Perform these tasks in the order shown.
| Task | Description | For Instructions |
|---|---|---|
| 1. Download and install the SUNWcert package. | Download and install the SUNWcert package. For a list of download sites, see Sun Certificates That Verify Signed Patches. | |
| 2. Import the Sun certificates. | Use the keytool command to import and accept the Sun certificates from the SUNWcert package. | |
| 3. (Optional) Change the keystore password. | Change the password to keep the keystore secure. | |
| 4. Verify a signed patch. | Download a patch from SunSolve Online, and use the jarsigner command to verify the patch. | |
| 5. Apply the verified signed patch. | Use the patchadd command to apply the verified signed patch. | |

This procedure assumes that the SUNWcert package is located in the /tmp directory.
Download the SUNWcert package from the following site:
https://sunsolve.sun.com/SUNWcert
For a list of additional sites, see Sun Certificates That Verify Signed Patches.
Become superuser.
Install the SUNWcert package.
```
# cd /tmp
# unzip SUNWcert.zip
# pkgadd -d .
```
Verify that the SUNWcert package is installed.
```
# pkginfo -l SUNWcert
```
Verify the signed patches that you want to install against the authenticated Sun certificates.
Become superuser.
Determine the fingerprints of your Sun Root certificate and Sun Class B certificate.
For example, on a Solaris 8 system:
```
# /usr/java1.3/bin/keytool -printcert \
-file /etc/certs/SUNW/smirootcacert.b64
# /usr/java1.3/bin/keytool -printcert -file /etc/certs/SUNW/smicacert.b64
```
Verify that the output of these commands matches the Sun Root and Class B certificate fingerprints displayed at this site:
https://www.sun.com/pki/ca
Change to the /etc/certs/SUNW directory.
```
# cd /etc/certs/SUNW
```
Import the Class B certificate.
For example, on a Solaris 8 system, type:
```
# /usr/java1.3/bin/keytool -import -alias smicacert \
-file smicacert.b64 -keystore /usr/java1.3/jre/lib/security/cacerts
Enter keystore password: changeit
Owner: O=Sun Microsystems Inc, CN=Sun Microsystems Inc CA (Class B)
Issuer: CN=Sun Microsystems Inc Root CA, O=Sun Microsystems Inc, C=US
Serial number: 1000006
Valid from: Mon Nov 13 12:23:10 MST 2000 until: Fri Nov 13 12:23:10 MST 2009
Certificate fingerprints:
         MD5: B4:1F:E1:0D:80:7D:B1:AB:15:5C:78:CB:C8:8F:CE:37
         SHA1: 1E:38:11:02:F0:5D:A3:27:5C:F9:6E:B1:1F:C4:79:95:E9:6E:D6:DF
Trust this certificate? [no]: yes
Certificate was added to keystore
```
Import the root certificate.
```
# /usr/java1.3/bin/keytool -import -alias smirootcacert \
-file smirootcacert.b64 -keystore /usr/java1.3/jre/lib/security/cacerts
Enter keystore password: changeit
Owner: CN=Sun Microsystems Inc Root CA, O=Sun Microsystems Inc, C=US
Issuer: CN=GTE CyberTrust Root, O=GTE Corporation, C=US
Serial number: 40002ae
Valid from: Wed Oct 16 09:45:00 MDT 2002 until: Sat Oct 16 17:59:00 MDT 2004
Certificate fingerprints:
         MD5: 54:E3:D1:E4:79:B4:17:23:65:B4:F9:14:AD:C6:4A:FE
         SHA1: 90:F1:AB:87:AE:A0:4C:1F:AF:43:60:DE:5D:A8:0E:D8:CE:E7:06:AE
Trust this certificate? [no]: yes
Certificate was added to keystore
```
Become superuser.
Change the keystore password.
```
# /usr/java1.3/bin/keytool -storepasswd \
-keystore /usr/java1.3/jre/lib/security/cacerts
Enter keystore password: changeit
New keystore password: new-password
Re-enter new keystore password: new-password
```
Verify that the following prerequisites are met:
You have installed the SUNWcert package.
For more information, see How to Download the SUNWcert Package.
You have imported the appropriate Sun PKI certificates.
For more information, see How to Import the Sun Certificates With Java Tools.
You are logged in as superuser.
Download a signed patch from the SunSolve Online site.
Verify the signed patch, for example:
```
# /usr/java1.3/bin/jarsigner -verify -verbose -keystore /usr/java1.3/jre/lib/security/cacerts /patchdb/100103-12.jar
smk     2149 Tue Sep 25 15:47:20 MDT 2001 100103-12/README
smk    18553 Tue Sep 25 15:47:20 MDT 2001 100103-12/4.1secure.sh
         385 Tue Sep 25 15:47:20 MDT 2001 META-INF/manifest.mf
         493 Tue Sep 25 15:47:20 MDT 2001 META-INF/zigbert.sf
        3819 Tue Sep 25 15:47:20 MDT 2001 META-INF/zigbert.rsa

  s = signature was verified
  m = entry is listed in manifest
  k = at least one certificate was found in keystore
  i = at least one certificate was found in identity scope

jar verified.
#
```
Make sure that you see the smk entries in the output to confirm that the patch signature is verified. Otherwise, the patch verification has failed, even if you see the jar verified message.
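The smk check can be scripted so that a bare jar verified message is never accepted on its own. The following is an added example, not part of the original Sun documentation: check_smk, sample_signed and sample_untrusted are hypothetical names, the first sample reuses the listing shown on this page, the second is constructed, and entry names are assumed to contain no spaces.

```shell
#!/bin/sh
# Added example. Reads `jarsigner -verify -verbose` output on stdin and
# succeeds only if "jar verified." is present AND every payload entry
# (anything outside META-INF/) carries the s, m and k flags.
check_smk() {
    awk '
    /^jar verified\./ { verified = 1 }
    # Entry lines contain "<size> <day-of-week> ..."; the flags precede the size.
    match($0, /[0-9]+ +(Mon|Tue|Wed|Thu|Fri|Sat|Sun) /) {
        flags = substr($0, 1, RSTART - 1)
        path = $NF                      # assumption: no spaces in entry names
        if (toupper(path) ~ /^META-INF\//) next
        entries++
        if (index(flags, "s") && index(flags, "m") && index(flags, "k")) next
        gsub(/ /, "", flags)
        printf "NOT TRUSTED [%s] %s\n", flags, path
        bad++
    }
    END {
        if (!verified) print "no jar verified. line seen"
        rc = (verified && entries > 0 && bad == 0) ? 0 : 1
        exit rc
    }'
}

# Constructed sample: the verbose listing shown on this page.
sample_signed() { cat <<'EOF'
smk     2149 Tue Sep 25 15:47:20 MDT 2001 100103-12/README
smk    18553 Tue Sep 25 15:47:20 MDT 2001 100103-12/4.1secure.sh
         385 Tue Sep 25 15:47:20 MDT 2001 META-INF/manifest.mf
         493 Tue Sep 25 15:47:20 MDT 2001 META-INF/zigbert.sf
        3819 Tue Sep 25 15:47:20 MDT 2001 META-INF/zigbert.rsa
jar verified.
EOF
}
# Constructed sample: same listing, but no signer certificate in the keystore (no k).
sample_untrusted() { sample_signed | sed 's/^smk /sm  /'; }

sample_signed | check_smk && echo "PASS: all payload entries are smk"
sample_untrusted | check_smk || echo "FAIL: do not run patchadd"
```

On a real system, pipe the jarsigner command shown above into check_smk and run patchadd only when it returns 0.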
Become superuser.
Unzip the patch bundle, for example:
```
# unzip 100103-12.jar
Archive:  100103-12.jar
  inflating: 100103-12/README
  inflating: 100103-12/4.1secure.sh
  inflating: META-INF/manifest.mf
  inflating: META-INF/zigbert.sf
  inflating: META-INF/zigbert.rsa
#
```
Apply the verified uncompressed signed patch, for example:
```
# patchadd /patchdb/100103-12
```