Workflow Template - Zero Day Patch

Created: 25 Oct 2013 • Updated: 25 Oct 2013 | Author: Jason Short

About the Zero Day Patch Template

The Zero Day Patch Workflow Template runs automatically on a schedule to identify, stage and create policies for bulletins/patches that meet a pre-defined set of criteria.

The above video and attached document will help you download, configure, test and deploy the attached Workflow Template. Although the template is built to run as is, you can modify the project in Workflow to meet the unique process and goals of your organization.


Comments

Frank Fleming's picture

Very nice Jason - thanks !

Frank Fleming - VP Sales, Operations & Consulting

ExpressAbility (www.expressability.com)

Symantec Master Specialists (Altiris, Endpoint Mgmt & Security, Mobility)

skhs's picture

Hi Jason, I am not good with workflow, and need some help with this workflow. Once policies are created and the email is sent, can we have another approval process that will add the other targets based on the response by the application owner?

For example, policies are created and tested on the test target; now we want to add other targets, but based on which teams have tested. How can this be completed? I am hoping the end user can go on a console and click on a check mark next to their targets and have them added?

Pascal KOTTE's picture

Thanks a lot; I saw this feature in the "What's new under 7.5" but was absolutely not able to find it after installing 7.5, reading all the patch doc manuals, or trying to find it under Connect, any 7.5 patch area, or CMS or SMS; I was not able to find anything about this Workflow.

I was not thinking about installing the workflow designer first, and later taking a look inside this nice "solution center" that I did not know before... That's why I was thinking it was a false promise of Symantec. Happy to see I was wrong.

~Pascal @ Kotte.net~ Do you speak French? And use Altiris: come join us on the GUASF

skhs's picture

I guess you are not that wrong, Pascal, as I think this is just a workflow outside of the Symantec product release, meaning it might not (I could be wrong here too :) be supported by support. But it gives you a very good start on automating the patch.

Pascal KOTTE's picture

Good point, you are very right: if not supported by Symantec support, it is not "part" of the SMS or CMS or Patch Solution support, not an "integrated" supported extension...

But I do not see any disclaimer or EULA, and this Workflow is published and accessible from "Workflow Manager", part of the solution. So legally, they forgot to "exclude" it from support explicitly, and so it should be part of the solution. Of course, if support refuses to open the case, the support will take some additional time and cost to be fulfilled, after a legal pursuit and so on ;)

I will try this, and open a case if I get an issue... We'll see if I get one ;)

Pascal KOTTE's picture

Does anybody know what the Application property "Age_filter" is? Its default value of '15' is not explained in the PDF :(

I guess about 15 days old maximum for activation and processing? But I am not sure :)

If it is, we should extend it for a start, for older bulletins to be auto-activated?

Pascal KOTTE's picture

And what about the Ludovic tools ?

and about this more light and simple option ?

It was initially designed for 7.0 but is perhaps reusable for 7.5? But probably with fewer features :) OK, just joking. But... ?

Pascal KOTTE's picture

I wanted to verify that the workflow is able to process only "missing" and "applicable" bulletins, not "all" including useless ones...

And also whether it can avoid requiring us to edit each policy manually to add the pilot2 group, another time for the PROD1 group, and a 3rd time for the PROD2 final group in addition. As we must deploy "by wave", for validation steps, it is absolutely required to be able to associate all those automated policies with a single "editable" target, so we can switch all the policies to the next wave level with a single simple change, NOT needing to edit each of 30 to 60 or more policies to add the additional wave targets. If you deploy in 4 waves, this will require about 120 to 240 "edit" operations per month on this so "quick answering" Altiris web console (just joking about "quick")...

I feel we will have to create a new "Named target" each month, and edit the GUID inside the DATA/Application properties: "Zero Day Patch settings". So we will be able to edit and change a single "Named target" 4 times, extending it each week with the additional targets for the next wave of computers to deploy patches to this month... Instead of editing 30 policies or more, 4 times ;-)

Pascal KOTTE's picture

Well: Email notify

Error Message: The request failed with HTTP status 404: Not Found.
 
Stack Trace:
   at System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage message, WebResponse response, Stream responseStream, Boolean asyncCall)
   at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
   at PatchWorkflowSvcDynamicService.PatchWorkflowSvc.EnsureStaged(String bulletinGuids, Boolean sync)
   at PatchWorkflowSvcDynamicService.EnsureStaged.Run(IData data)
   at LogicBase.Core.ExecutionEngine.SinglePathProcessComponentExecutionDelegate.Execute(IData data, IOrchestrationComponent comp, String& outputPath, IExecutionEngine engine, TLExecutionContext context)
   at LogicBase.Core.ExecutionEngine.AbstractExecutionEngine.RunComponent(TLExecutionContext context, IData data, IOrchestrationComponent comp)
 
Report Process ID: Patch-0Day-001007
 
Model ID: 7e82176f-0fe0-11e2-85c7-005056a27acc
 
Last Component: Ensure Staged
Workflow logs:
Application Name : Symantec.Patch.Zero_Day
Process ID : 5780
Date :3/3/2014 1:10:50 AM
Log Level :Error
Log Category :LogicBase.ExecutionEngine.Delegates
Machine Name : TMS1
Message : 
the component Setup Process declares that it outputs variable [PolicyName] of typeString but did not.  
followed by:
Application Name : Symantec.Patch.Zero_Day
Process ID : 5780
Date :3/3/2014 1:10:52 AM
Log Level :Error
Log Category :PatchWorkflowSvcDynamicService.EnsureStaged
Machine Name : TMS1
Message : 
Exception at Run method with message :The request failed with HTTP status 404: Not Found.
Finishing with:
Application Name : Symantec.Patch.Zero_Day
Process ID : 5780
Date :3/3/2014 1:10:52 AM
Log Level :Error
Log Category :LogicBase.ExecutionEngine
Machine Name : TMS1
Message : 
Exception was thrown from the exception handling model in project.
 
Is an installed Service Desk a requirement? Because I do not have one, and the PDF talks about "Tickets" I don't have...

Pascal KOTTE's picture

The URL setup is not answering:

http://tms1.itsm.demo/patchmanagementcore/patchwor...

Server Error in '/' Application.

--------------------------------------------------------------------------------
 
The resource cannot be found. 
Description: HTTP 404. The resource you are looking for (or one of its dependencies) could have been removed, had its name changed, or is temporarily unavailable.  Please review the following URL and make sure that it is spelled correctly. 
 
Requested URL: /patchmanagementcore/patchworkflowsvc.asmx/Default.aspx
 
--------------------------------------------------------------------------------
Version Information: Microsoft .NET Framework Version:2.0.50727.5477; ASP.NET Version:2.0.50727.5479 
All the same; the page seems there...

Pascal KOTTE's picture
I also tried switching https to http; same issue... Here are the settings I was using.
 
Zero Day Patch Settings

Category: Not Set
    IsDefault: True
    InstanceName: Default
Category: Configuration
    Enable_New_Policy_After_Creation: True
    Resource_Targets_To_Apply_To_Policy: 25353043-FA7D-4B25-A416-9237EEC2B156
Category: Connection
    PatchWorkflowSvcURL: http://tms1.itsm.demo/patchmanagementcore/patchworkflowsvc.asmx
    Symantec_CMDB_ConnectionString: Data Source=(local);Initial Catalog=Symantec_CMDB;Integrated Security=SSPI;
Category: Email
    Email_Server: 192.168.100.10
    Email_To_Address: service.altiris@itsm.demo
    Email_From_Address: PatchZeroDay.tms1@itms.demo
Category: Filter Settings
    Age_Filter: 15
    Ignore_Bulletins_With_Policies: True
    Ignore_Staged_Bulletins: False
    Vendor_Filter: 00000000-0000-0000-0000-000000000000
    Platform_Filter: Any
    Severity_Levels_To_Analyze: Critical, Important, Unclassified
 
So I will perhaps need to test whether "Symantec support" will support this, or not :)

Pascal KOTTE's picture

I must also say: Workflow was installed with a domain service account; I needed to change the Application pool Identity for Process Manager to run as "NETWORK SERVICE" for the Process Manager portal to be able to open. But NETWORK SERVICE has the rights on Patch also; this service account is also the Altiris server service account. I added the rights on windows\temp and the framework folders...

I also tried opening with a domain admin account; same error.

Roman Vassiljev's picture
Hello Pascal KOTTE,
 
Any body know what is the Application property "Age_filter"
 
I think it is the number of days backward to look for bulletins. In other words, only bulletins released during the last N days (N is the value of Age_Filter) will be used in this process.
 
I also try to switch https to http; same issue... Here the settings I was using.
PatchWorkflowSvcURL http://tms1.itsm.demo/patchmanagementcore/patchworkflowsvc.asmx 
 
It looks like PatchWorkflowSvcURL is mistyped in your settings. I guess http://tms1.itsm.demo/altiris/patchmanagementcore/patchworkflowsvc.asmx should work.
 
Thanks,
Roman
 
Richard_Combes's picture

Hi Pascal,

Keep us updated on how this is going for you, I got this working in my lab and have a few tips to help along the way.

1) When you test the workflow by running the debug, it should run through and enable the policy, but then the workflow will start again. This is because the workflow is set to "autorun"; in a live environment this is kicked off at a certain time and will only run once. So be sure not to let the workflow run continually in debug mode or you will have lots of policies and a server slowdown. In fact, close it after letting it run through twice and you should have the following as a result.

  • An email stating the patches enabled / a policy with the patches enabled targeting your specific target
  • A second email stating that there were no patches to install from the second run of the workflow (provided you set the setting below)

There is a setting in the config page to "ignore staged policies" or something similar (I don't have access to a console right now to tell you the exact setting wording) so basically it does not duplicate policies.

Hope this helps

Rich

Hendrik Dijkstra's picture

Hello,

Because I wasn't able to install Process Manager on my workflow server, I had to disable the application properties. I have 'converted' the application properties to global properties and that works fine. It's a bit less flexible, but for us still very acceptable. I obviously also changed all the components which were using values from the application properties and when I run the workflow in debugger, I get exactly the result that I expect. Currently the result is that I get an email telling that no bulletins were available and all the variables in the email are filled with correct data.

Now the problem ...... once I publish the workflow, it will not send any emails anymore. Besides, I cannot really check if it has been running on the defined schedule so I have no clue if it has been running on the schedule. That's one of the nice features of Process Manager, but not available for me at this point.

Is there anyone out there who knows why email works when running the workflow in debugger and why it doesn't if it's published?

And then it would be also nice if I could somehow trace if the workflow has been running.

I published the workflow on my workflow server, which is a different one than the SMP server but that shouldn't make a difference, should it?

Any input is very welcome.

Hendrik

HarrisT's picture

Try putting a "Create Log Entry" component at the very beginning of your Workflow, and set the logging level to "Fatal". Then save/publish the workflow and open your Log Viewer. You will be able to see your log entry component write a fatal error to the logs. This is a great way to confirm whether the Workflow ran or not.

Hendrik Dijkstra's picture

Thanks for your comment Harris. Eventually you put me on track with this. It happened to be that the workflow was crashing when it reached the stage where it needed to send the email. As I explained already, I needed to convert the application properties to global properties because we do not have the process manager installed in our environment. It seems that when a workflow is published, for some reason it cannot correctly handle some of the global variables. After I converted the global variables which were related to email to project properties, it started to work.

I will definitely start looking at implementing the Process Manager, as for this purpose I see a lot of benefits there.

Well .... at least for now this is working, but I may need to convert the variables again at some point to application properties :)

Marilou's picture

Hello guys,

Please share a guide with me on how to do it without Process Manager....

Also, is the process still the same for 7.5 SP1?

Thanks!!

Marilou's picture

I'm getting this error when running the project on debug mode. Can anyone help me pinpoint the problem here?

CurrentResourceGUID = "D27E6007-9A73-4E22-92AE-95BA7AA9A40E"
ErrorMessage = "System.Web.Services.Protocols.SoapException: Server was unable to process request. ---> System.Exception: The specified item guid does not exist.
   at Altiris.ASDK.NS.ItemManagementLib.GetItemByGuid(Guid itemGuid)
   at Altiris.ASDK.NS.Web.ItemManagementService.GetItemByGuid(Guid itemGuid)
   --- End of inner exception stack trace ---"
IteratorPrefix_c487e7b2-9591-11e2-a847-000c294e9052 = 0
LastComponent = "Get Item By Guid Component"
ModelID = "e317bec1-0fe0-11e2-85c7-005056a27acc"
ReportProcessID = "Patch-0Day-000162"
ShortDateString = "1/26/2015"
StackTrace = "   at System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage message, WebResponse response, Stream responseStream, Boolean asyncCall)
   at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
   at Altiris7.WebServices.Item.ItemManagementService.GetItemByGuid(Guid itemGuid)
   at Altiris7.WebServices.Item.GetItemByGuidComponent.Run(IData data)
   at LogicBase.Core.ExecutionEngine.SinglePathProcessComponentExecutionDelegate.Execute(IData data, IOrchestrationComponent comp, String& outputPath, IExecutionEngine engine, TLExecutionContext context)
   at LogicBase.Core.ExecutionEngine.AbstractExecutionEngine.RunComponent(TLExecutionContext context, IData data, IOrchestrationComponent comp)"
Today = 1/26/2015 11:37:00 AM

africo's picture

I'm not familiar with that project, but it looks as though you're either mixing two altiris environments (grabbing an item from one database and then trying to save it to another; the GUID may not exist in both places) or the mappings aren't correct somewhere.  That's just a guess though; check any mapping components to ensure you're mapping the item guid properly.

Marilou's picture

Hi Africo,

I only have 1 Altiris in my lab.. The GUID that I have provided in the project is for my target filter (extracted from SQL)..

I attached images of the part where the process stops..

Thanks for your comment.. Appreciate your help on this.

Nonos's picture

Hi,

Did you try to use the GUID given in the error log on the Web Service itself?

Like you open a web browser and type in the URL to the "itemmanagementservices.asmx" and you'll get a list of all available methods in which you'll find "Get Item By GUID".

When you try that, do you get the item itself or does it crash?

If it crashes, it mainly means that the GUID you are using does not correspond to any item.

Been working a lot on 7.1 SP2 but don't know if things are still out there in 7.5.

Hope this helps.

Regards,

Cédric

Marilou's picture

Hi Nonos,

I've tried typing http://itemmanagementservices.asmx but there's nothing to display (Internet Explorer cannot display the web page). Am I doing it right??

It's my first time trying out this process.. I will be grateful if you can help me with the troubleshooting steps that I should perform.

Thanks!

B_Asnot's picture

Marilou,

Be sure you add the server name in the URL (e.g. http://localhost/itemmanagementservices.asmx)

africo's picture
http://localhost/Altiris/ASDK.NS/ItemManagementService.asmx is what I assume you're trying to reach.

Marilou's picture

Thanks guys!!!

Tried accessing http://localhost/itemmanagementservices.asmx and it displays "The resource cannot be found."

Tried accessing http://localhost/Altiris/ASDK.NS/ItemManagementService.asmx and it redirects me to the ItemManagementService page.

There are two items named GetItemByGuid; the other one has a text at the bottom: MessageName="GetItemsInFolderX". On the first GetItemByGuid, there's a box to test the GUID, I think (To test the operation using the HTTP POST protocol, click the 'Invoke' button). I put in the GUID that I extracted from SQL and I see the name of the filter that I've created.

I think it's working? hahaha what to do next?

Attachments: GetItemByGuidX.txt (3.67 KB), GUIDTestResult.txt (841 bytes)
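The check the replies above walk through by hand (open the .asmx URL and see whether it answers), as an added PowerShell example that is not part of the original thread or of the workflow template. It assumes PowerShell 3.0 or later; the function name Test-AsmxEndpoint is hypothetical, and the URLs and operation names are the ones quoted in the comments and stack traces above.

```powershell
# Added example (not from the thread). Test-AsmxEndpoint is a hypothetical helper name.
function Test-AsmxEndpoint {
    param(
        [Parameter(Mandatory = $true)][string]$Url,        # .asmx URL exactly as entered in the settings
        [Parameter(Mandatory = $true)][string]$Operation,  # SOAP method the failing component calls
        [int]$TimeoutSec = 15
    )
    $status = $null
    $hasOperation = $false
    try {
        # ASP.NET serves the service description at <url>?WSDL unless that has been disabled.
        $resp = Invoke-WebRequest -Uri "${Url}?WSDL" -UseBasicParsing `
                    -UseDefaultCredentials -TimeoutSec $TimeoutSec
        $status = [int]$resp.StatusCode
        $pattern = 'operation\s+name="' + [regex]::Escape($Operation) + '"'
        $hasOperation = [string]$resp.Content -match $pattern
    }
    catch {
        # Non-2xx answers throw; when a response is attached it carries the HTTP status.
        if ($_.Exception.Response) { $status = [int]$_.Exception.Response.StatusCode }
    }
    $verdict = if ($null -eq $status) {
        'No HTTP response: name resolution, firewall, or IIS not listening'
    } elseif ($status -eq 404) {
        'Not found: the virtual directory or file name in the URL is wrong'
    } elseif ($status -eq 401 -or $status -eq 403) {
        'Reached IIS, but access is denied for the account running this check'
    } elseif ($status -eq 200 -and $hasOperation) {
        "Service answers and exposes $Operation"
    } elseif ($status -eq 200) {
        "Something answers, but its WSDL does not list $Operation"
    } else {
        "Unexpected HTTP status $status"
    }
    [pscustomobject]@{ Url = $Url; Operation = $Operation; Status = $status; Verdict = $verdict }
}

# URLs and operation names as quoted in the comments and stack traces above.
$checks = @(
    # Value from the posted settings (the workflow reported HTTP 404 for it).
    @{ Url = 'http://tms1.itsm.demo/patchmanagementcore/patchworkflowsvc.asmx'
       Operation = 'EnsureStaged' },
    # Path suggested in Roman's reply; the thread does not confirm the outcome.
    @{ Url = 'http://tms1.itsm.demo/altiris/patchmanagementcore/patchworkflowsvc.asmx'
       Operation = 'EnsureStaged' },
    # ASDK item service used by the "Get Item By Guid Component".
    @{ Url = 'http://localhost/Altiris/ASDK.NS/ItemManagementService.asmx'
       Operation = 'GetItemByGuid' }
)
$results = foreach ($c in $checks) { Test-AsmxEndpoint @c }
$results | Format-List
```

Run it under the account the published workflow uses (the application pool identity discussed earlier in the thread), since an administrator's session can get 200 where the service account gets 401.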
africo's picture

if you get a result back, then you're GUID.

Marilou's picture

The GUID causes the error?

When I installed the workflow, I also installed the Process Manager portal and Process Manager database, and that's where I uploaded the application profile for this project and input the GUIDs. I'm wondering if the data is being processed in Workflow from the data I have put on the Service Desk portal..

Marilou's picture

I already have it recognizing the GUID of my filter.

I am inputting the values on the Process Manager portal and they are not being recognized by Workflow hahaha.

Luckily, out of curiosity I happened to click the link for my project under application properties in Workflow Manager, which led me to the correct page where I should input the values needed.

Thanks guys!!

Marilou's picture

Just a question.. I am encountering a redownload of patches.. I already have them, but whenever the schedule set on the workflow kicks in I see patches being downloaded in the Altiris Log Viewer..

Marilou's picture

Guys Question..

I have my workflow manager installed on my SMP.

Here are my questions:

1. I can't determine the basis for bulletin download (is it date released, revised, compliance).

2. Can the superseded bulletins still be downloaded?

3. How to correctly publish the zero patch template on SMP?

I have a schedule for the workflow to run at a certain time. I have downloaded the patch and deleted the created policies, but it didn't recreate them when the schedule kicked in. Also, I did not receive the message that no bulletin is available.
