Appendix A

Managing Signed Patches Without Solaris Patch Management Tools (Tasks)

This appendix provides step-by-step instructions for managing signed patches by using Java technology-based tools (Java tools) or Netscape technology-based tools (Netscape tools), instead of the Solaris patch management tools. See these sections:

For information about signed patches, see Chapter 1, Managing Signed Patches (Overview).

For information about how to manage signed patches with Solaris patch management tools, see Chapter 1, Managing Signed Patches (Overview) and Chapter 2, Managing Signed Patches by Using Solaris Patch Management Tools (Tasks).

Managing Signed Patches by Using Java or Netscape Tools

You can manage signed patches with either Java or Netscape security tools. You need the Java 1.3 version to verify signed patches. Java 1.3 is available from http://java.sun.com.

Managing Signed Patches by Using Java Tools (Task Map)

Perform these tasks in the order shown.

| Task | Description | For Instructions |
|---|---|---|
| 1. Download and install the SUNWcert package. | Download and install the SUNWcert package. For a list of download sites, see Sun Certificates That Verify Signed Patches. | How to Download the SUNWcert Package |
| 2. Import the Sun certificates. | Use the keytool command to import and accept the Sun certificates from the SUNWcert package. | How to Import the Sun Certificates With Java Tools |
| 3. (Optional) Change the keystore password. | Change the password to keep the keystore secure. | How to Change the Java Keystore Password |
| 4. Verify a signed patch. | Download a patch from SunSolve Online, and use the jarsigner command to verify the patch. | How to Verify a Signed Patch (jarsigner) |
| 5. Apply the verified signed patch. | Use the patchadd command to apply the verified signed patch. | How to Apply the Verified Signed Patch |

How to Download the SUNWcert Package

This procedure assumes that the SUNWcert package is located in the /tmp directory.

  1. Download the SUNWcert package from the following site:

    https://sunsolve.sun.com/SUNWcert

    For a list of additional sites, see Sun Certificates That Verify Signed Patches.

  2. Become superuser.

  3. Install the SUNWcert package.

    # cd /tmp
    # unzip SUNWcert.zip
    # pkgadd -d .

  4. Verify that the SUNWcert package is installed.

    # pkginfo -l SUNWcert

How to Import the Sun Certificates With Java Tools

Verify the signed patches that you want to install against the authenticated Sun certificates.

  1. Become superuser.

  2. Determine the fingerprints of your Sun Root certificate and Sun Class B certificate.

    For example, on a Solaris 8 system:

    # /usr/java1.3/bin/keytool -printcert \
    -file /etc/certs/SUNW/smirootcacert.b64
    # /usr/java1.3/bin/keytool -printcert -file /etc/certs/SUNW/smicacert.b64

  3. Verify that the output of these commands matches the Sun Root and Class B certificate fingerprints displayed at this site:

    https://www.sun.com/pki/ca

  4. Change to the /etc/certs/SUNW directory.

    # cd /etc/certs/SUNW

  5. Import the Class B certificate.

    For example, on a Solaris 8 system, type:

    # /usr/java1.3/bin/keytool -import -alias smicacert \
    -file smicacert.b64 -keystore /usr/java1.3/jre/lib/security/cacerts
    Enter keystore password:  changeit
    Owner: O=Sun Microsystems Inc, CN=Sun Microsystems Inc CA (Class B)
    Issuer: CN=Sun Microsystems Inc Root CA, O=Sun Microsystems Inc, C=US
    Serial number: 1000006
    Valid from: Mon Nov 13 12:23:10 MST 2000 until: Fri Nov 13 12:23:10 MST 2009
    Certificate fingerprints:
             MD5:  B4:1F:E1:0D:80:7D:B1:AB:15:5C:78:CB:C8:8F:CE:37
             SHA1: 1E:38:11:02:F0:5D:A3:27:5C:F9:6E:B1:1F:C4:79:95:E9:6E:D6:DF
    Trust this certificate? [no]:  yes
    Certificate was added to keystore

  6. Import the root certificate.

    # /usr/java1.3/bin/keytool -import -alias smirootcacert \
    -file smirootcacert.b64 -keystore /usr/java1.3/jre/lib/security/cacerts
    Enter keystore password:  changeit
    Owner: CN=Sun Microsystems Inc Root CA, O=Sun Microsystems Inc, C=US
    Issuer: CN=GTE CyberTrust Root, O=GTE Corporation, C=US
    Serial number: 40002ae
    Valid from: Wed Oct 16 09:45:00 MDT 2002 until: Sat Oct 16 17:59:00 MDT 2004
    Certificate fingerprints:
             MD5:  54:E3:D1:E4:79:B4:17:23:65:B4:F9:14:AD:C6:4A:FE
             SHA1: 90:F1:AB:87:AE:A0:4C:1F:AF:43:60:DE:5D:A8:0E:D8:CE:E7:06:AE
    Trust this certificate? [no]:  yes
    Certificate was added to keystore

How to Change the Java Keystore Password

  1. Become superuser.

  2. Change the keystore password.

    # /usr/java1.3/bin/keytool -storepasswd \
    -keystore /usr/java1.3/jre/lib/security/cacerts
    Enter keystore password:  changeit
    New keystore password:  new-password
    Re-enter new keystore password:  new-password

How to Verify a Signed Patch (jarsigner)

  1. Verify that the following prerequisites are met:

  2. Download a signed patch from the SunSolve Online site.

  3. Verify the signed patch, for example:

    # /usr/java1.3/bin/jarsigner -verify -verbose -keystore \
    /usr/java1.3/jre/lib/security/cacerts /patchdb/100103-12.jar
    smk     2149 Tue Sep 25 15:47:20 MDT 2001 100103-12/README
    smk    18553 Tue Sep 25 15:47:20 MDT 2001 100103-12/4.1secure.sh
             385 Tue Sep 25 15:47:20 MDT 2001 META-INF/manifest.mf
             493 Tue Sep 25 15:47:20 MDT 2001 META-INF/zigbert.sf
            3819 Tue Sep 25 15:47:20 MDT 2001 META-INF/zigbert.rsa
    
      s = signature was verified 
      m = entry is listed in manifest
      k = at least one certificate was found in keystore
      i = at least one certificate was found in identity scope
    
    jar verified.
    # 

    Make sure that you see the smk entries in the output to confirm that the patch signature is verified. Otherwise, the patch verification has failed, even if you see the jar verified message.
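
    The smk check described above can be scripted. The following is an added example, not part of the original Sun documentation: a shell function that parses jarsigner -verify -verbose output and fails unless every patch file carries the s, m, and k flags, whether or not the jar verified message appears. The names check_smk, sample_good, and sample_bad are hypothetical, the second sample is constructed, and entry names are assumed to contain no spaces.

```sh
# Added example. Reads `jarsigner -verify -verbose` output on stdin and succeeds
# only if "jar verified." was printed AND every payload entry is flagged s, m, k.
check_smk() {
    awk '
        /^jar verified\./ { verified = 1; next }
        {
            # Entry line: [flags] size Day Mon DD HH:MM:SS TZ YYYY name
            if ($1 ~ /^[smki]+$/ && $2 ~ /^[0-9]+$/) { flags = $1 }
            else if ($1 ~ /^[0-9]+$/ && NF >= 8)     { flags = "" }
            else                                     { next }  # legend, blank, prompt
            name = $NF                    # assumption: no spaces in entry names
            # Assumption: signature files under META-INF/ and directory
            # entries are not themselves signed, so they are skipped.
            if (tolower(name) ~ /^meta-inf\// || name ~ /\/$/) next
            total++
            if (flags !~ /s/ || flags !~ /m/ || flags !~ /k/) {
                printf "NOT VERIFIED (flags \"%s\"): %s\n", flags, name
                bad++
            }
        }
        END {
            if (!verified)  print "no \"jar verified.\" line"
            if (total == 0) print "no payload entries listed"
            if (verified && total > 0 && bad == 0) exit 0
            exit 1
        }
    '
}

# Sample 1: entry lines as shown on this page for 100103-12.jar.
sample_good() { cat <<'EOF'
smk     2149 Tue Sep 25 15:47:20 MDT 2001 100103-12/README
smk    18553 Tue Sep 25 15:47:20 MDT 2001 100103-12/4.1secure.sh
         385 Tue Sep 25 15:47:20 MDT 2001 META-INF/manifest.mf
jar verified.
EOF
}
# Sample 2 (constructed): one entry lacks k, one has no flags at all.
sample_bad() { cat <<'EOF'
sm      2149 Tue Sep 25 15:47:20 MDT 2001 100103-12/README
       18553 Tue Sep 25 15:47:20 MDT 2001 100103-12/4.1secure.sh
         385 Tue Sep 25 15:47:20 MDT 2001 META-INF/manifest.mf
jar verified.
EOF
}

sample_good | check_smk && echo "page sample: accepted"
sample_bad  | check_smk || echo "constructed sample: rejected"
```

    To use it on a real patch, pipe the jarsigner command from step 3 into check_smk and proceed to patchadd only when it exits with status 0.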
