System Administration Guide: Basic Administration

Preparation for Managing Signed Patches (Task Map)

Use this map to identify all the preparation tasks that are required before you can add signed patches to your system.

| Task | Description | For Instructions |
|---|---|---|
| 1. Verify Solaris package requirements | Verify that the required Solaris packages are installed on your system to support the patch tools. | How to Verify Package Requirements for Signed Patch Tools |
| 2. Download and install a Solaris patch management tool | Select a Solaris patch management tool based on your Solaris release. | How to Download and Install the Solaris Patch Management Tools |
| 3. Import Sun certificates into the keystore | Import and accept the Sun certificates that are used to verify a patch's signature. The SUNWcert package is automatically installed when you install the signed patches tool. Do not install the SUNWcert package separately if you have already installed a signed patches tool. | How to Import Sun Certificates Into the Keystore |
| 4. (Optional) Change the keystore password | Change the password to keep the keystore secure. | How to Change the Keystore Password |
| 5. Set up your patch environment | Set up your system for adding signed patches. | How to Set Up Your Patch Environment |

Using the Solaris Patch Management Tools

Keep the following key points in mind when using the Solaris patch management tools:

How to Verify Package Requirements for Signed Patch Tools

Make sure that you have the required Solaris packages installed on your system before you install the signed patch tools. If you are running the Solaris 2.6, 7, or 8 release, you need a minimal system configuration plus some additional packages. If you are running the Solaris 9 release, you must have the Developer cluster (SUNWCprog) installed on your system to use the signed patch tools.

  1. Identify your Solaris release and select one of the following:

    1. If you are running the Solaris 2.6 release, identify whether the required packages are installed on your system:


      # pkginfo | grep SUNWmfrun
      system      SUNWmfrun      Motif RunTime Kit
      # pkginfo | grep SUNWlibC
      system      SUNWlibC       Sun Workshop Compilers Bundled libC
      # pkginfo | grep SUNWxcu4
      system      SUNWxcu4       XCU4 Utilities
    2. If you are running the Solaris 7 or 8 releases, identify whether the required packages are installed on your system:


      # pkginfo | grep SUNWmfrun
      system      SUNWmfrun      Motif RunTime Kit
      # pkginfo | grep SUNWlibC
      system      SUNWlibC       Sun Workshop Compilers Bundled libC
    3. If you are running the Solaris 9 release, verify that the required Developer cluster is installed on your system:


      # cat /var/sadm/system/admin/CLUSTER
      CLUSTER=SUNWCprog
  2. If the pkginfo commands do not return any output, you need to install the required packages.

How to Download and Install the Solaris Patch Management Tools

  1. Become superuser.

  2. Follow the links and download the appropriate tar file for your Solaris release from the following location:

    http://www.sun.com/PatchPro

  3. Select one of the following to unpack the patch tool package:

    1. If you are running the Solaris 2.6 or 7 release, uncompress and unpack the package by using the following commands:


      # uncompress SUNWpkg-name.tar.Z
      # tar xvf SUNWpkg-name.tar
      
    2. If you are running the Solaris 8 or 9 release, unpack the package by using the following command:


      # gunzip -dc SUNWpkg-name.tar.gz | tar xvf -
      
  4. Run the install script.


    # cd unzipped-pkg-dir
    # ./setup
    

    If there are errors while running the install script, see Identifying Problems With Signed Patches.

Examples—Downloading and Installing Solaris Patch Management Tools

This example shows how to download and install the Solaris 2.6 patch management tools.


# uncompress pproSunOSsparc5.6jre2.1.tar.Z
# tar xvf pproSunOSsparc5.6jre2.1.tar 
.
.
.
# cd pproSunOSsparc5.6jre2.1
# ./setup
.
.
.

This example shows how to download and install the Solaris 9 patch management tools.


# gunzip -dc pproSunOSsparc5.9jre2.1.tar.gz | tar xvf -
.
.
# cd pproSunOSsparc5.9jre2.1
# ./setup
.
.
.

How to Import Sun Certificates Into the Keystore

Use the keytool command to import and verify the Sun certificates that are used to verify the signed patches you want to add to your system. You must do this task even if you imported the certificates from a previous installation.


Note –

The SUNWcert package is automatically installed when you install the signed patches tool. Do not install the SUNWcert package separately if you have already installed a signed patches tool.


  1. Verify that you have completed the prerequisite task, which is to download one of the Solaris patch management tools.

  2. Become superuser.

  3. Determine the fingerprints of your Sun root certificate and Sun class B certificate.


    # /usr/j2se/bin/keytool -printcert -file /etc/certs/SUNW/smirootcacert.b64
    # /usr/j2se/bin/keytool -printcert -file /etc/certs/SUNW/smicacert.b64
    
  4. Verify that the output of these commands matches the Sun root and class B certificate fingerprints displayed at:


    https://www.sun.com/pki/ca/
    
  5. Accept the Sun class B certificate by importing it into your system:


    # /usr/j2se/bin/keytool -import -alias smicacert -file /etc/certs/SUNW/smicacert.b64 -keystore /usr/j2se/jre/lib/security/cacerts
    Enter keystore password:  changeit
    Owner: O=Sun Microsystems Inc, CN=Sun Microsystems Inc CA (Class B)
    Issuer: CN=Sun Microsystems Inc Root CA, O=Sun Microsystems Inc, C=US
    Serial number: 1000006
    Valid from: Mon Nov 13 12:23:10 MST 2000 until: Fri Nov 13 12:23:10 MST 2009
    Certificate fingerprints:
             MD5:  B4:1F:E1:0D:80:7D:B1:AB:15:5C:78:CB:C8:8F:CE:37
             SHA1: 1E:38:11:02:F0:5D:A3:27:5C:F9:6E:B1:1F:C4:79:95:E9:6E:D6:DF
    Trust this certificate? [no]:  yes
    Certificate was added to keystore
  6. Accept the Sun root certificate by importing it into your system:


    # /usr/j2se/bin/keytool -import -alias smirootcacert -file /etc/certs/SUNW/smirootcacert.b64 -keystore /usr/j2se/jre/lib/security/cacerts
    Enter keystore password:  changeit
    Owner: CN=Sun Microsystems Inc Root CA, O=Sun Microsystems Inc, C=US
    Issuer: CN=GTE CyberTrust Root, O=GTE Corporation, C=US
    Serial number: 200014a
    Valid from: Tue Nov 07 15:39:00 MST 2000 until: Thu Nov 07 16:59:00 MST 2002
    Certificate fingerprints:
             MD5:  D8:B6:68:D4:6B:04:B9:5A:EB:34:23:54:B8:F3:97:8C
             SHA1: BD:D9:0B:DA:AE:91:5F:33:C4:3D:10:E3:77:F0:45:09:4A:E8:A2:98
    Trust this certificate? [no]:  yes
    Certificate was added to keystore
  7. Accept the patch signing certificate by importing it into your system:


    # /usr/j2se/bin/keytool -import -alias patchsigning -file /opt/SUNWppro/etc/certs/patchsigningcert.b64 -keystore /usr/j2se/jre/lib/security/cacerts
    Enter keystore password:  changeit
    Owner: CN=Enterprise Services Patch Management, O=Sun Microsystems Inc
    Issuer: O=Sun Microsystems Inc, CN=Sun Microsystems Inc CA (Class B)
    Serial number: 1400007b
    Valid from: Mon Sep 24 14:38:53 MDT 2001 until: Sun Sep 24 14:38:53 MDT 2006
    Certificate fingerprints:
             MD5:  6F:63:51:C4:3D:92:C5:B9:A7:90:2F:FB:C0:68:66:16
             SHA1: D0:8D:7B:2D:06:AF:1F:37:5C:0D:1B:A0:B3:CB:A0:2E:90:D6:45:0C
    Trust this certificate? [no]:  yes
    Certificate was added to keystore
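
Steps 3 and 4 ask you to compare the keytool output with the published fingerprints by eye; the shell functions below do that comparison mechanically. This is an added example, not part of the original guide: the function names are hypothetical, the sample input is constructed from the class B certificate listing shown in step 5, and in real use the reference value must come from the trusted source named in step 4.

```shell
#!/bin/sh
# Added example (not from the original guide): check a certificate fingerprint
# printed by `keytool -printcert` against a reference value before importing.
# All function names here are hypothetical.

# Print the fingerprint of type $1 (MD5 or SHA1) found in keytool output on stdin.
extract_fp() {
    awk '$1 == k { print $2; exit }' k="$1:"
}

# Strip colons and whitespace and upper-case the hex digits, so that
# "1e:38:..." and "1E38..." compare equal.
normalize_fp() {
    printf '%s' "$1" | tr -d ': \t\r\n' | tr 'abcdef' 'ABCDEF'
}

# check_fp TYPE EXPECTED < keytool-output
# Returns 0 on match, 1 on mismatch, 2 if no fingerprint of that type is present.
check_fp() {
    expected=$(normalize_fp "$2")
    actual=$(normalize_fp "$(extract_fp "$1")")
    if [ -z "$actual" ]; then
        echo "no $1 fingerprint found in input" >&2
        return 2
    fi
    if [ "$actual" != "$expected" ]; then
        echo "$1 fingerprint MISMATCH: got $actual, expected $expected" >&2
        return 1
    fi
    echo "$1 fingerprint matches"
}

# Constructed sample input: the class B certificate details as listed in step 5.
sample_printcert() {
    cat <<'EOF'
Owner: O=Sun Microsystems Inc, CN=Sun Microsystems Inc CA (Class B)
Issuer: CN=Sun Microsystems Inc Root CA, O=Sun Microsystems Inc, C=US
Serial number: 1000006
Certificate fingerprints:
         MD5:  B4:1F:E1:0D:80:7D:B1:AB:15:5C:78:CB:C8:8F:CE:37
         SHA1: 1E:38:11:02:F0:5D:A3:27:5C:F9:6E:B1:1F:C4:79:95:E9:6E:D6:DF
EOF
}

# Real use: pipe keytool into check_fp with the value read from the trusted page:
#   /usr/j2se/bin/keytool -printcert -file /etc/certs/SUNW/smicacert.b64 |
#       check_fp SHA1 "<fingerprint from https://www.sun.com/pki/ca/>"
sample_printcert | check_fp SHA1 "1e:38:11:02:f0:5d:a3:27:5c:f9:6e:b1:1f:c4:79:95:e9:6e:d6:df"
```

Run the check for each certificate file and proceed to the import steps only when it returns 0.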

How to Change the Keystore Password

  1. Become superuser.

  2. Change the keystore password.


    # /usr/j2se/bin/keytool -storepasswd -keystore /usr/j2se/jre/lib/security/cacerts
    Enter keystore password:  changeit
    New keystore password:  new-password
    Re-enter new keystore password:  new-password
    

How to Set Up Your Patch Environment

  1. Become superuser.

  2. Add patch tool directories to your path.


    # PATH=/usr/sadm/bin:/opt/SUNWppro/bin:$PATH
    # export PATH
    
  3. (Optional) Identify the hardware on your system so that you can use the smpatch analyze command to determine whether you need specific patches based on your hardware configuration.


    # pprosetup -H
    
    Change Hardware Configuration.
    Analyzing this computer.
    ..............

    This command only identifies Sun's Network Storage products.

  4. Identify the types of patches that you will be adding to the system.


    # pprosetup -i standard:singleuser:rebootafter:reconfigafter
    

    This command establishes the default patch policy for your system.

  5. (Optional) If you want to add contract signed patches to your system, do the following steps to define your SunSolve username and password.

    1. Define your SunSolve username.


      # pprosetup -u username
      
    2. Define your SunSolve password by adding the password to the following file:


      /opt/SUNWppro/lib/.sunsolvepw
  6. Identify a proxy server so that the patch tool can download patches to your system.

    1. If your system is behind a firewall, you need to define a proxy server that can access the patchpro.sun.com server and one of the following Sun patch servers that are used to download patches:

      • americas.patchmanager.sun.com (default)

      • emea.patchmanager.sun.com

      • japan.patchmanager.sun.com

    2. Identify the selected proxy server by using the following command:


      # pprosetup -x proxy-server:proxy-port
      

      For example, if you selected webaccess.corp.net.com as the proxy server, the pprosetup command would look like this:


      # pprosetup -x webaccess.corp.net.com:8080
      

Where to Go From Here

If you have completed all the signed patch preparation tasks, you can now add signed patches with the patch management tools.