Friday Jan 28, 2011

Resolving 'smpatch' / Update Manager issues

A number of customers have reported issues with 'smpatch' / Update Manager resulting from the recent migration to the My Oracle Support (MOS) infrastructure.

My colleagues BethB, PeterM, and EthanR have published Document 1288579.1 which explains what to do if you are unable to register systems & download patches via sconadm, smpatch, and Update Manager . This document is also accessible via the Oracle Sun OS Community page too.

I apologize most sincerely for any inconvenience caused.

Thursday Nov 18, 2010

Test site available for SunSolve to MOS transition changes

My SunSolve colleagues tell me that the ability to test sample scripted My Oracle Support (MOS) patch downloads is now available. 

If you use scripted patch downloads, e.g. using 'wget', I highly recommend you take this opportunity to test the necessary changes to the download syntax in advance of the transition from SunSolve to MOS which is currently scheduled for December 10.

The document detailing the 'wget' syntax changes relating to the upcoming transition from SunSolve to MOS, http://sunsolve.sun.com/search/document.do?assetkey=1-79-1199543.1-1, has been updated with the relevant instructions.  I suggest you bookmark that document and return to it regularly for updates.

Monday Feb 01, 2010

'wget', 'pca', and TLP users need to accept updated software license

As the software license agreement terms were updated last week upon Sun becoming a wholly owned subsiduary of Oracle, customers who use 'wget' to automate patch downloads from SunSolve will need to login in once to SunSolve and accept the updated software license agreement before they can continue to use 'wget'.   Please note that some popular patch automation tools such as Traffic Light Patching (TLP) and the 3rd party 'pca' tool use 'wget' and hence this notice is applicable to them too.

http://sunsolve.sun.com currently has the following message at the top of the SunSolve home page:

Alert: wget customers ~ Please log into SunSolve to re-accept the new Software License Agreement prior to running any wget scripts. You can also look under "Update Account" and refer to:
Step 5: Register for patch download automation
Check the box to confirm that you read the license and save the changes. Downloads will work as normal at this point.

Wednesday Aug 26, 2009

Automated 'wget' patch downloads: issue resolution

My colleague, Don O'Malley, asked me to post the following on resolving issues using 'wget' to automate patch downloads.  'wget' is a popular download method, and is used by patch automation tools such as 'pca'.

Summary: You can use versions 1.10.x and 1.11.x of 'wget' but not version 1.11.  Details of options to use are set out below.  See also Patch Download Automation using wget.

SunSolve recently migrated to using Akamai for patch and patch cluster downloads, to provide customers with a faster and more reliable experience.

Some customers have experienced issues accessing patches using 'wget'.  Here's information on the issues and how to resolve them:

1) You must use a version of 'wget' which supports 'https'.

Why?

SunSolve's new patch download service is accessed by redirecting requests to https://getupdates2.sun.com, which subsequently redirects to https://a248.e.akamai.net (Akamai).
Which versions of 'wget' support 'https'?
'wget' version 1.10.x or later has 'https' support.
How can I check which version of 'wget' I am using?
Run the command 'wget --version'

2) You must use the '-O' or '--output-document' switch in 'wget' to provide an output filename.

Why?

The Akamai URI identifying a patch is very long.  By default 'wget' will name the downloaded file the same as the URI.  As the filename is too long an error is thrown and the download will fail.
Example of the correct syntax:
# /usr/sfw/bin/wget --http-user="xxxxxxxx" --http-passwd="xxxxxxx" --no-check-certificate "http://sunsolve.sun.com/pdownload.do?target=119255-01&method=h" -O /tmp/119255-01.zip

Example of some the output for a failing 'wget' request:

140778-01.zip?AuthParam=1251205908_479a27379ab5595128ae9170de4228c9&TUrl=L0QdUQV8Z4i0fdED3QTP3SJDWA8FMyaJsHfIWf4X29kTWQpKEzIbwqFuyRPZ&TicketId=3q3wk1CPNxhU&GroupName=SWUP&BHost=sdlc2h.sun.com&FilePath=%2Fpatches%2Fpatchroot%2Fall_unsigned%2F140778-01.zip&File=140778-01.zip: File name too long

Cannot write to `140778-01.zip? AuthParam=1251205908_479a27379ab5595128ae9170de4228c9&TUrl=L0QdUQV8Z4i0fdED3QTP3SJDWA8FMyaJsHfIWf4X29kTWQpKEzIbwqFuyRPZ&TicketId=3q3wk1CPNxhU&GroupName=SWUP&BHost=sdlc2h.sun.com&FilePath=%2Fpatches%2Fpatchroot%2Fall_unsigned%2F140778-01.zip&File=140778-01.zip' (Error 0).

