Chapter 25 Managing Solaris Patches (Tasks)

This chapter provides step-by-step instructions for managing patches in the Solaris environment.

This is a list of the task maps in this chapter.

• Managing Patches in the Solaris Environment (Road Map)

• Adding Signed Patches With patchadd Command (Task Map)

• Managing Unsigned Solaris Patches (Task Map)

For overview information about managing patches in the Solaris environment, see Chapter 24, Managing Solaris Patches (Overview).

Step-by-step instructions for using the smpatch command with PatchPro has been removed from this guide. For information about using the smpatch command with PatchPro, see Signed Patches Administration Guide for PatchPro 2.2.

Managing Patches in the Solaris Environment (Road Map)

Use this map to identify all the tasks for managing patches in the Solaris environment. Each task points to a series of additional tasks such as managing signed or unsigned patches.

Selecting Signed or Unsigned Patches for Your Environment

The key factor in determining when to add signed or unsigned patches is whether or not the secure download of patches is important in your environment. If the secure download of patches is important in your environment, then add signed patches to your system.

Adding Signed Patches With patchadd Command (Task Map)

How to Import a Trusted Certificate into Your Package Keystore (pkgadm addcert)

To add signed patches to your system with the patchadd command, you will need to add Sun's Root CA certificate, at the very least, to verify the signature on your signed patch. You can import this certificate from the Java keystore into the package keystore.

1. Become superuser or assume an equivalent role.

2. Export the Root CA certificate from the Java keystore into a temporary file.

   For example:

   # keytool -export -storepass changeit -alias gtecybertrustca -keystore gtecybertrustca -keystore /usr/j2se/jre/lib/security/cacerts -file /tmp/root.crt Certificate stored in file </tmp/root.crt>

   -export	Exports the trusted certificate.
   -storepass storepass	Specifies the password that protects the integrity of the Java keystore.
   -alias gtecybertrustca	Identifies the alias of the trusted certificate.
   -keystore certfile	Specifies the name and location of the keystore file.
   -file filename	Identifies the file to hold the exported certificate.

3. Import the Root CA certificate into the package keystore from the temporary file.

   For example:

   # pkgadm addcert -t -f der /tmp/root.crt Enter Keystore Password: storepass Keystore Alias: GTE CyberTrust Root Common Name: GTE CyberTrust Root Certificate Type: Trusted Certificate Issuer Common Name: GTE CyberTrust Root Validity Dates: <Feb 23 23:01:00 1996 GMT>-<Feb 23 23:59:00 ... MD5 Fingerprint: C4:D7:F0:B2:A3:C5:7D:61:67:F0:04:CD:43:D3:BA:58 SHA1 Fingerprint: 90:DE:DE:9E:4C:4E:9F:6F:D8:86:17:57:9D:D3:91... Are you sure you want to trust this certificate? yes Trusting certificate <GTE CyberTrust Root> Type a Keystore protection Password. Press ENTER for no protection password (not recommended): For Verification: Type a Keystore protection Password. Press ENTER for no protection password (not recommended): Certificate(s) from </tmp/root.crt> are now trusted

   -t	Indicates that the certificate is a trusted CA certificate. The command output includes the details of the certificate, which the user is asked to verify.
   -f format	Specifies the format of the certificates or private key. When importing a certificate, it must be encoded using either the PEM (pem) or binary DER (der) format.
   certfile	Specifies the file that contains the certificate.

4. Display the certificate information.

   For example:

   # pkgadm listcert -P pass:storepass Keystore Alias: GTE CyberTrust Root Common Name: GTE CyberTrust Root Certificate Type: Trusted Certificate Issuer Common Name: GTE CyberTrust Root Validity Dates: <Feb 23 23:01:00 1996 GMT>-<Feb 23 23:59:00 2006 GMT> MD5 Fingerprint: C4:D7:F0:B2:A3:C5:7D:61:67:F0:04:CD:43:D3:BA:58 SHA1 Fingerprint: 90:DE:DE:9E:4C:4E:9F:6F:D8:86:17:57:9D:D3:91: BC:65:A6:89:64

5. Remove the temporary file.

   For example:

   # rm /tmp/root.crt

How to Set Up a Proxy Server (patchadd)

If your system is behind a firewall with a proxy, you will need to set up a proxy server before you can add a package from an HTTP server with the patchadd command.

1. Become superuser or assume an equivalent role.

2. Select one of the following methods to specify a proxy server.

   1. Specify the proxy server by using the http_proxy, HTTPPROXY, or HTTPPROXYPORT environment variable.

      For example:

      # setenv http_proxy http://mycache.domain:8080

      Or, specify one of the following:

      # setenv HTTPPROXY mycache.domain # setenv HTTPPROXYPORT 8080

   2. Specify the proxy server on the patchadd command line.

      For example:

      # patchadd -x mycache.domain:8080 -M http://www.sun.com/solaris/patches/latest 101223-02 102323-02

How to Manually Download and Add a Signed Solaris Patch (patchadd)

You can use this procedure when you want to manually download the signed Solaris patch, and then add the signed Solaris patch in a separate step.

