This chapter provides step-by-step instructions for managing patches in the Solaris environment.
This is a list of the task maps in this chapter.
For overview information about managing patches in the Solaris environment, see Chapter 24, Managing Solaris Patches (Overview).
For information on troubleshooting problems with the smpatch command, see http://sunsolve.Sun.COM/pub-cgi/show.pl?target=patches/spfaq.
Use this map to identify all the tasks for managing patches in the Solaris environment. Each task points to a series of additional tasks such as managing signed or unsigned patches.
Task |
Description |
For Instructions |
---|---|---|
Identify disk space requirements for patches |
Identify whether your system has enough disk space to download or spool patches. | |
Determine if adding signed or unsigned patches |
Determine whether adding signed or unsigned patches is best for your environment. | |
Add a signed or unsigned patch to your system |
You can add signed patches with either of the following commands: |
|
|
Use the patchadd command in the Solaris 9 12/03 release. |
How to Automatically Download and Add a Signed Solaris Patch (patchadd) |
|
Use the smpatch command in the Solaris 2.6, 7, 8, or 9 releases. |
|
|
smpatch command – Prepare your system for this method. |
Preparation for Managing Signed Patches with smpatch Command (Task Map) |
|
smpatch command – Add signed patches to your system. | |
|
Add an unsigned patch to your system. |
Keep the following disk space considerations in mind before you begin downloading or spooling patches:
The default download directory for signed patches is /var/sadm/spool. Unsigned patches that are spooled are also stored in /var/sadm/spool.
The patch download process might use more disk space than anticipated because multiple patches can be downloaded, if prerequisite patches are required by the patch that you downloaded.
Signed patches are unpacked in the /var/sadm/spool directory before they are installed. Be sure you have enough disk space in the /var directory for this process.
If your /var directory is not large enough to support the downloading and unpacking of signed patches, you can use the smpatch command with the -d option to specify an alternate patch download directory.
You can safely remove the patches from the /var/sadm/spool directory after they are successfully downloaded and added to your system to reclaim disk space in the /var directory.
The key factor in determining when to add signed or unsigned patches is whether or not the secure download of patches is important in your environment. If the secure download of patches is important in your environment, then add signed patches to your system.
Task |
Description |
For Instructions |
---|---|---|
1. Set up the package keystore |
Import Sun's Root CA certificate into your package keystore. |
How to Import a Trusted Certificate into Your Package Keystore (pkgadm addcert) |
2. Download and add the signed patch |
Select one of the following to download and add the signed patch to your system with the patchadd command. |
|
|
You can manually download and add a signed Solaris patch. |
How to Manually Download and Add a Signed Solaris Patch (patchadd) |
|
You can automatically download and add a signed Solaris patch. |
How to Automatically Download and Add a Signed Solaris Patch (patchadd) |
3. Add the signed patch |
Add the signed patch with the patchadd command. |
To add signed patches to your system with the patchadd command, you will need to add Sun's Root CA certificate, at the very least, to verify the signature on your signed patch. You can import this certificate from the Java keystore into the package keystore.
Become superuser or assume an equivalent role.
Export the Root CA certificate from the Java keystore into a temporary file.
For example:
# keytool -export -storepass changeit -alias gtecybertrustca -keystore gtecybertrustca -keystore /usr/j2se/jre/lib/security/cacerts -file /tmp/root.crt Certificate stored in file </tmp/root.crt> |
-export |
Exports the trusted certificate. |
-storepass storepass |
Specifies the password that protects the integrity of the Java keystore. |
-alias gtecybertrustca |
Identifies the alias of the trusted certificate. |
-keystore certfile |
Specifies the name and location of the keystore file. |
-file filename |
Identifies the file to hold the exported certificate. |
Import the Root CA certificate into the package keystore from the temporary file.
