Scenario#1:
Windows Patch Remediation job fails in 'download' phase with following error in the job run log:

BLPAT1306-An error occurred while downloading payload for: IVA-4072698-1-IVA18-001-en-WINDOWS SERVER 2008 R2 STANDARD (X64)-SP1.
Check whether you have access to host and proxy configuration, Error: Maximum retries completed. Failed to download https://content.ivanti.com/noop-sha256.exe No permission to connect to URL: https://content.ivanti.com/noop-sha256.exe. Request for url failed with status code: 403 (Caused By: No permission to connect to URL: https://content.ivanti.com/noop-sha256.exe. Request for url failed with status code: 403)

Scenario#2:
Windows Patch Catalog fails to download 'Windows Defender' patches with following error in the catalog update job run log:

BLPAT1306-An error occurred while downloading payload for: mpam-fe-1.1.18900.2-x64.exe-WINDEF-220203-en-WINDOWS DEFENDER ENGINE-Gold.
Check whether you have access to host and proxy configuration, Error: Maximum retries completed. Failed to download https://go.microsoft.com/fwlink/?LinkID=121721&arch=x64. No permission to connect to URL: https://go.microsoft.com/fwlink/?LinkID=121721&arch=x64. Request for url failed with status code: 403 (Caused By: No permission to connect to URL: https://go.microsoft.com/fwlink/?LinkID=121721&arch=x64. Request for url failed with status code: 403)

Note: The patch name may differ

Scenario#3:
Windows Patch Catalog fails with the following error:

BLPAT1306-An error occurred while downloading payload for:
...
Caused By: Certificate for <catalog.s.download.windowsupdate.com> doesn't match any of the subject alternative names: [some.untrusted.domain.here, some.other.untrusted.domain.here]
...

Scenario#4:
Windows patch catalog update fails with the following error, where 'Zscaler' (transparent type proxy) was used:

BLPAT1306-An error occurred while downloading payload for: GoogleChromeStandaloneEnterprise_XX.XX.XX.XX_x64.msi-CHROME-240625-en-GOOGLE CHROME X64-Gold.
Check whether you have access to host and proxy configuration,Error: Maximum retries completed. Failed to download https://dl.google.com/chrome/install/GoogleChromeStandaloneEnterprise64.msi?XX.XX.XX.XX.Error occurred while connecting to url: https://dl.google.com/chrome/install/GoogleChromeStandaloneEnterprise64.msi?XX.XX.XX.XX. Please verify Internet connectivity and if you have provided Proxy then verify your Proxy settings (Caused By: Error occurred while connecting to url: https://dl.google.com/chrome/install/GoogleChromeStandaloneEnterprise64.msi?XX.XX.XX.XX
...

Scenario#1:
If you analyze with the Security Tools category and do auto-remediation you must exclude bulletins starting with IVA. 
The best way is to setup an exclusion smart group for bulletins starting with IVA. 
If you are manually remediating patches either selectively remediate to avoid these bulletins  or exclude the IVA bulletins from your analysis with a catalog smart group that excludes them.

Catalog


Patch Analysis


Scenario#2:
Defect #DRBLG-128424 has been filed and is fixed in TSSA version 22.2.00

If a Hotfix is needed, please open a case with BMC and share following details:
1. Screenshot of the problem
2. Catalog Update Job logs
3. <AppserverInstallDir>/NSH/br/stdlib/feed-common-1.0.jar
4. <AppserverInstallDir>/NSH/br/stdlib/feed-common-1.0-SNAPSHOT.jar ( Available only on Windows application server)
5. md5sum value of the above jar files
6. TSSA application server exact version and OS of the appserver

The issue occurs due to the patch vendor's Content Delivery Networks (CDN) not working due to a failed TLS certificate binding between the Microsoft TLS Certificate and the catalog.s.download.windowsupdate.com endpoint

Download the required certificate (from ZScaler) and rename this with <Certificate_Name>.cer extension. Please follow the steps below :
 
For Windows Appserver:

1.  Goto <NSH_DIR>\jre\lib\security

2.  Copy the certificate (cer file) to this dir

3.  Goto <NSH_DIR>\jre\bin

4.  Execute cmd: .\keytool.exe -import -alias <Alias_Name> -file ..\lib\security\<Certificate_Name>.cer -keystore ..\lib\security\cacerts

5.  Password (when asked) : changeit (default)

6.  Restart the appserver for change to take effect

7.  Perform this step on all the application servers.

 
For Linux Appserver:

1.  Goto <NSH_DIR>/br/java/lib/security

2.  Copy the certificate (.cer file)  file to this dir

3.  Goto <NSH_DIR>/br/java/bin

4.  Execute cmd:  ./keytool -import -alias <Alias_Name> -file ../lib/security/<Certificate_Name>.cer -keystore ../lib/security/cacerts

5.  Password(when asked): changeit

6.  Restart the appserver for change to take effect.

7.  Perform this step on all the application servers.

Note: changeit above must be typed exactly as shown in the above examples. It is not a variable.

The <Alias_Name> can be anything.  It is just an alias that is used to add the certificate in cacerts