This procedure assumes that you have set up the package keystore.

1. (Optional) Log in to the system where the patch will be applied.

   Or, you can download the patch and use the ftp command to copy the patch to the target system.

2. Open a web browser and go to the SunSolve Online Web site:

   http://sunsolve.Sun.COM/pub-cgi/show.pl?target=patches/patch-access

3. Determine if you are going to download a specific patch or patch cluster. Then select one of the following:

   1. Type the patch number (patch-ID) in the “Find Patch” search field. Then, click on Find Patch.

      Entering patch-ID downloads the latest patch revision.

      If this patch is freely available, the patch README is displayed. If this patch is not freely available, an ACCESS DENIED message is displayed.

      There are different patch numbers for SPARC and x86 systems, which are listed in the displayed patch README. Make sure you install the patch that matches your system architecture.

   2. Click on a recommended patch cluster based on the Solaris release running on the system to be patched.

4. Click the Download Signed Patch (n bytes) HTTPS or FTP button.

   After the signed patch or patches are downloaded successfully, close the web browser.

5. Change to the directory that contains the downloaded patch package, if necessary.

6. Become superuser or assume an equivalent role.

7. Add the signed patch.

   For example:

   # patchadd /tmp/114861-01.jar

How to Automatically Download and Add a Signed Solaris Patch (patchadd)

You can use this procedure when you want to automatically download and add a signed Solaris patch in one step.

This procedure assumes that you have set up the package keystore.

1. Become superuser or assume an equivalent role.

2. Identify the HTTP URL for the patch you want to download.

   1. Open a web browser and go to the SunSolve Online web site:

      http://sunsolve.Sun.COM/pub-cgi/show.pl?target=patches/patch-access

   2. Enter the patch number you wish to download.

      For example:

      114861-01 Find Patch

   3. Place your mouse over the HTTPS link at the top of the patch page in hover mode.

      The URL for the patch is displayed in the browser status line at the bottom of the screen.

3. Download and add the signed patch or patches from the SunSolve Online web site.

   For example:

   # patchadd "http://sunsolve.central.sun.com/cgi/patchDownload.pl?target= 114684&method=hs" . . . Downloading patch from ... + dwnld_file http://sunsolve.central.sun.com/cgi/patchDownload.pl?target= 114684&method=hs /tmp/patchadd-dwnld /var/sadm/security console patchadd ...........20%...........40%...........60%...........80%...........100% ## Downloading... ## Download Complete . . . Enter keystore password: xxx . . .

Managing Unsigned Solaris Patches (Task Map)

Displaying Information About Unsigned Solaris Patches

Before installing patches, you might want to know more about patches that have previously been installed. The following table describes commands that provide useful information about patches that are already installed on a system.

How to Display Information About Solaris Patches

Use the patchadd -p command to display information about patches installed on your system.

$ patchadd -p

Use the following command to verify whether a specific patch is installed on your system. For example:

$ patchadd -p | grep 111879

Adding an Unsigned Solaris Patch

You can use the following tools to add unsigned patches to servers or standalone systems:

• patchadd

• smpatch

• Solaris Management Console's Patch Manager

If you need to add a patch to a diskless client system, see Patching Diskless Client OS Services.

When you add a patch, the patch tools call the pkgadd command to install the patch packages from the patch directory to a local system's disk. More specifically, the patch tools do the following:

• Determine the Solaris version number of the managing host and the target host

• Update the patch package's pkginfo file with information about patches obsoleted by the patch being installed, other patches required by this patch, and patches incompatible with this patch

During patch installation, the patchadd command keeps a log of the patch installation in the /var/sadm/patch/patch-ID/log file for current Solaris versions.

The patchadd command will not install a patch under the following conditions:

• The package is not fully installed on the host.

• The patch packages architecture differs from the system's architecture.

• The patch packages version does not match the installed package's version.

• A patch with the same base code and a higher version number is already installed.

• The patch is incompatible with another, already installed patch. Each installed patch keeps this information in its pkginfo file.

• The patch being installed requires another patch that is not installed.

When you add or remove patches with the smpatch command, the command prompts you for authentication information if you do not specify the information in the command line.

You can specify authentication information to the smpatch command using the following syntax:

# smpatch add -p mypassword -u root -- -i patch-ID-revision

The smpatch subcommands, such as add or remove, are separated from the authentication options and arguments by --.

Or, you can let the smpatch command prompt you for the authentication information.