For example:
# pkgadm addcert -t -f der /tmp/root.crt Enter Keystore Password: storepass Keystore Alias: GTE CyberTrust Root Common Name: GTE CyberTrust Root Certificate Type: Trusted Certificate Issuer Common Name: GTE CyberTrust Root Validity Dates: <Feb 23 23:01:00 1996 GMT>-<Feb 23 23:59:00 ... MD5 Fingerprint: C4:D7:F0:B2:A3:C5:7D:61:67:F0:04:CD:43:D3:BA:58 SHA1 Fingerprint: 90:DE:DE:9E:4C:4E:9F:6F:D8:86:17:57:9D:D3:91... Are you sure you want to trust this certificate? yes Trusting certificate <GTE CyberTrust Root> Type a Keystore protection Password. Press ENTER for no protection password (not recommended): For Verification: Type a Keystore protection Password. Press ENTER for no protection password (not recommended): Certificate(s) from </tmp/root.crt> are now trusted |
-t |
Indicates that the certificate is a trusted CA certificate. The command output includes the details of the certificate, which the user is asked to verify. |
-f format |
Specifies the format of the certificates or private key. When importing a certificate, it must be encoded using either the PEM (pem) or binary DER (der) format. |
certfile |
Specifies the file that contains the certificate. |
Display the certificate information.
For example:
# pkgadm listcert -P pass:storepass Keystore Alias: GTE CyberTrust Root Common Name: GTE CyberTrust Root Certificate Type: Trusted Certificate Issuer Common Name: GTE CyberTrust Root Validity Dates: <Feb 23 23:01:00 1996 GMT>-<Feb 23 23:59:00 2006 GMT> MD5 Fingerprint: C4:D7:F0:B2:A3:C5:7D:61:67:F0:04:CD:43:D3:BA:58 SHA1 Fingerprint: 90:DE:DE:9E:4C:4E:9F:6F:D8:86:17:57:9D:D3:91: BC:65:A6:89:64 |
Remove the temporary file.
For example:
# rm /tmp/root.crt |
You can use this procedure when you want to manually download the signed Solaris patch, and then add the signed Solaris patch in a separate step.
This procedure assumes that you have set up the package keystore.
(Optional) Log in to the system where the patch will be applied.
Or, you can download the patch and use the ftp command to copy the patch to the target system.
Open a web browser and go to the SunSolve Online Web site:
http://sunsolve.Sun.COM/pub-cgi/show.pl?target=patches/patch-access |
Determine if you are going to download a specific patch or patch cluster. Then select one of the following:
Type the patch number (patch-ID) in the “Find Patch” search field. Then, click on Find Patch.
Entering patch-ID downloads the latest patch revision.
If this patch is freely available, the patch README is displayed. If this patch is not freely available, an ACCESS DENIED message is displayed.
There are different patch numbers for SPARC and x86 systems, which are listed in the displayed patch README. Make sure you install the patch that matches your system architecture.
Click on a recommended patch cluster based on the Solaris release running on the system to be patched.
Click the Download Signed Patch (n bytes) HTTPS or FTP button.
After the signed patch or patches are downloaded successfully, close the web browser.
Change to the directory that contains the downloaded patch package, if necessary.
Become superuser or assume an equivalent role.
Add the signed patch.
For example:
# patchadd /tmp/114861-01.jar |
You can use this procedure when you want to automatically download and add the signed Solaris patch in one step.
This procedure assumes that you have set up the package keystore.
Become superuser or assume an equivalent role.
Download and add the signed patch or patches from the SunOnline web site.
For example:
# patchadd "http://sunsolve.central.sun.com/cgi/patchDownload.pl?target= 114684&method=hs" . . . Downloading patch from ... + dwnld_file http://sunsolve.central.sun.com/cgi/patchDownload.pl?target= 114684&method=hs /tmp/patchadd-dwnld /var/sadm/security console patchadd ...........20%...........40%...........60%...........80%...........100% ## Downloading... ## Download Complete . . . Enter keystore password: xxx . . . |
Use this map to identify all the preparation tasks that are required before you can add signed patches to your system with the smpatch command.
