Signed Patches Administration Guide for PatchPro 2.2

Solaris Patch Management Tools for Signed Patches

You use the smpatch command with Solaris Patch Manager Base 1.0.1 to manage signed patches on systems that run the Solaris 2.6, Solaris 7, and Solaris 8 releases. You use the smpatch command with PatchPro 2.2 to manage signed patches on systems that run the Solaris 9 release.

Both Solaris patch management tools for signed patches provide the following capabilities:

Analyzing patch requirements and downloading signed patches for the local system only.
Applying one or more signed patches in JAR format. They also authenticate the patch or patches to be applied.
Solaris 9 GUI only – Removing one or more patches. Patch dependencies are checked beforehand.
Enabling you to set up a default policy for applying patches of various types, such as rebootafter and standard.

Note –

You can still use the patchadd command to apply unsigned patches to systems that run the Solaris 2.6, Solaris 7, Solaris 8, and Solaris 9 releases.

You cannot use Patch Manager Base 1.0.1 to apply unsigned patches to Solaris 2.6, Solaris 7, or Solaris 8 systems. However, you can use smpatch add to apply unsigned patches to Solaris 9 systems.

Manual and Automatic Application of Patches

Patches are classified as standard patches or nonstandard patches. The Solaris patch management tools can apply patches in two modes: automatic mode and manual mode. In automatic mode, only standard patches can be applied on a regularly scheduled basis. In manual mode, all standard patches and most nonstandard patches can be applied from the command line.

A standard patch is one that is safe to apply and can be applied while the system is in multiuser mode. The effects of the patch are visible as soon as it is applied unless the application being patched is running while the patch is applied. In this case, the effects of the patch are visible after the affected application is restarted. A standard patch is associated with the standard property and can be applied in automatic mode.

A nonstandard patch has one of the following characteristics:

A patch that is associated with the interactive property.
A patch that is associated with the rebootafter, rebootimmediate, reconfigafter, reconfigimmediate, or singleuser properties. This nonstandard patch can be applied in manual mode.
A patch that cannot be applied by running the patch management tools, but must be applied by following the instructions in the patch's README file.

Two options are available for applying patches in automatic mode:

Standard patches only – Only standard patches are downloaded to the patch directory and applied. A standard patch is one that does not require any special actions on the part of the user. A standard patch also does not require a reboot for the patch to take effect.

Specify this policy by using the pprosetup -p standard command.
No patches – No patches are downloaded to the patch directory or applied. This option is the default.

Specify this policy by using the pprosetup -p none command.

Most nonstandard patches can only be applied in manual mode. You can specify the patch policy for manual mode by using this command:

# pprosetup -i patch-property-list

patch-property-list is one or more of the following patch properties: interactive, rebootafter, rebootimmediate, reconfigafter, reconfigimmediate, singleuser, and standard. For descriptions of the patch properties, see the pprosetup(1M) man page.

A number of patches cannot be applied by PatchPro 2.2 or by Patch Manager Base 1.0.1 under any circumstances. For instance, nonconforming patches cannot be applied by using the smpatch, pprosvc, or patchadd command. Nonconforming patches must be extracted manually and applied by following the instructions in the patch's README file.

Solaris Patch Manager Base 1.0.1 Limitations

The patch management tool for Solaris 2.6, Solaris 7, and Solaris 8 has some limitations. You cannot apply signed patches in the following cases:

When applying signed patches to an alternate boot environment or to a diskless client
When automatically applying a signed patch that has the rebootimmediate, reconfigimmediate, or nonconforming patch property

Software Requirements for the Solaris Patch Management Tools

Certain Solaris packages must be installed on your system before you install the Solaris patch management tools for signed patches.

For Solaris 2.6, Solaris 7, or Solaris 8 – Your system requires a minimal system configuration plus some additional packages. All the required packages are available from the End User cluster (SUNWCuser).
For Solaris 9 – You must have at least the Developer cluster (SUNWCprog) installed.

