Signed Patches Administration Guide for PatchPro 2.2

Appendix A Managing Signed Patches Without Solaris Patch Management Tools (Tasks)

This appendix provides step-by-step instructions for managing signed patches by using Java technology-based tools (Java tools) or Netscape technology-based tools (Netscape tools), instead of the Solaris patch management tools. See these sections:

For background on signed patches, see Chapter 1, Managing Signed Patches (Overview).

For how to manage signed patches with the Solaris patch management tools instead, see Chapter 2, Managing Signed Patches by Using Solaris Patch Management Tools (Tasks).

Managing Signed Patches by Using Java or Netscape Tools

You can manage signed patches with either Java or Netscape security tools. You need Java 1.3 to verify signed patches with the Java tools. Java 1.3 is available from http://java.sun.com.

Managing Signed Patches by Using Java Tools (Task Map)

Perform these tasks in the order shown.

Task 1: Download and install the SUNWcert package.
Description: Download and install the SUNWcert package. For a list of download sites, see Sun Certificates That Verify Signed Patches.
For instructions: How to Download the SUNWcert Package

Task 2: Import the Sun certificates.
Description: Use the keytool command to import and accept the Sun certificates from the SUNWcert package.
For instructions: How to Import the Sun Certificates With Java Tools

Task 3: (Optional) Change the keystore password.
Description: Change the password to keep the keystore secure.
For instructions: How to Change the Java Keystore Password

Task 4: Verify a signed patch.
Description: Download a patch from SunSolve Online, and use the jarsigner command to verify the patch.
For instructions: How to Verify a Signed Patch (jarsigner)

Task 5: Apply the verified signed patch.
Description: Use the patchadd command to apply the verified signed patch.
For instructions: How to Apply the Verified Signed Patch

How to Download the SUNWcert Package

This procedure assumes that the SUNWcert package is located in the /tmp directory.

  1. Download the SUNWcert package from the following site:

    https://sunsolve.sun.com/SUNWcert

    For a list of additional sites, see Sun Certificates That Verify Signed Patches.

  2. Become superuser.

  3. Install the SUNWcert package. If other packages are also present in /tmp, name SUNWcert as the final argument to pkgadd so that only this package is installed.


    # cd /tmp
    # unzip SUNWcert.zip
    # pkgadd -d .
    
  4. Verify that the SUNWcert package is installed.


    # pkginfo -l SUNWcert
    

How to Import the Sun Certificates With Java Tools

This procedure checks the fingerprints of the Sun certificates installed by the SUNWcert package against the values that Sun publishes, and then imports the certificates into the Java keystore so that jarsigner can verify signed patches against them. The keystore used here, /usr/java1.3/jre/lib/security/cacerts, ships with the default password changeit, which is publicly known; change it after the import (see How to Change the Java Keystore Password).

  1. Become superuser.

  2. Determine the fingerprints of your Sun Root certificate and Sun Class B certificate.

    For example, on a Solaris 8 system:


    # /usr/java1.3/bin/keytool -printcert \
    -file /etc/certs/SUNW/smirootcacert.b64
    # /usr/java1.3/bin/keytool -printcert -file /etc/certs/SUNW/smicacert.b64
    
  3. Verify that the fingerprints printed by these commands match the Sun Root and Class B certificate fingerprints displayed at the following site. Compare the full SHA1 fingerprint character by character; do not import a certificate whose fingerprint does not match.


    https://www.sun.com/pki/ca
    
  4. Change to the /etc/certs/SUNW directory.


    # cd /etc/certs/SUNW
    
  5. Import the Class B certificate.

    For example, on a Solaris 8 system, type:


    # /usr/java1.3/bin/keytool -import -alias smicacert \
    -file smicacert.b64 -keystore /usr/java1.3/jre/lib/security/cacerts
    Enter keystore password:  changeit
    Owner: O=Sun Microsystems Inc, CN=Sun Microsystems Inc CA (Class B)
    Issuer: CN=Sun Microsystems Inc Root CA, O=Sun Microsystems Inc, C=US
    Serial number: 1000006
    Valid from: Mon Nov 13 12:23:10 MST 2000 until: Fri Nov 13 12:23:10 MST 2009
    Certificate fingerprints:
             MD5:  B4:1F:E1:0D:80:7D:B1:AB:15:5C:78:CB:C8:8F:CE:37
             SHA1: 1E:38:11:02:F0:5D:A3:27:5C:F9:6E:B1:1F:C4:79:95:E9:6E:D6:DF
    Trust this certificate? [no]:  yes
    Certificate was added to keystore
  6. Import the root certificate.


    # /usr/java1.3/bin/keytool -import -alias smirootcacert \
    -file smirootcacert.b64 -keystore /usr/java1.3/jre/lib/security/cacerts
    Enter keystore password:  changeit
    Owner: CN=Sun Microsystems Inc Root CA, O=Sun Microsystems Inc, C=US
    Issuer: CN=GTE CyberTrust Root, O=GTE Corporation, C=US
    Serial number: 40002ae
    Valid from: Wed Oct 16 09:45:00 MDT 2002 until: Sat Oct 16 17:59:00 MDT 2004
    Certificate fingerprints:
             MD5:  54:E3:D1:E4:79:B4:17:23:65:B4:F9:14:AD:C6:4A:FE
             SHA1: 90:F1:AB:87:AE:A0:4C:1F:AF:43:60:DE:5D:A8:0E:D8:CE:E7:06:AE
    Trust this certificate? [no]:  yes
    Certificate was added to keystore

How to Change the Java Keystore Password

  1. Become superuser.

  2. Change the keystore password.


    # /usr/java1.3/bin/keytool -storepasswd \
    -keystore /usr/java1.3/jre/lib/security/cacerts
    Enter keystore password:  changeit
    New keystore password:  new-password
    Re-enter new keystore password:  new-password
    

How to Verify a Signed Patch (jarsigner)

  1. Verify that the following prerequisites are met: the SUNWcert package is installed, and the Sun certificates are imported into the Java keystore as described in the preceding procedures.

  2. Download a signed patch from the SunSolve Online site.

  3. Verify the signed patch, for example:


    # /usr/java1.3/bin/jarsigner -verify -verbose \
    -keystore /usr/java1.3/jre/lib/security/cacerts /patchdb/100103-12.jar
    smk     2149 Tue Sep 25 15:47:20 MDT 2001 100103-12/README
    smk    18553 Tue Sep 25 15:47:20 MDT 2001 100103-12/4.1secure.sh
             385 Tue Sep 25 15:47:20 MDT 2001 META-INF/manifest.mf
             493 Tue Sep 25 15:47:20 MDT 2001 META-INF/zigbert.sf
            3819 Tue Sep 25 15:47:20 MDT 2001 META-INF/zigbert.rsa
    
      s = signature was verified 
      m = entry is listed in manifest
      k = at least one certificate was found in keystore
      i = at least one certificate was found in identity scope
    
    jar verified.
    # 

    Make sure that every patch file (each entry outside META-INF/) is marked smk. The s and m flags show only that the entry is signed and listed in the manifest; k shows that the signer's certificate was found in the keystore you passed with -keystore, that is, that the signature chains to the Sun certificates you imported. jarsigner prints "jar verified." whenever the signatures it finds are internally consistent, so an entry marked sm rather than smk, or a patch file with no flags at all, means that the verification has failed even though that message appears. Do not apply such a patch.
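
    The following script, an added example that is not part of the PatchPro guide, turns two of the manual checks above into functions: check_cert_fingerprint pins the SHA1 fingerprint printed by keytool -printcert (import procedure, steps 2 and 3) to a value you obtained out of band, and check_jarsigner_output applies the rule just stated to jarsigner -verify -verbose output, accepting the patch only when "jar verified." appears and every entry outside META-INF/ carries s, m and k. The verify_signed_patch wrapper uses the guide's Solaris 8 Java paths; the sample outputs embedded at the end are constructed from the listings on this page.

```shell
#!/bin/sh
# Added example, not part of the PatchPro guide.  Two checks scripted from the
# manual steps above: check_cert_fingerprint pins the SHA1 fingerprint that
# `keytool -printcert` reports to a value obtained out of band, and
# check_jarsigner_output accepts `jarsigner -verify -verbose` output only if
# "jar verified." appears AND every entry outside META-INF/ carries s, m and k.
# The sample outputs at the end are constructed from this guide's listings.

# Compare the SHA1 fingerprint in keytool -printcert output (stdin) with the
# pinned value in $1.  Colons and letter case are ignored.
check_cert_fingerprint() {
    expected=$(printf '%s' "$1" | tr -d ':' | tr 'a-f' 'A-F')
    actual=$(awk '$1 == "SHA1:" { print $2; exit }' | tr -d ':' | tr 'a-f' 'A-F')
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Read jarsigner -verify -verbose output from stdin; exit 0 only if the
# "jar verified." line is present and every payload entry is flagged smk.
# Entries under META-INF/ (manifest and signature block) never carry flags.
check_jarsigner_output() {
    awk '
    /^jar verified\.$/ { verified = 1; next }
    # An entry line: optional flags, size, timestamp, path.
    /^ *[smki]* +[0-9]+ +[A-Z][a-z][a-z] [A-Z][a-z][a-z] +[0-9]+ / {
        path = $NF
        if (path ~ /^META-INF\//) next
        flags = ($1 ~ /^[0-9]+$/) ? "" : $1   # unflagged lines start with the size
        total++
        if (flags !~ /s/ || flags !~ /m/ || flags !~ /k/) {
            bad++
            printf "REJECT %s (flags \"%s\", need smk)\n", path, flags
        }
        next
    }
    END {
        if (!verified) { print "REJECT: no \"jar verified.\" line"; exit 1 }
        if (total == 0) { print "REJECT: no payload entries listed"; exit 1 }
        if (bad > 0) exit 1
    }'
}

# Live use: the command from the procedure, piped into the checker.  The Java
# paths are the guide's Solaris 8 locations; adjust them for your system.
verify_signed_patch() {
    /usr/java1.3/bin/jarsigner -verify -verbose \
        -keystore /usr/java1.3/jre/lib/security/cacerts "$1" | check_jarsigner_output
}

# ---- constructed samples, modelled on the listings in this guide ----
KEYTOOL_CLASSB='Owner: O=Sun Microsystems Inc, CN=Sun Microsystems Inc CA (Class B)
Issuer: CN=Sun Microsystems Inc Root CA, O=Sun Microsystems Inc, C=US
Certificate fingerprints:
         MD5:  B4:1F:E1:0D:80:7D:B1:AB:15:5C:78:CB:C8:8F:CE:37
         SHA1: 1E:38:11:02:F0:5D:A3:27:5C:F9:6E:B1:1F:C4:79:95:E9:6E:D6:DF'

JARSIGNER_GOOD='smk     2149 Tue Sep 25 15:47:20 MDT 2001 100103-12/README
smk    18553 Tue Sep 25 15:47:20 MDT 2001 100103-12/4.1secure.sh
         385 Tue Sep 25 15:47:20 MDT 2001 META-INF/manifest.mf
         493 Tue Sep 25 15:47:20 MDT 2001 META-INF/zigbert.sf
        3819 Tue Sep 25 15:47:20 MDT 2001 META-INF/zigbert.rsa

  s = signature was verified
  m = entry is listed in manifest
  k = at least one certificate was found in keystore

jar verified.'

# Signed, but the signer does not chain to a keystore certificate: sm, no k.
JARSIGNER_UNTRUSTED='sm      2149 Tue Sep 25 15:47:20 MDT 2001 100103-12/README
sm     18553 Tue Sep 25 15:47:20 MDT 2001 100103-12/4.1secure.sh
         385 Tue Sep 25 15:47:20 MDT 2001 META-INF/manifest.mf

jar verified.'

# A payload file with no flags at all, as for a file added after signing.
JARSIGNER_UNSIGNED_ENTRY='smk     2149 Tue Sep 25 15:47:20 MDT 2001 100103-12/README
        1201 Tue Sep 25 15:47:20 MDT 2001 100103-12/postinstall
         385 Tue Sep 25 15:47:20 MDT 2001 META-INF/manifest.mf

jar verified.'

# Exercise the checker on the samples.
for sample in JARSIGNER_GOOD JARSIGNER_UNTRUSTED JARSIGNER_UNSIGNED_ENTRY; do
    eval "out=\$$sample"
    if printf '%s\n' "$out" | check_jarsigner_output; then
        echo "$sample: ACCEPT"
    else
        echo "$sample: REJECT"
    fi
done
```

    Run the script with sh. The embedded samples exercise the checker without a patch in hand; verify_signed_patch shows how to pipe a live jarsigner run through the same logic, and its exit status can gate the patchadd step that follows.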

How to Apply the Verified Signed Patch

  1. Become superuser.

  2. Unzip the patch bundle in the directory that holds it (/patchdb in this example). Unzip the same file that you verified; if you copy or download the bundle again, verify it again before unzipping. For example:


    # unzip 100103-12.jar
    Archive:  100103-12.jar
           inflating: 100103-12/README        
           inflating: 100103-12/4.1secure.sh  
           inflating: META-INF/manifest.mf    
           inflating: META-INF/zigbert.sf     
           inflating: META-INF/zigbert.rsa    
    #
  3. Apply the verified uncompressed signed patch, for example:


    # patchadd /patchdb/100103-12
    

Managing Signed Patches by Using Netscape Tools (Task Map)

Perform these tasks in the order shown.

Task 1: Download the Netscape signtool command.
Description: Download the Netscape signtool command to verify signed patches.
For instructions: How to Download the Netscape signtool Command

Task 2: Import the Sun certificates.
Description: Import and accept the Sun certificates into the Netscape 4.7 keystore, or into the Netscape 6 keystore.
For instructions: How to Import the Sun Certificates With Netscape 4.7 Tools, or How to Import the Sun Certificates With Netscape 6 Tools

Task 3: Certify the Sun certificates.
Description: Certify the Sun certificates by using Netscape 4.7 tools, or by using Netscape 6 tools.
For instructions: How to Certify the Sun Certificates With Netscape 4.7 Tools, or How to Certify the Sun Certificates With Netscape 6 Tools

Task 4: Create or change the keystore password.
Description: Create or change a password to keep the keystore secure.
For instructions: How to Create or Change a Keystore Password With Netscape Tools

Task 5: Verify a signed patch.
Description: Download a patch from SunSolve Online, and verify it with the signtool command.
For instructions: How to Verify a Signed Patch (signtool)

Task 6: Apply the verified signed patch.
Description: Use the patchadd command to apply the verified signed patch.
For instructions: How to Apply a Verified Signed Patch

How to Download the Netscape signtool Command

  1. Go to the following site:


    http://developer.netscape.com/software/signedobj/jarpack.html#signtool1.3
    
  2. Download signtool 1.3 by clicking SignTool 1.3 for Solaris 2.6 (SunOS 5.6).

  3. As superuser, uncompress the signtool13SunOS56.tar.gz package.


    # gunzip signtool13SunOS56.tar.gz
    
  4. Untar the signtool13SunOS56.tar file.


    # tar xvf signtool13SunOS56.tar
    

How to Import the Sun Certificates With Netscape 4.7 Tools

The following procedure removes the existing GTE CyberTrust Root CA before importing the Sun certificates into your certificate store. You will add the GTE CyberTrust Root CA back when you import the chain of Sun certificates into your certificate store.

Use this procedure with Netscape Communicator 4.7.

  1. If necessary, start Netscape Communicator.

  2. Access the Security Info page in one of the following ways:

    • Click the Security button on your Netscape browser (the small lock in the lower left corner).

    • Click the Security button in the Navigator toolbar.

    • From the Communicator menu, choose Tools->Security Info.

  3. Select Signers under Certificates on the Security Info pop-up window.

  4. Select GTE CyberTrust Root CA, and click the Delete button.

  5. Click OK in the Delete pop-up window.

  6. Click OK in the Signers window.

  7. Import the Sun certificates into Netscape Communicator.

    1. Go to the following site to import the Sun certificates:


      https://ra.sun.com:11005
      
    2. Select the Retrieval tab at the top of the page.

    3. Select Import CA Certificate Chain in the left panel, and if it is not already selected, click the radio button next to Import the CA Certificate Chain Into Your Browser.

    4. Click Submit.

    5. Click Next on the pop-up windows that lead you through the import process until you get to a panel that has three checkboxes for accepting the certificate for network sites, email users, and software developers.

    6. Check all three boxes, then click Next.

    7. Continue clicking Next until you get to a panel with a Name text field.

    8. Type GTE CyberTrust Root CA in the Name text field.

    9. Click Finish.

  8. Verify that the certificates have been successfully imported.

    1. Access the Netscape Security Info page in one of the following ways:

      • Click the Security button on your Netscape browser (the small lock in the lower left corner).

      • Click the Security button in the Navigator toolbar.

      • From the Communicator menu, choose Tools->Security Info.

    2. Select Signers under Certificates on the Security Info pop-up window.

    3. Scroll down until you see the GTE CyberTrust Root entry, and the SunPKI certificates: Sun Microsystems Inc CA (Class B) - Sun Microsystems Inc and Sun Microsystems Inc Root CA - GTE Corporation entries.

  9. You can also confirm that the Sun certificates are present by listing the certificate database with the following command. signtool reads the database from the Netscape profile of the user who runs it, so run it as the user who performed the import, or name that profile directory with the -d option:


    # signtool -L
    
  10. Go to the next procedure to certify the Sun certificates that you just imported.

How to Certify the Sun Certificates With Netscape 4.7 Tools

This procedure describes how to remove certification from the GTE CyberTrust Root certificate and how to certify the Sun Microsystems Inc CA (Class B) and Sun Microsystems Inc Root CA certificates, so that only objects signed under the Sun certificates are accepted.

  1. Verify that you have already completed the import procedure.

    See How to Import the Sun Certificates With Netscape 4.7 Tools.

  2. If necessary, access the Netscape Communicator Security Info window.

  3. Select Signers under Certificates on the Security Info pop-up window.

  4. Select GTE CyberTrust Root and click Edit.

  5. Deselect the three Accept boxes and click OK.

  6. Select Sun Microsystems Inc. CA (Class B), and click the three Accept boxes.

  7. Click OK.

  8. Select Sun Microsystems Inc. Root CA, and click the three Accept boxes.

    This means that you are restricting your certification of signed objects to only those signed by Sun Microsystems, Inc.

  9. Click OK.

  10. Click OK in the Signers window.

  11. Create a keystore password.

    See How to Create or Change a Keystore Password With Netscape Tools.

How to Import the Sun Certificates With Netscape 6 Tools

  1. If necessary, start Netscape Communicator 6.

  2. Import the Sun certificates into Netscape Communicator.

    1. Go to the following site to import the Sun certificates:


      https://ra.sun.com:11005
      
    2. Select the Retrieval tab at the top of the page.

    3. Select Import CA Certificate Chain in the left panel, and if it is not already selected, click the radio button next to Import the CA Certificate Chain Into Your Browser.

    4. Click Submit.

    5. Click the three checkboxes regarding accepting the certificate for web sites, email users, and software developers for the Sun Microsystems Inc CA (Class B) certificate on the Downloading Certificate pop-up window.

    6. Click OK.

  3. Verify that the certificates have been successfully imported.

    1. Access the Netscape Edit->Preferences->Privacy and Security->Certificates window.

    2. Click Manage Certificates in the middle of the window.

    3. Click the Authorities tab to display the list of certificate authorities.

    4. Scroll through the list of certificates and verify that you see these entries: GTE Corporation - GTE CyberTrust Root, Sun Microsystems Inc Root CA, and Sun Microsystems Inc - Sun Microsystems Inc CA (Class B).

  4. Go to the next procedure to certify the Sun certificates that you just imported.

How to Certify the Sun Certificates With Netscape 6 Tools

  1. Verify that you have already completed the import procedure.

    See How to Import the Sun Certificates With Netscape 6 Tools.

  2. If necessary, access the Netscape Communicator Edit->Preferences->Privacy and Security->Certificates window.

  3. Click Manage Certificates.

  4. Click the Authorities tab.

  5. Select GTE Corporation - GTE CyberTrust Root in the scrolling pane and click Edit.

  6. Verify that the three Accept boxes are deselected and click OK.

  7. Select the Sun Microsystems Inc - Sun Microsystems Inc CA (Class B) entry and click Edit.

  8. Verify that the three Accept boxes are selected and click OK.

    This means that you are restricting your certification of signed objects to only those signed by Sun Microsystems Inc CA (Class B).

  9. You can also confirm that the Sun certificates are present by listing the certificate database with the following command. signtool reads the database from the Netscape profile of the user who runs it, so run it as the user who performed the import, or name that profile directory with the -d option:


    # signtool -L
    
  10. Go to the next procedure to create a keystore password.

How to Create or Change a Keystore Password With Netscape Tools

This procedure might vary slightly depending on whether you are using Netscape 4 or Netscape 6.

  1. Verify that you have completed the import and certify procedures for your version of Netscape.

  2. If necessary, access the Netscape Communicator Security Info window.

  3. Click Passwords in the left panel.

  4. Set or change the keystore password.

    • Click the Set Password button in the main panel, and follow the steps to set the keystore password.

    • Click the Change Password button in the main panel if you need to change the keystore password.

  5. Select or change the policy for when Netscape asks for the keystore password:

    • The first time your certificate is needed

    • Every time your certificate is needed

    • After (30) minutes of inactivity

  6. Click OK.

How to Verify a Signed Patch (signtool)

  1. Verify that the following prerequisites are met: the signtool command is installed, and the Sun certificates are imported and certified in your Netscape certificate store, as described in the preceding procedures.

  2. Download a signed patch from the following location:


    http://sunsolve.Sun.COM/pub-cgi/show.pl?target=patches/patch-access
    
  3. Verify the signed patch. signtool reads its certificate database from the Netscape profile of the user who runs it (/.netscape for root, as the output below shows); if the Sun certificates were imported under another user's profile, name that profile directory with the -d option. For example:


    # signtool -v /patchdb/100103-12.jar
    using certificate directory: /.netscape
    archive "/patchdb/100103-12.jar" has passed crypto verification.
    
              status   path
        ------------   -------------------
            verified   100103-12/README
            verified   100103-12/4.1secure.sh
    #

    If the patch verification fails, you will see a message similar to this:


    archive DID NOT PASS crypto verification
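
    The following script, an added example that is not part of the PatchPro guide, adds a check the procedure above does not make: it reads the status table that signtool -v prints and compares it with the member list of the archive, so that a payload file present in the archive but not reported as verified is rejected before patchadd runs. It assumes unzip -Z1 for the member list and treats any member outside META-INF/ that signtool does not list as verified as unverified, whatever signtool itself would print for such a file; the -d usage follows the troubleshooting note on the -d argument, and the sample output and member lists at the end are constructed from the listings on this page.

```shell
#!/bin/sh
# Added example, not part of the PatchPro guide.  Cross-checks the status
# table printed by `signtool -v` against the members actually present in the
# patch archive, so that a payload file the signature does not cover is caught
# before patchadd runs.  Assumptions not stated in the guide: the member list
# comes from `unzip -Z1`, and a member outside META-INF/ that signtool does not
# report as "verified" is treated as unverified, whatever signtool itself would
# print for it.  The sample data at the end is constructed.

# Read signtool -v output from stdin.  Print each path whose status is
# "verified"; exit 1 unless the archive "has passed crypto verification".
signtool_verified_paths() {
    awk '
    /has passed crypto verification\.$/ { passed = 1; next }
    /DID NOT PASS crypto verification/  { failed = 1; next }
    NF == 2 && $1 == "verified"         { print $2; next }
    END { if (failed || !passed) exit 1 }'
}

# $1: archive member list (one path per line), $2: file of verified paths.
# Print each payload member missing from the verified list; exit 1 if any.
unverified_members() {
    awk '
    FILENAME == ARGV[1] { ok[$0] = 1; next }   # first file: verified paths
    /^META-INF\//       { next }               # manifest and signature files
    /\/$/               { next }               # directory entries
    !($0 in ok)         { print; bad++ }
    END { if (bad > 0) exit 1 }' "$2" "$1"
}

# Live use (not exercised by the samples).  $2 is the Netscape profile
# directory holding the certificate database; /.netscape is what the
# procedure shows for root.
check_signed_patch() {
    jar=$1; certdir=${2:-$HOME/.netscape}
    tmp=$(mktemp -d) || return 1
    if ! signtool -d "$certdir" -v "$jar" | signtool_verified_paths > "$tmp/verified"; then
        echo "REJECT: $jar did not pass crypto verification"; rm -rf "$tmp"; return 1
    fi
    unzip -Z1 "$jar" > "$tmp/members" || { rm -rf "$tmp"; return 1; }
    if unverified_members "$tmp/members" "$tmp/verified"; then
        echo "OK: every payload file in $jar is covered by the verified signature"
        rm -rf "$tmp"; return 0
    fi
    echo "REJECT: the files listed above are in $jar but not covered by the signature"
    rm -rf "$tmp"; return 1
}

# ---- constructed samples, modelled on this guide's listings ----
SIGNTOOL_GOOD='using certificate directory: /.netscape
archive "/patchdb/100103-12.jar" has passed crypto verification.

          status   path
    ------------   -------------------
        verified   100103-12/README
        verified   100103-12/4.1secure.sh'

SIGNTOOL_BAD='using certificate directory: /.netscape
archive DID NOT PASS crypto verification'

MEMBERS_CLEAN='100103-12/
100103-12/README
100103-12/4.1secure.sh
META-INF/manifest.mf
META-INF/zigbert.sf
META-INF/zigbert.rsa'

# Same archive with one extra payload file that the signature does not cover.
MEMBERS_EXTRA="$MEMBERS_CLEAN
100103-12/postinstall"

# Exercise the checks on the samples.
work=$(mktemp -d)
printf '%s\n' "$SIGNTOOL_GOOD" | signtool_verified_paths > "$work/verified"
printf '%s\n' "$MEMBERS_CLEAN" > "$work/clean"
printf '%s\n' "$MEMBERS_EXTRA" > "$work/extra"
unverified_members "$work/clean" "$work/verified" && echo "clean archive: ACCEPT"
unverified_members "$work/extra" "$work/verified" || echo "extra file: REJECT"
rm -rf "$work"
```

    Run the script with sh. With the samples, the clean archive is accepted and the archive carrying 100103-12/postinstall is rejected with that path printed; check_signed_patch applies the same two functions to a real bundle and exits non-zero whenever either check fails, so it can gate the unzip and patchadd steps in the next procedure.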

How to Apply a Verified Signed Patch

  1. Become superuser.

  2. Unzip the patch bundle in the directory that holds it (/patchdb in this example). Unzip the same file that you verified; if you copy or download the bundle again, verify it again before unzipping. For example:


    # unzip 100103-12.jar
    Archive:  100103-12.jar
      inflating: 100103-12/README        
      inflating: 100103-12/4.1secure.sh  
      inflating: META-INF/manifest.mf    
      inflating: META-INF/zigbert.sf     
      inflating: META-INF/zigbert.rsa    
    #
  3. Apply the verified uncompressed signed patch, for example:


    # patchadd /patchdb/100103-12
    

Troubleshooting Problems With Netscape Security Tools

This section describes how to troubleshoot problems using signed patches with Netscape tools.

If you need to verify a signed patch, use the following command:


# signtool -v patch-ID.jar

Problem or error message: Cannot import Sun certificate chain from https://ra.sun.com:11005 to the Netscape cert database

Explanation: The import fails if the existing GTE CyberTrust Root CA entry is still in the certificate store when the chain is imported.

Solution: Make sure that the GTE CyberTrust Root CA was deleted before importing the certificate chain. For more information, see How to Import the Sun Certificates With Netscape 4.7 Tools.

Problem or error message: signtool: No certificate database in keystore-location

signtool: Check the -d arguments that you gave

Explanation: Either the certificate is not in the keystore, the keystore is not accessible, or the arguments are incorrect.

Solution: Make sure that the -d argument names the directory that holds the Netscape certificate database and that the database is readable by the user running signtool. Use Netscape->Security->Signers to check that all three CAs are present: GTE CyberTrust Root CA, Sun Microsystems Inc CA (Class B) - Sun Microsystems Inc, and Sun Microsystems Inc Root CA - GTE Corporation. If the certificates are not in the Netscape keystore, import the certificate chain from https://ra.sun.com:11005.

Problem or error message: Cannot install signed patches

Explanation: Signed patches might fail to install because of a lack of disk space.

Solution: Make sure that there is enough disk space.