Task |
Description |
For Instructions |
---|---|---|
1. Verify Solaris package requirements |
Verify that the required Solaris packages are installed on your system to support the patch tools. |
How to Verify Package Requirements for Signed Patch Tools (smpatch) |
2. Download and install a Solaris patch management tool |
Select a Solaris patch management tool based on your Solaris release. |
How to Download and Install the Solaris Patch Management Tools (smpatch) |
3. Import Sun certificates into the keystore |
Import and accept the Sun certificates that are used to verify a patch's signature. The SUNWcert package is automatically installed when you install the signed patches tool. Do not install the SUNWcert package separately if you have already installed a signed patches tool. | |
4. (Optional) Change the keystore password |
Change the password to keep the keystore secure. | |
5. Set up your patch environment |
Set up your system for adding signed patches. |
Keep the following key points in mind when using the Solaris patch management tools:
Make sure your systems are currently up-to-date with patches, including the appropriate kernel update patches, Java patches, and the recommended patch clusters.
You will have to manually import the Sun certificates used to verify a patch's signature after installing the Solaris patch management tools.
Solaris 2.6, 7, or 8 only – If you have previous versions of the PatchPro software on your system, the older versions will be upgraded when Solaris Patch Manager Base Version 1.0 is installed.
Install patches on a quiet system, preferably in single-user mode.
Signed patches are verified when they are downloaded with the smpatch download command.
However, on a Solaris 9 system, no patch signature validation message is displayed during the patch download, even if the patch signature is successfully verified. If the patch signature verification fails, then the patch is not downloaded to your system.
Solaris 9 only – The smpatch command prompts you for authentication information if you do not specify the authentication information in the smpatch command line.
For example, you can specify authentication information to the smpatch command using the following syntax:
# smpatch add -p mypassword -u root -- -i patch-ID |
Or, you can let the smpatch command prompt you for the authentication information. For example:
# /usr/sadm/bin/smpatch add -i patch-ID Authenticating as user: root Type /? for help, pressing <enter> accepts the default denoted by [ ] Please enter a string value for: password :: Loading Tool: com.sun.admin.patchmgr.cli.PatchMgrCli from starbug Login to starbug as user root was successful. Download of com.sun.admin.patchmgr.cli.PatchMgrCli from starbug was successful. |
Use the /opt/SUNWppro/bin/uninstallpatchpro script if you need to uninstall PatchPro 2.1. Do not attempt to remove PatchPro2.1 using this script if your current directory is /opt/SUNWppro/bin. Set your path as described in How to Set Up Your Patch Environment (smpatch) and then run the uninstallpatchpro script from the root (/) directory, for example.
Make sure that you have the required Solaris packages installed on your system before you install the signed patch tools. If you are running the Solaris 2.6, 7, or 8 release, you need a minimal system configuration plus some additional packages. If you are running the Solaris 9 release, you must have the Developer cluster (SUNWCprog) installed on your system to use the signed patch tools.
Identify your Solaris release and select one of the following:
If you are running the Solaris 2.6 release, identify whether the required packages are installed on your system:
# pkginfo | grep SUNWmfrun system SUNWmfrun Motif RunTime Kit # pkginfo | grep SUNWlibC system SUNWlibC Sun Workshop Compilers Bundled libC # pkginfo | grep SUNWxcu4 system SUNWxcu4 XCU4 Utilities |
If you are running the Solaris 7 or 8 releases, identify whether the required packages are installed on your system:
# pkginfo | grep SUNWmfrm system SUNWmfrun Motif RunTime Kit # pkginfo | grep SUNWlibC system SUNWlibC Sun Workshop Compilers Bundled libC |
If you are running the Solaris 9 release, verify that the required Developer cluster is installed on your system:
# cat /var/sadm/system/admin/CLUSTER CLUSTER=SUNWCprog |
If the pkginfo commands do not return any output, you need to install the required packages.
