SWA C.01.00 Release – January, 2007

The initial release of SWA does not support checking of the certificate revocation list (CRL).
NOTE: This item was fixed in the June 2007 release.
In the initial release of SWA, the default permissions of the /var/opt/swa/cache directory are set to read only by root. In a subsequent release, Hewlett-Packard plans to allow read access by non-root users to allow creation of depots by non-privileged users. Write access to this directory will still be restricted, so the value of 'swcache' must be set to an alternate location to allow non-root users to download software.
NOTE: This item was fixed in the June 2007 release.
The initial release of the SWA user interface does not implement the following Security Patch Check (SPC) functionality. You would still have to run the security_patch_check command to use these options. Please note that SPC is included in the SwAssistant bundle. See the security_patch_check(1M) manpage.
- -a
  This option causes security_patch_check to behave as though all ancestors (filesets) are installed on the target system. This option is useful for analyzing a patch depot by itself.
- - or -f filename
  Using - causes security_patch_check to read from standard input. Using -f filename causes security_patch_check to read from a file.
- -m
  Display output in a machine-parsable format. This format contains zero or more recommended-action records in the format:
  action-name: {<tab>field-name:<tab>field-text [<tab><tab>more-field-text]... }...
- -n
  Suppress warnings about currently installed patches whose state is neither configured nor available. A patch which is not in one of these states is misconfigured and should be fixed. Software Assistant does not detect this type of issue at all.
- -o [bcdmprs]
  Alter the information printed by security_patch_check in the human-readable patch information table. (Software Assistant's reporting options have changed/improved significantly from SPC.)
- -q/-qq
  These options have changed meaning, and if you want to conditionally generate a report only if there are issues, you need to use report_when_no_issues and check the exit code of swa.
- -s os-version
  Specify the OS version. Without the -s option, security_patch_check uses the software_spec field of the OS-Core fileset to determine which OS is running on the target system. The os-version should be in the format 11.xx. This option is useful when analyzing a patch-only depot.
- -t
  Gather information about superseded patches.
The following HTTPS configuration options (were specified in spc_config file) are not implemented in the initial release of SWA. Check the SWA manpages for the latest functionality.
- CRLCHECK
  As of the June 2007 release, CRLCHECK is now implemented as the crl_check extended option.
- CRLURL
  As of the June 2007 release, CRLURL is now implemented as the crl_url extended option.
- HTTPS_CA_DIR
  A directory containing files, each of which consists of one PEM-encoded trusted CA certificate. If using certificates other than the defaults shipped by Hewlett-Packard, note that these files should be indexed using the certificate's subject name hash value, in the form "hash.0". Use the OpenSSL utility, c_rehash, to index the certificates in the directory, creating the hash.0 format files for each certificate file in the directory which ends with the .pem extension. Software Assistant uses Java's cacerts keystore; this cannot be changed.
- HTTPS_CA_FILE
  The fully qualified path to a file containing PEM-encoded CA certificates which will be trusted by security_patch_check. Software Assistant uses Java's cacerts keystore; this cannot be changed.
- OPENSSLDIR
  The directory path containing the openssl and c_rehash binaries. Software Assistant uses Java's internal ssl implementation, so this is not needed.

SWA C.01.00 Release – January, 2007

Technical documentation

» Table of Contents

» Index