Thursday Jul 29, 2010

Oracle Sun patches now available from My Oracle Support (MOS)

As you may already know, Oracle Sun patches are now available from My Oracle Support (MOS).

We've uploaded over 30,000 6-2 digit PatchIDs to MOS, including all Solaris 8, 9, and 10 patches, SunCluster, and patches for over a thousand other products.  Any patch for these products which was available on SunSolve is now also available from MOS, making MOS your one stop support shop for all Oracle products.

My colleague David F. Campbell has also completed the upload of all patch and firmware update content to MOS from CDS (Content Delivery System, formerly the Sun DownLoad Center (SDLC)).

Any another colleague, Tom Murray, has completed the upload of StorageTek patch content natively to MOS too. Most StorageTek patches are in a mainframe patch format and are not applied using the Solaris 'patchadd' utility.  To host them on SunSolve after the StorageTek acquistion, we wrapped them in a 6-2 digit PatchID.  However, it doesn't make sense to wrap these StorageTek 6-2 digit PatchIDs in Oracle BugDB IDs which would be a second level of indirection.  Therefore, Tom has uploaded them in their native format to MOS.

Customers with an Oracle support contract can log into My Oracle Support.  The full functionality version is Flash based, https://support.oracle.com.   There is also a limited functionality html version, https://supporthtml.oracle.com .

Click on the "Patches & Updates" tab and you'll see that the Patch Search options have been expanded to "Patch Name, Number or Sun CR ID".  As it suggests, you can search by the 6-2 digit PatchID or a Sun CR (Change Request) number (i.e. 7 digit BugID).

Please note that you can see all revisions of a patch by searching with the format 119254-% .  The "-" (dash) is required in the current version of MOS.

To get the Solaris patch clusters and patch bundles, use the "Product or Family (Advanced Search)" option on the "Patches & Updates" tab. Select:

  • Product is Solaris Operating System
  • Release is Solaris 10 Operating System
  • Select "Type" instead of "Platform" and Type is "Patchset"

...and it'll return all Solaris 10 patch clusters and patch bundles. This includes the Solaris OS Recommended Patch Clusters, the Solaris Update Patch Bundles, the Solaris OS Critical Patch Updates (CPUs), Live Upgrade (LU) Zones Patch Bundle, etc.

You can add further search filters, e.g. Platform is Oracle Solaris on SPARC (64-bit), to further refine the results.

Using "Platform" is useful to eliminate the double-entries for 32-bit and 64-bit.  These dual returns are a pet peeve of mine and I'm continuing to work with the MOS team to get this "fixed" in a future release.  They are an historical artifact from Oracle DB platform porting and are not relevant to the Solaris OS.

Note that the alternative option for "Type" is "Patch", which can be used to search for individual patches.

For example:

  • Product is Solaris Operating System
  • Release is Solaris 10 Operating System
  • Type is Patch
  • Platform is Oracle Solaris on SPARC (64-bit)
  • Description contains patch utilities

In the example above, the Description option searches for the phrase "patch utilities" in the Synopsis line of patches. This returns the Solaris 10 SPARC patch utility patches.

Since the synopsis line of patches is free format, some guesswork is involved in searching using this method. For example "patch utility" returns nothing. "IP" returns more than just TCP/IP related patches. "firmware" returns any patch with the word "firmware" in its Synopsis.

Alternatively, you can use "Classification", which can be set to "Security" to return Security patches.

Click on the "Updated" column in the search returns to get these listed from earliest to latest or vice versa.

My understanding is that MOS currently limits search results to 100 entries in the current version and again I'm discussing "fixing" this with the MOS team in a later release.

Searches can be edited and saved for reuse at a later date.

A "Classification" of "Other Recommended" rather logically will give other non-security recommended patches included in the Solaris OS Recommended Patch Cluster. (In MOS terminology, "Security" and "Other Recommended" together are equivalent of the old Sun "Recommended" term.) But if you want to know exactly what's in the Solaris OS Recommended Patch Cluster, it's easier to simply look at the patch list in the Cluster README.

