HP-UX Software Assistant Administration Guide HP-UX 11i Systems Abstract This administration guide is for system administrators who maintain the security of HP-UX systems. Administrators are assumed to have in-depth knowledge of HP-UX operating system concepts, commands, and configurations. It assumes familiarity with installing HP computer hardware and software, upgrading software, applying patches, and troubleshooting system problems.
© Copyright 2007, 2013 Hewlett-Packard Development Company, L.P. Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license. The information contained herein is subject to change without notice.
Contents 1 Introducing HP-UX Software Assistant............................................................5 HP-UX SWA overview................................................................................................................5 Release notes...........................................................................................................................5 Capabilities.........................................................................................................................
5 Networking options..................................................................................23 Using SWA in secure network environments...............................................................................23 Using proxy servers with Software Assistant................................................................................23 Using the download_cmd extended option.................................................................................
1 Introducing HP-UX Software Assistant HP-UX SWA overview HP-UX Software Assistant (SWA) is a tool that consolidates and simplifies patch management and security bulletin management on HP-UX systems. SWA can perform a number of checks including applicable security bulletins and installed patches with critical warnings. Once an analysis has been performed, you can use SWA to download any recommended patches or patch bundles and create a depot ready for installation.
# swa -X Context sensitive help is available for all SWA commands with the -? option. # swa -? The following sections give a brief overview of SWA commands. For detailed information, see the HP-UX Software Assistant Reference, available at http://www.hp.com/go/swa-docs. The major modes SWA has the following major modes: report, get, step, and clean. The major modes report and get are comprised of steps, outlined below.
When the swa command runs, it produces a cache of files for its use. Run swa clean to free up disk space after your swa session is complete. The swa clean command has modifiers that specify the caches to clean. The modifiers are: usercache, swcache, and all. The usercache holds the files created by swa report, and the swcache holds the patches and patch bundles downloaded by swa get or swa step download. The swcache directory can be set with the extended option swcache.
2 Installing HP-UX Software Assistant Installation requirements For Windows systems within HP SIM When installing SWA on a Windows system to run within HP SIM, all the requirements are met by running a supported version of HP SIM. Be sure to select the Windows software specification from the SWA download webpage at http://www.hp.com/go/swa-download. SWA is only available via HP SIM on a Windows system – there is no command-line interface.
SWA software is available from the following places: • Software Assistant on the HP Software Depot: for Windows, HP-UX 11i v1 (B.11.11), HP-UX 11i v2 (B.11.23), HP-UX 11i v3 (B.11.31). From http://www.hp.com/go/swa-download, click Installation for installation instructions. The newest version of SWA is available on the Software Depot. What version of SWA should I use? HP recommends downloading and using the latest version of SWA, available at http:// www.hp.com/go/swa-download.
SWA will be available within HP Systems Insight Manager (HP SIM) if you install SWA while HP SIM is running. If SWA is installed before HP SIM is initially configured via mxinitconfig, SWA will automatically be included for use within HP SIM. See mxinitconfig(1M) for more information. If you install SWA when HP SIM is installed but not running, you must run the /opt/swa/lbin/configHPSIM script once HP SIM is running again to configure HP SIM for SWA.
3 Quick Start Steps to using SWA To get started using Software Assistant right away, follow these steps: 1. Make sure you have your active HP support agreement that includes Software Updates linked to your HPSC profile to access patch content and services. 2. Create a config file that contains your HPSC login information. 3. Run the initial report with the command swa report. 4. Review recommended actions, especially the manual actions, written to standard output. 5.
The Actions Summary Report begins with the Assessment Profile. The exact catalog and inventory files used in the analysis are identified. Detailed analysis information follows. Software Assistant Actions Summary Report ASSESSMENT PROFILE Catalog Information Catalog File: $HOME/.swa/cache/swa_catalog.xml Catalog Date: dd month year hh:mm:ss Inventory Source Name: systemname OS: HP-UX B.11.xx Model: model info Inventory File: $HOME/.swa/cache/swa_inventory_n.
As each patch is downloaded into the swcache, a notice is displayed on standard output. . . . NOTE: * Downloading Software from HP to Local Cache Estimated total download size: x bytes. * Downloading PHCO_n (1 of x) . . . Once the patches have been downloaded to the swcache directory, they are processed into the depot. SWA automatically uses MD5 cryptographic hash to verify patch integrity before unpacking downloaded patches.
4 Creating and interpreting reports Analysis All reports are based on the selected analyzers. SWA is capable of performing a variety of analyses. To perform an analysis, Software Assistant requires an inventory file and a catalog file. During analysis, those two files are compared to see what issues require attention. Issues in ignore files are not included in the analysis. For more information, see “Put appropriate actions in the ignore file” (page 13).
