Managing Solaris Patches by Using the patchadd Command (Task Map)
How to Import a Trusted Certificate to Your Package Keystore
To apply signed patches to your system by using the patchadd command, you must
add Sun's Root CA certificate, at the very least, to verify the
signature of your signed patch. You can import this certificate from the Java
keystore to the package keystore.
- Become superuser or assume an equivalent role.
- If you are using the patchadd command to install signed patches, add the
new trusted Verisign certificate to the keystore.
- Download the Class 2 Public Primary Certification Authority - G2 trusted Verisign certificate
from https://www.sun.com/pki/certs/ca/.
The Subject Name of this certificate is:
C=US, O=VeriSign, Inc., OU=Class 2 Public Primary Certification
Authority - G2, OU=(c) 1998 VeriSign, Inc. - For authorized use only,
OU=VeriSign Trust Network
- Select the binary format (DER encoded).
- Copy the certificate to the file, /tmp/root.crt.
Note - In the event you are unable to download the trusted Verisign certificate, see
Exporting the Root CA Certificate From the Java Keystore for alternate instructions.
- Import the Root CA certificate from the temporary file to the package keystore.
Unless changed by the system administrator, the default Java keystore password is changeit.
For example:
# pkgadm addcert -t -f der /tmp/root.crt
Keystore Alias: /C=US/O=VeriSign, Inc./OU=Class 2 Public Primary Certification Authority - G2/O
Common Name: /C=US/O=VeriSign, Inc./OU=Class 2 Public Primary Certification Authority - G2/O
Certificate Type: Trusted Certificate
Issuer Common Name: /C=US/O=VeriSign, Inc./OU=Class 2 Public Primary Certification Authority - G2/O
Validity Dates: <May 18 00:00:00 1998 GMT> - <Aug 1 23:59:59 2028 GMT>
MD5 Fingerprint: 2D:BB:E5:25:D3:D1:65:82:3A:B7:0E:FA:E6:EB:E2:E1
SHA1 Fingerprint: B3:EA:C4:47:76:C9:C8:1C:EA:F2:9D:95:B6:CC:A0:08:1B:67:EC:9D
Are you sure you want to trust this certificate? yes
Trusting certificate </C=US/O=VeriSign, Inc./OU=Class 2 Public Primary Certification Authority - G2/O>
Type a Keystore protection Password. changeit
Press ENTER for no protection password (not recommended):
For Verification: Type a Keystore protection Password.
Press ENTER for no protection password (not recommended):
Certificate(s) from </tmp/root.crt> are now trusted
- -t
Indicates that the certificate is a trusted CA certificate. The command output includes the certificate details, which you are asked to verify.
- -f format
Specifies the format of the certificate or private key. When importing a certificate, it must be encoded using either the PEM (pem) or binary DER (der) format.
- certfile
Specifies the file that contains the certificate.
- Display the certificate information.
# pkgadm listcert
Enter Keystore Password: storepass
Keystore Alias: /C=US/O=VeriSign, Inc./OU=Class 2 Public Primary Certification Authority - G2/O
Common Name: /C=US/O=VeriSign, Inc./OU=Class 2 Public Primary Certification Authority - G2/O
Certificate Type: Trusted Certificate
Issuer Common Name: /C=US/O=VeriSign, Inc./OU=Class 2 Public Primary Certification Authority - G2/O
Validity Dates: <May 18 00:00:00 1998 GMT> - <Aug 1 23:59:59 2028 GMT>
MD5 Fingerprint: 2D:BB:E5:25:D3:D1:65:82:3A:B7:0E:FA:E6:EB:E2:E1
SHA1 Fingerprint: B3:EA:C4:47:76:C9:C8:1C:EA:F2:9D:95:B6:CC:A0:08:1B:67:EC:9D
- Remove the temporary file.
# rm /tmp/root.crt
Exporting the Root CA Certificate From the Java Keystore
If you are unable to download the trusted Verisign certificate from https://www.sun.com/pki/certs/ca/,
as described in Step 2 of How to Import a Trusted Certificate to Your Package Keystore, you can export the Root CA
certificate from the Java keystore to a temporary file.
For example:
# keytool -export -storepass changeit -alias verisignclass2g2ca \ -keystore /usr/java/jre/lib/security/cacerts -file /tmp/root.crt
Certificate stored in file </tmp/root.crt>
- -export
Exports the trusted certificate.
- -storepass storepass
Specifies the password that protects the integrity of the Java keystore.
- -alias verisignclass2g2ca
Identifies the alias of the trusted certificate.
- -keystore certfile
Specifies the name and location of the keystore file.
- -file filename
Identifies the file in which to hold the exported certificate.
You are now ready to import the Root CA certificate from the
temporary file to the package keystore. See the remaining steps in the section,
How to Import a Trusted Certificate to Your Package Keystore, for instructions.
