Update required for all Patch Manager installations before installing 1024-bit RSA Key Invalidation Update (MS KB2661254)

For all Patch Manager customers with active maintenance, we have posted an update to your customer portal and to the product download page. This update, v1.73, is designed to ensure continued functionality of all Patch Manager installations, which will be adversely affected by the installation of the Microsoft update KB2661254. KB2661254 is scheduled for release on Patch Tuesday - August 14, 2012.

KB2661254 will invalidate all RSA-based certificates with key lengths of less than 1024 bits and has been discussed in several Microsoft postings of late, most notably the following:

• http://blogs.technet.com/b/pki/archive/2012/07/13/blocking-rsa-keys-less-than-1024-bits-part-2.aspx
• http://blogs.technet.com/b/pki/archive/2012/06/12/rsa-keys-under-1024-bits-are-blocked.aspx
• http://blogs.technet.com/b/msrc/archive/2012/07/10/gadgets-certificate-housekeeping-and-the-july-2012-bulletins.aspx
• http://blogs.technet.com/b/msrc/archive/2012/06/12/certificate-trust-list-update-and-the-june-2012-bulletins.aspx

How does Microsoft KB2661254 affect my Patch Manager installation?

This affects all existing Patch Manager installations, as all versions are currently based on 512-bit key lengths. Certificates are used in Patch Manager to authenticate console-to-server connections, as well as to authenticate server-to-server connections when additional Patch Manager servers have been deployed in the environment. Patch Manager v1.73 replaces the existing 512-bit certificate with 2048-bit certificates.

What do I need to do to address this issue?

You should defer deploying KB2661254 to your Patch Manager servers and console systems until they have been successfully updated to Patch Manager v1.73.

The Patch Manager v1.73 update must be applied to your Primary Application Server (PAS) first, and then to any additional servers or console installations. Once the v1.73 update is applied to the PAS, and until the v1.73 update is applied to the additional servers, the entire Patch Manager environment will be offline, as the additional servers will be unable to communicate with the updated PAS.

Furthermore, until the Patch Manager v1.73 update is applied to the remote consoles, those consoles will be unable to connect to any Patch Manager v1.73 Application Server.

To be specific -- any Patch Manager server or console prior to v1.73 cannot communicate with a Patch Manager server upgraded to v1.73.

We are providing this update as soon as we were able to complete testing so that you will have sufficient time to plan and implement this update prior to deploying KB2661254.

In addition to this certificate subsystem update, Patch Manager v1.73 also includes a roll-up of a fix we released in May that changes how we authenticate with remote systems using credentials. This will provide more reliable authentication with Patch Manager clients, and eliminate many issues that were previously encountered as a result of User Account Control (UAC) interference.