test

System Administration Guide: Basic Administration

Adding Signed Patches With patchadd Command (Task Map)

Task 

Description 

For Instructions 

1. Set up the package keystore 

Import Sun's Root CA certificate into your package keystore. 

How to Import a Trusted Certificate into Your Package Keystore (pkgadm addcert)

(Optional) Set up a proxy server 

Specify a proxy server if your system is behind a firewall with a proxy.  

How to Set Up a Proxy Server (patchadd)

2. Download and add the signed patch 

Select one of the following to download and add the signed patch to your system with the patchadd command.

 

 

You can manually download and add a signed Solaris patch. 

How to Manually Download and Add a Signed Solaris Patch (patchadd)

 

You can automatically download and add a signed Solaris patch. 

How to Automatically Download and Add a Signed Solaris Patch (patchadd)

How to Import a Trusted Certificate into Your Package Keystore (pkgadm addcert)

To add signed patches to your system with the patchadd command, you will need to add Sun's Root CA certificate, at the very least, to verify the signature on your signed patch. You can import this certificate from the Java keystore into the package keystore.

  1. Become superuser or assume an equivalent role.

  2. Export the Root CA certificate from the Java keystore into a temporary file.

    For example:


    # keytool -export -storepass changeit -alias gtecybertrustca -keystore 
gtecybertrustca -keystore /usr/j2se/jre/lib/security/cacerts -file 
/tmp/root.crt
Certificate stored in file </tmp/root.crt>

    -export

    Exports the trusted certificate. 

    -storepass storepass

    Specifies the password that protects the integrity of the Java keystore. 

    -alias gtecybertrustca

    Identifies the alias of the trusted certificate. 

    -keystore certfile

    Specifies the name and location of the keystore file. 

    -file filename

    Identifies the file to hold the exported certificate. 

  3. Import the Root CA certificate into the package keystore from the temporary file.

    For example:


    # pkgadm addcert -t -f der /tmp/root.crt
Enter Keystore Password: storepass
      Keystore Alias: GTE CyberTrust Root
         Common Name: GTE CyberTrust Root
    Certificate Type: Trusted Certificate
  Issuer Common Name: GTE CyberTrust Root
      Validity Dates: <Feb 23 23:01:00 1996 GMT>-<Feb 23 23:59:00 ... 
     MD5 Fingerprint: C4:D7:F0:B2:A3:C5:7D:61:67:F0:04:CD:43:D3:BA:58
    SHA1 Fingerprint: 90:DE:DE:9E:4C:4E:9F:6F:D8:86:17:57:9D:D3:91...

Are you sure you want to trust this certificate? yes
Trusting certificate <GTE CyberTrust Root>
Type a Keystore protection Password.
Press ENTER for no protection password (not recommended): 
For Verification: Type a Keystore protection Password.
Press ENTER for no protection password (not recommended): 
Certificate(s) from </tmp/root.crt> are now trusted

    -t

    Indicates that the certificate is a trusted CA certificate. The command output includes the details of the certificate, which the user is asked to verify. 

    -f format

    Specifies the format of the certificates or private key. When importing a certificate, it must be encoded using either the PEM (pem) or binary DER (der) format.

    certfile

    Specifies the file that contains the certificate. 

  4. Display the certificate information.

    For example:


    # pkgadm listcert -P pass:storepass
    Keystore Alias: GTE CyberTrust Root
       Common Name: GTE CyberTrust Root
  Certificate Type: Trusted Certificate
Issuer Common Name: GTE CyberTrust Root
    Validity Dates: <Feb 23 23:01:00 1996 GMT>-<Feb 23 23:59:00 2006 GMT>
   MD5 Fingerprint: C4:D7:F0:B2:A3:C5:7D:61:67:F0:04:CD:43:D3:BA:58
  SHA1 Fingerprint: 90:DE:DE:9E:4C:4E:9F:6F:D8:86:17:57:9D:D3:91:
BC:65:A6:89:64

  5. Remove the temporary file.

    For example:


    # rm /tmp/root.crt

How to Set Up a Proxy Server (patchadd)

If your system is behind a firewall with a proxy, you will need to set up a proxy server before you can add a package from an HTTP server with the patchadd command.

  1. Become superuser or assume an equivalent role.

  2. Select one of the following methods to specify a proxy server.

    1. Specify the proxy server by using the http_proxy, HTTPPROXY, or HTTPPROXYPORT environment variable.

      For example:


      # setenv http_proxy http://mycache.domain:8080

      Or, specify one of the following:


      # setenv HTTPPROXY mycache.domain
# setenv HTTPPROXYPORT 8080

    2. Specify the proxy server on the patchadd command line.

      For example:


      # patchadd -x mycache.domain:8080 -M http://www.sun.com/solaris/patches/latest 101223-02
102323-02

How to Manually Download and Add a Signed Solaris Patch (patchadd)

You can use this procedure when you want to manually download the signed Solaris patch, and then add the signed Solaris patch in a separate step.

This procedure assumes that you have set up the package keystore.

  1. (Optional) Log in to the system where the patch will be applied.

    Or, you can download the patch and use the ftp command to copy the patch to the target system.

  2. Open a web browser and go to the SunSolve Online Web site:


    http://sunsolve.Sun.COM/pub-cgi/show.pl?target=patches/patch-access

  3. Determine if you are going to download a specific patch or patch cluster. Then select one of the following:

    1. Type the patch number (patch-ID) in the “Find Patch” search field. Then, click on Find Patch.

      Entering patch-ID downloads the latest patch revision.

      If this patch is freely available, the patch README is displayed. If this patch is not freely available, an ACCESS DENIED message is displayed.

      There are different patch numbers for SPARC and x86 systems, which are listed in the displayed patch README. Make sure you install the patch that matches your system architecture.

    2. Click on a recommended patch cluster based on the Solaris release running on the system to be patched.

  4. Click the Download Signed Patch (n bytes) HTTPS or FTP button.

    After the signed patch or patches are downloaded successfully, close the web browser.

  5. Change to the directory that contains the downloaded patch package, if necessary.

  6. Become superuser or assume an equivalent role.

  7. Add the signed patch.

    For example:


    # patchadd /tmp/114861-01.jar

How to Automatically Download and Add a Signed Solaris Patch (patchadd)

You can use this procedure when you want to automatically download and add a signed Solaris patch in one step.

This procedure assumes that you have set up the package keystore.

  1. Become superuser or assume an equivalent role.

  2. Identify the HTTP URL for the patch you want to download.

    1. Open a web browser and go to the SunSolve Online web site:


      http://sunsolve.Sun.COM/pub-cgi/show.pl?target=patches/patch-access

    2. Enter the patch number you wish to download.

      For example:


      114861-01 Find Patch

    3. Place your mouse over the HTTPS link at the top of the patch page in hover mode.

      The URL for the patch is displayed in the browser status line at the bottom of the screen.

  3. Download and add the signed patch or patches from the SunSolve Online web site.

    For example:


    # patchadd "http://sunsolve.central.sun.com/cgi/patchDownload.pl?target=
114684&method=hs"
.
.
.
Downloading patch from ...
+ dwnld_file http://sunsolve.central.sun.com/cgi/patchDownload.pl?target=
114684&method=hs /tmp/patchadd-dwnld /var/sadm/security  console patchadd
...........20%...........40%...........60%...........80%...........100%
## Downloading...
## Download Complete
.
.
.
Enter keystore password: xxx
.
.
.