The following table shows the Solaris cluster and package requirements for running the Solaris patch management tools. Notice that when only a Solaris cluster is listed, the required packages are included in that cluster.

Solaris Version	Required Clusters and Packages
Solaris 2.6	One of the following is required: Core System (`SUNWCreq`) plus `SUNWadmc`, `SUNWadmfw`, `SUNWmfrun`, `SUNWlibC`, and `SUNWxcu4` End User System (`SUNWCuser`) Developer System (`SUNWCprog`) Entire Distribution (`SUNWCall`) Entire Distribution Plus OEM Support (`SUNWCXall`)
Solaris 7 or Solaris 8	One of the following is required: Core System (`SUNWCreq`) plus `SUNWadmc`, `SUNWadmfw`, `SUNWmfrun`, and `SUNWlibC` End User System (`SUNWCuser`) Developer System (`SUNWCprog`) Entire Distribution (`SUNWCall`) Entire Distribution Plus OEM Support (`SUNWCXall`)
Solaris 9	One of the following is required: Developer System (`SUNWCprog`) Entire Distribution (`SUNWCall`) Entire Distribution Plus OEM Support (`SUNWCXall`)

Solaris Version

Required Clusters and Packages

Solaris 2.6

One of the following is required:

Core System (SUNWCreq) plus SUNWadmc, SUNWadmfw, SUNWmfrun, SUNWlibC, and SUNWxcu4
End User System (SUNWCuser)
Developer System (SUNWCprog)
Entire Distribution (SUNWCall)
Entire Distribution Plus OEM Support (SUNWCXall)

Solaris 7 or Solaris 8

One of the following is required:

Core System (SUNWCreq) plus SUNWadmc, SUNWadmfw, SUNWmfrun, and SUNWlibC
End User System (SUNWCuser)
Developer System (SUNWCprog)
Entire Distribution (SUNWCall)
Entire Distribution Plus OEM Support (SUNWCXall)

Solaris 9

One of the following is required:

Developer System (SUNWCprog)
Entire Distribution (SUNWCall)
Entire Distribution Plus OEM Support (SUNWCXall)

For information about verifying whether the required Solaris packages are installed on your system, see How to Verify Package Requirements for Patch Management Tools.

Summary of Solaris Patch Management Features

Feature	`patchadd` and `patchrm` Commands	Patch Check	PatchPro Interactive or PatchPro Expert	Solaris 2.6, Solaris 7, and Solaris 8 Patch Management Tool	Solaris 9 Patch Management Tool
How do I get this tool?	Included in Solaris release (`SUNWswmt`)	SunSolve Online site	Run tool from PatchPro Web site [The PatchPro Web site is `http://www.sun.com/PatchPro`.]	Download Solaris Patch Manager Base 1.0.1 from PatchPro Web site	Download PatchPro 2.2 from PatchPro Web site
Solaris release availability	Solaris 2.6, Solaris 7, Solaris 8, and Solaris 9	Solaris 2.6, Solaris 7, Solaris 8, and Solaris 9	Solaris 2.6, Solaris 7, Solaris 8, and Solaris 9	Solaris 2.6, Solaris 7, and Solaris 8	Solaris 9
Applies signed patches?	Yes [You can unpack a signed patch and then apply it to your system by using the `patchadd` command. However, in this case, the digital signature is lost. For information about manually verifying a signed patch and then applying it with the `patchadd` command, see How to Verify a Signed Patch (`jarsigner`) or How to Verify a Signed Patch (`signtool`).]	No	No	Yes, and automatically verifies the signed patch when it is downloaded	Yes, and automatically verifies the signed patch when it is downloaded
Applies unsigned patches?	Yes	Yes	No	No	Yes
GUI available?	No	No	No	No	Yes
Analyzes system for recommended patches, and downloads patches	No	Yes, unsigned patches only	Yes, unsigned patches only	Yes, signed patches only	Yes, signed patches only
Local and remote system patch support	Local	Local	No	Local	Local and remote
RBAC support?	No	No	No	No	Yes