As discussed in the http://blogs.sun.com/patch/entry/solaris_10_recommended_patching_strategy which I published yesterday, we're really trying to encourage customers to move away from selecting unique patch combinations and to instead use the Solaris OS patch clusters and patch bundles as the core of your patching strategy.

If you are looking for individual patches to address a specific CR, then use "Patch Name, Number, or Sun CR ID" search option instead of "Product or Family (Advanced Search)". For example, enter Sun CR ID 6927931 and patch 119254-78 is returned which is the patch in which the CR is fixed. A CR which was fixed a long time ago, e.g. 6486471, will return all patch revisions which contain the fix, so you can decide whether you want to take the latest patch revision which fixes it or the earliest.

For firmware patches:

  • Go to the "Patches & Updates" tab
  • Click on "Produce or Family (Advanced Search)"
  • Select the hardware product in which you are interested.  For example, type "x6" and select, Product is Sun Blade X6440 Server Module.
  • Select the Release(s) you are interested in, e.g. Release is X6440 SW 2.2.0
  • Click Search.

As I say, I'm continuing to work with the MOS team to enhance the customer experience further, but I hope you find the above tips helpful.

 So which Oracle Sun patches are currently available from MOS ?:

  • Over 30,000 Oracle Sun 6-2 digit PatchIDs (i.e. of the format xxxxxx-xx) for over a thousand products and product versions.  This includes all Solaris 8, 9, and 10 patches, SunCluster patches, etc.
  • All the Oracle Sun Patch Clusters and Patch Bundles
  • All the patch and firmware update content previously hosted on CDS (Content Delivery System, formerly the Sun DownLoad Center (SDLC))
  • All StorageTek patches

What's not transitioned to MOS ?:

  • Really, really old patches, such as SunOS 1.x patches, Solaris 7 and older patches, etc.   These are utterly obsolete products so there's no point in propagating this crud forward.
  • Public patches available without a support contract, such as OpenOffice and StarOffice patches.  It is planned to support these in a future MOS release.  In the meantime, they can be downloaded from https://sspatch.oracle.com/showMe.do?page=public
  • Some patch metadata files such as the "Checksum" and "patchdiag.xref" files.  It is planned to support these in a future MOS release.  In the meantime, they can be downloaded from https://support.oracle.com/CSP/main/article=?cmd=show&type=NOT&id=1272947.1

Terminology: You say potato, I say potato, and Dan Quail says "potatoe"

There's an unfortunate patch terminology clash between Oracle and Sun patches which you need to be aware of:

  • The Sun term "obsolete" equates to the Oracle term "superseded" - i.e. a patch which is no longer the latest patch is a sequence.
  • The Sun term "withdrawn" equates to the Oracle term "obsolete" - i.e. a patch withdrawn from release due to problems with it.

Since the term "obsolete" is deeply embedded in SVR4 patching, e.g. the variable name SUNW_OBSOLETE in the pkginfo files, it is not possible for us to change it.  Neither is it likely that Oracle will change their terminology as it's well known in DB and Fusion middleware circles.  Users simply need to be aware of this terminology clash when dealing with Oracle Sun SVR4 based patches.

I hope this doesn't become a hot potato. :)

Best Wishes,

Gerry.

Wednesday Aug 26, 2009

Automated 'wget' patch downloads: issue resolution

My colleague, Don O'Malley, asked me to post the following on resolving issues using 'wget' to automate patch downloads.  'wget' is a popular download method, and is used by patch automation tools such as 'pca'.

Summary: You can use versions 1.10.x and 1.11.x of 'wget' but not version 1.11.  Details of options to use are set out below.  See also Patch Download Automation using wget.

SunSolve recently migrated to using Akamai for patch and patch cluster downloads, to provide customers with a faster and more reliable experience.

