Posture Hotfixes Updates link on the > > page to open an extensive list of all third-party antivirus products supported by Policy Manager. The top of this section displays a version number and a timestamp that identifies when it was last updated. For each product, information includes Definition Version, Definition Date, Definition Signature, and Engine Version for all supported versions.
Figure 2 Posture Signature Updates Data Displayed
Viewing Available Windows Hotfixes
The
> > page includes a list of available Windows Hotfixes for supported Windows operating systems. To view a list of these updates1. Click the Windows Hotfixes Updates link to open a list of all supported Windows OS versions. Then click any Windows version in the list to display the full list of all hotfixes that have been issued for that version.
2. Click the link for any Windows version of interest to display detailed Windows Hotfixes information for the selected version of Windows. The information for each hotfix includes the KBID (Microsoft’s ID number for the hotfix), Operating System, Severity, and Title.
Figure 3 Complete List of Windows Hotfixes for the Selected Version of Windows
3. Click the for a specific hotfix to open a Hotfix Information window that includes the following additional details:
Title
Type
Updates superseding this update
Updates superseded by this update
Reboot behavior
Description
Figure 4 Windows Hotfixes: KBID Information for Specific Hotfix
Viewing Available Endpoint Profiler Fingerprints
The Endpoint Profiler Updates section of the Policy Manager in profiling endpoints.
page displays details about the latest updates to fingerprints that are used byDownloading and Installing Updates
If you enabled automatic download and installation of updates in the Cluster-Wide Parameters configuration and entered your HPE passport credentials on this page, the Policy Manager server automatically manages these tasks. Otherwise, to manually download and install a Windows hotfix, posture signature, or endpoint profiler update:
1. Navigate to https://clearpass.arubanetworks.com/cppm/appupdate/<apps_update_filename>, where <appsShort form for application. It generally refers to the application that is downloaded and used on mobile devices._update_filename> is one of the following file names:
cppm_antivirus_updates.signed.tar (Posture Signature Updates)
cppm_fingerprints.signed.tar (Endpoint Profiler Fingerprints)
cppm_windowshotfixes_updates.signed.tar (Windows Hotfixes Updates)
cppm_appsShort form for application. It generally refers to the application that is downloaded and used on mobile devices._updates.signed.tar (File contains all three updates listed above. This file is updated once per day.)
2. When prompted for authentication credentials, enter your SubscriptionA business model where a customer pays a certain amount as subscription price to obtain access to a product or service. ID or or the SubscriptionA business model where a customer pays a certain amount as subscription price to obtain access to a product or service. ID 95jqdf-x6xvc4-gvvgy7-x288zb-vd7fjq for both the username and password. (Starting with Policy Manager 6.8, the name of the downloaded file is cppm_appsShort form for application. It generally refers to the application that is downloaded and used on mobile devices._updates.signed.tar.)
3. Once you have downloaded the file, you can import it to the publisher by clicking the button in the section of the page. The window opens.
4. Click to browse to and select the downloaded file.
5. Enter the shared secret for the file, (if any) then click to import the file.
6. Once the file is imported, click to install the update.
The
window can include buttons that perform the following actions:: Initiate a reboot of the server. The button appears only for updates that require a reboot to complete the installation.
: Deletes the log messages and closes the dialog box.
: Closes the dialog box
If the
dialog is closed, you can bring it up again by any one of the following actions:While the installation is in progress, click the
link.Click the
> link.When the installation is completed, click the
link.Downloadable User Role Plugin Updates
The procedure to install an downloadable user role plugin varies, depending upon whether your Policy Manager server can contact theClearPass Webservice server. If you have entered your HPE passport credentials and Policy Manager is able to reach the Webservice server,any applicable Downloadable User Role plugins are available for download using the following procedure:
1. Click the button to download the Downloadable User Role (DUR) Plugin from the Webservice server.
2. Once the DUR Plugin Update is downloaded, click to install the update on your Policy Manager server.
3. Once the update is installed, you can click the link by the update to display the dialog box shown in Figure 5 and view log messages generated during installation.
If Policy Manager is not able to reach the Webservice server,
1. Click Import Updates to import a downloadable user role plugin obtained via support or other means.
2. You will be prompted to browse to and select the file, and to enter the shared secret for the file (if any).
3. Once the DUR Plugin Update is imported, click to install the update on your Policy Manager server.
4. Once the DUR Plugin Update is installed, you can click the link by the update to display the dialog box shown in Figure 5 and view log messages generated during installation.
Figure 5 Install Update Dialog Box
Firmware and Patch Updates
The /var/avenda/platform/backup, /var/avenda/platform/patches, or /var/avenda/platform/store/updates folders that are seven (or more) days old are automatically deleted daily.
table shows only the data that is known to Webservice or imported using the button. Patch residual files located in theInstalling a Firmware or Patch Update Using the WebUI
The procedure to install an firmware or patch update varies, depending upon whether Policy Manager can contact the Webservice server. If you have entered your HPE passport credentials and Policy Manager is able to reach the Webservice server, the button appears by any new firmware or patch updates.
If Policy Manageris able to reach the Webservice server,
1. Click the button to download the file.
2. Once the file is downloaded, click to install the file on your Policy Manager server.
3. Once the update is installed, you can click the link by the update and open and the dialog box shown in Figure 5 and view the log messages generated during installation.
If Policy Manager is not able to reach the Webservice server,
1. Click Import Updates to import a firmware or patch update file obtained via support or other means.
2. You will be prompted to browse to and select the file, and to enter the shared secret for the file (if any).
3. Once the file is imported, click to install the update.
|
If a patch requires a prerequisite patch, that patch's Install button will not be enabled until the prerequisite patch is installed. |
4. Once the update is installed, you can click the link by the update and open and the dialog box shown in Figure 5 and view the log messages generated during installation.
The
section also includes the following information:: The link appears when an update needs a reboot of the server in order to complete the installation. Clicking this link displays the dialog box, which shows the log messages generated during the installation.
: The link appears when an update has been successfully installed. Clicking this link displays the Install Update dialog box, which shows the log messages generated during the installation.
: This link appears when an update install encounters an error. Clicking this link displays the Install Update dialog box, which shows the log messages generated during the install.
Installing a Firmware or Patch Update Using the CLI
When logged in as appadmin, you can manually install the upgrade and patch binaries imported via the CLICommand-Line Interface. A console interface with a command line shell that allows users to execute text input as commands and convert these commands to appropriate functions. using the following commands:
(for patches)
(for upgrades)
Reinstalling a Patch
The
feature allows the administrator to reinstall a patch in the event the previous attempt to install fails. You can only reinstall the last installed patch, which is indicated by a “!” symbol next to it in the Firmware & Patch Updates table on the page.To reinstall a patch or software update:
1. From the section of the page, click the or link.
2. Click .The screen closes and the reinstallation process begins. A window displays, showing the installation progress via log messages.
Uninstalling a Skin
To uninstall a skin:
1. Navigate to .
2. In the section, select the installed skin that you want to uninstall.
Figure 6 Viewing the Installed Link for a Skin
3. Click the link. The dialog opens.
Figure 7 Install Update Dialog
4. To uninstall the skin, click . The screen closes and the software is uninstalled.
Was this information helpful?
Great! Thanks for the feedback
Sorry about that! How can we improve it? Send your comments and suggestions!