Follow the links and download the appropriate tar file for your Solaris release from the following location:
Select one of the following to unpack the patch tool package:
If you are running the Solaris 2.6 or 7 release, uncompress and unpack the package by using the following commands:
# uncompress SUNWpkg-name.tar.Z # tar xvf SUNWpkg-name.tar |
If you are running the Solaris 8 or 9 release, unpack the package by using the following command:
# gunzip -dc SUNWpkg-name.tar.gz | tar xvf - |
Run the install script.
# cd unzipped-pkg-dir # ./setup |
If there are errors while running the install script, see Troubleshooting Problems With Signed Patches (smpatch).
This example shows how to download and install the Solaris 2.6 patch management tools.
# uncompress pproSunOSsparc5.6jre2.1.tar.Z # tar xvf pproSunOSsparc5.6jre2.1.tar . . . # cd pproSunOSsparc5.6jre2.1 # ./setup . . . |
This example shows how to download and install the Solaris 9 patch management tools.
# gunzip -dc pproSunOSsparc5.9jre2.1.tar.gz | tar xvf - . . # cd pproSunOSsparc5.9jre2.1 # ./setup . . . |
Use the keytool command to import and verify the Sun certificates that are used to verify the signed patches you want to add to your system. You must do this task even if you imported the certificates from a previous installation.
The SUNWcert package is automatically installed when you install the signed patches tool. Do not install the SUNWcert package separately if you have already installed a signed patches tool.
Verify that you have completed the prerequisite task, which is to download one of the Solaris patch management tools.
Become superuser.
Determine the fingerprints of your Sun root certificate and Sun class B certificate.
# /usr/j2se/bin/keytool -printcert -file /etc/certs/SUNW/smirootcacert.b64 # /usr/j2se/bin/keytool -printcert -file /etc/certs/SUNW/smicacert.b64 |
Verify that the output of these commands matches the Sun root and class B certificate fingerprints displayed at:
https://www.sun.com/pki/ca/ |
Accept the Sun class B certificate by importing it into your system:
# /usr/j2se/bin/keytool -import -alias smicacert -file /etc/certs/SUNW/ smicacert.b64 -keystore /usr/j2se/jre/lib/security/cacerts Enter keystore password: changeit Owner: O=Sun Microsystems Inc, CN=Sun Microsystems Inc CA (Class B) Issuer: CN=Sun Microsystems Inc Root CA, O=Sun Microsystems Inc, C=US Serial number: 1000006 Valid from: Mon Nov 13 12:23:10 MST 2000 until: Fri Nov 13 12:23:10 ... Certificate fingerprints: MD5: B4:1F:E1:0D:80:7D:B1:AB:15:5C:78:CB:C8:8F:CE:37 SHA1: 1E:38:11:02:F0:5D:A3:27:5C:F9:6E:B1:1F:C4:79:95:E9:6E:D6:DF Trust this certificate? [no]: yes Certificate was added to keystore |
Accept the Sun root certificate by importing it into your system:
# /usr/j2se/bin/keytool -import -alias smirootcacert -file /etc/certs/SUNW/ smirootcacert.b64 -keystore /usr/j2se/jre/lib/security/cacerts Enter keystore password: changeit Owner: CN=Sun Microsystems Inc Root CA, O=Sun Microsystems Inc, C=US Issuer: CN=GTE CyberTrust Root, O=GTE Corporation, C=US Serial number: 200014a Valid from: Tue Nov 07 15:39:00 MST 2000 until: Thu Nov 07 16:59:00 ... Certificate fingerprints: MD5: D8:B6:68:D4:6B:04:B9:5A:EB:34:23:54:B8:F3:97:8C SHA1: BD:D9:0B:DA:AE:91:5F:33:C4:3D:10:E3:77:F0:45:09:4A:E8:A2:98 Trust this certificate? [no]: yes Certificate was added to keystore |
Accept the patch signing certificate by importing it into your system:
# /usr/j2se/bin/keytool -import -alias patchsigning -file /opt/SUNWppro/ etc/certs/patchsigningcert.b64 -keystore /usr/j2se/jre/lib/security/ cacerts Enter keystore password: changeit Owner: CN=Enterprise Services Patch Management, O=Sun Microsystems Inc Issuer: O=Sun Microsystems Inc, CN=Sun Microsystems Inc CA (Class B) Serial number: 1400007b Valid from: Mon Sep 24 14:38:53 MDT 2001 until: Sun Sep 24 14:38:53 ... Certificate fingerprints: MD5: 6F:63:51:C4:3D:92:C5:B9:A7:90:2F:FB:C0:68:66:16 SHA1: D0:8D:7B:2D:06:AF:1F:37:5C:0D:1B:A0:B3:CB:A0:2E:90:D6:45:0C Trust this certificate? [no]: yes Certificate was added to keystore |
Become superuser.