How to Specify a Web Proxy
If your system is behind a firewall with a web proxy, you
must specify the web proxy to use patchadd to apply a patch.
- Become superuser or assume an equivalent role.
- Use one of the following methods to specify a web proxy:
Specify the web proxy by using the http_proxy, HTTPPROXY, or HTTPPROXYPORT environment variable.
For example:
# setenv http_proxy https://mycache.domain:8080
Or, specify one of the following:
# setenv HTTPPROXY mycache.domain
# setenv HTTPPROXYPORT 8080
Specify the web proxy on the patchadd command line.
For example:
# patchadd -x mycache.domain:8080 \ -M https://www.sun.com/solaris/patches/latest 101223-02 102323-02
Restrictions on Using patchadd -R to Create an Alternate root Path
On systems that are running a Solaris release that is not zones
aware, using the patchadd command, or any command that accepts the -R option to
specify an alternate root path for a global zone that has non-global zones
installed, does not work.
You can use of the -R option to add and remove software packages
and patches, if the alternate boot environment has configured non-global zones, but no
installed non-global zones.
To avoid a potential problem, restrict the use of the -R option for
the creation of an alternate root path.
If you are running this Solaris release, you can alternately choose one of
the following methods:
If you are running the Solaris 10 OS, you can alternately choose
one of the following methods:
Upgrade any systems that are not running at least the Solaris 10 1/06 OS to the Solaris 10 1/06 release.
If you are running the Solaris 10 initial 3/05 release, you can install the following patch to enable the use of commands that accept the -R option for creation of an alternate root path.
Boot an alternate root, for example the Solaris 10 release, as the active OS. You can then install and uninstall packages and patches without using the -R option.
For more information, see the patchadd(1M), patchrm(1M), pkgadd(1M), and pkgrm(1M) man pages.
How to Download and Apply a Solaris Patch
Use this procedure to download either a signed or an unsigned Solaris patch and then
apply it to your system.
If you want to apply signed patches, you must first set up
the package keystore.
- Gain access to the system in one of the following ways:
- Log in to the system where you want to apply the patch.
- Download the patch and use the ftp command to copy the patch to
the target system.
- Start a web browser and go to the SunSolve Online Patch Portal at
https://sunsolve.Sun.COM.
- Determine whether to download a specific patch or a patch cluster, then do
one of the following:
- Type the patch number (patch-id) in the Find Patch search field, then click
Find Patch.
Entering patch-id downloads the latest patch revision.
If this patch is freely available, the patch README appears. If this patch
is not freely available, an ACCESS DENIED message appears.
Note that patch numbers for SPARC based and x86 based systems are
different. The patch IDs are listed in the patch README. Ensure that you apply the
patch that matches your system architecture.
- Select the Recommended Patch Cluster that matches the Solaris release that is running
on the system that you want to patch.
- Download the patch by following these instructions:
- To download a copy of the signed patch, click the Download Signed Patch
(n bytes) button.
- To download an unsigned patch, click the Download Patch (n bytes) button.
When the patch or patches are successfully downloaded, close the web browser.
- Change to the directory that contains the downloaded patch.
- Become superuser or assume an equivalent role.
- (Unsigned patch) If you downloaded an unsigned patch, unzip the patch.
# unzip patch-id
- Apply the signed or unsigned patch.
If you downloaded a signed patch, apply it.
For example:
# patchadd /tmp/111879-01.jar
If you downloaded an unsigned patch, apply it.
For example:
# patchadd /tmp/111879-01
- Verify that the patch has been successfully applied.
For example:
# patchadd -p | grep 111879
Patch: 111879-01 Obsoletes: Requires: Incompatibles: Packages: SUNWwsr
How to Display Information About Solaris Patches
Before applying patches, you might want to know more about patches that have
been previously applied.
The following commands provide useful information about patches that are already applied to
a system.
patchadd -p or showrev -p
Shows all patches that have been applied to the system.
pkgparam pkgid PATCHLIST
Shows all patches that have been applied to the package identified by pkgid, for example, SUNWadmap.
patchadd -S Solaris-OS -p
Shows all the /usr patches that have been applied to an OS server.
- Use one of the following patchadd command lines to display information about patches
that have been applied to your system.
To obtain information about all patches that have been applied to your system, type:
$ patchadd -p
To verify whether a particular patch has been applied to your system, type, for example:
$ patchadd -p | grep 111879
How to Remove a Solaris Patch by Using the patchrm Command
- Become superuser.
- Remove the patch.
# patchrm 111879-01
Checking installed patches...
Backing out patch 111879-01...
Patch 111879-01 has been backed out.
- Verify that the patch was removed.
# patchadd -p | grep 111879
#