Sun Solaris 8: Patch Management

 


 

Contents

  1. Overview
  2. Disk Space Considerations
  3. Sun Digital Certificates
  4. SunPKI Registration Authorities
  5. Revoked Sun Certificates
  6. Using Patch Management Tools
  7. Install Patch Management Tools
  8. Add a Signed Patch
  9. Remove a Signed Patch on a Solaris 8 System
  10. Change the Keystore Password
  11. Set Up Your Patch Environment
  12. Troubleshooting
  13. Using Signed Patches With Java-Based Tools
  14. Download the SUNWcert Package
  15. Change the Java Keystore Password
  16. Verify a Signed Patch
  17. Add a Verified Signed Patch

 


Overview

To view patches on your system, run showrev -p.

Patches available at SunSolve Online are generally signed patches: they include a digital signature and are stored in JAR files.

To manage signed patches on Solaris 8, use Solaris Patch Manager Base Version 1.0.

 

Disk Space Considerations

  1. The default download directory for signed patches is /var/sadm/spool.

  2. The patch download process might use more disk space than anticipated because multiple patches can be downloaded if prerequisite patches are required by the patch that you downloaded.

  3. Signed patches are unpacked in the /var/sadm/spool directory before they are installed, so be sure you have enough disk space in the /var directory for this process.

  4. If your /var directory is not large enough to support the downloading and unpacking of signed patches, you can use the smpatch command with the -d option to specify an alternate patch download directory.

  5. To reclaim disk space in the /var directory, you can also safely remove the signed patches from the /var/sadm/spool directory after they have been successfully downloaded and added to your system.

 

Sun Digital Certificates

Digital certificates, issued and authenticated by Sun Microsystems, are used to verify that the downloaded patch archive carrying the digital signature has not been tampered with. These certificates are imported into your system's keystore. A keystore is a protected database that stores the keys and certificates from Sun. The keytool command is used to import the certificates into your system's keystore.

Access to a keystore is protected by a special password that you can specify when you import the Sun certificates into your system's keystore.

The SUNWcert package contains the Sun certificate authority (CA) certificates that you need to verify a patch's signature. You can obtain the SUNWcert package by one of the following methods:

You can verify that the certificates in the SUNWcert package match the certificate information at http://www.sun.com/pki/index.html.

 

SunPKI Registration Authorities

The Sun Public Key Infrastructure (SunPKI) architecture is designed with one top-level certificate, called the Root CA (Certificate Authority), and a subordinate CA, which is the Sun Microsystems Inc. CA (Class B) certificate. An additional certificate issued by Sun Enterprise Services, called the patch management certificate, is used to verify the digital signatures on signed patches.

The Sun Root CA, Sun Class B CA, and the patch signing certificate are included in the SUNWcert package.

These three certificates provide a certificate chain of trust in the patch verification process: the Sun Root CA trusts the Class B CA, and the Class B CA trusts the patch management certificate. Ultimately, the GTE CyberTrust CA trusts the Sun Root CA.

A certification authority certifies the relationship between the public keys that are used to check the digital signature shipped with the patch and the owner of those public keys.

The Sun CA process means the following:

  • Sun has issued and authenticated the digital certificates.
  • The public key in the certificate is paired with a private key that is held by Sun.
  • These certificates can be used for business purposes only and can be revoked or suspended if the certificate user violates Sun's certificate policy.

Sun certificates are issued by Baltimore Technologies, who recently bought GTE CyberTrust. For more information about Sun's certificate policy, go to http://www.sun.com/pki/cps.html.

 

Revoked Sun Certificates

If the Sun Root or Class B certificate is compromised (for example, stolen or lost), it is added to the certificate revocation list posted at http://www.sun.com/pki/ca/pkismica.crl.html.

We recommend that you check this list periodically to verify that your imported certificates are still valid. If an imported certificate has been revoked, remove it from your keystore and import the replacement certificate.

If the patch signing certificate is revoked, the existing signed patches on SunSolve would be removed and replaced by patches with a new digital signature.

 

Using Patch Management Tools

Keep the following key points in mind when using Solaris 8 patch management tools:

  • Make sure your systems running the Solaris 8 releases are currently up-to-date with patches, including the appropriate kernel update and Java patches.

  • You will have to manually import the Sun certificates used to verify a patch's signature after installing the Solaris 8 patch management tools.

  • If you have previous versions of the PatchPro software on your system, the older versions will be upgraded when Solaris Patch Manager Base Version 1.0 is installed.

  • Install patches on a quiet system, preferably in single-user mode.

  • Signed patches are verified when they are downloaded with the smpatch command.

  • Use the /opt/SUNWppro/bin/uninstallpatchpro script if you need to uninstall PatchPro 2.1. Do not run this script while your current directory is /opt/SUNWppro/bin; set your path and then run uninstallpatchpro from another directory, for example the root (/) directory.

 


Install Patch Management Tools

  1. Become superuser.

  2. Follow the links and download the appropriate tar file for your Solaris release at the following location:

    http://www.sun.com/PatchPro

  3. Unpack the package by using the following command:

    # gunzip -dc SUNWpkg-name.tar.gz | tar xvf -
    

  4. Change to the unpacked package directory:

    # cd unzipped-pkg-dir

  5. Run the setup script:

    # ./setup

  6. Import the Sun certificates (see Download the SUNWcert Package).

  7. Set up your patch environment (see Set Up Your Patch Environment).

 


Download and Add a Signed Patch

This procedure verifies the signed patch when it is downloaded.

  1. Become superuser.

  2. Download a signed patch or patches from SunSolve.

    # smpatch download -i patch-ID
    
    Requested patches:
    
      patch-ID
    
    Downloading the requested patches
    
    /var/sadm/spool/patch-ID.jar has been validated.
    
    For downloaded patch(es) see /var/sadm/spool
    

    The patch is automatically verified during the download process.

  3. Add the signed patch.

    # smpatch add -i patch-ID 
    

 

Examples--Downloading and Adding a Signed Patch on a Solaris 8 System

The following example shows how to download and add patch 105407-01.

# smpatch download -i 105407-01

Requested patches:

    105407-01

Downloading the requested patches



/var/sadm/spool/105407-01.jar has been validated.

For downloaded patch(es) see /var/sadm/spool
# smpatch add -i 105407-01

On machine "earth/172.20.27.27" ...


Installing patch 105407-01 ...
Purging /var/sadm/spool/105407-01
/var/sadm/spool/README.txt has been moved to
/var/sadm/spool/patchproSequester

The following example shows how to download and add patch 107058-01 on a Solaris 7 system. This patch has two patch dependencies, which are automatically downloaded and verified.

# smpatch download -i 107081-45

Requested patches:

    107081-45

Downloading the requested patches

The following patches were added due to patch dependencies:
    108376-37
    107656-09

/var/sadm/spool/108376-37.jar has been validated.

/var/sadm/spool/107656-09.jar has been validated.

/var/sadm/spool/107081-45.jar has been validated.

For downloaded patch(es) see /var/sadm/spool
# smpatch add -i 108376-37 -i 107656-09 -i 107081-45

On machine "venus/172.20.27.26" ...

Installing patch 108376-37 ...
Installing patch 107656-09 ...
Installing patch 107081-45 ...
Purging /var/sadm/spool/108376-37
Purging /var/sadm/spool/107656-09
Purging /var/sadm/spool/107081-45
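One way to script the transcript above, as an added example that is not part of the Solaris documentation: a POSIX sh function that reads the output of smpatch download, confirms that every requested patch and every dependency smpatch pulled in has a "has been validated" line, and only then prints the smpatch add command with the patches in the order smpatch validated them. The transcript below is constructed from the 107081-45 example above; any download directory (the -d option) is accepted as long as the JAR is named patch-ID.jar.

```shell
#!/bin/sh
# Added example (not from the Solaris documentation): build the "smpatch add"
# command from an "smpatch download" transcript, refusing to add anything
# that smpatch did not report as validated.

# Constructed transcript, modelled on the 107081-45 example above.
sample_download_log() {
cat <<'EOF'
Requested patches:
    107081-45
Downloading the requested patches
The following patches were added due to patch dependencies:
    108376-37
    107656-09
/var/sadm/spool/108376-37.jar has been validated.
/var/sadm/spool/107656-09.jar has been validated.
/var/sadm/spool/107081-45.jar has been validated.
For downloaded patch(es) see /var/sadm/spool
EOF
}

# Patch IDs that smpatch reported as validated, in transcript order
# (dependencies come first, which is the order "smpatch add" wants).
validated_ids() {
  sed -n 's|^.*/\([0-9][0-9]*-[0-9][0-9]*\)\.jar has been validated\.$|\1|p'
}

# Every patch ID that was requested or pulled in as a dependency.
expected_ids() {
  awk '
    /^Requested patches:/ || /added due to patch dependencies:/ { collect = 1; next }
    /^Downloading/ || /has been validated/ || /^For downloaded/ { collect = 0 }
    collect && $1 ~ /^[0-9]+-[0-9]+$/ { print $1 }
  '
}

# Read a transcript on stdin and print the add command; return 1 if any
# expected patch lacks a validation line or nothing was validated at all.
build_add_command() {
  log=$(cat)
  validated=$(printf '%s\n' "$log" | validated_ids)
  [ -n "$validated" ] || { echo "no patch was validated" >&2; return 1; }
  for id in $(printf '%s\n' "$log" | expected_ids); do
    printf '%s\n' "$validated" | grep -qx "$id" ||
      { echo "patch $id was not validated; refusing to add" >&2; return 1; }
  done
  cmd="smpatch add"
  for id in $validated; do cmd="$cmd -i $id"; done
  printf '%s\n' "$cmd"
}

# Usage: smpatch download -i 107081-45 2>&1 | tee download.log
#        build_add_command < download.log
```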

 

Remove a Signed Patch on a Solaris 8 System

  1. Become superuser.

  2. Remove the signed patch.

    # smpatch remove -i patch-ID
    

    You cannot remove multiple patches in the same command.

 

Example--Removing a Signed Patch on a Solaris 8 System

The following example shows how to remove a signed patch.

# smpatch remove -i 105407-01

On machine "earth/172.20.27.27" ...

Removing patch 105407-01

Checking installed patches...

Backing out patch 105407-01...

Patch 105407-01 has been backed out.

 

Change the Keystore Password

  1. Become superuser.

  2. Change the keystore password.

    # keytool -storepasswd -keystore /usr/j2se/jre/lib/security/cacerts
    

    Enter keystore password:  changeit
    New keystore password:  new-password
    Re-enter new keystore password:  new-password
    

 

Set Up Your Patch Environment

  1. Become superuser.

  2. Add patch tool directories to your path.

    # PATH=/usr/sadm/bin:/opt/SUNWppro/bin:$PATH
    # export PATH
    

  3. (Optional) Identify the hardware on your system so that you can use the smpatch command to determine whether you need specific patches based on your hardware configuration.

    # pprosetup -H
    
    Change Hardware Configuration.
    Analyzing this computer.
    ..............
    

    This command only identifies Sun's Network Storage products.

  4. Identify the types of patches you will be adding to the system.

    # pprosetup -i standard:singleuser:rebootafter:reconfigafter:noncontract:clientusr:clientroot
    

    This command establishes the default patch policy for your system.

  5. (Optional) If you want to add contract signed patches to your system, do the following steps to define your SunSolve username and password.

    1. Define your SunSolve username.

      # pprosetup -u user-name
      

    2. Define your SunSolve password by adding the password to the following file:

      /opt/SUNWppro/lib/.sunsolvepw
      

  6. If your system is behind a firewall, you will need to define a proxy server that can access the patchpro.sun.com server and one of the following Sun patch servers that will be used to download patches:

    • americas.patchmanager.sun.com (default)
    • emea.patchmanager.sun.com
    • japan.patchmanager.sun.com

  7. Identify the selected proxy server by using the following command:

    # pprosetup -x proxy-server:proxy-port
    

    For example, if you selected webaccess.corp.net.com, the pprosetup command would look like this:

    # pprosetup -x webaccess.corp.net.com:8080
    

 

Troubleshooting

Problem or error message:
    Patch tool didn't install the patch.
Explanation:
    Patches are sequestered if they can't be installed.
Solution:
    See Find Out and Resolve Why a Patch Didn't Install, below.

Problem or error message:
    Cannot install signed patches
Explanation:
    Signed patches might fail to install because of a lack of disk space.
Solution:
    Make sure there is enough disk space.

Problem or error message:
    Problem detected during PatchPro initialization process. Please check the log file. Exiting.
Explanation:
    A problem occurred during the PatchPro installation.
Solution:
    Check the /var/tmp/log/patchpro.log file for errors.

 

Find Out and Resolve Why a Patch Didn't Install

A patch might not install successfully if it requires prerequisite patches or if a system reboot is required to install the patch. Patches that cannot be installed by PatchPro are sequestered in the /var/spool/pkg/patchproSequester directory.

Review the patch README file to find out if there are any prerequisite patches, which are listed in a section called REQUIRED PATCHES.

You can either view a copy of the patch README at SunSolve Online or extract only the README file from the JAR archive. Do not unpack the whole JAR archive, so that the digital signature is not disturbed. Use the procedure below to extract the patch README file safely.

You should also review the contents of the /var/tmp/log/patchpro.log file to find out why a patch did not install successfully.

  1. Verify that a patch or patches were not installed by viewing the contents of the /var/spool/pkg/patchproSequester directory.

    # cd /var/spool/pkg/patchproSequester; ls
    

  2. Extract the README file from the JAR archive by using the following commands:

    First, identify the name of the README file. For example:

    # /usr/j2se/bin/jar tvf 107058-01.jar | grep README
    

    Then, extract the README file. For example:

    # /usr/j2se/bin/jar xvf 107058-01.jar 107058-01/README.107058-01
    extracted: 107058-01/README.107058-01
    

  3. View the README file.

    For example:

    # more 107058-01/README.107058-01
    

 

Using Signed Patches With Java-Based Tools

  1. Download and install the SUNWcert package.
  2. Change the Java keystore password.
  3. Download a patch from SunSolve and verify it with the jarsigner command.
  4. Add the verified signed patch with the patchadd command.

 

Download the SUNWcert Package

  1. Download the SUNWcert package from:

    https://sunsolve.sun.com/SUNWcert/

  2. Become superuser.

  3. Download SUNWcert.tar.gz and place it in /var/spool/pkg on your Solaris system.

  4. Unzip and untar

    # cd /var/spool/pkg
    # unzip SUNWcert.zip
    # pkgadd -d .
    

  5. Install:

    pkgadd SUNWcert

  6. Verify the SUNWcert package is installed.

    # pkginfo -l SUNWcert
    

  7. Determine the fingerprints of your Sun root certificate and Sun class B certificate.

    keytool -printcert -file /etc/certs/SUNW/smirootcacert.b64
    keytool -printcert -file /etc/certs/SUNW/smicacert.b64

  8. Verify that the output of these commands matches the Sun root and class B certificate fingerprints displayed at:

    https://www.sun.com/pki/ca/

  9. Change to the /etc/certs/SUNW directory:

    cd /etc/certs/SUNW

  10. Import the class B certificate:

    keytool -import -alias smicacert -file smicacert.b64 -keystore /usr/java/jre/lib/security/cacerts

    Enter keystore password:  changeit
    Owner: O=Sun Microsystems Inc, CN=Sun Microsystems Inc CA (Class B)
    Issuer: CN=Sun Microsystems Inc Root CA, O=Sun Microsystems Inc, C=US
    Serial number: 1000006
    Valid from: Mon Nov 13 12:23:10 MST 2000 until: Fri Nov 13 12:23:10 MST 2009
    Certificate fingerprints:
             MD5:  B4:1F:E1:0D:80:7D:B1:AB:15:5C:78:CB:C8:8F:CE:37
             SHA1: 1E:38:11:02:F0:5D:A3:27:5C:F9:6E:B1:1F:C4:79:95:E9:6E:D6:DF
    Trust this certificate? [no]:  yes
    Certificate was added to keystore
    

  11. Import the root certificate:

    keytool -import -alias smirootcacert -file smirootcacert.b64 -keystore /usr/java/jre/lib/security/cacerts

    Enter keystore password:  changeit
    Owner: CN=Sun Microsystems Inc Root CA, O=Sun Microsystems Inc, C=US
    Issuer: CN=GTE CyberTrust Root, O=GTE Corporation, C=US
    Serial number: 200014a
    Valid from: Tue Nov 07 15:39:00 MST 2000 until: Thu Nov 07 16:59:00 MST 2002
    Certificate fingerprints:
             MD5:  D8:B6:68:D4:6B:04:B9:5A:EB:34:23:54:B8:F3:97:8C
             SHA1: BD:D9:0B:DA:AE:91:5F:33:C4:3D:10:E3:77:F0:45:09:4A:E8:A2:98
    Trust this certificate? [no]:  yes
    Certificate was added to keystore
    

  12. Import the patch signing certificate:

    keytool -import -alias patchsigning -file /opt/SUNWppro/etc/certs/patchsigningcert.b64 -keystore /usr/java/jre/lib/security/cacerts

    Enter keystore password:  changeit
    Owner: CN=Enterprise Services Patch Management, O=Sun Microsystems Inc
    Issuer: O=Sun Microsystems Inc, CN=Sun Microsystems Inc CA (Class B)
    Serial number: 1400007b
    Valid from: Mon Sep 24 14:38:53 MDT 2001 until: Sun Sep 24 14:38:53 MDT 2006
    Certificate fingerprints:
             MD5:  6F:63:51:C4:3D:92:C5:B9:A7:90:2F:FB:C0:68:66:16
             SHA1: D0:8D:7B:2D:06:AF:1F:37:5C:0D:1B:A0:B3:CB:A0:2E:90:D6:45:0C
    Trust this certificate? [no]:  yes
    Certificate was added to keystore
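The fingerprint comparison of steps 7 and 8 and the chain of trust described under SunPKI Registration Authorities, as an added example that is not part of the Solaris documentation: a POSIX sh check that runs before the three imports above and fails unless each SHA1 fingerprint equals a pinned value and the issuer of each certificate is the owner of the one above it. The pinned values and the printcert dumps are taken from the keytool output shown in steps 10 to 12; in practice the pins come from https://www.sun.com/pki/ca/, and the three command arguments would be the keytool -printcert invocations of step 7.

```shell
#!/bin/sh
# Added example, not from the Solaris documentation: before importing the
# Sun certificates (steps 10 to 12), confirm that each SHA1 fingerprint from
# "keytool -printcert" equals a value pinned from https://www.sun.com/pki/ca/
# and that the three certificates chain as described under SunPKI
# Registration Authorities (root CA issues class B, class B issues patch signing).

# Pinned fingerprints. Here they are the values printed in steps 10 to 12;
# in practice copy them from the Sun PKI page, not from the files you downloaded.
PIN_ROOT='BD:D9:0B:DA:AE:91:5F:33:C4:3D:10:E3:77:F0:45:09:4A:E8:A2:98'
PIN_CLASSB='1E:38:11:02:F0:5D:A3:27:5C:F9:6E:B1:1F:C4:79:95:E9:6E:D6:DF'
PIN_PATCH='D0:8D:7B:2D:06:AF:1F:37:5C:0D:1B:A0:B3:CB:A0:2E:90:D6:45:0C'

# Constructed printcert dumps, reduced to the lines the check reads
# (copied from the keytool output shown in steps 10 to 12).
root_dump() { cat <<'EOF'
Owner: CN=Sun Microsystems Inc Root CA, O=Sun Microsystems Inc, C=US
Issuer: CN=GTE CyberTrust Root, O=GTE Corporation, C=US
         SHA1: BD:D9:0B:DA:AE:91:5F:33:C4:3D:10:E3:77:F0:45:09:4A:E8:A2:98
EOF
}
classb_dump() { cat <<'EOF'
Owner: O=Sun Microsystems Inc, CN=Sun Microsystems Inc CA (Class B)
Issuer: CN=Sun Microsystems Inc Root CA, O=Sun Microsystems Inc, C=US
         SHA1: 1E:38:11:02:F0:5D:A3:27:5C:F9:6E:B1:1F:C4:79:95:E9:6E:D6:DF
EOF
}
patch_dump() { cat <<'EOF'
Owner: CN=Enterprise Services Patch Management, O=Sun Microsystems Inc
Issuer: O=Sun Microsystems Inc, CN=Sun Microsystems Inc CA (Class B)
         SHA1: D0:8D:7B:2D:06:AF:1F:37:5C:0D:1B:A0:B3:CB:A0:2E:90:D6:45:0C
EOF
}

# field NAME: print the value of the first "NAME:" line read from stdin.
field() { sed -n "s/^ *$1: *//p" | head -n 1; }

# check_chain ROOT_CMD CLASSB_CMD PATCH_CMD: each argument is a command that
# prints a printcert dump, e.g. "keytool -printcert -file smirootcacert.b64".
# DNs are compared as the exact strings keytool prints. Returns 0 only if
# all fingerprints match their pins and the issuer/owner links hold.
check_chain() {
  root_owner=$($1 | field Owner); root_fp=$($1 | field SHA1)
  b_owner=$($2 | field Owner); b_issuer=$($2 | field Issuer); b_fp=$($2 | field SHA1)
  p_issuer=$($3 | field Issuer); p_fp=$($3 | field SHA1)
  status=0
  [ "$root_fp" = "$PIN_ROOT" ] || { echo "root CA fingerprint mismatch"; status=1; }
  [ "$b_fp" = "$PIN_CLASSB" ] || { echo "class B CA fingerprint mismatch"; status=1; }
  [ "$p_fp" = "$PIN_PATCH" ] || { echo "patch signing fingerprint mismatch"; status=1; }
  [ "$b_issuer" = "$root_owner" ] || { echo "class B CA not issued by root CA"; status=1; }
  [ "$p_issuer" = "$b_owner" ] || { echo "patch signing cert not issued by class B CA"; status=1; }
  return $status
}
```

Run check_chain with the three dump functions replaced by the keytool -printcert commands of step 7 (and /opt/SUNWppro/etc/certs/patchsigningcert.b64 for the third), and import only when it returns 0.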
    

 

Change the Java Keystore Password

  1. Become superuser.

  2. Change the keystore password.

    # /usr/java1.3/bin/keytool -storepasswd -keystore /usr/java1.3/jre/lib/security/cacerts
    Enter keystore password:  changeit
    New keystore password:  new-password
    Re-enter new keystore password:  new-password
    

 

Verify a Signed Patch

  1. Verify the following prerequisites are met:

  2. Download a signed patch from SunSolve Online.

  3. Verify a signed patch:

    # /usr/java1.3/bin/jarsigner -verify -verbose -keystore /usr/java1.3/jre/lib/security/cacerts /patchdb/100103-12.jar
    smk     2149 Tue Sep 25 15:47:20 MDT 2001 100103-12/README
    smk    18553 Tue Sep 25 15:47:20 MDT 2001 100103-12/4.1secure.sh
             385 Tue Sep 25 15:47:20 MDT 2001 META-INF/manifest.mf
             493 Tue Sep 25 15:47:20 MDT 2001 META-INF/zigbert.sf
            3819 Tue Sep 25 15:47:20 MDT 2001 META-INF/zigbert.rsa
    
      s = signature was verified
      m = entry is listed in manifest
      k = at least one certificate was found in keystore
      i = at least one certificate was found in identity scope
    
    jar verified.
    # 
    

    Make sure that you see the smk entries listed to confirm that the patch signature is verified. Otherwise, the patch verification has failed, even if you see the jar verified message.
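The check described in the note above, as an added example that is not part of the Solaris documentation: a POSIX sh function that reads jarsigner -verify -verbose output and fails unless every file outside META-INF/ carries the s, m and k flags, regardless of the trailing "jar verified." line. The transcript is the 100103-12 listing from step 3; the unsigned 100103-12/extra.sh entry in the failure case is constructed.

```shell
#!/bin/sh
# Added example (not part of the Solaris documentation): judge a patch by the
# per-entry s/m/k flags that "jarsigner -verify -verbose" prints, not by the
# "jar verified." summary, which appears even when an unsigned file was added
# to the archive.

# Constructed transcript, copied from the 100103-12 example above.
verified_transcript() {
cat <<'EOF'
smk     2149 Tue Sep 25 15:47:20 MDT 2001 100103-12/README
smk    18553 Tue Sep 25 15:47:20 MDT 2001 100103-12/4.1secure.sh
         385 Tue Sep 25 15:47:20 MDT 2001 META-INF/manifest.mf
         493 Tue Sep 25 15:47:20 MDT 2001 META-INF/zigbert.sf
        3819 Tue Sep 25 15:47:20 MDT 2001 META-INF/zigbert.rsa

  s = signature was verified
  m = entry is listed in manifest
  k = at least one certificate was found in keystore
  i = at least one certificate was found in identity scope

jar verified.
EOF
}

# Constructed failure case: a file added after signing is listed without
# flags, yet the summary line still reads "jar verified."
tampered_transcript() {
  verified_transcript | awk '{ print } NR == 2 { print "        1204 Tue Sep 25 15:47:20 MDT 2001 100103-12/extra.sh" }'
}

# Read jarsigner -verify -verbose output on stdin. Return 0 only when the
# summary says "jar verified." AND at least one entry was checked AND every
# entry outside META-INF/ shows the s, m and k flags. Unverified entries are
# printed so the operator can see what failed.
check_patch_signature() {
  awk '
    /^jar verified\.$/ { verified = 1; next }
    /^ *[smki] = / || /^ *$/ || /^#/ { next }   # legend, blank lines, shell prompt
    $NF ~ /^META-INF\// { next }                 # manifest and signature block carry no flags
    NF >= 8 {
      entries++
      flags = ($1 ~ /^[0-9]+$/) ? "" : $1        # an unsigned entry starts with its size
      if (flags !~ /s/ || flags !~ /m/ || flags !~ /k/) {
        bad++; printf("UNVERIFIED: %s\n", $NF)
      }
    }
    END { if (verified && entries > 0 && bad == 0) exit 0; exit 1 }
  '
}

# Usage: /usr/java1.3/bin/jarsigner -verify -verbose -keystore \
#        /usr/java1.3/jre/lib/security/cacerts /patchdb/100103-12.jar | check_patch_signature
```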

 

Add a Verified Signed Patch

  1. Become superuser.

  2. Unzip the patch bundle.

    # unzip 100103-12.jar
    Archive:  100103-12.jar
           inflating: 100103-12/README
           inflating: 100103-12/4.1secure.sh
           inflating: META-INF/manifest.mf
           inflating: META-INF/zigbert.sf
           inflating: META-INF/zigbert.rsa
    #
    

  3. Add the verified uncompressed signed patch.

    # patchadd /patchdb/100103-12
    

 


Possible Install Problem

If you have set permissions on your /etc directory differently from the way Solaris delivers them, the PatchPro or Patch Manager installation may fail with the following message in the log file:

The following files are already installed on the system and are being used by another package:

/etc attribute change only

Installation of SUNWcert was suspended (interaction required). No changes were made to the system.

Solution:

  • Set the owner, group, and mode of your /etc directory to root, sys, and 0755

    or

  • In the file /var/sadm/install/admin/default change the line

    conflict=ask

    to

    conflict=nocheck

 

