This appendix provides step-by-step instructions for managing signed patches by using Java technology-based tools (Java tools) or Netscape technology-based tools (Netscape tools), instead of the Solaris patch management tools. See these sections:
For information about signed patches, see Chapter 1, Managing Signed Patches (Overview).
For information about how to manage signed patches with Solaris patch management tools, see Chapter 1, Managing Signed Patches (Overview) and Chapter 2, Managing Signed Patches by Using Solaris Patch Management Tools (Tasks).
You can manage signed patches with either Java or Netscape security tools. You need the Java 1.3 version to verify signed patches. Java 1.3 is available from http://java.sun.com.
Perform these tasks in the order shown.
| Task | Description | For Instructions |
|---|---|---|
| 1. Download and install the SUNWcert package. | Download and install the SUNWcert package. For a list of download sites, see Sun Certificates That Verify Signed Patches. | |
| 2. Import the Sun certificates. | Use the keytool command to import and accept the Sun certificates from the SUNWcert package. | |
| 3. (Optional) Change the keystore password. | Change the password to keep the keystore secure. | |
| 4. Verify a signed patch. | Download a patch from SunSolve Online, and use the jarsigner command to verify the patch. | |
| 5. Apply the verified signed patch. | Use the patchadd command to apply the verified signed patch. | |
This procedure assumes that the SUNWcert package is located in the /tmp directory.
Download the SUNWcert package from the following site:
https://sunsolve.sun.com/SUNWcert
For a list of additional sites, see Sun Certificates That Verify Signed Patches.
Become superuser.
Install the SUNWcert package.
```
# cd /tmp
# unzip SUNWcert.zip
# pkgadd -d .
```
Verify that the SUNWcert package is installed.
```
# pkginfo -l SUNWcert
```
Verify the signed patches that you want to install against the authenticated Sun certificates.
Become superuser.
Determine the fingerprints of your Sun Root certificate and Sun Class B certificate.
For example, on a Solaris 8 system:
```
# /usr/java1.3/bin/keytool -printcert \
-file /etc/certs/SUNW/smirootcacert.b64
# /usr/java1.3/bin/keytool -printcert -file /etc/certs/SUNW/smicacert.b64
```
Verify that the fingerprints printed by these commands match the Sun Root and Class B certificate fingerprints displayed at this site:
https://www.sun.com/pki/ca
Change to the /etc/certs/SUNW directory.
```
# cd /etc/certs/SUNW
```
Import the Class B certificate.
For example, on a Solaris 8 system, type:
```
# /usr/java1.3/bin/keytool -import -alias smicacert \
-file smicacert.b64 -keystore /usr/java1.3/jre/lib/security/cacerts
Enter keystore password: changeit
Owner: O=Sun Microsystems Inc, CN=Sun Microsystems Inc CA (Class B)
Issuer: CN=Sun Microsystems Inc Root CA, O=Sun Microsystems Inc, C=US
Serial number: 1000006
Valid from: Mon Nov 13 12:23:10 MST 2000 until: Fri Nov 13 12:23:10 MST 2009
Certificate fingerprints:
MD5: B4:1F:E1:0D:80:7D:B1:AB:15:5C:78:CB:C8:8F:CE:37
SHA1: 1E:38:11:02:F0:5D:A3:27:5C:F9:6E:B1:1F:C4:79:95:E9:6E:D6:DF
Trust this certificate? [no]: yes
Certificate was added to keystore
```
Import the root certificate.
```
# /usr/java1.3/bin/keytool -import -alias smirootcacert \
-file smirootcacert.b64 -keystore /usr/java1.3/jre/lib/security/cacerts
Enter keystore password: changeit
Owner: CN=Sun Microsystems Inc Root CA, O=Sun Microsystems Inc, C=US
Issuer: CN=GTE CyberTrust Root, O=GTE Corporation, C=US
Serial number: 40002ae
Valid from: Wed Oct 16 09:45:00 MDT 2002 until: Sat Oct 16 17:59:00 MDT 2004
Certificate fingerprints:
MD5: 54:E3:D1:E4:79:B4:17:23:65:B4:F9:14:AD:C6:4A:FE
SHA1: 90:F1:AB:87:AE:A0:4C:1F:AF:43:60:DE:5D:A8:0E:D8:CE:E7:06:AE
Trust this certificate? [no]: yes
Certificate was added to keystore
```
Become superuser.
Change the keystore password.
```
# /usr/java1.3/bin/keytool -storepasswd \
-keystore /usr/java1.3/jre/lib/security/cacerts
Enter keystore password: changeit
New keystore password: new-password
Re-enter new keystore password: new-password
```
Verify that the following prerequisites are met:
You have installed the SUNWcert package.
For more information, see How to Download the SUNWcert Package.
You have imported the appropriate Sun PKI certificates.
For more information, see How to Import the Sun Certificates With Java Tools.
You are logged in as superuser.
Download a signed patch from the SunSolve Online site.
Verify the signed patch, for example:
```
# /usr/java1.3/bin/jarsigner -verify -verbose -keystore /usr/java1.3/jre/lib/security/cacerts /patchdb/100103-12.jar

smk      2149 Tue Sep 25 15:47:20 MDT 2001 100103-12/README
smk     18553 Tue Sep 25 15:47:20 MDT 2001 100103-12/4.1secure.sh
          385 Tue Sep 25 15:47:20 MDT 2001 META-INF/manifest.mf
          493 Tue Sep 25 15:47:20 MDT 2001 META-INF/zigbert.sf
         3819 Tue Sep 25 15:47:20 MDT 2001 META-INF/zigbert.rsa

  s = signature was verified
  m = entry is listed in manifest
  k = at least one certificate was found in keystore
  i = at least one certificate was found in identity scope

jar verified.
#
```
Make sure that every patch file entry (here 100103-12/README and 100103-12/4.1secure.sh) is marked smk in the output; that is what confirms the signature was verified against a certificate in your keystore. Otherwise, the patch verification has failed, even if you see the jar verified message.
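The smk check above can be automated. The following POSIX shell function is an added example, not code from the Sun documentation: it reads jarsigner -verify -verbose output from stdin and accepts the patch only when the jar verified line is present and every entry outside META-INF/ carries all of the s, m and k flags. The two sample outputs are constructed for the example, not captured from a real run.

```shell
#!/bin/sh
# Added example, not from the Sun documentation: accept a patch only when
# "jarsigner -verify -verbose" reports "jar verified." AND every entry outside
# META-INF/ carries the s, m and k flags. A missing k means the signer's
# certificate was not found in the keystore, even though jarsigner still
# prints "jar verified." in that case.
# check_jarsigner_output reads jarsigner output on stdin; exit 0 = trusted.
check_jarsigner_output() {
  awk '
    /^jar verified\.$/ { verified = 1; next }
    $2 == "="          { next }   # legend lines such as "s = signature was verified"
    NF < 7             { next }   # blank lines and other text
    # Entry lines: [flags] size day mon dd hh:mm:ss tz yyyy path.
    # Unsigned entries have no flags, so their first field is the size.
    $1 ~ /^[0-9]+$/ {
      if ($NF !~ /^META-INF\//) { bad++; print "unsigned entry: " $NF }
      next
    }
    $1 ~ /^[smki]+$/ {
      if ($1 !~ /s/ || $1 !~ /m/ || $1 !~ /k/) {
        bad++; print "not verified against keystore (" $1 "): " $NF
      }
      next
    }
    END {
      if (!verified) print "missing \"jar verified.\" line"
      if (verified && !bad) exit 0
      exit 1
    }
  '
}

# Constructed sample outputs (not captured from a real jarsigner run).
GOOD_OUTPUT='smk      2149 Tue Sep 25 15:47:20 MDT 2001 100103-12/README
smk     18553 Tue Sep 25 15:47:20 MDT 2001 100103-12/4.1secure.sh
          385 Tue Sep 25 15:47:20 MDT 2001 META-INF/manifest.mf

  s = signature was verified
  m = entry is listed in manifest
  k = at least one certificate was found in keystore

jar verified.'
# Signer certificate absent from the keystore: flags are "sm" only.
UNTRUSTED_OUTPUT='sm       2149 Tue Sep 25 15:47:20 MDT 2001 100103-12/README
          385 Tue Sep 25 15:47:20 MDT 2001 META-INF/manifest.mf
jar verified.'

printf '%s\n' "$GOOD_OUTPUT" | check_jarsigner_output && echo "sample 1: trusted"
printf '%s\n' "$UNTRUSTED_OUTPUT" | check_jarsigner_output || echo "sample 2: rejected"
```

In practice, pipe the real command into the function: /usr/java1.3/bin/jarsigner -verify -verbose -keystore /usr/java1.3/jre/lib/security/cacerts patch.jar | check_jarsigner_output, and only run patchadd when it exits 0.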
Become superuser.
Unzip the patch bundle, for example:
```
# unzip 100103-12.jar
Archive:  100103-12.jar
  inflating: 100103-12/README
  inflating: 100103-12/4.1secure.sh
  inflating: META-INF/manifest.mf
  inflating: META-INF/zigbert.sf
  inflating: META-INF/zigbert.rsa
#
```
Apply the verified uncompressed signed patch, for example:
```
# patchadd /patchdb/100103-12
```
Perform these tasks in the order shown.
| Task | Description | For Instructions |
|---|---|---|
| 1. Download the Netscape signtool command. | Download the Netscape signtool command to verify signed patches. | |
| 2. Import the Sun certificates. | Import and accept the Sun certificates into the Netscape 4.7 keystore. Import and accept the Sun certificates into the Netscape 6 keystore. | |
| 3. Certify the Sun certificates. | Certify the Sun certificates by using Netscape 4.7 tools. Certify the Sun certificates by using Netscape 6 tools. | |
| 4. Create or change the keystore password. | Create or change a password to keep the keystore secure. | How to Create or Change a Keystore Password With Netscape Tools |
| 5. Verify a signed patch. | Download a patch from SunSolve Online, and verify it with the signtool command. | |
| 6. Apply the verified signed patch. | Use the patchadd command to apply the verified signed patch. | |
Go to the following site:
http://developer.netscape.com/software/signedobj/jarpack.html#signtool1.3
Download signtool 1.3 by clicking SignTool 1.3 for Solaris 2.6 (SunOS 5.6).
As superuser, uncompress the signtool13SunOS56.tar.gz package.
```
# gunzip signtool13SunOS56.tar.gz
```
Untar the signtool13SunOS56.tar file.
```
# tar xvf signtool13SunOS56.tar
```
The following procedure removes the existing GTE CyberTrust Root CA before importing the Sun certificates into your certificate store. You will add the GTE CyberTrust Root CA back when you import the chain of Sun certificates into your certificate store.
Use this procedure with Netscape Communicator 4.7.
If necessary, start Netscape Communicator.
Access the Security Info page in one of the following ways:
Click the Security button on your Netscape browser (the small lock in the lower left corner).
Click the Security button in the Navigator toolbar.
From the Communicator menu, choose Tools->Security Info.
Select Signers under Certificates on the Security Info pop-up window.
Select GTE CyberTrust Root CA, and click the Delete button.
Click OK in the Delete pop-up window.
Click OK in the Signers window.
Import the Sun certificates into Netscape Communicator.
Go to the following site to import the Sun certificates:
https://ra.sun.com:11005
Select the Retrieval tab at the top of the page.
Select Import CA Certificate Chain in the left panel, and if it is not already selected, click the radio button next to Import the CA Certificate Chain Into Your Browser.
Click Submit.
Click Next on the pop-up windows that lead you through the import process until you get to a panel that has three checkboxes for accepting the certificate for network sites, email users, and software developers.
Check all three boxes, then click Next.
Continue clicking Next until you get to a panel with a Name text field.
Type GTE CyberTrust Root CA in the Name text field.
Click Finish.
Verify that the certificates have been successfully imported.
Access the Netscape Security Info page in one of the following ways:
Click the Security button on your Netscape browser (the small lock in the lower left corner).
Click the Security button in the Navigator toolbar.
From the Communicator menu, choose Tools->Security Info.
Select Signers under Certificates on the Security Info pop-up window.
Scroll down until you see the GTE CyberTrust Root entry, and the SunPKI certificates: Sun Microsystems Inc CA (Class B) - Sun Microsystems Inc and Sun Microsystems Inc Root CA - GTE Corporation entries.
You can verify that the Sun certificates are imported by viewing the Sun Microsystems certificates in the output of this command:
```
# signtool -L
```
Go to the next procedure to certify the Sun certificates that you just imported.
This procedure describes how to uncertify the GTE CyberTrust Root certificate and certify the Sun Microsystems Inc. CA (Class B) certificate.
Verify that you have already completed the import procedure.
See How to Import the Sun Certificates With Netscape 4.7 Tools.
If necessary, access the Netscape Communicator Security Info window.
Select Signers under Certificates on the Security Info pop-up window.
Select GTE CyberTrust Root and click Edit.
Deselect the three Accept boxes and click OK.
Select Sun Microsystems Inc. CA (Class B), and click the three Accept boxes.
Click OK.
Select Sun Microsystems Inc. Root CA, and click the three Accept boxes.
This means that you are restricting your certification of signed objects to only those signed by Sun Microsystems, Inc.
Click OK.
Click OK in the Signers window.
Create a keystore password.
See How to Create or Change a Keystore Password With Netscape Tools.
If necessary, start Netscape Communicator 6.
Import the Sun certificates into Netscape Communicator.
Go to the following site to import the Sun certificates:
https://ra.sun.com:11005
Select the Retrieval tab at the top of the page.
Select Import CA Certificate Chain in the left panel, and if it is not already selected, click the radio button next to Import the CA Certificate Chain Into Your Browser.
Click Submit.
Click the three checkboxes regarding accepting the certificate for web sites, email users, and software developers for the Sun Microsystems Inc CA (Class B) certificate on the Downloading Certificate pop-up window.
Click OK.
Verify that the certificates have been successfully imported.
Access the Netscape Edit->Preferences->Privacy and Security->Certificates window.
Click Manage Certificates in the middle of the window.
Click the Authorities tab to display the list of certificate authorities.
Scroll through the list of certificates and verify that you see these entries: GTE Corporation - GTE CyberTrust Root, Sun Microsystems Inc Root CA, and Sun Microsystems Inc - Sun Microsystems Inc CA (Class B).
Go to the next procedure to certify the Sun certificates that you just imported.
Verify that you have already completed the import procedure.
See How to Import the Sun Certificates With Netscape 6 Tools.
If necessary, access the Netscape Communicator Edit->Preferences->Privacy and Security->Certificates window.
Click Manage Certificates.
Click the Authorities tab.
Select GTE Corporation - GTE CyberTrust Root in the scrolling pane and click Edit.
Verify that the three Accept boxes are deselected and click OK.
Select the Sun Microsystems Inc - Sun Microsystems Inc CA (Class B) entry and click Edit.
Verify that the three Accept boxes are selected and click OK.
This means that you are restricting your certification of signed objects to only those signed by Sun Microsystems Inc CA (Class B).
You can verify that the Sun certificates are imported by viewing the Sun Microsystems certificates in the output of this command:
```
# signtool -L
```
Go to the next procedure to create a keystore password.
This procedure might vary slightly depending on whether you are using Netscape 4 or Netscape 6.
Verify that you have completed the following procedures:
If necessary, access the Netscape Communicator Security Info window.
Click Passwords in the left panel.
Set or change the keystore password.
Click the Set Password button in the main panel, and follow the steps to set the keystore password.
Click the Change Password button in the main panel if you need to change the keystore password.
Select or change one of the following password policies:
The first time your certificate is needed
Every time your certificate is needed
After (30) minutes of inactivity
Click OK.
Verify that the following prerequisites are met:
You have downloaded the Netscape signtool program.
For more information, see How to Download the Netscape signtool Command.
You have imported the appropriate Sun certificates.
For more information, see How to Import the Sun Certificates With Netscape 4.7 Tools.
You are logged in as superuser.
Download a signed patch from the following location:
http://sunsolve.Sun.COM/pub-cgi/show.pl?target=patches/patch-access
Verify a signed patch, for example:
```
# signtool -v /patchdb/100103-12.jar
using certificate directory: /.netscape
archive "/patchdb/100103-12.jar" has passed crypto verification.

           status   path
     ------------   -------------------
         verified   100103-12/README
         verified   100103-12/4.1secure.sh
#
```
If the patch verification fails, you will see a message similar to this:
```
archive DID NOT PASS crypto verification
```
Become superuser.
Unzip the patch bundle, for example:
```
# unzip 100103-12.jar
Archive:  100103-12.jar
  inflating: 100103-12/README
  inflating: 100103-12/4.1secure.sh
  inflating: META-INF/manifest.mf
  inflating: META-INF/zigbert.sf
  inflating: META-INF/zigbert.rsa
#
```
Apply the verified uncompressed signed patch, for example:
```
# patchadd /patchdb/100103-12
```
This section describes how to troubleshoot problems using signed patches with Netscape tools.
If you need to verify a signed patch, use the following command:
```
# signtool -v patch-ID.jar
```
| Problem or Error Message | Explanation | Solution |
|---|---|---|
| Cannot import Sun certificate chain from https://ra.sun.com:11005 to the Netscape cert database | Self-explanatory. | Make sure that the GTE CyberTrust Root CA was deleted before importing the certificate chain. For more information, see How to Import the Sun Certificates With Netscape 4.7 Tools. |
| signtool: No certificate database in keystore-location signtool: Check the -d arguments that you gave | Either the certificate is not in the keystore, the keystore is not accessible, or the arguments are incorrect. | Make sure that the argument is correct and that the keystore is accessible. Use Netscape->Security->Signers to check if all three CAs are present: GTE CyberTrust Root CA, Sun Microsystems Inc CA (Class B) - Sun Microsystems Inc, Sun Microsystems Inc Root CA - GTE Corporation. If the certificates are not in the Netscape keystore, import the certificate chain from https://ra.sun.com:11005. |
| Cannot install signed patches | It is possible that signed patches cannot be installed due to lack of space. | Make sure that there is enough disk space. |