What is the correct Solaris 9 patch mechanism?
Hello,
For the last couple of months, all of my Solaris 9 systems have been reporting "No patches required." when smpatch update was run out of cron. As we are a contract customer, we are running a local patch server, and use that as our primary source of patches.
Here is the configuration on our local patch server machine:
15# patchsvr setup -l
Patch source URL: https://getupdates.sun.com/solaris/
Cache Location: /var/sadm/spool/patchsvr
Web proxy host name:
Web proxy port number: 8080
16# smpatch get
patchpro.backout.directory-""
patchpro.download.directory/ptmp/var/sadm/spool/var/sadm/spool
patchpro.install.types -rebootafter:reconfigafter:standard
patchpro.patch.sourcehttp://localhost:3816/solaris/ https://updateserver.sun.com/solaris/
patchpro.patchset-patchdb
patchpro.proxy.host -""
patchpro.proxy.passwd********
patchpro.proxy.port -8080
patchpro.proxy.user -""
patchpro.sun.passwd ********
patchpro.sun.user-""
The only change I have made since this was originally configured (2-3 years ago) was to change the Patch source URL setting per another thread in this forum.
My question is this: as a contract customer, what mechanism should I be using to keep my Solaris 9 systems up to date?
Thanks,
Bill
[1526 byte] By [wgkorba] at [2007-11-26 15:52:27]

# 1
The patchset was updated to "patchdb1" with an update recently. Review document id # 102639 on sunsolve.sun.com for more info. You'll have to manually download and apply the appropriate patches for your OS to ensure the toolset can then analyze the system correctly.
# 2
OK, I've now followed the instructions in Alert doc #102639, including:
- installation of current Verisign certificate in my Java key store
- update my local patch server system (running Solaris 9) with patch # 112945-44
This is the current state of my patch server configuration:
21# patchsvr setup -l
Patch source URL: https://getupdates.sun.com/solaris/
Cache Location: /export/home/patchsvr
Web proxy host name:
Web proxy port number: 8080
Here are my current smpatch settings:
25# smpatch get
patchpro.backout.directory-""
patchpro.download.directory-/var/sadm/spool
patchpro.install.types -rebootafter:reconfigafter:standard
patchpro.patch.sourcehttp://localhost:3816/solaris/ https://updateserver.sun.com/solaris/
patchpro.patchset-patchdb1
patchpro.proxy.host -""
patchpro.proxy.passwd********
patchpro.proxy.port -8080
patchpro.proxy.user -""
patchpro.sun.passwd ********
patchpro.sun.user-""
I am able to run smpatch analyze and see a list of patches that my system requires:
26# smpatch analyze
113434-33 SunOS 5.9: /usr/snadm/lib Library and Differential Flash Patch
117560-04 SunOS 5.9: Microtasking libraries (libmtsk) patch
113886-41 OpenGL 1.3: OpenGL Patch for Solaris (32-bit)
113887-41 OpenGL 1.3: OpenGL Patch for Solaris (64-bit)
(stuff deleted for brevity)
However, if I try to download and install one of the listed patches, it fails:
71# smpatch update -i 113434-33
Installing patches from /var/sadm/spool...
WARNING: The installer cannot find the patch.
/var/sadm/spool/patchpro_dnld_2007.01.25@11:31:02:CST.txt has been moved to /var/sadm/spool/patchproSequester/patchpro_dnld_2007.01.25@11:31:02:CST.txt
As smpatch update was running, I used ls to monitor progress. I did indeed see the patch jar file being downloaded into the patch server's download directory:
31# ls -l /export/home/patchsvr/Patches/113434-33*
-rw-r--r--1 rootother576708 Jan 25 11:30 /export/home/patchsvr/Patches/113434-33.jar.tmp
However, once the download completed, the jar file is gone:
35# ls -l /export/home/patchsvr/Patches/113434-33*
/export/home/patchsvr/Patches/113434-33*: No such file or directory
If I unset the patchpro.patch.source property to bypass the local patch server, the patch installation completes properly (although the patch is not actually installed as it violates my patch policy):
72# smpatch update -i 113434-33
113434-33 has been validated.
Installing patches from /var/sadm/spool...
NOTICE: Patch 113434-33 cant be installed because its type is prohibited by policy.
/var/sadm/spool/patchpro_dnld_2007.01.25@11:45:08:CST.txt has been moved to /var/sadm/spool/patchproSequester/patchpro_dnld_2007.01.25@11:45:08:CST.txt
ID's of the patches that are disallowed by installation policy have been
written to file
/var/sadm/spool/disallowed_patch_list
Please use
smpatch add -x idlist=/var/sadm/spool/disallowed_patch_list
to install these patches.
What do I have to do to get my local patch server working properly again?
Thanks,
Bill
# 3
Hello,
I would like to see the configuration of your patchsvr.
Please can you run the following commands on your patchsvr:
hostname
cat /etc/release
java -version
showrev -p | cut -d" " -f2 | sort > /tmp/showrev-p
egrep '11978[8|9]|12033[5|6]|12108[1|2]' /tmp/showrev-p
egrep '12111[8|9]|12145[3|4]|12156[3|4]' /tmp/showrev-p
egrep '12223[1|2]|12300[5|6]|124463|12461[4|5]' /tmp/showrev-p
/usr/lib/cc-ccr/bin/ccr -g cns.assetid
patchsvr setup -l
smpatch get
smpatch analyze
Regards,
# 4
Here you go:
156# hostname
ponyman
157# cat /etc/release
Solaris 9 s9_58shwpl3 SPARC
Copyright 2002 Sun Microsystems, Inc. All Rights Reserved.
Use is subject to license terms.
Assembled 15 April 2002
158# java -version
java version "1.4.2_12"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.4.2_12-b03)
Java HotSpot(TM) Client VM (build 1.4.2_12-b03, mixed mode)
159# showrev -p | cut -d" " -f2 | sort > /tmp/showrev-p
160# egrep '11978[8|9]|12033[5|6]|12108[1|2]' /tmp/showrev-p
161# egrep '12111[8|9]|12145[3|4]|12156[3|4]' /tmp/showrev-p
162# egrep '12223[1|2]|12300[5|6]|124463|12461[4|5]' /tmp/showrev-p
163# /usr/lib/cc-ccr/bin/ccr -g cns.assetid
ksh: /usr/lib/cc-ccr/bin/ccr: not found
164# patchsvr setup -l
Patch source URL: https://getupdates.sun.com/solaris/
Cache Location: /var/sadm/spool/patchsvr
Web proxy host name:
Web proxy port number: 8080
165# smpatch get
patchpro.backout.directory-""
patchpro.download.directory-/var/sadm/spool
patchpro.install.types -rebootafter:reconfigafter:standard
patchpro.patch.sourcehttp://localhost:3816/solaris/ https://updateserver.sun.com/solaris/
patchpro.patchset-patchdb1
patchpro.proxy.host -""
patchpro.proxy.passwd********
patchpro.proxy.port -8080
patchpro.proxy.user -""
patchpro.sun.passwd ********
patchpro.sun.user-""
166# smpatch analyze
113434-33 SunOS 5.9: /usr/snadm/lib Library and Differential Flash Patch
117560-04 SunOS 5.9: Microtasking libraries (libmtsk) patch
113146-08 SunOS 5.9: Apache Security Patch
114332-25 SunOS 5.9: c2audit & *libbsm.so.1 Patch
113319-27 SunOS 5.9: libnsl nispasswdd patch
112874-37 SunOS 5.9: patch libc
114713-03 SunOS 5.9: newtask Patch
112908-29 SunOS 5.9: gl_kmech_krb5 Patch
115553-24 SunOS 5.9: USB drivers patch
112960-42 SunOS 5.9: patch libsldap ldap_cachemgr libldap
118558-39 SunOS 5.9: Kernel Patch
116561-15 SunOS 5.9: Volume System H/W Series platmod patch
114344-23 SunOS 5.9: kernel/drv/arp Patch
123764-02 SunOS 5.9: Sun Fire V445 platform Patch
123763-03 SunOS 5.9: Sun Fire V215/V245 platform Patch
113713-23 SunOS 5.9: pkginstall Patch
112963-30 SunOS 5.9: linker patch
118465-03 SunOS 5.9: rcm_daemon Patch
113318-27 SunOS 5.9: patch /kernel/fs/nfs and /kernel/fs/sparcv9/nfs
115545-03 SunOS 5.9: nss_files patch
115544-03 SunOS 5.9: nss_compat patch
116016-04 SunOS 5.9: /usr/sbin/logadm patch
123370-01 SunOS 5.9: libsecdb.so.1 patch
123766-02 SunOS 5.9: pcf8584/pmugpio/ebus patch
121319-02 SunOS 5.9: devfsadmd_mod.so Patch
123368-01 SunOS 5.9: tip patch
120445-01 SunOS 5.9: Toshiba platform token links (TSBW,Ultra-3i)
112964-16 SunOS 5.9: /usr/bin/ksh Patch
113032-05 SunOS 5.9: /usr/sbin/init Patch
112954-15 SunOS 5.9: uata Driver Patch
113225-07 SunOS 5.9: 2002c Timezone Patch
117155-14 SunOS 5.9: pcipsy Patch
114235-02 SunOS 5.9: libsendfile.so.1 Patch
116488-06 SunOS 5.9: Lights Out Management (lom) patch
114224-06 SunOS 5.9: csh Patch
114370-05 SunOS 5.9: libumem.so.1 patch
124498-01 SunOS 5.9: tail patch
117123-07 SunOS 5.9: wanboot Patch
113335-04 SunOS 5.9: devinfo Patch
113330-03 SunOS 5.9: rpcbind Patch
113329-18 SunOS 5.9: lp Patch
118335-06 SunOS 5.9: sockfs patch
113278-16 SunOS 5.9: NFS Daemon Patch
113277-50 SunOS 5.9: sd and ssd Patch
113077-20 SunOS 5.9: /platform/sun4u/kernal/drv/su Patch
112998-04 SunOS 5.9: patch /usr/sbin/syslogd
114133-03 SunOS 5.9: mail Patch
119937-04 SunOS 5.9: unable to jumpstart client using DHCP boot
113459-05 SunOS 5.9: udp patch
118305-09 SunOS 5.9: tcp Patch
123761-04 SunOS 5.9: PCIE/Fire drivers Patch
123760-01 SunOS 5.9: platform driver Patch
120241-04 SunOS 5.9: bge patch
117067-05 SunOS 5.9: awk nawk oawk Patch
114564-10 SunOS 5.9: /usr/sbin/in.ftpd Patch
114014-13 SunOS 5.9: libxml, libxslt and Freeware man pages Patch
116340-06 SunOS 5.9: gzip and Freeware info files patch
113579-11 SunOS 5.9: ypserv/ypxfrd Patch
116669-23 SunOS 5.9: md Patch
112965-06 SunOS 5.9: patch /kernel/drv/sparcv9/eri
112838-12 SunOS 5.9: pcicfg Patch
116231-04 SunOS 5.9: llc2 patch
123366-01 SunOS 5.9: ldapaddent patch
113320-07 SunOS 5.9: patch se driver
114716-03 SunOS 5.9: usr/bin/rcp Patch
112928-04 SunOS 5.9: in.ndpd Patch
114684-07 SunOS 5.9: samba Patch
113575-08 SunOS 5.9: sendmail Patch
114006-02 SunOS 5.9: tftp Patch
119166-21 Sun Java System App Server Enterprise Ed 8.1 2005Q1, Solaris: SVR4 patch
114049-14 SunOS 5.9: Netscape Portable Runtime(4.1.4)/Network Security System(3.3.4)
119211-11 NSS_NSPR_JSS 3.11.4: NSPR 4.6.4 / NSS 3.11.4 / JSS 4.2.4
118666-10 J2SE 5.0: update 10 patch (5.0u10)
118667-10 J2SE 5.0: update 10 patch (5.0u10), 64bit
114636-04 SunOS 5.9: KCMS security fix
113042-16 SunOS 5.9: qlc driver patch
113041-13 SunOS 5.9: fcip driver patch
113039-17 SunOS 5.9: Sun StorEdge Traffic Manager patch
113040-21 SunOS 5.9: fctl/fp/fcp driver patch
117595-05 SunOS 5.9: Manual Page updates for Solaris 9
112661-11 SunOS 5.9: IIIM and X Input & Output Method patch
112771-34 Motif 1.2.7 and 2.1.1: Runtime library patch for Solaris 9
124215-01 CDE 1.5: dtterm patch
112807-18 CDE 1.5: dtlogin patch
112785-58 X11 6.6.1: Xsun patch
124830-01 X11 6.6.1: xdm patch
167#
Let me know if you need anything else.
Thanks,
Bill
# 5
Hello,
The *Patch source URL* which you are using on your patchsvr:
Patch source URL: https://getupdates.sun.com/solaris/
Is incorrect for the version of Solaris which it is running on. The "getupdates" site is used for SunUC clients for Solaris 10, or for Solaris 8 & 9 clients using Patch Manager 2.0 configured to use a Solaris 10 SunUC patchsvr.
As such please can you run the following command on your patchsvr:
patchsvr setup -p https://updateserver.sun.com/solaris/
Then run the following command on one of the client systems configured to use your LPS:
smpatch update
Regards,
# 6
That didn't make any difference:
176# smpatch update -i 113225-07
Installing patches from /var/sadm/spool...
WARNING: The installer cannot find the patch.
/var/sadm/spool/patchpro_dnld_2007.01.25@15:25:47:CST.txt has been moved to /var/sadm/spool/patchproSequester/patchpro_dnld_2007.01.25@15:25:47:CST.txt
177# patchsvr setup -l
Patch source URL: https://updateserver.sun.com/solaris/
Cache Location: /var/sadm/spool/patchsvr
Web proxy host name:
Web proxy port number: 8080
I even stopped and restarted the patch server to make sure it had picked up the change, but that didn't make any difference, either.
Thanks,
Bill
# 7
Hi. Are there any errors in the file: /var/patchsvr/logs/catalina.out or in the appropriately dated logs in the same directory on the patch server, which would indicate why the patches are disappearing from the download directory? Mod.
# 8
In catalina.out, I see this:
113225-07 cannot be validated.
Ahhh...in the localhost_log I find the smoking gun:
2007-01-25 15:58:22 Thu Jan 25 15:58:22 CST 2007(ERROR) => com.sun.patchpro.server.ServerPatchServiceProvider@3ef810 <=Failed to validate the digital signature(s). for: /var/sadm/spool/patchsvr/Patches/113225-07.jar.tmp: The specific Jar file is not signed by a known digital certificate. 113225-07/.diPatch CN=Enterprise Services Patch Management, O=Sun Microsystems Inc
2007-01-25 15:58:22 Thu Jan 25 15:58:22 CST 2007(DEBUG) => com.sun.patchpro.server.ServerPatchServiceProvider@3ef810 <=The downloader validation is done
2007-01-25 15:58:22 Thu Jan 25 15:58:22 CST 2007(DEBUG) => com.sun.patchpro.server.ServerPatchServiceProvider@3ef810 <=Added patch 113225-07 to the list. ErrString: Failed to validate the digital signature(s).
2007-01-25 15:58:22 Thu Jan 25 15:58:22 CST 2007(ERROR) => com.sun.patchpro.server.ServerPatchServiceProvider@3ef810 <=Failed to validate the digital signature(s).
I double-checked my certificate database, and the one I installed yesterday (the new Verisign cert) is the only one there:
19# pkgadm listcert
Enter Keystore Password:
Keystore Alias: /C=US/O=VeriSign, Inc./OU=Class 2 Public Primary Certification Authority - G2/O
Common Name: /C=US/O=VeriSign, Inc./OU=Class 2 Public Primary Certification Authority - G2/O
Certificate Type: Trusted Certificate
Issuer Common Name: /C=US/O=VeriSign, Inc./OU=Class 2 Public Primary Certification Authority - G2/O
Validity Dates: <May 18 00:00:00 1998 GMT> - <Aug 1 23:59:59 2028 GMT>
MD5 Fingerprint: 2D:BB:E5:25:D3:D1:65:82:3A:B7:0E:FA:E6:EB:E2:E1
SHA1 Fingerprint: B3:EA:C4:47:76:C9:C8:1C:EA:F2:9D:95:B6:CC:A0:08:1B:67:EC:9D
There is another post in this forum that talks about this, including a work-around:
http://forum.java.sun.com/thread.jspa?threadID=5108200&start=0
Unfortunately, that work-around is specifically targeted towards an lps that is running on Solaris 10, and I do not currently have any Solaris 10 systems that could act as an lps. I did try cleaning out all of the existing patches in /var/sadm/spool and /var/sadm/spool/patchsvr/Patches, and I also removed everything in /var/sadm/spool/cache and /var/sadm/spool/patchproSequester and then restarted the lps, but I saw the same result.
Is there a Solaris 9 lps work-around similar to the one described in the above Solaris 10 lps thread?
Thanks,
Bill
# 9
WOOHOO! I got it working!
Here's what I did: I ignored the part in that other thread that talked about installing the SWUP 1.0.8 Client update on the LPS as that only applies to Solaris 10 systems. I then made the web.xml change described in that post (in /var/patchsvr/solaris/WEB-INF/web.xml). So my patchsvr.security.patch.signingcert init-param now looks like this:
<init-param>
<param-name>patchsvr.security.patch.signingcert</param-name>
<param-value>patchsigning:patchsigning2</param-value>
</init-param>
After making this change, I stopped and restarted the lps, and now I see the behavior I expect:
73# smpatch update -i 113225-07
113225-07 has been validated.
Installing patches from /var/sadm/spool...
NOTICE: Patch 113225-07 cant be installed because its type is prohibited by policy.
/var/sadm/spool/patchpro_dnld_2007.01.26@08:58:32:CST.txt has been moved to /var/sadm/spool/patchproSequester/patchpro_dnld_2007.01.26@08:58:32:CST.txt
ID's of the patches that are disallowed by installation policy have been
written to file
/var/sadm/spool/disallowed_patch_list
Please use
smpatch add -x idlist=/var/sadm/spool/disallowed_patch_list
to install these patches.
Thanks for your help, and I hope this discussion helps anyone else that's running a Solaris 9 LPS.
Bill
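
The check below is an added example, not part of the original posts or of Sun's tooling: it pulls the rejected patch ID and signer DN out of the localhost_log lines quoted in post #8 and lists the signing-cert aliases configured in the web.xml fragment from post #9, so the signer being rejected can be compared with what the LPS trusts before the list is widened. The function names are hypothetical, and treating the param-value as a colon-separated alias list is an assumption based on the value shown in the post.

```shell
#!/bin/sh
# Added example (not from the thread): triage LPS patch-signature rejections.

# Sample localhost_log lines, copied from post #8 above.
sample_log() {
cat <<'EOF'
2007-01-25 15:58:22 Thu Jan 25 15:58:22 CST 2007(ERROR) => com.sun.patchpro.server.ServerPatchServiceProvider@3ef810 <=Failed to validate the digital signature(s). for: /var/sadm/spool/patchsvr/Patches/113225-07.jar.tmp: The specific Jar file is not signed by a known digital certificate. 113225-07/.diPatch CN=Enterprise Services Patch Management, O=Sun Microsystems Inc
2007-01-25 15:58:22 Thu Jan 25 15:58:22 CST 2007(DEBUG) => com.sun.patchpro.server.ServerPatchServiceProvider@3ef810 <=The downloader validation is done
2007-01-25 15:58:22 Thu Jan 25 15:58:22 CST 2007(ERROR) => com.sun.patchpro.server.ServerPatchServiceProvider@3ef810 <=Failed to validate the digital signature(s).
EOF
}

# Sample web.xml fragment, copied from post #9 above.
sample_webxml() {
cat <<'EOF'
<init-param>
<param-name>patchsvr.security.patch.signingcert</param-name>
<param-value>patchsigning:patchsigning2</param-value>
</init-param>
EOF
}

# stdin: localhost_log. stdout: "<patch-id>|<signer DN>" per rejected JAR, de-duplicated.
# Only ERROR lines that name the JAR ("for: <path>") carry both fields.
sig_failures() {
  sed -n 's#^.*(ERROR).*Failed to validate the digital signature(s)\. for: .*/\([0-9]\{6\}-[0-9]\{2\}\)\.jar[^:]*: .*/\.diPatch \(.*\)$#\1|\2#p' | sort -u
}

# stdin: web.xml. stdout: one configured signing-cert alias per line.
# Assumption: the param-value is a colon-separated alias list, as the posted value suggests.
signing_aliases() {
  awk '/<param-name>patchsvr\.security\.patch\.signingcert<\/param-name>/ { want = 1; next }
       want && /<param-value>/ {
           v = $0
           sub(/^.*<param-value>/, "", v); sub(/<\/param-value>.*$/, "", v)
           n = split(v, a, ":")
           for (i = 1; i <= n; i++) print a[i]
           want = 0
       }'
}

# Report: which signer was rejected, and which aliases the LPS currently accepts.
sample_log | sig_failures | while IFS='|' read -r patch signer; do
  echo "rejected: $patch signed by: $signer"
done
echo "configured aliases: $(sample_webxml | signing_aliases | tr '\n' ' ')"
```

On a real patch server, feed the functions the dated localhost_log file under /var/patchsvr/logs and /var/patchsvr/solaris/WEB-INF/web.xml on stdin in place of the embedded samples.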