Change the keystore password.
# /usr/j2se/bin/keytool -keystore /usr/j2se/jre/lib/security/ cacerts Enter keystore password: changeit New keystore password: new-password Re-enter new keystore password: new-password |
Become superuser.
Add patch tool directories to your path.
# PATH=/usr/sadm/bin:/opt/SUNWppro/bin:$PATH # export PATH |
(Optional) Identify the hardware on your system so that you can use the smpatch analyze command to determine whether you need specific patches based on your hardware configuration.
# pprosetup -H Change Hardware Configuration. Analyzing this computer. .............. |
This command only identifies Sun's Network Storage products.
Identify the types of patches that you will be adding to the system.
# pprosetup -i standard:singleuser:rebootafter:reconfigafter |
This command establishes the default patch policy for your system.
(Optional) If you want to add contract signed patches to your system, do the following steps to define your SunSolve username and password.
Identify a proxy server so that the patch tool can download patches to your system.
If your system is behind a firewall, you need to define a proxy server that can access the patchpro.sun.com server and one of the following Sun patch servers that are used to download patches:
americas.patchmanager.sun.com (default)
emea.patchmanager.sun.com
japan.patchmanager.sun.com
Identify the selected proxy server by using the following command:
# pprosetup -x proxy-server:proxy-port |
For example, if you selected webaccess.corp.net.com as the proxy server, the pprosetup command would look like this:
# pprosetup -x webaccess.corp.net.com:8080 |
If you have completed all the signed patch preparation tasks, you can now add signed patches with the patch management tools.
Task |
Description |
For Instructions |
---|---|---|
1. Perform signed patches preparation tasks |
Perform all of the signed patches preparation tasks:
|
Preparation for Managing Signed Patches with smpatch Command (Task Map) |
2. Download and add a signed patch or patches |
Download and add a signed patch with the smpatch command. | |
3. (Optional) Remove a signed patch |
If necessary, remove an unsigned patch from your system. |
Make sure you have completed the preparation tasks before downloading and adding a signed patch to your system. For more information, see Preparation for Managing Signed Patches with smpatch Command (Task Map).
Become superuser.
Solaris 9 system only – Notify the Solaris Management Console server that the PatchPro packages were added to the system.
# /etc/init.d/init.wbem stop # /etc/init.d/init.wbem start |
Download a signed patch or patches from the SunSolve web site.
# smpatch download -i patch-ID Requested patches: patch-ID Downloading the requested patches /var/sadm/spool/patch-ID.jar has been validated. For downloaded patch(es) see /var/sadm/spool |
Add the signed patch.
# smpatch add -i patch-ID |
The following example shows how to download and add a signed patch with the smpatch command on a Solaris 9 system.