3) If you are using 'wget' version 1.11.x you must use the '--auth-no-challenge' switch.

Why?

This is related to the manner in which 'wget' 1.11.x sends SunSolve a users Sun Online Account (SOA) information in this version of 'wget' (i.e. via '--http-user' & '--http-passwd'.)
Failure to include the '--auth-no-challenge' with 'wget' 1.11.x requests will result in the SunSolve Software License Agreement (SLA) being downloaded rather than the patch.
Example of the syntax for 'wget' 1.11.x users:
# /usr/sfw/bin/wget --auth-no-challenge --http-user="xxxxxxxx" --http-passwd="xxxxxxx" --no-check-certificate "http://sunsolve.sun.com/pdownload.do?target=119255-01&method=h" -O /tmp/119255-01.zip
Note, 'wget' version 1.11 does not have the '--auth-no-challenge' switch and so is not compatible with patch downloads from SunSolve.

4) You must provide 'wget' with direction on how to handle security certificate information.  Otherwise, patch downloads via 'wget' will fail.

Why?

Domains, getupdates2.sun.com & a248.e.akamai.net, are signed by trusted Certificate Authorities. (Verisign for Sun's and GTE Cybertrust for the case of Akamai.) Without a pointer to these certificates being provided to 'wget', download attempts will fail.
Which certs are required?
CN=GTE CyberTrust Global Root
CN=VeriSign Class 3 Secure Server CA - G2
What kind of error message can you expect to see from a failing 'wget' request?
ERROR: Certificate verification error for getupdates2.sun.com: self signed certificate in certificate chain
To connect to getupdates2.sun.com insecurely, use `--no-check-certificate'.
Unable to establish SSL connection.
Issue resolution:
If you wish to ignore this failure you can use the '--no-check-certificate' switch in 'wget'.  Example of the syntax:
# /usr/sfw/bin/wget --http-user="xxxxxxxx" --http-passwd="xxxxxxx" --no-check-certificate "http://sunsolve.sun.com/pdownload.do?target=119255-01&method=h" -O /tmp/119255-01.zip
If you wish to check against the certificates, you can use the '--ca-certificate' switch to point to a file containing the certificates.
http://sunsolve.sun.com/search/document.do?assetkey=1-9-240066-1 has an attachment called cacerts.pem, which is a concatenation of the two certificates.
If you save this file locally (eg to /tmp/cacerts.pem), you can use a syntax similar to:
# /usr/sfw/bin/wget --ca-certificate=/tmp/cacerts.pem --http-user="xxxxxxxx" --http-passwd="xxxxxxx" "http://sunsolve.sun.com/pdownload.pl?target=142284&method=h" -O /tmp/140778-01.zip

5) You may need to add firewall rules to enable 'wget' to work with SunSolve's new download service.

Why?

As the new download service is accessed by redirecting from http//:sunsolve.sun.com to https://getupdates2.sun.com initially and subsequently to https://a248.e.akamai.net, some customers may need to update their firewall rules to pass traffic from getupdates2.sun.com & a248.e.akamai.net in addition to sunsolve.sun.com.
How can I verify this?
Contact your System Administrator.

6) After associating a new contract to a SunSolve account there is a delay of up to 48 hours before 'wget' downloads will work for patches that the new contract should provide access to.

Additionally, customers registered in the Members Support Center must make an initial 'wget' call (which will fail) in order to trigger the synchronization process after associating a new contract to their party.

Why?

The delay is due to synchronization issues between SunSolve and the back-end access entitlement system.  Work is ongoing to reduce this delay.
What error message can you expect to see until this synchronization is complete ?
HTTP request sent, awaiting response... 403 You are not entitled to retrieve this content.

