Chapter 24 Managing Solaris Patches (Overview)
Patch management involves listing or adding Solaris patches from a system running the Solaris release. Patch management might also involve removing unwanted or faulty patches. Removing patches is also called backing out patches.
This is a list of the overview information in this chapter.
For step-by-step instructions on adding a patch to your system, see High-Level View of Managing Patches in the Solaris Environment (Task Map).
For information on adding patches to diskless client systems, see Patching Diskless Client OS Services.
What Is a Patch?
A patch is a collection of files and directories that replace or update existing files and directories that are preventing proper execution of the existing software. The existing software is derived from a specified package format, which conforms to the Application Binary Interface. For details about packages, see Chapter 22, Managing Software (Overview).
What Is a Signed Patch?
A signed patch is a patch with a digital signature. A patch with a valid digital signature ensures that the patch has not been modified since the signature was applied to the patch. Using signed patches is a more secure method of downloading or adding patches because the patches include a digital signature that can be verified before the patch is added to your system.
Patches that are available for the Solaris 2.6, 7, 8, and 9 releases include a digital signature. Patches without a digital signature, or unsigned patches, are also available, but eventually, all patches will be signed patches. A valid digital signature ensures that the patch has not been modified since the signature was applied.
Signed patches are stored in Java archive format (JAR) files and are available from the SunSolve OnlineSM web site.
Using Sun's Certificates to Verify Signed Patches
Digital certificates, issued and authenticated by Sun Microsystems, are used to verify that the downloaded patch archive with the digital signature has not been compromised. These certificates are imported into your system's keystore. A keystore is a protected database that stores the keys and certificates from Sun. The keytool command is used to import the certificates into your system's keystore. For information on using the keytool command, see How to Import Sun Certificates Into the Keystore.
Access to a keystore is protected by a special password that you specify when you import the Sun certificates into your system's keystore.
The SUNWcert package contains Sun's certificate authority (CA) that you need to verify a patch's signatures. You can obtain the SUNWcert package from the following methods:
-
For Solaris 2.6, 7, and 8 releases – The SUNWcert package is automatically installed when you download and install the Solaris 2.6, 7, or 8 patch management tools.
-
For Solaris 9 releases – The SUNWcert package is automatically installed when you download and install the Solaris 9 patch management tools.
-
Download from one of the following secure sites:
You can verify that the certificates in the SUNWcert package match the certificate information at http://www.sun.com/pki/index.html.
SunPKI Registration Authorities
Sun Public Key Infrastructure (SunPKI) architecture is designed with one top-level certificate, called the Root CA (Certificate Authority) and a subordinate CA, which is the Sun Microsystems Inc., CA (Class B) certificate. An additional certificate issued by Sun Enterprise Services, called the patch management certificate, is used to verify the digital signatures on signed patches.
The Sun Root CA, Sun Class B CA, and the patch signing certificate are included in the SUNWcert package.
These three certificates provide a certificate chain of trust in the patch verification process whereby the Sun Root CA trusts the Class B CA, and the Class B CA trusts the patch management certificate. And ultimately, the GTE CyberTrust CA trusts the Sun Root CA.
Sun certificates are issued by Baltimore Technologies, who recently bought GTE CyberTrust.
A certification authority certifies the relationship between public keys that are used to decrypt the digital signature with the patch and the owner of the public keys.
The Sun CA process means the following:
-
Sun has issued and authenticated the digital certificates.
-
The public key in the certificate is paired with a private key that is held by Sun.
-
These certificates can be used for business purposes only and can be revoked or suspended if the certificate user violates Sun's certificate policy.
For more information about Sun's certificate policy, go to http://www.sun.com/pki/cps.html.
Revoked Sun Certificates
If the Sun Root or Class B certificates are stolen or lost, a revoked certificate list is posted at http://www.sun.com/pki/ca/pkismica.crl.html.
You should view this site occasionally to verify that your imported certificates are still valid. If your imported certificates are revoked, remove them from your keystore and import the replaced certificates.
If the patch signing certificate is revoked, the existing signed patches on the SunSolve web site are removed and replaced by patches with a new digital signature.
Accessing Solaris Patches
All Sun customers can access patches through the SunSolve OnlineSM web site. The following table describes the various ways to access Solaris patches.
Table 24–1 Ways to Access Solaris Patches
You can access Solaris patches from a web site or by using anonymous ftp.
To access patches from a web site, you need a system that is:
-
Connected to the Internet
-
Capable of running a web browser such as the NetscapeTM software.
To access patches by anonymous ftp, you need a system that is:
-
Connected to the Internet
-
Capable of running the ftp program
Access patches from the SunSolve OnlineSM web site by using the following URL:
http://sunsolve.Sun.COM/pub-cgi/show.pl?target=patches/patch-access |
You can install either a patch cluster of recommended patches or individual patches that are freely available. Patch reports are also available.
Solaris Patch Numbering
Patches are identified by unique alphanumeric strings, with the patch base code first, a hyphen, and a number that represents the patch revision number. For example, patch 108528-10 is a patch ID for the SunOS 5.8 kernel update patch.