# /usr/sadm/bin/smpatch download -i 111711-01 Authenticating as user: root Type /? for help, pressing <enter> accepts the default denoted by [ ] Please enter a string value for: password :: xxx Loading Tool: com.sun.admin.patchmgr.cli.PatchMgrCli from starbug Login to starbug as user root was successful. Download of com.sun.admin.patchmgr.cli.PatchMgrCli from starbug was successful. Requested patches: 111711-01 Downloading the requested patches ... For downloaded patch(es) see /var/sadm/spool. # smpatch add -i 111711-01 Authenticating as user: root Type /? for help, pressing <enter> accepts the default denoted by [ ] Please enter a string value for: password :: xxx Loading Tool: com.sun.admin.patchmgr.cli.PatchMgrCli from starbug Login to starbug as user root was successful. Download of com.sun.admin.patchmgr.cli.PatchMgrCli from starbug was successful. On machine starbug ... Installing patch 111711-01 # |
The following example shows how to download and add patch 105081–45 with the smpatch command on a Solaris 2.6 system.
# smpatch download -i 105407-01 Requested patches: 105407-01 Downloading the requested patches /var/sadm/spool/105407-01.jar has been validated. For downloaded patch(es) see /var/sadm/spool # smpatch add -i 105407-01 On machine "earth/172.20.27.27" ... Installing patch 105407-01 ... Purging /var/sadm/spool/105407-01 /var/sadm/spool/README.txt has been moved to /var/sadm/spool/patchproSequester |
The following example shows how to download and add patch 107081–45 with the smpatch command on a Solaris 7 system. This patch has two patch dependencies, which are automatically downloaded and verified.
# smpatch download -i 107081-45 Requested patches: 107081-45 Downloading the requested patches The following patches were added due to patch dependencies: 108376-37 107656-09 /var/sadm/spool/108376-37.jar has been validated. /var/sadm/spool/107656-09.jar has been validated. /var/sadm/spool/107081-45.jar has been validated. For downloaded patch(es) see /var/sadm/spool # smpatch add -i 108376-37 -i 107656-09 -i 107081-45 On machine "venus/172.20.27.26" ... Installing patch 108376-37 ... Installing patch 107656-09 ... Installing patch 107081-45 ... Purging /var/sadm/spool/108376-37 Purging /var/sadm/spool/107656-09 Purging /var/sadm/spool/107081-45 |
The following example shows how to use the ftp command to get a signed Solaris 8 patch from the SunSolve Online web site and then use the smpatch add command to add the signed patch to the system.
# ftp sunsolve.sun.com Connected to sunsolve.sun.com. 220- 220-Welcome to the SunSolve Online FTP server. 220- 220-Public users may log in as anonymous. . . . Name (sunsolve.sun.com:root): anonymous 331 Guest login ok, send your complete e-mail address as password. Password: xxx 230- 230-SUN MICROSYSTEMS, INC. . . .230 Guest login ok, access restrictions apply. ftp> cd signed_patches 250 CWD command successful. ftp> get 112846-01.jar /var/sadm/spool/112846-01.jar 200 PORT command successful. 150 Opening ASCII mode data connection for 112846-01.jar (22524 bytes). 226 Transfer complete. local: /var/sadm/spool/112846-01 remote: 112846-01.jar 22613 bytes received in 0.065 seconds (341.70 Kbytes/s) ftp> quit # smpatch add -i 112846-01 On machine "earth/172.20.27.27" ... Installing patch 112846-01 ... Purging /var/sadm/spool/112846-01 |
Become superuser.
Remove the signed patch.
# smpatch remove -i patch-ID |
You cannot remove multiple patches in the same command.
The following example shows how to remove a signed patch on a system running the Solaris 9 release.
# /usr/sadm/bin/smpatch remove -- -i 111711-01 Authenticating as user: root Type /? for help, pressing <enter> accepts the default denoted by [ ] Please enter a string value for: password :: Loading Tool: com.sun.admin.patchmgr.cli.PatchMgrCli from starbug Login to starbug as user root was successful. Download of com.sun.admin.patchmgr.cli.PatchMgrCli from starbug was successful. On machine starbug ... Removing patch 111711-01 |
The following example shows how to remove a signed patch on a system running the Solaris 2.6 release.
