HP-UX Software Assistant Administration Guide: HP-UX 11i Systems > Chapter 5 Networking Options

Using SWA in Secure Network Environments

SWA is able to adapt to a secure network environment where one or more of the default protocols SWA uses are blocked. When customizing SWA for your environment, you must keep security concerns in mind.

When SWA runs an analysis of a system, it relies on the integrity of the catalog file and the inventory file. The integrity of the catalog file and the analysis file controls the security properties of SWA. Depot creation relies on the integrity of the patches within the swcache directory.

The validity of the catalog file is of primary importance, since it contains all the data for identifying issues, recommending solutions, and downloading and verifying content.

Because the integrity of SWA files must be maintained, use either a secure shell (ssh) connection or media when accessing a remote system for the inventory, catalog, analysis, and swcache files.

Using Proxy Servers With Software Assistant

The basic way to specify a proxy host and port is with the extended option proxy. You can optionally specify a basic HTTP authentication user name and password pair. You can use the proxy extended option with the commands swa get, swa report, swa step catalog, and swa step download. By default, no proxy information is specified. For more information, see the SWA manpages.

There are protocol-specific extended options (ftp_proxy, https_proxy, and http_proxy) and environment variables (ftp_proxy, https_proxy, and http_proxy). You cannot use the general proxy extended option, such as proxy=http://web-proxy.mycompany.com:8088, as an environment variable.

For information on the various ways to set SWA extended options, see “Extended Options”.

For information on SWA errors related to proxies, see Appendix B.

Using the download_cmd Extended Option

The download_cmd extended option can be used to override the default SWA download commands, and therefore the protocols SWA uses to download the catalog and patch files. The command specified with this option must:

  1. Take one argument supplied by SWA: the URL of the file content to download.

  2. Output the retrieved file content to standard output.

Programs like wget, curl, and Perl's GET can be used to pass the contents of a URL to standard output. These commands may provide support for different types of proxies or can be used with ssh to work with a gateway server. The GET command provides basic functionality. The wget and curl commands provide extended functionality and are provided with HP-UX 11i Internet Express (see www.hp.com/go/internetexpress). All three of these commands are available for operating systems other than HP-UX, such as Linux and Windows.
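
A wrapper that meets the two download_cmd requirements above while restricting what is fetched, as an added example (not HP's code). The script name swa_fetch.sh, the ALLOWED_HOSTS variable and the presence of curl on the fetching host are assumptions; ftp.itrc.hp.com is the catalog host named later in this guide.

```shell
#!/bin/sh
# swa_fetch.sh: hypothetical download_cmd wrapper (added example, not HP code).
# Contract from the guide: one argument (the URL), file content on stdout.

# Hosts this wrapper may contact. ftp.itrc.hp.com is the catalog host named
# in this guide; anything else you add is a site-specific assumption.
ALLOWED_HOSTS="ftp.itrc.hp.com"

# Print the host of an http, https or ftp URL; fail for any other input.
url_host() {
    case "$1" in
        https://*|http://*|ftp://*) ;;
        *) return 1 ;;
    esac
    rest=${1#*://}          # drop the scheme
    hostport=${rest%%/*}    # keep only the authority part
    case "$hostport" in
        *@*) return 1 ;;    # refuse URLs with embedded credentials
    esac
    host=${hostport%%:*}    # drop an optional :port
    [ -n "$host" ] || return 1
    printf '%s\n' "$host"
}

# Succeed only if the URL's host is on the allow-list (exact match).
url_allowed() {
    h=$(url_host "$1") || return 1
    for a in $ALLOWED_HOSTS; do
        if [ "$h" = "$a" ]; then return 0; fi
    done
    return 1
}

# Fetch one URL to stdout; diagnostics go to stderr so they never end up
# inside the catalog or patch file SWA reads from stdout.
swa_fetch() {
    if ! url_allowed "$1"; then
        echo "swa_fetch: refusing URL: $1" >&2
        return 1
    fi
    # -f: fail on HTTP errors instead of emitting the error page as content.
    curl -fsS "$1"
}

# Run only when called the way SWA calls it: with exactly one argument.
if [ $# -eq 1 ]; then
    swa_fetch "$1"
fi
```

The script can be named directly in download_cmd, or placed on a gateway and invoked through ssh in the same way as GET in the gateway example that follows.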

Example: Use SWA With a Gateway

If you would like to use SWA without direct internet access, you can use the download_cmd extended option and a gateway server to access the catalog and patch files. This gateway can be a non-HP-UX system that has any of the aforementioned commands functional on it.

The /opt/perl/bin/GET command satisfies the download_cmd extended option requirements listed above. The following procedure is to be run on the system to be analyzed.

  1. Create an inventory of the local system, then download the catalog using the gateway system, run an analysis, and create a report:

    # swa report -x download_cmd='ssh user@gateway_sys /opt/perl/bin/GET'

  2. Review the recommended actions and issues.

  3. Download patches using the gateway system and make a depot on the local system:

    # swa get -t target_depot -x download_cmd='ssh user@gateway_sys /opt/perl/bin/GET'

  4. Continue with the patch installation procedure as outlined in Chapter 3.

For more information on download_cmd, see swa-get(1M), swa-report(1M), and swa-step(1M).

Running SWA on a System Without Access to the Internet

If you must run SWA on a system that does not have Internet access, you can obtain the catalog and patches using a system connected to the Internet, and then transfer the downloaded files to the protected system using media or ssh. Required patches will have to be manually requested and downloaded from the ITRC at http://itrc.hp.com. You can run SWA without any network access whatsoever by using media to transfer the files from the system connected to the Internet. You can also print the system's Action report and carry it to a system with Internet access when downloading patches.

Example: Using SWA Without Internet Access

  1. Using a system with Internet access (this system may be a PC), download the catalog from the ITRC from https://ftp.itrc.hp.com/wpsl/bin/doc.pl/screen=wpslDownloadPatch/swa_catalog.xml.gz?PatchName=/export/patches/swa_catalog.xml.gz.

    Alternatively, you can use the FTP location ftp://ftp.itrc.hp.com/wpsl/bin/doc.pl/screen=wpslDownloadPatch/swa_catalog.xml.gz?PatchName=/export/patches/swa_catalog.xml.gz.

  2. Transfer the catalog to the system to be analyzed using ssh or media. The catalog's default location is $HOME/.swa/cache. Uncompress the file with

    # gunzip swa_catalog.xml.gz

  3. Create an inventory, run an analysis, and generate a report on the system with

    # swa report -x catalog_max_age=-1

    The catalog_max_age=-1 extended option setting instructs SWA to skip the catalog download step. Note that you can use the extended option catalog to specify the catalog location if it is other than the default $HOME/.swa/cache/swa_catalog.xml.

  4. Evaluate the reports and determine the patches to be downloaded.

  5. Contact the ITRC from a system connected to the Internet and select the patches you wish to install. Once you have a selected patch list, download them in your desired format. HP recommends using the depot creation script included with the patches since it will make installation easier.

    Note that when using media or other means to relocate the swcache files to a new system (the swa get and swa step download commands are not used), the MD5 cryptographic hash validation of the patches is not repeated.

  6. Continue with the patch installation procedure as outlined in Chapter 3.

For more information, see the Security Considerations section of swa(1M).
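
Because the MD5 validation is not repeated when the catalog and swcache files are relocated by hand, one way to detect corruption or tampering in transit is to record digests where the files were downloaded and re-check them on the protected system. This is an added example, not part of HP's guide or of SWA; the function names and the use of SHA-256 through sha256sum or openssl are assumptions about the tools available on both systems.

```shell
#!/bin/sh
# Added example (not HP code): digest manifest for files moved by media or ssh.

# Print the SHA-256 of one file as hex. sha256sum is used where it exists,
# otherwise openssl; taking the last field copes with openssl's label prefix.
digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum < "$1" | awk '{print $1}'
    else
        openssl dgst -sha256 < "$1" | awk '{print $NF}'
    fi
}

# make_manifest DIR: print one "digest  name" line per regular file in DIR.
# Assumes file names without spaces, as with catalog and patch files.
make_manifest() {
    ( cd "$1" || exit 1
      for f in *; do
          if [ -f "$f" ]; then printf '%s  %s\n' "$(digest "$f")" "$f"; fi
      done )
}

# verify_manifest DIR MANIFEST: fail if a listed file is missing or altered,
# or if DIR contains a file the manifest does not list.
verify_manifest() {
    dir=$1; manifest=$2; bad=0
    while read -r want name; do
        if [ ! -f "$dir/$name" ]; then
            echo "MISSING  $name" >&2; bad=1
        elif [ "$(digest "$dir/$name")" != "$want" ]; then
            echo "MISMATCH $name" >&2; bad=1
        fi
    done < "$manifest"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        awk -v n="${f##*/}" '$2 == n { ok = 1 } END { exit !ok }' "$manifest" ||
            { echo "UNLISTED ${f##*/}" >&2; bad=1; }
    done
    return "$bad"
}

# "make DIR > manifest" on the download system; "verify DIR manifest" afterwards.
case "${1:-}" in
    make)   make_manifest "$2" ;;
    verify) verify_manifest "$2" "$3" ;;
esac
```

The manifest is only useful if it reaches the protected system by a path the files themselves did not take, or is otherwise authenticated.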

© 2007–2008 Hewlett-Packard Development Company, L.P.