Some customers have experienced issues accessing patches using 'wget'.  Here's information on the issues and how to resolve them:

1) You must use a version of 'wget' which supports 'https'.

Why?

SunSolve's new patch download service is accessed by redirecting requests to https://getupdates2.sun.com, which subsequently redirects to https://a248.e.akamai.net (Akamai).
Which versions of 'wget' support 'https'?
'wget' version 1.10.x or later has 'https' support.
How can I check which version of 'wget' I am using?
Run the command 'wget --version'

2) You must use the '-O' or '--output-document' switch in 'wget' to provide an output filename.

Why?

The Akamai URI identifying a patch is very long.  By default 'wget' will name the downloaded file the same as the URI.  As the filename is too long an error is thrown and the download will fail.
Example of the correct syntax:
# /usr/sfw/bin/wget --http-user="xxxxxxxx" --http-passwd="xxxxxxx" --no-check-certificate "http://sunsolve.sun.com/pdownload.do?target=119255-01&method=h" -O /tmp/119255-01.zip

Example of some the output for a failing 'wget' request:

140778-01.zip?AuthParam=1251205908_479a27379ab5595128ae9170de4228c9&TUrl=L0QdUQV8Z4i0fdED3QTP3SJDWA8FMyaJsHfIWf4X29kTWQpKEzIbwqFuyRPZ&TicketId=3q3wk1CPNxhU&GroupName=SWUP&BHost=sdlc2h.sun.com&FilePath=%2Fpatches%2Fpatchroot%2Fall_unsigned%2F140778-01.zip&File=140778-01.zip: File name too long

Cannot write to `140778-01.zip? AuthParam=1251205908_479a27379ab5595128ae9170de4228c9&TUrl=L0QdUQV8Z4i0fdED3QTP3SJDWA8FMyaJsHfIWf4X29kTWQpKEzIbwqFuyRPZ&TicketId=3q3wk1CPNxhU&GroupName=SWUP&BHost=sdlc2h.sun.com&FilePath=%2Fpatches%2Fpatchroot%2Fall_unsigned%2F140778-01.zip&File=140778-01.zip' (Error 0).

3) If you are using 'wget' version 1.11.x you must use the '--auth-no-challenge' switch.

Why?

This is related to the manner in which 'wget' 1.11.x sends SunSolve a users Sun Online Account (SOA) information in this version of 'wget' (i.e. via '--http-user' & '--http-passwd'.)
Failure to include the '--auth-no-challenge' with 'wget' 1.11.x requests will result in the SunSolve Software License Agreement (SLA) being downloaded rather than the patch.
Example of the syntax for 'wget' 1.11.x users:
# /usr/sfw/bin/wget --auth-no-challenge --http-user="xxxxxxxx" --http-passwd="xxxxxxx" --no-check-certificate "http://sunsolve.sun.com/pdownload.do?target=119255-01&method=h" -O /tmp/119255-01.zip
Note, 'wget' version 1.11 does not have the '--auth-no-challenge' switch and so is not compatible with patch downloads from SunSolve.

4) You must provide 'wget' with direction on how to handle security certificate information.  Otherwise, patch downloads via 'wget' will fail.

Why?

