12.4 Obtaining Patches

   

There are five principal sources for obtaining patches:

  • IT Resource Center

  • Support Plus Media

  • HP online Software Depot

  • Local Response Center

  • HP-assigned Support Representative

12.4.1 ITRC

The IT Resource Center can be found at http://itrc.hp.com. For Hewlett-Packard customers, the Patch Database is the primary mechanism for searching for and acquiring patches. Listed within the IT Resource Center as the Individual Patches selection of the Maintenance and Support area, it provides support for all operating systems and hardware. We can Retrieve a Specific Patch if we know the actual patch handle we are looking for, or under HP-UX patches, we can search using keywords for any known problems that may be fixed by a patch.

Before using the ITRC, you will have to register to obtain an ITRC User ID. This is free of charge and involves giving some personal details to HP. This information is kept in confidence and is used to configure and tune the ITRC to your personal preferences. You can link a current HP Support Contract to your ITRC User ID, which gives you access to advanced features of the ITRC that are otherwise locked for a standard User ID. The functions available to you depend on the Support Contract you have purchased: some services require a support agreement, which can also be purchased online.

12.4.1.1 ITRC: CUSTOM PATCH MANAGER

The tool available via the ITRC Web site that relates to proactive patching is Custom Patch Manager (CPM). First things first: CPM requires you to have the service enabled via a suitable Warranty or Support Agreement.

Once you're logged in to the ITRC, clicking on the link near the top of the page titled Maintenance and Support (hp products) takes you to a screen with a section titled Patching. CPM can be found in that section.

CPM is a configuration-based patching tool. This means it will generate a list of patches for a given system based on its current configuration. Essentially, the process looks something like this:

  • Download cpm.collect.sh from ITRC.

    - There is also a depot_collect.sh script now available whereby you can analyze an existing software depot. The resulting Candidate Patch List will be applicable to that software depot. The resulting file to upload to the ITRC will be called <hostname>.dp.

  • Run cpm.collect.sh on your local host.

  • Upload the resulting <hostname>.fs file to ITRC.

  • Perform patch analysis on ITRC.

  • Create patch bundle on ITRC.

  • Download <hostname>.sh from ITRC.

  • Unshar <hostname>.sh on local host.

  • Run get_patches to retrieve patch bundle from ITRC.

There are a couple of gotchas relating to CPM:

  • Once you have uploaded the resulting <hostname>.fs configuration file and performed Patch Analysis, CPM generates a Candidate Patch List. The Candidate Patch List is in no way a recommended list of patches to be loaded onto a system; it is purely a list of patches that, in some way, affect a product or fileset currently loaded on your system. This can lead to a situation where a patch is included in the Candidate Patch List for a product that you do not have loaded: typically an individual fileset that shipped with the original product, and has subsequently been patched, is present on your system and has caused CPM to include the patch. The lesson to be learned here is that the Candidate Patch List is a starting point for selecting patches to be loaded onto a system. CPM can be used to provide the list of patches to be loaded into a patch depot. From there, it is the administrator's job to analyze which patches actually affect each system. A common tool to help in this situation is the -x patch_match_target=true option to swinstall, which selects from the depot only those patches that correspond to software already installed on the target.

  • The other consideration for CPM is that, currently, the tools must be run on an HP-UX machine. The scripts are ksh scripts and will not work on a PC. The machine on which the get_patches script is run needs ftp access to the Internet in order to download the patches listed in the Candidate Patch List.

If you browse through the CPM pages, there are clear and precise details of the process. The resulting patch bundles are useful in patching individual systems and setting up a patch depot.
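The hand-off from a list of downloaded patches to a depot, and from the depot to a system, is the same whether the patches came from CPM's get_patches or were fetched from the ITRC by hand, so here it is as a script. This is an added example, not code from the book or from HP's CPM scripts. It assumes the ITRC patch archive naming (each patch is a shell archive named after its handle, which unpacks to <handle>.depot and <handle>.text); the depot path /var/depots/patches and the function names are my own choices. By default it prints the SD-UX commands rather than running them, so it can be read and tried anywhere.

```shell
#!/bin/sh
# Added example, not from the book or from HP's CPM scripts: stage the patches
# an ITRC tool (CPM's get_patches, or a manual download) left in a directory
# into one patch depot, then let SD-UX pick the ones that apply to this host.
# Assumed naming: each patch arrives as a shell archive named after its handle
# (PHCO_25918); running it with sh unpacks PHCO_25918.depot and PHCO_25918.text.
# DRY_RUN=1 (the default) prints the commands instead of executing them, so
# this runs anywhere; on the HP-UX target export DRY_RUN=0 and run as root.
# Directory and function names are mine, not HP conventions.

DRY_RUN=${DRY_RUN:-1}

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Unpack every patch archive in DOWNLOAD_DIR and copy its depot into DEPOT.
# The .text readme stays beside the archive; read it for the patch's own
# reboot and dependency notes before the install window.
stage_patches() {
    dest=$2
    ( cd "$1" || exit 1
      for f in PH[A-Z][A-Z]_[0-9]*; do
          case "$f" in *.depot|*.text) continue ;; esac   # skip unpacked output
          [ -f "$f" ] || continue                         # no match: glob left as-is
          run sh "$f"
          run swcopy -s "$PWD/$f.depot" \* @ "$dest"
      done )
}

# Install from DEPOT only the patches that match software already on the
# target (patch_match_target=true, the option the text above points to for
# narrowing a Candidate Patch List). autoreboot=true lets patches that need
# a reboot complete, so schedule this in a maintenance window.
install_matching() {
    run swinstall -s "$1" -x patch_match_target=true -x autoreboot=true
}

# Usage: sh stage_patches.sh DOWNLOAD_DIR DEPOT
if [ $# -eq 2 ]; then
    stage_patches "$1" "$2"
    run swlist -d @ "$2"            # show what the depot now holds
    install_matching "$2"
fi
```

With DRY_RUN=1 the output is the exact command sequence that would run on the target, which is also a convenient thing to paste into a change record before the window.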

There is another part of CPM that may prove useful: Custom Patch Notification. You receive regular (weekly, by default) emails of all new patches uploaded to the ITRC. In this way, you can keep up to date with what new patches are available.

12.4.2 Support Plus Media

HP-UX Support Plus CD/DVD-ROMs deliver diagnostics and HP-UX system patches. This software enables new hardware and fixes known defects. In some cases, a patch may deliver new software functionality. Support Plus replaces the Extension Software and Independent Product Release (IPR) products. Support Plus contains diagnostic tools and tested General Release, Quality Pack, and Hardware Enablement patch bundles. Support Plus does not create a new HP-UX release; existing HP-UX releases are updated by a dedicated version of the Support Plus media. Currently, Support Plus versions are available for HP-UX versions 11.00 and 11i. As well as being delivered on CD/DVD-ROM, the patch bundles can be accessed via http://software.hp.com/SUPPORT_PLUS.

The Bundle Matrix: A variety of patch bundles are provided on each Support Plus CD. They may be installed directly to a system or used as the basis of a custom patch bundle. The Bundle Matrix (shown below) lists the HP-recommended usage and description of each bundle.

Please note that the bundles listed in the following table are supported on HP-UX workstations or servers running HP-UX 11i.

12.4.2.1 THE BUNDLE MATRIX

Diagnostics: Including Support Tool Manager (STM) for online diagnostics, ODE (offline diagnostics), EMS hardware monitors, EMS Kernel Resource Monitor, and the Instant Capacity on Demand (iCOD) client product.

Gold Base depot: Including the Gold Base patch bundle, which contains defect fixes for core OS files.

Gold Applications patch bundle: Including defect fixes for the operating environment applications.

Hardware enablement patch bundle: Required for new systems and add-on hardware.

The Gold Quality Pack depot: Including those patches recommended by HP Support, HP application groups, and key third-party application providers. Bundles in this depot are subjected to stringent levels of testing to assure a high level of reliability and are updated every six months.

HP Instant Support Enterprise Edition: A support solution that enables delivery of HP remote support services over the Internet. HP ISEE provides continuous hardware event monitoring and automated notification to identify potential problems during Support Contract delivery hours. HP ISEE is available to customers in two configurations depending on your level of support:

Standard: For customers with HP hardware support onsite with four-hour response time or higher level support.

Advanced: Customers with any of the following support levels qualify for the HP ISEE Advanced Configuration remote support solution:

  • Mission critical partnership

  • Critical service

  • Proactive service for networks

  • Business continuity support

  • Critical system support

  • Critical service for SANs

  • Network availability monitoring

  • Network environment services

  • Open network environment support

If you require more information regarding HP ISEE, I suggest that you contact your local HP representative, because the Support marketplace is an ever-changing landscape.

NOTE: If you have used Support Plus on HP-UX 11.00, the Gold bundles replace the Quality Pack and GR bundles, combining the best features of both.

Table 12-1 will help you decide which bundles to install.

Table 12-1. Support Plus Bundles

  If you want to:                                  You should install:                                Updated:
  ----------------------------------------------   ------------------------------------------------   ----------------
  Update or install diagnostics and hardware       Diagnostics bundle: OnlineDiag                     Quarterly
  monitors required for supported hardware

  Install defect fixes for the core OS or the      Gold Base bundle: GOLDBASE11i                      Every six months
  network or graphics drivers included on the OE

  Install defect fixes for HP-UX OE application    Gold Applications bundle: GOLDAPPS11i              Every six months
  software

  Enable new hardware or add-on hardware           Hardware Enablement bundle: HWEnable11i            Quarterly

  Prepare your server to use new iCOD              iCOD Client Product (from the OnlineDiag depot,    As needed
  functionality                                    B9073AA bundle)

The GOLDQPK11i depot contains the GOLDAPPS11i and GOLDBASE11i bundles.

If your Support Contract is current, you will be offered Support Plus media that includes these bundles and products. However, because everything on the Support Plus CD/DVD is also available at http://software.hp.com/SUPPORTPLUS, you can download all the software contained on Support Plus free of charge and without a Support Contract.

12.4.3 Support Plus CD-ROM Layout

Support Plus is structured as a multiple depot CD/DVD-ROM. To support this functionality, depots are provided within subdirectories. No software is delivered at the CD/DVD top-level directory. When accessing these depots via the interactive versions of swinstall or swcopy on the system hosting the mounted CD/DVD, the source depot type is local directory, not local CD/DVD-ROM.

HP-UX patch management (PDF): A version of this document appropriate to the release of HP-UX is present in the top directory on the CD/DVD. PDF files can be read or printed with the Adobe Acrobat viewer. Viewers for HP-UX and other platforms are available from the Adobe Web site at http://www.adobe.com/prodindex/acrobat/readstep.html.

Support Plus users guide (PDF): A brief, printed users manual is provided within the Support Plus CD/DVD packaging. This guide is also provided in the root directory of the CD/DVD in PDF format.

Patch bundle depots: Each patch bundle described in the Bundle Matrix is delivered within a top-level subdirectory that is given the same name as the bundle it contains. These depots, and not the CD/DVD mount point, should be used as the source for all swinstall or swcopy sessions.

Patch bundle readme files (text): Each bundle has its own .readme file (for example, /cdrom/XSWGR1100.readme). This file contains additional installation instructions, notes about problems in previous releases, a list of patches and their dependencies, changes since the last release, and a listing of disk space usage.

One exception is the documentation for the diagnostics bundle. This is found under the DIAGNOSTICS subdirectory.

Diagnostics directory: Diagnostics provided include Support Tool Manager (STM) for online diagnostics, ODE (offline diagnostics), EMS hardware monitors, Predictive Support (S800 only), and EMS Kernel Resource Monitor. Depots and documentation for all these products are found in the DIAGNOSTICS subdirectory.

12.4.4 HP online Software Depot

HP's online Software Depot can be found at http://software.hp.com. It contains a myriad of new and updated products, many available as free downloads. As an example, IPv6 was not available for the initial release of HP-UX 11i. If you navigate to http://software.hp.com and then to Internet Ready and Networking, you will find IPv6 available as part of the Transport Optional Upgrade Release (TOUR). This is a convenient and free way for HP to keep its customers' HP-UX 11i implementations up to date with the latest technical developments.

While a large proportion of the software at the Software Depot is free to download, you will notice that some products are licensed and can be purchased online.

12.4.4.1 SECURITY PATCH CHECK

A patching tool worth considering that is available free from the online Software Depot is known as security_patch_check.

security_patch_check is a Perl script that runs on HP-UX 11.X systems. security_patch_check performs an analysis of the filesets and patches installed on an HP-UX machine, and generates a listing (report) of recommended security patches. In order to determine which patches are missing from a system, security_patch_check must have access to a listing, or catalog, of security-related patches.

Since new security patches can be released at any time, security_patch_check depends on a patch catalog stored on an HP server. This catalog is updated nightly. To help automate the process of checking for security patches missing from a system, security_patch_check is able to download the most recently generated catalog from an HP FTP site. It does this by using the LWP Perl module. The LWP module can operate through a firewall. Refer to the man page for security_patch_check for more information.

Once security_patch_check has access to a security patch catalog, it will create a list of the patches that are both applicable and not installed. Note that although the security patch catalog contains the most recent and highest rated patches, security_patch_check will recommend a patch only if it addresses a security problem not already addressed by an installed patch.

Installing the patches that security_patch_check recommends addresses only those vulnerabilities that are closed by patches. The security bulletins and advisories from HP sometimes contain other actions (manual steps) to close vulnerabilities. Thus, each advisory from the archive of previously released security advisories that applies to the platform being analyzed must be examined to determine whether any manual steps are required. This archive is available at http://itrc.hp.com/cki/bin/doc.pl/screen=ckiSecurityBulletin.

The process for obtaining and using security_patch_check can be summarized as follows:

  • Because security_patch_check is a Perl script, we need to have, as a minimum, Perl 5.005. The latest version of Perl is available for download from http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=PERL.

  • Download and install the security_patch_check Software Distributor depot from http://software.hp.com. Navigate via Security and Manageability, then Security Patch Check (the depot file is currently named B6834AA.depot). The install is a normal swinstall from the downloaded depot:

 

    root@hpeos003[] swinstall -s /tmp/B6834AA.depot \*

    =======  09/27/03 07:29:05 BST  BEGIN swinstall SESSION
             (non-interactive) (jobid=hpeos003-0040)

           * Session started for user "root@hpeos003".

           * Beginning Selection
           * Target connection succeeded for "hpeos003:/".
           * Source:                 /tmp/B6834AA.depot
           * Targets:                hpeos003:/
           * Software selections:
                 B6834AA,r=B.01.01,a=HP-UX_B.11.00_32/64,v=HP
                 SecPatchChk.PATCH-CHK,r=B.01.01,a=HP-UX_B.11.00_32/64,v=HP,fr=B.01.01,fa=HP-UX_B.11.00_32/64
           * Selection succeeded.

           * Beginning Analysis and Execution
           * Session selections have been saved in the file
             "/.sw/sessions/swinstall.last".
           * The analysis phase succeeded for "hpeos003:/".
    WARNING: "hpeos003:/":  1 configure or unconfigure scripts had
             warnings.
           * Analysis and Execution succeeded.

    NOTE:    More information may be found in the agent logfile using the
             command "swjob -a log hpeos003-0040 @ hpeos003:/".

    =======  09/27/03 07:29:19 BST  END swinstall SESSION (non-interactive)
             (jobid=hpeos003-0040)

    root@hpeos003[]

  • Set up FTP proxy access if you reach the Internet through a proxy server. security_patch_check's catalog download (via the LWP Perl module) picks the proxy up from the ftp_proxy environment variable, given as host:port:

     # export ftp_proxy=<proxyhost>:<port>

    e.g.

     # export ftp_proxy=web-proxy.uksr.hp.com:8088

  • Download the most recent security patch catalog to the current working directory using anonymous ftp from ftp://ftp.itrc.hp.com/export/patches/security_catalog.

    The security patch catalog is updated nightly, hence your current copy may become out of date quickly. Having security_patch_check download the catalog directly avoids this issue (see the man page for the -r option to security_patch_check).

  • Once the security patch catalog is in place, you can commence running the tool (/opt/sec_mgmt/spc/bin/security_patch_check). If you haven't downloaded the security patch catalog, you can run security_patch_check with the -r option, which downloads the current security patch catalog and then generates a patch report.

    The report generated reflects HP's recommended patches based on your currently loaded software and patches compared against your current security patch catalog. This list of patches should be downloaded from the ITRC and installed at the earliest convenience. As a depot administrator, you may also consider adding these patches to your patch depot, making them available to other machines on the network. Here is a report generated on one of my systems:

    root@hpeos003[] ll security_catalog
    -rw-rw-rw-   1 root       sys        1624412 Sep 27 07:40 security_catalog
    root@hpeos003[] /opt/sec_mgmt/spc/bin/security_patch_check
    WARNING: There are group- and world-writable directories in your path
             to perl and/or your PATH environment variable.  This represents a
             security vulnerability (especially if running as root) that may
             compromise the effective use of this tool.  Please use the command:
             chmod og-w <directory name>
             to ensure this tool can be used safely in the future.  A list of the
             vulnerable directories follows:
                /usr/local
                /usr/local/bin
    WARNING: ./security_catalog is group or world writable.
    WARNING: Recalled patch PHCO_24287 is active on the target system. Its record,
             including the Warn field, is available from ./security_catalog,
             through the Patch Database area of the ITRC or by using the -m flag
             (security_patch_check -m ...).
    WARNING: Recalled patch PHKL_23946 is active on the target system. Its record,
             including the Warn field, is available from ./security_catalog,
             through the Patch Database area of the ITRC or by using the -m flag
             (security_patch_check -m ...).
    WARNING: Recalled patch PHKL_25165 is active on the target system. Its record,
             including the Warn field, is available from ./security_catalog,
             through the Patch Database area of the ITRC or by using the -m flag
             (security_patch_check -m ...).
    WARNING: Recalled patch PHKL_25389 is active on the target system. Its record,
             including the Warn field, is available from ./security_catalog,
             through the Patch Database area of the ITRC or by using the -m flag
             (security_patch_check -m ...).
    WARNING: Recalled patch PHNE_25627 is active on the target system. Its record,
             including the Warn field, is available from ./security_catalog,
             through the Patch Database area of the ITRC or by using the -m flag
             (security_patch_check -m ...).
    WARNING: Recalled patch PHSS_24106 is active on the target system. Its record,
             including the Warn field, is available from ./security_catalog,
             through the Patch Database area of the ITRC or by using the -m flag
             (security_patch_check -m ...).
    WARNING: Recalled patch PHSS_24261 is active on the target system. Its record,
             including the Warn field, is available from ./security_catalog,
             through the Patch Database area of the ITRC or by using the -m flag
             (security_patch_check -m ...).

    *** BEGINNING OF SECURITY PATCH CHECK REPORT ***
    Report generated by: /opt/sec_mgmt/spc/bin/security_patch_check.pl, run as root
    Analyzed localhost (HP-UX 11.11) from hpeos003
    Security catalog: ./security_catalog
    Security catalog created on: Sat Sep 27 02:28:44 2003
    Time of analysis: Sat Sep 27 07:43:49 2003

    List of recommended patches for most secure system:

    #  Recommended  Bull(s) Spec? Reboot? PDep? Description
    --------------------------------------------------------------------------------
    1  PHCO_25918   237     No    No      No    sort(1) cumulative
    2  PHCO_26561   275     No    No      No    csh(1) cumulative
    3  PHCO_27019   275     No    No      No    ksh(1)
    4  PHCO_27345   275     No    No      Yes   cumulative sh-posix(1)
    5  PHCO_28259   213     Yes   No      No    lpspool subsystem cumulative
    6  PHCO_28719   258     No    No      No    wall(1M)
    7  PHKL_27179   206     No    Yes     No    Corrected reference to thread register state
    8  PHKL_28267   183     No    Yes     No    thread perf, user limit, cumulative VM
    9  PHNE_24512   232     Yes   No      No    NTP timeservices upgrade plus utilities
    10 PHNE_27703   271     No    Yes     Yes   Cumulative STREAMS
    11 PHNE_27796   209     Yes   No      Yes   libnss_dns DNS backend
    12 PHNE_28103   215 242 Yes   Yes     Yes   ONC/NFS General Release/Performance
    13 PHNE_28444   270     No    Yes     No    nettl(1M), netfmt(1M) and nettladm(1M)
    14 PHNE_28450   209 233 No    No      No    Bind 8.1.2
    15 PHNE_28810   246 253 Yes   No      No    sendmail(1m) 8.9.3
    16 PHSS_27858   208     Yes   No      No    OV EMANATE14.2 Agent Consolidated
    17 PHSS_28386   196     Yes   No      Yes   HP DCE/9000 1.8 DCE Client IPv6
    18 PHSS_28470   228     No    No      No    X Font Server
    19 PHSS_28676   263     Yes   No      No    CDE Base Periodic
    20 PHSS_28677   263     Yes   No      Yes   CDE Applications Periodic
    --------------------------------------------------------------------------------
    *** END OF REPORT ***

    NOTE: Security bulletins can be found ordered by number at
          http://itrc.hp.com/cki/bin/doc.pl/screen=ckiSecurityBulletin
    root@hpeos003[]

As you can see, I have some work to do on this system. Before acting on the list, deal with what the run itself flagged. The catalog (mode -rw-rw-rw-) and two directories on PATH (/usr/local and /usr/local/bin) are group- and world-writable, which the tool rightly calls a security vulnerability when it is run as root: anyone who can write to them can alter what the tool reads or executes, including hiding patches from the report. Fix that with chmod og-w and re-run. Seven recalled patches are also still active and should be replaced; security_patch_check -m shows each one's record, including the Warn field. Finally, the Reboot? column tells you which of the recommended patches will need an outage window.

There is a -h option that allows you to run security_patch_check against a remote host. You will need to be able to run SD-UX commands on the remote host in order for this facility to work. You can explore this on your own time.
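Two things follow from the run above: the warnings have to be cleared before the report can be trusted, and the report table has to be turned into a work list (what is recalled, what needs a reboot, what to fetch from the ITRC). The script below, an added example that is neither the book's nor HP's code, does both in POSIX sh and awk so it runs anywhere. It embeds a constructed, cut-down copy of the report layout shown above for that purpose; the function and file names are my own choices.

```shell
#!/bin/sh
# Added example, not from the book or from HP's security_patch_check:
# pre-flight checks for the conditions the tool warns about, plus a parser
# for its report table. POSIX sh and awk only; function names are mine.

# True (exit 0) if FILE/DIR is group- or world-writable. The tool runs as
# root and trusts both the catalog and the directories on PATH, so either
# being writable lets a local user feed it a doctored catalog or binary.
is_gw_writable() {
    perm=$(ls -ld "$1" 2>/dev/null | cut -c1-10)
    case "$perm" in
        ?????w*|????????w*) return 0 ;;   # group w (col 6) or other w (col 9)
        *) return 1 ;;
    esac
}

# Print each directory on PATH (or on the colon-separated list given) that
# is group- or world-writable; the same check as the tool's first WARNING.
writable_path_dirs() {
    old_ifs=$IFS; IFS=:
    for d in ${1:-$PATH}; do
        [ -d "$d" ] && is_gw_writable "$d" && printf '%s\n' "$d"
    done
    IFS=$old_ifs
}

# The catalog is regenerated nightly; treat a copy older than a day as stale.
catalog_is_fresh() {
    [ -f "$1" ] || return 1
    [ -z "$(find "$1" -mtime +1 -print)" ]
}

# Patch handles the tool reports as recalled but still active on the system.
spc_recalled_patches() {
    awk '/^WARNING: Recalled patch / { print $4 }' "$1"
}

# One line per recommended patch:  PATCH BULLETINS SPEC REBOOT PDEP DESCRIPTION
# A row holds a variable number of bulletin numbers between the patch handle
# and the three Yes/No columns, so fields are consumed until the first non-number.
spc_patches() {
    awk '
        /BEGINNING OF SECURITY PATCH CHECK REPORT/ { inrep = 1; next }
        /END OF REPORT/                            { inrep = 0 }
        inrep && $1 ~ /^[0-9]+$/ && $2 ~ /^PH(CO|KL|NE|SS)_[0-9]+$/ {
            i = 3; bull = ""
            while (i <= NF && $i ~ /^[0-9]+$/) {
                bull = bull (bull == "" ? "" : ",") $i; i++
            }
            spec = $i; reboot = $(i + 1); pdep = $(i + 2); desc = ""
            for (j = i + 3; j <= NF; j++) desc = desc (desc == "" ? "" : " ") $j
            printf "%s %s %s %s %s %s\n", $2, bull, spec, reboot, pdep, desc
        }' "$1"
}

# Recommended patches that need a reboot: these set the outage requirement.
spc_reboot_patches() {
    spc_patches "$1" | awk '$4 == "Yes" { print $1 }'
}

# Constructed sample in the layout shown above (four of the twenty rows,
# two of the recall warnings) so everything here can run off an HP-UX box.
write_sample_report() {
    cat > "$1" <<'EOF'
WARNING: Recalled patch PHCO_24287 is active on the target system. Its record,
         including the Warn field, is available from ./security_catalog.
WARNING: Recalled patch PHKL_23946 is active on the target system. Its record,
         including the Warn field, is available from ./security_catalog.
*** BEGINNING OF SECURITY PATCH CHECK REPORT ***
#  Recommended  Bull(s) Spec? Reboot? PDep? Description
--------------------------------------------------------------------------------
1  PHCO_25918   237     No    No      No    sort(1) cumulative
7  PHKL_27179   206     No    Yes     No    Corrected reference to thread register state
12 PHNE_28103   215 242 Yes   Yes     Yes   ONC/NFS General Release/Performance
15 PHNE_28810   246 253 Yes   No      No    sendmail(1m) 8.9.3
--------------------------------------------------------------------------------
*** END OF REPORT ***
EOF
}

# Summarize REPORT after checking CATALOG and PATH for the tool's own warnings.
report_summary() {
    if [ -e "$2" ]; then
        is_gw_writable "$2" && echo "FIX: $2 is group/world writable (chmod og-w $2)"
        catalog_is_fresh "$2" || echo "FIX: $2 is over a day old; re-run with -r"
    else
        echo "FIX: catalog $2 not found"
    fi
    writable_path_dirs | sed 's/^/FIX: writable PATH directory /'
    echo "recalled but active:";           spc_recalled_patches "$1"
    echo "recommended, reboot required:";  spc_reboot_patches "$1"
    echo "recommended, all:";              spc_patches "$1"
}

# Usage: sh spc_report.sh REPORT [CATALOG]   or   sh spc_report.sh --demo
case "${1:-}" in
    --demo) rep=${TMPDIR:-/tmp}/spc_demo.$$; write_sample_report "$rep"
            report_summary "$rep" ./security_catalog; rm -f "$rep" ;;
    ?*)     report_summary "$1" "${2:-./security_catalog}" ;;
esac
```

Feed it the saved output of a real run (security_patch_check ... > report.txt) together with the catalog path; the FIX lines must be empty before the patch list is worth scheduling, and the reboot list is what goes into the change request.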

12.4.5 Local Response Center

Customers who log a support call with their local Response Center have the option of having patches sent to them via the postal system. Every endeavor is made to ensure that the required patches are delivered in a timely fashion. However, Hewlett Packard cannot be held responsible for delays in delivery due to a problem with the local postal system.

When specifying the patches you need, you should also specify the media on which you wish to receive them, i.e., DDS, DLT, and possibly CD and/or DVD (depending on the local Response Center's capabilities).

This method of delivery should be used only if no other option is available to you.

12.4.6 HP-assigned Support Representative

Customers who purchase the necessary level of support will have access to an HP Support Representative whose many jobs include assisting customers with keeping their mission-critical systems up and running. Customers know this individual by various titles. The titles used may depend on region, support level, or personal preference. Some names for this individual include Technical Account Manager (TAM), Account Support Engineer (ASE), Remote Account Support Engineer (RACE), and Named Response Center Engineer (NRCE). An important part of that role is to ensure that their customers' systems maintain a stable operating environment. To assist in this, the HP Support Representative will periodically perform "proactive patch analysis." This process involves evaluating the hardware and software in a system against the current patch database. Any new or relevant patches will be identified and made available to the customer. The intent is to prevent those systems from experiencing problems previously encountered on similar systems. Planned downtime can be built into a maintenance schedule, thus minimizing unplanned system outages and decreased system availability. Contact your HP Representative if you are interested in finding out more about these services.

HP-UX CSE(c) Official Study Guide and Desk Reference
Year: 2006
Pages: 434