Report overview After the analysis is complete, SWA reports its findings. The types of reports follow. Table 3 Report Overview Report type HTML Action What it reports How to generate it Where to find it Comprehensive – • Always • $HOME/.swa/report/ includes the generated and swa_report.html by Action, Issue, and written to a file default Detail reports.
The HTML report begins with a table of contents, which includes links to all sections of the report. The Assessment Profile This section is included in every report. It identifies the catalog used, the inventory used, and the analysis information for the unique report. The Assessment Profile is required to interpret any report by giving it context. Using the information in the assessment profile, an analysis can be recreated.
The Action report The Action report is a to-do list of patches and patch bundles to install, plus a list of manual actions. This report does not include explanations as to why the actions are required; for this information, see the Detail report. The patch and patch bundle actions can be taken care of by installing the depot created by the SWA commands swa get and swa step depot. The depot includes all the patches and patch bundles listed in the Action report, which includes all dependent patches.
Manual actions These actions require direct administrator response and include product (non-patch) updates, product removal, manually updating files, and other manual actions, such as direct file system changes. Security bulletins are listed only if manual actions are required. If a patch satisfies a security bulletin, it will be included in the QPK patch bundle or listed explicitly in the Patches section. The date listed for security bulletins is the date the bulletin was posted or last updated.
The Issue report The Issue report is included in the HTML report. There is a section for every analyzer selected, plus an Automatically invoked analyzers section if there are AUTO issues detected. The Issue report includes issues SWA does not have recommendations for (unresolved issues), but does not indicate they are unresolved. Information on unresolved issues can be found in the Detail report.
1 2 3 4 The short form of the external HP security identifier. It is comprised of the numeric portion of the HPSBUX identifier, 02284, plus the revision number, r4. The long form of the external HP security identifier, also called the HPSBUX identifier. The software security response team number, which is used internally to HP. The revision number. A security bulletin revision can be issued for minor or significant changes.
1 The Patch PHKL_31500 is a special patch for HP-UX 11i v2, in that new dependencies may be introduced after its release. The Detail report This report is included in the HTML report. The Detail report is a comprehensive cross-reference between actions and issues, which comes in handy since some issues require multiple actions and some actions satisfy multiple issues. The Detail report includes information not available in the Action or Issue reports.
Sometimes one action will resolve more than one issue. In the following example, installing PHCO_36506 will resolve both a critical issue and a patch warning. Both patches, PHCO_36506 and PHCO_31562, will appear in the Issue report. Only PHCO_36506 will appear in the Action report. The Detail report below shows the cross-reference of the action to both issues. The Detail report might include the section, “Unresolved Issues.” These are issues that SWA detected but has no action to recommend.
5 Networking options Using SWA in secure network environments SWA is able to adapt to a secure network environment where one or more of the default protocols SWA uses are blocked. When customizing SWA for your environment, you must keep security concerns in mind. When SWA runs an analysis of a system, it relies on the integrity of the catalog file and the inventory file. The integrity of the catalog file and the analysis file controls the security properties of SWA.
Example: Use SWA With a Gateway This example requires SWA version C.02.80 or later. Download the latest version of SWA from http://www.hp.com/go/swa-download. If you would like to use SWA without direct internet access, you can use the download_cmd extended option and a gateway server to access the catalog and patch files. This gateway can be a non-HP-UX system. We will use GET to download the catalog, since the catalog is not very large, and use wget within a script to download the patches.
1. Using a system with Internet access (this system may be running Linux or Windows), download the catalog from the HPSC. 1. Get /opt/swa/lbin/swaFetch.jar from an HP-UX system running SWA version C.02.80 or later and transfer the file to the system that will be running the download. 2. On the system to do the download, run the following command: # java -jar swaFetch.jar -x hp_id=uname \ -x hp_pw=pw -x proxy=http://user:pass@web-proxy.mycompany.com:8088 \ -x file=/export/patches/swa_catalog.xml.gz 3. 2.
6 Running SWA from within HP SIM The Central Management Server Software Assistant runs on a supported version of HP SIM Central Management Server (CMS). See “Installing SWA to use within HP SIM” (page 9) for information on installing SWA for HP SIM. To run SWA from HP SIM on an HP-UX system you must be a privileged user or an authorized user as described in “Authorizing non-privileged users” (page 38).
Use this menu item if you want to run an analysis immediately or if you want to schedule the analysis for a later time. NOTE: HP SIM servers might require significant space in /var/opt/swa/HPSIM to support client systems' analysis, catalog, inventory, and report files. You should consider the number of client systems you intend to support and adjust file system sizes accordingly.