7) Attempts to download a patch README file by providing "method=r" in the URI is now failing.

Why?

Prior to the latest SunSolve release it was possible to download a patch's README file only via 'wget', using a syntax similar to :
# /usr/sfw/bin/wget --no-check-certificate --http-user="xxxxxxxx" --http-passwd="xxxxxxxx" "http://sunsolve.sun.com/pdownload.do?target=142284-01&method=r" -O /tmp/142284-01.README
There's a bug in the current SunSolve release this no longer works and attempts to download a patch README using this URI will result in a file of 0 Bytes being created.  This will be fixed at a later date.
Workaround:
Use "method=tr" to download a patch README file.  Example command syntax:
# /usr/sfw/bin/wget --no-check-certificate --http-user="xxxxxxxx" --http-passwd="xxxxxxxx" "http://sunsolve.sun.com/pdownload.do?target=142284-01&method=tr" -O /tmp/142284-01.README

Thursday Aug 13, 2009

New SunSolve release, wget, and patch access entitlement update

SunSolve 7.3.0 Release, Akamai, and Vintage Solaris 8 patch access entitlement

The SunSolve 7.3.0 release was deployed to production August 11th. 

It includes major changes to back-end processes designed to provide a more robust, reliable, and consistent customer experience.  All patch downloads are now serviced by Akamai, which is the same process used by Sun's patch automation tools smpatch, Update Manager, UCE, and xVM Ops Center.

Firewall rules may need to be changed to permit the access to the following systems:

  • sunsolve.sun.com
  • getupdates2.sun.com
  • a248.e.akamai.net
The move to using Akamai to service download requests should resolve the transient "500" error issues in Squid which was impacting the reliability of patch downloads in the old SunSolve download infrastructure.

This release also removes Member Support Center (MSC) from the critical path for Solaris 8 Vintage Patch access entitlement.   Prior to this release, Vintage Solaris 8 customers needed to register in MSC in order to access Vintage Solaris 8 patches (created after April 1, 2009).  This was difficult for some customers who needed to undergo a contract clean-up process prior to full registration in MSC.  Now, such customers can simply associate their Vintage Solaris 8 Patch Plan contract number with their Sun Online Account (SOA) using the "Change Contract" link at the top right hand corner of SunSolve pages once they have logged on.  This is now sufficient to grant patch download entitlement to patches covered by any support contract, including Solaris 8 Vintage patches.

Note, customers who are registered in Member Support Center (MSC) will not see the "Change Contact" link as their contract associations are automatically handled by MSC.

For non-MSC users, to ensure access to all patches to which you are entitled, please ensure your associate your Support Contracts with your Sun On-line Account.

Recognition of Support Contract Changes

Support contracts naturally get renewed, upgraded, extended, or expire.  

When a support contract changes - for example a new line item is added to provide support for additional products - then, for non-MSC registered users, to get this additional entitlement "recognized" quickly to enable manual download of access-entitled patches covered by this additional line item, either remove and re-add the Contract number to your Sun Online Account (SOA) using the "Change Contract" link on SunSolve while logged on or else simply log out and log back in again.  Both methods will grant the additional access entitlement as long as the back-end IBIS Contract database has been updated with the modified contract information.

For Member Support Center (MSC) registered users, the contract association will be handled automatically by MSC.    (BTW: A bug in the refresh of IBIS Materialized Views has now been fixed, so delays in automate updates of contract associations by MSC should no longer occur, once the contract amendments have been inputed to the backend database.)

Patch access entitlement information

We will be improving the ability for customers to clearly determine what they are / are not entitled to access in the next release of SunSolve and the new PatchFinder tool (due in October).

In the meantime, when logged into SunSolve, go to the "Change Contract" link at the top right hand corner of SunSolve pages.