Tools for Managing Solaris Patches
The following table summarizes Solaris patch management features.
|
Feature |
patchadd/patchrm Commands |
Solaris 2.6, 7, and 8 Patch Management Tools |
Solaris 9 Patch Management Tools |
PatchPro Interactive or PatchPro Expert |
|---|---|---|---|---|
|
How do I get this tool? |
Bundled in Solaris release (SUNWswmt) |
Must download tool from http://www.sun.com/PatchPro |
Must download tool from http://www.sun.com/PatchPro |
Run tool from http://www.sun.com/PatchPro |
|
Solaris release availability |
Solaris 2.6, 7, 8, and 9 |
Solaris 2.6, 7, and 8 |
Solaris 9 |
Solaris 2.6, 7, 8, and 9 |
|
Adds signed patches? |
Yes* |
Yes, and automatically verifies the signed patch when it is downloaded |
Yes, and automatically verifies the signed patch when it is downloaded |
No |
|
Adds unsigned patches? |
Yes |
No |
Yes |
Yes |
|
GUI available? |
No |
No |
Yes |
No |
|
Analyzes system for required patches and downloads signed or unsigned patches |
No |
Yes, both signed and unsigned patches |
Yes, both signed and unsigned patches |
Yes, unsigned patches only |
|
Local and remote system patch support |
Local |
Local |
Local and Remote |
No |
|
RBAC support? |
No |
No |
Yes |
No |
*You can unpack a signed patch and add it to your system with the patchadd command, but the digital signature will be lost. For information on manually verifying a signed patch and adding it with the patchadd command, see http://sunsolve.Sun.COM/patches/spag.pdf.
Detailed information about how to install and back out a patch is provided in the patchadd(1M) and patchrm(1M) man pages. Each patch also contains a README file that contains information about the patch.
Solaris Patch Management Tools for Signed Patches
Solaris Patch Manager Base Version 1.0, which is the smpatch command, is used to manage signed patches on systems running the Solaris 2.6, 7, and 8 releases. You can use the smpatch command with PatchPro 2.1 to manage signed patches on systems running the Solaris 9 release.
Both signed patch tools provide the following capabilities:
-
They analyze patch requirements and download signed patches on the local system only. Similar to PatchPro Expert, this tool reads the /etc/patchpro_hdw.conf file to determine what hardware is installed. Other than this feature, the two tools are entirely independent.
-
They apply one or more signed patches in JAR format, which also authenticates the patch or patches to be added.
-
They remove one or more patches, which checks patch dependencies before removing the patch or patches.
-
You can set up a default patch policy that allows the installation of various patch types such as clientroot, clientusr, rebootafter, or standard patches.
-
If you upgrade to the Solaris 9 release, the smpatch command is automatically upgraded to the lastest version.
The patchadd command is still available to add unsigned patches to systems running the Solaris 2.6, 7, 8, and 9 releases. You cannot use Patch Manager Base Version 1.0 to add unsigned patches on these systems.
Restrictions When Using Solaris 2.6, 7, or 8 Signed Patch Tools
The Solaris 2.6, 7, and 8 signed patch tools limitations are:
-
You cannot install signed patches to alternate boot environments nor to diskless clients.
-
You cannot install patches that do not have a digital signature.
-
You cannot install patches with the rebootimmediate, reconfigimmediate, or nonconforming attributes.
Package Requirements for Solaris Patch Management Tools
When you install the patch management tools, several Solaris packages are added to your system, including some Java packages, that are required for the tools to run. In addition, several packages must be installed on your system before you can install the patch tools. These packages are as follows:
-
Solaris 2.6 release – Core cluster plus the SUNWmfrun, SUNWlibC, and SUNWxcu4 packages.
-
Solaris 7 and 8 releases – Core cluster plus the SUNWmfrun and SUNWlibC packages.
-
Solaris 9 release – Developer cluster (SUNWprog) is required if you are using the Solaris Management Console Patches Tool with PatchPro 2.1.
For information on verifying whether the required Solaris packages are installed on your system, see How to Verify Package Requirements for Signed Patch Tools.
Downloading the Solaris Patch Management Tools
You can download the Solaris patch management tools from the following location:
Follow the links for your Solaris release and select the appropriate tar file.
Selecting the Best Method for Adding Signed Patches
After you have installed a patch management tool, you can use several different methods of downloading or adding a signed patch or patches to your system. Use the following table to determine which method is best for your needs.
|
Command or Tool |
Description |
For More Information |
|---|---|---|
|
smpatch update |
Use this command to identify required patches, and then, automatically download and add the patches to your system. | |
|
smpatch analyze |
Use this command to identify required patches and display a list of required patch IDs for your system. Then, you could use the smpatch download and smpatch add commands to download and add the patches to your system. |
smpatch(1M) |
|
smpatch download and smpatch add |
Use these commands to download and add a patch or patches to your system. These commands also download and add any prerequisite patches. |
Examples—Downloading and Adding a Signed Patch on a Solaris System (smpatch Command) |
|
ftp and smpatch add |
Use the ftp command to transfer a patch or patches to your system. Then, use the smpatch add command to add the patch or patches to your system. |
Examples—Downloading and Adding a Signed Patch on a Solaris System (smpatch Command) |
|
Solaris Management Console Patches Tool |
For Solaris 9 systems only – Use this tool when you want the convenience of a GUI tool to manage signed patches. |
Solaris Management Console online help |
- © 2010, Oracle Corporation and/or its affiliates