1. 2. 3. 4. 5. Select the Search radio button in the Add targets by selecting from: box. Type the search text in the text box. The top six search matches appear in a popup box for quick selection. Click Search. Select the check boxes of desired systems. Selecting the check box in the top title row will toggle between selecting and deselecting all listed systems. Select Apply. TIP: Clicking in a column header area will sort the systems alphabetically by that column. Click again to reverse-order the list.
Verifying selected systems After you select Apply from one of the selection methods listed above, the Verify Target Systems page is displayed. Use the buttons at the bottom of the system list to manage your selections. • Select Add Targets... and add systems to the target systems list as described in “Selecting target systems” (page 27). Select Apply. You can click Cancel to close the Add Targets... interface and retain the original list of selected systems. • Select Remove Targets...
HPSC Account Information – Patch access is through the HPSC portal. You need to have a valid HPSC user ID and password. You will also need an active HP support agreement that includes Software Updates. This support agreement must be linked to your HPSC profile to access patch content and services. • User ID – Use this to specify your HPSC user ID to gain access to the HPSC patch database. • Password – Use this to specify your HPSC password.
Analyzers – Select the checkbox for all analyzers you want used in this report. If no analyzers are selected, SWA will run with the default analyzers: QPK, SEC, and PCW. • Quality Pack (QPK) – The Quality Pack analyzer detects the revision of the current QPK bundle and selects available updates. • Security Bulletins (SEC) – The Security Bulletins analyzer will list all detected security bulletins that might apply to your system.
This location assumes the C drive is your root drive and you used the default installation directory. Copy the configuration file template to a new location for editing, then add that file to the User Config Files text box. Advanced Options Display and hide the Advanced Options section using the expander buttons . Catalog – • Disable catalog update – This option corresponds to the catalog_max_age extended option value of –1.
HTTPS protocol is used for catalog download and the HTTP protocol is used to download the CRL. This proxy setting controls the default for all proxies. • URL Target – The url_target extended option is used in conjunction with download_cmd. It allows you to change the target string from %url to something else. See “Example: Use SWA With a Gateway” (page 24) for details on using %url.
• Once – This task will be run one time on the date and time specified in the Refine Schedule area. • Not Scheduled – By default, this task will not be run now or on a schedule. It will appear in the “Viewing All Scheduled Tasks” list where it can be managed. If you have selected Run now from the In Addition menu, it will be run immediately. In addition: – Use this area to augment the task information set above. You can add a task that runs when the SIM server reboots or make an immediate run.
The multisystem summary report The SWA multisystem summary report includes the following information: • Status – SWA will proceed through the steps: getting catalog, getting inventory, processing targets, and done. As each target is processed, its status is displayed in the Status column. • Actions – The total number of actions listed in the Action report. • Issues – The total number of exposed problems, including those with no SWA recommended solution.
Monitoring and maintaining your SWA tasks Viewing Task Results Information related to one task instance is available from Tasks & Logs→View Task Results... on the HP SIM menu bar. Software Assistant tasks will appear with other HP SIM tasks on the Tasks Results page. From the Task Instance Results you can see general results, including whether the task completed without errors, and the information sent to standard error and standard output regarding the execution of this task.
Viewing All Scheduled Tasks If you scheduled your SWA task, it will appear with other scheduled HP SIM tasks on the All Scheduled Tasks page. View this page via Tasks & Logs→View All Scheduled Tasks... on the HP SIM menu bar. Scheduled tasks can be identified by the Launching Task name you gave it when it was scheduled, as shown in “Running your SWA job in HP SIM” (page 33), and the Tool name SWA Scheduled Task. Task Instance Results information is available on this page for each run of the scheduled task.
• Delete – Removes the scheduled task completely. If you are not sure you want to permanently delete a task, you can instead Disable it until you are sure. Authorizing non-privileged users In an enterprise environment, it might make sense to authorize non-privileged users to run HP SIM SWA on a specific set of systems without giving those users full access on the HP SIM Central Management System (CMS). SWA toolboxes are available to enable this – the procedure follows.
• Select New... • From the New Authorizations section of the Users and Authorizations page, select the “Manually assign toolbox and system/system group authorizations:” radio button. • In the Select Toolbox(es): area, there are two possible selections for SWA: SWA Privileged and SWA Tools. SWA Tools will give the user access to all the SWA tools except the Download Command option. SWA Privileged allows the authorized user access to all the SWA tools plus the Download Command functionality.
7 Support and other resources Contacting HP Before you contact HP Be sure to have the following information available before you contact HP: • Technical support registration number (if applicable) • Service agreement ID (SAID) • Product serial number • Product model name and number • Product identification number • Applicable error message • Add-on boards or hardware • Third-party hardware or software • Operating system type and revision level HP contact information For the name of the nea
Related information Documents • HP-UX Software Assistant Administration Guide • HP-UX Software Assistant Reference • HP-UX Software Assistant Frequently Asked Questions • Patch Management User Guide for HP-UX 11.x Systems • HP-UX 11i Version 3 Release Notes • HP-UX 11i v3 Installation and Update Guide • The SWA manpages describe the commands and provide examples.