# /usr/sadm/bin/smpatch add -i patch-ID-revision
Type /? for help, pressing <enter> accepts the default denoted by [ ]
Please enter a string value for: password :: 
Loading Tool: com.sun.admin.patchmgr.cli.PatchMgrCli from holoship
Login to holoship as user root was successful.
Download of com.sun.admin.patchmgr.cli.PatchMgrCli from holoship was 
successful.

How to Download an Unsigned Solaris Patch

1. (Optional) Log in to the system where the patch will be applied.

   Or, you can download the patch and use the ftp command to copy the patch to the target system.

2. Open a web browser and go to the SunSolve Online web site:

   http://sunsolve.Sun.COM/pub-cgi/show.pl?target=patches/patch-access

3. Determine if you are going to download a specific patch or patch cluster. Then, select one of the following:

   1. Type the patch number (patch-ID) in the “Find Patch” search field. Then, click on Find Patch.

      Entering patch-ID downloads the latest patch revision.

      If this patch is freely available, the patch README is displayed. If this patch is not freely available, an ACCESS DENIED message is displayed.

      There are different patch numbers for SPARC and x86 systems, which are listed in the displayed patch README. Make sure you install the patch that matches your system architecture.

   2. Click on a recommended patch cluster based on the Solaris release running on the system to be patched.

4. Click the Download Patch (n bytes) HTTP or FTP button.

   After the patch or patches are downloaded successfully, close the web browser.

5. Change to the directory that contains the downloaded patch package, if necessary.

6. Unzip the patch package.

   % unzip patch-ID-revision

How to Add a Unsigned Solaris Patch (patchadd)

This procedure assumes that the patch has already been downloaded and unzipped.

1. Become superuser.

2. Add the patch or patches.

   # patchadd patch-ID-revision

3. Verify that the patch was added successfully.

   # patchadd -p | grep patch-ID-revision

Example—Adding an Unsigned Solaris Patch

In the following example, the Solaris 8 patch, 111879–01, is added to the system with the patchadd command. The patch had already been downloaded to the system previously and unzipped.

# patchadd /export/Sol8patch/111879-01

Checking installed patches...
Verifying sufficient filesystem capacity (dry run method)...
Installing patch packages...

Patch number 111879-01 has been successfully installed.
See /var/sadm/patch/111879-01/log for details

Patch packages installed:
  SUNWwsr
# patchadd -p | grep 111879-01
Patch: 111879-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWwsr

How to Add a Unsigned Solaris Patch (smpatch)

Use this procedure on a system that runs the Solaris 9 release.

This procedure assumes that the patch is has already been downloaded to the /var/sadm/spool directory and is unzipped.

1. Become superuser.

2. Add the patch or patches.

   # /usr/sadm/bin/smpatch add patch-ID-revision

   For example:

   # /usr/sadm/bin/smpatch add -i 115028-01 Authenticating as user: root Type /? for help, pressing <enter> accepts the default denoted by [ ] Please enter a string value for: password :: Loading Tool: com.sun.admin.patchmgr.cli.PatchMgrCli from holoship Login to holoship as user root was successful. Download of com.sun.admin.patchmgr.cli.PatchMgrCli from holoship was successful. Patch 115028-01, or a patch required by patch 115028-01, requires a system reboot after installation. Perform a reconfiguration reboot immediately after the installation. On machine holoship ... Installing patch 115028-01

3. Check smpatch messages for instructions to reboot the system.

   Reboot the system if you are instructed to reboot.

   # init 6

4. Verify that the patch was added successfully.

   # patchadd -p | grep patch-ID-revision

Removing an Unsigned Solaris Patch

When you back out a patch, the patch tools restore all files modified by that patch, unless any of the following are true:

• The patch was installed with the patchadd -d option, which instructs patchadd to not save copies of files being updated or replaced.

• The patch has been obsoleted by a later patch.

• The patch is required by another patch.

The patch tools call the pkgadd command to restore packages that were saved from the initial patch installation.

During the patch removal process, the patchrm command keeps a log of the back out process in /tmp/backoutlog.process_id. This log file is removed if the patch backs out successfully.

How to Remove an Unsigned Solaris Patch

You can use the smpatch command, the patchrm command, or Solaris Management Console's Patch Manager if you need to remove an unsigned Solaris patch.

1. Become superuser.

2. Remove the patch.

   # patchrm patch-ID-revision

   Or,

   # /usr/sadm/bin/smpatch remove patch-ID-revision

3. Verify that the patch was removed.

   # patchadd -p | grep patch-ID-revision

Examples—Removing an Unsigned Solaris Patch

The following example shows how to remove the Solaris 8 patch, 111879–01 with the patchrm command.

# patchrm 111879-01

Checking installed patches...

Backing out patch 111879-01...

Patch 111874-02 has been backed out.

# showrev -p | grep 111879-01
#

The following example shows how to remove a Solaris 9 patch with the smpatch remove command.

# /usr/sadm/bin/smpatch remove -i 115028-01
Authenticating as user: root
.
.
.