This will display the "Entitlement Classes" provided by the support contracts which you have currently associated with your Sun Online Account (SOA).  Displaying the internal "Entitlement Class" names is not ideal and will be improved in the next release, but here's how to interpret them:

  • "Public": You are entitled to access Public patches - i.e. patches which don't require a support contract to access them.
  • "Solaris8VintageSoftwareUpdates": You have a Solaris 8 Vintage Patch Service plan and are entitled to access Solaris 8 Vintage patches produced after April 1, 2009.  (See previous blog posting on the Solaris 8 Vintage Patch Service plan.)
  • "Solaris8SoftwareUpdates": You are entitled to access non-Vintage Solaris 8 patches.
  • "Solaris9SoftwareUpdates": You are entitled to access Solaris 9 patches.
  • "Solaris10SoftwareUpdates": You are entitled to access Solaris 10 patches.

There are a couple of additional entitlement classes, some of which are historical artifacts which overlap with the above.  These will be cleaned up in due course.

Did you know:

  • You need a support contract to access most patches
  • You must have a Solaris 8 Vintage Patch support plan in order to access Vintage Solaris 8 patches created after April 1, 2009
  • A SunSpectrum support plan or a Solaris 8 Software Subscription entitles you to access non-Vintage Solaris 8, 9, and 10 patches
  • A Solaris 9 Software Subscription entitles you to access Solaris 9 and 10 patches
  • A Solaris 10 Software Subscription entitles you to access Solaris 10 patches

Another "did you know":

Many documents on SunSolve have a "Document Audience:" of "PUBLIC".  However, in the case of patch README files, this does not necessarily mean that the patches they refer to have "public" access entitlement - i.e. that anyone can download the patch without a support contract.  The README is designed to make folk aware of the existence of a patch they may need.  However, they may still need to purchase a support contract in order to access the patch itself.

Using 'wget' to automate patch downloads

'wget' is a popular and efficient way to automate patch downloads.   Popular patch automation tools such as 'pca' and TLP utilize 'wget' for patch downloads.  Authentication is via the user's Sun Online Account (SOA), so customers should associate their support contracts to their SOA using the "Change Contract" link at the top right hand corner of SunSolve pages once they have logged on.

A version of 'wget' which support https transfers is now required in order to download patches.  For example, the 'wget' version in Solaris 10 supports https transfers.  To check whether the version of wget you are using is linked to SSL (to provide https support), you can use the following command:

# wget --help.

For example, the current development releases of wget (1.12-devel) shows:

   Options: +digest +ipv6 +nls +ntlm +opie +md5/openssl -gnutls
           +openssl +gettext

You also have to have your proxy configured to allow https connections through the proxy with the 'connect' command.

When contracts are added, renewed, or changed, MSC registered 'wget' users now need to attempt a download of a access-entitled patch (which will fail) in order to trigger a resynchronization of their contract data between the backend servers servicing the patch download request.  The modified contract entitlement will then be activated within 8 hours of this initial download attempt.

See Information on using wget for http download including example download script for further information.

Solaris 2.5.1 patch access entitlement removed

Solaris 2.5.1 is past its End Of Service Life (EOSL).   Access to Solaris 2.5.1 patches has therefore been removed.

Vintage Phone support, which includes access to existing patches (but no new patches will be created) is still available for Solaris 2.6 and Solaris 7 until the end of 2009, after which all access to Solaris 2.6. and Solaris 7 patches will also be removed.

About

This blog is to inform customers about patching best practice, feature enhancements, and key issues. The views expressed on this blog are my own and do not necessarily reflect the views of Oracle. The Documents contained within this site may include statements about Oracle's product development plans. Many factors can materially affect these plans and the nature and timing of future product releases. Accordingly, this Information is provided to you solely for information only, is not a commitment to deliver any material code, or functionality, and SHOULD NOT BE RELIED UPON IN MAKING PURCHASING DECISIONS. The development, release, and timing of any features or functionality described remains at the sole discretion of Oracle. THIS INFORMATION MAY NOT BE INCORPORATED INTO ANY CONTRACTUAL AGREEMENT WITH ORACLE OR ITS SUBSIDIARIES OR AFFILIATES. ORACLE SPECIFICALLY DISCLAIMS ANY LIABILITY WITH RESPECT TO THIS INFORMATION. ~~~~~~~~~~~~ Gerry Haskins, Director, Software Lifecycle Engineer

Search

Categories
Archives
« April 2014
MonTueWedThuFriSatSun
 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
    
       
Today