# smpatch remove -i 105407-01 On machine "earth/172.20.27.27" ... Removing patch 105407-01 Checking installed patches... Backing out patch 105407-01... Patch 105407-01 has been backed out. |
For up-to-date information on troubleshooting signed patch problems or error messages, see http://sunsolve.Sun.COM/pub-cgi/show.pl?target=patches/spfaq.
Various log files on the system can identify problems with installing patch management tools or adding signed patches.
By default, PatchPro writes to the system log file. The syslog configuration file, /etc/syslog.conf, identifies where the system log file resides on the system. You can instruct PatchPro to write messages to a different file on the local file system by updating the patchpro.log.file property in the PatchPro configuration file, /opt/SUNWppro/etc/patchpro.conf.
For example, if you want PatchPro to write to the /var/tmp/patchpro.log file, assign /var/tmp/patchpro.log to the patchpro.log.file property.
Use the following table to determine which log file might contain information about a failed installation of a patch management tool or a signed patch.
Log File |
Description |
---|---|
/var/tmp/ppro_install_log.nnn |
Identifies the success or failure of the installation of PatchPro packages and patches. |
/var/tmp/log/patchpro.log |
Identifies problems when adding a signed patch with the various patch tools. |
/var/adm/messages |
Can identify problems when adding a signed patch with the various patch tools or when the patch tools did not initialize properly. |
Solaris Management Console 's Log Viewer on a Solaris 9 system |
Identifies the success or failure of adding a signed patch with the Solaris Management Console's Patches tool. |
A patch might not install successfully if it requires prerequisite patches or if a system reboot is required to install the patch. Patches that cannot be installed by PatchPro are sequestered in the /var/spool/pkg/patchproSequester directory.
Review the patch README file to find out if there are any prerequisite patches, which are listed in a section called REQUIRED PATCHES.
You can either view a copy of the patch README from the SunSolve Online Web site or extract the README file from the JAR archive. Do not expand the JAR archive to avoid any tampering with the digital signature. Use the following procedure to safely extract the patch README file.
You should also review the contents of the /var/tmp/log/patchpro.log file to find out why a patch did not install successfully.
Verify that a patch or patches were not installed by viewing the contents of the /var/spool/pkg/patchproSequester directory.
# cd /var/spool/pkg/patchproSequester; ls |
Extract the README file from the JAR archive:
View the README file.
For example:
# more 107058-01/README.107058-01 |
If a problem occurred during the PatchPro installation, you might just remove the certificates and import them again.
Become superuser.
Remove the previously imported certificates.
#/usr/j2se/bin/keytool -delete -alias smicacert -keystore /usr/j2se/jre/lib/security/cacerts Enter keystore password: changeit # /usr/j2se/bin/keytool -delete -alias smirootcacert -keystore /usr/j2se/jre/lib/security/cacerts Enter keystore password: changeit # /usr/j2se/bin/keytool -delete -alias patchsigning -keystore /usr/j2se/jre/lib/security/cacerts Enter keystore password: changeit |
Task |
Description |
For Instructions |
---|---|---|
1. (Optional) Display information about unsigned patches |
Display information about unsigned patches already installed on your system. | |
2. Download an unsigned patch |
Download an unsigned patch to your system. | |
3. Add an unsigned patch |
Add an unsigned patch to your system. | |
4. (Optional) Remove an unsigned patch |
If necessary, remove an unsigned patch from your system. |
Before installing patches, you might want to know more about patches that have previously been installed. The following table describes commands that provide useful information about patches that are already installed on a system.
Table 25–1 Commands for Solaris Patch Management
Command |
Description |
---|---|
patchadd -p, showrev -p |
Shows all patches that have been applied to a system. |
pkgparam pkgid PATCHLIST |
Shows all patches that have been applied to the package identified by pkgid, the name of the package. For example, SUNWadmap. |
patchadd -S Solaris-OS -p |
Shows all the /usr patches installed on an OS server. |
Use the patchadd -p command to display information about patches installed on your system.
