SA-200-S10
System Administration for the Oracle Solaris 10 OS Part 1

Managing Software Patches on the Solaris 10 OS
 

Oracle Documentation

Managing Software (Overview) from Solaris 10 System Administrator Collection, System Administration Guide: Basic Administration.

Patch Management Terms and Definitions.

Chapter 19 Managing Solaris Patches by Using the patchadd Command (Tasks).


www.oracle.com

My Oracle Support

My Oracle Support - Registration, Sign In, and Accessibility Options

My Oracle Support Welcome Center: about halfway down this page ("How Can I Transition") you will find links to training videos, including patch access.

My Oracle Support Access Information for Sun Customers and Partners

Oracle Enterprise Manager Ops Center.

Oracle Solaris 10 Recommended Patching Strategy, also available as a local PDF file.

Sun Patches and Updates Information Center (requires MOS access).

Oracle Technology Network Patching Center


BigAdmin:

Overview of Solaris Patch Types and Dependencies.

Patching Center

Patch Management Best Practices

Patching With Solaris Live Upgrade: Process Flowchart


Blogs:

Patch Corner, Solaris Critical Patch Updates (CPUs)

Patch Corner, Merging the Solaris Recommended and Sun Alert Patch Clusters

Patch Corner, Freeing up space in /var

Patch Corner, Patching Pre-flight Checks (ppc) tool now available

Patch Corner, Useful Oracle Sun patch download options, including metadata & READMEs

Dan Lacher's blog, Solaris Patch Return Codes.


Other:

PCA: Patch Check Advanced (pca) generates lists of installed and missing patches for Sun Solaris systems and optionally downloads patches. It resolves dependencies between patches and installs them in the correct order. It can be the only tool you ever need for patch management, be it on a single machine or a complete network. It is a single Perl script that needs neither compilation nor installation, and it does not need root permissions to run. It works on all versions of Solaris, both SPARC and x86.

Image Packaging System, used with Solaris 11 and OpenSolaris.


Signed Patches

The verification process requires the verifying entity to have the public key of the CA. Sun supplies a list of CA public keys, which are stored as Root CA certificates in the Java keystore file /usr/j2se/jre/lib/security/cacerts on the system. The following command lists the entries in that keystore. You must become the root user, or switch to a privileged role, to execute this command:

chaos:/> keytool -storepass changeit -list -keystore /usr/j2se/jre/lib/security/cacerts

Keystore type: jks
Keystore provider: SUN

Your keystore contains 36 entries

...
thawtepremiumserverca, Feb 12, 1999, trustedCertEntry,
Certificate fingerprint (MD5): 06:9F:69:79:16:66:90:02:1B:8C:8C:A2:C3:07:6F:3A
verisignclass2g2ca, Jun 15, 2004, trustedCertEntry,
Certificate fingerprint (MD5): 2D:BB:E5:25:D3:D1:65:82:3A:B7:0E:FA:E6:EB:E2:E1
gtecybertrustca, May 10, 2002, trustedCertEntry,
Certificate fingerprint (MD5): C4:D7:F0:B2:A3:C5:7D:61:67:F0:04:CD:43:D3:BA:58
...

Use the keytool utility to export the Root CA certificate from the Java keystore into a temporary file:

chaos:/> keytool -export -storepass changeit -alias verisignclass2g2ca -keystore /usr/j2se/jre/lib/security/cacerts -file /var/run/certstore

Add the certificate with the pkgadm command:

chaos:/> pkgadm addcert -t -f der /var/run/certstore

Here are the important bits of the output when adding signed patch 125418-01:

...

Patches that passed the dependency check:

125418-01

Patching global zone
Adding patches...

Verifying signed patch <125418-01>...
Enter keystore password:
Verifying digital signature for signer 
Digital signature for signer  verified.

Verifying contents of signed patch 
Contents of signed patch  verified.
Signature on signed patch <125418-01> has been verified.
Extracting patch contents...

Checking installed patches...
Verifying sufficient filesystem capacity (dry run method)...
Installing patch packages...

Patch 125418-01 has been successfully installed.

# jarsigner -verify -verbose -keystore /usr/j2se/jre/lib/security/cacerts /tmp/121118-05.jar

sm      6144 Mon Feb 06 08:48:38 MST 2006 121118-05/README.121118-05
sm        76 Mon Jan 23 16:40:50 MST 2006 121118-05/.diPatch
sm       549 Mon Jan 23 16:41:44 MST 2006 121118-05/SUNWupdatemgrr/pkgmap
sm       505 Mon Jan 23 16:41:44 MST 2006 121118-05/SUNWupdatemgrr/pkginfo
...
sm        29 Mon Jan 23 16:42:02 MST 2006 121118-05/mkpatch_info
sm     13272 Mon Sep 26 22:46:30 MDT 2005 121118-05/LEGAL_LICENSE.TXT
       14129 Mon Feb 06 08:53:42 MST 2006 META-INF/manifest.mf
       14237 Mon Feb 06 08:53:42 MST 2006 META-INF/es-signature.sf
        3820 Mon Feb 06 08:53:50 MST 2006 META-INF/es-signature.rsa

s = signature was verified
m = entry is listed in manifest
k = at least one certificate was found in keystore
i = at least one certificate was found in identity scope

jar verified.
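
The flag column in the jarsigner listing above can be checked mechanically. The script below is an added example, not part of the original course page; it fails when any payload entry lacks the s or m flag or when the closing "jar verified." line is missing, and it counts entries carrying k (none do in the listing above). The function names audit_jarsigner_output and page_sample and the summary format are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original page): audit jarsigner verbose output.

# Reads `jarsigner -verify -verbose` output on stdin. Prints findings and a
# summary line; returns 0 only if every payload entry carries both s and m
# and the closing "jar verified." line is present.
audit_jarsigner_output() {
    awk '
    {
        # Entry lines: [flags] size Dow Mon DD HH:MM:SS TZ YYYY path
        flags = ""; idx = 1
        if ($1 ~ /^[smki]+$/ && $2 ~ /^[0-9]+$/) { flags = $1; idx = 2 }
        if ($idx !~ /^[0-9]+$/ || NF < idx + 7) {
            if ($0 ~ /^jar verified\./) verified = 1
            next
        }
        path = $NF; up = toupper(path)
        # The manifest and signature files are not themselves signed entries.
        if (up == "META-INF/MANIFEST.MF") next
        if (up ~ /^META-INF\/[A-Z0-9_.-]*\.(SF|RSA|DSA)$/) next
        total++
        if (flags !~ /s/) { print "UNSIGNED " path; bad++ }
        if (flags !~ /m/) { print "NOT-IN-MANIFEST " path; bad++ }
        if (flags ~ /k/) keystore++
    }
    END {
        printf "entries=%d problems=%d keystore_matches=%d verified=%d\n",
               total, bad, keystore, verified
        exit ((bad == 0 && verified == 1 && total > 0) ? 0 : 1)
    }'
}

# Sample input: entry lines reused from the listing on this page.
page_sample() {
    cat <<'EOF'
sm      6144 Mon Feb 06 08:48:38 MST 2006 121118-05/README.121118-05
sm        76 Mon Jan 23 16:40:50 MST 2006 121118-05/.diPatch
sm     13272 Mon Sep 26 22:46:30 MDT 2005 121118-05/LEGAL_LICENSE.TXT
       14129 Mon Feb 06 08:53:42 MST 2006 META-INF/manifest.mf
       14237 Mon Feb 06 08:53:42 MST 2006 META-INF/es-signature.sf
        3820 Mon Feb 06 08:53:50 MST 2006 META-INF/es-signature.rsa

s = signature was verified
jar verified.
EOF
}

page_sample | audit_jarsigner_output
```

On a live system the same function can be fed directly from the jarsigner command shown above by piping its output into audit_jarsigner_output.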