Signed Patches Administration Guide for PatchPro 2.2

Managing Signed Patches by Using Netscape Tools (Task Map)

Perform these tasks in the order shown.

| Task | Description | For Instructions |
|------|-------------|------------------|
| 1. Download the Netscape signtool command. | Download the Netscape signtool command to verify signed patches. | How to Download the Netscape signtool Command |
| 2. Import the Sun certificates. | Import and accept the Sun certificates into the Netscape 4.7 keystore. Import and accept the Sun certificates into the Netscape 6 keystore. | How to Import the Sun Certificates With Netscape 4.7 Tools; How to Import the Sun Certificates With Netscape 6 Tools |
| 3. Certify the Sun certificates. | Certify the Sun certificates by using Netscape 4.7 tools. Certify the Sun certificates by using Netscape 6 tools. | How to Certify the Sun Certificates With Netscape 4.7 Tools; How to Certify the Sun Certificates With Netscape 6 Tools |
| 4. Create or change the keystore password. | Create or change a password to keep the keystore secure. | How to Create or Change a Keystore Password With Netscape Tools |
| 5. Verify a signed patch. | Download a patch from SunSolve Online, and verify it with the signtool command. | How to Verify a Signed Patch (signtool) |
| 6. Apply the verified signed patch. | Use the patchadd command to apply the verified signed patch. | How to Apply a Verified Signed Patch |

How to Download the Netscape signtool Command

  1. Go to the following site:


    http://developer.netscape.com/software/signedobj/jarpack.html#signtool1.3
    
  2. Download signtool 1.3 by clicking SignTool 1.3 for Solaris 2.6 (SunOS 5.6).

  3. As superuser, uncompress the signtool13SunOS56.tar.gz package.


    # gunzip signtool13SunOS56.tar.gz
    
  4. Untar the signtool13SunOS56.tar file.


    # tar xvf signtool13SunOS56.tar
    

How to Import the Sun Certificates With Netscape 4.7 Tools

The following procedure removes the existing GTE CyberTrust Root CA before importing the Sun certificates into your certificate store. You will add the GTE CyberTrust Root CA back when you import the chain of Sun certificates into your certificate store.

Use this procedure with Netscape Communicator 4.7.

  1. If necessary, start Netscape Communicator.

  2. Access the Security Info page in one of the following ways:

    • Click the Security button on your Netscape browser (the small lock in the lower left corner).

    • Click the Security button in the Navigator toolbar.

    • From the Communicator menu, choose Tools->Security Info.

  3. Select Signers under Certificates on the Security Info pop-up window.

  4. Select GTE CyberTrust Root CA, and click the Delete button.

  5. Click OK in the Delete pop-up window.

  6. Click OK in the Signers window.

  7. Import the Sun certificates into Netscape Communicator.

    1. Go to the following site to import the Sun certificates:


      https://ra.sun.com:11005
      
    2. Select the Retrieval tab at the top of the page.

    3. Select Import CA Certificate Chain in the left panel, and if it is not already selected, click the radio button next to Import the CA Certificate Chain Into Your Browser.

    4. Click Submit.

    5. Click Next on the pop-up windows that lead you through the import process until you get to a panel that has three checkboxes for accepting the certificate for network sites, email users, and software developers.

    6. Check all three boxes, then click Next.

    7. Continue clicking Next until you get to a panel with a Name text field.

    8. Type GTE CyberTrust Root CA in the Name text field.

    9. Click Finish.

  8. Verify that the certificates have been successfully imported.

    1. Access the Netscape Security Info page in one of the following ways:

      • Click the Security button on your Netscape browser (the small lock in the lower left corner).

      • Click the Security button in the Navigator toolbar.

      • From the Communicator menu, choose Tools->Security Info.

    2. Select Signers under Certificates on the Security Info pop-up window.

    3. Scroll down until you see the GTE CyberTrust Root entry and the two SunPKI certificate entries: Sun Microsystems Inc CA (Class B) - Sun Microsystems Inc, and Sun Microsystems Inc Root CA - GTE Corporation.

  9. You can verify that the Sun certificates are imported by viewing the Sun Microsystems certificates in the output of this command:


    # signtool -L
    
  10. Go to the next procedure to certify the Sun certificates that you just imported.

How to Certify the Sun Certificates With Netscape 4.7 Tools

This procedure describes how to uncertify the GTE CyberTrust Root certificate and certify the Sun Microsystems Inc. CA (Class B) certificate.

  1. Verify that you have already completed the import procedure.

    See How to Import the Sun Certificates With Netscape 4.7 Tools.

  2. If necessary, access the Netscape Communicator Security Info window.

  3. Select Signers under Certificates on the Security Info pop-up window.

  4. Select GTE CyberTrust Root and click Edit.

  5. Deselect the three Accept boxes and click OK.

  6. Select Sun Microsystems Inc. CA (Class B), and click the three Accept boxes.

  7. Click OK.

  8. Select Sun Microsystems Inc. Root CA, and click the three Accept boxes.

    This means that you are restricting your certification of signed objects to only those signed by Sun Microsystems, Inc.

  9. Click OK.

  10. Click OK in the Signers window.

  11. Create a keystore password.

    See How to Create or Change a Keystore Password With Netscape Tools.

How to Import the Sun Certificates With Netscape 6 Tools

  1. If necessary, start Netscape Communicator 6.

  2. Import the Sun certificates into Netscape Communicator.

    1. Go to the following site to import the Sun certificates:


      https://ra.sun.com:11005
      
    2. Select the Retrieval tab at the top of the page.

    3. Select Import CA Certificate Chain in the left panel, and if it is not already selected, click the radio button next to Import the CA Certificate Chain Into Your Browser.

    4. Click Submit.

    5. Click the three checkboxes regarding accepting the certificate for web sites, email users, and software developers for the Sun Microsystems Inc CA (Class B) certificate on the Downloading Certificate pop-up window.

    6. Click OK.

  3. Verify that the certificates have been successfully imported.

    1. Access the Netscape Edit->Preferences->Privacy and Security->Certificates window.

    2. Click Manage Certificates in the middle of the window.

    3. Click the Authorities tab to display the list of certificate authorities.

    4. Scroll through the list of certificates and verify that you see these entries: GTE Corporation - GTE CyberTrust Root, Sun Microsystems Inc Root CA, and Sun Microsystems Inc - Sun Microsystems Inc CA (Class B).

  4. Go to the next procedure to certify the Sun certificates that you just imported.

How to Certify the Sun Certificates With Netscape 6 Tools

  1. Verify that you have already completed the import procedure.

    See How to Import the Sun Certificates With Netscape 6 Tools.

  2. If necessary, access the Netscape Communicator Edit->Preferences->Privacy and Security->Certificates window.

  3. Click Manage Certificates.

  4. Click the Authorities tab.

  5. Select GTE Corporation - GTE CyberTrust Root in the scrolling pane and click Edit.

  6. Verify that the three Accept boxes are deselected and click OK.

  7. Select the Sun Microsystems Inc - Sun Microsystems Inc CA (Class B) entry and click Edit.

  8. Verify that the three Accept boxes are selected and click OK.

    This means that you are restricting your certification of signed objects to only those signed by Sun Microsystems Inc CA (Class B).

  9. You can verify that the Sun certificates are imported by viewing the Sun Microsystems certificates in the output of this command:


    # signtool -L
    
  10. Go to the next procedure to create a keystore password.

How to Create or Change a Keystore Password With Netscape Tools

This procedure might vary slightly depending on whether you are using Netscape 4 or Netscape 6.

  1. Verify that you have completed the following procedures:

  2. If necessary, access the Netscape Communicator Security Info window.

  3. Click Passwords in the left panel.

  4. Set or change the keystore password.

    • Click the Set Password button in the main panel, and follow the steps to set the keystore password.

    • Click the Change Password button in the main panel if you need to change the keystore password.

  5. Select or change one of the following password policies:

    • The first time your certificate is needed

    • Every time your certificate is needed

    • After (30) minutes of inactivity

  6. Click OK.

How to Verify a Signed Patch (signtool)

  1. Verify that the following prerequisites are met:

  2. Download a signed patch from the following location:


    http://sunsolve.Sun.COM/pub-cgi/show.pl?target=patches/patch-access
    
  3. Verify a signed patch, for example:


    # signtool -v /patchdb/100103-12.jar
    using certificate directory: /.netscape
    archive "/patchdb/100103-12.jar" has passed crypto verification.
    
              status   path
        ------------   -------------------
            verified   100103-12/README
            verified   100103-12/4.1secure.sh
    #

    If the patch verification fails, you will see a message similar to this:


    archive DID NOT PASS crypto verification

How to Apply a Verified Signed Patch

  1. Become superuser.

  2. Unzip the patch bundle, for example:


    # unzip 100103-12.jar
    Archive:  100103-12.jar
      inflating: 100103-12/README        
      inflating: 100103-12/4.1secure.sh  
      inflating: META-INF/manifest.mf    
      inflating: META-INF/zigbert.sf     
      inflating: META-INF/zigbert.rsa    
    #

  3. Apply the verified uncompressed signed patch, for example:


    # patchadd /patchdb/100103-12
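
The verify and apply procedures above, combined into one gate, as an added example that is not part of the original guide: it parses the signtool -v output layout shown above and runs patchadd only when the archive passed and every listed file is verified. The function names, the SIGNTOOL, UNZIP, PATCHADD and WORKDIR variables, and the staging path are assumptions.

```sh
#!/bin/sh
# Added example (not from the guide): apply a patch only if signtool verified it.

# Read `signtool -v` output on stdin, in the layout this guide shows.
# Succeed only if the archive passed and every row of the status table
# reads "verified"; any other status, or no rows at all, fails closed.
check_signtool_output() {
    awk '
        /has passed crypto verification/   { passed = 1 }
        /DID NOT PASS crypto verification/ { failed = 1 }
        in_table && NF >= 2 { if ($1 == "verified") good++; else bad++ }
        NF == 2 && $1 ~ /^-+$/ && $2 ~ /^-+$/ { in_table = 1 }
        END { exit !(passed && !failed && good > 0 && bad == 0) }
    '
}

# verify_and_apply JAR: verify JAR, unpack that same file, then apply it.
# SIGNTOOL, UNZIP, PATCHADD and WORKDIR are assumed override hooks.
verify_and_apply() {
    jar=$1
    workdir=${WORKDIR:-/var/tmp/patch.$$}
    out=$("${SIGNTOOL:-signtool}" -v "$jar" 2>&1) || true
    if ! printf '%s\n' "$out" | check_signtool_output; then
        echo "refusing to apply $jar: not verified" >&2
        return 1
    fi
    # mkdir without -p fails if the directory already exists, so a
    # pre-created staging directory is never reused.
    mkdir -m 700 "$workdir" || return 1
    "${UNZIP:-unzip}" -q "$jar" -d "$workdir" || return 1
    "${PATCHADD:-patchadd}" "$workdir/$(basename "$jar" .jar)"
}
```

Unpacking the same path that was just verified avoids applying a different copy of the archive than the one signtool checked.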
    

Troubleshooting Problems With Netscape Security Tools

This section describes how to troubleshoot problems using signed patches with Netscape tools.

If you need to verify a signed patch, use the following command:


    # signtool -v patch-ID.jar

| Problem or Error Message | Explanation | Solution |
|--------------------------|-------------|----------|
| Cannot import Sun certificate chain from https://ra.sun.com:11005 to the Netscape cert database | Self-explanatory. | Make sure that the GTE CyberTrust Root CA was deleted before importing the certificate chain. For more information, see How to Import the Sun Certificates With Netscape 4.7 Tools. |
| signtool: No certificate database in keystore-location signtool: Check the -d arguments that you gave | Either the certificate is not in the keystore, the keystore is not accessible, or the arguments are incorrect. | Make sure that the argument is correct and that the keystore is accessible. Use Netscape->Security->Signers to check if all three CAs are present: GTE CyberTrust Root CA, Sun Microsystems Inc CA (Class B) - Sun Microsystems Inc, Sun Microsystems Inc Root CA - GTE Corporation. If the certificates are not in the Netscape keystore, import the certificate chain from https://ra.sun.com:11005. |
| Cannot install signed patches | It is possible that signed patches cannot be installed due to lack of space. | Make sure that there is enough disk space. |