Domains, getupdates2.sun.com & a248.e.akamai.net, are signed by trusted Certificate Authorities. (Verisign for Sun's and GTE Cybertrust for the case of Akamai.) Without a pointer to these certificates being provided to 'wget', download attempts will fail.
Which certs are required?
CN=GTE CyberTrust Global Root
CN=VeriSign Class 3 Secure Server CA - G2
What kind of error message can you expect to see from a failing 'wget' request?
ERROR: Certificate verification error for getupdates2.sun.com: self signed certificate in certificate chain
To connect to getupdates2.sun.com insecurely, use `--no-check-certificate'.
Unable to establish SSL connection.
Issue resolution:
If you wish to ignore this failure you can use the '--no-check-certificate' switch in 'wget'.  Example of the syntax:
# /usr/sfw/bin/wget --http-user="xxxxxxxx" --http-passwd="xxxxxxx" --no-check-certificate "http://sunsolve.sun.com/pdownload.do?target=119255-01&method=h" -O /tmp/119255-01.zip
If you wish to check against the certificates, you can use the '--ca-certificate' switch to point to a file containing the certificates.
http://sunsolve.sun.com/search/document.do?assetkey=1-9-240066-1 has an attachment called cacerts.pem, which is a concatenation of the two certificates.
If you save this file locally (eg to /tmp/cacerts.pem), you can use a syntax similar to:
# /usr/sfw/bin/wget --ca-certificate=/tmp/cacerts.pem --http-user="xxxxxxxx" --http-passwd="xxxxxxx" "http://sunsolve.sun.com/pdownload.pl?target=142284&method=h" -O /tmp/140778-01.zip

5) You may need to add firewall rules to enable 'wget' to work with SunSolve's new download service.

Why?

As the new download service is accessed by redirecting from http//:sunsolve.sun.com to https://getupdates2.sun.com initially and subsequently to https://a248.e.akamai.net, some customers may need to update their firewall rules to pass traffic from getupdates2.sun.com & a248.e.akamai.net in addition to sunsolve.sun.com.
How can I verify this?
Contact your System Administrator.

6) After associating a new contract to a SunSolve account there is a delay of up to 48 hours before 'wget' downloads will work for patches that the new contract should provide access to.

Additionally, customers registered in the Members Support Center must make an initial 'wget' call (which will fail) in order to trigger the synchronization process after associating a new contract to their party.

Why?

The delay is due to synchronization issues between SunSolve and the back-end access entitlement system.  Work is ongoing to reduce this delay.
What error message can you expect to see until this synchronization is complete ?
HTTP request sent, awaiting response... 403 You are not entitled to retrieve this content.

7) Attempts to download a patch README file by providing "method=r" in the URI is now failing.

Why?

Prior to the latest SunSolve release it was possible to download a patch's README file only via 'wget', using a syntax similar to :
# /usr/sfw/bin/wget --no-check-certificate --http-user="xxxxxxxx" --http-passwd="xxxxxxxx" "http://sunsolve.sun.com/pdownload.do?target=142284-01&method=r" -O /tmp/142284-01.README
There's a bug in the current SunSolve release this no longer works and attempts to download a patch README using this URI will result in a file of 0 Bytes being created.  This will be fixed at a later date.
Workaround:
Use "method=tr" to download a patch README file.  Example command syntax:
# /usr/sfw/bin/wget --no-check-certificate --http-user="xxxxxxxx" --http-passwd="xxxxxxxx" "http://sunsolve.sun.com/pdownload.do?target=142284-01&method=tr" -O /tmp/142284-01.README
About

This blog is to inform customers about patching best practice, feature enhancements, and key issues. The views expressed on this blog are my own and do not necessarily reflect the views of Oracle. The Documents contained within this site may include statements about Oracle's product development plans. Many factors can materially affect these plans and the nature and timing of future product releases. Accordingly, this Information is provided to you solely for information only, is not a commitment to deliver any material code, or functionality, and SHOULD NOT BE RELIED UPON IN MAKING PURCHASING DECISIONS. The development, release, and timing of any features or functionality described remains at the sole discretion of Oracle. THIS INFORMATION MAY NOT BE INCORPORATED INTO ANY CONTRACTUAL AGREEMENT WITH ORACLE OR ITS SUBSIDIARIES OR AFFILIATES. ORACLE SPECIFICALLY DISCLAIMS ANY LIABILITY WITH RESPECT TO THIS INFORMATION. ~~~~~~~~~~~~ Gerry Haskins, Director, Software Lifecycle Engineer

Search

Categories
Archives
« April 2014
MonTueWedThuFriSatSun
 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
    
       
Today