Use this map to identify all the preparation tasks that are required before you can add signed patches to your system.
Task | Description | For Instructions |
---|---|---|
1. Verify Solaris package requirements | Verify that the required Solaris packages are installed on your system to support the patch tools. | |
2. Download and install a Solaris patch management tool | Select a Solaris patch management tool based on your Solaris release. | How to Download and Install the Solaris Patch Management Tools |
3. Import Sun certificates into the keystore | Import and accept the Sun certificates that are used to verify a patch's signature. The SUNWcert package is automatically installed when you install the signed patches tool. Do not install the SUNWcert package separately if you have already installed a signed patches tool. | |
4. (Optional) Change the keystore password | Change the password to keep the keystore secure. | |
5. Set up your patch environment | Set up your system for adding signed patches. | |

Keep the following key points in mind when using the Solaris patch management tools:
Make sure your systems are currently up-to-date with patches, including the appropriate kernel update patches, Java patches, and the recommended patch clusters.
You will have to manually import the Sun certificates used to verify a patch's signature after installing the Solaris patch management tools.
Solaris 2.6, 7, or 8 only – If you have previous versions of the PatchPro software on your system, the older versions will be upgraded when Solaris Patch Manager Base Version 1.0 is installed.
Install patches on a quiet system, preferably in single-user mode.
Signed patches are verified when they are downloaded with the smpatch download command.
However, on a Solaris 9 system, no patch signature validation message is displayed during the patch download, even if the patch signature is successfully verified. If the patch signature verification fails, then the patch is not downloaded to your system.
Solaris 9 only – The smpatch command prompts you for authentication information if you do not specify the authentication information in the smpatch command line.
For example, you can specify authentication information to the smpatch command using the following syntax:
```
# smpatch add -p mypassword -u root -- -i patch-ID
```
Or, you can let the smpatch command prompt you for the authentication information, which keeps the password out of the process listing and shell history. For example:
```
# /usr/sadm/bin/smpatch add -i patch-ID
Authenticating as user: root
Type /? for help, pressing <enter> accepts the default denoted by [ ]
Please enter a string value for: password ::
Loading Tool: com.sun.admin.patchmgr.cli.PatchMgrCli from starbug
Login to starbug as user root was successful.
Download of com.sun.admin.patchmgr.cli.PatchMgrCli from starbug was successful.
```
Use the /opt/SUNWppro/bin/uninstallpatchpro script if you need to uninstall PatchPro 2.1. Do not attempt to remove PatchPro 2.1 using this script if your current directory is /opt/SUNWppro/bin. Set your path as described in How to Set Up Your Patch Environment and then run the uninstallpatchpro script from the root (/) directory, for example.
Make sure that you have the required Solaris packages installed on your system before you install the signed patch tools. If you are running the Solaris 2.6, 7, or 8 release, you need a minimal system configuration plus some additional packages. If you are running the Solaris 9 release, you must have the Developer cluster (SUNWCprog) installed on your system to use the signed patch tools.
Identify your Solaris release and select one of the following:
If you are running the Solaris 2.6 release, identify whether the required packages are installed on your system:
```
# pkginfo | grep SUNWmfrun
system      SUNWmfrun      Motif RunTime Kit
# pkginfo | grep SUNWlibC
system      SUNWlibC       Sun Workshop Compilers Bundled libC
# pkginfo | grep SUNWxcu4
system      SUNWxcu4       XCU4 Utilities
```
If you are running the Solaris 7 or 8 releases, identify whether the required packages are installed on your system:
```
# pkginfo | grep SUNWmfrun
system      SUNWmfrun      Motif RunTime Kit
# pkginfo | grep SUNWlibC
system      SUNWlibC       Sun Workshop Compilers Bundled libC
```
If you are running the Solaris 9 release, verify that the required Developer cluster is installed on your system:
```
# cat /var/sadm/system/admin/CLUSTER
CLUSTER=SUNWCprog
```
If the pkginfo commands do not return any output, you need to install the required packages.
Become superuser.
Follow the links and download the appropriate tar file for your Solaris release from the following location:
Select one of the following to unpack the patch tool package:
If you are running the Solaris 2.6 or 7 release, uncompress and unpack the package by using the following commands:
```
# uncompress SUNWpkg-name.tar.Z
# tar xvf SUNWpkg-name.tar
```
If you are running the Solaris 8 or 9 release, unpack the package by using the following command:
```
# gunzip -dc SUNWpkg-name.tar.gz | tar xvf -
```
Run the install script.
```
# cd unzipped-pkg-dir
# ./setup
```
If there are errors while running the install script, see Troubleshooting Problems With Signed Patches.
This example shows how to download and install the Solaris 2.6 patch management tools.
```
# uncompress pproSunOSsparc5.6jre2.1.tar.Z
# tar xvf pproSunOSsparc5.6jre2.1.tar
.
.
.
# cd pproSunOSsparc5.6jre2.1
# ./setup
.
.
.
```
This example shows how to download and install the Solaris 9 patch management tools.
```
# gunzip -dc pproSunOSsparc5.9jre2.1.tar.gz | tar xvf -
.
.
# cd pproSunOSsparc5.9jre2.1
# ./setup
.
.
.
```
Use the keytool command to import and verify the Sun certificates that are used to verify the signed patches you want to add to your system. You must do this task even if you imported the certificates from a previous installation.
The SUNWcert package is automatically installed when you install the signed patches tool. Do not install the SUNWcert package separately if you have already installed a signed patches tool.
Verify that you have completed the prerequisite task, which is to download one of the Solaris patch management tools.
Become superuser.
Determine the fingerprints of your Sun root certificate and Sun class B certificate.
```
# /usr/j2se/bin/keytool -printcert -file /etc/certs/SUNW/smirootcacert.b64
# /usr/j2se/bin/keytool -printcert -file /etc/certs/SUNW/smicacert.b64
```
Verify that the output of these commands matches the Sun root and class B certificate fingerprints displayed at:
https://www.sun.com/pki/ca/
Accept the Sun class B certificate by importing it into your system:
```
# /usr/j2se/bin/keytool -import -alias smicacert \
    -file /etc/certs/SUNW/smicacert.b64 \
    -keystore /usr/j2se/jre/lib/security/cacerts
Enter keystore password: changeit
Owner: O=Sun Microsystems Inc, CN=Sun Microsystems Inc CA (Class B)
Issuer: CN=Sun Microsystems Inc Root CA, O=Sun Microsystems Inc, C=US
Serial number: 1000006
Valid from: Mon Nov 13 12:23:10 MST 2000 until: Fri Nov 13 12:23:10 MST 2009
Certificate fingerprints:
         MD5:  B4:1F:E1:0D:80:7D:B1:AB:15:5C:78:CB:C8:8F:CE:37
         SHA1: 1E:38:11:02:F0:5D:A3:27:5C:F9:6E:B1:1F:C4:79:95:E9:6E:D6:DF
Trust this certificate? [no]: yes
Certificate was added to keystore
```
Accept the Sun root certificate by importing it into your system:
```
# /usr/j2se/bin/keytool -import -alias smirootcacert \
    -file /etc/certs/SUNW/smirootcacert.b64 \
    -keystore /usr/j2se/jre/lib/security/cacerts
Enter keystore password: changeit
Owner: CN=Sun Microsystems Inc Root CA, O=Sun Microsystems Inc, C=US
Issuer: CN=GTE CyberTrust Root, O=GTE Corporation, C=US
Serial number: 200014a
Valid from: Tue Nov 07 15:39:00 MST 2000 until: Thu Nov 07 16:59:00 MST 2002
Certificate fingerprints:
         MD5:  D8:B6:68:D4:6B:04:B9:5A:EB:34:23:54:B8:F3:97:8C
         SHA1: BD:D9:0B:DA:AE:91:5F:33:C4:3D:10:E3:77:F0:45:09:4A:E8:A2:98
Trust this certificate? [no]: yes
Certificate was added to keystore
```
Accept the patch signing certificate by importing it into your system:
```
# /usr/j2se/bin/keytool -import -alias patchsigning \
    -file /opt/SUNWppro/etc/certs/patchsigningcert.b64 \
    -keystore /usr/j2se/jre/lib/security/cacerts
Enter keystore password: changeit
Owner: CN=Enterprise Services Patch Management, O=Sun Microsystems Inc
Issuer: O=Sun Microsystems Inc, CN=Sun Microsystems Inc CA (Class B)
Serial number: 1400007b
Valid from: Mon Sep 24 14:38:53 MDT 2001 until: Sun Sep 24 14:38:53 MDT 2006
Certificate fingerprints:
         MD5:  6F:63:51:C4:3D:92:C5:B9:A7:90:2F:FB:C0:68:66:16
         SHA1: D0:8D:7B:2D:06:AF:1F:37:5C:0D:1B:A0:B3:CB:A0:2E:90:D6:45:0C
Trust this certificate? [no]: yes
Certificate was added to keystore
```
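The fingerprint comparison in the verification step above can be scripted rather than done by eye, so that a certificate is imported only when both digests match. This is an added example, not part of the original Sun documentation; it assumes a POSIX shell, and the function names (`extract_fp`, `check_fp`, `verify_cert`) are hypothetical. The reference values must come from the CA's published page; here the Class B values printed on this page stand in for them, and the script runs against constructed sample output.

```shell
#!/bin/sh
# Added example: script the fingerprint check that precedes keytool -import.
# Assumes a POSIX shell; all function and variable names are illustrative.

# Print the MD5 or SHA1 fingerprint found in `keytool -printcert` output on
# stdin, as upper-case hex with the colons removed.
extract_fp() {
    sed -n "s/^[[:space:]]*$1:[[:space:]]*\([0-9A-Fa-f:]*\).*/\1/p" |
        head -n 1 | tr -d ':' | tr 'a-f' 'A-F'
}

# Same normalisation for a reference value copied from the CA's page.
normalise() { printf '%s' "$1" | tr -d ': \t' | tr 'a-f' 'A-F'; }

# usage: check_fp ALGO REFERENCE < keytool-output
# Returns 0 on match, 1 on mismatch, 2 if no such fingerprint is present.
check_fp() {
    seen=$(extract_fp "$1")
    want=$(normalise "$2")
    [ -n "$seen" ] || { echo "$1: no fingerprint in input" >&2; return 2; }
    [ "$seen" = "$want" ] || { echo "$1: MISMATCH, do not import" >&2; return 1; }
    echo "$1: match"
}

# usage: verify_cert REF_MD5 REF_SHA1 < keytool-output
# Both digests must match; any failure returns non-zero.
verify_cert() {
    out=$(cat)
    printf '%s\n' "$out" | check_fp MD5 "$1" || return 1
    printf '%s\n' "$out" | check_fp SHA1 "$2" || return 1
}

# Reference values: in practice, read them from the CA's published page.
# Here they are the Class B values shown in the import step on this page.
REF_MD5='B4:1F:E1:0D:80:7D:B1:AB:15:5C:78:CB:C8:8F:CE:37'
REF_SHA1='1E:38:11:02:F0:5D:A3:27:5C:F9:6E:B1:1F:C4:79:95:E9:6E:D6:DF'

# Constructed sample in keytool's output layout (not a live capture).
SAMPLE="Owner: O=Sun Microsystems Inc, CN=Sun Microsystems Inc CA (Class B)
Certificate fingerprints:
         MD5:  $REF_MD5
         SHA1: $REF_SHA1"
# Constructed tampered copy: first SHA1 byte changed from 1E to 2E.
TAMPERED=$(printf '%s\n' "$SAMPLE" | sed 's/SHA1: 1E/SHA1: 2E/')

# Real use: keytool -printcert -file CERT | verify_cert "$REF_MD5" "$REF_SHA1"
printf '%s\n' "$SAMPLE" | verify_cert "$REF_MD5" "$REF_SHA1" && echo "verified"
```

Run the check once per certificate file with that certificate's own reference values, and proceed to `keytool -import` only on a zero exit status.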
Become superuser.
Change the keystore password.
```
# /usr/j2se/bin/keytool -storepasswd \
    -keystore /usr/j2se/jre/lib/security/cacerts
Enter keystore password: changeit
New keystore password: new-password
Re-enter new keystore password: new-password
```
Become superuser.
Add patch tool directories to your path.
```
# PATH=/usr/sadm/bin:/opt/SUNWppro/bin:$PATH
# export PATH
```
(Optional) Identify the hardware on your system so that you can use the smpatch analyze command to determine whether you need specific patches based on your hardware configuration.
```
# pprosetup -H
Change Hardware Configuration.
Analyzing this computer.
..............
```
This command only identifies Sun's Network Storage products.
Identify the types of patches that you will be adding to the system.
```
# pprosetup -i standard:singleuser:rebootafter:reconfigafter
```
This command establishes the default patch policy for your system.
(Optional) If you want to add contract signed patches to your system, do the following steps to define your SunSolve username and password.
Identify a proxy server so that the patch tool can download patches to your system.
If your system is behind a firewall, you need to define a proxy server that can access the patchpro.sun.com server and one of the following Sun patch servers that are used to download patches:
americas.patchmanager.sun.com (default)
emea.patchmanager.sun.com
japan.patchmanager.sun.com
Identify the selected proxy server by using the following command:
```
# pprosetup -x proxy-server:proxy-port
```
For example, if you selected webaccess.corp.net.com as the proxy server, the pprosetup command would look like this:
```
# pprosetup -x webaccess.corp.net.com:8080
```
If you have completed all the signed patch preparation tasks, you can now add signed patches with the patch management tools.