$ patchadd -p |
Use the following command to verify whether a specific patch is installed on your system. For example:
$ patchadd -p | grep 111879 |
You can use the patchadd command to add unsigned patches to servers or standalone systems. If you need to add a patch to a diskless client system, see Patching Diskless Client OS Services.
When you add a patch, the patchadd command calls the pkgadd command to install the patch packages from the patch directory to a local system's disk. More specifically, the patchadd command:
Determines the Solaris version number of the managing host and the target host
Updates the patch package's pkginfo file with information about patches obsoleted by the patch being installed, other patches required by this patch, and patches incompatible with this patch
During patch installation, the patchadd command keeps a log of the patch installation in the /var/sadm/patch/patch-ID/log file for current Solaris versions.
The patchadd command will not install a patch under the following conditions:
The package is not fully installed on the host.
The patch packages architecture differs from the system's architecture.
The patch packages version does not match the installed package's version.
A patch with the same base code and a higher version number is already installed.
The patch is incompatible with another, already installed patch. Each installed patch keeps this information in its pkginfo file.
The patch being installed requires another patch that is not installed
(Optional) Log in to the system where the patch will be applied.
Or, you can download the patch and use the ftp command to copy the patch to the target system.
Open a web browser and go to the SunSolve Online web site:
http://sunsolve.Sun.COM/pub-cgi/show.pl?target=patches/patch-access |
Determine if you are going to download a specific patch or patch cluster. Then select one of the following:
Type the patch number (patch-ID) in the “Find Patch” search field. Then, click on Find Patch.
Entering patch-ID downloads the latest patch revision.
If this patch is freely available, the patch README is displayed. If this patch is not freely available, an ACCESS DENIED message is displayed.
There are different patch numbers for SPARC and x86 systems, which are listed in the displayed patch README. Make sure you install the patch that matches your system architecture.
Click on a recommended patch cluster based on the Solaris release running on the system to be patched.
Click the Download Patch (n bytes) HTTP or FTP button.
After the patch or patches are downloaded successfully, close the web browser.
Change to the directory that contains the downloaded patch package, if necessary.
Unzip the patch package.
% unzip patch-ID-revision |
Become superuser.
Add the patch or patches.
# patchadd patch-ID-revision |
Verify that the patch was added successfully.
# patchadd -p | grep patch-ID-revision |
In the following example, the Solaris 8 patch, 111879–01, is added to the system. The patch had already been downloaded to the system previously.
# patchadd /export/Sol8patch/111879-01 Checking installed patches... Verifying sufficient filesystem capacity (dry run method)... Installing patch packages... Patch number 111879-01 has been successfully installed. See /var/sadm/patch/111879-01/log for details Patch packages installed: SUNWwsr # patchadd -p | grep 111879-01 Patch: 111879-01 Obsoletes: Requires: Incompatibles: Packages: SUNWwsr |
When you back out a patch, the patchrm command restores all files modified by that patch, unless:
The patch was installed with the patchadd -d option, which instructs patchadd to not save copies of files being updated or replaced.
The patch has been obsoleted by a later patch.
The patch is required by another patch.
The patchrm command calls the pkgadd command to restore packages that were saved from the initial patch installation.
During the patch removal process, patchrm keeps a log of the back out process in /tmp/backoutlog.process_id. This log file is removed if the patch backs out successfully.
Use the patchrm command if you need to remove an unsigned Solaris patch.
Become superuser.
Remove the patch.
# patchrm patch-ID-revision |
Verify that the patch was removed.
# patchadd -p | grep patch-ID-revision |
The following example shows how to remove the Solaris 8 patch, 111879–01.
# patchrm 111879-01 Checking installed patches... Backing out patch 111879-01... Patch 111874-02 has been backed out. # showrev -p | grep 111879-01 # |