Table 4 Typographic Conventions (continued) Typeface Usage Examples Computer output Text a program displays Please select a boot option User input Text you type 15.1.54.117 Variable Variables to be replaced by a name or value IP Address Listing File contents cfg "HP-UX b.11.23 Default" { } Screen An example display Seconds left until autoboot - 0 AUTOBOOTING... [ ] The contents are command options.
A Useful files and directories Many of the following files have characteristics that may be modified by extended options, including the location and name. For more information, see swa-report(1M), swa-get(1M), swa-step(1M), and swa-clean(1M). Table 5 SWA Useful Files and Directories Location Purpose $HOME/.swa.conf The per-user SWA configuration file. This file takes precedence over the system-wide SWA configuration file. $HOME/.swa/cache/swa_catalog.
Table 5 SWA Useful Files and Directories (continued) Location Purpose /var/opt/swa/HPSIM/user User-specific directory used by SWA when running under HP SIM. /var/opt/swa/HPSIM/user/job_/swa-web.log Job-specific log file when running HP SIM with an HP-UX CMS. 44 /var/opt/swa/swa.log Default log file. download.contents Lists all files downloaded from HP to the swcache. It is located in the swcache directory. readBeforeInstall.
B Troubleshooting SWA Log files The HP-UX command line SWA log file details each SWA session. Its default location for root users is /var/opt/swa/swa.log. If you do not have permissions to write to the default file, the log file is written to $HOME/.swa/swa.log. Each action in the log file can be verified by looking in the swcache, the usercache, or the reports generated by SWA. Table 6 HP SIM log file locations Log files Job-specific log files CMS Filename HP-UX /var/opt/swa/HPSIM/swa_hpsim.
Proxy errors A proxy server is sometimes required. If this is the case, and proxy settings are absent or incorrect, you might see an error like this: ERROR: Failed to access authorization service. You can specify a proxy server with the swa report extended option proxy. For more information, see swa-report(1M). If you do not have a standard proxy, you can specify an arbitrary command for downloading files. See the extended option download_cmd.
Glossary A glossary term appears in boldface when used for the first time in the text of this manual. Italicized terms in the following glossary refer to other terms in the glossary. A analysis A comparison of the inventory and the catalog to determine the recommended actions and applicable patches for installation. analyzer An option of the swa report and swa step analyze commands used to specify the type of analyses to run. Available analyzers are: CRIT, PCW, PW, QPK, SEC, CHAIN, and PATCH.
Patch Assessment Tool Guided patch analysis and selection software available on the HP Support Center that ensures your systems meet the HP recommended patch configuration. HP-UX Software Assistant has all the capabilities of the HPSC Patch Assessment Tool and more. patch chain See supersession chain. Q Quality Pack (QPK) A bundle of HP-UX defect-fix patches for proactive patching. QPK bundles are targeted for a particular version of HP-UX.
Index Symbols %url, 24 A Action report explained, 17 overview, 15 analyze depot, 5 overview, 5 analyze step, 6 analyzers, 14 see also automatic analyzers (AUTO) see also CHAIN analyzer see also CRIT analyzer see also PATCH analyzer see also PCW analyzer see also PW analyzer see also QPK analyzer see also SEC analyzer default, 14 overview, 14 setting in HP SIM, 29 specifying, 12 assessment profile explained, 16 overview, 12 automatic analyzers (AUTO) in the Issue report, 20 overview, 16 swa report, 6 swa s
HP SIM log, 45 HP SIM log file for HP-UX CMS, 43 HP SIM log file for Windows CMS, 43 HP SIM root directory, 44 HP-UX log, 45 HPSIM config file template, 43 HPSIM configuration, 43 ignore, 13, 21, 43 inventory, 6, 43 job-specific HP SIM log file for HP-UX CMS, 44 job-specific HP SIM log file for Windows CMS, 43 list of useful files, 43 log, 43, 44 manpages directory, 43 options, 7 readBeforeInstall.txt, 13, 44 report, 15, 43 swa.conf, 7, 45 swa.conf.template, 7 swa_analysis.xml, 6 swa_catalog.
P PATCH analyzer in the assessment profile, 16 in the Issue report, 20 overview, 14 PCW analyzer overview, 14 proxy errors, 46 using, 23 using in HP SIM, 31, 32 PW analyzer in the Issue report, 20 overview, 14 Q QPK analyzer in the Issue report, 19 overview, 14 QPK bundles in the Action report, 17 with warnings, 19 R readBeforeInstall.